Re: NAT & Local Policy Based Routing's Question !!

From: wsqccie@hotmail.com
Date: Tue Aug 12 2003 - 06:53:53 GMT-3


Just tested with NAT overlap; it still does not work well when I ping 1.1.1.14, which is in another part.
I think the key solution is to stop the layer 2 MAC auto-finding. E.g., when we ping 1.1.1.14 from 1.1.1.2, the router will find this is in my LAN, and then send the packet out to e0/0, and then there is no reply, and NAT will not function.
Current configuration : 549 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
!
!
!
!
!
memory-size iomem 15
ip subnet-zero
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Ethernet0/1
 ip address 2.2.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 2.2.2.2
ip http server
!
!
!
line con 0
line aux 0
line vty 0 4
!
end

r1#
r2#
r2#sh run
Building configuration...

Current configuration : 887 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2
!
logging buffered 4096 debugging
!
!
!
!
!
memory-size iomem 15
ip subnet-zero
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address 1.1.1.2 255.255.255.0
 ip nat inside
!
ip nat pool overlap-test 172.16.0.1 172.16.0.100 netmask 255.255.255.0
ip nat pool out 10.10.10.1 10.10.10.10 netmask 255.255.255.0
ip nat inside source list 1 pool out
ip nat outside source list 1 pool overlap-test
ip classless
ip route 0.0.0.0 0.0.0.0 2.2.2.1
no ip http server
!
access-list 1 permit 1.1.1.0 0.0.0.255
snmp-server community PUBLIC RW
snmp-server community public RW
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

r2#ping 1.1.1.14

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
r2#
01:06:43: IP: s=2.2.2.2 (local), d=1.1.1.14 (Ethernet0/0), len 100, sending
01:06:43: IP: NAT enab = 1 trans = 0 flags = 80
01:06:43: IP: s=1.1.1.14 (Ethernet0/0), d=2.2.2.2 (Ethernet0/0), len 100, rcvd 3
01:06:43: ICMP: echo reply rcvd, src 1.1.1.14, dst 2.2.2.2
01:06:43: IP: s=2.2.2.2 (local), d=1.1.1.14 (Ethernet0/0), len 100, sending
01:06:43: IP: NAT enab = 1 trans = 0 flags = 80
01:06:43: IP: s=1.1.1.14 (Ethernet0/0), d=2.2.2.2 (Ethernet0/0), len 100, rcvd 3
01:06:43: ICMP: echo reply rcvd, src 1.1.1.14, dst 2.2.2.2
01:06:43: IP: s=2.2.2.2 (local), d=1.1.1.14 (Ethernet0/0), len 100, sending
01:06:43: IP: NAT enab = 1 trans = 0 flags = 80
01:06:43: IP: s=1.1.1.14 (Ethernet0/0), d=2.2.2.2 (Ethernet0/0), len 100, rcvd 3
01:06:43: ICMP: echo reply rcvd, src 1.1.1.14, dst 2.2.2.2
01:06:43: IP: s=2.2.2.2 (local), d=1.1.1.14 (Ethernet0/0), len 100, sending
01:06:43: IP: NAT enab = 1 trans = 0 flags = 80
01:06:43: IP: s=1.1.1.14 (Ethernet0/0), d=2.2.2.2 (Ethernet0/0), len 100, rcvd 3
01:06:43: ICMP: echo reply rcvd, src 1.1.1.14, dst 2.2.2.2
01:06:43: IP: s=2.2.2.2 (local), d=1.1.1.14 (Ethernet0/0), len 100, sending
01:06:43: IP: NAT enab = 1 trans = 0 flags = 80
01:06:43: IP: s=1.1.1.14 (Ethernet0/0), d=2.2.2.2 (Ethernet0/0), len 100, rcvd 3
01:06:43: ICMP: echo reply rcvd, src 1.1.1.14, dst 2.2.2.2
r2#ping
Protocol [ip]:
Target IP address: 1.1.1.14
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 1.1.1.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.14, timeout is 2 seconds:

01:07:00: IP: s=1.1.1.2 (local), d=1.1.1.14 (Ethernet0/0), len 100, sending
01:07:00: NAT: i: icmp (1.1.1.2, 845) -> (1.1.1.14, 845) [90]
01:07:00: NAT: s=1.1.1.2->10.10.10.1, d=1.1.1.14 [90]
01:07:00: NAT*: o: icmp (1.1.1.14, 845) -> (10.10.10.1, 845) [537]
01:07:00: NAT*: s=1.1.1.14->172.16.0.1, d=10.10.10.1 [537]
01:07:00: NAT*: s=172.16.0.1, d=10.10.10.1->1.1.1.2 [537]
01:07:00: IP: s=172.16.0.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/0), g=2.2.2.1, len 100, forward.
01:07:02: IP: s=1.1.1.2 (local), d=1.1.1.14 (Ethernet0/0), len 100, sending
01:07:02: NAT: i: icmp (1.1.1.2, 846) -> (1.1.1.14, 846) [91]
01:07:02: NAT: s=1.1.1.2->10.10.10.1, d=1.1.1.14 [91]
01:07:02: NAT*: o: icmp (1.1.1.14, 846) -> (10.10.10.1, 846) [539]
01:07:02: NAT*: s=1.1.1.14->172.16.0.1, d=10.10.10.1 [539]
01:07:02: NAT*: s=172.16.0.1, d=10.10.10.1->1.1.1.2 [539]
01:07:02: IP: s=172.16.0.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/0), g=2.2.2.1, len 100, forward.
01:07:04: IP: s=1.1.1.2 (local), d=1.1.1.14 (Ethernet0/0), len 100, sending
01:07:04: NAT: i: icmp (1.1.1.2, 847) -> (1.1.1.14, 847) [92]
01:07:04: NAT: s=1.1.1.2->10.10.10.1, d=1.1.1.14 [92]
01:07:04: NAT*: o: icmp (1.1.1.14, 847) -> (10.10.10.1, 847) [541]
01:07:04: NAT*: s=1.1.1.14->172.16.0.1, d=10.10.10.1 [541]
01:07:04: NAT*: s=172.16.0.1, d=10.10.10.1->1.1.1.2 [541]
01:07:04: IP: s=172.16.0.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/0), g=2.2.2.1, len 100, forward.
01:07:06: IP: s=1.1.1.2 (local), d=1.1.1.14 (Ethernet0/0), len 100, sending
01:07:06: NAT: i: icmp (1.1.1.2, 848) -> (1.1.1.14, 848) [93]
01:07:06: NAT: s=1.1.1.2->10.10.10.1, d=1.1.1.14 [93]
01:07:06: NAT*: o: icmp (1.1.1.14, 848) -> (10.10.10.1, 848) [543]
01:07:06: NAT*: s=1.1.1.14->172.16.0.1, d=10.10.10.1 [543]
01:07:06: NAT*: s=172.16.0.1, d=10.10.10.1->1.1.1.2 [543]
01:07:06: IP: s=172.16.0.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/0), g=2.2.2.1, len 100, forward.
01:07:08: IP: s=1.1.1.2 (local), d=1.1.1.14 (Ethernet0/0), len 100, sending
01:07:08: NAT: i: icmp (1.1.1.2, 849) -> (1.1.1.14, 849) [94]
01:07:08: NAT: s=1.1.1.2->10.10.10.1, d=1.1.1.14 [94]
01:07:08: NAT*: o: icmp (1.1.1.14, 849) -> (10.10.10.1, 849) [545]
01:07:08: NAT*: s=1.1.1.14->172.16.0.1, d=10.10.10.1 [545]
01:07:08: NAT*: s=172.16.0.1, d=10.10.10.1->1.1.1.2 [545]
01:07:08: IP: s=172.16.0.1 (Ethernet0/0), d=1.1.1.2 (Ethernet0/0), g=2.2.2.1, len 100, forward.
Success rate is 0 percent (0/5)
r2#
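The debug output above shows the two translations r2 applies (inside source to pool `out`, outside source to pool `overlap-test`) and also why a ping from 1.1.1.2 to 1.1.1.14 behaves differently from one sent to the outside-local address that pool `overlap-test` hands out. The following Python model is an added example, not code from this thread or from Cisco: it builds a longest-prefix-match route lookup from r2's routes, models the two NAT tables from r2's configuration, and contrasts a packet addressed to 1.1.1.14 directly (connected 1.1.1.0/24 wins, so the packet stays on the LAN and no translation runs) with one addressed to 172.16.0.1 (default route to the outside interface, both translations run, reply is untranslated back to 1.1.1.2). The outside-local address is assigned statically in the model, which is an assumption; how a real inside host learns that address is outside the model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from r2's configuration in the thread: connected 1.1.1.0/24 on the
# inside interface, connected 2.2.2.0/24 on the outside interface, default via 2.2.2.1.
INSIDE_IF = "Ethernet0/1"
OUTSIDE_IF = "Ethernet0/0"
ROUTES = [
    (ipaddress.ip_network("1.1.1.0/24"), INSIDE_IF, None),
    (ipaddress.ip_network("2.2.2.0/24"), OUTSIDE_IF, None),
    (ipaddress.ip_network("0.0.0.0/0"), OUTSIDE_IF, "2.2.2.1"),
]


def lookup(dst):
    """Longest-prefix match: returns (network, egress interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in ROUTES if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)


@dataclass
class Packet:
    src: str
    dst: str


class NatOverlap:
    """Model of `ip nat inside source list 1 pool out` plus
    `ip nat outside source list 1 pool overlap-test`, with access-list 1 = 1.1.1.0/24."""

    def __init__(self, acl, inside_pool, outside_pool):
        self.acl = ipaddress.ip_network(acl)
        self.inside_pool = iter(inside_pool)    # inside-global addresses (pool out)
        self.outside_pool = iter(outside_pool)  # outside-local addresses (pool overlap-test)
        self.inside_map = {}   # inside local   -> inside global
        self.outside_map = {}  # outside global -> outside local

    def outside_local_for(self, outside_global):
        """Outside-local address an inside host must use to reach an overlapping outside host."""
        if outside_global not in self.outside_map:
            self.outside_map[outside_global] = next(self.outside_pool)
        return self.outside_map[outside_global]

    def inside_to_outside(self, pkt):
        """Packet leaving via the NAT outside interface."""
        if ipaddress.ip_address(pkt.src) in self.acl:
            if pkt.src not in self.inside_map:          # allocate inside global on first use
                self.inside_map[pkt.src] = next(self.inside_pool)
            src = self.inside_map[pkt.src]
        else:
            src = pkt.src
        # destination: outside local -> outside global (reverse of the outside table)
        by_local = {local: glob for glob, local in self.outside_map.items()}
        return Packet(src, by_local.get(pkt.dst, pkt.dst))

    def outside_to_inside(self, pkt):
        """Packet arriving on the NAT outside interface."""
        src = pkt.src
        if ipaddress.ip_address(src) in self.acl:       # overlapping source -> outside local
            src = self.outside_local_for(src)
        # destination: inside global -> inside local (reverse of the inside table)
        by_global = {glob: local for local, glob in self.inside_map.items()}
        return Packet(src, by_global.get(pkt.dst, pkt.dst))


def send_from_inside(nat, src, dst):
    """r2 forwarding a packet that originates on the inside side.
    Returns (egress interface, packet as it leaves). Translation only happens
    when the route lookup chooses the NAT outside interface."""
    _, iface, _ = lookup(dst)
    pkt = Packet(src, dst)
    if iface == OUTSIDE_IF:
        pkt = nat.inside_to_outside(pkt)
    return iface, pkt


def demo():
    nat = NatOverlap("1.1.1.0/24",
                     inside_pool=[f"10.10.10.{i}" for i in range(1, 11)],
                     outside_pool=[f"172.16.0.{i}" for i in range(1, 101)])
    results = {}
    # Case 1: 1.1.1.2 addresses the overlapping host by its real address. The
    # connected /24 wins the lookup, the packet stays on the LAN, no NAT runs.
    iface, pkt = send_from_inside(nat, "1.1.1.2", "1.1.1.14")
    results["direct"] = (iface, pkt.src, pkt.dst)
    # Case 2: 1.1.1.2 addresses it by the outside-local address (assigned here
    # by the model; a real inside host has to be given this address somehow).
    ol = nat.outside_local_for("1.1.1.14")
    iface, out = send_from_inside(nat, "1.1.1.2", ol)
    results["via_outside_local"] = (iface, out.src, out.dst)
    # The echo reply from the real host arrives on Ethernet0/0, is untranslated,
    # and the route lookup on the restored destination delivers it on Ethernet0/1.
    reply = nat.outside_to_inside(Packet(out.dst, out.src))
    results["reply"] = (lookup(reply.dst)[1], reply.src, reply.dst)
    return results


if __name__ == "__main__":
    for name, (iface, src, dst) in demo().items():
        print(f"{name:18} egress={iface:12} s={src} d={dst}")
```

Running the block prints one line per case; the `direct` case leaves 1.1.1.14 untranslated on Ethernet0/1, while the `via_outside_local` case produces the same s=1.1.1.2->10.10.10.1 and s=1.1.1.14->172.16.0.1 pairs that appear in the debug lines above.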
----- Original Message -----
From: "Ansar Mohideen" <ansar@garmco.com>
To: <wwwjjang@chol.com>
Cc: <ccielab@groupstudy.com>
Sent: Monday, August 11, 2003 12:29 PM
Subject: RE: NAT & Local Policy Based Routing's Question !!

> Hi Jang
>
> You have to do overlapping address translation.
> Please find the example from the Doc CD.
>
> Translating Overlapping Address Example
> In the following example, the addresses in the local network are being used
> legitimately by someone else on the Internet. An extra translation is
> required to access that external network. Pool net-10 is a pool of outside
> local IP addresses. The statement ip nat outside source list 1 pool net-10
> translates the addresses of hosts from the outside overlapping network to
> addresses in that pool.
>
> ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
> ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
> ip nat inside source list 1 pool net-208
> ip nat outside source list 1 pool net-10
> !
> interface serial 0
> ip address 171.69.232.192 255.255.255.240
> ip nat outside
> !
> interface ethernet0
> ip address 192.168.1.94 255.255.255.0
> ip nat inside
> !
> access-list 1 permit 192.168.1.0 0.0.0.255
>
>
> Regards.
>
> -----Original Message-----
> From: wwwjjang@chol.com [mailto:wwwjjang@chol.com]
> Sent: Sunday, August 10, 2003 5:45 PM
> To: ccielab@groupstudy.com
> Subject: NAT & Local Policy Based Routing's Question !!
>
> Hi! Everyone..
>
> I was confused by this question..
> Who knows the solution ??
> ---------
> Diagram
> ---------
>
> (e0 1.1.1.1/24)-R2-(so 2.2.2.2)-(s1 2.2.2.1)-R1-(e0 1.1.1.3/24)-(e0
> 1.1.1.14)-R3
>
> |_______________________________OSPF__________________________|
>
>
> Note:
> - R2's E0-Net (1.1.1.0/24) is the same as the Ethernet-Network between R1
> & R3 (1.1.1.0/24)
> - R2's E0 is not covered by OSPF & is a Private-network !!
>
> __________
> Question
> ----------
> 1> Make sure that R2's E0-Network can communicate with outside.
> 2> Make sure that you can send a ping to R2's S0 (2.2.2.2) with a source
> ip 1.1.1.14 (R3's E0) and receive an echo-reply from R2's E0 (1.1.1.1)
>
> ----------
> My answer
> ----------
> 1> First, I configure NAT on R2. (It operates well !!)
>
> R2>
> interface Ethernet0
> ip address 1.1.1.1 255.255.255.0
> ip nat inside
> !
> interface Serial1
> ip address 2.2.2.2 255.255.255.0
> ip nat outside
> !
> ip nat inside source route-map NAT interface serial 0 overload
> access-list 20 permit 1.1.1.0 0.0.0.255
> !
> route-map NAT permit 10
> match ip address 20
>
> 2> When I send a ping to R2's s0, I can't receive an echo-reply.
> Since R2's E0-Network (1.1.1.0/24) is the same as the Ethernet-Network
> between R1 & R3, the echo-reply packet is sent to R2's E0.
> So the echo-reply packet is dropped.
> (Can you understand my explanation ???)
>
> So I think that the local policy-map on R2 is one of the solutions.
>
> R2>
>
> ip local policy route-map POL
> route-map POL permit 10
> match ip add 150
> set ip next-hop 2.2.2.1
> access-list 150 permit icmp any any
>
> => So, when I send a ping to R2's S0 (2.2.2.2) with a source of
> R3's e0 (1.1.1.14),
> I can receive an echo-reply from R2's E0 (1.1.1.1)!!!!
> => But the NAT doesn't work. !!!
> When I remove the local policy-map, the NAT works well !!
>
> Do you know the reason for this problem???
> How can I solve the two questions ??
>
> Thanks !!
>
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:57 GMT-3