I edited the nat statements to include route-maps instead of list, as seen
below. Worked perfectly - pings to R2 loop are seen from overload nat
source, whereas pings to R3 loop are showing as coming from statically
natted source (192.168.200.0/24). Only one issue - I can't initiate the
traffec from R3 loop 0 towards the 192.168.200.0/24 network, so this will
only work as static nat one way from R1 towards R3. perhaps another NAT
setup on R3 towards to R1 would finish this policy off... It will respond
fine, but if i kick the traffic off ftom R3 instead - no joy. I have a
feeling this is working correctly - just a lack of understanding on my part
to the exact behaviour of this NAT...
R1 - ping 192.168.2.2 rep 1 so lo 0
R2 :
ICMP: echo reply sent, src 192.168.2.2, dst 10.1.12.1
R1 - ping 192.168.3.3 rep 1 so lo 0
R3
ICMP: echo reply sent, src 192.168.3.3, dst 192.168.200.1
same pings provided same results over and over.
traffic initiated from R3 - reverse of above - gave following error:
000087: ICMP: echo reply sent, src 192.168.3.3, dst 192.168.200.1 (//reply
from previous successful test)
R3#ping 192.168.200.1 source 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.3
000088: ICMP: time exceeded rcvd from 10.1.12.2.
On Tue, Jul 31, 2012 at 1:22 PM, ccie99999 <ccie99999_at_googlemail.com> wrote:
> Peter,
>
> you're absolutely right!
>
> I've seen the behaviour at step 3 me too! (forgot to mention it)
>
> Carlos.. I ll lab your suggestion.
>
> I'll get back soon
>
> On Tue, Jul 31, 2012 at 11:58 AM, Carlos G Mendioroz <tron_at_huapi.ba.ar
> >wrote:
>
> > Can you try putting a route-map to both nat statements ?
> > I.e. instead of just an ACL, a route-map that uses the ACL.
> > -Carlos
> >
> > peter dervan @ 31/07/2012 08:52 -0300 dixit:
> >
> > Hi,
> >> I labbed this up, and thought i had this working - but got some
> unexpected
> >> results. Maybe someone could shed some light on the following results?
> >> sorry if this is a little long!
> >>
> >> with the config below,
> >>
> >> 1) when i pinged R2 loop using R1 loop (this should be using overload
> nat)
> >> - this worked correctly. debugs (attached below) showed source as the
> >> overload interface - ALL GOOD
> >>
> >> 2) when i pinged the loop of R3 using R1 loop (should engage static
> policy
> >> nat using pool etc) - this worked correctly - source was showing from
> >> 192.168.200.1 instead of 192.168.1.1
> >>
> >> 3) when i repeated Step 1 - ping R2 loop from R1 loop (overload nat) -
> >> THIS
> >> NOW ENGAGED THE WRONG NAT POLICY - this showed source of 192.168.200.1,
> >> instead of previous source of serial0/0.12 (10.1.12.1)
> >>
> >> I'm fairly sure the nat translation below - which was not there before
> >> step
> >> 1, but was there after step 2, is the reason for this behaviour. Does
> the
> >> nat translation table not allow/account for the destination once there
> is
> >> a
> >> translation stored?? Any advice would be much appreciated!! (ps: ASA
> >> option of using a route-map to make it policy based is so mcuh easier!)
> >>
> >> Does anyone know if perhaps ip nat enable should be used??
> >>
> >>
> >> I set up the lab topoogy as:
> >> R1 ------------------------------**--> R2
> >> ------------------------------**-->
> >> R3
> >> (10.1.12.1) (10.1.12.2) (10.1.23.2)
> (10.1.23.3)
> >> Lo0: 192.168.1.1 Lo0: 192.168.2.2 Lo0:
> >> 192.168.3.3
> >>
> >> RIP running between all devices, a default route was put on R1 and R3
> >> pointing to R2, and R2 had static route to 192.168.200.0/24 to
> 10.1.12.1
> >> (going to be static natted address). This is all fine...
> >>
> >> The config of R1 (where the NAT is being performed) is as follows:
> >>
> >> access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> >> //this is for the policy static nat - going to translate
> 192.168.1.0/24to
> >> 192.168.200/24
> >>
> >> access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> >> access-list 150 permit ip 192.168.1.0 0.0.0.255 any
> >> //access-list for nat overload,called within route-map for nat
> >>
> >> route-map NAT permit 10
> >> match ip address 150
> >> // route-map used in nat statement
> >>
> >> ip nat pool POOL 192.168.200.1 192.168.200.254 prefix-length 24
> >> ip nat inside source list 120 pool POOL
> >> ip nat inside source route-map NAT interface Serial0/0.12 overload
> >>
> >> interface Loopback0
> >> ip address 192.168.1.1 255.255.255.255
> >> ip nat inside
> >>
> >> interface Serial0/0.12 point-to-point
> >> ip address 10.1.12.1 255.255.255.0
> >> ip nat outside
> >> ip virtual-reassembly
> >> snmp trap link-status
> >> frame-relay interface-dlci 102
> >>
> >>
> >>
> >> DEBUGS AS FOLLOWS:
> >>
> >> #INITIAL PING FROM R1 LOOP TO R2 LOOP (OVERLOAD nat) - SUCCESSFUL
> >> R1#ping 192.168.2.2 rep 1 so lo 0
> >>
> >> Type escape sequence to abort.
> >> Sending 1, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
> >> Packet sent with a source address of 192.168.1.1
> >> !
> >> Success rate is 100 percent (1/1), round-trip min/avg/max = 32/32/32 ms
> >> R1#
> >> NAT: map match NAT
> >> NAT: [0] Allocated Port for 192.168.1.1 -> 10.1.12.1: wanted 16 got 16
> >> NAT: i: icmp (192.168.1.1, 16) -> (192.168.2.2, 16) [55]
> >> NAT: s=192.168.1.1->10.1.12.1, d=192.168.2.2 [55]
> >> NAT*: o: icmp (192.168.2.2, 16) -> (10.1.12.1, 16) [55]
> >> NAT*: s=192.168.2.2, d=10.1.12.1->192.168.1.1 [55]
> >> R1#
> >> R1#sh ip nat trans
> >> Pro Inside global Inside local Outside local Outside
> >> global
> >> icmp 10.1.12.1:16 192.168.1.1:16 192.168.2.2:16
> >> 192.168.2.2:16
> >>
> >> ==============================**==============================**========
> >> #INITIAL PING FROM R1 LOOP TO R3 LOOP (POLICY STATIC nat) - SUCCESSFUL
> >>
> >>
> >> R1#ping 192.168.3.3 rep 1 so lo 0
> >>
> >> Type escape sequence to abort.
> >> Sending 1, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
> >> Packet sent with a source address of 192.168.1.1
> >> !
> >> Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms
> >> R1#
> >> NAT: i: icmp (192.168.1.1, 18) -> (192.168.3.3, 18) [57]
> >> NAT: s=192.168.1.1->192.168.200.1, d=192.168.3.3 [57]
> >> NAT*: o: icmp (192.168.3.3, 18) -> (192.168.200.1, 18) [57]
> >> NAT*: s=192.168.3.3, d=192.168.200.1->192.168.1.1 [57]
> >> R1#
> >> R1#sh ip nat tran
> >> R1#sh ip nat translations
> >> Pro Inside global Inside local Outside local Outside
> >> global
> >> icmp 10.1.12.1:17 192.168.1.1:17 192.168.2.2:17
> >> 192.168.2.2:17
> >> icmp 192.168.200.1:18 192.168.1.1:18 192.168.3.3:18
> >> 192.168.3.3:18
> >> --- 192.168.200.1 192.168.1.1 --- ---
> >>
> >>
> >> ==============================**==============================**========
> >>
> >> #SECOND PING FROM R1 LOOP TO R2 LOOP (OVERLOAD nat) - UNSUCCESSFUL
> >>
> >>
> >> R1#ping 192.168.2.2 rep 1 so lo 0
> >>
> >> Type escape sequence to abort.
> >> Sending 1, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
> >> Packet sent with a source address of 192.168.1.1
> >> !
> >> Success rate is 100 percent (1/1), round-trip min/avg/max = 36/36/36 ms
> >> R1#
> >> NAT: i: icmp (192.168.1.1, 19) -> (192.168.2.2, 19) [58]
> >> NAT: s=192.168.1.1->192.168.200.1, d=192.168.2.2 [58]
> >> NAT*: o: icmp (192.168.2.2, 19) -> (192.168.200.1, 19) [58]
> >> NAT*: s=192.168.2.2, d=192.168.200.1->192.168.1.1 [58]
> >> R1#
> >> R1#sh ip nat tra
> >> R1#sh ip nat translations
> >> Pro Inside global Inside local Outside local Outside
> >> global
> >> icmp 10.1.12.1:17 192.168.1.1:17 192.168.2.2:17
> >> 192.168.2.2:17
> >> icmp 192.168.200.1:18 192.168.1.1:18 192.168.3.3:18
> >> 192.168.3.3:18
> >> icmp 192.168.200.1:19 192.168.1.1:19 192.168.2.2:19
> >> 192.168.2.2:19
> >> --- 192.168.200.1 192.168.1.1 --- ---
> >>
> >>
> >>
> >>
> >>
> >> On Tue, Jul 31, 2012 at 1:08 AM, ccie99999 <ccie99999_at_googlemail.com>
> >> wrote:
> >>
> >> thanks guys for your reply but still I don't get it..
> >>>
> >>> I'm here, this is the same situation I've:
> >>> https://supportforums.cisco.**com/thread/2043483<
> https://supportforums.cisco.com/thread/2043483>
> >>>
> >>> but after setting the static and the dynamic with the route-map I still
> >>> don't have a working solution.
> >>>
> >>> and googling this it looks like it's a common issue..
> >>>
> >>> checking some previous lab I did for my ccie I don't see this scenario.
> >>>
> >>> thanks again for your help
> >>>
> >>> On Mon, Jul 30, 2012 at 5:16 PM, Dan Shechter G <danshtr_at_gmail.com>
> >>> wrote:
> >>>
> >>> Its a bit mess on IOS, but in general static route has precedence over
> >>>> dynamic NAT.
> >>>>
> >>>> you can use route map, but notice that route-maps in nat are evaluated
> >>>> be
> >>>> lexical order, which means that route-map 'rmA' will be evaluated
> before
> >>>> 'rmB'
> >>>>
> >>>> On 30 Jul 2012, at 17:19, ccie99999 wrote:
> >>>>
> >>>> yeah, nothing..
> >>>>>
> >>>>> overload works but not static nat..
> >>>>> even after a clear ip nat tran * , a ping to the remote net + a show
> ip
> >>>>>
> >>>> nat
> >>>>
> >>>>> translat and I don't see the static nat..
> >>>>>
> >>>>> :(
> >>>>>
> >>>>> On Mon, Jul 30, 2012 at 2:04 PM, peter dervan <petesccie_at_gmail.com>
> >>>>>
> >>>> wrote:
> >>>>
> >>>>>
> >>>>> Hi,
> >>>>>> Try something like this, been a while since i labbed this so can't
> >>>>>> remember if it will do proper 1 to 1 static network nat or not...
> >>>>>>
> >>>>>> ==============================**=======================
> >>>>>>
> >>>>>> access-list 120 permit ip 192.168.1.0 0.0.0.255 10.10.0.0
> 0.1.255.255
> >>>>>>
> >>>>>> ip nat pool OVERLAPPING 192.168.200.1 192.168.200.254 prefix-length
> 24
> >>>>>>
> >>>>>> ip nat inside source list 120 pool OVERLAPPING
> >>>>>>
> >>>>>> ==============================**=======================
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Mon, Jul 30, 2012 at 2:41 PM, ccie99999 <
> ccie99999_at_googlemail.com
> >>>>>>
> >>>>> wrote:
> >>>>>
> >>>>>>
> >>>>>> Hi Peter,
> >>>>>>>
> >>>>>>> thanks for your help.
> >>>>>>>
> >>>>>>> I've tried what you've suggested and it looks it's working (the
> >>>>>>>
> >>>>>> static
> >>>
> >>>> is
> >>>>
> >>>>> not taking the precedence on the dynamic one)
> >>>>>>>
> >>>>>>> unluckily the static nat is not working..
> >>>>>>>
> >>>>>>> this is my basic nat stuff:
> >>>>>>>
> >>>>>>> (note: net 192.168.1.x must become 192.168.200.x with the static
> nat
> >>>>>>>
> >>>>>> and
> >>>>
> >>>>> talk to 10.10.0.0)
> >>>>>>>
> >>>>>>> route-map NAT permit 10
> >>>>>>> match ip address 101
> >>>>>>>
> >>>>>>> access-list 101 permit ip 192.168.200.0 0.0.0.255 10.10.0.0
> >>>>>>>
> >>>>>> 0.1.255.255
> >>>
> >>>> access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.1.255.255
> >>>>>>>
> >>>>>>> ip nat pool OVERLAPPING 192.168.200.1 192.168.200.254 pref 24
> >>>>>>>
> >>>>>>> ip nat inside source route-map NAT pool OVERLAPPING
> >>>>>>>
> >>>>>>> ######
> >>>>>>>
> >>>>>>> ip nat inside source list 100 interface Dialer0 overload
> >>>>>>>
> >>>>>>> access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.0.0
> 0.1.255.255
> >>>>>>> access-list 100 deny ip 192.168.200.0 0.0.0.255 10.10.0.0
> >>>>>>>
> >>>>>> 0.1.255.255
> >>>
> >>>> access-list 100 permit ip 192.168.1.0 0.0.0.255 any
> >>>>>>>
> >>>>>>> thaaaanks again.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On Mon, Jul 30, 2012 at 12:29 PM, Peter Dervan <
> petesccie_at_gmail.com>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>> Try making the static nat policy based, using a nat pool and route
> >>>>>>>>
> >>>>>>> map.
> >>>>
> >>>>> Policy would allow static nat to kick in only when traffic is
> >>>>>>>>
> >>>>>>> destined
> >>>
> >>>> to a
> >>>>>>>
> >>>>>>>> particular destination - should fix your issue.
> >>>>>>>>
> >>>>>>>> Sent from my iPhone
> >>>>>>>>
> >>>>>>>> On 30 Jul 2012, at 13:14, ccie99999 <ccie99999_at_googlemail.com>
> >>>>>>>>
> >>>>>>> wrote:
> >>>
> >>>>
> >>>>>>>> Hi guys,
> >>>>>>>>>
> >>>>>>>>> I feel a bit frustrated because of this simple issue:
> >>>>>>>>>
> >>>>>>>>> I've got to do a static nat and a dynamic one with the overload.
> >>>>>>>>>
> >>>>>>>>> the static one is for translating my entire lan to a specific net
> >>>>>>>>>
> >>>>>>>> (because
> >>>>>>>>
> >>>>>>>>> of overlapping over ipsec).
> >>>>>>>>>
> >>>>>>>>> the dynamic one with overload is for surfing the web.
> >>>>>>>>>
> >>>>>>>>> As soon as I set up the static nat the customer looses the access
> >>>>>>>>>
> >>>>>>>> to
> >>>
> >>>> internet (the dynamic one stop to work).
> >>>>>>>>>
> >>>>>>>>> I know that a static route has precedence over a dynamic but I've
> >>>>>>>>>
> >>>>>>>> set
> >>>
> >>>> up
> >>>>>>>
> >>>>>>>> a
> >>>>>>>>
> >>>>>>>>> specific acl:
> >>>>>>>>>
> >>>>>>>>> this is my conf:
> >>>>>>>>>
> >>>>>>>>> NAT:
> >>>>>>>>> ip nat inside source list 100 interface Dialer0 overload
> >>>>>>>>> ip nat inside source static network 192.168.1.0 192.168.200.0 /24
> >>>>>>>>>
> >>>>>>>>> ACL:
> >>>>>>>>> access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.0.0
> >>>>>>>>>
> >>>>>>>> 0.1.255.255
> >>>
> >>>> access-list 100 deny ip 192.168.200.0 0.0.0.255 10.10.0.0
> >>>>>>>>>
> >>>>>>>> 0.1.255.255
> >>>>>>>
> >>>>>>>> access-list 100 permit ip 192.168.1.0 0.0.0.255 any
> >>>>>>>>>
> >>>>>>>>> I've even tried to use a route-map within the dynamic nat but
> still
> >>>>>>>>>
> >>>>>>>> doesn't
> >>>>>>>>
> >>>>>>>>> work..
> >>>>>>>>>
> >>>>>>>>> where am I wrong?
> >>>>>>>>>
> >>>>>>>>> thanks in advance
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> ccie99999
> >>>>>>>>> twitter: @ccie99999
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>> ______________________________**______________________________**
> >>> ___________
> >>>
> >>>> Subscription information may be found at:
> >>>>>>>>> http://www.groupstudy.com/**list/CCIELab.html<
> http://www.groupstudy.com/list/CCIELab.html>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> ccie99999
> >>>>>>> twitter: @ccie99999
> >>>>>>>
> >>>>>>>
> >>>>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>>>
> >>>>>>>
> >>>>>>> ______________________________**______________________________**
> >>> ___________
> >>>
> >>>> Subscription information may be found at:
> >>>>>>> http://www.groupstudy.com/**list/CCIELab.html<
> http://www.groupstudy.com/list/CCIELab.html>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>> --
> >>>>> ccie99999
> >>>>> twitter: @ccie99999
> >>>>>
> >>>>>
> >>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>
> >>>>> ______________________________**______________________________**
> >>>>> ___________
> >>>>> Subscription information may be found at:
> >>>>> http://www.groupstudy.com/**list/CCIELab.html<
> http://www.groupstudy.com/list/CCIELab.html>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>> --
> >>> ccie99999
> >>> twitter: @ccie99999
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> ______________________________**______________________________**
> >>> ___________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/**list/CCIELab.html<
> http://www.groupstudy.com/list/CCIELab.html>
> >>>
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> ______________________________**______________________________**
> >> ___________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/**list/CCIELab.html<
> http://www.groupstudy.com/list/CCIELab.html>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> > --
> > Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
> >
>
>
>
> --
> ccie99999
> twitter: @ccie99999
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
Received on Tue Jul 31 2012 - 13:56:29 ART
This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:24 ART