The extended access-list has the same results. It seems that when I deny all IP
traffic it still performs NAT.
R4---R3---R5---R1
R3
ip nat inside source static 10.130.208.211 10.15.105.12 route-map NAT
!
ip access-list extended NAT-ext
deny ip any any
!
!
route-map NAT permit 10
match ip address NAT-ext
!
!
R1#
R1#ping 10.15.105.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.105.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/173/268 ms
R1#
*May 25 15:44:49.563: ICMP: echo reply rcvd, src 10.15.105.12, dst 10.15.243.89
*May 25 15:44:49.775: ICMP: echo reply rcvd, src 10.15.105.12, dst 10.15.243.89
*May 25 15:44:49.911: ICMP: echo reply rcvd, src 10.15.105.12, dst 10.15.243.89
*May 25 15:44:50.063: ICMP: echo reply rcvd, src 10.15.105.12, dst 10.15.243.89
*May 25 15:44:50.183: ICMP: echo reply rcvd, src 10.15.105.12, dst 10.15.243.89
R1#
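The asymmetry reported in this thread (with the deny-any route-map, 10.15.105.12 still answers as 10.15.105.12 while 10.130.208.211 answers as itself; without the route-map, 10.130.208.211 answers as 10.15.105.12) can be reproduced with a small model. This is an added Python illustration, not code from the thread or from IOS, and it rests on one assumption: the route-map is consulted only for translations initiated from the inside, while a packet arriving from outside for the static global address is always translated and its reply follows the entry that arrival created. The addresses are the thread's; the outside host 10.15.243.89 is R1 as seen in the debug output.

```python
from dataclasses import dataclass

INSIDE_LOCAL = "10.130.208.211"   # inside local address from the static NAT line
INSIDE_GLOBAL = "10.15.105.12"    # inside global (natted) address
OUTSIDE_HOST = "10.15.243.89"     # R1, the pinging outside host in the debug output


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class StaticNatModel:
    """Assumed behaviour: the route-map gates only inside-initiated translations."""

    def __init__(self, local, glob, route_map=None):
        self.local, self.glob = local, glob
        self.route_map = route_map   # None models the NAT line without a route-map
        self.table = {}              # entries created by outside-initiated flows

    def outside_to_inside(self, pkt):
        if pkt.dst == self.glob:
            # Static mapping always applies here; remember the flow so the
            # reply is translated back regardless of the route-map.
            self.table[(self.local, pkt.src)] = self.glob
            return Packet(pkt.src, self.local)
        return pkt                   # dst is the real inside address: untouched

    def inside_to_outside(self, pkt):
        if pkt.src != self.local:
            return pkt
        if (pkt.src, pkt.dst) in self.table:          # reply to outside-initiated flow
            return Packet(self.glob, pkt.dst)
        if self.route_map is None or self.route_map(pkt):
            return Packet(self.glob, pkt.dst)         # inside-initiated, permitted
        return pkt                                    # route-map denied: left as is


def deny_any(pkt):
    """Route-map 'test' whose ACL is a plain deny any: matches nothing."""
    return False


def ping_reply_source(router, target):
    """Source address the outside host sees on the echo reply to `target`."""
    request = router.outside_to_inside(Packet(OUTSIDE_HOST, target))
    reply = router.inside_to_outside(Packet(request.dst, request.src))
    return reply.src
```

Under this model the deny-any route-map yields the "synchronous" result (each address answers as itself), and removing it gives the reply from 10.15.105.12 to a ping of 10.130.208.211 that the application could not handle.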
2010/5/22 Tyson Scott <tscott_at_ipexpert.com>
> Use an extended access-list.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Maarten Vervoorn
> Sent: Friday, May 21, 2010 4:50 PM
> To: George Philip
> Cc: Adrian Brayton; Cisco certification
> Subject: Re: NAT issue
>
> Well, I try to have both addresses natted and physical to be available. But
> they have to respond with the address the connection is set up with.
> So with only: ip nat inside source static 10.130.208.211 10.15.105.12
> If you ping 10.130.208.211 it replies with 10.15.105.12. Most connections of
> this application can't deal with this. So I wanted to test it out with a
> route-map to filter out connections which do not need to be natted. Then
> I came across some strange behaviour with this. After that I wanted to know
> exactly what the route-map does, so I tried to configure a deny any. And
> the behaviour did change.
> So with the command: ip nat inside source static 10.130.208.211 10.15.105.12
> route-map test
> (route-map contains a deny any statement)
> If I ping 10.130.208.211 it replies with 10.130.208.211. So it definitely is
> changing something.
> I'm trying to figure out what this something is.
> 2010/5/21 George Philip <gphilip88_at_gmail.com>
>
> > Are you trying to get the traffic to take different paths? The
> > route-map statement with static NAT is used to influence path
> > selection.
> >
> > On your route-map you have a deny any but no action after that, so
> > that route map matches no traffic and does not change anything. In
> > other words it continues as default behavior, which is to translate.
> >
> > Check out:
> >
> > http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html
> >
> > I don't clearly understand what you are trying to accomplish.
> >
> >
> > On Fri, May 21, 2010 at 4:11 PM, Adrian Brayton <abrayton_at_gmail.com>
> > wrote:
> > > Are the addresses that you are pinging in the routing table? What I am
> > > trying to say is, is this one big IGP? The address that you are pinging
> > > should not be in the routing table of the router you are using to ping?
> > >
> > > Is that what is possibly happening?
> > >
> > >
> > > On May 21, 2010, at 3:59 PM, Maarten Vervoorn wrote:
> > >
> > >> Hi,
> > >>
> > >> Thanks for your reply
> > >>
> > >> I know the route-map is to identify the traffic. So with this NAT rule
> > >> it should NOT nat anything. But it does. I can ping 10.15.105.12 from R5
> > >> and R1. But the NAT rule wasn't working right with a deny any. How come
> > >> I can ping 10.15.105.12? I used the NAT rule with a route-map to select
> > >> some traffic but it seems the NAT rule is doing something else. If I
> > >> select only one network it NATs every network the right way.
> > >>
> > >> The issue I had is that I needed both addresses reachable and replying
> > >> from the same address. So with a simple static inside nat, if you ping
> > >> 10.130.208.211 it replies with the natted address 10.15.105.12. Most
> > >> connections of the application can't deal with that. So I implemented a
> > >> route-map in which I can select the networks. If I made a route-map and
> > >> only selected 10.15.243.0/24 it also natted 10.15.98.0/24, both with
> > >> synchronous replies. So then I tried with a deny any and, as I expected,
> > >> it's still natting to all networks and synchronous. But I can't figure
> > >> out why this is the case. I thought indeed NAT did not work with a
> > >> route-map deny any. But it seems it did.
> > >>
> > >> Debugging says it's natting all the right way. Debugging icmp packets I
> > >> see both synchronous replies, so a ping to 105.12 replies with 105.12 and
> > >> a ping to 208.211 replies with 211.
> > >>
> > >> So my question basically is: what is this route-map doing in the NAT rule?
> > >> Because it should deny everything, so nothing should be translated. But it
> > >> does; everything is natted.
> > >>
> > >> Kind regards,
> > >>
> > >> Maarten Vervoorn
> > >> http://ccie.forumotion.com
> > >>
> > >> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
> > >> Sorry about the delay... What are the debugs saying?
> > >>
> > >> I am having a hard time following exactly what you are trying to do but
> > >> I do have a question or two.
> > >>
> > >> With your route-map statement, you have an ACL that denies everything.
> > >> Now, with your route-map on the nat translation it is just telling it to
> > >> not translate anything. Now when you remove the route-map statement it
> > >> should now be doing the NAT translations.
> > >>
> > >> I could be wrong but I think you are using the route-map the incorrect
> > >> way. The route-map is meant to identify traffic that you want to
> > >> translate; if it doesn't match the route-map it won't be translated, if
> > >> it does then it will.
> > >>
> > >>
> > >> On May 21, 2010, at 9:12 AM, Maarten Vervoorn wrote:
> > >>
> > >>> Yes I have, and if I hadn't it wouldn't work. I forgot to copy this. It
> > >>> works perfectly, I only do not understand why. The route-map denies
> > >>> everything. I'm able to ping from the outside routers the NAT address
> > >>> 10.15.105.12 and it even replies from that natted address. It's exactly
> > >>> what I want. But if I remove the route-map, if I ping 10.130.208.211 it
> > >>> will reply from 10.15.105.12. If I add the route-map it replies with
> > >>> 208.211 and also replies to 105.12.
> > >>> What does this route-map exactly do here?
> > >>>
> > >>> interface Loopback1
> > >>> ip address 10.15.105.1 255.255.255.0
> > >>> ip nat outside
> > >>> interface FastEthernet0/0
> > >>> ip address 10.15.98.1 255.255.255.0
> > >>> ip nat outside
> > >>> interface Serial1/0
> > >>> ip address 10.130.208.254 255.255.255.128
> > >>> ip nat inside
> > >>>
> > >>>
> > >>> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
> > >>> Do you have "ip nat inside" "ip nat outside" on your interfaces? I
> > >>> don't see it there?
> > >>>
> > >>>
> > >>> On May 21, 2010, at 8:53 AM, Maarten Vervoorn wrote:
> > >>>
> > >>> > During a lab setup I encountered some strange behaviour.
> > >>> >
> > >>> > Lab setup
> > >>> > S0/1 Fa0/0
> > >>> > R1--------------R3---------------R5----------R1
> > >>> >
> > >>> > R3 is a NAT router which NATs 10.130.208.211 to 105.12.
> > >>> > I want both addresses to be reachable and synchronous (ping 105.12
> > >>> > and receive a reply from 105.12, ping 208.211 and receive a reply
> > >>> > from 208.211).
> > >>> > After some configurations I configured a route-map with a deny any
> > >>> > statement. Both 105.12 and 208.211 are reachable and reply
> > >>> > synchronously. But I do not know why, if I ping 105.12 from R5 or R1,
> > >>> > I receive a reply from 105.12, because the route-map has a deny any.
> > >>> >
> > >>> > Can anyone clarify this?
> > >>> >
> > >>> > Config R3
> > >>> > interface Loopback1
> > >>> > ip address 10.15.105.1 255.255.255.0
> > >>> > !
> > >>> > interface FastEthernet0/0
> > >>> > ip address 10.15.98.1 255.255.255.0
> > >>> > !
> > >>> > interface Serial1/0
> > >>> > ip address 10.130.208.254 255.255.255.128
> > >>> > !
> > >>> > ip nat inside source static 10.130.208.211 10.15.105.12 route-map
> > test
> > >>> > !
> > >>> > ip access-list standard NAT
> > >>> > deny any
> > >>> > !
> > >>> > logging alarm informational
> > >>> > access-list 100 permit icmp any any
> > >>> > !
> > >>> > route-map test permit 10
> > >>> > match ip address NAT
> > >>> > !
> > >>> > !
> > >>> >
> > >>> >
> > >>> > Blogs and organic groups at http://www.ccie.net
> > >>> >
> > >>> >
> > >>> > _______________________________________________________________________
> > >>> > Subscription information may be found at:
> > >>> > http://www.groupstudy.com/list/CCIELab.html
> > >
>
Received on Tue May 25 2010 - 15:52:21 ART
This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:53 ART