Question About Local Policy Route-map + NAT (IE CoreLab Lab7)

From: Jung-I Lin (easyman.lin@gmail.com)
Date: Sun Apr 16 2006 - 00:28:41 GMT-3


Dear All,

I have a question which is related to local PBR + NAT.
The scenario is like this:

R5 has several interfaces participating in OSPF; the only exception is E1/0.
The goal is to have packets sourced from R5's E1/0 reach the others and
be correctly replied to.
And the restriction is that you can only use one "ip nat outside" command
on an interface.

So I use local policy route-map + NAT; part of the config is as follows:

!
interface Loopback0
 ip address 150.1.5.5 255.255.255.0
 ip nat outside
!
interface Ethernet0/0
 ip address 144.1.5.5 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clockrate 125000
 no fair-queue
!
interface Serial0/0.501 multipoint
 ip address 144.1.15.5 255.255.255.0
 ip ospf network point-to-point
 frame-relay map ip 144.1.15.1 501 broadcast
!
interface BRI0/0
 no ip address
 shutdown
!
interface Serial0/1
 ip unnumbered Ethernet0/0
 encapsulation ppp
 clockrate 64000
!
interface Ethernet1/0
 ip address 144.1.55.5 255.255.255.0
 ip nat inside
 half-duplex
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map CONNECTED->OSPF
 network 144.1.5.5 0.0.0.0 area 0
 network 144.1.15.5 0.0.0.0 area 0
!
ip local policy route-map POLICY
ip nat inside source list 1 interface Loopback0 overload
access-list 1 permit 144.1.55.0 0.0.0.255
access-list 100 permit ip host 144.1.55.5 any
!
route-map POLICY permit 10
 match ip address 100
 set interface Loopback0

R5 is able to ping the other router when not sourced from E1/0:
Rack1R5#p 144.1.15.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.1.15.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms

But if I source from E1/0 the ping is not OK:
Rack1R5#ping 144.1.15.1 source Ethernet1/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.1.15.1, timeout is 2 seconds:
Packet sent with a source address of 144.1.55.5
.....
Success rate is 0 percent (0/5)

I use debug ip policy and debug ip nat, and the output is:
*Mar 1 19:11:01.599: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100, policy match
*Mar 1 19:11:01.603: IP: route map POLICY, item 10, permit
*Mar 1 19:11:01.603: IP: s=144.1.55.5 (local), d=144.1.15.1 (Loopback0), len 100, policy routed
*Mar 1 19:11:01.603: IP: local to Loopback0 144.1.15.1.
*Mar 1 19:11:03.598: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100, policy match
*Mar 1 19:11:03.598: IP: route map POLICY, item 10, permit
*Mar 1 19:11:03.598: IP: s=144.1.55.5 (local), d=144.1.15.1 (Loopback0), len 100, policy routed
*Mar 1 19:11:03.598: IP: local to Loopback0 144.1.15.1
*Mar 1 19:11:05.601: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100, policy match
*Mar 1 19:11:05.601: IP: route map POLICY, item 10, permit
*Mar 1 19:11:05.601: IP: s=144.1.55.5 (local), d=144.1.15.1 (Loopback0), len 100, policy routed
*Mar 1 19:11:05.601: IP: local to Loopback0 144.1.15.1.
*Mar 1 19:11:07.604: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100, policy match
*Mar 1 19:11:07.604: IP: route map POLICY, item 10, permit
*Mar 1 19:11:07.604: IP: s=144.1.55.5 (local), d=144.1.15.1 (Loopback0), len 100, policy routed
*Mar 1 19:11:07.604: IP: local to Loopback0 144.1.15.1.
*Mar 1 19:11:09.608: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100, policy match
*Mar 1 19:11:09.608: IP: route map POLICY, item 10, permit
*Mar 1 19:11:09.608: IP: s=144.1.55.5 (local), d=144.1.15.1 (Loopback0), len 100, policy routed
*Mar 1 19:11:09.608: IP: local to Loopback0 144.1.15.1.

It seems that the local PBR is fine, but the NAT did not work.
Any comments?

--
Thanks
Best Regards,

Jung-I Lin



This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:57 GMT-3