Peter,
you're absolutely right!
I've seen the behaviour at step 3 too! (forgot to mention it)
Carlos.. I'll lab your suggestion.
I'll get back soon
On Tue, Jul 31, 2012 at 11:58 AM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> Can you try putting a route-map to both nat statements?
> I.e. instead of just an ACL, a route-map that uses the ACL.
> -Carlos
>
> peter dervan @ 31/07/2012 08:52 -0300 wrote:
>
>> Hi,
>> I labbed this up, and thought I had this working - but got some unexpected
>> results. Maybe someone could shed some light on the following results?
>> Sorry if this is a little long!
>>
>> with the config below,
>>
>> 1) when I pinged R2 loop using R1 loop (this should be using overload nat)
>> - this worked correctly. debugs (attached below) showed source as the
>> overload interface - ALL GOOD
>>
>> 2) when I pinged the loop of R3 using R1 loop (should engage static policy
>> nat using pool etc) - this worked correctly - source was showing from
>> 192.168.200.1 instead of 192.168.1.1
>>
>> 3) when I repeated Step 1 - ping R2 loop from R1 loop (overload nat) - THIS
>> NOW ENGAGED THE WRONG NAT POLICY - this showed source of 192.168.200.1,
>> instead of previous source of serial0/0.12 (10.1.12.1)
>>
>> I'm fairly sure the nat translation below - which was not there before step
>> 1, but was there after step 2, is the reason for this behaviour. Does the
>> nat translation table not allow/account for the destination once there is a
>> translation stored?? Any advice would be much appreciated!! (ps: ASA
>> option of using a route-map to make it policy based is so much easier!)
>>
>> Does anyone know if perhaps ip nat enable should be used??
>>
>>
>> I set up the lab topology as:
>>
>> R1 ---------------------------------> R2 ---------------------------------> R3
>> (10.1.12.1)           (10.1.12.2)  (10.1.23.2)           (10.1.23.3)
>> Lo0: 192.168.1.1      Lo0: 192.168.2.2                   Lo0: 192.168.3.3
>>
>> RIP running between all devices, a default route was put on R1 and R3
>> pointing to R2, and R2 had a static route for 192.168.200.0/24 to 10.1.12.1
>> (going to be the static natted address). This is all fine...
>>
>> The config of R1 (where the NAT is being performed) is as follows:
>>
>> access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
>> //this is for the policy static nat - going to translate 192.168.1.0/24 to
>> 192.168.200.0/24
>>
>> access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
>> access-list 150 permit ip 192.168.1.0 0.0.0.255 any
>> //access-list for nat overload, called within route-map for nat
>>
>> route-map NAT permit 10
>> match ip address 150
>> // route-map used in nat statement
>>
>> ip nat pool POOL 192.168.200.1 192.168.200.254 prefix-length 24
>> ip nat inside source list 120 pool POOL
>> ip nat inside source route-map NAT interface Serial0/0.12 overload
>>
>> interface Loopback0
>> ip address 192.168.1.1 255.255.255.255
>> ip nat inside
>>
>> interface Serial0/0.12 point-to-point
>> ip address 10.1.12.1 255.255.255.0
>> ip nat outside
>> ip virtual-reassembly
>> snmp trap link-status
>> frame-relay interface-dlci 102
>>
>>
>>
>> DEBUGS AS FOLLOWS:
>>
>> #INITIAL PING FROM R1 LOOP TO R2 LOOP (OVERLOAD nat) - SUCCESSFUL
>> R1#ping 192.168.2.2 rep 1 so lo 0
>>
>> Type escape sequence to abort.
>> Sending 1, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
>> Packet sent with a source address of 192.168.1.1
>> !
>> Success rate is 100 percent (1/1), round-trip min/avg/max = 32/32/32 ms
>> R1#
>> NAT: map match NAT
>> NAT: [0] Allocated Port for 192.168.1.1 -> 10.1.12.1: wanted 16 got 16
>> NAT: i: icmp (192.168.1.1, 16) -> (192.168.2.2, 16) [55]
>> NAT: s=192.168.1.1->10.1.12.1, d=192.168.2.2 [55]
>> NAT*: o: icmp (192.168.2.2, 16) -> (10.1.12.1, 16) [55]
>> NAT*: s=192.168.2.2, d=10.1.12.1->192.168.1.1 [55]
>> R1#
>> R1#sh ip nat trans
>> Pro  Inside global      Inside local       Outside local      Outside global
>> icmp 10.1.12.1:16       192.168.1.1:16     192.168.2.2:16     192.168.2.2:16
>>
>> ====================================================================
>> #INITIAL PING FROM R1 LOOP TO R3 LOOP (POLICY STATIC nat) - SUCCESSFUL
>>
>>
>> R1#ping 192.168.3.3 rep 1 so lo 0
>>
>> Type escape sequence to abort.
>> Sending 1, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
>> Packet sent with a source address of 192.168.1.1
>> !
>> Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms
>> R1#
>> NAT: i: icmp (192.168.1.1, 18) -> (192.168.3.3, 18) [57]
>> NAT: s=192.168.1.1->192.168.200.1, d=192.168.3.3 [57]
>> NAT*: o: icmp (192.168.3.3, 18) -> (192.168.200.1, 18) [57]
>> NAT*: s=192.168.3.3, d=192.168.200.1->192.168.1.1 [57]
>> R1#
>> R1#sh ip nat tran
>> R1#sh ip nat translations
>> Pro  Inside global      Inside local       Outside local      Outside global
>> icmp 10.1.12.1:17       192.168.1.1:17     192.168.2.2:17     192.168.2.2:17
>> icmp 192.168.200.1:18   192.168.1.1:18     192.168.3.3:18     192.168.3.3:18
>> ---  192.168.200.1      192.168.1.1        ---                ---
>>
>>
>> ====================================================================
>>
>> #SECOND PING FROM R1 LOOP TO R2 LOOP (OVERLOAD nat) - UNSUCCESSFUL
>>
>>
>> R1#ping 192.168.2.2 rep 1 so lo 0
>>
>> Type escape sequence to abort.
>> Sending 1, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
>> Packet sent with a source address of 192.168.1.1
>> !
>> Success rate is 100 percent (1/1), round-trip min/avg/max = 36/36/36 ms
>> R1#
>> NAT: i: icmp (192.168.1.1, 19) -> (192.168.2.2, 19) [58]
>> NAT: s=192.168.1.1->192.168.200.1, d=192.168.2.2 [58]
>> NAT*: o: icmp (192.168.2.2, 19) -> (192.168.200.1, 19) [58]
>> NAT*: s=192.168.2.2, d=192.168.200.1->192.168.1.1 [58]
>> R1#
>> R1#sh ip nat tra
>> R1#sh ip nat translations
>> Pro  Inside global      Inside local       Outside local      Outside global
>> icmp 10.1.12.1:17       192.168.1.1:17     192.168.2.2:17     192.168.2.2:17
>> icmp 192.168.200.1:18   192.168.1.1:18     192.168.3.3:18     192.168.3.3:18
>> icmp 192.168.200.1:19   192.168.1.1:19     192.168.2.2:19     192.168.2.2:19
>> ---  192.168.200.1      192.168.1.1        ---                ---
>>
>> On Tue, Jul 31, 2012 at 1:08 AM, ccie99999 <ccie99999_at_googlemail.com> wrote:
>>
>>> thanks guys for your reply but still I don't get it..
>>>
>>> I'm here, this is the same situation I've:
>>> https://supportforums.cisco.com/thread/2043483
>>>
>>> but after setting the static and the dynamic with the route-map I still
>>> don't have a working solution.
>>>
>>> and googling this it looks like it's a common issue..
>>>
>>> checking some previous lab I did for my ccie I don't see this scenario.
>>>
>>> thanks again for your help
>>>
>>> On Mon, Jul 30, 2012 at 5:16 PM, Dan Shechter G <danshtr_at_gmail.com> wrote:
>>>
>>>> It's a bit of a mess on IOS, but in general static route has precedence over
>>>> dynamic NAT.
>>>>
>>>> you can use route map, but notice that route-maps in nat are evaluated by
>>>> lexical order, which means that route-map 'rmA' will be evaluated before
>>>> 'rmB'
>>>>
>>>> On 30 Jul 2012, at 17:19, ccie99999 wrote:
>>>>
>>>>> yeah, nothing..
>>>>>
>>>>> overload works but not static nat..
>>>>> even after a clear ip nat tran * , a ping to the remote net + a show ip nat
>>>>> translat and I don't see the static nat..
>>>>>
>>>>> :(
>>>>>
>>>>> On Mon, Jul 30, 2012 at 2:04 PM, peter dervan <petesccie_at_gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>> Try something like this, been a while since I labbed this so can't
>>>>>> remember if it will do proper 1 to 1 static network nat or not...
>>>>>>
>>>>>> =======================================================
>>>>>>
>>>>>> access-list 120 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
>>>>>>
>>>>>> ip nat pool OVERLAPPING 192.168.200.1 192.168.200.254 prefix-length 24
>>>>>>
>>>>>> ip nat inside source list 120 pool OVERLAPPING
>>>>>>
>>>>>> =======================================================
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Jul 30, 2012 at 2:41 PM, ccie99999 <ccie99999_at_googlemail.com> wrote:
>>>>>>
>>>>>>> Hi Peter,
>>>>>>>
>>>>>>> thanks for your help.
>>>>>>>
>>>>>>> I've tried what you've suggested and it looks like it's working (the static is
>>>>>>> not taking the precedence on the dynamic one)
>>>>>>>
>>>>>>> unluckily the static nat is not working..
>>>>>>>
>>>>>>> this is my basic nat stuff:
>>>>>>>
>>>>>>> (note: net 192.168.1.x must become 192.168.200.x with the static nat and
>>>>>>> talk to 10.10.0.0)
>>>>>>>
>>>>>>> route-map NAT permit 10
>>>>>>> match ip address 101
>>>>>>>
>>>>>>> access-list 101 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.1.255.255
>>>>>>> access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
>>>>>>>
>>>>>>> ip nat pool OVERLAPPING 192.168.200.1 192.168.200.254 pref 24
>>>>>>>
>>>>>>> ip nat inside source route-map NAT pool OVERLAPPING
>>>>>>>
>>>>>>> ######
>>>>>>>
>>>>>>> ip nat inside source list 100 interface Dialer0 overload
>>>>>>>
>>>>>>> access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
>>>>>>> access-list 100 deny ip 192.168.200.0 0.0.0.255 10.10.0.0 0.1.255.255
>>>>>>> access-list 100 permit ip 192.168.1.0 0.0.0.255 any
>>>>>>>
>>>>>>> thaaaanks again.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jul 30, 2012 at 12:29 PM, Peter Dervan <petesccie_at_gmail.com> wrote:
>>>>>>>
>>>>>>>> Try making the static nat policy based, using a nat pool and route map.
>>>>>>>> Policy would allow static nat to kick in only when traffic is destined to a
>>>>>>>> particular destination - should fix your issue.
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>> On 30 Jul 2012, at 13:14, ccie99999 <ccie99999_at_googlemail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi guys,
>>>>>>>>>
>>>>>>>>> I feel a bit frustrated because of this simple issue:
>>>>>>>>>
>>>>>>>>> I've got to do a static nat and a dynamic one with the overload.
>>>>>>>>>
>>>>>>>>> the static one is for translating my entire lan to a specific net (because
>>>>>>>>> of overlapping over ipsec).
>>>>>>>>>
>>>>>>>>> the dynamic one with overload is for surfing the web.
>>>>>>>>>
>>>>>>>>> As soon as I set up the static nat the customer loses the access to
>>>>>>>>> internet (the dynamic one stops working).
>>>>>>>>>
>>>>>>>>> I know that a static route has precedence over a dynamic but I've set up a
>>>>>>>>> specific acl:
>>>>>>>>>
>>>>>>>>> this is my conf:
>>>>>>>>>
>>>>>>>>> NAT:
>>>>>>>>> ip nat inside source list 100 interface Dialer0 overload
>>>>>>>>> ip nat inside source static network 192.168.1.0 192.168.200.0 /24
>>>>>>>>>
>>>>>>>>> ACL:
>>>>>>>>> access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
>>>>>>>>> access-list 100 deny ip 192.168.200.0 0.0.0.255 10.10.0.0 0.1.255.255
>>>>>>>>> access-list 100 permit ip 192.168.1.0 0.0.0.255 any
>>>>>>>>>
>>>>>>>>> I've even tried to use a route-map within the dynamic nat but still doesn't
>>>>>>>>> work..
>>>>>>>>>
>>>>>>>>> where am I wrong?
>>>>>>>>>
>>>>>>>>> thanks in advance
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> ccie99999
>>>>>>>>> twitter: @ccie99999
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________________________________
>>>>>>>>> Subscription information may be found at:
>>>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>
--
ccie99999
twitter: @ccie99999

Received on Tue Jul 31 2012 - 12:22:34 ART
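Added example, not from the thread: a small Python model of the translation-table lookup that Peter's debugs show, replaying his three pings with the lab's addresses and ICMP ids. It assumes, following Cisco's documentation of route-map NAT, that a `list ... pool` statement installs a simple entry with no destination while a route-map statement installs fully extended entries, and that existing entries are consulted before any ACL or route-map is evaluated; `lab(True)` models Carlos's suggestion of a route-map on both statements.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

Match = Callable[[str, str], bool]

def acl(src_net: str, dst_net: str) -> Match:
    """One permit ACE, e.g. 'permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255'."""
    s, d = ip_network(src_net), ip_network(dst_net)
    return lambda src, dst: ip_address(src) in s and ip_address(dst) in d

@dataclass
class NatRule:
    name: str
    permit: Match            # the ACL or route-map the nat statement references
    inside_global: str
    extended: bool           # assumption: route-map statements install fully extended entries

@dataclass
class Router:
    rules: List[NatRule]
    # (inside local, icmp id or None, inside global, outside global or None);
    # a simple entry carries no id and no destination (the '--- 192.168.200.1 192.168.1.1' row)
    table: List[Tuple[str, Optional[int], str, Optional[str]]] = field(default_factory=list)

    def translate(self, src: str, icmp_id: int, dst: str) -> str:
        # Existing entries are consulted before any ACL/route-map, so a simple
        # entry for a host matches every later packet it sends, whatever the destination.
        for local, ident, glob, entry_dst in self.table:
            if local == src and (entry_dst is None or (ident, entry_dst) == (icmp_id, dst)):
                return glob
        for rule in self.rules:
            if rule.permit(src, dst):
                entry = ((src, icmp_id, rule.inside_global, dst) if rule.extended
                         else (src, None, rule.inside_global, None))
                self.table.append(entry)
                return rule.inside_global
        return src  # no statement matched: forwarded untranslated

def lab(pool_uses_route_map: bool) -> List[str]:
    """Replay the three pings from R1's loopback; returns the source seen on the wire."""
    acl_120 = acl("192.168.1.0/24", "192.168.3.0/24")
    acl_150 = lambda s, d: not acl_120(s, d) and acl("192.168.1.0/24", "0.0.0.0/0")(s, d)
    r1 = Router([
        NatRule("pool POOL", acl_120, "192.168.200.1", extended=pool_uses_route_map),
        NatRule("interface Serial0/0.12 overload", acl_150, "10.1.12.1", extended=True),
    ])
    pings = [(16, "192.168.2.2"), (18, "192.168.3.3"), (19, "192.168.2.2")]  # ids as in the debugs
    return [r1.translate("192.168.1.1", ident, dst) for ident, dst in pings]
```

With the pool statement on a plain ACL the third ping reuses the simple entry and leaves as 192.168.200.1, exactly as in step 3; with a route-map on both statements it falls through to the overload statement again.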
This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:24 ART