From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Mon Apr 17 2006 - 02:32:37 GMT-3
Hello Guys.. / Lin
Lin, have you found a way to resolve this issue?
It seems that the policy routing is pushing the traffic to the loopback
interface, but it's not getting translated by the NAT process when the
traffic goes out the interface; you can tell that if you remove the local
policy and apply the ip nat out in int s0/0.
Experts, help here please :D
Thanks
Victor.
Rack1R5#show run | in nat inside source
ip nat inside source list 100 interface Loopback0 overload
Rack1R5#show run | in access
access-list 100 permit ip host 144.1.55.5 any
access-list 100 permit ip 144.1.55.0 0.0.0.255 any
Rack1R5#show run interface loopback 0
interface Loopback0
ip address 10.5.5.5 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
end
Rack1R5#show run | be route-map MYMAP permit 10
route-map MYMAP permit 10
ma ip add 100
set interface Loopback0
!
Rack1R5#show run | be route-map MYMAP permit 10
route-map MYMAP permit 10
set interface Loopback0
!
Rack1R5#ping 10.2.2.2 !!R2 Lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/66/68 ms
Rack1R5#
*Mar 1 02:20:04.012: IP: s=144.1.15.5 (local), d=10.2.2.2, len 100,
policy match
*Mar 1 02:20:04.012: ICMP type=8, code=0
*Mar 1 02:20:04.012: IP: route map MYMAP, item 10, permit
*Mar 1 02:20:04.016: IP: s=144.1.15.5 (local), d=10.2.2.2 (Loopback0),
len 100, policy routed
*Mar 1 02:20:04.016: ICMP type=8, code=0
*Mar 1 02:20:04.016: IP: local to Loopback0 10.2.2.2
*Mar 1 02:20:04.016: IP: tableid=0, s=144.1.15.5 (Loopback0), d=10.2.2.2
(Serial0/0), routed via RIB
*Mar 1 02:20:04.016: IP: s=144.1.15.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
*Mar 1 02:20:04.020: ICMP type=8, code=0
*Mar 1 02:20:04.076: IP: tableid=0, s=10.2.2.2 (Serial0/0), d=144.1.15.5
(Serial0/0), routed via RIB
*Mar 1 02:20:04.080: IP: s=144.1.15.5 (local), d=10.2.2.2, len 100,
policy match
*Mar 1 02:20:04.080: ICMP type=8, code=0
*Mar 1 02:20:04.080: IP: route map MYMAP, item 10, permit
*Mar 1 02:20:04.080: IP: s=144.1.15.5 (local), d=10.2.2.2
Rack1R5# (Loopback0), len 100, policy routed
*Mar 1 02:20:04.084: ICMP type=8, code=0
*Mar 1 02:20:04.084: IP: local to Loopback0 10.2.2.2
*Mar 1 02:20:04.084: IP: tableid=0, s=144.1.15.5 (Loopback0), d=10.2.2.2
(Serial0/0), routed via RIB
*Mar 1 02:20:04.084: IP: s=144.1.15.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
*Mar 1 02:20:04.088: ICMP type=8, code=0
*Mar 1 02:20:04.144: IP: tableid=0, s=10.2.2.2 (Serial0/0), d=144.1.15.5
(Serial0/0), routed via RIB
*Mar 1 02:20:04.148: IP: s=144.1.15.5 (local), d=10.2.2.2, len 100,
policy match
*Mar 1 02:20:04.148: ICMP type=8, code=0
*Mar 1 02:20:04.148: IP: route map MYMAP, item 10, permit
*Mar 1 02:20:04.148: IP: s=144.1.15.5 (local), d=10.2.2.2 (Loopback0),
len 100, policy routed
*Mar 1 02:20:04.148: ICMP type=8, code=0
*Mar 1 02:20:04.148: IP: local to Loopback0 10.2.2.2
*Mar 1 02:20:04.152: IP: tableid=0, s=144.1.15.5 (Loopback0), d=10.2.2.2
(Serial0/0), routed via RIB
*Mar 1 02:20:04.152: IP: s=144.1.15.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
*Mar 1 02:20:04.152: ICMP type=8, code=0
*Mar 1 02:20:04.212: IP: tableid=0, s=10.2.2.2 (Serial0/0), d=144.1.15.5
(Serial0/0), routed via RIB
*Mar 1 02:20:04.212: IP: s=144.1.15.5 (local), d=10.2.2.2, len 100,
policy match
*Mar 1 02:20:04.216: ICMP type=8, code=0
*Mar 1 02:20:04.216: IP: route map MYMAP, item 10, permit
*Mar 1 02:20:04.216: IP: s=144.1.15.5 (local), d=10.2.2.2 (Loopback0),
len 100, policy routed
*Mar 1 02:20:04.216: ICMP type=8, code=0
*Mar 1 02:20:04.216: IP: local to Loopback0 10.2.2.2
*Mar 1 02:20:04.220: IP: tableid=0, s=144.1.15.5 (Loopback0), d=10.2.2.2
(Serial0/0), routed via RIB
*Mar 1 02:20:04.220: IP: s=144.1.15.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
*Mar 1 02:20:04.220: ICMP type=8, code=0
*Mar 1 02:20:04.280: IP: tableid=0, s=10.2.2.2 (Serial0/0), d=144.1.15.5
(Serial0/0), routed via RIB
*Mar 1 02:20:04.280: IP: s=144.1.15.5 (local), d=10.2.2.2, len 100,
policy match
*Mar 1 02:20:04.280: ICMP type=8, code=0
*Mar 1 02:20:04.280: IP: route map MYMAP, item 10, permit
*Mar 1 02:20:04.284: IP: s=144.1.15.5 (local), d=10.2.2.2 (Loopback0),
len 100, policy routed
*Mar 1 02:20:04.284: ICMP type=8, code=0
*Mar 1 02:20:04.284: IP: local to Loopback0 10.2.2.2
*Mar 1 02:20:04.284: IP: tableid=0, s=144.1.15.5 (Loopback0), d=10.2.2.2
(Serial0/0), routed via RIB
*Mar 1 02:20:04.284: IP: s=144.1.15.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
*Mar 1 02:20:04.288: ICMP type=8, code=0
*Mar 1 02:20:04.344: IP: tableid=0, s=10.2.2.2 (Serial0/0), d=144.1.15.5
(Serial0/0), routed via RIB
And when doing the same for traffic sourced by the E1/0
Rack1R5#ping 10.2.2.2 source e1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 144.1.55.5
*Mar 1 02:20:39.358: IP: s=144.1.55.5 (local), d=10.2.2.2, len 100,
policy match
*Mar 1 02:20:39.362: ICMP type=8, code=0
*Mar 1 02:20:39.362: IP: route map MYMAP, item 10, permit
*Mar 1 02:20:39.362: IP: s=144.1.55.5 (local), d=10.2.2.2 (Loopback0),
len 100, policy routed
*Mar 1 02:20:39.362: ICMP type=8, code=0
*Mar 1 02:20:39.362: IP: local to Loopback0 10.2.2.2
*Mar 1 02:20:39.362: IP: tableid=0, s=144.1.55.5 (Loopback0), d=10.2.2.2
(Serial0/0), routed via RIB
*Mar 1 02:20:39.366: IP: s=144.1.55.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
*Mar 1 02:20:39.366: ICMP type=8, code=0.
*Mar 1 02:20:41.361: IP: s=144.1.55.5 (local), d=10.2.2.2, len 100,
policy match
*Mar 1 02:20:41.361: ICMP type=8, code=0
*Mar 1 02:20:41.361: IP: route map MYMAP, item 10, permit
*Mar 1 02:20:41.361: IP: s=144.1.55.5 (local), d=10.2.2.2 (Loopback0),
len 100, policy routed
*Mar 1 02:20:41.361: ICMP type=8, code=0
*Mar 1 02:20:41.361: IP: local to Loopback0 10.2.2.2
*Mar 1 02:20:41.365: IP: tableid=0, s=144.1.55.5 (Loopback0), d=10.2.2.2
(Serial0/0), routed via RIB
*Mar 1 02:20:41.365: IP: s=144.1.55.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
*Mar 1 02:20:41.365: ICMP type=8, code=0.
*Mar 1 02:20:43.364: IP: s=144.1.55.5 (local), d=10.2.2.2, len 100,
policy match
*Mar 1 02:20:43.364: ICMP type=8, code=0
*Mar 1 02:20:43.364: IP: route map MYMAP, item 10, permit
*Mar 1 02:20:43.364: IP: s=144.1.55.5 (local), d=10.2.2.2 (Loopback0),
len 100, policy routed
*Mar 1 02:20:43.364: ICMP type=8, code=0
*Mar 1 02:20:43.364: IP: local to Loopback0 10.2.2.2
*Mar 1 02:20:43.368: IP: tableid=0, s=144.1.55.5 (Loopback0), d=10.2.2.2
(Serial0/0), routed via RIB
*Mar 1 02:20:43.368: IP: s=144.1.55.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
*Mar 1 02:20:43.368: ICMP type=8, code=0.
*Mar 1 02:20:45.368: IP: s=144.1.55.5 (local), d=10.2.2.2, len 100,
policy match
*Mar 1 02:20:45.368: ICMP type=8, code=0
*Mar 1 02:20:45.368: IP: route map MYMAP, item 10, permit
*Mar 1 02:20:45.368: IP: s=144.1.55.5 (local), d=10.2.2.2 (Loopback0),
len 100, policy routed
*Mar 1 02:20:45.368: ICMP type=8, code=0
*Mar 1 02:20:45.368: IP: local to Loopback0 10.2.2.2
*Mar 1 02:20:45.372: IP: tableid=0, s=144.1.55.5 (Loopback0), d=10.2.2.2
(Serial0/0), routed via RIB
*Mar 1 02:20:45.372: IP: s=144.1.55.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
*Mar 1 02:20:45.372: ICMP type=8, code=0.
*Mar 1 02:20:47.367: IP: s=144.1.55.5 (local), d=10.2.2.2, len 100,
policy match
*Mar 1 02:20:47.367: ICMP type=8, code=0
*Mar 1 02:20:47.367: IP: route map MYMAP, item 10, permit
*Mar 1 02:20:47.367: IP: s=144.1.55.5 (local), d=10.2.2.2 (Loopback0),
len 100, policy routed
*Mar 1 02:20:47.367: ICMP type=8, code=0
*Mar 1 02:20:47.367: IP: local to Loopback0 10.2.2.2
*Mar 1 02:20:47.371: IP: tableid=0, s=144.1.55.5 (Loopback0), d=10.2.2.2
(Serial0/0), routed via RIB
*Mar 1 02:20:47.371: IP: s=144.1.55.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
*Mar 1 02:20:47.371: ICMP type=8, code=0.
Success rate is 0 percent (0/5)
-----Original Message-----
From: nobody@groupstudy.com [ mailto:nobody@groupstudy.com ] On Behalf Of
Victor Cappuccio
Sent: Sunday, April 16, 2006 12:09 AM
To: Victor Cappuccio
Cc: Jung-I Lin; CCIE GroupStudy
Subject: Re: Question About Local Policy Route-map + NAT (IE CoreLab Lab7
task 4.9)
Lin, that is called NAT on a Stick
Here is the link for more information: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
HTH
Victor.
Victor Cappuccio wrote:
Hi my friend.. I have not seen this lab yet, but maybe changing the ip
nat outside to E1/0 and nat inside to loo0
Jung-I Lin wrote:
Dear All,
I have a question which is related to Local PBR + NAT.
The scenario is like this
R5 has several interfaces participating in OSPF; the only exception is
E1/0.
The goal is to have the packets which are sourced from R5's E1/0
reach the others and be correctly replied to.
And the restriction is that you can only use one "ip nat outside" command
on an interface.
So I use local policy route-map + NAT; part of the config is as
follows:
!
interface Loopback0
ip address 150.1.5.5 255.255.255.0
ip nat outside
!
interface Ethernet0/0
ip address 144.1.5.5 255.255.255.0
half-duplex
!
interface Serial0/0
no ip address
encapsulation frame-relay
clockrate 125000
no fair-queue
!
interface Serial0/0.501 multipoint
ip address 144.1.15.5 255.255.255.0
ip ospf network point-to-point
frame-relay map ip 144.1.15.1 501 broadcast
!
interface BRI0/0
no ip address
shutdown
!
interface Serial0/1
ip unnumbered Ethernet0/0
encapsulation ppp
clockrate 64000
!
interface Ethernet1/0
ip address 144.1.55.5 255.255.255.0
ip nat inside
half-duplex
!
router ospf 1
log-adjacency-changes
redistribute connected subnets route-map CONNECTED->OSPF
network 144.1.5.5 0.0.0.0 area 0
network 144.1.15.5 0.0.0.0 area 0
!
ip local policy route-map POLICY
ip nat inside source list 1 interface Loopback0 overload
access-list 1 permit 144.1.55.0 0.0.0.255
access-list 100 permit ip host 144.1.55.5 any
!
route-map POLICY permit 10
match ip address 100
set interface Loopback0
R5 is able to ping the other router when not sourced from E1/0
Rack1R5#p 144.1.15.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.1.15.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
But if I source from E1/0, the ping is not OK.
Rack1R5#ping 144.1.15.1 source Ethernet1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.1.15.1, timeout is 2 seconds:
Packet sent with a source address of 144.1.55.5
.....
Success rate is 0 percent (0/5)
I use debug ip policy and debug ip nat, and the output is:
*Mar 1 19:11:01.599: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
policy match
*Mar 1 19:11:01.603: IP: route map POLICY, item 10, permit
*Mar 1 19:11:01.603: IP: s=144.1.55.5 (local), d=144.1.15.1
(Loopback0), len 100, policy routed
*Mar 1 19:11:01.603: IP: local to Loopback0 144.1.15.1.
*Mar 1 19:11:03.598: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
policy match
*Mar 1 19:11:03.598: IP: route map POLICY, item 10, permit
*Mar 1 19:11:03.598: IP: s=144.1.55.5 (local), d=144.1.15.1
(Loopback0), len 100, policy routed
*Mar 1 19:11:03.598: IP: local to Loopback0 144.1.15.1
*Mar 1 19:11:05.601: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
policy match
*Mar 1 19:11:05.601: IP: route map POLICY, item 10, permit
*Mar 1 19:11:05.601: IP: s=144.1.55.5 (local), d=144.1.15.1
(Loopback0), len 100, policy routed
*Mar 1 19:11:05.601: IP: local to Loopback0 144.1.15.1.
*Mar 1 19:11:07.604: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
policy match
*Mar 1 19:11:07.604: IP: route map POLICY, item 10, permit
*Mar 1 19:11:07.604: IP: s=144.1.55.5 (local), d=144.1.15.1
(Loopback0), len 100, policy routed
*Mar 1 19:11:07.604: IP: local to Loopback0 144.1.15.1.
*Mar 1 19:11:09.608: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
policy match
*Mar 1 19:11:09.608: IP: route map POLICY, item 10, permit
*Mar 1 19:11:09.608: IP: s=144.1.55.5 (local), d=144.1.15.1
(Loopback0), len 100, policy routed
*Mar 1 19:11:09.608: IP: local to Loopback0 144.1.15.1.
It seems that the Local PBR is fine, but the NAT did not work.
Any comments?
--
Thanks
Best Regards,
Jung-I Lin
_______________________________________________________________________
Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:57 GMT-3
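
Added example (not part of the original thread): a Python check for the symptom described in the messages above, where packets are policy-routed through Loopback0 but are forwarded out Serial0/0 with a source that still matches the NAT ACL. The log sample is constructed in the thread's debug format, and the function names are illustrative.

```python
import ipaddress
import re

# ACL 100 as quoted in the thread: the sources NAT is expected to translate.
ACL = """\
access-list 100 permit ip host 144.1.55.5 any
access-list 100 permit ip 144.1.55.0 0.0.0.255 any
"""
# Constructed sample in the thread's debug format, wrapped as the archive wraps it.
LOG = """\
*Mar 1 02:20:04.016: IP: s=144.1.15.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
*Mar 1 02:20:39.362: IP: s=144.1.55.5 (local), d=10.2.2.2 (Loopback0),
len 100, policy routed
*Mar 1 02:20:39.366: IP: s=144.1.55.5 (Loopback0), d=10.2.2.2
(Serial0/0), g=144.1.15.1, len 100, forward
"""
ACL_RE = re.compile(r"access-list \d+ permit ip (?:host (\S+)|(\S+) (\S+)) any")
FWD_RE = re.compile(r"\*(\w+ +\d+ [\d:.]+): IP: s=(\S+) \(\S+\), d=\S+ \((\S+)\), "
                    r"g=\S+, len \d+, forward")

def acl_sources(acl_text):
    """Turn 'permit ip' entries into networks (ipaddress accepts wildcard masks)."""
    nets = []
    for host, base, wildcard in ACL_RE.findall(acl_text):
        nets.append(ipaddress.ip_network(f"{host}/32" if host else f"{base}/{wildcard}"))
    return nets

def unwrap(log_text):
    """Rejoin debug entries that were wrapped onto a continuation line."""
    entries = []
    for line in log_text.splitlines():
        if line.startswith("*") or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def untranslated_forwards(log_text, acl_text, egress="Serial0/0"):
    """Packets forwarded out `egress` whose source still matches the NAT ACL."""
    nets = acl_sources(acl_text)
    hits = []
    for entry in unwrap(log_text):
        m = FWD_RE.match(entry)
        if m and m.group(3) == egress:
            src = ipaddress.ip_address(m.group(2))
            if any(src in net for net in nets):
                hits.append((m.group(1), str(src)))
    return hits
```

On this sample, `untranslated_forwards(LOG, ACL)` reports only the 144.1.55.5 packet; the 144.1.15.5 packet is outside ACL 100 and is not flagged.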