From: Alex De Gruiter (AU) (Alex.deGruiter@didata.com.au)
Date: Thu Aug 10 2006 - 23:55:37 ART
Ismail,
Although I am not in possession of the IE workbook, let me attempt to
clarify.
Judging by the configuration, you need to translate IP addresses from
172.16.0.0/16 to 167.1.27.100-199, in a "NAT on a stick" scenario, with
2 x IP addresses assigned to the same interface (without dot1q/isl
trunking).
You need to perform NAT *from* one interface *to* another. You can't
have one interface acting as both the inside and outside, so you use PBR
to virtually route the packet internal to the router (to the virtual
loopback). When the packet is delivered to the loopback, the router
makes another routing decision and performs the NAT after the route
lookup is successful, and the packet moves from the inside to outside
NAT interface.
I took a while lab'ing a similar scenario to the one you have below, and
can confirm that the PBR is definitely required. If you don't have it,
the router just tries to route the packet straight back out the
interface, and no NAT is performed.
My configuration is as follows:
(NAT-router)
interface Loopback0
ip address 172.16.5.1 255.255.255.0
ip nat inside
interface GigabitEthernet0/0
ip address 167.1.27.2 255.255.255.0 secondary
ip address 192.168.85.5 255.255.255.0
ip nat outside
ip policy route-map POLICY
ip nat pool INSIDE_GLOBAL 192.168.4.100 192.168.4.199 prefix-length 24
ip nat inside source list INSIDE_LOCAL pool INSIDE_GLOBAL overload
ip access-list standard INSIDE_LOCAL
permit 172.16.0.0 0.0.255.255
route-map POLICY permit 10
match ip address INSIDE_LOCAL
set interface Loopback0
! routing back to the 2nd subnet in your example
ip route 172.16.0.0 255.255.0.0 167.1.27.1
(source-router)
interface GigabitEthernet0/0
ip address 167.1.27.1 255.255.255.0
interface Loopback172
ip address 172.16.0.1 255.255.0.0
ip route 0.0.0.0 0.0.0.0 167.1.27.2
(destination-router)
interface GigabitEthernet0/0
ip address 192.168.85.1 255.255.255.0
ip route 192.168.4.0 255.255.255.0 192.168.85.5
*THEN from the source-router*: telnet 192.168.85.1 /source-interface loopback 172 (run a "who" when logged in to verify the source).
Regards,
Alex
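To make the order of operations in the reply above concrete, here is an added model (not part of the thread, not IOS code, and not Internetwork Expert's solution) of the NAT-router forwarding decision: a packet arriving on the physical interface is first checked against the "ip policy" route-map, a matching clause with "set interface Loopback0" makes the loopback the interface the packet is treated as having arrived on, a normal routing lookup then picks the egress interface, and NAT fires only when that is an inside-to-outside transition. The interface names, addresses, pool and ACL are the ones from the NAT-router configuration above; ports, TCP state and the real IOS feature order are deliberately not modelled.

```python
"""Toy model of the NAT-on-a-stick forwarding path described in the thread.

Added illustration only. It models the order of operations the reply
relies on (ingress policy -> hand-off to loopback -> routing lookup ->
inside-to-outside NAT); it is not a faithful IOS implementation.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Interface:
    name: str
    nat: Optional[str] = None      # "inside", "outside" or None
    policy: Optional[str] = None   # route-map applied with "ip policy route-map"


@dataclass
class Router:
    interfaces: dict                      # name -> Interface
    routes: list                          # (prefix, egress interface name)
    acls: dict                            # name -> list of permitted prefixes
    route_maps: dict                      # name -> [(acl name, set interface)]
    nat_acl: str                          # "ip nat inside source list <acl>"
    nat_pool: list                        # inside global addresses
    overload: bool = True
    translations: dict = field(default_factory=dict)  # inside local -> inside global

    def acl_permits(self, acl, src):
        return any(ip_address(src) in ip_network(p) for p in self.acls[acl])

    def route_lookup(self, dst):
        """Longest-prefix match; returns the egress interface name or None."""
        best = None
        for prefix, egress in self.routes:
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, egress)
        return best[1] if best else None

    def nat_translate(self, src):
        """Allocate an inside global address; with overload one address is shared."""
        if src not in self.translations:
            if self.overload:
                self.translations[src] = self.nat_pool[0]
            else:
                used = set(self.translations.values())
                free = [a for a in self.nat_pool if a not in used]
                if not free:
                    return None                       # pool exhausted
                self.translations[src] = free[0]
        return self.translations[src]

    def forward(self, ingress, src, dst):
        path = [ingress]
        iface = self.interfaces[ingress]
        # 1. Policy routing on the ingress interface: a matching clause with
        #    "set interface Loopback0" hands the packet to the loopback, which
        #    from here on counts as the interface the packet arrived on.
        if iface.policy:
            for acl, set_if in self.route_maps[iface.policy]:
                if self.acl_permits(acl, src):
                    iface = self.interfaces[set_if]
                    path.append(iface.name)
                    break
        # 2. Normal routing lookup for the destination.
        egress_name = self.route_lookup(dst)
        if egress_name is None:
            return {"path": path, "src": src, "natted": False, "dropped": True}
        egress = self.interfaces[egress_name]
        path.append(egress.name)
        # 3. NAT fires only on an inside -> outside transition that the NAT ACL permits.
        natted, new_src = False, src
        if (iface.nat == "inside" and egress.nat == "outside"
                and self.acl_permits(self.nat_acl, src)):
            g = self.nat_translate(src)
            if g:
                new_src, natted = g, True
        return {"path": path, "src": new_src, "natted": natted, "dropped": False}


def build_nat_router(with_pbr=True):
    """The NAT-router configuration from the reply above, with PBR optional."""
    return Router(
        interfaces={
            "Loopback0": Interface("Loopback0", nat="inside"),
            "GigabitEthernet0/0": Interface("GigabitEthernet0/0", nat="outside",
                                            policy="POLICY" if with_pbr else None),
        },
        routes=[
            ("192.168.85.0/24", "GigabitEthernet0/0"),   # connected
            ("167.1.27.0/24", "GigabitEthernet0/0"),     # connected (secondary)
            ("172.16.5.0/24", "Loopback0"),              # connected
            ("172.16.0.0/16", "GigabitEthernet0/0"),     # static via 167.1.27.1
        ],
        acls={"INSIDE_LOCAL": ["172.16.0.0/16"]},
        route_maps={"POLICY": [("INSIDE_LOCAL", "Loopback0")]},
        nat_acl="INSIDE_LOCAL",
        nat_pool=[f"192.168.4.{i}" for i in range(100, 200)],
        overload=True,
    )


if __name__ == "__main__":
    for pbr in (True, False):
        r = build_nat_router(with_pbr=pbr)
        print("PBR" if pbr else "no PBR",
              r.forward("GigabitEthernet0/0", "172.16.0.1", "192.168.85.1"))
```

Running it shows the two outcomes the reply describes: with the policy applied, a packet from 172.16.0.1 passes through Loopback0 and leaves GigabitEthernet0/0 with source 192.168.4.100; without it, the packet arrives and leaves on the same outside interface, so there is no inside-to-outside transition and the source is left untranslated.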
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ismail el-shalh
Sent: Friday, 11 August 2006 11:52 AM
To: ccielab
Subject: RE: Policy Based Routing Question "set interface Loopback0"
Hi Brian,
Thanks for the clarification, but I am still not able to get the
concept of why we usually set the output to a loopback interface!
For example, in LAB 14, Task 11.1 (NAT on a Stick) you used this
command in your solution.
R2
interface loopback 0
ip nat inside
interface FastEthernet0/0
ip address 172.16.0.2 255.255.255.0 secondary
ip address 167.1.27.2 255.255.255.0
ip nat outside
ip policy route-map POLICY
ip nat pool INSIDE_GLOBAL 167.1.27.100 167.1.27.199 netmask 255.255.255.0
ip nat inside source list INSIDE_LOCAL pool INSIDE_GLOBAL
ip access-list standard INSIDE_LOCAL
permit 172.16.0.0 0.0.0.255
!
!
route-map POLICY permit 10
match ip address INSIDE_LOCAL
set interface Loopback0 <------------- How is this command helping here?
Brian Dennis <bdennis@internetworkexpert.com> wrote:
From the DocCD:
set interface
To indicate where to output packets that pass a match clause of a route
map for policy routing, use the set interface command in route-map
configuration mode. To delete an entry, use the no form of this command.
set interface interface-type interface-number [...interface-type interface-number]
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fiprrp_r/ind_r/1rfindp2.htm#wp1020570
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ismail el-shalh
Sent: Thursday, August 10, 2006 5:15 PM
To: ccielab
Subject: Policy Based Routing Question "set interface Loopback0"
Dear Group, what does "set interface Loopback0" mean in the following
configuration:
interface FastEthernet0/0
ip address 167.1.5.5 255.255.255.0
ip policy route-map POLICY
access-list 30 permit 167.1.5.0 0.0.0.255
interface loopback 0
ip address 150.1.5.5 255.255.255.0
route-map POLICY permit 10
match ip address 30
set interface Loopback0
Thanks,
Ismail
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART