05-22-2004 12:21 PM - edited 03-02-2019 03:53 PM
Yet again I am beating my head against the wall with a NAT problem and virtually no useful troubleshooting tools.
This is a somewhat convoluted scenario:
One inside interface doing NAT and policy routing
Two outside interfaces to different ISPs, both doing NAT overload. One of them has two static NATs as well.
On the static NAT, inbound traffic is translated and routed to the host, routed back out, policy routed, and fails translation:
*Mar 1 00:09:51.059: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53882]
*Mar 1 00:09:51.063: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 58, forward
*Mar 1 00:09:51.063: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53883]
*Mar 1 00:09:51.067: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 58, forward
*Mar 1 00:09:51.067: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53884]
*Mar 1 00:09:51.071: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 58, forward
*Mar 1 00:09:51.071: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53885]
*Mar 1 00:09:51.075: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 58, forward
*Mar 1 00:09:51.075: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53886]
*Mar 1 00:09:51.079: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 62, forward
*Mar 1 00:09:51.079: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53887]
*Mar 1 00:09:51.083: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 58, forward
*Mar 1 00:09:51.083: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53888]
*Mar 1 00:09:51.083: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 61, forward
*Mar 1 00:09:51.087: NAT: s=192.168.100.140->63.225.xxx.140, d=69.2.200.182 [1064]
*Mar 1 00:09:51.087: NAT: translation failed (A), dropping packet s=63.225.xxx.140 d=69.2.200.182
The only reference I find to NAT: translation failed (A) is to enable ip subnet-zero. This is enabled. Not sure what else to try or how to look deeper to determine what is failing.
I have shut down the other outside interface, removed NAT overload on this interface leaving only statics, disabled CEF and ip route-cache, all with no change.
05-22-2004 06:45 PM
Can you post the config?
05-22-2004 06:52 PM
No routing protocol, default route is set from DHCP on fa0/0.
no aaa new-model
ip subnet-zero
!
!
no ip cef
no ip domain lookup
!
!
interface FastEthernet0/0
ip address dhcp
ip access-group 100 in
ip nat outside
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 63.225.xxx.141 255.255.255.248
ip access-group 101 in
ip nat outside
no ip route-cache
duplex auto
speed auto
fair-queue
!
interface Ethernet1/0
ip address 192.168.0.2 255.255.255.252
ip nat inside
ip inspect PSFW in
ip policy route-map INTERNET
half-duplex
!
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
ip nat inside source static 192.168.xxx.139 63.225.xxx.139
ip nat inside source static 192.168.xxx.140 63.225.xxx.140
no ip http server
ip classless
ip route 172.16.xxx.0 255.255.255.0 192.168.0.1
ip route 192.168.xxx.0 255.255.255.0 192.168.0.1
!
!
access-list 1 permit 172.16.xxx.0 0.0.0.255
access-list 1 permit 120.20.12.0 0.0.0.7
access-list 99 permit 192.168.xxx.140
access-list 99 permit 63.225.xxx.140
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.0.15.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip any host 255.255.255.255
access-list 100 deny tcp any any log
access-list 100 deny udp any any log
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 deny ip any any log
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 deny ip 172.16.0.0 0.0.15.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any host 63.225.xxx.139 eq www
access-list 101 permit tcp any host 63.225.xxx.139 eq ftp-data
access-list 101 permit tcp any host 63.225.xxx.139 eq ftp
access-list 101 permit tcp any host 63.225.xxx.140 eq smtp
access-list 101 permit tcp any host 63.225.xxx.140 eq domain
access-list 101 permit udp any host 63.225.xxx.140 eq domain
access-list 101 permit udp 0.0.0.0 255.255.255.0 host 172.16.xxx.132
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq ntp any
access-list 101 deny ip any any log
access-list 110 permit ip host 172.16.xxx.132 any
access-list 110 permit ip 192.168.xxx.0 0.0.0.255 any
access-list 110 permit tcp 172.16.xxx.0 0.0.0.255 207.225.159.0 0.0.0.255 eq nntp
access-list 120 deny ip host 172.16.xxx.132 any
access-list 120 deny ip 192.168.xxx.0 0.0.0.255 any
access-list 120 deny tcp 172.16.xxx.0 0.0.0.255 207.225.159.0 0.0.0.255 eq nntp
access-list 120 permit ip any any
route-map INTERNET permit 10
match ip address 110
set ip default next-hop 63.225.xxx.142
!
route-map INTERNET permit 20
set interface FastEthernet0/0
!
route-map ISP1 permit 10
match ip address 120
!
route-map ISP2 permit 10
match ip address 110
!
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
login
line vty 5 15
access-class 1 in
login
!
!
end
05-22-2004 08:47 PM
Can you attach "debug ip policy" along with NAT debug?
05-22-2004 09:43 PM
I notice that sometimes the NAT does work and others it doesn't, though it is always consistent (an address that doesn't work never does).
debug ip policy
debug ip packet
debug ip nat
*Mar 1 03:17:50.067: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142
*Mar 1 03:17:50.067: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.136.109.247 [31922]
*Mar 1 03:17:50.071: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.136.109.247 (FastEthernet0/1), g=63.225.xxx.142, len 75, forward
*Mar 1 03:17:50.207: NAT: s=64.136.109.247, d=63.225.xxx.140->192.168.xxx.140 [43728]
*Mar 1 03:17:50.207: IP: tableid=0, s=64.136.109.247 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), routed via RIB
*Mar 1 03:17:50.207: IP: s=64.136.109.247 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), g=192.168.0.1, len 91, forward
*Mar 1 03:17:52.215: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB
*Mar 1 03:17:52.215: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 60, policy match
*Mar 1 03:17:52.215: IP: route map INTERNET, item 10, permit
*Mar 1 03:17:52.215: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 60, policy routed
*Mar 1 03:17:52.215: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142
*Mar 1 03:17:52.215: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31923]
*Mar 1 03:17:52.219: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 60, forward
*Mar 1 03:17:54.227: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=209.208.92.254 (FastEthernet0/0), routed via RIB
*Mar 1 03:17:54.227: IP: s=192.168.xxx.140 (Ethernet1/0), d=209.208.92.254, len 87, policy match
*Mar 1 03:17:54.227: IP: route map INTERNET, item 10, permit
*Mar 1 03:17:54.227: IP: s=192.168.xxx.140 (Ethernet1/0), d=209.208.92.254 (FastEthernet0/1), len 87, policy routed
*Mar 1 03:17:54.227: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142
*Mar 1 03:17:54.231: NAT: s=192.168.xxx.140->63.225.xxx.140, d=209.208.92.254 [31927]
*Mar 1 03:17:54.231: IP: s=63.225.xxx.140 (Ethernet1/0), d=209.208.92.254 (FastEthernet0/1), g=63.225.xxx.142, len 87, forward
*Mar 1 03:17:54.383: NAT: s=209.208.92.254, d=63.225.xxx.140->192.168.xxx.140 [0]
*Mar 1 03:17:54.387: IP: tableid=0, s=209.208.92.254 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), routed via RIB
*Mar 1 03:17:54.387: IP: s=209.208.92.254 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), g=192.168.0.1, len 121, forward
*Mar 1 03:17:54.391: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=195.68.220.2 (FastEthernet0/0), routed via RIB
*Mar 1 03:17:54.391: IP: s=192.168.xxx.140 (Ethernet1/0), d=195.68.220.2, len 87, policy match
*Mar 1 03:17:54.391: IP: route map INTERNET, item 10, permit
*Mar 1 03:17:54.391: IP: s=192.168.xxx.140 (Ethernet1/0), d=195.68.220.2 (FastEthernet0/1), len 87, policy routed
*Mar 1 03:17:54.395: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142
*Mar 1 03:17:54.395: NAT: s=192.168.xxx.140->63.225.xxx.140, d=195.68.220.2 [31930]
*Mar 1 03:17:54.395: IP: s=63.225.xxx.140 (Ethernet1/0), d=195.68.220.2 (FastEthernet0/1), g=63.225.xxx.142, len 87, forward
*Mar 1 03:17:54.591: NAT: s=195.68.220.2, d=63.225.xxx.140->192.168.xxx.140 [16526]
*Mar 1 03:17:54.595: IP: tableid=0, s=195.68.220.2 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), routed via RIB
*Mar 1 03:17:54.595: IP: s=195.68.220.2 (FastEthernet0/1), d=192.168.xxx.140 (Ethernet1/0), g=192.168.0.1, len 139, forward
*Mar 1 03:17:54.599: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB
*Mar 1 03:17:54.599: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 132, policy match
*Mar 1 03:17:54.603: IP: route map INTERNET, item 10, permit
*Mar 1 03:17:54.603: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 132, policy routed
05-22-2004 09:46 PM
*Mar 1 03:17:54.603: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142
*Mar 1 03:17:54.603: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31932]
*Mar 1 03:17:54.603: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 132, forward
*Mar 1 03:17:54.755: NAT*: s=64.200.120.242, d=63.225.xxx.140->192.168.xxx.140 [3892]
*Mar 1 03:17:54.755: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB
*Mar 1 03:17:54.759: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 96, policy match
*Mar 1 03:17:54.759: IP: route map INTERNET, item 10, permit
*Mar 1 03:17:54.759: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 96, policy routed
*Mar 1 03:17:54.759: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142
*Mar 1 03:17:54.759: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31933]
*Mar 1 03:17:54.759: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 96, forward
*Mar 1 03:17:54.883: NAT*: s=64.200.120.242, d=63.225.xxx.140->192.168.xxx.140 [3913]
*Mar 1 03:17:54.887: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB
*Mar 1 03:17:54.887: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 123, policy match
*Mar 1 03:17:54.887: IP: route map INTERNET, item 10, permit
*Mar 1 03:17:54.891: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 123, policy routed
*Mar 1 03:17:54.891: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142
*Mar 1 03:17:54.891: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31934]
*Mar 1 03:17:54.891: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 123, forward
*Mar 1 03:17:56.083: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB
*Mar 1 03:17:56.083: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 123, policy match
*Mar 1 03:17:56.083: IP: route map INTERNET, item 10, permit
*Mar 1 03:17:56.087: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 123, policy routed
*Mar 1 03:17:56.087: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142
*Mar 1 03:17:56.087: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31935]
*Mar 1 03:17:56.087: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 123, forward
*Mar 1 03:17:56.219: NAT*: s=64.200.120.242, d=63.225.xxx.140->192.168.xxx.140 [4174]
*Mar 1 03:17:56.223: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=209.173.53.162 (FastEthernet0/0), routed via RIB
*Mar 1 03:17:56.223: IP: s=192.168.xxx.140 (Ethernet1/0), d=209.173.53.162, len 72, policy match
*Mar 1 03:17:56.223: IP: route map INTERNET, item 10, permit
*Mar 1 03:17:56.223: IP: s=192.168.xxx.140 (Ethernet1/0), d=209.173.53.162 (FastEthernet0/1), len 72, policy routed
*Mar 1 03:17:56.223: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142
*Mar 1 03:17:56.227: NAT: s=192.168.xxx.140->63.225.xxx.140, d=209.173.53.162 [31937]
*Mar 1 03:17:56.227: IP: s=63.225.xxx.140 (Ethernet1/0), d=209.173.53.162 (FastEthernet0/1), g=63.225.xxx.142, len 72, forward
*Mar 1 03:17:56.315: IP: tableid=0, s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/0), routed via RIB
*Mar 1 03:17:56.315: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242, len 40, policy match
*Mar 1 03:17:56.315: IP: route map INTERNET, item 10, permit
*Mar 1 03:17:56.315: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 40, policy routed
*Mar 1 03:17:56.315: IP: Ethernet1/0 to FastEthernet0/1 63.225.xxx.142
*Mar 1 03:17:56.315: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31938]
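Since the thread complains about the lack of tooling for reading these debugs, here is an added helper (not from the thread or from Cisco) that walks `debug ip nat` / `debug ip packet` output, records for each outside peer which interface its packets arrived on and which one the reply left on, and ties any "translation failed" drop to that peer. The sample lines are copied from the two debug captures above; the regexes are assumptions about the line formats seen there.

```python
import re
from collections import defaultdict

# Debug lines copied from the thread's captures (one failed flow, one working flow).
SAMPLE = """\
*Mar 1 00:09:51.083: NAT: s=69.2.200.182, d=63.225.xxx.140->192.168.100.140 [53888]
*Mar 1 00:09:51.083: IP: s=69.2.200.182 (FastEthernet0/1), d=192.168.100.140 (Ethernet1/0), g=192.168.0.1, len 61, forward
*Mar 1 00:09:51.087: NAT: s=192.168.100.140->63.225.xxx.140, d=69.2.200.182 [1064]
*Mar 1 00:09:51.087: NAT: translation failed (A), dropping packet s=63.225.xxx.140 d=69.2.200.182
*Mar 1 03:17:52.215: IP: s=192.168.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), len 60, policy routed
*Mar 1 03:17:52.215: NAT: s=192.168.xxx.140->63.225.xxx.140, d=64.200.120.242 [31923]
*Mar 1 03:17:52.219: IP: s=63.225.xxx.140 (Ethernet1/0), d=64.200.120.242 (FastEthernet0/1), g=63.225.xxx.142, len 60, forward
"""

# Line shapes as they appear in the captures above (assumed stable for this IOS release).
NAT_OUT = re.compile(r"NAT\*?: s=(\S+)->(\S+), d=(\S+) \[(\d+)\]")          # inside -> global
NAT_IN = re.compile(r"NAT\*?: s=(\S+), d=(\S+)->(\S+) \[(\d+)\]")           # global -> inside
NAT_FAIL = re.compile(r"NAT: translation failed \((\w+)\), dropping packet s=(\S+) d=(\S+)")
IP_FWD = re.compile(r"IP: s=(\S+) \((\S+)\), d=(\S+) \((\S+)\), (?:g=\S+, )?len \d+, forward")

def analyze(debug_text):
    """Return {peer: {inside, global, in_if, out_if, failed}} built from the debug lines."""
    flows = defaultdict(lambda: {"inside": None, "global": None, "in_if": None, "out_if": None, "failed": []})
    for line in debug_text.splitlines():
        if m := NAT_IN.search(line):                      # inbound packet hit a static/overload entry
            peer, glob, inside, _ = m.groups()
            flows[peer].update(inside=inside, **{"global": glob})
        elif m := NAT_OUT.search(line):                   # outbound packet was translated
            inside, glob, peer, _ = m.groups()
            flows[peer].update(inside=inside, **{"global": glob})
        elif m := NAT_FAIL.search(line):                  # the drop the thread is chasing
            code, _glob, peer = m.groups()
            flows[peer]["failed"].append(code)
        elif m := IP_FWD.search(line):                    # forwarding decision: note the interfaces
            src, in_if, dst, out_if = m.groups()
            if src in flows:                              # packet from the peer: arrival interface
                flows[src]["in_if"] = in_if
            elif dst in flows:                            # reply to the peer: exit interface
                flows[dst]["out_if"] = out_if
    return dict(flows)

def asymmetric_peers(flows):
    """Peers whose reply left on a different outside interface than the request came in on."""
    return sorted(p for p, f in flows.items() if f["in_if"] and f["out_if"] and f["in_if"] != f["out_if"])

def failed_peers(flows):
    """Peers that had at least one 'translation failed' drop, with the failure codes seen."""
    return {p: f["failed"] for p, f in flows.items() if f["failed"]}
```

Feed it the full capture (`analyze(open("nat.log").read())`) and compare `failed_peers` against `asymmetric_peers`: a peer that appears in both is the two-ISP return-path problem the later replies address with `match interface`.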
05-22-2004 11:19 PM
Can you post the log for the failed instance?
05-22-2004 11:47 PM
I posted three chunks in the last batch as the forum only allows 4000 characters. Pretty low limit for posting configs or debugs.
The second or third chunk showed a failed instance.
05-23-2004 07:55 AM
Don't worry, you are really close to cracking it.
Put a "match interface FastEthernet0/0" on the route-map "ISP1", reenable CEF and you are there.
Like this.
route-map ISP1 permit 10
match interface FastEthernet0/0
match ip address 120
!
route-map ISP2 permit 10
match interface FastEthernet0/1
match ip address 110
!
Tell me, how many default routes do you have when running a "sh ip route"? 2 hopefully.
05-23-2004 08:22 AM
I will give this a try, but what will the match interface FastEthernet do as the policy is applied on Ethernet1/0? I would think it will never match.
I have a dynamically learned default out fa0/0. You are saying I should add a static default out fa0/1 as well?
05-23-2004 11:09 AM
The "match inter..." is to tell the router that packets traveling out FastEthernet0/0 need to be NAT'ed to the IP address of FastEthernet0/0, and packets traveling out FastEthernet0/1 need to be NAT'ed to the IP address of FastEthernet0/0. As it is now, you are NAT'ing everything on the same interface, meaning that returning packets will all go through the same line. You have only seen traffic on one line at a time, correct?
You also need two default routes in order to make the load-sharing (per-destination) work.
Try putting this in, and let me know how it works.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 63.225.xxx.14X 254
!
route-map ISP1 permit 10
match interface FastEthernet0/0
match ip address 110
!
route-map ISP2 permit 10
match interface FastEthernet0/1
match ip address 110
The default route learned by DHCP has an administrative distance of 254, right? E.g. S* 0.0.0.0/0 [254/0] via *.*.*.*.
That is why you put the 254 at the end of the default route out FastEthernet0/1. This way you should see 2 default routes when doing a "sh ip route 0.0.0.0".
Remember "ip cef" in global and "ip route-cache cef" on both interfaces.
Good luck.