From: Tony Kwok (sykwok8@yahoo.com)
Date: Sat Dec 14 2002 - 12:48:45 GMT-3
Hi,
Thx. for your reply Sam but the question is to do the
policy routing and NAT on the same router R1. Does
anyone have comments or suggestions? Thx.
Regards,
Tony
--- Sam Lai <slai@gggroup.net> wrote:
> Seems that NAT will not work with policy routing
> together on the same routers.
> I am not sure what restrictions are on your
> scenario, but I've tried something that works and
> satisfies the requirements. Instead of doing nat on
> R1, I do it on R2 - "ip nat outside source static
> 111.111.111.111 11.11.11.11"
>
> Hope this helps.
>
> Sam Lai
>
>
> ----------------------------------------------------------
> hostname r1
> !
> interface Loopback100
> ip address 111.111.111.111 255.255.255.255
> ip nat inside
> !
> interface Serial0/1
> ip address 10.10.10.1 255.255.255.252
> ip nat outside
> clockrate 2000000
> !
> ip local policy route-map default-route
> !
> ip access-list extended anything
> route-map default-route permit 10
> match ip address anything
> set ip next-hop 10.10.10.2
> !
>
>
> ----------------------------------------------------------
> hostname r2
> !
> interface Loopback100
> ip address 22.22.22.22 255.255.255.255
> ip nat inside
> !
> interface Serial1
> ip address 10.10.10.2 255.255.255.252
> ip nat outside
> !
> ip nat outside source static 111.111.111.111 11.11.11.11
> ip route 11.11.11.11 255.255.255.255 Serial1
>
> ----------------------------------------------------------
> r1#ping
> Protocol [ip]:
> Target IP address: 22.22.22.22
> Repeat count [5]:
> Datagram size [100]:
> Timeout in seconds [2]:
> Extended commands [n]: y
> Source address or interface: loop 100
> Type of service [0]:
> Set DF bit in IP header? [no]:
> Validate reply data? [no]:
> Data pattern [0xABCD]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Sweep range of sizes [n]:
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
> r1#
> 07:39:20: %SEC-6-IPACCESSLOGDP: list anything permitted icmp 111.111.111.111 -> 22.22.22.22 (0/0), 5 packets
>
> ----------------------------------------------------------
>
> r2#sh ip nat tran
> Pro Inside global      Inside local       Outside local      Outside global
> --- 22.22.22.22        22.22.22.22        11.11.11.11        111.111.111.111
> --- ---                ---                11.11.11.11        111.111.111.111
> r2#
>
> ----------------------------------------------------------
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of Tony Kwok
> Sent: Saturday, December 14, 2002 5:49 AM
> To: ccielab@groupstudy.com
> Subject: The Policy routing with NAT problem.
>
>
> Hi,
>
> I got one problem about the policy routing with NAT.
>
> I got two routers with hostname R1 and R2.
>
> On the R1, I got one default route to the Ethernet
> interface. In order to reach the loop back address
> 22.22.22.22, I am trying to use the policy routing
> with NAT. I have tried for a long time and find that
> the policy routing can run properly but fails with NAT.
> However, if I disable the policy routing and use the
> static route instead, the NAT works properly. Are
> there any hints for this problem? Thx.
>
> R1 ---back-to-back----- R2
>
> Router configuration.
> Building configuration...
>
> Current configuration : 1259 bytes
> !
> version 12.1
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname R1
> !
> logging buffered 4096 debugging
> logging rate-limit console 10 except errors
> enable secret 5 $1$38kB$pyDkrvN5QJ9Rtyl8Gbvqw0
> !
> ip subnet-zero
> !
> !
> no ip finger
> no ip domain-lookup
> !
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> !
> !
> interface Loopback100
> ip address 111.111.111.111 255.255.255.255
> ip nat inside
> !
> interface FastEthernet0/0
> ip address 203.74.124.8 255.255.255.240
> duplex auto
> speed auto
> !
> interface Serial0/0
> ip address 10.0.0.1 255.255.255.252
> ip nat outside
> clockrate 64000
> !
> interface Serial0/1
> no ip address
> shutdown
> !
> ip local policy route-map hello
> ip nat inside source static 111.111.111.111 11.11.11.11
> ip classless
> ip route 0.0.0.0 0.0.0.0 203.74.124.1
> no ip http server
> !
> access-list 100 permit ip any host 22.22.22.22
> route-map hello permit 10
> match ip address 100
> set ip next-hop 10.0.0.2
> !
> !
> voice-port 1/0/0
> !
> voice-port 1/0/1
> !
> dial-peer cor custom
> !
> !
> !
> !
> line con 0
> password 7 010400015401575D
> login
> transport input none
> line aux 0
> modem InOut
> modem autoconfigure type usr_sportster
> transport input all
> speed 115200
> line vty 0 4
> password 7 10590F1C0A1D4359
> login
> !
> end
>
> R1#ping
>
=== message truncated ===