From: Bit Gossip (bit.gossip@chello.nl)
Date: Sat Aug 18 2007 - 08:40:02 ART
Hi Douglas,
I would simply do it this way: suppose that I want ICMP unreachables from R5
to be sourced from 150.1.5.99.
Bit
R4 s0/1 --- s0/1 R5
~~~~~~~~~~~~~~~~~~~~~~~ R5
interface Loopback0
 ip address 150.1.5.5 255.255.255.0
 ip nat inside
!
interface Serial0/1
 ip address 149.1.45.5 255.255.255.0
 ip nat outside
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip local policy route-map PBR
!
ip nat pool PBR 150.1.5.99 150.1.5.99 prefix-length 24
ip nat inside source route-map NAT pool PBR
!
access-list 100 deny ospf any any
access-list 100 permit icmp any any unreachable
!
route-map PBR permit 10
 match ip address 100
 set interface Loopback0
!
route-map NAT permit 10
 match ip address 100
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
R4#traceroute 149.1.45.5
Type escape sequence to abort.
Tracing the route to 149.1.45.5
1 150.1.5.99 8 msec
*Mar 3 17:47:42.543: ICMP: dst (149.1.45.4) port unreachable rcv from 150.1.5.99 * 12 msec
R4#
*Mar 3 17:47:45.556: ICMP: dst (149.1.45.4) port unreachable rcv from 150.1.5.99
R4#
R5#debug ip nat detailed
IP NAT detailed debugging is on
R5#
R5#
*Mar 3 05:45:03.902: NAT: map match NAT
*Mar 3 05:45:03.902: NAT: New entry added to map hash table
*Mar 3 05:45:03.902: NAT: i: icmp (149.1.45.5, 33434) -> (149.1.45.4, 49236) [1341]
*Mar 3 05:45:03.902: NAT: s=149.1.45.5->150.1.5.99, d=149.1.45.4 [1341]
*Mar 3 05:45:03.906: NAT: installing alias for address 150.1.5.99
----- Original Message -----
From: "Szarmach, Douglas" <Douglas.Szarmach@cmegroup.com>
To: "Joseph Brunner" <joe@affirmedsystems.com>; "Cisco certification"
<ccielab@groupstudy.com>
Sent: Thursday, August 16, 2007 10:39 PM
Subject: RE: Change Source of ICMP Unreachable
> I found the following solution from an archive message...but testing it
> on a 3560 --> 3825 --> 3560 is resulting in no change to source, even
> though packets are showing matches on the 'local policy'. No NAT
> translations ever get made.
>
> interface Loopback0
>  ip address 150.1.3.3 255.255.255.0
>  ip nat outside
> !
> interface Loopback1
>  ip address 3.3.3.3 255.255.255.255
>  ip nat inside
>  ip policy route-map POL1
> !
> ip local policy route-map POL
> ip nat inside source list 101 interface Loopback0 overload
> !
> access-list 101 permit icmp any any port-unreachable
> access-list 101 permit icmp any any time-exceeded
> !
> route-map POL permit 10
>  match ip address 101
>  set interface Loopback1
> !
> route-map POL1 permit 10
>  set interface Loopback0
>
>
>
> Rack1R1#show ip local pol
> Local policy routing is enabled, using route map POL
> route-map POL, permit, sequence 10
> Match clauses:
> ip address (access-lists): 101
> Set clauses:
> interface Loopback1
> Policy routing matches: 9 packets, 564 bytes
> Rack1R1#
>
> Rack1R1#show ip nat trans
>
> Rack1R1#
>
>
>
> Douglas Szarmach
> Senior Network Engineer
> +1 312 648 3797
>
> CME Group
> A CME/Chicago Board of Trade Company
> 20 South Wacker Drive
> Chicago, Illinois 60606
> cmegroup.com
>
> -----Original Message-----
> From: Joseph Brunner [mailto:joe@affirmedsystems.com]
> Sent: Thursday, August 16, 2007 2:30 PM
> To: Szarmach, Douglas; 'Cisco certification'
> Subject: RE: Change Source of ICMP Unreachable
>
> Actually it's both...
>
> Get the VOL II 4.1 workbook, something similar is in there...
>
> Traceroute responses must come back from a certain loopback...
>
> -Joe
>
> Senior CCNA
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Szarmach, Douglas
> Sent: Thursday, August 16, 2007 2:55 PM
> To: Cisco certification
> Subject: Change Source of ICMP Unreachable
>
> In the IE "Lab Strategy" classroom Brian mentions something about
> changing the source of all ICMP unreachables. Can someone explain how
> to do this?
>
> Is there an easy command or is it a crazy 'ip local-policy' and NAT
> solution to do so?
>
> Douglas Szarmach
> Senior Network Engineer
> +1 312 648 3797
>
> CME Group
> A CME/Chicago Board of Trade Company
> 20 South Wacker Drive
> Chicago, Illinois 60606
> cmegroup.com
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:11 ART
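
Added example, not part of the original thread or written by its participants: a Python check that reads pasted debug output in the formats quoted above (the ICMP debug lines seen on R4 and the `debug ip nat detailed` lines seen on R5) and reports any ICMP unreachable that did not arrive from the NAT pool address. The function name `audit` and the sample text are assumptions for illustration; the last sample entry is constructed to show an untranslated reply.

```python
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Line formats copied from the debug output quoted in the thread.
ICMP_RE = re.compile(rf"ICMP: dst \({IP}\) (\S+) unreachable rcv from {IP}")
NAT_RE = re.compile(rf"NAT: s={IP}->{IP}, d={IP} \[\d+\]")

# Constructed sample. The first three entries follow the thread's output
# (one is left wrapped the way the mail client wrapped it); the last entry
# is invented to show an unreachable that escaped translation.
SAMPLE = """\
*Mar 3 17:47:42.543: ICMP: dst (149.1.45.4) port unreachable rcv from 150.1.5.99
*Mar 3 17:47:45.556: ICMP: dst (149.1.45.4) port unreachable rcv from
150.1.5.99
*Mar 3 05:45:03.902: NAT: s=149.1.45.5->150.1.5.99, d=149.1.45.4 [1341]
*Mar 3 17:47:48.601: ICMP: dst (149.1.45.4) port unreachable rcv from 149.1.45.5
"""

def audit(debug_text, pool_addr, real_addrs):
    """Return (leaks, translations) for pasted debug output.

    leaks: unreachables whose source is not pool_addr.
    translations: (original source, translated source, destination) tuples.
    """
    text = re.sub(r"\s+", " ", debug_text)  # undo mail/terminal line wrapping
    leaks = []
    for dst, kind, src in ICMP_RE.findall(text):
        if src != pool_addr:
            leaks.append({"src": src, "dst": dst, "kind": kind,
                          "real_interface": src in real_addrs})
    return leaks, NAT_RE.findall(text)

if __name__ == "__main__":
    leaks, translations = audit(SAMPLE, "150.1.5.99", {"149.1.45.5", "150.1.5.5"})
    for old, new, dst in translations:
        print(f"translated {old} -> {new} toward {dst}")
    for leak in leaks:
        tag = "router interface address exposed" if leak["real_interface"] else "unexpected source"
        print(f"LEAK: {leak['kind']} unreachable to {leak['dst']} from {leak['src']} ({tag})")
```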