NAT problem - extra hops on trace

From: Hunt Lee (huntl@webcentral.com.au)
Date: Mon Nov 11 2002 - 23:41:55 GMT-3


I'm trying to configure NAT on a stick. My config and outputs are below.
The requirements are:

1) HostA, behind R1, needs to communicate with HostB behind R3 using their
Global addresses

2) Traffic between these hosts must be sent through NATrouter.

Question is, even though HostA & HostB can ping each other on their
respective Global IPs, when I'm doing the trace, it shows that there are 2
extra hops in the middle of the trace (hop 3 & hop 4).

         
            Loopback (5.5.5.1/30 - IP Nat Outside)
               -------
                  |
              NATrouter (fa0/0 -1.1.1.2/24 - IP Nat Inside)
                  |
       ------------------------ (Ethernet)
       |                      |
       | 1.1.1.1/24           | 1.1.1.3/24
       |                      |
      R1                     R3
       | 10.10.10.2/24        | 20.20.20.2/24
       |                      |
       |                      |
     HostA                  HostB
 10.10.10.1/24          20.20.20.1/24

At R2:-

interface Loopback0
 ip address 5.5.5.1 255.255.255.252
 ip nat outside
 no ip route-cache
 no ip mroute-cache
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 no ip redirects
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 ip policy route-map haha
 speed 100
 full-duplex

ip nat inside source static 10.10.10.1 100.100.100.1
ip nat inside source static 20.20.20.1 200.200.200.1

ip route 10.0.0.0 255.0.0.0 1.1.1.1
ip route 20.0.0.0 255.0.0.0 1.1.1.3
ip route 100.100.100.1 255.255.255.255 1.1.1.1
ip route 200.200.200.1 255.255.255.255 1.1.1.3

access-list 101 permit ip host 10.10.10.1 any
access-list 101 permit ip any host 100.100.100.1
access-list 101 permit ip host 20.20.20.1 any
access-list 101 permit ip any host 200.200.200.1

route-map haha permit 10
 match ip address 101
 set ip next-hop 5.5.5.2

********* Pings work for HostA to HostB, as well as HostB back to HostA
with the Global IPs ******

HostA#ping 200.200.200.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/74/88 ms
HostA#

HostB#ping 100.100.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/74/88 ms
HostB#

****** And the debug output looks fine on "debug ip nat" ********

Nov 9 21:59:01.335 UTC: NAT: s=10.10.10.1->100.100.100.1, d=200.200.200.1 [105]
Nov 9 21:59:01.339 UTC: NAT: s=100.100.100.1, d=200.200.200.1->20.20.20.1 [105]
Nov 9 21:59:01.375 UTC: NAT: s=20.20.20.1->200.200.200.1, d=100.100.100.1 [105]
Nov 9 21:59:01.379 UTC: NAT: s=200.200.200.1, d=100.100.100.1->10.10.10.1 [105]
Nov 9 21:59:01.419 UTC: NAT: s=10.10.10.1->100.100.100.1, d=200.200.200.1 [106]
Nov 9 21:59:01.423 UTC: NAT: s=100.100.100.1, d=200.200.200.1->20.20.20.1 [106]
Nov 9 21:59:01.459 UTC: NAT: s=20.20.20.1->200.200.200.1, d=100.100.100.1 [106]
Nov 9 21:59:01.463 UTC: NAT: s=200.200.200.1, d=100.100.100.1->10.10.10.1 [106]
Nov 9 21:59:01.503 UTC: NAT: s=10.10.10.1->100.100.100.1, d=200.200.200.1 [107]
Nov 9 21:59:01.507 UTC: NAT: s=100.100.100.1, d=200.200.200.1->20.20.20.1 [107]
Nov 9 21:59:01.539 UTC: NAT: s=20.20.20.1->200.200.200.1, d=100.100.100.1 [107]
Nov 9 21:59:01.543 UTC: NAT: s=200.200.200.1, d=100.100.100.1->10.10.10.1 [107]
Nov 9 21:59:01.583 UTC: NAT: s=10.10.10.1->100.100.100.1, d=200.200.200.1 [108]
Nov 9 21:59:01.587 UTC: NAT: s=100.100.100.1, d=200.200.200.1->20.20.20.1 [108]
Nov 9 21:59:01.623 UTC: NAT: s=20.20.20.1->200.200.200.1, d=100.100.100.1 [108]
Nov 9 21:59:01.627 UTC: NAT: s=200.200.200.1, d=100.100.100.1->10.10.10.1 [108]
Nov 9 21:59:01.667 UTC: NAT: s=10.10.10.1->100.100.100.1, d=200.200.200.1 [109]
Nov 9 21:59:01.671 UTC: NAT: s=100.100.100.1, d=200.200.200.1->20.20.20.1 [109]
Nov 9 21:59:01.703 UTC: NAT: s=20.20.20.1->200.200.200.1, d=100.100.100.1 [109]
Nov 9 21:59:01.707 UTC: NAT: s=200.200.200.1, d=100.100.100.1->10.10.10.1 [109]

** But if I try to do a trace, 2 extra hops appear in the middle of the trace
(hop 3 & hop 4) ****

HostA#trace 200.200.200.1

Type escape sequence to abort.
Tracing the route to 200.200.200.1

  1 R1 (10.10.10.2) 20 msec 28 msec 20 msec
  2 NATrouter (1.1.1.2) 24 msec 24 msec 24 msec
  3 R3 (1.1.1.3) 24 msec 28 msec 28 msec         <---- why / where do these 2 extra hops
  4 NATrouter (1.1.1.2) 24 msec 32 msec 28 msec  <---- come from??
  5 R3 (1.1.1.3) 28 msec 32 msec 32 msec
  6 200.200.200.1 64 msec 52 msec *
HostA#

HostB#trace 100.100.100.1

Type escape sequence to abort.
Tracing the route to 100.100.100.1

  1 R3 (20.20.20.2) 24 msec 24 msec 24 msec
  2 NATrouter (1.1.1.2) 24 msec 28 msec 24 msec
  3 R1 (1.1.1.1) 28 msec 32 msec 32 msec         <---- why / where do these 2 extra hops
  4 NATrouter (1.1.1.2) 28 msec 32 msec 28 msec  <---- come from??
  5 R1 (1.1.1.1) 32 msec 32 msec 32 msec
  6 100.100.100.1 48 msec 48 msec *
HostB#

Thanks
H.

--
WebCentral Pty Ltd          Australia's #1 Internet Web Hosting Company
Level 1, 96 Lytton Road.          Network Operations - Systems Engineer
PO Box 4169, East Brisbane.              email: huntl@webcentral.com.au
Queensland, Australia.                  phone: +61 7 3249 2553
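
The check done by eye on the "debug ip nat" output above, as an added example that is not part of the original post: it pairs each source-rewrite line with the destination-rewrite line for the same packet and verifies the pair against the two static entries from the posted config. The names pair_passes, STATIC_NAT and SAMPLE are constructed for illustration.

```python
import re

# Static entries from the posted config: inside local -> inside global.
STATIC_NAT = {"10.10.10.1": "100.100.100.1", "20.20.20.1": "200.200.200.1"}

# Constructed sample: the first echo request and reply from the post's debug
# output, with the wrapped "[105]" rejoined to its line.
SAMPLE = """\
Nov 9 21:59:01.335 UTC: NAT: s=10.10.10.1->100.100.100.1, d=200.200.200.1 [105]
Nov 9 21:59:01.339 UTC: NAT: s=100.100.100.1, d=200.200.200.1->20.20.20.1 [105]
Nov 9 21:59:01.375 UTC: NAT: s=20.20.20.1->200.200.200.1, d=100.100.100.1 [105]
Nov 9 21:59:01.379 UTC: NAT: s=200.200.200.1, d=100.100.100.1->10.10.10.1 [105]
"""

# s= / d= carry "old->new" only for the field rewritten on that pass.
# \s+ before the ident also accepts the line wrap seen in the archive.
LINE = re.compile(
    r"NAT: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?,\s*"
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))?\s+\[(?P<id>\d+)\]"
)

def pair_passes(text):
    """Pair each source-rewrite line with the destination-rewrite line that
    follows it for the same packet, and check both against STATIC_NAT."""
    pending = {}   # (ident, global src, global dst) -> inside local src
    flows = []
    for m in LINE.finditer(text):
        g = m.groupdict()
        if g["s2"] and not g["d2"]:        # first pass: source rewritten
            pending[(g["id"], g["s2"], g["d"])] = g["s"]
        elif g["d2"] and not g["s2"]:      # second pass: destination rewritten
            local_src = pending.pop((g["id"], g["s"], g["d"]), None)
            flows.append({
                "ident": int(g["id"]),
                "local_src": local_src, "global_src": g["s"],
                "global_dst": g["d"], "local_dst": g["d2"],
                # False when a pass is missing or a rewrite is not in the config
                "matches_config": STATIC_NAT.get(local_src) == g["s"]
                                  and STATIC_NAT.get(g["d2"]) == g["d"],
            })
    return flows

if __name__ == "__main__":
    for flow in pair_passes(SAMPLE):
        print(flow)
```

A flow with local_src set to None means the destination rewrite was logged without a preceding source rewrite for that packet.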

