Re: NAT issue

Are the address's that you are pinging in the routing table? What I am trying
to say is, is this one big IGP? The address that you are pinging should not be
in the routing table of the router you are using to ping?

Is that what is possibly happening?

On May 21, 2010, at 3:59 PM, Maarten Vervoorn wrote:

> Hi,
>
> Thanks for your reply
>
> I know the route-map is to identify the traffic. Sso with this NAT rule it
should NOT nat anything. But is does. I can ping 10.15.105.12 from R5 and R1.
But the Nat rule wasn't working right with a deny any. How come I can ping
10.15.105.12? I used the NAT rule with a route-map to select some traffice but
it seems the NAT rule is doing something else. If if select only one netwerk
it NATs every network the right way.
>
> The issue I had is that I needed both addresses reachable and reply from the
same adres. So with a simple static inside nat if you ping 10.130.208.211 it
replies with the natted adres 10.15.105.12. Most connections of application
can't deal with that. So I implemented a route-map in which I can select the
networks. If I made a route-map and only selected 10.15.243.0/24 it als natted
10.15.98.0/24 both synchronous replies. So then I tried with a deny any and
yes as I expected its still nating to all networks and synchronous. But I
can't figure out why this is the case. I thought indeed NAT did not work with
a route-map deny any. But it seems it did.
>
> Debugging says its natting all the right way debugging icmp packets I see
both syncronous replys, so a ping to 105.12 replies with 105.12 and ping yo
208.211 replies with 211.
>
> So my question basicly is what is this route-map doing in the NAt rule
because it should deny everything so nothing should be translated. But it does
everything is natted
>
> Kind regards,
>
> Maarten Vervoorn
> http://ccie.forumotion.com
>
> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
> Sorry about the delay... What are the debugs saying?
>
> I am having a hard time following exactly what you are trying to do but I do
have a question or two.
>
> With your route-map statement, you have an ACL that denies everything. Now,
with your route-map on the nat translation it is just telling it to not
translate anything. Now when you remove the route-map statement it should now
be doing the NAT translations.
>
> I could be wrong but I think you are using the route-map the incorrect way.
The route-map is meant to identify traffic that you want to translate, if it
doesnt match the route-map it wont be translated if it does then it will.
>
>
> On May 21, 2010, at 9:12 AM, Maarten Vervoorn wrote:
>
>> Yes I have, and if had hadn't it wouldn't work. I forgot to copy this. It
works perfectly I only do not understand why. The route-maps denies
everything. I'm able to ping from the outside routers the NAT adres
10.15.105.12 and it even replies from that Natted addres. Its exactly what I
want. But if I remove the route-map If I ping 10.130.208.211 it will reply
from 10.15.105.12. If I add the route-map it replies with 208.211 and also
replies to 105.12
>> What does this route-map excactly do here?
>>
>> interface Loopback1
>> ip address 10.15.105.1 255.255.255.0
>> ip nat outside
>> interface FastEthernet0/0
>> ip address 10.15.98.1 255.255.255.0
>> ip nat outside
>> interface Serial1/0
>> ip address 10.130.208.254 255.255.255.128
>> ip nat inside
>>
>>
>> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
>> Do you have "ip nat inside" "ip nat outside" on your interfaces? I dont see
it there?
>>
>>
>> On May 21, 2010, at 8:53 AM, Maarten Vervoorn wrote:
>>
>> > During a lab setup I encounterd on a strange behaviour.
>> >
>> > Lab setup
>> > S0/1 Fa0/0
>> > R1--------------R3---------------R5----------R1
>> >
>> > R3 is a nat router which nat 10.130.208.211 to 105.12
>> > I want both addresses to be reachable and synchronous (ping 105.12 and
>> > receive a reply from 105.12, ping 208.211 and a receive a reply form
>> > 208.211)
>> > After some configurations I configurated a route-map with a deny any
>> > statement. Both 105.12 and 208.211 are reachable and reply synchronous.
But
>> > I do not know why if I ping 105.12 from R5 or R1 i receive a reply form
>> > 105.12 because the route-map has a deny any.
>> >
>> > Can anyone clarify this?
>> >
>> > Config R3
>> > interface Loopback1
>> > ip address 10.15.105.1 255.255.255.0
>> > !
>> > interface FastEthernet0/0
>> > ip address 10.15.98.1 255.255.255.0
>> > !
>> > interface Serial1/0
>> > ip address 10.130.208.254 255.255.255.128
>> > !
>> > ip nat inside source static 10.130.208.211 10.15.105.12 route-map test
>> > !
>> > ip access-list standard NAT
>> > deny any
>> > !
>> > logging alarm informational
>> > access-list 100 permit icmp any any
>> > !
>> > route-map test permit 10
>> > match ip address NAT
>> > !
>> > !
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Fri May 21 2010 - 16:11:08 ART