From: Petr Lapukhov (petrsoft@gmail.com)
Date: Mon May 15 2006 - 02:25:51 ART
Dave,
AFAIK inside nat is performed AFTER routing lookup, and outside nat
is performed BEFORE routing lookup.
That is, when the return packet hits the inside interface, it is routed to the local alias, and is not translated.
Try adding a static route at R4:
ip route 10.1.1.20 255.255.255.255 192.168.1.1
Also, check the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f2f.shtml
HTH
Petr
2006/5/15, Schulz, Dave <DSchulz@dpsciences.com>:
>
> Group -
>
> (sorry for the length on this one)....but I have been working with some of
> the various permutations of NAT and ran into one that I could not figure
> out. I have a router R4 doing NAT with R6 being the inside (10.1.1.0
> network), and, R1 being on the outside (192.168.1.0 network). I am trying to
> make the outside to look as though it is attached to the inside of the
> network by using the ip nat outside command. I can get a ping to go from the
> R1 to R6 and R6 to respond, but the translation in the reverse direction
> does not appear to be working. Thoughts? .....here are the configs and
> debugs.....
>
> R4.......
> !
> interface FastEthernet0/0
> ip address 10.1.1.1 255.255.255.0
> ip nat inside
> no ip route-cache cef
> no ip route-cache
> duplex half
> speed 10
> !
> interface Serial1/0
> ip address 192.168.1.4 255.255.255.0
> ip nat outside
> encapsulation frame-relay
> serial restart-delay 0
> frame-relay map ip 192.168.1.1 401 broadcast
> frame-relay map ip 192.168.1.4 401
> no frame-relay inverse-arp
> frame-relay lmi-type ansi
> !
> router eigrp 100
> network 192.168.1.0
> no auto-summary
> !
> ip nat outside source static 192.168.1.1 10.1.1.20
>
>
>
> R6 (inside).....no ip routing, set up to appear as a Workstation.....
>
> interface FastEthernet0/0
> ip address 10.1.1.3 255.255.255.0
> ip access-group 100 in
> no ip route-cache
> duplex auto
> speed auto
> !
> access-list 100 permit icmp host 10.1.1.10 host 10.1.1.3
> access-list 100 permit icmp any any
> access-list 100 permit ip any any
>
> R1 (outside).......
>
> !
> interface Serial0/0
> ip address 192.168.1.1 255.255.255.0
> encapsulation frame-relay
> frame-relay map ip 192.168.1.1 104
> frame-relay map ip 192.168.1.4 104 broadcast
> no frame-relay inverse-arp
> !
> router eigrp 100
> network 172.16.0.0
> network 192.168.1.0
> no auto-summary
> !
> ip route 0.0.0.0 0.0.0.0 192.168.1.4
>
>
> R4 (show ip nat trans)......when doing a ping from R1 to 10.1.1.3 (inside)......
>
> R4#sh ip nat trans
> Pro Inside global      Inside local       Outside local      Outside global
> --- ---                ---                10.1.1.20          192.168.1.1
> --- 10.1.1.3           10.1.1.3           10.1.1.20          192.168.1.1
> --- ---                ---                10.1.1.10          172.16.1.2
> R4#
>
> R4 deb ip nat det......
> R4#deb ip nat det
> IP NAT detailed debugging is on
> *May 14 21:49:06.352: NAT*: o: icmp (192.168.1.1, 18) -> (10.1.1.3, 18) [2159]
> *May 14 21:49:06.352: NAT*: s=192.168.1.1->10.1.1.20, d=10.1.1.3 [2159]l
> *May 14 21:49:08.352: NAT*: o: icmp (192.168.1.1, 18) -> (10.1.1.3, 18) [2160]
> *May 14 21:49:08.352: NAT*: s=192.168.1.1->10.1.1.20, d=10.1.1.3 [2160]
> *May 14 21:49:10.352: NAT*: o: icmp (192.168.1.1, 18) -> (10.1.1.3, 18) [2161]
>
>
> debug ip icmp at R4......
> R4#
> *May 14 21:47:22.352: ICMP: echo reply rcvd, src 10.1.1.3, dst 10.1.1.20q
> *May 14 21:47:24.356: ICMP: echo reply rcvd, src 10.1.1.3, dst 10.1.1.20
> *May 14 21:47:26.352: ICMP: echo reply rcvd, src 10.1.1.3, dst 10.1.1.20
>
> debug ip icmp at R6.....
>
> R6#
> *Mar 3 15:12:52.108: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.20
> *Mar 3 15:12:54.108: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.20
> *Mar 3 15:12:56.108: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.20
>
> It appears from the above that the echo replies from 10.1.13 to 10.1.1.20
> are not being translated on the return trip through R4. I was thinking that
> I may have to create a null route to see if they are even getting to R4.
> So, I add the following ....ip route 10.1.1.20 255.255.255.255 Null0. Then,
> the debug ip icmp on R4 shows this......
>
> R4#deb ip
> *May 14 21:53:23.744: %SYS-5-CONFIG_I: Configured from console by consoleicmp
> ICMP packet debugging is on
> R4#
> *May 14 21:53:28.352: ICMP: dst (10.1.1.20) host unreachable sent to 10.1.1.3
> *May 14 21:53:30.352: ICMP: dst (10.1.1.20) host unreachable sent to 10.1.1.3
> *May 14 21:53:32.352: ICMP: dst (10.1.1.20) host unreachable sent to 10.1.1.3
>
> I know I am missing something, but I have looked at this from all sides and
> can't seem to see the issues. I hope someone has some insights.
>
> Dave
>
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:21 ART
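
The order of operations discussed in this thread, as an added example that is not part of either message and is not Cisco code: a small Python model of R4 that routes before NAT for packets arriving on the inside interface and applies NAT before routing for packets arriving on the outside interface. Assumptions: the function and variable names are hypothetical, the static route's next hop 192.168.1.1 is collapsed to its egress interface Se1/0, and the model only records which interface the lookup selects (in the thread R4 consumes the reply itself as the NAT alias).

```python
import ipaddress

# Constructed model of R4 from the thread's configuration.
INSIDE, OUTSIDE = "Fa0/0", "Se1/0"
CONNECTED = [("10.1.1.0/24", INSIDE), ("192.168.1.0/24", OUTSIDE)]
# ip nat outside source static 192.168.1.1 10.1.1.20  (outside local -> outside global)
OUTSIDE_LOCAL_TO_GLOBAL = {"10.1.1.20": "192.168.1.1"}


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def forward_from_inside(routes, src, dst):
    """Packet arrives on the inside interface: route first, NAT second."""
    egress = lookup(routes, dst)
    if egress != OUTSIDE:
        # The packet never crosses inside -> outside, so NAT is not consulted.
        return egress, src, dst, False
    new_dst = OUTSIDE_LOCAL_TO_GLOBAL.get(dst, dst)
    return egress, src, new_dst, new_dst != dst


def forward_from_outside(routes, src, dst):
    """Packet arrives on the outside interface: NAT first, route second."""
    global_to_local = {g: l for l, g in OUTSIDE_LOCAL_TO_GLOBAL.items()}
    new_src = global_to_local.get(src, src)
    return lookup(routes, dst), new_src, dst, new_src != src


if __name__ == "__main__":
    # ip route 10.1.1.20 255.255.255.255 192.168.1.1 (egress modeled as Se1/0)
    fixed = CONNECTED + [("10.1.1.20/32", OUTSIDE)]
    print("echo     ", forward_from_outside(CONNECTED, "192.168.1.1", "10.1.1.3"))
    print("reply    ", forward_from_inside(CONNECTED, "10.1.1.3", "10.1.1.20"))
    print("reply+rt ", forward_from_inside(fixed, "10.1.1.3", "10.1.1.20"))
```

Each tuple is (egress interface, source, destination, translated); only the run with the /32 route sends the reply out Se1/0 with its destination rewritten to 192.168.1.1.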