01-27-2008 02:31 PM - edited 03-03-2019 08:26 PM
Hi,
I've got a problem dealing with Cisco-NAT.
I've a device which is reachable on the IP 169.254.1.1, with no route set. For some reason I can't change this setting nor set a route.
I've tried to set up a Cisco 831 with source- and destination-NAT, so the SA gets translated to the 169.254.1.1xx pool and the DA to 169.254.1.1.
The WAN Net of the Cisco is 212.202.254.225/28.
The Cisco is configured as follows:
interface Ethernet0
description "LAN"
ip address 169.254.1.254 255.255.0.0
ip nat inside
!
interface Ethernet1
description "WAN"
ip address 212.202.254.226 255.255.255.240
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 212.202.254.225
!
ip nat pool apipa-pool 169.254.1.100 169.254.1.199 netmask 255.255.0.0
ip nat inside source static 169.254.1.1 212.202.254.227
ip nat outside source list 1 pool apipa-pool
!
access-list 1 permit 195.90.0.0 0.0.255.255
access-list 1 remark "The Network where the clients reside"
When I now start telnet on my Host 195.90.0.241, it just hangs:
xxx@host:~> telnet 212.202.254.227
Trying 212.202.254.227...
On the 169.254.1.1 target device, the debugging looks like the following lines:
01/23/2008-15:04:02:IP-FILTER: I:PROTO 6 (TCP) pkt from 169.254.1.100/1993
01/23/2008-15:04:02:IP-FILTER: to 169.254.1.1/23 accepted, SYN Flag
01/23/2008-15:04:02:IP-FILTER: O:PROTO 6 (TCP) pkt from 169.254.1.1/23
01/23/2008-15:04:02:IP-FILTER: to 169.254.1.100/1993 accepted, SYN/ACK Fls
So the packets are sent correctly and get answered.
Debugging on the Cisco 831 looks like this:
fritz#debug ip nat detailed
IP NAT detailed debugging is on
fritz#debug ip packet detail
IP packet debugging is on (detailed)
*Mar 1 11:21:32.019: NAT*: o: tcp (195.90.0.241, 1993) -> (212.202.254.227, 23) [4363]
*Mar 1 11:21:32.019: NAT*: o: tcp (195.90.0.241, 1993) -> (212.202.254.227, 23) [4363]
*Mar 1 11:21:32.019: NAT*: s=195.90.0.241->169.254.1.100, d=212.202.254.227 [4363] <===== OK!
*Mar 1 11:21:32.019: NAT*: s=169.254.1.100, d=212.202.254.227->169.254.1.1 [4363] <===== OK!
*Mar 1 11:21:32.019: NAT: installing alias for address 169.254.1.100
*Mar 1 11:21:32.027: IP: tableid=0, s=169.254.1.1 (Ethernet0), d=169.254.1.100 (Ethernet0), routed via RIB
*Mar 1 11:21:32.031: IP: s=169.254.1.1 (Ethernet0), d=169.254.1.100 (Ethernet0), len 44, rcvd 3
*Mar 1 11:21:32.031: TCP src=23, dst=1993, seq=1298156341, ack=1465516680, win=4096 ACK SYN
*Mar 1 11:21:32.031: IP: tableid=0, s=169.254.1.100 (local), d=169.254.1.1 (Ethernet0), routed via FIB
*Mar 1 11:21:32.035: IP: s=169.254.1.100 (local), d=169.254.1.1 (Ethernet0), len 40, sending
*Mar 1 11:21:32.035: TCP src=1993, dst=23, seq=1465516680, ack=0, win=0 RST
NAT Table:
fritz#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                169.254.1.100      195.90.0.241
--- 212.202.254.227    169.254.1.1        ---                ---
I don't know what's wrong. It looks like the answers are not noticed at all on the Cisco router, and don't get routed or NATted. Why not?
IOS is c831-k9o3sy6-mz.124-18.bin.
Any help is greatly appreciated.
Regards,
Jens
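An added example, not part of the original post: a small Python parser that pairs the IP: and TCP lines of the "debug ip packet detail" output above and reports any SYN/ACK that is immediately answered by a RST whose source interface is "(local)", i.e. a RST generated by the router itself. The regular expressions assume the line format shown in the post; the function names are hypothetical.

```python
import re

# Lines copied from the 'debug ip packet detail' output in the post above.
DEBUG = """\
*Mar 1 11:21:32.027: IP: tableid=0, s=169.254.1.1 (Ethernet0), d=169.254.1.100 (Ethernet0), routed via RIB
*Mar 1 11:21:32.031: IP: s=169.254.1.1 (Ethernet0), d=169.254.1.100 (Ethernet0), len 44, rcvd 3
*Mar 1 11:21:32.031: TCP src=23, dst=1993, seq=1298156341, ack=1465516680, win=4096 ACK SYN
*Mar 1 11:21:32.031: IP: tableid=0, s=169.254.1.100 (local), d=169.254.1.1 (Ethernet0), routed via FIB
*Mar 1 11:21:32.035: IP: s=169.254.1.100 (local), d=169.254.1.1 (Ethernet0), len 40, sending
*Mar 1 11:21:32.035: TCP src=1993, dst=23, seq=1465516680, ack=0, win=0 RST
"""

IP_RE = re.compile(r"IP: (?:tableid=\d+, )?s=(\S+) \(([^)]+)\), d=(\S+) \(([^)]+)\), (.*)$")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+), seq=(\d+), ack=(\d+), win=\d+ (.*)$")

def parse_segments(text):
    """Attach each 'TCP ...' detail line to the IP line directly before it."""
    segments, last_ip = [], None
    for line in text.splitlines():
        ip = IP_RE.search(line)
        if ip:
            last_ip = dict(src=ip[1], src_if=ip[2], dst=ip[3], dst_if=ip[4], action=ip[5])
            continue
        tcp = TCP_RE.search(line)
        if tcp and last_ip:
            segments.append({**last_ip, "sport": int(tcp[1]), "dport": int(tcp[2]),
                             "seq": int(tcp[3]), "ack": int(tcp[4]),
                             "flags": set(tcp[5].split())})
            last_ip = None
    return segments

def local_resets(segments):
    """Return (reset_source, reset_target) for SYN/ACKs the router reset itself."""
    hits = []
    for prev, cur in zip(segments, segments[1:]):
        if ({"SYN", "ACK"} <= prev["flags"] and "RST" in cur["flags"]
                and cur["src_if"] == "local"                 # generated by the router
                and (cur["src"], cur["sport"]) == (prev["dst"], prev["dport"])
                and (cur["dst"], cur["dport"]) == (prev["src"], prev["sport"])
                and cur["seq"] == prev["ack"]):              # RST answers that SYN/ACK
            hits.append((cur["src"], cur["dst"]))
    return hits

if __name__ == "__main__":
    for src, dst in local_resets(parse_segments(DEBUG)):
        print(f"router sent RST as {src} to {dst} in reply to a SYN/ACK")
```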
01-27-2008 04:08 PM
What do you mean by "no route set" on device 169.254.1.1?
Do you mean you are unable to set a default gateway to 169.254.1.254? Because you need to in order for this device to know that to get to the internet, packets must go to 169.254.1.254.
What you are experiencing is a network with Windows machines and no DHCP available. When a machine boots up and DHCP is unavailable, it automatically addresses itself in the 169.254.0.0/16 subnet.
You need to create a DHCP server on that LAN and change the IP address on the router's LAN interface.
If it's a small LAN, go with a class C address such as 192.168.1.0/24. On the router LAN interface, assign 192.168.1.254/24 and create a DHCP scope for that subnet. Make sure the default gateway on that scope is set to 192.168.1.254.
Change the NAT pool on the router and then you should be able to connect to the internet, it's that simple.
HTH,
__
Edison.
01-28-2008 02:19 AM
I can't change the IP on that device and I can't add a route or a default gateway on that device.
It is NOT a Windows PC. I know that a Windows PC uses APIPA addresses too when no DHCP is available, but that's not the point here.
01-28-2008 06:45 AM
The point is, you don't get routed nor natted from the host.
The host does not have a default gateway.
You are unable to set a default gateway because the IP addressing scheme used does not allow you to do that.
Did you force the IP address on those devices or were they automatically self-assigned? I'm assuming it's self-assigned due to the inability to set a default gateway.
If you are unable to set the default gateway, how is the host supposed to know to use your router as the exit point of your network?
Makes sense?
__
Edison.
01-28-2008 06:53 AM
Did you really read my first message?
The Cisco has an IP pool in the same 169.254.x.x subnet and should renumber the SA to this pool, so no gateway is needed.