From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Thu Oct 02 2003 - 17:56:37 GMT-3
Here are two possible solutions:
Easy solution:
Rack1R1#ping 129.1.17.7 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 129.1.17.7, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1 <--- Lo0 IP address
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Rack1R1#
Complex solution:
interface Loopback0
ip address 150.1.1.1 255.255.255.0
ip nat inside
!
interface Ethernet0/0
ip address 129.1.17.1 255.255.255.0
ip nat outside
!
ip local policy route-map LOCAL
ip nat inside source list 140 interface Loopback0 overload
access-list 140 permit icmp any any
access-list 150 permit icmp any any
!
route-map LOCAL permit 10
match ip address 150
set ip next-hop 150.1.1.1
Rack1R1#clear ip nat trans *
Rack1R1#sho ip nat tran
Rack1R1#ping 129.1.17.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 129.1.17.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Rack1R1#sho ip nat tran
Pro  Inside global    Inside local     Outside local    Outside global
icmp 150.1.1.1:8780   129.1.17.1:8780  129.1.17.7:8780  129.1.17.7:8780
icmp 150.1.1.1:8781   129.1.17.1:8781  129.1.17.7:8781  129.1.17.7:8781
icmp 150.1.1.1:8782   129.1.17.1:8782  129.1.17.7:8782  129.1.17.7:8782
icmp 150.1.1.1:8783   129.1.17.1:8783  129.1.17.7:8783  129.1.17.7:8783
icmp 150.1.1.1:8784   129.1.17.1:8784  129.1.17.7:8784  129.1.17.7:8784
Rack1R1#
As a side note, whenever someone pings this router's E0/0 interface the
replies will be sourced off the loopback. If you don't want this
behavior you can make the ACLs more specific as to what gets NAT'ed and
what gets policy routed.
Rack1SW1#ping 129.1.17.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 129.1.17.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Rack1SW1#
14:40:38: ICMP: echo reply rcvd, src 150.1.1.1, dst 129.1.17.7
14:40:38: ICMP: echo reply rcvd, src 150.1.1.1, dst 129.1.17.7
14:40:38: ICMP: echo reply rcvd, src 150.1.1.1, dst 129.1.17.7
14:40:38: ICMP: echo reply rcvd, src 150.1.1.1, dst 129.1.17.7
14:40:38: ICMP: echo reply rcvd, src 150.1.1.1, dst 129.1.17.7
Rack1SW1#
You should test this out fully in a lab before deploying it to make sure
that the NAT configuration does not cause any problems ;-) I would
personally probably "tighten" up the configuration a little.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
MADMAN
Sent: Thursday, October 02, 2003 12:49 PM
To: cisco
Cc: 'Ccielab (E-mail)'
Subject: changing the source of the ICMP
Had a question posed today that I don't think can be done but thought
I would pose it to this list. I don't think you can.
On a router you can change the source interface to a predetermined ip
address when telnetting from the router, "ip telnet source-interface
x.x.x.x"
Is there a way to do the same for ICMP with a global configuration so
one doesn't have to always go thru the extended ping?
Thanks
Dave
--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367
"Emotion should reflect reason not guide it"
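
Added example, not part of either message above: one way to apply the side note about making the ACLs more specific. It assumes that only echo requests should be policy routed and translated, so that echo replies to pings of E0/0 keep 129.1.17.1 as their source; the tightened ACL entries are an assumption and have not been run on a router.

```cisco
! Constructed example, not from the original message; untested.
!
! As posted: both ACLs match every ICMP type, so echo replies that
! the router generates are also policy routed to the loopback and
! translated to 150.1.1.1.
!   access-list 140 permit icmp any any
!   access-list 150 permit icmp any any
!
! Tightened (assumption): match ICMP echo requests only.
no access-list 140
no access-list 150
access-list 140 permit icmp any any echo
access-list 150 permit icmp any any echo
!
! Unchanged from the message:
interface Loopback0
 ip address 150.1.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/0
 ip address 129.1.17.1 255.255.255.0
 ip nat outside
!
ip local policy route-map LOCAL
ip nat inside source list 140 interface Loopback0 overload
!
route-map LOCAL permit 10
 match ip address 150
 set ip next-hop 150.1.1.1
```

Repeating the Rack1SW1 ping with ICMP debugging enabled shows whether the replies now arrive from 129.1.17.1 instead of 150.1.1.1.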
This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:56 GMT-3