I already get it. I got confused with the directions. It seems the
configured NAT address is always available, and when traffic comes from outside
to inside it performs a NAT in both directions even if you denied everything in
the access-list. I tested some more with an extended access-list permitting
and denying a couple of networks and turned on debugging on all routers. You
can indeed select the traffic.
The only thing is that when you deny traffic in the NAT rule with a
route-map it is available from outside to inside. So even if you deny a
particular network, that network is able to make a connection through the NAT
rule; the return traffic is then NATted. Only if the traffic is initiated
from inside to outside it won't be NATted.
Kind regards,
Maarten Vervoorn
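The direction-dependent behaviour described in the reply above, as an added Python model. This is not code from the thread or from Cisco: it encodes the behaviour exactly as the reply reports it, so the model itself is an assumption about what R3 does, not a statement of IOS internals. It further assumes that an outside-initiated flow toward the inside global address creates a translation entry keyed on the outside host and a flow identifier (an ICMP identifier or L4 port), that a packet sent straight to the inside local address passes untouched, and that the route-map ACL matches on source and destination networks only. The addresses are the thread's own: R3 maps 10.130.208.211 to 10.15.105.12 and R1 pings from 10.15.243.89. The caveat worth stating plainly is that a deny in the NAT route-map does not make the inside host unreachable from the outside, because the static mapping is always present; restricting who may reach the inside global address is a job for an ACL on the outside interface, not for the NAT route-map.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

ANY = "0.0.0.0/0"  # the ACL keyword "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str   # "inside" or "outside": which NAT-marked interface received it
    flow: int = 0  # ICMP identifier / L4 port, used to tell flows apart in the table


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    src: str = ANY  # source network, CIDR
    dst: str = ANY  # destination network, CIDR


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """Extended-ACL semantics: first matching line wins, implicit deny at the end."""
    for e in entries:
        if ip_address(pkt.src) in ip_network(e.src) and ip_address(pkt.dst) in ip_network(e.dst):
            return e.action == "permit"
    return False


@dataclass
class StaticNatRouter:
    """Model of R3 with 'ip nat inside source static <local> <global> [route-map X]' (assumed behaviour)."""
    inside_local: str
    inside_global: str
    route_map_acl: Optional[List[AclEntry]] = None  # None: no route-map on the command
    # extended entries created by outside-initiated flows: (inside_local, outside_host, flow)
    table: Set[Tuple[str, str, int]] = field(default_factory=set)

    def forward(self, pkt: Packet) -> Tuple[Packet, bool]:
        """Return (packet as it leaves the router, whether it was translated)."""
        if pkt.ingress == "outside" and pkt.dst == self.inside_global:
            # The static mapping is always present, so anything sent to the
            # inside global address is translated; the route-map is not consulted.
            self.table.add((self.inside_local, pkt.src, pkt.flow))
            return Packet(pkt.src, self.inside_local, pkt.ingress, pkt.flow), True
        if pkt.ingress == "inside" and pkt.src == self.inside_local:
            if (pkt.src, pkt.dst, pkt.flow) in self.table:
                # Return traffic of an outside-initiated flow: translated regardless of the ACL.
                return Packet(self.inside_global, pkt.dst, pkt.ingress, pkt.flow), True
            if self.route_map_acl is None or acl_permits(self.route_map_acl, pkt):
                # Inside-initiated traffic: only here does the route-map decide.
                return Packet(self.inside_global, pkt.dst, pkt.ingress, pkt.flow), True
            return pkt, False
        return pkt, False  # e.g. a packet sent straight to the inside local address


def ping_reply_source(router: StaticNatRouter, outside_host: str, target: str, flow: int) -> str:
    """Simulate an outside host pinging target; return the source address of the reply it sees."""
    request, _ = router.forward(Packet(outside_host, target, "outside", flow))
    # The inside host answers from whichever address the request arrived on.
    reply = Packet(request.dst, request.src, "inside", flow)
    out, _ = router.forward(reply)
    return out.src


def inside_initiated_translated(router: StaticNatRouter, dst: str, flow: int) -> bool:
    """Does a flow the inside host starts toward dst leave with the inside global address?"""
    _, translated = router.forward(Packet(router.inside_local, dst, "inside", flow))
    return translated


# Addresses from the thread: R3 maps 10.130.208.211 to 10.15.105.12, R1 pings from 10.15.243.89.
LOCAL, GLOBAL, R1 = "10.130.208.211", "10.15.105.12", "10.15.243.89"


def thread_scenarios() -> dict:
    """Reproduce the three configurations tested in the thread: (reply to ping of global, reply to ping of local)."""
    permit_any = StaticNatRouter(LOCAL, GLOBAL, [AclEntry("permit")])
    deny_any = StaticNatRouter(LOCAL, GLOBAL, [AclEntry("deny")])
    no_map = StaticNatRouter(LOCAL, GLOBAL, None)
    return {
        "permit_any": (ping_reply_source(permit_any, R1, GLOBAL, 1), ping_reply_source(permit_any, R1, LOCAL, 2)),
        "deny_any": (ping_reply_source(deny_any, R1, GLOBAL, 1), ping_reply_source(deny_any, R1, LOCAL, 2)),
        "no_route_map": (ping_reply_source(no_map, R1, GLOBAL, 1), ping_reply_source(no_map, R1, LOCAL, 2)),
    }


if __name__ == "__main__":
    for name, (to_global, to_local) in thread_scenarios().items():
        print(f"{name:13s} ping {GLOBAL} -> reply from {to_global}; ping {LOCAL} -> reply from {to_local}")
```

Running the block reproduces the debug output in the thread: with permit ip any any both pings are answered from 10.15.105.12, with deny ip any any each address answers as itself, and with a selective ACL only inside-initiated flows to the permitted networks leave with the global address while the global address itself stays reachable from anywhere.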
2010/5/25 Maarten Vervoorn <mr.vervoorn_at_gmail.com>
> If I use permit ip any any in the access-list the traffic isn't
> synchronous. It always replies with the NATted address. So I wanted to use a
> deny any. But I was wondering how this route-map works, what it does.
> When I deny any the traffic performs a NAT but not if I ping its physical
> address.
>
> With permit any any
> R1#ping 10.15.105.12
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.15.105.12, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 92/295/608 ms
> R1#
> *May 25 16:02:39.983: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:02:40.271: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:02:40.463: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:02:40.555: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:02:40.863: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> R1#ping 10.130.208.211
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.130.208.211, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 72/174/308 ms
> R1#
> *May 25 16:02:45.951: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:02:46.191: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:02:46.351: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:02:46.427: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:02:46.523: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> R1#
>
> With a deny any any
> R1#ping 10.15.105.12
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.15.105.12, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 76/179/480 ms
> R1#
> *May 25 16:07:31.551: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:07:31.711: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:07:31.819: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:07:31.899: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> *May 25 16:07:31.975: ICMP: echo reply rcvd, src 10.15.105.12, dst
> 10.15.243.89
> R1#ping 10.130.208.211
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.130.208.211, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 100/139/196 ms
> R1#
> *May 25 16:07:36.511: ICMP: echo reply rcvd, src 10.130.208.211, dst
> 10.15.243.89
> *May 25 16:07:36.679: ICMP: echo reply rcvd, src 10.130.208.211, dst
> 10.15.243.89
> *May 25 16:07:36.815: ICMP: echo reply rcvd, src 10.130.208.211, dst
> 10.15.243.89
> *May 25 16:07:36.911: ICMP: echo reply rcvd, src 10.130.208.211, dst
> 10.15.243.89
> *May 25 16:07:37.023: ICMP: echo reply rcvd, src 10.130.208.211, dst
> 10.15.243.89
> R1#
>
> 2010/5/25 Maarten Vervoorn <mr.vervoorn_at_gmail.com>
>
>> The extended access-list has the same results. It seems when I deny all
>> ip traffic it still performs a NAT.
>> R4---R3---R5---R1
>>
>> R3
>> ip nat inside source static 10.130.208.211 10.15.105.12 route-map NAT
>> !
>> ip access-list extended NAT-ext
>> deny ip any any
>> !
>> !
>> route-map NAT permit 10
>> match ip address NAT-ext
>> !
>> !
>>
>>
>> R1#
>> R1#ping 10.15.105.12
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 10.15.105.12, timeout is 2 seconds:
>> !!!!!
>> Success rate is 100 percent (5/5), round-trip min/avg/max = 120/173/268 ms
>> R1#
>> *May 25 15:44:49.563: ICMP: echo reply rcvd, src 10.15.105.12, dst
>> 10.15.243.89
>> *May 25 15:44:49.775: ICMP: echo reply rcvd, src 10.15.105.12, dst
>> 10.15.243.89
>> *May 25 15:44:49.911: ICMP: echo reply rcvd, src 10.15.105.12, dst
>> 10.15.243.89
>> *May 25 15:44:50.063: ICMP: echo reply rcvd, src 10.15.105.12, dst
>> 10.15.243.89
>> *May 25 15:44:50.183: ICMP: echo reply rcvd, src 10.15.105.12, dst
>> 10.15.243.89
>> R1#
>> 2010/5/22 Tyson Scott <tscott_at_ipexpert.com>
>>
>>> Use an extended access-list.
>>>
>>> Regards,
>>>
>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>> Technical Instructor - IPexpert, Inc.
>>> Mailto: tscott_at_ipexpert.com
>>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>> Maarten Vervoorn
>>> Sent: Friday, May 21, 2010 4:50 PM
>>> To: George Philip
>>> Cc: Adrian Brayton; Cisco certification
>>> Subject: Re: NAT issue
>>>
>>> Well, I try to have both addresses, NATted and physical, to be available. But
>>> they have to respond with the address the connection is set up with.
>>> So with only: ip nat inside source static 10.130.208.211 10.15.105.12
>>> If you ping 10.130.208.211 it replies with 10.15.105.12. Most connections of
>>> this application can't deal with this. So I wanted to test it out with a
>>> route-map to filter out connections which are not needed to be NATted. Then
>>> I came to some strange behaviour with this. After that I wanted to know
>>> exactly what the route-map does, then I tried to configure a deny any. And
>>> the behaviour did change.
>>> So with the command: ip nat inside source static 10.130.208.211 10.15.105.12
>>> route-map test
>>> (route-map contains a deny any statement)
>>> If I ping 10.130.208.211 it replies with 10.130.208.211. So it definitely
>>> is changing something.
>>> I'm trying to figure out what this something is.
>>> 2010/5/21 George Philip <gphilip88_at_gmail.com>
>>>
>>> > Are you trying to get the traffic to take different paths? The
>>> > route-map statement with static NAT is used to influence path
>>> > selection.
>>> >
>>> > On your route-map you have a deny any but no action after that, so
>>> > that route map matches no traffic and does not change anything. In
>>> > other words continues as default behavior which is to translate.
>>> >
>>> > Check out:
>>> >
>>> > http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html
>>> >
>>> > I don't clearly understand what you are trying to accomplish?
>>> >
>>> >
>>> > On Fri, May 21, 2010 at 4:11 PM, Adrian Brayton <abrayton_at_gmail.com>
>>> > wrote:
>>> > > Are the addresses that you are pinging in the routing table? What I am
>>> > > trying to say is, is this one big IGP? The address that you are pinging
>>> > > should not be in the routing table of the router you are using to ping?
>>> > >
>>> > > Is that what is possibly happening?
>>> > >
>>> > >
>>> > > On May 21, 2010, at 3:59 PM, Maarten Vervoorn wrote:
>>> > >
>>> > >> Hi,
>>> > >>
>>> > >> Thanks for your reply
>>> > >>
>>> > >> I know the route-map is to identify the traffic. So with this NAT rule it
>>> > >> should NOT NAT anything. But it does. I can ping 10.15.105.12 from R5 and R1.
>>> > >> But the NAT rule wasn't working right with a deny any. How come I can ping
>>> > >> 10.15.105.12? I used the NAT rule with a route-map to select some traffic, but
>>> > >> it seems the NAT rule is doing something else. If I select only one network
>>> > >> it NATs every network the right way.
>>> > >>
>>> > >> The issue I had is that I needed both addresses reachable and replying from
>>> > >> the same address. So with a simple static inside NAT, if you ping 10.130.208.211
>>> > >> it replies with the NATted address 10.15.105.12. Most connections of the
>>> > >> application can't deal with that. So I implemented a route-map in which I can
>>> > >> select the networks. If I made a route-map and only selected 10.15.243.0/24 it
>>> > >> also NATted 10.15.98.0/24, both synchronous replies. So then I tried with a
>>> > >> deny any and yes, as I expected, it's still NATting to all networks and
>>> > >> synchronous. But I can't figure out why this is the case. I thought indeed NAT
>>> > >> did not work with a route-map deny any. But it seems it did.
>>> > >>
>>> > >> Debugging says it's NATting all the right way; debugging ICMP packets I see
>>> > >> both synchronous replies, so a ping to 105.12 replies with 105.12 and a ping
>>> > >> to 208.211 replies with 208.211.
>>> > >>
>>> > >> So my question basically is what is this route-map doing in the NAT rule,
>>> > >> because it should deny everything so nothing should be translated. But it
>>> > >> does, everything is NATted.
>>> > >>
>>> > >> Kind regards,
>>> > >>
>>> > >> Maarten Vervoorn
>>> > >> http://ccie.forumotion.com
>>> > >>
>>> > >> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
>>> > >> Sorry about the delay... What are the debugs saying?
>>> > >>
>>> > >> I am having a hard time following exactly what you are trying to do but I do
>>> > >> have a question or two.
>>> > >>
>>> > >> With your route-map statement, you have an ACL that denies everything. Now,
>>> > >> with your route-map on the NAT translation it is just telling it to not
>>> > >> translate anything. Now when you remove the route-map statement it should now
>>> > >> be doing the NAT translations.
>>> > >>
>>> > >> I could be wrong but I think you are using the route-map the incorrect way.
>>> > >> The route-map is meant to identify traffic that you want to translate; if it
>>> > >> doesn't match the route-map it won't be translated, if it does then it will.
>>> > >>
>>> > >>
>>> > >> On May 21, 2010, at 9:12 AM, Maarten Vervoorn wrote:
>>> > >>
>>> > >>> Yes I have, and if I hadn't it wouldn't work. I forgot to copy this. It
>>> > >>> works perfectly, I only do not understand why. The route-map denies
>>> > >>> everything. I'm able to ping from the outside routers the NAT address
>>> > >>> 10.15.105.12 and it even replies from that NATted address. It's exactly
>>> > >>> what I want. But if I remove the route-map, if I ping 10.130.208.211 it will
>>> > >>> reply from 10.15.105.12. If I add the route-map it replies with 208.211 and
>>> > >>> also replies to 105.12.
>>> > >>> What does this route-map exactly do here?
>>> > >>>
>>> > >>> interface Loopback1
>>> > >>> ip address 10.15.105.1 255.255.255.0
>>> > >>> ip nat outside
>>> > >>> interface FastEthernet0/0
>>> > >>> ip address 10.15.98.1 255.255.255.0
>>> > >>> ip nat outside
>>> > >>> interface Serial1/0
>>> > >>> ip address 10.130.208.254 255.255.255.128
>>> > >>> ip nat inside
>>> > >>>
>>> > >>>
>>> > >>> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
>>> > >>> Do you have "ip nat inside" "ip nat outside" on your interfaces? I don't
>>> > >>> see it there?
>>> > >>>
>>> > >>>
>>> > >>> On May 21, 2010, at 8:53 AM, Maarten Vervoorn wrote:
>>> > >>>
>>> > >>> > During a lab setup I encountered a strange behaviour.
>>> > >>> >
>>> > >>> > Lab setup
>>> > >>> > S0/1 Fa0/0
>>> > >>> > R1--------------R3---------------R5----------R1
>>> > >>> >
>>> > >>> > R3 is a NAT router which NATs 10.130.208.211 to 105.12
>>> > >>> > I want both addresses to be reachable and synchronous (ping 105.12 and
>>> > >>> > receive a reply from 105.12, ping 208.211 and receive a reply from 208.211).
>>> > >>> > After some configurations I configured a route-map with a deny any
>>> > >>> > statement. Both 105.12 and 208.211 are reachable and reply synchronously. But
>>> > >>> > I do not know why, if I ping 105.12 from R5 or R1, I receive a reply from
>>> > >>> > 105.12 because the route-map has a deny any.
>>> > >>> >
>>> > >>> > Can anyone clarify this?
>>> > >>> >
>>> > >>> > Config R3
>>> > >>> > interface Loopback1
>>> > >>> > ip address 10.15.105.1 255.255.255.0
>>> > >>> > !
>>> > >>> > interface FastEthernet0/0
>>> > >>> > ip address 10.15.98.1 255.255.255.0
>>> > >>> > !
>>> > >>> > interface Serial1/0
>>> > >>> > ip address 10.130.208.254 255.255.255.128
>>> > >>> > !
>>> > >>> > ip nat inside source static 10.130.208.211 10.15.105.12 route-map
>>> > test
>>> > >>> > !
>>> > >>> > ip access-list standard NAT
>>> > >>> > deny any
>>> > >>> > !
>>> > >>> > logging alarm informational
>>> > >>> > access-list 100 permit icmp any any
>>> > >>> > !
>>> > >>> > route-map test permit 10
>>> > >>> > match ip address NAT
>>> > >>> > !
>>> > >>> > !
>>> > >>> >
>>> > >>> >
>>> > >>> > Blogs and organic groups at http://www.ccie.net
>>> > >>> >
>>> > >>> >
>>> > _______________________________________________________________________
>>> > >>> > Subscription information may be found at:
>>> > >>> > http://www.groupstudy.com/list/CCIELab.html
Received on Tue May 25 2010 - 19:15:59 ART
This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:53 ART