RE: NAT problem - extra hops on trace

From: Hunt Lee (huntl@webcentral.com.au)
Date: Tue Nov 12 2002 - 22:56:54 GMT-3


Carlos,

I just found out this morning that if I swap them, so that the Loopback interface
is the "ip nat inside" while the Ethernet interface is the "ip nat outside",
then the trace is fixed.

An interesting thought is: in such a case with NAT on a stick, where the
router only has one physical interface, how should one determine whether
that interface should be "ip nat inside" or "ip nat outside"?

Hunt

-----Original Message-----
From: Carlos G Mendioroz [mailto:tron@huapi.ba.ar]
Sent: Tuesday, 12 November 2002 7:46 PM
To: Hunt Lee
Cc: 'ccielab@groupstudy.com'
Subject: Re: NAT problem - extra hops on trace

Hunt,
sounds like "the process" of going through the NatRouter is taking
2 extra TTL steps (route to loopback and back?) but the router
is compensating for that when the packet is eventually sent to R3.

When traceroute increases TTL one by one, it is "discovering"
the internal thing...

Hunt Lee wrote:
> I'm trying to configure NAT on a stick. My config and outputs are below.
> The requirements are:
>
> 1) HostA, behind R1, needs to communicate with HostB behind R3 using their
> Global addresses
>
> 2) Traffic between these hosts must be sent through NATrouter.
>
> Question is, even though HostA & HostB can ping each other on their
> respective Global IPs, when I'm doing the trace, it shows that there are 2
> extra hops in the middle of the trace (hop 3 & hop 4).
>
>
>
>
>      Loopback (5.5.5.1/30 - IP Nat Outside)
>       -------
>          |
>      NATrouter (fa0/0 - 1.1.1.2/24 - IP Nat Inside)
>          |
>   ------------------------ (Ethernet)
>   |                      |
>   | 1.1.1.1/24           | 1.1.1.3/24
>   |                      |
>   R1                     R3
>   | 10.10.10.2/24        | 20.20.20.2/24
>   |                      |
>   |                      |
>   HostA                  HostB
>   10.10.10.1/24          20.20.20.1/24
>
>
> At R2:-
>
> interface Loopback0
> ip address 5.5.5.1 255.255.255.252
> ip nat outside
> no ip route-cache
> no ip mroute-cache
> !
> interface FastEthernet0/0
> ip address 1.1.1.2 255.255.255.0
> no ip redirects
> ip nat inside
> no ip route-cache
> no ip mroute-cache
> ip policy route-map haha
> speed 100
> full-duplex
>
> ip nat inside source static 10.10.10.1 100.100.100.1
> ip nat inside source static 20.20.20.1 200.200.200.1
>
> ip route 10.0.0.0 255.0.0.0 1.1.1.1
> ip route 20.0.0.0 255.0.0.0 1.1.1.3
> ip route 100.100.100.1 255.255.255.255 1.1.1.1
> ip route 200.200.200.1 255.255.255.255 1.1.1.3
>
> access-list 101 permit ip host 10.10.10.1 any
> access-list 101 permit ip any host 100.100.100.1
> access-list 101 permit ip host 20.20.20.1 any
> access-list 101 permit ip any host 200.200.200.1
>
> route-map haha permit 10
> match ip address 101
> set ip next-hop 5.5.5.2
>
>
> ********* Pings work for HostA to HostB, as well as HostB back to HostA
> with the Global IPs ******
>
> HostA#ping 200.200.200.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 68/74/88 ms
> HostA#
>
> HostB#ping 100.100.100.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 68/74/88 ms
> HostB#
>
>
> ****** And the debug output looks fine on "debug ip nat" ********
>
> Nov 9 21:59:01.335 UTC: NAT: s=10.10.10.1->100.100.100.1, d=200.200.200.1 [105]
> Nov 9 21:59:01.339 UTC: NAT: s=100.100.100.1, d=200.200.200.1->20.20.20.1 [105]
> Nov 9 21:59:01.375 UTC: NAT: s=20.20.20.1->200.200.200.1, d=100.100.100.1 [105]
> Nov 9 21:59:01.379 UTC: NAT: s=200.200.200.1, d=100.100.100.1->10.10.10.1 [105]
> Nov 9 21:59:01.419 UTC: NAT: s=10.10.10.1->100.100.100.1, d=200.200.200.1 [106]
> Nov 9 21:59:01.423 UTC: NAT: s=100.100.100.1, d=200.200.200.1->20.20.20.1 [106]
> Nov 9 21:59:01.459 UTC: NAT: s=20.20.20.1->200.200.200.1, d=100.100.100.1 [106]
> Nov 9 21:59:01.463 UTC: NAT: s=200.200.200.1, d=100.100.100.1->10.10.10.1 [106]
> Nov 9 21:59:01.503 UTC: NAT: s=10.10.10.1->100.100.100.1, d=200.200.200.1 [107]
> Nov 9 21:59:01.507 UTC: NAT: s=100.100.100.1, d=200.200.200.1->20.20.20.1 [107]
> Nov 9 21:59:01.539 UTC: NAT: s=20.20.20.1->200.200.200.1, d=100.100.100.1 [107]
> Nov 9 21:59:01.543 UTC: NAT: s=200.200.200.1, d=100.100.100.1->10.10.10.1 [107]
> Nov 9 21:59:01.583 UTC: NAT: s=10.10.10.1->100.100.100.1, d=200.200.200.1 [108]
> Nov 9 21:59:01.587 UTC: NAT: s=100.100.100.1, d=200.200.200.1->20.20.20.1 [108]
> Nov 9 21:59:01.623 UTC: NAT: s=20.20.20.1->200.200.200.1, d=100.100.100.1 [108]
> Nov 9 21:59:01.627 UTC: NAT: s=200.200.200.1, d=100.100.100.1->10.10.10.1 [108]
> Nov 9 21:59:01.667 UTC: NAT: s=10.10.10.1->100.100.100.1, d=200.200.200.1 [109]
> Nov 9 21:59:01.671 UTC: NAT: s=100.100.100.1, d=200.200.200.1->20.20.20.1 [109]
> Nov 9 21:59:01.703 UTC: NAT: s=20.20.20.1->200.200.200.1, d=100.100.100.1 [109]
> Nov 9 21:59:01.707 UTC: NAT: s=200.200.200.1, d=100.100.100.1->10.10.10.1 [109]
>
>
> ** But if I try to do a trace, 2 extra hops appear in the middle of the
> trace (hop 3 & hop 4) ****
>
>
> HostA#trace 200.200.200.1
>
> Type escape sequence to abort.
> Tracing the route to 200.200.200.1
>
> 1 R1 (10.10.10.2) 20 msec 28 msec 20 msec
> 2 NATrouter (1.1.1.2) 24 msec 24 msec 24 msec
> 3 R3 (1.1.1.3) 24 msec 28 msec 28 msec           <---- why / where do these
> 4 NATrouter (1.1.1.2) 24 msec 32 msec 28 msec    <---- 2 extra hops come from??
> 5 R3 (1.1.1.3) 28 msec 32 msec 32 msec
> 6 200.200.200.1 64 msec 52 msec *
> HostA#
>
>
> HostB#trace 100.100.100.1
>
> Type escape sequence to abort.
> Tracing the route to 100.100.100.1
>
> 1 R3 (20.20.20.2) 24 msec 24 msec 24 msec
> 2 NATrouter (1.1.1.2) 24 msec 28 msec 24 msec
> 3 R1 (1.1.1.1) 28 msec 32 msec 32 msec           <---- why / where do these
> 4 NATrouter (1.1.1.2) 28 msec 32 msec 28 msec    <---- 2 extra hops come from??
> 5 R1 (1.1.1.1) 32 msec 32 msec 32 msec
> 6 100.100.100.1 48 msec 48 msec *
> HostB#
>
>
> Thanks
> H.
>
>
> --
> WebCentral Pty Ltd              Australia's #1 Internet Web Hosting Company
> Level 1, 96 Lytton Road.        Network Operations - Systems Engineer
> PO Box 4169, East Brisbane.     email: huntl@webcentral.com.au
> Queensland, Australia.          phone: +61 7 3249 2553
>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina

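The traces quoted above, read by a small checker added here (not code from the thread or from IOS): it pulls hop number, responding address and per-probe RTTs out of IOS `trace` output and lists every hop whose address already answered at an earlier hop, which on this one-router-per-segment topology is exactly the pair of unexpected hops. The sample text is the HostA trace retyped from the thread without its annotations; the function names are my own.

```python
import re

# Constructed sample: the HostA trace quoted in the thread, retyped without
# the inline "<----" annotations.
TRACE_HOSTA = """\
1 R1 (10.10.10.2) 20 msec 28 msec 20 msec
2 NATrouter (1.1.1.2) 24 msec 24 msec 24 msec
3 R3 (1.1.1.3) 24 msec 28 msec 28 msec
4 NATrouter (1.1.1.2) 24 msec 32 msec 28 msec
5 R3 (1.1.1.3) 28 msec 32 msec 32 msec
6 200.200.200.1 64 msec 52 msec *
"""

# One hop line of IOS "trace" output: hop number, a name (or bare address),
# an optional "(address)" after the name, then the probe results.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((\d+(?:\.\d+){3})\))?\s+(.*)$")


def parse_trace(text):
    """Return [(hop, address, [rtt_ms or None for a '*' probe]), ...]."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, name, addr, probes = m.groups()
        rtts = [None if tok == "*" else int(tok)
                for tok in re.findall(r"\d+(?= msec)|\*", probes)]
        # The final hop prints the bare destination address with no name.
        hops.append((int(hop), addr or name, rtts))
    return hops


def revisits(hops):
    """Hops answered by an address that already answered an earlier hop.

    A trace that matches the diagram visits each router once, so every
    repeat is a forwarding pass the topology does not account for.
    Returns [(hop, address, first_hop_seen), ...]; its length is the
    number of extra hops.
    """
    first_seen, found = {}, []
    for hop, addr, _ in hops:
        if addr in first_seen:
            found.append((hop, addr, first_seen[addr]))
        else:
            first_seen[addr] = hop
    return found
```

Feeding the HostB trace through the same two functions flags hops 4 and 5 (1.1.1.2 and 1.1.1.1) in the same way.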

This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:09 GMT-3