Re: dynamic vs static nat

From: peter dervan <petesccie_at_gmail.com>
Date: Tue, 31 Jul 2012 12:52:32 +0100

Hi,
I labbed this up, and thought I had this working, but got some unexpected
results. Maybe someone could shed some light on the following results?
Sorry if this is a little long!

with the config below,

1) when I pinged R2 loop using R1 loop (this should be using overload nat)
- this worked correctly. Debugs (attached below) showed source as the
overload interface - ALL GOOD

2) when I pinged the loop of R3 using R1 loop (should engage static policy
nat using pool etc) - this worked correctly - source was showing from
192.168.200.1 instead of 192.168.1.1

3) when I repeated Step 1 - ping R2 loop from R1 loop (overload nat) - THIS
NOW ENGAGED THE WRONG NAT POLICY - this showed source of 192.168.200.1,
instead of previous source of serial0/0.12 (10.1.12.1)

I'm fairly sure the nat translation below - which was not there before step
1, but was there after step 2, is the reason for this behaviour. Does the
nat translation table not allow/account for the destination once there is a
translation stored?? Any advice would be much appreciated!! (ps: ASA
option of using a route-map to make it policy based is so much easier!)

Does anyone know if perhaps ip nat enable should be used??

I set up the lab topology as:

R1 (10.1.12.1) ---------- (10.1.12.2) R2 (10.1.23.2) ---------- (10.1.23.3) R3
Lo0: 192.168.1.1                      Lo0: 192.168.2.2                      Lo0: 192.168.3.3

RIP running between all devices, a default route was put on R1 and R3
pointing to R2, and R2 had static route to 192.168.200.0/24 to 10.1.12.1
(going to be static natted address). This is all fine...

The config of R1 (where the NAT is being performed) is as follows:

access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 //this is for the policy static nat - going to translate 192.168.1.0/24 to 192.168.200.0/24

access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
 //access-list for nat overload, called within route-map for nat

route-map NAT permit 10
 match ip address 150
   // route-map used in nat statement

ip nat pool POOL 192.168.200.1 192.168.200.254 prefix-length 24
ip nat inside source list 120 pool POOL
ip nat inside source route-map NAT interface Serial0/0.12 overload

interface Loopback0
 ip address 192.168.1.1 255.255.255.255
 ip nat inside

interface Serial0/0.12 point-to-point
 ip address 10.1.12.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 102

DEBUGS AS FOLLOWS:

#INITIAL PING FROM R1 LOOP TO R2 LOOP (OVERLOAD nat) - SUCCESSFUL
R1#ping 192.168.2.2 rep 1 so lo 0

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 32/32/32 ms
R1#
NAT: map match NAT
NAT: [0] Allocated Port for 192.168.1.1 -> 10.1.12.1: wanted 16 got 16
NAT: i: icmp (192.168.1.1, 16) -> (192.168.2.2, 16) [55]
NAT: s=192.168.1.1->10.1.12.1, d=192.168.2.2 [55]
NAT*: o: icmp (192.168.2.2, 16) -> (10.1.12.1, 16) [55]
NAT*: s=192.168.2.2, d=10.1.12.1->192.168.1.1 [55]
R1#
R1#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 10.1.12.1:16 192.168.1.1:16 192.168.2.2:16 192.168.2.2:16

====================================================================
#INITIAL PING FROM R1 LOOP TO R3 LOOP (POLICY STATIC nat) - SUCCESSFUL

R1#ping 192.168.3.3 rep 1 so lo 0

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms
R1#
NAT: i: icmp (192.168.1.1, 18) -> (192.168.3.3, 18) [57]
NAT: s=192.168.1.1->192.168.200.1, d=192.168.3.3 [57]
NAT*: o: icmp (192.168.3.3, 18) -> (192.168.200.1, 18) [57]
NAT*: s=192.168.3.3, d=192.168.200.1->192.168.1.1 [57]
R1#
R1#sh ip nat tran
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.1.12.1:17 192.168.1.1:17 192.168.2.2:17 192.168.2.2:17
icmp 192.168.200.1:18 192.168.1.1:18 192.168.3.3:18 192.168.3.3:18
--- 192.168.200.1 192.168.1.1 --- ---

====================================================================

#SECOND PING FROM R1 LOOP TO R2 LOOP (OVERLOAD nat) - UNSUCCESSFUL

R1#ping 192.168.2.2 rep 1 so lo 0

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 36/36/36 ms
R1#
NAT: i: icmp (192.168.1.1, 19) -> (192.168.2.2, 19) [58]
NAT: s=192.168.1.1->192.168.200.1, d=192.168.2.2 [58]
NAT*: o: icmp (192.168.2.2, 19) -> (192.168.200.1, 19) [58]
NAT*: s=192.168.2.2, d=192.168.200.1->192.168.1.1 [58]
R1#
R1#sh ip nat tra
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.1.12.1:17 192.168.1.1:17 192.168.2.2:17 192.168.2.2:17
icmp 192.168.200.1:18 192.168.1.1:18 192.168.3.3:18 192.168.3.3:18
icmp 192.168.200.1:19 192.168.1.1:19 192.168.2.2:19 192.168.2.2:19
--- 192.168.200.1 192.168.1.1 --- ---
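An added model (not Cisco's code and not the poster's) of the lookup order the debugs above show: an existing translation for the inside local host is consulted before the NAT rules are evaluated, so the simple entry that the list-based pool rule installs (the `--- 192.168.200.1 192.168.1.1 --- ---` line) catches the third ping whatever its destination. Assumed, and not on the page: the second rule set, in which the pool rule is driven by a route-map, modelling IOS's documented behaviour of creating only fully extended (per-destination) entries for route-map NAT.

```python
import ipaddress

def acl_permits(acl, src, dst):
    """IOS extended-ACL semantics: first matching line decides, implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)):
            return action == "permit"
    return False

ACL_120 = [("permit", "192.168.1.0/24", "192.168.3.0/24")]
ACL_150 = [("deny", "192.168.1.0/24", "192.168.3.0/24"),
           ("permit", "192.168.1.0/24", "0.0.0.0/0")]

# Rule = (name, ACL, inside global address, installs only fully extended entries?).
# 'ip nat inside source list 120 pool POOL' also installs a simple entry with no
# destination: the '--- 192.168.200.1 192.168.1.1 --- ---' line in the table above.
RULES_AS_CONFIGURED = [
    ("list 120 pool POOL", ACL_120, "192.168.200.1", False),
    ("route-map NAT interface Serial0/0.12 overload", ACL_150, "10.1.12.1", True),
]
# Assumed variant (not on the page): pool rule driven by a route-map, so only
# fully extended entries are created and the destination is checked every time.
RULES_WITH_ROUTE_MAP = [
    ("route-map POLICY pool POOL", ACL_120, "192.168.200.1", True),
    RULES_AS_CONFIGURED[1],
]

def translate(table, rules, src, icmp_id, dst):
    """Inside global address used for one inside->outside packet; updates the table."""
    for e in table:  # step 1: an existing entry for this inside local host is reused
        if e["local"] == src and (e["dst"] is None or (e["dst"], e["id"]) == (dst, icmp_id)):
            return e["global"]
    for _name, acl, inside_global, extended in rules:  # step 2: first matching rule
        if acl_permits(acl, src, dst):
            table.append({"local": src, "global": inside_global,
                          "dst": dst if extended else None,
                          "id": icmp_id if extended else None})
            return inside_global
    return src  # no rule matched: the packet leaves untranslated

def lab_sequence(rules):
    """The three pings from the post: R2 loop, R3 loop, R2 loop again (ids as in the table)."""
    table = []
    pings = [(17, "192.168.2.2"), (18, "192.168.3.3"), (19, "192.168.2.2")]
    return [translate(table, rules, "192.168.1.1", i, d) for i, d in pings]

if __name__ == "__main__":
    print("as configured :", lab_sequence(RULES_AS_CONFIGURED))   # third ping from 192.168.200.1
    print("route-map pool:", lab_sequence(RULES_WITH_ROUTE_MAP))  # third ping back on 10.1.12.1
```

Clearing the simple entry with `clear ip nat translation *` would make the next ping to R2 pick the overload rule again, which is the quickest check that the stored entry, not the ACLs, is what steers the third packet.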

On Tue, Jul 31, 2012 at 1:08 AM, ccie99999 <ccie99999_at_googlemail.com> wrote:

> thanks guys for your reply but still I don't get it..
>
> I'm here, this is the same situation I've:
> https://supportforums.cisco.com/thread/2043483
>
> but after setting the static and the dynamic with the route-map I still
> don't have a working solution.
>
> and googling this it looks like it's a common issue..
>
> checking some previous lab I did for my ccie I don't see this scenario.
>
> thanks again for your help
>
> On Mon, Jul 30, 2012 at 5:16 PM, Dan Shechter G <danshtr_at_gmail.com> wrote:
>
> > It's a bit of a mess on IOS, but in general static route has precedence over
> > dynamic NAT.
> >
> > you can use route map, but notice that route-maps in nat are evaluated by
> > lexical order, which means that route-map 'rmA' will be evaluated before
> > 'rmB'
> >
> > On 30 Jul 2012, at 17:19, ccie99999 wrote:
> >
> > > yeah, nothing..
> > >
> > > overload works but not static nat..
> > > even after a clear ip nat tran * , a ping to the remote net + a show ip
> > nat
> > > translat and I don't see the static nat..
> > >
> > > :(
> > >
> > > On Mon, Jul 30, 2012 at 2:04 PM, peter dervan <petesccie_at_gmail.com>
> > wrote:
> > >
> > >> Hi,
> > >> Try something like this, been a while since I labbed this so can't
> > >> remember if it will do proper 1 to 1 static network nat or not...
> > >>
> > >> =====================================================
> > >>
> > >> access-list 120 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
> > >>
> > >> ip nat pool OVERLAPPING 192.168.200.1 192.168.200.254 prefix-length 24
> > >>
> > >> ip nat inside source list 120 pool OVERLAPPING
> > >>
> > >> =====================================================
> > >>
> > >>
> > >>
> > >> On Mon, Jul 30, 2012 at 2:41 PM, ccie99999 <ccie99999_at_googlemail.com> wrote:
> > >>
> > >>> Hi Peter,
> > >>>
> > >>> thanks for your help.
> > >>>
> > >>> I've tried what you've suggested and it looks like it's working (the
> > >>> static is not taking the precedence on the dynamic one)
> > >>>
> > >>> unluckily the static nat is not working..
> > >>>
> > >>> this is my basic nat stuff:
> > >>>
> > >>> (note: net 192.168.1.x must become 192.168.200.x with the static nat
> > >>> and talk to 10.10.0.0)
> > >>>
> > >>> route-map NAT permit 10
> > >>> match ip address 101
> > >>>
> > >>> access-list 101 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.1.255.255
> > >>> access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
> > >>>
> > >>> ip nat pool OVERLAPPING 192.168.200.1 192.168.200.254 pref 24
> > >>>
> > >>> ip nat inside source route-map NAT pool OVERLAPPING
> > >>>
> > >>> ######
> > >>>
> > >>> ip nat inside source list 100 interface Dialer0 overload
> > >>>
> > >>> access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
> > >>> access-list 100 deny ip 192.168.200.0 0.0.0.255 10.10.0.0 0.1.255.255
> > >>> access-list 100 permit ip 192.168.1.0 0.0.0.255 any
> > >>>
> > >>> thaaaanks again.
> > >>>
> > >>>
> > >>>
> > >>> On Mon, Jul 30, 2012 at 12:29 PM, Peter Dervan <petesccie_at_gmail.com> wrote:
> > >>>
> > >>>> Try making the static nat policy based, using a nat pool and route
> > >>>> map. Policy would allow static nat to kick in only when traffic is
> > >>>> destined to a particular destination - should fix your issue.
> > >>>>
> > >>>> Sent from my iPhone
> > >>>>
> > >>>> On 30 Jul 2012, at 13:14, ccie99999 <ccie99999_at_googlemail.com> wrote:
> > >>>>
> > >>>>> Hi guys,
> > >>>>>
> > >>>>> I feel a bit frustrated because of this simple issue:
> > >>>>>
> > >>>>> I've got to do a static nat and a dynamic one with the overload.
> > >>>>>
> > >>>>> the static one is for translating my entire lan to a specific net
> > >>>>> (because of overlapping over ipsec).
> > >>>>>
> > >>>>> the dynamic one with overload is for surfing the web.
> > >>>>>
> > >>>>> As soon as I set up the static nat the customer loses the access
> > >>>>> to internet (the dynamic one stops working).
> > >>>>>
> > >>>>> I know that a static route has precedence over a dynamic but I've
> > >>>>> set up a specific acl:
> > >>>>>
> > >>>>> this is my conf:
> > >>>>>
> > >>>>> NAT:
> > >>>>> ip nat inside source list 100 interface Dialer0 overload
> > >>>>> ip nat inside source static network 192.168.1.0 192.168.200.0 /24
> > >>>>>
> > >>>>> ACL:
> > >>>>> access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
> > >>>>> access-list 100 deny ip 192.168.200.0 0.0.0.255 10.10.0.0 0.1.255.255
> > >>>>> access-list 100 permit ip 192.168.1.0 0.0.0.255 any
> > >>>>>
> > >>>>> I've even tried to use a route-map within the dynamic nat but still
> > >>>>> doesn't work..
> > >>>>>
> > >>>>> where am I wrong?
> > >>>>>
> > >>>>> thanks in advance
> > >>>>>
> > >>>>>
> > >>>>> --
> > >>>>> ccie99999
> > >>>>> twitter: @ccie99999
> > >>>>>
> > >>>>>
> > >>>>> Blogs and organic groups at http://www.ccie.net
> > >>>>>
> > >>>>>
> > >>>>> _______________________________________________________________________
> > >>>>> Subscription information may be found at:
> > >>>>> http://www.groupstudy.com/list/CCIELab.html
> > >>>>>

Blogs and organic groups at http://www.ccie.net
Received on Tue Jul 31 2012 - 12:52:32 ART

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:24 ART