RE:

From: Jason Guy (jguy) (jguy@cisco.com)
Date: Sat Sep 22 2007 - 16:08:29 ART


Gary,

I am pretty sure this is very similar if not identical to the problem
discussed a while back about making sure the traceroute returns with the
address of the loopback. This is really not too different. Here we are
sourcing a ping internally, and it must be natted outbound.

Since Ruth is using NVI rather than the inside/outside, I am not sure
how to make this work. I could not make it work with PBR. NVI has
always been a thorn in my side. I know it works fine if the traffic is
transit, but if trying to do something clever, forget it.

Looking back to the thread on July 1st, it appears there were 2
solutions to the issue. If using the ip nat inside/outside method, you
could use these configs I just labbed up...same as the thread in July.
Both work with the NAT inside/outside. Anyone know how to make this
work with the "ip nat enable" NVI approach?

====================================
Easier approach:

interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 155.1.37.3 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 155.1.37.7
!
ip nat pool HideMe 155.1.37.3 155.1.37.3 prefix-length 24
ip nat inside source list 1 pool HideMe
!
access-list 1 permit 192.168.1.0 0.0.0.255
====================================================
Harder approach but more obvious:

interface Loopback1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 ip address 155.1.37.3 255.255.255.0
 ip nat outside
!
ip local policy route-map LOCAL
ip route 0.0.0.0 0.0.0.0 155.1.37.7
!
ip nat pool HideMe 155.1.37.3 155.1.37.3 prefix-length 24
ip nat inside source list 1 pool HideMe
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
route-map LOCAL permit 10
 match ip address 1
 set interface Loopback1
!
==================================

Cheers,
Jason
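
The two things the replies above keep coming back to, whether any interface
has actually joined the NAT domain the rule names and whether the pool's
subnet is anchored on the router, can be checked mechanically. The script
below is an added example, not code from any of the posts: it parses an IOS
configuration the way the replies read it and flags a legacy "ip nat inside
source" rule on a router with no "ip nat outside" interface (Ruth's box only
has "ip nat enable", which joins the NVI domain instead) and a NAT pool that
lies in no connected subnet (Gary's "anchor the subnet" point). The hint that
NVI rules are written "ip nat source ..." without the inside/outside keyword
is a fact about IOS that the thread itself does not state. The embedded
configurations are Ruth's and Jason's "easier approach", trimmed to the
NAT-relevant lines; the finding codes are names made up for this example.

```python
"""Lint a Cisco IOS NAT config for the two failure modes in this thread:
a rule whose NAT domain no interface has joined, and an unanchored pool.
Added example, not from the original posts; standard library only."""
import ipaddress
import re

# Ruth's config as pasted in the thread, trimmed to the NAT-relevant lines.
RUTH = """\
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
 ip nat enable
!
interface FastEthernet0/0
 ip address 150.50.17.1 255.255.255.0
 ip nat enable
!
ip nat pool HideMe 150.50.1.2 150.50.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool HideMe
access-list 1 permit 192.168.1.0 0.0.0.255
"""

# Jason's "easier approach": the pool is the outside interface's own address.
JASON_EASY = """\
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 155.1.37.3 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 155.1.37.7
ip nat pool HideMe 155.1.37.3 155.1.37.3 prefix-length 24
ip nat inside source list 1 pool HideMe
access-list 1 permit 192.168.1.0 0.0.0.255
"""


def parse_config(text):
    """Extract interfaces, pools and NAT rules; relies on IOS's one-space
    indentation of interface sub-commands."""
    cfg = {"interfaces": {}, "pools": {}, "rules": []}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = {"net": None, "nat": set()}
            continue
        if line[0].isspace():            # sub-command of the current block
            if current is None:
                continue
            cmd = line.strip()
            m = re.match(r"ip address (\S+) (\S+)$", cmd)
            if m:
                cfg["interfaces"][current]["net"] = ipaddress.IPv4Interface(
                    f"{m[1]}/{m[2]}").network
            elif cmd in ("ip nat inside", "ip nat outside", "ip nat enable"):
                cfg["interfaces"][current]["nat"].add(cmd.split()[-1])
            continue
        current = None                   # back at the global level
        m = re.match(r"ip nat pool (\S+) (\S+) (\S+)", line)
        if m:
            cfg["pools"][m[1]] = (ipaddress.IPv4Address(m[2]),
                                  ipaddress.IPv4Address(m[3]))
        m = re.match(r"ip nat (?:(inside|outside) )?source list \S+ pool (\S+)", line)
        if m:
            cfg["rules"].append({"domain": m[1], "pool": m[2]})
    return cfg


def check_nat(cfg):
    """Return (code, message) findings; an empty list means nothing flagged."""
    findings = []
    ifaces = cfg["interfaces"].values()
    connected = [i["net"] for i in ifaces if i["net"]]
    domains = set().union(*(i["nat"] for i in ifaces))
    for rule in cfg["rules"]:
        if rule["pool"] not in cfg["pools"]:
            findings.append(("POOL_MISSING", f"pool {rule['pool']} is not defined"))
            continue
        # A legacy 'ip nat inside source' rule acts on traffic leaving an
        # 'ip nat outside' interface; 'ip nat enable' joins the NVI domain
        # instead, so with NVI-only interfaces the rule never fires.
        if rule["domain"] and "outside" not in domains:
            hint = (" (interfaces use 'ip nat enable'; NVI rules are written "
                    "'ip nat source ...' without inside/outside)" if "enable" in domains else "")
            findings.append(("NO_OUTSIDE_IFACE", f"'ip nat {rule['domain']} source' "
                             f"rule, but no interface has 'ip nat outside'{hint}"))
        # Gary's point: anchor the translated subnet on the router (a loopback
        # in it, or a pool drawn from the outside interface's own subnet).
        start, end = cfg["pools"][rule["pool"]]
        if not any(start in net and end in net for net in connected):
            findings.append(("POOL_NOT_ANCHORED", f"pool {rule['pool']} "
                             f"({start}-{end}) lies in no connected subnet"))
    return findings


def finding_codes(text):
    """The set of finding codes for a config string."""
    return {code for code, _ in check_nat(parse_config(text))}


if __name__ == "__main__":
    for name, text in (("Ruth", RUTH), ("Jason, easier approach", JASON_EASY)):
        print(name, check_nat(parse_config(text)) or "no findings")
```

Run as a script, Ruth's config yields NO_OUTSIDE_IFACE and POOL_NOT_ANCHORED
and the easier approach yields nothing. The lint only says whether the rule
can fire and whether the pool is anchored; whether a rule that passes will
translate router-originated traffic under NVI is the question the thread
leaves open.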

-----Original Message-----
From: Gary Duncanson [mailto:gary.duncanson@googlemail.com]
Sent: Saturday, September 22, 2007 2:08 PM
To: Jason Guy (jguy)
Cc: ruth@mycomputer.co.uk; ccielab@groupstudy.com
Subject: Re:

Hi Jason,

I found an example in Solie Volume 1. Chapter 15 Configuring NAT.

As for the loopback fun you suggest, you may very well be right and this
could be a gotcha that Ruth's lab is demonstrating. It occurred to me that
perhaps this may be a problem as the example has physical interfaces for
NAT inside and outside as opposed to a loopback interface for the inside.

This is where books run out of documentation! :) Have you got a PBR
example?

Regards
Gary
----- Original Message -----
From: "Jason Guy (jguy)" <jguy@cisco.com>
To: "Gary Duncanson" <gary.duncanson@googlemail.com>;
"ruth@mycomputer.co.uk" <rswgreat@yahoo.co.uk>
Cc: <ccielab@groupstudy.com>
Sent: Saturday, September 22, 2007 3:52 PM
Subject: RE:

Gary,

Which Solie book, and which chapter? Safari does not show page numbers. :)

Secondly, I think Ruth will need to set up PBR to send the packets to
the loopback interface. Simply sourcing the packet from the loopback
address does not get it into the NAT processing. I think this is what
they refer to as NAT-on-a-stick. Absolutely you need to have the IP
reachability to the destination as well.

Jason

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Gary Duncanson
Sent: Saturday, September 22, 2007 9:28 AM
To: ruth@mycomputer.co.uk
Cc: ccielab@groupstudy.com
Subject: Re:

Ruth,

Check Solie page 1040

Without IP reachability NAT will fail. Anchor the subnet you are
translating to on the router.

create interface..

interface loopback20
 ip address 150.50.1.1 255.255.255.0
 no ip directed-broadcast

Make sure you have the ip nat inside and ip nat outside commands on the
correct interfaces.

use ip classless

add a route to the outside (translated) network

ip route 0.0.0.0 0.0.0.0 150.50.17.2

HTH

Gary
----- Original Message -----
From: "ruth@mycomputer.co.uk" <rswgreat@yahoo.co.uk>
To: <ccielab@groupstudy.com>
Sent: Saturday, September 22, 2007 1:56 PM

> Hi
>
> Could someone please take a look at this and help me? When I ping
> 150.50.17.2 (reachable out of f0/0) with a source of 192.168.1.1 it
> resolutely fails to NAT.
>
> !
> !
> ip cef
> no ip domain lookup
> !
> !
> interface Loopback1
>  ip address 192.168.1.1 255.255.255.0
>  ip nat enable
> !
> interface FastEthernet0/0
>  ip address 150.50.17.1 255.255.255.0
>  ip nat enable
>  duplex auto
>  speed auto
> !
> interface FastEthernet2/0
>  ip address 150.50.200.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> router rip
>  version 2
>  passive-interface default
>  no passive-interface FastEthernet0/0
>  network 150.50.0.0
>  no auto-summary
> !
> ip http server
> no ip http secure-server
> !
> !
> ip nat pool HideMe 150.50.1.2 150.50.1.254 netmask 255.255.255.0
> ip nat inside source list 1 pool HideMe
> !
> access-list 1 permit 192.168.1.0 0.0.0.255
> !
> !
> Interfaces:-
>
> R1#s
> Interface         IP-Address      OK? Method Status                Protocol
> FastEthernet0/0   150.50.17.1     YES manual up                    up
> Serial1/0         unassigned      YES unset  administratively down down
> Serial1/1         unassigned      YES unset  administratively down down
> Serial1/2         unassigned      YES unset  administratively down down
> Serial1/3         unassigned      YES unset  administratively down down
> FastEthernet2/0   150.50.200.1    YES manual up                    up
> NVI0              unassigned      NO  unset  up                    up
> Loopback1         192.168.1.1     YES manual up                    up
>
> Thank you!
>
>



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:15 ART