RE: Simple NAT Issue

From: Joe Astorino (joe_astorino@comcast.net)
Date: Wed Feb 04 2009 - 04:26:47 ARST


Thanks for the solution, Pavel. Do you know if it is indeed true that a
router doing the NATing will not actually NAT packets that it generates,
even if the source address is in the NAT translation list? I seem to
remember this sort of thing working on older versions of IOS.
 


 

  _____

From: Pavel Bykov [mailto:slidersv@gmail.com]
Sent: Wednesday, February 04, 2009 1:22 AM
To: joe_astorino@comcast.net
Cc: ccielab@groupstudy.com
Subject: Re: Simple NAT Issue

One of the solutions to accomplish your goal is to use PBR and local
policy.
e.g.:

route-map NAT
set interface lo55
!
ip local policy route-map NAT

On Wed, Feb 4, 2009 at 6:32 AM, <joe_astorino@comcast.net> wrote:

I am having a problem regarding NAT and was hoping somebody could help me
understand this. I have a router, R5, that I wish to do NAT translation so
that anything sourced from its Loopback55 address will be translated to its
Loopback1 interface. This way I can meet a requirement that I should be able
to source a ping from Loopback55 and have it reply successfully without
adding Loopback55 to any routing protocol.

If I set this up the way I have below, and try a ping sourced from Lo55, it
does not work...no translation occurs. I thought I remembered hearing
something at one point that the router doing the NAT translation won't NAT
packets sourced from itself, only packets that pass through it, but I am not
sure on that. Any ideas, guys?

Just to be sure, I have checked that I do have reachability to the address I
am trying to ping when sourced from lo1.

R5(config)#do sh ip int brie | i Loop
Loopback1 99.99.99.5 YES manual up up
Loopback55 55.55.55.55 YES manual up up

R5(config)#do sh access-list 55
Standard IP access list 55
10 permit 55.55.55.55

R5(config)#do sh run int e0/0 | i ip nat
ip nat outside

R5(config)#do sh run int s2/0 | i ip nat
ip nat outside

R5(config)#do sh run int s2/0.56| i ip nat
ip nat outside

R5(config)#do sh run int s2/1 | i ip nat
ip nat outside

R5(config)#do sh run int lo1 | i nat
ip nat outside

R5(config)#do sh run int lo55 | i nat
ip nat inside

ip nat inside source list 55 interface lo1 overload

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST