Re: Question About Local Policy Route-map + NAT (IE CoreLab

From: Jung-I Lin (easyman.lin@gmail.com)
Date: Mon Apr 17 2006 - 02:25:44 GMT-3


Hi, Victor

I think NAT on a stick is only valid for transit traffic, but not for the
router's own originated traffic.
Although you can use the local policy route-map function to force policy
routing of locally originated traffic, NAT will not function for the
router's locally originated traffic.
I did a small lab for testing this function; the topology is as follows:

R1(S0/1)------(S0/2)R3---(E0/0)(Nat inside)
                             \
                              (L0)(Nat outside)

The requirement is to have R3 be able to ping R1 S0/1 when the packets are
sourced from R3 E0/0.

R1:
interface Serial0/1
 ip address 10.1.13.1 255.255.255.0
 encapsulation ppp
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary

R3:
interface Loopback0
 ip address 150.1.3.3 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
!
interface Ethernet0/0
 ip address 20.1.3.3 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 half-duplex
!
interface Serial0/2
 ip address 10.1.13.3 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 clockrate 125000
!
router rip
 version 2
 network 10.0.0.0
 network 150.1.0.0
 no auto-summary
!
ip local policy route-map LOCAL_POLICY
ip nat inside source list 10 interface Loopback0 overload
access-list 10 permit 20.1.3.0 0.0.0.255
access-list 100 permit ip host 20.1.3.3 any
access-list 101 permit icmp any any
access-list 199 permit icmp any any
!
route-map LOCAL_POLICY permit 10
 match ip address 100
 set interface Loopback0

R1 show ip route
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.13.3/32 is directly connected, Serial0/1
C 10.1.13.0/24 is directly connected, Serial0/1
     150.1.0.0/24 is subnetted, 2 subnets
R 150.1.3.0 [120/1] via 10.1.13.3, 00:00:13, Serial0/1 (R1 knows
Lo0 of R3)
C 150.1.1.0 is directly connected, Loopback0

R3
debug ip icmp
debug ip policy
debug ip nat
Rack1R3#p 10.1.13.1 re 1 so 20.1.3.3

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
Packet sent with a source address of 20.1.3.3
.
Success rate is 0 percent (0/1)

sh logg
*Mar 1 18:20:33.411: IP: s=20.1.3.3 (local), d=10.1.13.1, len 100, policy match
*Mar 1 18:20:33.411: IP: route map LOCAL_POLICY, item 10, permit
*Mar 1 18:20:33.411: IP: s=20.1.3.3 (local), d=10.1.13.1 (Loopback0),
len 100, policy routed
*Mar 1 18:20:33.411: IP: local to Loopback0 10.1.13.1
R3 policy-routes the ICMP packet to Loopback0, as shown in the debug output.
But NAT is not functioning; I can't see any NAT debug output.

And R1 shows the packet is sourced from 20.1.3.3, which is R3's E0/0.

R1:
debug ip icmp
*Mar 1 18:20:31.931: ICMP: echo reply sent, src 10.1.13.1, dst 20.1.3.3

I have exchanged the ip nat inside and outside commands on Lo0 & E0/0,
but it is still the same.

The only way I can successfully ping R1 is using "ip nat inside" on
R3's Loop0 and "ip nat outside" on R3's S0/2.
See below:
R3:
interface Loopback0
 ip address 150.1.3.3 255.255.255.0
 ip nat inside
!
interface Serial0/2
 ip address 10.1.13.3 255.255.255.0
 ip nat outside
 encapsulation ppp

Rack1R3#p 10.1.13.1 re 1 so 20.1.3.3

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
Packet sent with a source address of 20.1.3.3
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 24/24/24 ms
Rack1R3#
*Mar 1 18:42:20.269: IP: s=20.1.3.3 (local), d=10.1.13.1, len 100, policy match
*Mar 1 18:42:20.273: IP: route map LOCAL_POLICY, item 10, permit
*Mar 1 18:42:20.273: IP: s=20.1.3.3 (local), d=10.1.13.1 (Loopback0),
len 100, policy routed
*Mar 1 18:42:20.273: IP: local to Loopback0 10.1.13.1
*Mar 1 18:42:20.273: NAT: s=20.1.3.3->150.1.3.3, d=10.1.13.1 [33]
*Mar 1 18:42:20.293: NAT: s=10.1.13.1, d=150.1.3.3->20.1.3.3 [33]
*Mar 1 18:42:20.293: ICMP: echo reply rcvd, src 10.1.13.1, dst 20.1.3.3

In conclusion, I think "inside source nat" will only take effect when
the packet is coming in from a "nat inside" interface and going out a
"nat outside" interface.

Back to my original question, I think R5 is not able to ping the other
routers if it can only use one "ip nat outside" command.

On 4/16/06, Victor Cappuccio <cvictor@protokolgroup.com> wrote:
> Lin, that is called NAT on a Stick
> here is the link for more information.
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
>
> HTH
> Victor.
>
>
> Victor Cappuccio wrote:
> > Hi My friend.. I have not seen this lab yet but maybe changing the ip
> > nat outside to E1/0 and nat inside to loo0
> >
> >
> > Jung-I Lin wrote:
> >> Dear All,
> >>
> >> I have a question which is related to Local PBR + NAT.
> >> The scenario is like this
> >>
> >> R5 has several interfaces participating in OSPF; the only exception is
> >> E1/0.
> >> The goal is to have the packets which are sourced from R5's E1/0 reach
> >> the others and be correctly replied to.
> >> And the restriction is you can only use one "ip nat outside" command
> >> on an interface.
> >>
> >> So I use local policy route-map + NAT; part of the config is as
> >> follows:
> >>
> >> !
> >> interface Loopback0
> >> ip address 150.1.5.5 255.255.255.0
> >> ip nat outside
> >> !
> >> interface Ethernet0/0
> >> ip address 144.1.5.5 255.255.255.0
> >> half-duplex
> >> !
> >> interface Serial0/0
> >> no ip address
> >> encapsulation frame-relay
> >> clockrate 125000
> >> no fair-queue
> >> !
> >> interface Serial0/0.501 multipoint
> >> ip address 144.1.15.5 255.255.255.0
> >> ip ospf network point-to-point
> >> frame-relay map ip 144.1.15.1 501 broadcast
> >> !
> >> interface BRI0/0
> >> no ip address
> >> shutdown
> >> !
> >> interface Serial0/1
> >> ip unnumbered Ethernet0/0
> >> encapsulation ppp
> >> clockrate 64000
> >> !
> >> interface Ethernet1/0
> >> ip address 144.1.55.5 255.255.255.0
> >> ip nat inside
> >> half-duplex
> >> !
> >> router ospf 1
> >> log-adjacency-changes
> >> redistribute connected subnets route-map CONNECTED->OSPF
> >> network 144.1.5.5 0.0.0.0 area 0
> >> network 144.1.15.5 0.0.0.0 area 0
> >> !
> >> ip local policy route-map POLICY
> >> ip nat inside source list 1 interface Loopback0 overload
> >> access-list 1 permit 144.1.55.0 0.0.0.255
> >> access-list 100 permit ip host 144.1.55.5 any
> >> !
> >> route-map POLICY permit 10
> >> match ip address 100
> >> set interface Loopback0
> >>
> >> R5 is able to ping other routers when not sourced from E1/0:
> >> Rack1R5#p 144.1.15.1
> >>
> >> Type escape sequence to abort.
> >> Sending 5, 100-byte ICMP Echos to 144.1.15.1, timeout is 2 seconds:
> >> !!!!!
> >> Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
> >>
> >>
> >> But if I source from E1/0 the ping is not OK.
> >> Rack1R5#ping 144.1.15.1 source Ethernet1/0
> >>
> >> Type escape sequence to abort.
> >> Sending 5, 100-byte ICMP Echos to 144.1.15.1, timeout is 2 seconds:
> >> Packet sent with a source address of 144.1.55.5
> >> .....
> >> Success rate is 0 percent (0/5)
> >>
> >>
> >> I use debug ip policy and debug ip nat, and the output is:
> >> *Mar 1 19:11:01.599: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
> >> policy match
> >> *Mar 1 19:11:01.603: IP: route map POLICY, item 10, permit
> >> *Mar 1 19:11:01.603: IP: s=144.1.55.5 (local), d=144.1.15.1
> >> (Loopback0), len 100, policy routed
> >> *Mar 1 19:11:01.603: IP: local to Loopback0 144.1.15.1.
> >> *Mar 1 19:11:03.598: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
> >> policy match
> >> *Mar 1 19:11:03.598: IP: route map POLICY, item 10, permit
> >> *Mar 1 19:11:03.598: IP: s=144.1.55.5 (local), d=144.1.15.1
> >> (Loopback0), len 100, policy routed
> >> *Mar 1 19:11:03.598: IP: local to Loopback0 144.1.15.1
> >> *Mar 1 19:11:05.601: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
> >> policy match
> >> *Mar 1 19:11:05.601: IP: route map POLICY, item 10, permit
> >> *Mar 1 19:11:05.601: IP: s=144.1.55.5 (local), d=144.1.15.1
> >> (Loopback0), len 100, policy routed
> >> *Mar 1 19:11:05.601: IP: local to Loopback0 144.1.15.1.
> >> *Mar 1 19:11:07.604: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
> >> policy match
> >> *Mar 1 19:11:07.604: IP: route map POLICY, item 10, permit
> >> *Mar 1 19:11:07.604: IP: s=144.1.55.5 (local), d=144.1.15.1
> >> (Loopback0), len 100, policy routed
> >> *Mar 1 19:11:07.604: IP: local to Loopback0 144.1.15.1.
> >> *Mar 1 19:11:09.608: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
> >> policy match
> >> *Mar 1 19:11:09.608: IP: route map POLICY, item 10, permit
> >> *Mar 1 19:11:09.608: IP: s=144.1.55.5 (local), d=144.1.15.1
> >> (Loopback0), len 100, policy routed
> >> *Mar 1 19:11:09.608: IP: local to Loopback0 144.1.15.1.
> >>
> >> It seems that the Local PBR is fine, but the NAT did not work.
> >> Any comments?
> >> --
> >> Thanks
> >> Best Regards,
> >>
> >> Jung-I Lin
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >
>

--
Thanks
Best Regards,

Jung-I Lin
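The rule stated in the conclusion above ("inside source" NAT translates only when a packet enters a "nat inside" interface and leaves a "nat outside" interface, with the reply untranslated on the reverse path) can be checked with a small model that replays the three R3 configurations tried in this thread. The following code is an added illustration, not part of the original thread and not IOS internals: local policy routing to a loopback is modeled as the packet re-entering the router through that loopback (matching the "IP: local to Loopback0" debug line), R1's routing table is reduced to the prefixes shown in the thread's "show ip route", and the class names, toy route tables and trace format are assumptions of the model.

```python
"""Model of where IOS inside-source NAT applies, versus local policy routing.

Added example, not code from the mailing-list thread. It encodes only the
rule concluded in the thread: 'ip nat inside source' translates a packet when
it enters a 'nat inside' interface and leaves a 'nat outside' interface, and
untranslates the reply on the reverse path. Local policy routing to a
loopback is modeled as the packet re-entering via that loopback. Addresses
and interface names come from the lab; everything else is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str


# R1's routing table as shown in the thread: 10.1.13.0/24 (connected),
# 150.1.3.0/24 (RIP) and 150.1.1.0/24 (its own Lo0). 20.1.3.0/24 is absent.
R1_ROUTES = ("10.1.13.", "150.1.3.", "150.1.1.")


@dataclass
class R3:
    nat_role: Dict[str, Optional[str]]           # interface -> "inside" | "outside" | None
    inside_global: str = "150.1.3.3"              # 'interface Loopback0 overload'
    nat_acl_prefix: str = "20.1.3."               # access-list 10 permit 20.1.3.0 0.0.0.255
    local_policy: Dict[str, str] = field(         # route-map LOCAL_POLICY: acl 100 -> set interface Lo0
        default_factory=lambda: {"20.1.3.3": "Loopback0"})
    routes: Dict[str, str] = field(default_factory=lambda: {   # toy longest-prefix table
        "10.1.13.": "Serial0/2", "150.1.3.": "Loopback0", "20.1.3.": "Ethernet0/0"})
    table: Dict[str, str] = field(default_factory=dict)        # inside global -> inside local
    trace: List[str] = field(default_factory=list)             # debug-style lines

    def egress_for(self, dst: str) -> Optional[str]:
        for prefix, iface in self.routes.items():
            if dst.startswith(prefix):
                return iface
        return None

    def nat(self, pkt: Packet, ingress: str, egress: Optional[str]) -> Packet:
        """Inside->outside: translate source. Outside->inside: untranslate destination."""
        rin = self.nat_role.get(ingress)
        rout = self.nat_role.get(egress) if egress else None
        if rin == "inside" and rout == "outside" and pkt.src.startswith(self.nat_acl_prefix):
            self.table[self.inside_global] = pkt.src
            self.trace.append(f"NAT: s={pkt.src}->{self.inside_global}, d={pkt.dst}")
            return Packet(self.inside_global, pkt.dst)
        if rin == "outside" and rout == "inside" and pkt.dst in self.table:
            local = self.table[pkt.dst]
            self.trace.append(f"NAT: s={pkt.src}, d={pkt.dst}->{local}")
            return Packet(pkt.src, local)
        return pkt

    def send_local(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        """Router-originated packet; local PBR may hand it to a loopback first."""
        ingress = "local"
        target = self.local_policy.get(pkt.src)
        if target:
            self.trace.append(f"IP: local to {target} {pkt.dst}")
            ingress = target                      # modeled: re-enters through the loopback
        egress = self.egress_for(pkt.dst)
        return self.nat(pkt, ingress, egress), egress

    def receive(self, pkt: Packet, ingress: str) -> Packet:
        """Packet arriving from the wire, e.g. R1's echo reply on Serial0/2."""
        return self.nat(pkt, ingress, self.egress_for(pkt.dst))


def run_lab(roles: Dict[str, Optional[str]]) -> dict:
    """Replay 'ping 10.1.13.1 source 20.1.3.3' on R3 with the given NAT roles."""
    r3 = R3(nat_role=roles)
    on_wire, egress = r3.send_local(Packet("20.1.3.3", "10.1.13.1"))
    result = {"sent_src": on_wire.src, "egress": egress, "reply_dst": None,
              "success": False, "trace": r3.trace}
    if not any(on_wire.src.startswith(p) for p in R1_ROUTES):
        result["why"] = "R1 has no route back to the untranslated source"
        return result
    reply = r3.receive(Packet("10.1.13.1", on_wire.src), "Serial0/2")
    result["reply_dst"] = reply.dst
    result["success"] = reply.dst == "20.1.3.3"
    return result


LAB1 = {"Ethernet0/0": "inside", "Loopback0": "outside"}     # first attempt: no NAT debug
LAB1_SWAPPED = {"Ethernet0/0": "outside", "Loopback0": "inside"}  # roles exchanged: same
LAB2 = {"Loopback0": "inside", "Serial0/2": "outside"}       # the working configuration

if __name__ == "__main__":
    for name, roles in (("lab1", LAB1), ("lab1 swapped", LAB1_SWAPPED), ("lab2", LAB2)):
        r = run_lab(roles)
        print(f"{name}: sent as {r['sent_src']}, success={r['success']}, trace={r['trace']}")
```

In the first two configurations the policy-routed packet is injected at Loopback0 and leaves Serial0/2, which has no NAT role, so no translation occurs and the echo leaves with source 20.1.3.3, a prefix R1 cannot route back to. Only when Loopback0 is "inside" and Serial0/2 is "outside" does the packet cross an inside-to-outside boundary, producing the two NAT trace lines seen in the working debug.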



This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:57 GMT-3