From: Ashok CCIE (ashok.ccie@gmail.com)
Date: Fri Jul 13 2007 - 04:21:49 ART
Hi Team,
>
> For the below mentioned topology the IP NAT Reversible is not working for
> me: What is the issue?
>
> R0 --- e0/0 ----R1 ----s2/0 ----- R2 -----s3/0 ----R3
>
> R0
> ~~~
> interface Ethernet0/0
> ip address 3.3.3.1 255.255.255.0
> ntp broadcast client
> ntp broadcast key 1
> !
> router ospf 100
> network 0.0.0.0 255.255.255.255 area 0
> !
> ~~~
>
> R1
> ~~~
> !
> interface Ethernet0/0
> ip address 3.3.3.2 255.255.255.0
> ip nat inside
> ip virtual-reassembly
> !
> interface Serial2/0
> ip address 1.1.1.1 255.255.255.0
> ip nat outside
> no fair-queue
> !
> router ospf 100
> log-adjacency-changes
> network 0.0.0.0 255.255.255.255 area 0
> !
> ip classless
> no ip http server
> !
> ip nat pool POOL 10.10.10.10 10.10.10.20 prefix-length 24
> ip nat inside source route-map NAT pool POOL reversible
> !
> !
> ip access-list extended NAT_ACL
> permit ip any any log
> permit icmp any any log
>
> ip access-list extended NO_NAT_ACL
> permit ospf any any log
> permit tcp any any eq bgp log
> permit tcp any eq bgp any log
> permit eigrp any any log
> permit udp any eq rip any eq rip log
>
> route-map AA permit 10
> match ip address 120
> !
> route-map NAT deny 10
> match ip address NO_NAT_ACL
> !
> route-map NAT permit 20
> match ip address NAT_ACL
> !
> ~~~
>
>
> R2
> ~~~
> interface Serial2/0
> ip address 1.1.1.2 255.255.255.0
> ip nat outside
> serial restart-delay 0
> no fair-queue
> !
> interface Serial3/0
> ip address 2.2.2.1 255.255.255.0
> ip nat inside
> serial restart-delay 0
> !
> router ospf 100
> log-adjacency-changes
> network 1.1.1.0 0.0.0.255 area 0
> network 2.2.2.0 0.0.0.255 area 0
> !
> ip classless
> ip route 10.10.10.0 255.255.255.0 1.1.1.1
> ~~~
>
> R3
> ~~~
> interface Serial3/0
> ip address 2.2.2.2 255.255.255.0
> serial restart-delay 0
> !
> router ospf 100
> log-adjacency-changes
> network 2.2.2.0 0.0.0.255 area 0
> !
> ip route 10.10.10.0 255.255.255.0 2.2.2.1
> ~~~
>
> When I try to ping from R0, source is getting translated. But when I ping
> from R3 to address 10.10.10.11, I get packet drop and debug at R1 as
> follows:
>
>
> Jul 12 06:01:52.951: NAT: expiring 10.10.10.10 (1.1.1.1) icmp 783 (783)
> Jul 12 06:01:53.359: %SEC-6-IPACCESSLOGDP: list NAT_ACL permitted icmp 3.3.3.1 -> 2.2.2.2 (0/0), 5 packets
> Jul 12 06:01:55.039: NAT: expiring 10.10.10.10 (1.1.1.1) icmp 785 (785)
> Jul 12 06:02:00.647: NAT: s=1.1.1.1->10.10.10.10, d=2.2.2.2 [907]
> Jul 12 06:02:02.719: NAT: s=1.1.1.1->10.10.10.10, d=2.2.2.2 [908]
> Jul 12 06:02:04.831: NAT: s=1.1.1.1->10.10.10.10, d=2.2.2.2 [910]
>
>
> Jul 12 06:02:42.395: IP: s=2.2.2.2 (Serial2/0), d=10.10.10.11, len 100, unroutable
> Jul 12 06:02:42.395: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.2 (Serial2/0), routed via RIB
> Jul 12 06:02:42.395: IP: s=1.1.1.1 (local), d=2.2.2.2 (Serial2/0), len 56, sending
> Jul 12 06:02:42.463: IP: s=2.2.2.2 (Serial2/0), d=10.10.10.11, len 100, unroutable
> Jul 12 06:02:44.479: IP: s=2.2.2.2 (Serial2/0), d=10.10.10.11, len 100, unroutable
> Jul 12 06:02:44.479: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.2 (Serial2/0), routed via RIB
> Jul 12 06:02:44.479: IP: s=1.1.1.1 (local), d=2.2.2.2 (Serial2/0), len 56, sending
> Jul 12 06:02:44.531: IP: s=2.2.2.2 (Serial2/0), d=10.10.10.11, len 100, unroutable
> Jul 12 06:02:44.771: IP: s=3.3.3.2 (local), d=224.0.0.5 (Ethernet0/0), len 80, sending broad/multicast
> Jul 12 06:02:45.119: IP: s=1.1.1.1 (local), d=224.0.0.5 (Serial2/0), len 80, sending broad/multicast
> Jul 12 06:02:46.543: IP: s=2.2.2.2 (Serial2/0), d=10.10.10.11, len 100, unroutable
> Jul 12 06:02:46.543: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.2 (Serial2/0), routed via RIB
> Jul 12 06:02:46.543: IP: s=1.1.1.1 (local), d=2.2.2.2 (Serial2/0), len 56, sending
>
>
> Actually you see the packet drops here..
>
> Why so and what is missing?
>
> Thanks,
> Ashok