Re: NAT issue

Yes I can it will only cost me a couple of days because I haven;t got access
to my study lab from here. So it will be Tuesday. I know most of the
configuratie. Below is the configurtion how it is

Topology
R4----R3-----R5------R1
R4 S0/1 <-> S1/0 R3 Fa0/0 <-> Fa0/0 R5 Fa0/1 <-> Fa0/1 R1

R4
Interface Serial0/1
 ip address 10.130.208.211 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.130.208.254

R3
 interface Loopback1
 ip address 10.15.105.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/0
 ip address 10.15.98.1 255.255.255.0
 ip nat outside
!
interface Serial1/0
 ip address 10.130.208.254 255.255.255.128
 ip nat inside
!
ip nat inside source static 10.130.208.211 10.15.105.12 route-map test
!
ip access-list standard NAT
  deny any
!
route-map test permit 10
 match ip address NAT
!
ip route 10.15.243.0 255.255.255.0 10.15.98.111

R5
interface FastEthernet0/0
 ip address 10.15.98.111 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.15.243.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.15.98.1

R1
 interface FastEthernet0/1
 ip address 10.15.243.89 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.15.243.1

Kind regards,

Maarten Vervoorn
http://ccie.forumotion.com

2010/5/21 Adrian Brayton <abrayton_at_gmail.com>

> Is there anyway that you can send me a running config on all the devices
> involved?
>
> On May 21, 2010, at 4:29 PM, Maarten Vervoorn wrote:
>
> I did the lab with static routing to test it out. Most router have
> default routes. As you can see in the config. Loopback 1 from R3 has network
> 10.15.105.1/24. But there is no active interface with .12 Its only used to
> NAT the 208.211 But the route maps tells me deny any so I wonder how it
> comes the 105.12 is still active. And when I ping the 105.12 I receive a
> 105.12 reply fro R5
>
>
>
> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
>
>> Are the address's that you are pinging in the routing table? What I am
>> trying to say is, is this one big IGP? The address that you are pinging
>> should not be in the routing table of the router you are using to ping?
>>
>> Is that what is possibly happening?
>>
>>
>> On May 21, 2010, at 3:59 PM, Maarten Vervoorn wrote:
>>
>> Hi,
>>
>> Thanks for your reply
>>
>> I know the route-map is to identify the traffic. Sso with this NAT rule it
>> should NOT nat anything. But is does. I can ping 10.15.105.12 from R5 and
>> R1. But the Nat rule wasn't working right with a deny any. How come I can
>> ping 10.15.105.12? I used the NAT rule with a route-map to select some
>> traffice but it seems the NAT rule is doing something else. If if select
>> only one netwerk it NATs every network the right way.
>>
>> The issue I had is that I needed both addresses reachable and reply from
>> the same adres. So with a simple static inside nat if you ping
>> 10.130.208.211 it replies with the natted adres 10.15.105.12. Most
>> connections of application can't deal with that. So I implemented a
>> route-map in which I can select the networks. If I made a route-map and only
>> selected 10.15.243.0/24 it als natted 10.15.98.0/24 both synchronous
>> replies. So then I tried with a deny any and yes as I expected its still
>> nating to all networks and synchronous. But I can't figure out why this is
>> the case. I thought indeed NAT did not work with a route-map deny any. But
>> it seems it did.
>>
>> Debugging says its natting all the right way debugging icmp packets I see
>> both syncronous replys, so a ping to 105.12 replies with 105.12 and ping yo
>> 208.211 replies with 211.
>>
>> So my question basicly is what is this route-map doing in the NAt rule
>> because it should deny everything so nothing should be translated. But it
>> does everything is natted
>>
>> Kind regards,
>>
>> Maarten Vervoorn
>> http://ccie.forumotion.com
>>
>> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
>>
>>> Sorry about the delay... What are the debugs saying?
>>>
>>> I am having a hard time following exactly what you are trying to do but I
>>> do have a question or two.
>>>
>>> With your route-map statement, you have an ACL that denies everything.
>>> Now, with your route-map on the nat translation it is just telling it to not
>>> translate anything. Now when you remove the route-map statement it should
>>> now be doing the NAT translations.
>>>
>>> I could be wrong but I think you are using the route-map the incorrect
>>> way. The route-map is meant to identify traffic that you want to translate,
>>> if it doesnt match the route-map it wont be translated if it does then it
>>> will.
>>>
>>>
>>> On May 21, 2010, at 9:12 AM, Maarten Vervoorn wrote:
>>>
>>> Yes I have, and if had hadn't it wouldn't work. I forgot to copy this.
>>> It works perfectly I only do not understand why. The route-maps denies
>>> everything. I'm able to ping from the outside routers the NAT adres
>>> 10.15.105.12 and it even replies from that Natted addres. Its exactly what I
>>> want. But if I remove the route-map If I ping 10.130.208.211 it will reply
>>> from 10.15.105.12. If I add the route-map it replies with 208.211 and also
>>> replies to 105.12
>>> What does this route-map excactly do here?
>>>
>>> interface Loopback1
>>> ip address 10.15.105.1 255.255.255.0
>>> ip nat outside
>>> interface FastEthernet0/0
>>> ip address 10.15.98.1 255.255.255.0
>>> ip nat outside
>>> interface Serial1/0
>>> ip address 10.130.208.254 255.255.255.128
>>> ip nat inside
>>>
>>>
>>> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
>>>
>>>> Do you have "ip nat inside" "ip nat outside" on your interfaces? I dont
>>>> see it there?
>>>>
>>>>
>>>> On May 21, 2010, at 8:53 AM, Maarten Vervoorn wrote:
>>>>
>>>> > During a lab setup I encounterd on a strange behaviour.
>>>> >
>>>> > Lab setup
>>>> > S0/1 Fa0/0
>>>> > R1--------------R3---------------R5----------R1
>>>> >
>>>> > R3 is a nat router which nat 10.130.208.211 to 105.12
>>>> > I want both addresses to be reachable and synchronous (ping 105.12 and
>>>> > receive a reply from 105.12, ping 208.211 and a receive a reply form
>>>> > 208.211)
>>>> > After some configurations I configurated a route-map with a deny any
>>>> > statement. Both 105.12 and 208.211 are reachable and reply
>>>> synchronous. But
>>>> > I do not know why if I ping 105.12 from R5 or R1 i receive a reply
>>>> form
>>>> > 105.12 because the route-map has a deny any.
>>>> >
>>>> > Can anyone clarify this?
>>>> >
>>>> > Config R3
>>>> > interface Loopback1
>>>> > ip address 10.15.105.1 255.255.255.0
>>>> > !
>>>> > interface FastEthernet0/0
>>>> > ip address 10.15.98.1 255.255.255.0
>>>> > !
>>>> > interface Serial1/0
>>>> > ip address 10.130.208.254 255.255.255.128
>>>> > !
>>>> > ip nat inside source static 10.130.208.211 10.15.105.12 route-map test
>>>> > !
>>>> > ip access-list standard NAT
>>>> > deny any
>>>> > !
>>>> > logging alarm informational
>>>> > access-list 100 permit icmp any any
>>>> > !
>>>> > route-map test permit 10
>>>> > match ip address NAT
>>>> > !
>>>> > !
>>>> >
>>>> >
>>>> > Blogs and organic groups at http://www.ccie.net
>>>> >
>>>> >
>>>> _______________________________________________________________________
>>>> > Subscription information may be found at:
>>>> > http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Fri May 21 2010 - 22:42:32 ART