
NAT translating Loopbacks and outside interface addresses

rjackson
Level 5

I have NAT set up on a 2501 with the Ethernet interface ip nat inside and one serial interface ip nat outside. But when I ping from the router, or do an extended ping using a loopback address, it NATs those too. I thought it should only NAT traffic from the inside interface. Can anyone explain? Here's the config:

!
interface Loopback0
 ip address 10.8.0.1 255.255.255.0
!
interface Loopback1
 ip address 10.9.0.1 255.255.255.0
!
interface Ethernet0
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 ip wccp web-cache group-listen
 ip authentication mode eigrp 2001 md5
 ip authentication key-chain eigrp 2001 eigrp-key
!
interface Serial0
 ip address 172.16.0.2 255.255.255.252
 ip access-group 102 in
 ip access-group 101 out
 ip accounting access-violations
 ip nat outside
 no fair-queue
 clockrate 1300000
!
interface Serial0.2
!
interface Serial1
 no ip address
 shutdown
!
router eigrp 2001
 redistribute static
 passive-interface Serial0
 network 10.1.0.0 0.0.0.255
 network 10.8.0.0 0.0.0.255
 network 10.9.0.0 0.0.0.255
 auto-summary
 no eigrp log-neighbor-changes
!
router bgp 200
 bgp log-neighbor-changes
 neighbor 10.1.0.2 remote-as 200
!
ip kerberos source-interface any
ip nat pool internet 128.129.0.1 128.129.0.1 netmask 255.255.255.0
ip nat inside source list 1 pool internet overload
ip nat inside source static 10.6.0.1 128.129.0.246
ip nat inside source static 10.4.0.1 128.129.0.245
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip http server
!
access-list 1 permit any

* * * and here's some output:

d2501#clear ip nat trans *
d2501#sh ip nat trans
Pro  Inside global        Inside local         Outside local        Outside global
---  128.129.0.245        10.4.0.1             ---                  ---
---  128.129.0.246        10.6.0.1             ---                  ---

d2501#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

d2501#sh ip nat trans
Pro  Inside global        Inside local         Outside local        Outside global
icmp 128.129.0.1:8947    172.16.0.2:8947      1.1.1.1:8947         1.1.1.1:8947
icmp 128.129.0.1:8948    172.16.0.2:8948      1.1.1.1:8948         1.1.1.1:8948
icmp 128.129.0.1:8949    172.16.0.2:8949      1.1.1.1:8949         1.1.1.1:8949
icmp 128.129.0.1:8950    172.16.0.2:8950      1.1.1.1:8950         1.1.1.1:8950
icmp 128.129.0.1:8951    172.16.0.2:8951      1.1.1.1:8951         1.1.1.1:8951
---  128.129.0.245        10.4.0.1             ---                  ---
---  128.129.0.246        10.6.0.1             ---                  ---

d2501#ping
Protocol [ip]:
Target IP address: 1.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.8.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms

d2501#sh ip nat trans
Pro  Inside global        Inside local         Outside local        Outside global
icmp 128.129.0.1:8947    172.16.0.2:8947      1.1.1.1:8947         1.1.1.1:8947
icmp 128.129.0.1:8948    172.16.0.2:8948      1.1.1.1:8948         1.1.1.1:8948
icmp 128.129.0.1:8949    172.16.0.2:8949      1.1.1.1:8949         1.1.1.1:8949
icmp 128.129.0.1:8950    172.16.0.2:8950      1.1.1.1:8950         1.1.1.1:8950
icmp 128.129.0.1:8951    172.16.0.2:8951      1.1.1.1:8951         1.1.1.1:8951
---  128.129.0.245        10.4.0.1             ---                  ---
---  128.129.0.246        10.6.0.1             ---                  ---
icmp 128.129.0.1:7425    10.8.0.1:7425        1.1.1.1:7425         1.1.1.1:7425
icmp 128.129.0.1:7426    10.8.0.1:7426        1.1.1.1:7426         1.1.1.1:7426
icmp 128.129.0.1:7427    10.8.0.1:7427        1.1.1.1:7427         1.1.1.1:7427
icmp 128.129.0.1:7428    10.8.0.1:7428        1.1.1.1:7428         1.1.1.1:7428
icmp 128.129.0.1:7429    10.8.0.1:7429        1.1.1.1:7429         1.1.1.1:7429
d2501#

The status shows that e0 is the only inside interface:

d2501#sh ip nat stat
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0
Inside interfaces:
  Ethernet0
Hits: 115  Misses: 54
Expired translations: 53
Dynamic mappings:
-- Inside Source
access-list 1 pool internet refcount 0
 pool internet: netmask 255.255.255.0
        start 128.129.0.1 end 128.129.0.1
        type generic, total addresses 1, allocated 0 (0%), misses 0

2 Replies

toyenekan
Level 1

The access-list is the problem. You allow "any". This will NAT all addresses on your private network. Solution: deny what NOT to NAT and allow what to NAT.

Thanks for the response, but the way I understand it, and have implemented it before, the access-list is only supposed to be applied to interfaces with IP NAT INSIDE. The loopback does not have that; the serial is configured IP NAT OUTSIDE. I know I can filter out the addresses I don't want, but I shouldn't have to if I want to NAT all packets coming in an INSIDE interface and going out an OUTSIDE interface.
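Added example, not part of the thread and not rjackson's running configuration: the access-list change toyenekan's reply describes, written against the addresses in the posted config. The dynamic rule still matches on a standard ACL, but the list is narrowed from `permit any` to the networks that should be translated, and the router's own addresses (the two loopbacks, the Ethernet0 address, and the Serial0 address that the `show ip nat translations` output above shows being translated) are denied explicitly. The assumption that every inside network falls in 10.0.0.0/8 comes only from the static entries for 10.4.0.1 and 10.6.0.1; the list number 10 is an arbitrary choice; replace the permit line with the real inside prefixes. Whether router-originated traffic should be translated at all is the point the two posters disagree on; this only shows how the list keeps it out.

```cisco
! Added example, not the original poster's configuration.
!
! Before: access-list 1 matches every source, so anything the router
! forwards or originates out Serial0 that reaches this rule is translated.
ip nat inside source list 1 pool internet overload
access-list 1 permit any
!
! After: name what should be translated. A standard ACL stops at the
! first matching entry, so the router-owned addresses are denied before
! the broader permit. The static translations are not affected by this
! list and stay as they are.
no ip nat inside source list 1 pool internet overload
access-list 10 remark NAT source list: skip router-owned addresses, translate inside 10/8 (assumed)
access-list 10 deny   host 10.8.0.1
access-list 10 deny   host 10.9.0.1
access-list 10 deny   host 10.1.0.1
access-list 10 deny   host 172.16.0.2
access-list 10 permit 10.0.0.0 0.255.255.255
ip nat inside source list 10 pool internet overload
no access-list 1
```

Run `clear ip nat translation *` from privileged EXEC before removing the old rule; IOS refuses to remove a dynamic mapping while translations built from it are still active. To check the result, repeat the test the thread already used: an extended ping sourced from 10.8.0.1 followed by `show ip nat translations`. A source the list denies is not translated, so no dynamic entry with 10.8.0.1 as inside local should appear, and `show ip nat statistics` should list `access-list 10 pool internet` under Dynamic mappings.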
