From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Mon May 15 2006 - 14:46:58 ART
Petr -
Thanks! That was the information that I needed.....I didn't realize
that the outside nat was performed before the routing. I added the
static route and everything is working. I assumed that the translation
was bidirectional (my first mistake). Thanks again!
Dave Schulz,
Email: dschulz@dpsciences.com
________________________________
From: Petr Lapukhov [mailto:petrsoft@gmail.com]
Sent: Monday, May 15, 2006 1:26 AM
To: Schulz, Dave
Cc: ccielab@groupstudy.com
Subject: Re: IP NAT outside static issue
Dave,
AFAIK inside NAT is performed AFTER routing lookup, and outside NAT
is performed BEFORE routing lookup.
That is, when the return packet hits the inside interface, it is routed
to the local alias, and is not translated.
Try adding a static route at R4:
ip route 10.1.1.20 255.255.255.255 192.168.1.1
Also, check the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f2f.shtml
HTH
Petr
2006/5/15, Schulz, Dave <DSchulz@dpsciences.com>:
Group -
(sorry for the length on this one)....but I have been working with some
of the various permutations of NAT and ran into one that I could not
figure out. I have a router R4 doing NAT with R6 being the inside
(10.1.1.0 network), and, R1 being on the outside (192.168.1.0 network).
I am trying to make the outside to look as though it is attached to the
inside of the network by using the ip nat outside command. I can get a
ping to go from the R1 to R6 and R6 to respond, but the translation in
the reverse direction does not appear to be working. Thoughts?
.....here are the configs and debugs.....
R4.......
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
no ip route-cache cef
no ip route-cache
duplex half
speed 10
!
interface Serial1/0
ip address 192.168.1.4 255.255.255.0
ip nat outside
encapsulation frame-relay
serial restart-delay 0
frame-relay map ip 192.168.1.1 401 broadcast
frame-relay map ip 192.168.1.4 401
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
router eigrp 100
network 192.168.1.0
no auto-summary
!
ip nat outside source static 192.168.1.1 10.1.1.20
R6 (inside).....no ip routing, set up to appear as a Workstation.....
interface FastEthernet0/0
ip address 10.1.1.3 255.255.255.0
ip access-group 100 in
no ip route-cache
duplex auto
speed auto
!
access-list 100 permit icmp host 10.1.1.10 host 10.1.1.3
access-list 100 permit icmp any any
access-list 100 permit ip any any
R1 (outside).......
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.168.1.1 104
frame-relay map ip 192.168.1.4 104 broadcast
no frame-relay inverse-arp
!
router eigrp 100
network 172.16.0.0
network 192.168.1.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.1.4
R4 (show ip nat trans)......when doing a ping from R1 to 10.1.1.3 (inside)......
R4#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.20          192.168.1.1
--- 10.1.1.3           10.1.1.3           10.1.1.20          192.168.1.1
--- ---                ---                10.1.1.10          172.16.1.2
R4#
R4 deb ip nat det......
R4#deb ip nat det
IP NAT detailed debugging is on
*May 14 21:49:06.352: NAT*: o: icmp (192.168.1.1, 18) -> (10.1.1.3, 18) [2159]
*May 14 21:49:06.352: NAT*: s=192.168.1.1->10.1.1.20, d=10.1.1.3 [2159]l
*May 14 21:49:08.352: NAT*: o: icmp (192.168.1.1, 18) -> (10.1.1.3, 18) [2160]
*May 14 21:49:08.352: NAT*: s=192.168.1.1->10.1.1.20, d=10.1.1.3 [2160]
*May 14 21:49:10.352: NAT*: o: icmp (192.168.1.1, 18) -> (10.1.1.3, 18) [2161]
debug ip icmp at R4......
R4#
*May 14 21:47:22.352: ICMP: echo reply rcvd, src 10.1.1.3, dst 10.1.1.20q
*May 14 21:47:24.356: ICMP: echo reply rcvd, src 10.1.1.3, dst 10.1.1.20
*May 14 21:47:26.352: ICMP: echo reply rcvd, src 10.1.1.3, dst 10.1.1.20
debug ip icmp at R6.....
R6#
*Mar 3 15:12:52.108: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.20
*Mar 3 15:12:54.108: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.20
*Mar 3 15:12:56.108: ICMP: echo reply sent, src 10.1.1.3, dst 10.1.1.20
It appears from the above that the echo replies from 10.1.13 to
10.1.1.20 are not being translated on the return trip through R4. I was
thinking that I may have to create a null route to see if they are even
getting to R4. So, I add the following ....ip route 10.1.1.20
255.255.255.255 Null0. Then, the debug ip icmp on R4 shows this......
R4#deb ip
*May 14 21:53:23.744: %SYS-5-CONFIG_I: Configured from console by consoleicmp
ICMP packet debugging is on
R4#
*May 14 21:53:28.352: ICMP: dst (10.1.1.20) host unreachable sent to 10.1.1.3
*May 14 21:53:30.352: ICMP: dst (10.1.1.20) host unreachable sent to 10.1.1.3
*May 14 21:53:32.352: ICMP: dst (10.1.1.20) host unreachable sent to 10.1.1.3
I know I am missing something, but I have looked at this from all sides
and can't seem to see the issues. I hope someone has some insights.
Dave
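
Added example (not part of the original thread): a simplified Python model of R4's order of operations as Petr describes it, showing why the echo reply to 10.1.1.20 stays untranslated until the /32 static route points it at the outside interface. The function names and the reduction of R4 to two connected routes are assumptions made for illustration.

```python
import ipaddress

# Simplified model of R4 from the thread (constructed for illustration).
INSIDE, OUTSIDE = "Fa0/0 (inside)", "Se1/0 (outside)"
CONNECTED = [("10.1.1.0/24", INSIDE), ("192.168.1.0/24", OUTSIDE)]
# ip nat outside source static 192.168.1.1 10.1.1.20
OUTSIDE_GLOBAL, OUTSIDE_LOCAL = "192.168.1.1", "10.1.1.20"
# ip route 10.1.1.20 255.255.255.255 192.168.1.1 (next hop is on Se1/0)
STATIC_ROUTE = ("10.1.1.20/32", OUTSIDE)


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def from_outside(routes, src, dst):
    """Outside -> inside: translate first, then route."""
    if src == OUTSIDE_GLOBAL:
        src = OUTSIDE_LOCAL
    return src, dst, lookup(routes, dst)


def from_inside(routes, src, dst):
    """Inside -> outside: route first; NAT only if egress is the outside interface."""
    egress = lookup(routes, dst)
    if egress == OUTSIDE and dst == OUTSIDE_LOCAL:
        dst = OUTSIDE_GLOBAL
    return src, dst, egress


def ping_round_trip(routes):
    """Echo from R1 (192.168.1.1) to R6 (10.1.1.3), then the reply back through R4."""
    src, dst, _ = from_outside(routes, "192.168.1.1", "10.1.1.3")
    return from_inside(routes, dst, src)  # the reply swaps source and destination


if __name__ == "__main__":
    print("without static route:", ping_round_trip(CONNECTED))
    print("with static route:   ", ping_round_trip(CONNECTED + [STATIC_ROUTE]))
```

Without the static route the reply matches the connected 10.1.1.0/24 on the inside interface and never reaches the NAT step; with it, the longest match sends the packet out Serial1/0 and the destination is rewritten to 192.168.1.1.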
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:21 ART