Re: NAT issue

Well, I try to have both adresses natted and physical to be available. But
the have to respond with the address the connections is setup with
So With only: ip nat inside source static 10.130.208.211 10.15.105.12
If you ping 10.130.208.211 it replies with 10.15.105.12. Most connections of
this application can't deal with this. So I wanted to test it out with a
route-map to filter out connections which are not needed to be natted. Than
I come to some strange behaviour with this. After that I wanted to know
exactly what the route-map does then I tried to configure a deny any. And
the behaviour did change
So with the command: ip nat inside source static 10.130.208.211 10.15.105.12
route-map test
(route-map containes a deny any statement)
If I ping 10.130.208.211 it replies with 10.130.208.211. So it definitly is
changing something.
I'm try to figure out what this something is.
2010/5/21 George Philip <gphilip88_at_gmail.com>

> Are you trying to get the traffic to take different paths? The
> route-map statement with static NAT is used to influence path
> selection.
>
> On your route-map you have a deny any but no action after that, so
> that route map matches no traffic and does not change anything. In
> other words contines as default behavior which is to translate.
>
> Check out:
> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html
>
> I dont clearly understand what you are trying to accomplish?
>
>
> On Fri, May 21, 2010 at 4:11 PM, Adrian Brayton <abrayton_at_gmail.com>
> wrote:
> > Are the address's that you are pinging in the routing table? What I am
> trying
> > to say is, is this one big IGP? The address that you are pinging should
> not be
> > in the routing table of the router you are using to ping?
> >
> > Is that what is possibly happening?
> >
> >
> > On May 21, 2010, at 3:59 PM, Maarten Vervoorn wrote:
> >
> >> Hi,
> >>
> >> Thanks for your reply
> >>
> >> I know the route-map is to identify the traffic. Sso with this NAT rule
> it
> > should NOT nat anything. But is does. I can ping 10.15.105.12 from R5 and
> R1.
> > But the Nat rule wasn't working right with a deny any. How come I can
> ping
> > 10.15.105.12? I used the NAT rule with a route-map to select some
> traffice but
> > it seems the NAT rule is doing something else. If if select only one
> netwerk
> > it NATs every network the right way.
> >>
> >> The issue I had is that I needed both addresses reachable and reply from
> the
> > same adres. So with a simple static inside nat if you ping 10.130.208.211
> it
> > replies with the natted adres 10.15.105.12. Most connections of
> application
> > can't deal with that. So I implemented a route-map in which I can select
> the
> > networks. If I made a route-map and only selected 10.15.243.0/24 it als
> natted
> > 10.15.98.0/24 both synchronous replies. So then I tried with a deny any
> and
> > yes as I expected its still nating to all networks and synchronous. But I
> > can't figure out why this is the case. I thought indeed NAT did not work
> with
> > a route-map deny any. But it seems it did.
> >>
> >> Debugging says its natting all the right way debugging icmp packets I
> see
> > both syncronous replys, so a ping to 105.12 replies with 105.12 and ping
> yo
> > 208.211 replies with 211.
> >>
> >> So my question basicly is what is this route-map doing in the NAt rule
> > because it should deny everything so nothing should be translated. But it
> does
> > everything is natted
> >>
> >> Kind regards,
> >>
> >> Maarten Vervoorn
> >> http://ccie.forumotion.com
> >>
> >> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
> >> Sorry about the delay... What are the debugs saying?
> >>
> >> I am having a hard time following exactly what you are trying to do but
> I do
> > have a question or two.
> >>
> >> With your route-map statement, you have an ACL that denies everything.
> Now,
> > with your route-map on the nat translation it is just telling it to not
> > translate anything. Now when you remove the route-map statement it should
> now
> > be doing the NAT translations.
> >>
> >> I could be wrong but I think you are using the route-map the incorrect
> way.
> > The route-map is meant to identify traffic that you want to translate, if
> it
> > doesnt match the route-map it wont be translated if it does then it will.
> >>
> >>
> >> On May 21, 2010, at 9:12 AM, Maarten Vervoorn wrote:
> >>
> >>> Yes I have, and if had hadn't it wouldn't work. I forgot to copy this.
> It
> > works perfectly I only do not understand why. The route-maps denies
> > everything. I'm able to ping from the outside routers the NAT adres
> > 10.15.105.12 and it even replies from that Natted addres. Its exactly
> what I
> > want. But if I remove the route-map If I ping 10.130.208.211 it will
> reply
> > from 10.15.105.12. If I add the route-map it replies with 208.211 and
> also
> > replies to 105.12
> >>> What does this route-map excactly do here?
> >>>
> >>> interface Loopback1
> >>> ip address 10.15.105.1 255.255.255.0
> >>> ip nat outside
> >>> interface FastEthernet0/0
> >>> ip address 10.15.98.1 255.255.255.0
> >>> ip nat outside
> >>> interface Serial1/0
> >>> ip address 10.130.208.254 255.255.255.128
> >>> ip nat inside
> >>>
> >>>
> >>> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
> >>> Do you have "ip nat inside" "ip nat outside" on your interfaces? I dont
> see
> > it there?
> >>>
> >>>
> >>> On May 21, 2010, at 8:53 AM, Maarten Vervoorn wrote:
> >>>
> >>> > During a lab setup I encounterd on a strange behaviour.
> >>> >
> >>> > Lab setup
> >>> > S0/1 Fa0/0
> >>> > R1--------------R3---------------R5----------R1
> >>> >
> >>> > R3 is a nat router which nat 10.130.208.211 to 105.12
> >>> > I want both addresses to be reachable and synchronous (ping 105.12
> and
> >>> > receive a reply from 105.12, ping 208.211 and a receive a reply form
> >>> > 208.211)
> >>> > After some configurations I configurated a route-map with a deny any
> >>> > statement. Both 105.12 and 208.211 are reachable and reply
> synchronous.
> > But
> >>> > I do not know why if I ping 105.12 from R5 or R1 i receive a reply
> form
> >>> > 105.12 because the route-map has a deny any.
> >>> >
> >>> > Can anyone clarify this?
> >>> >
> >>> > Config R3
> >>> > interface Loopback1
> >>> > ip address 10.15.105.1 255.255.255.0
> >>> > !
> >>> > interface FastEthernet0/0
> >>> > ip address 10.15.98.1 255.255.255.0
> >>> > !
> >>> > interface Serial1/0
> >>> > ip address 10.130.208.254 255.255.255.128
> >>> > !
> >>> > ip nat inside source static 10.130.208.211 10.15.105.12 route-map
> test
> >>> > !
> >>> > ip access-list standard NAT
> >>> > deny any
> >>> > !
> >>> > logging alarm informational
> >>> > access-list 100 permit icmp any any
> >>> > !
> >>> > route-map test permit 10
> >>> > match ip address NAT
> >>> > !
> >>> > !
> >>> >
> >>> >
> >>> > Blogs and organic groups at http://www.ccie.net
> >>> >
> >>> >
> _______________________________________________________________________
> >>> > Subscription information may be found at:
> >>> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Fri May 21 2010 - 22:49:44 ART