From: Sam Lai (slai@gggroup.net)
Date: Sat Dec 14 2002 - 12:03:48 GMT-3
It seems that NAT will not work together with policy routing on the same router.
I am not sure what restrictions apply to your scenario, but I've tried something that works and satisfies the requirements. Instead of doing NAT on R1, I do it on R2 - "ip nat outside source static 111.111.111.111 11.11.11.11"
Hope this helps.
Sam Lai
----------------------------------------------------------
hostname r1
!
interface Loopback100
ip address 111.111.111.111 255.255.255.255
ip nat inside
!
interface Serial0/1
ip address 10.10.10.1 255.255.255.252
ip nat outside
clockrate 2000000
!
ip local policy route-map default-route
!
ip access-list extended anything
route-map default-route permit 10
match ip address anything
set ip next-hop 10.10.10.2
!
----------------------------------------------------------
hostname r2
!
interface Loopback100
ip address 22.22.22.22 255.255.255.255
ip nat inside
!
interface Serial1
ip address 10.10.10.2 255.255.255.252
ip nat outside
!
ip nat outside source static 111.111.111.111 11.11.11.11
ip route 11.11.11.11 255.255.255.255 Serial1
----------------------------------------------------------
r1#ping
Protocol [ip]:
Target IP address: 22.22.22.22
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loop 100
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
r1#
07:39:20: %SEC-6-IPACCESSLOGDP: list anything permitted icmp 111.111.111.111 -> 22.22.22.22 (0/0), 5 packets
----------------------------------------------------------
r2#sh ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
--- 22.22.22.22        22.22.22.22        11.11.11.11        111.111.111.111
--- ---                ---                11.11.11.11        111.111.111.111
r2#
----------------------------------------------------------
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Tony Kwok
Sent: Saturday, December 14, 2002 5:49 AM
To: ccielab@groupstudy.com
Subject: The Policy routing with NAT problem.
Hi,
I have a problem with policy routing and NAT.
I have two routers with hostnames R1 and R2.
On R1, I have one default route to the Ethernet
interface. In order to reach the loopback address
22.22.22.22, I am trying to use policy routing
with NAT. I have tried for a long time and find that
policy routing runs properly but fails with NAT.
However, if I disable the policy routing and use a
static route instead, NAT works properly. Are
there any hints for this problem? Thx.
R1 ---back-to-back----- R2
Router configuration.
Building configuration...
Current configuration : 1259 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname R1
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
enable secret 5 $1$38kB$pyDkrvN5QJ9Rtyl8Gbvqw0
!
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback100
ip address 111.111.111.111 255.255.255.255
ip nat inside
!
interface FastEthernet0/0
ip address 203.74.124.8 255.255.255.240
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.0.1 255.255.255.252
ip nat outside
clockrate 64000
!
interface Serial0/1
no ip address
shutdown
!
ip local policy route-map hello
ip nat inside source static 111.111.111.111 11.11.11.11
ip classless
ip route 0.0.0.0 0.0.0.0 203.74.124.1
no ip http server
!
access-list 100 permit ip any host 22.22.22.22
route-map hello permit 10
match ip address 100
set ip next-hop 10.0.0.2
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer cor custom
!
!
!
!
line con 0
password 7 010400015401575D
login
transport input none
line aux 0
modem InOut
modem autoconfigure type usr_sportster
transport input all
speed 115200
line vty 0 4
password 7 10590F1C0A1D4359
login
!
end
R1#ping
Protocol [ip]:
Target IP address: 22.22.22.22
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: lo 100
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
.....
R1#sh ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
--- 11.11.11.11        111.111.111.111    ---                ---
R1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.74.124.1 to network 0.0.0.0
111.0.0.0/32 is subnetted, 1 subnets
C 111.111.111.111 is directly connected, Loopback100
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
203.74.124.0/28 is subnetted, 1 subnets
C 203.74.124.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 203.74.124.1
*************************************************************************************
R2#sh run
Building configuration...
Current configuration : 875 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname R2
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
no logging console
!
memory-size iomem 30
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback100
ip address 22.22.22.22 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.0.2 255.255.255.252
no fair-queue
!
ip classless
ip route 11.11.11.11 255.255.255.255 Serial0/0
no ip http server
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer cor custom
!
!
!
!
line con 0
password 7 051C000A2E461F5B
login
transport input none
line aux 0
login local
line vty 0 4
password 7 08364A4B06135445
login
!
end
R2#
R2#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
22.0.0.0/32 is subnetted, 1 subnets
C 22.22.22.22 is directly connected, Loopback100
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
11.0.0.0/32 is subnetted, 1 subnets
S 11.11.11.11 is directly connected, Serial0/0
R2#ping
Protocol [ip]:
Target IP address: 11.11.11.11
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: lo 100
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/39/52 ms
R2#
1w1d: ICMP: echo reply rcvd, src 111.111.111.111, dst 22.22.22.22
1w1d: ICMP: echo reply rcvd, src 111.111.111.111, dst 22.22.22.22
1w1d: ICMP: echo reply rcvd, src 111.111.111.111, dst 22.22.22.22
1w1d: ICMP: echo reply rcvd, src 111.111.111.111, dst 22.22.22.22
1w1d: ICMP: echo reply rcvd, src 111.111.111.111, dst 22.22.22.22
Thx. a lot for your help.
Regards,
Tony
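
The working setup from the reply at the top of this thread, as an added example that is not part of either post: a simplified Python model of how R2's "ip nat outside source static 111.111.111.111 11.11.11.11" entry rewrites the echo and its reply, and why the static route for 11.11.11.11 is needed. It assumes translation happens before routing for packets arriving from the outside and after routing for packets leaving toward it; the Packet type, function names and route table are constructed for illustration, while the addresses come from the r2 configuration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    dst: str

# Addresses from the r2 configuration in the reply.
OUTSIDE_GLOBAL = "111.111.111.111"  # real address of R1's Loopback100
OUTSIDE_LOCAL = "11.11.11.11"       # how R2's inside sees that host
# Constructed route table: R2's connected networks plus its one static route.
R2_ROUTES = {
    "22.22.22.22/32": "Loopback100",
    "10.10.10.0/30": "Serial1",
    "11.11.11.11/32": "Serial1",    # ip route 11.11.11.11 255.255.255.255 Serial1
}
NAT_OUTSIDE_IFACES = {"Serial1"}

def lookup(routes, dst) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None."""
    hits = [(ip_network(p), i) for p, i in routes.items()
            if ip_address(dst) in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def outside_to_inside(pkt: Packet) -> Packet:
    """Arriving on the NAT outside interface: translate, then route."""
    if pkt.src == OUTSIDE_GLOBAL:
        pkt = pkt._replace(src=OUTSIDE_LOCAL)
    return pkt

def inside_to_outside(pkt: Packet, routes) -> Optional[Packet]:
    """Leaving toward the outside: route on the untranslated destination,
    then translate. Returns None when that destination has no route."""
    egress = lookup(routes, pkt.dst)
    if egress is None:
        return None
    if egress in NAT_OUTSIDE_IFACES and pkt.dst == OUTSIDE_LOCAL:
        pkt = pkt._replace(dst=OUTSIDE_GLOBAL)
    return pkt

def round_trip(routes=R2_ROUTES):
    """Echo from R1's loopback to 22.22.22.22 and the reply R2 sends back."""
    seen_by_r2 = outside_to_inside(Packet(OUTSIDE_GLOBAL, "22.22.22.22"))
    reply = inside_to_outside(Packet(seen_by_r2.dst, seen_by_r2.src), routes)
    return seen_by_r2, reply

if __name__ == "__main__":
    print(round_trip())
    no_route = {k: v for k, v in R2_ROUTES.items() if k != "11.11.11.11/32"}
    print(round_trip(no_route))  # reply is dropped before NAT can rewrite it
```

The first result matches the "Outside local / Outside global" pair in the r2 translation table; the second shows the reply failing the route lookup when the static route is absent.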
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:45 GMT-3