Re: NAT issue from Maarten Vervoorn on 2010-05-25 (Ccielab archives 05/2010)

From: Maarten Vervoorn <mr.vervoorn_at_gmail.com>
Date: Tue, 25 May 2010 16:08:51 +0200

If I use permit ip any any in the access-list the traffic isn't synchronous.
It replies always with the natted address. So I wanted to use a deny any.
But I was wondering how this route-map works, what does it do. When I deny
any the traffic performs a nat but not if I ping its physical address.

With permit any any
R1#ping 10.15.105.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.105.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/295/608 ms
R1#
*May 25 16:02:39.983: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:02:40.271: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:02:40.463: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:02:40.555: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:02:40.863: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
R1#ping 10.130.208.211
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.130.208.211, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/174/308 ms
R1#
*May 25 16:02:45.951: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:02:46.191: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:02:46.351: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:02:46.427: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:02:46.523: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
R1#

With a deny any any
R1#ping 10.15.105.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.105.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/179/480 ms
R1#
*May 25 16:07:31.551: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:07:31.711: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:07:31.819: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:07:31.899: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
*May 25 16:07:31.975: ICMP: echo reply rcvd, src 10.15.105.12, dst
10.15.243.89
R1#ping 10.130.208.211
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.130.208.211, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/139/196 ms
R1#
*May 25 16:07:36.511: ICMP: echo reply rcvd, src 10.130.208.211, dst
10.15.243.89
*May 25 16:07:36.679: ICMP: echo reply rcvd, src 10.130.208.211, dst
10.15.243.89
*May 25 16:07:36.815: ICMP: echo reply rcvd, src 10.130.208.211, dst
10.15.243.89
*May 25 16:07:36.911: ICMP: echo reply rcvd, src 10.130.208.211, dst
10.15.243.89
*May 25 16:07:37.023: ICMP: echo reply rcvd, src 10.130.208.211, dst
10.15.243.89
R1#

2010/5/25 Maarten Vervoorn <mr.vervoorn_at_gmail.com>

> The extended access-list has the same results. It seems when I deny all ip
> traffic it still performs a NAT
> R4---R3---R5---R1
>
> R3
> ip nat inside source static 10.130.208.211 10.15.105.12 route-map NAT
> !
> ip access-list extended NAT-ext
> deny ip any any
> !
> !
> route-map NAT permit 10
> match ip address NAT-ext
> !
> !
>
>
> R1#
> R1#ping 10.15.105.12
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.15.105.12, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 120/173/268 ms
> R1#
> *May 25 15:44:49.563: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 15:44:49.775: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 15:44:49.911: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 15:44:50.063: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 15:44:50.183: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> R1#
> 2010/5/22 Tyson Scott <tscott_at_ipexpert.com>
>
> Use an extended access-list.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: tscott_at_ipexpert.com
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Maarten Vervoorn
>> Sent: Friday, May 21, 2010 4:50 PM
>> To: George Philip
>> Cc: Adrian Brayton; Cisco certification
>> Subject: Re: NAT issue
>>
>> Well, I try to have both adresses natted and physical to be available. But
>> the have to respond with the address the connections is setup with
>> So With only: ip nat inside source static 10.130.208.211 10.15.105.12
>> If you ping 10.130.208.211 it replies with 10.15.105.12. Most connections
>> of
>> this application can't deal with this. So I wanted to test it out with a
>> route-map to filter out connections which are not needed to be natted.
>> Than
>> I come to some strange behaviour with this. After that I wanted to know
>> exactly what the route-map does then I tried to configure a deny any. And
>> the behaviour did change
>> So with the command: ip nat inside source static 10.130.208.211
>> 10.15.105.12
>> route-map test
>> (route-map containes a deny any statement)
>> If I ping 10.130.208.211 it replies with 10.130.208.211. So it definitly
>> is
>> changing something.
>> I'm try to figure out what this something is.
>> 2010/5/21 George Philip <gphilip88_at_gmail.com>
>>
>> > Are you trying to get the traffic to take different paths? The
>> > route-map statement with static NAT is used to influence path
>> > selection.
>> >
>> > On your route-map you have a deny any but no action after that, so
>> > that route map matches no traffic and does not change anything. In
>> > other words contines as default behavior which is to translate.
>> >
>> > Check out:
>> >
>>
>> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html
>> >
>> > I dont clearly understand what you are trying to accomplish?
>> >
>> >
>> > On Fri, May 21, 2010 at 4:11 PM, Adrian Brayton <abrayton_at_gmail.com>
>> > wrote:
>> > > Are the address's that you are pinging in the routing table? What I am
>> > trying
>> > > to say is, is this one big IGP? The address that you are pinging
>> should
>> > not be
>> > > in the routing table of the router you are using to ping?
>> > >
>> > > Is that what is possibly happening?
>> > >
>> > >
>> > > On May 21, 2010, at 3:59 PM, Maarten Vervoorn wrote:
>> > >
>> > >> Hi,
>> > >>
>> > >> Thanks for your reply
>> > >>
>> > >> I know the route-map is to identify the traffic. Sso with this NAT
>> rule
>> > it
>> > > should NOT nat anything. But is does. I can ping 10.15.105.12 from R5
>> and
>> > R1.
>> > > But the Nat rule wasn't working right with a deny any. How come I can
>> > ping
>> > > 10.15.105.12? I used the NAT rule with a route-map to select some
>> > traffice but
>> > > it seems the NAT rule is doing something else. If if select only one
>> > netwerk
>> > > it NATs every network the right way.
>> > >>
>> > >> The issue I had is that I needed both addresses reachable and reply
>> from
>> > the
>> > > same adres. So with a simple static inside nat if you ping
>> 10.130.208.211
>> > it
>> > > replies with the natted adres 10.15.105.12. Most connections of
>> > application
>> > > can't deal with that. So I implemented a route-map in which I can
>> select
>> > the
>> > > networks. If I made a route-map and only selected 10.15.243.0/24 it
>> als
>> > natted
>> > > 10.15.98.0/24 both synchronous replies. So then I tried with a deny
>> any
>> > and
>> > > yes as I expected its still nating to all networks and synchronous.
>> But
>> I
>> > > can't figure out why this is the case. I thought indeed NAT did not
>> work
>> > with
>> > > a route-map deny any. But it seems it did.
>> > >>
>> > >> Debugging says its natting all the right way debugging icmp packets I
>> > see
>> > > both syncronous replys, so a ping to 105.12 replies with 105.12 and
>> ping
>> > yo
>> > > 208.211 replies with 211.
>> > >>
>> > >> So my question basicly is what is this route-map doing in the NAt
>> rule
>> > > because it should deny everything so nothing should be translated. But
>> it
>> > does
>> > > everything is natted
>> > >>
>> > >> Kind regards,
>> > >>
>> > >> Maarten Vervoorn
>> > >> http://ccie.forumotion.com
>> > >>
>> > >> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
>> > >> Sorry about the delay... What are the debugs saying?
>> > >>
>> > >> I am having a hard time following exactly what you are trying to do
>> but
>> > I do
>> > > have a question or two.
>> > >>
>> > >> With your route-map statement, you have an ACL that denies
>> everything.
>> > Now,
>> > > with your route-map on the nat translation it is just telling it to
>> not
>> > > translate anything. Now when you remove the route-map statement it
>> should
>> > now
>> > > be doing the NAT translations.
>> > >>
>> > >> I could be wrong but I think you are using the route-map the
>> incorrect
>> > way.
>> > > The route-map is meant to identify traffic that you want to translate,
>> if
>> > it
>> > > doesnt match the route-map it wont be translated if it does then it
>> will.
>> > >>
>> > >>
>> > >> On May 21, 2010, at 9:12 AM, Maarten Vervoorn wrote:
>> > >>
>> > >>> Yes I have, and if had hadn't it wouldn't work. I forgot to copy
>> this.
>> > It
>> > > works perfectly I only do not understand why. The route-maps denies
>> > > everything. I'm able to ping from the outside routers the NAT adres
>> > > 10.15.105.12 and it even replies from that Natted addres. Its exactly
>> > what I
>> > > want. But if I remove the route-map If I ping 10.130.208.211 it will
>> > reply
>> > > from 10.15.105.12. If I add the route-map it replies with 208.211 and
>> > also
>> > > replies to 105.12
>> > >>> What does this route-map excactly do here?
>> > >>>
>> > >>> interface Loopback1
>> > >>> ip address 10.15.105.1 255.255.255.0
>> > >>> ip nat outside
>> > >>> interface FastEthernet0/0
>> > >>> ip address 10.15.98.1 255.255.255.0
>> > >>> ip nat outside
>> > >>> interface Serial1/0
>> > >>> ip address 10.130.208.254 255.255.255.128
>> > >>> ip nat inside
>> > >>>
>> > >>>
>> > >>> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
>> > >>> Do you have "ip nat inside" "ip nat outside" on your interfaces? I
>> dont
>> > see
>> > > it there?
>> > >>>
>> > >>>
>> > >>> On May 21, 2010, at 8:53 AM, Maarten Vervoorn wrote:
>> > >>>
>> > >>> > During a lab setup I encounterd on a strange behaviour.
>> > >>> >
>> > >>> > Lab setup
>> > >>> > S0/1 Fa0/0
>> > >>> > R1--------------R3---------------R5----------R1
>> > >>> >
>> > >>> > R3 is a nat router which nat 10.130.208.211 to 105.12
>> > >>> > I want both addresses to be reachable and synchronous (ping 105.12
>> > and
>> > >>> > receive a reply from 105.12, ping 208.211 and a receive a reply
>> form
>> > >>> > 208.211)
>> > >>> > After some configurations I configurated a route-map with a deny
>> any
>> > >>> > statement. Both 105.12 and 208.211 are reachable and reply
>> > synchronous.
>> > > But
>> > >>> > I do not know why if I ping 105.12 from R5 or R1 i receive a reply
>> > form
>> > >>> > 105.12 because the route-map has a deny any.
>> > >>> >
>> > >>> > Can anyone clarify this?
>> > >>> >
>> > >>> > Config R3
>> > >>> > interface Loopback1
>> > >>> > ip address 10.15.105.1 255.255.255.0
>> > >>> > !
>> > >>> > interface FastEthernet0/0
>> > >>> > ip address 10.15.98.1 255.255.255.0
>> > >>> > !
>> > >>> > interface Serial1/0
>> > >>> > ip address 10.130.208.254 255.255.255.128
>> > >>> > !
>> > >>> > ip nat inside source static 10.130.208.211 10.15.105.12 route-map
>> > test
>> > >>> > !
>> > >>> > ip access-list standard NAT
>> > >>> > deny any
>> > >>> > !
>> > >>> > logging alarm informational
>> > >>> > access-list 100 permit icmp any any
>> > >>> > !
>> > >>> > route-map test permit 10
>> > >>> > match ip address NAT
>> > >>> > !
>> > >>> > !
>> > >>> >
>> > >>> >
>> > >>> > Blogs and organic groups at http://www.ccie.net
>> > >>> >
>> > >>> >
>> > _______________________________________________________________________
>> > >>> > Subscription information may be found at:
>> > >>> > http://www.groupstudy.com/list/CCIELab.html
>> > >
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > >
>> > >
>> _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Tue May 25 2010 - 16:08:51 ART

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:53 ART