IP NAT outside static issue

From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Mon May 15 2006 - 01:46:12 ART


Group -

(sorry for the length on this one)....but I have been working with some of the
various permutations of NAT and ran into one that I could not figure out. I
have a router R4 doing NAT with R6 being the inside (10.1.1.0 network), and
R1 being on the outside (192.168.1.0 network). I am trying to make the
outside look as though it is attached to the inside of the network by using
the ip nat outside command. I can get a ping to go from R1 to R6 and R6
to respond, but the translation in the reverse direction does not appear to be
working. Thoughts? .....here are the configs and debugs.....

R4.......
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 no ip route-cache cef
 no ip route-cache
 duplex half
 speed 10
!
interface Serial1/0
 ip address 192.168.1.4 255.255.255.0
 ip nat outside
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 192.168.1.1 401 broadcast
 frame-relay map ip 192.168.1.4 401
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
!
router eigrp 100
 network 192.168.1.0
 no auto-summary
!
ip nat outside source static 192.168.1.1 10.1.1.20

R6 (inside).....no ip routing, set up to appear as a Workstation.....

interface FastEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip access-group 100 in
 no ip route-cache
 duplex auto
 speed auto
!
access-list 100 permit icmp host 10.1.1.10 host 10.1.1.3
access-list 100 permit icmp any any
access-list 100 permit ip any any

R1 (outside).......

!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 192.168.1.1 104
 frame-relay map ip 192.168.1.4 104 broadcast
 no frame-relay inverse-arp
!
router eigrp 100
 network 172.16.0.0
 network 192.168.1.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.1.4

R4 (show ip nat trans)......when doing a ping from R1 to 10.1.1.3 (inside)......

R4#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.20          192.168.1.1
--- 10.1.1.3           10.1.1.3           10.1.1.20          192.168.1.1
--- ---                ---                10.1.1.10          172.16.1.2
R4#

R4 deb ip nat det......
R4#deb ip nat det
IP NAT detailed debugging is on
*May 14 21:49:06.352: NAT*: o: icmp (192.168.1.1, 18) -> (10.1.1.3, 18) [2159]
*May 14 21:49:06.352: NAT*: s=192.168.1.1->10.1.1.20, d=10.1.1.3 [2159]l
*May 14 21:49:08.352: NAT*: o: icmp (192.168.1.1, 18) -> (10.1.1.3, 18) [2160]
*May 14 21:49:08.352: NAT*: s=192.168.1.1->10.1.1.20, d=10.1.1.3 [2160]
*May 14 21:49:10.352: NAT*: o: icmp (192.168.1.1, 18) -> (10.1.1.3, 18) [2161]

debug ip icmp at R4......
R4#
*May 14 21:47:22.352: ICMP: echo reply rcvd, src 10.1.1.3, dst 10.1.1.20q
*May 14 21:47:24.356: ICMP: echo reply rcvd, src 10.1.1.3, dst 10.1.1.20
*May 14 21:47:26.352: ICMP: echo reply rcvd, src 10.1.1.3, dst 10.1.1.20

debug ip icmp at R6.....

R6#
*Mar 3 15:12:52.108: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.20
*Mar 3 15:12:54.108: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.20
*Mar 3 15:12:56.108: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.20

It appears from the above that the echo replies from 10.1.1.3 to 10.1.1.20 are
not being translated on the return trip through R4. I was thinking that I may
have to create a null route to see if they are even getting to R4. So, I added
the following ....ip route 10.1.1.20 255.255.255.255 Null0. Then, the debug ip
icmp on R4 shows this......

R4#deb ip
*May 14 21:53:23.744: %SYS-5-CONFIG_I: Configured from console by consoleicmp
ICMP packet debugging is on
R4#
*May 14 21:53:28.352: ICMP: dst (10.1.1.20) host unreachable sent to 10.1.1.3
*May 14 21:53:30.352: ICMP: dst (10.1.1.20) host unreachable sent to 10.1.1.3
*May 14 21:53:32.352: ICMP: dst (10.1.1.20) host unreachable sent to 10.1.1.3

I know I am missing something, but I have looked at this from all sides and
can't seem to see the issues. I hope someone has some insights.

Dave
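
The following is an added example, not part of the original post: a small Python model of R4's forwarding decision for the echo reply from R6, using the addresses in the configs above. It assumes the documented IOS order of operations, in which a packet going from inside to outside is routed first and translated only if the chosen egress interface is marked `ip nat outside`; the function names and the third route are hypothetical.

```python
import ipaddress

# Constructed model of R4 using the addresses from the post. Assumption: IOS
# routes an inside-to-outside packet first and translates it only if the
# chosen egress interface is marked "ip nat outside".
NAT_OUTSIDE_IFACES = {"Serial1/0"}
OUTSIDE_LOCAL_TO_GLOBAL = {"10.1.1.20": "192.168.1.1"}  # ip nat outside source static
CONNECTED = [("10.1.1.0/24", "FastEthernet0/0"), ("192.168.1.0/24", "Serial1/0")]


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward_from_inside(dst, extra_routes=()):
    """Return (egress interface, destination on the wire) for a packet from R6."""
    egress = lookup(CONNECTED + list(extra_routes), dst)
    if egress is None or egress == "Null0":
        return egress, None  # dropped before NAT is ever consulted
    if egress in NAT_OUTSIDE_IFACES:
        dst = OUTSIDE_LOCAL_TO_GLOBAL.get(dst, dst)  # outside local -> outside global
    return egress, dst


if __name__ == "__main__":
    cases = {
        "config as posted": (),
        "with Null0 host route": [("10.1.1.20/32", "Null0")],
        "host route out Serial1/0": [("10.1.1.20/32", "Serial1/0")],  # hypothetical
    }
    for name, routes in cases.items():
        print(f"{name:26} -> {forward_from_inside('10.1.1.20', routes)}")
```

In this model the posted config resolves 10.1.1.20 to the connected inside subnet, so the reply never reaches the outside interface where the translation would apply. The third case corresponds to giving R4 a host route for 10.1.1.20 toward Serial1/0, which IOS can also install through the `add-route` keyword of `ip nat outside source static`.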


