Maddening NAT issue

smathias
Level 1

Yet again I am beating my head against the wall with a NAT problem and virtually no useful troubleshooting tools.

This is a somewhat convoluted scenario:

One inside interface doing NAT and policy routing

Two outside interfaces to different ISPs, both doing NAT overload. One of them has two static NATs as well.

On the static NAT, inbound traffic is translated and routed to the host, routed back out, policy routed, and fails translation:

*Mar 1 00:09:51.059: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53882]

*Mar 1 00:09:51.063: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 58, forward

*Mar 1 00:09:51.063: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53883]

*Mar 1 00:09:51.067: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 58, forward

*Mar 1 00:09:51.067: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53884]

*Mar 1 00:09:51.071: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 58, forward

*Mar 1 00:09:51.071: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53885]

*Mar 1 00:09:51.075: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 58, forward

*Mar 1 00:09:51.075: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53886]

*Mar 1 00:09:51.079: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 62, forward

*Mar 1 00:09:51.079: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53887]

*Mar 1 00:09:51.083: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 58, forward

*Mar 1 00:09:51.083: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53888]

*Mar 1 00:09:51.083: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 61, forward

*Mar 1 00:09:51.087: NAT: s=192.168.100.140->63.225.xxx.140, d=69.2.200.182 [1064]

*Mar 1 00:09:51.087: NAT: translation failed (A), dropping packet s=63.225.xxx.140 d=69.2.200.182

The only reference I find to NAT: translation failed (A) is to enable ip subnet-zero. This is enabled. Not sure what else to try or how to look deeper to determine what is failing.

I have shut down the other outside interface, removed NAT overload on this interface leaving only statics, disabled CEF and ip route-cache, all with no change.

10 Replies

subbarao.s
Level 1

Can you post the config?

No routing protocol, default route is set from DHCP on fa0/0.

no aaa new-model

ip subnet-zero

!

!

no ip cef

no ip domain lookup

!

!

interface FastEthernet0/0

ip address dhcp

ip access-group 100 in

ip nat outside

no ip route-cache

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 63.225.xxx.141 255.255.255.248

ip access-group 101 in

ip nat outside

no ip route-cache

duplex auto

speed auto

fair-queue

!

interface Ethernet1/0

ip address 192.168.0.2 255.255.255.252

ip nat inside

ip inspect PSFW in

ip policy route-map INTERNET

half-duplex

!

ip nat inside source route-map ISP1 interface FastEthernet0/0 overload

ip nat inside source route-map ISP2 interface FastEthernet0/1 overload

ip nat inside source static 192.168.xxx.139 63.225.xxx.139

ip nat inside source static 192.168.xxx.140 63.225.xxx.140

no ip http server

ip classless

ip route 172.16.xxx.0 255.255.255.0 192.168.0.1

ip route 192.168.xxx.0 255.255.255.0 192.168.0.1

!

!

access-list 1 permit 172.16.xxx.0 0.0.0.255

access-list 1 permit 120.20.12.0 0.0.0.7

access-list 99 permit 192.168.xxx.140

access-list 99 permit 63.225.xxx.140

access-list 100 permit udp any eq bootps any eq bootpc

access-list 100 deny ip 10.0.0.0 0.255.255.255 any

access-list 100 deny ip 172.16.0.0 0.0.15.255 any

access-list 100 deny ip 192.168.0.0 0.0.255.255 any

access-list 100 deny ip any host 255.255.255.255

access-list 100 deny tcp any any log

access-list 100 deny udp any any log

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any packet-too-big

access-list 100 permit icmp any any traceroute

access-list 100 permit icmp any any unreachable

access-list 100 deny ip any any log

access-list 101 deny ip 10.0.0.0 0.0.0.255 any

access-list 101 deny ip 172.16.0.0 0.0.15.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip any host 255.255.255.255

access-list 101 permit tcp any host 63.225.xxx.139 eq www

access-list 101 permit tcp any host 63.225.xxx.139 eq ftp-data

access-list 101 permit tcp any host 63.225.xxx.139 eq ftp

access-list 101 permit tcp any host 63.225.xxx.140 eq smtp

access-list 101 permit tcp any host 63.225.xxx.140 eq domain

access-list 101 permit udp any host 63.225.xxx.140 eq domain

access-list 101 permit udp 0.0.0.0 255.255.255.0 host 172.16.xxx.132

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any packet-too-big

access-list 101 permit icmp any any traceroute

access-list 101 permit icmp any any unreachable

access-list 101 permit udp any eq ntp any

access-list 101 deny ip any any log

access-list 110 permit ip host 172.16.xxx.132 any

access-list 110 permit ip 192.168.xxx.0 0.0.0.255 any

access-list 110 permit tcp 172.16.xxx.0 0.0.0.255 207.225.159.0 0.0.0.255 eq nntp

access-list 120 deny ip host 172.16.xxx.132 any

access-list 120 deny ip 192.168.xxx.0 0.0.0.255 any

access-list 120 deny tcp 172.16.xxx.0 0.0.0.255 207.225.159.0 0.0.0.255 eq nntp

access-list 120 permit ip any any

route-map INTERNET permit 10

match ip address 110

set ip default next-hop 63.225.xxx.142

!

route-map INTERNET permit 20

set interface FastEthernet0/0

!

route-map ISP1 permit 10

match ip address 120

!

route-map ISP2 permit 10

match ip address 110

!

!

line con 0

line aux 0

line vty 0 4

access-class 1 in

login

line vty 5 15

access-class 1 in

login

!

!

end

Can you attach "debug ip policy" along with NAT debug?

I notice that sometimes the NAT does work and others it doesn't, though it is always consistent (an address that doesn't work never does).

debug ip policy

debug ip packet

debug ip nat

*Mar 1 03:17:50.067: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142

*Mar 1 03:17:50.067: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.136.109.247 [31922]

*Mar 1 03:17:50.071: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.136.109.247 (FastEthernet0/1), g=63.225.xxx.142, len 75, forward

*Mar 1 03:17:50.207: NAT: s=64.136.109.247, d=63.225.xxx.140->192.168.xxx.140 [43728]

*Mar 1 03:17:50.207: IP: tableid=0, s=64.136.109.247 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), routed via RIB

*Mar 1 03:17:50.207: IP: s=64.136.109.247 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), g=192.168.0.1, len 91, forward

*Mar 1 03:17:52.215: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB

*Mar 1 03:17:52.215: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 60, policy match

*Mar 1 03:17:52.215: IP: route map INTERNET, item 10, permit

*Mar 1 03:17:52.215: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 60, policy routed

*Mar 1 03:17:52.215: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142

*Mar 1 03:17:52.215: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31923]

*Mar 1 03:17:52.219: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 60, forward

*Mar 1 03:17:54.227: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=209.208.92.254 (FastEthernet0/0), routed via RIB

*Mar 1 03:17:54.227: IP: s=192.168.xxx.140 (Ethernet1/0), d=209.208.92.254, len 87, policy match

*Mar 1 03:17:54.227: IP: route map INTERNET, item 10, permit

*Mar 1 03:17:54.227: IP: s=192.168.xxx.140 (Ethernet1/0), d=209.208.92.254 (FastEthernet0/1), len 87, policy routed

*Mar 1 03:17:54.227: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142

*Mar 1 03:17:54.231: NAT: s=192.168.xxx.140->63.225.xxx.140, d=209.208.92.254 [31927]

*Mar 1 03:17:54.231: IP: s=63.225.xxx.140 (Ethernet1/0), d=209.208.92.254 (FastEthernet0/1), g=63.225.xxx.142, len 87, forward

*Mar 1 03:17:54.383: NAT: s=209.208.92.254, d=63.225.xxx.140->192.168.xxx.140 [0]

*Mar 1 03:17:54.387: IP: tableid=0, s=209.208.92.254 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), routed via RIB

*Mar 1 03:17:54.387: IP: s=209.208.92.254 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), g=192.168.0.1, len 121, forward

*Mar 1 03:17:54.391: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=195.68.220.2 (FastEthernet0/0), routed via RIB

*Mar 1 03:17:54.391: IP: s=192.168.xxx.140 (Ethernet1/0), d=195.68.220.2, len 87, policy match

*Mar 1 03:17:54.391: IP: route map INTERNET, item 10, permit

*Mar 1 03:17:54.391: IP: s=192.168.xxx.140 (Ethernet1/0), d=195.68.220.2 (FastEthernet0/1), len 87, policy routed

*Mar 1 03:17:54.395: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142

*Mar 1 03:17:54.395: NAT: s=192.168.xxx.140->63.225.xxx.140, d=195.68.220.2 [31930]

*Mar 1 03:17:54.395: IP: s=63.225.xxx.140 (Ethernet1/0), d=195.68.220.2 (FastEthernet0/1), g=63.225.xxx.142, len 87, forward

*Mar 1 03:17:54.591: NAT: s=195.68.220.2, d=63.225.xxx.140->192.168.xxx.140 [16526]

*Mar 1 03:17:54.595: IP: tableid=0, s=195.68.220.2 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), routed via RIB

*Mar 1 03:17:54.595: IP: s=195.68.220.2 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), g=192.168.0.1, len 139, forward

*Mar 1 03:17:54.599: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB

*Mar 1 03:17:54.599: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 132, policy match

*Mar 1 03:17:54.603: IP: route map INTERNET, item 10, permit

*Mar 1 03:17:54.603: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 132, policy routed

*Mar 1 03:17:54.603: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142

*Mar 1 03:17:54.603: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31932]

*Mar 1 03:17:54.603: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 132, forward

*Mar 1 03:17:54.755: NAT*: s=64.200.120.242, d=63.225.xxx.140->192.168.xxx.140 [3892]

*Mar 1 03:17:54.755: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB

*Mar 1 03:17:54.759: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 96, policy match

*Mar 1 03:17:54.759: IP: route map INTERNET, item 10, permit

*Mar 1 03:17:54.759: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 96, policy routed

*Mar 1 03:17:54.759: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142

*Mar 1 03:17:54.759: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31933]

*Mar 1 03:17:54.759: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 96, forward

*Mar 1 03:17:54.883: NAT*: s=64.200.120.242, d=63.225.xxx.140->192.168.xxx.140 [3913]

*Mar 1 03:17:54.887: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB

*Mar 1 03:17:54.887: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 123, policy match

*Mar 1 03:17:54.887: IP: route map INTERNET, item 10, permit

*Mar 1 03:17:54.891: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 123, policy routed

*Mar 1 03:17:54.891: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142

*Mar 1 03:17:54.891: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31934]

*Mar 1 03:17:54.891: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 123, forward

*Mar 1 03:17:56.083: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB

*Mar 1 03:17:56.083: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 123, policy match

*Mar 1 03:17:56.083: IP: route map INTERNET, item 10, permit

*Mar 1 03:17:56.087: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 123, policy routed

*Mar 1 03:17:56.087: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142

*Mar 1 03:17:56.087: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31935]

*Mar 1 03:17:56.087: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 123, forward

*Mar 1 03:17:56.219: NAT*: s=64.200.120.242, d=63.225.xxx.140->192.168.xxx.140 [4174]

*Mar 1 03:17:56.223: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=209.173.53.162 (FastEthernet0/0), routed via RIB

*Mar 1 03:17:56.223: IP: s=192.168.xxx.140 (Ethernet1/0), d=209.173.53.162, len 72, policy match

*Mar 1 03:17:56.223: IP: route map INTERNET, item 10, permit

*Mar 1 03:17:56.223: IP: s=192.168.xxx.140 (Ethernet1/0), d=209.173.53.162 (FastEthernet0/1), len 72, policy routed

*Mar 1 03:17:56.223: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142

*Mar 1 03:17:56.227: NAT: s=192.168.xxx.140->63.225.xxx.140, d=209.173.53.162 [31937]

*Mar 1 03:17:56.227: IP: s=63.225.xxx.140 (Ethernet1/0), d=209.173.53.162 (FastEthernet0/1), g=63.225.xxx.142, len 72, forward

*Mar 1 03:17:56.315: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB

*Mar 1 03:17:56.315: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 40, policy match

*Mar 1 03:17:56.315: IP: route map INTERNET, item 10, permit

*Mar 1 03:17:56.315: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 40, policy routed

*Mar 1 03:17:56.315: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142

*Mar 1 03:17:56.315: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31938]
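To make debug batches like the ones above easier to read, here is an added example script (mine, not code from the original poster or from Cisco) that parses `debug ip nat`, `debug ip packet` and `debug ip policy` lines into per-flow counts and lists the flows that end in a `translation failed` drop. The embedded sample is a handful of lines copied from this thread, keeping the same xxx redaction; the regexes follow the line shapes visible here, and assuming they hold for other IOS releases is an assumption.

```python
"""Correlate Cisco IOS 'debug ip nat' / 'debug ip packet' / 'debug ip policy'
lines into per-flow counts so a dropped translation stands out.

Added example for this thread, not code from the original poster or from
Cisco. The regexes follow the line shapes visible in the thread; treating
them as valid for other IOS releases is an assumption."""
import re
from collections import defaultdict

ADDR = r"[\w.]+"  # dotted quad; also matches the 'xxx' redaction used in the thread

# NAT: s=A[->A'], d=B[->B'] [ipid]     (the '*' after NAT marks a fast-switched packet)
NAT_RE = re.compile(
    rf"NAT(?P<fast>\*)?: s=(?P<src>{ADDR})(?:->(?P<src_x>{ADDR}))?, "
    rf"d=(?P<dst>{ADDR})(?:->(?P<dst_x>{ADDR}))? \[(?P<ipid>\d+)\]"
)
# NAT: translation failed (A), dropping packet s=global d=peer
FAIL_RE = re.compile(
    rf"NAT: translation failed \((?P<code>\w+)\), dropping packet "
    rf"s=(?P<src>{ADDR}) d=(?P<dst>{ADDR})"
)
# IP: s=A (in_if), d=B (out_if), g=..., len N, forward
FWD_RE = re.compile(
    rf"IP: s=(?P<src>{ADDR}) \((?P<in_if>[^)]+)\), "
    rf"d=(?P<dst>{ADDR}) \((?P<out_if>[^)]+)\), .*\bforward$"
)
# IP: route map INTERNET, item 10, permit
PBR_RE = re.compile(r"IP: route map (?P<map>\S+), item (?P<seq>\d+), (?P<action>permit|deny)")


def parse_line(line):
    """Return an event dict for one debug line, or None if it is not a line we track."""
    line = line.strip()
    m = FAIL_RE.search(line)
    if m:  # s= is the already-translated global address, d= the outside peer
        return {"kind": "drop", "global": m["src"], "peer": m["dst"], "code": m["code"]}
    m = NAT_RE.search(line)
    if m:
        if m["dst_x"]:  # inbound: global destination rewritten to the inside host
            return {"kind": "in", "inside": m["dst_x"], "global": m["dst"],
                    "peer": m["src"], "ipid": int(m["ipid"]), "fast": bool(m["fast"])}
        if m["src_x"]:  # outbound: inside source rewritten to the global address
            return {"kind": "out", "inside": m["src"], "global": m["src_x"],
                    "peer": m["dst"], "ipid": int(m["ipid"]), "fast": bool(m["fast"])}
        return None
    m = FWD_RE.search(line)
    if m:
        return {"kind": "fwd", "src": m["src"], "dst": m["dst"],
                "in_if": m["in_if"], "out_if": m["out_if"]}
    m = PBR_RE.search(line)
    if m:
        return {"kind": "pbr", "map": m["map"], "seq": int(m["seq"]), "action": m["action"]}
    return None


def summarize(lines):
    """Group NAT events by (inside host, global address, outside peer), counting
    inbound/outbound translations and drops. The global->inside mapping is learned
    from translation lines so a later drop can be tied back to the inside host."""
    flows = defaultdict(lambda: {"in": 0, "out": 0, "drops": [], "ifaces": set()})
    global_to_inside = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] in ("in", "out"):
            global_to_inside[ev["global"]] = ev["inside"]
            flows[(ev["inside"], ev["global"], ev["peer"])][ev["kind"]] += 1
        elif ev["kind"] == "drop":
            inside = global_to_inside.get(ev["global"], "?")
            flows[(inside, ev["global"], ev["peer"])]["drops"].append(ev["code"])
        elif ev["kind"] == "fwd":  # attach the (ingress, egress) pair to the matching flow
            for (inside, glob, peer), rec in flows.items():
                if (ev["src"], ev["dst"]) in {(peer, inside), (glob, peer), (inside, peer)}:
                    rec["ifaces"].add((ev["in_if"], ev["out_if"]))
    return dict(flows)


def failed_flows(flows):
    """Flows that were translated and then dropped (the symptom in this thread)."""
    return sorted(key for key, rec in flows.items() if rec["drops"])


def pbr_hits(lines):
    """Count route-map decisions from 'debug ip policy', keyed by (map, seq, action)."""
    hits = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["kind"] == "pbr":
            hits[(ev["map"], ev["seq"], ev["action"])] += 1
    return dict(hits)


# Constructed sample: lines copied from the two debug batches in this thread.
SAMPLE = """\
*Mar 1 00:09:51.059: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53882]
*Mar 1 00:09:51.063: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 58, forward
*Mar 1 00:09:51.087: NAT: s=192.168.100.140->63.225.xxx.140, d=69.2.200.182 [1064]
*Mar 1 00:09:51.087: NAT: translation failed (A), dropping packet s=63.225.xxx.140 d=69.2.200.182
*Mar 1 03:17:52.215: IP: route map INTERNET, item 10, permit
*Mar 1 03:17:52.215: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31923]
*Mar 1 03:17:52.219: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 60, forward
*Mar 1 03:17:54.755: NAT*: s=64.200.120.242, d=63.225.xxx.140->192.168.xxx.140 [3892]
"""

if __name__ == "__main__":
    flows = summarize(SAMPLE.splitlines())
    for key, rec in flows.items():
        print(key, rec)
    print("failed:", failed_flows(flows))
    print("policy decisions:", pbr_hits(SAMPLE.splitlines()))
```

Feed it a saved terminal capture instead of the sample. A flow that appears under failed_flows with both an inbound and an outbound count is the pattern of the first batch above: the inbound packet is translated and forwarded, the reply is rewritten to the global address, and then the packet is dropped, while a flow with no drops and interface pairs in both directions is one that worked.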

Can you post the log for the failed instance?

I posted three chunks in the last batch as the forum only allows 4000 characters. Pretty low limit for posting configs or debugs.

The second or third chunk showed a failed instance.

Don't worry, you are really close to cracking it.

Put a "match interface FastEthernet0/0" on the route-map "ISP1", re-enable CEF and you are there.

Like this.

route-map ISP1 permit 10

match interface FastEthernet0/0

match ip address 120

!

route-map ISP2 permit 10

match interface FastEthernet0/1

match ip address 110

!

Tell me how many default routes you have when running "sh ip route"? Two, hopefully.

I will give this a try, but what will the match interface FastEthernet do as the policy is applied on Ethernet1/0? I would think it will never match.

I have a dynamically learned default out fa0/0. You are saying I should add a static default out fa0/1 as well?

The "match inter..." is to tell the router that packets traveling out FastEthernet0/0 need to be NAT'ed to the IP address of FastEthernet0/0, and packets traveling out FastEthernet0/1 need to be NAT'ed to the IP address of FastEthernet0/0. As it is now, you are NAT'ing everything on the same interface, meaning that returning packets will all go through the same line. You have only seen traffic on one line at a time, correct?

You also need two default routes in order to make the load-sharing (per-destination) work.

Try putting this in, and let me know how it works.

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 63.225.xxx.14X 254

!

route-map ISP1 permit 10

match interface FastEthernet0/0

match ip address 110

!

route-map ISP2 permit 10

match interface FastEthernet0/1

match ip address 110

The default route learned by DHCP has an administrative distance of 254, right? E.g. S* 0.0.0.0/0 [254/0] via *.*.*.*.

That is why you put the 254 at the end of the default route out FastEthernet0/1. This way you should see two default routes when doing "sh ip route 0.0.0.0".

Remember "ip cef" in global and "ip route-cache cef" on both interfaces.

Good luck.