IP NAT OUTSIDE issue

Hello Fellow Engineers,

Greetings!

I am having a really weird issue here; I may be missing something in the middle. R2 can ping the whole topology, but no one can ping R2 or its loopback. The topology is down below:-

I have static NAT on R1 from Loopback1 to the outgoing interface Gig1/0, which is 1.1.1.1/30.

on R1:-

ip nat inside source static 192.168.1.1 interface GigabitEthernet1/0

ip route 0.0.0.0 0.0.0.0 1.1.1.2

On R2 there is no NAT:-

ip route 0.0.0.0 0.0.0.0 172.68.16.2

On the NAT router, there is NAT as per below:-

ip nat inside source static 1.1.1.1 interface GigabitEthernet2/0
ip nat outside source static 172.68.16.1 99.99.99.99 >>>> I chose any IP as an example; when I chose 1.1.1.2, for example, it never works.

ip route 99.99.99.99 255.255.255.255 172.68.16.1  >>>> Route for OUTSIDE LOCAL NAT
ip route 192.168.1.1 255.255.255.255 1.1.1.1      >>>> Loopback of R1
ip route 192.168.2.1 255.255.255.255 172.68.16.1  >>>> Loopback of R2

Surprisingly, when R1 pings 99.99.99.99 it works as expected, but I am not sure why the other pings are dropping. Below are the errors and debugs.

NAT#show ip nat translations
Pro   Inside global    Inside local    Outside local    Outside global
---   ---              ---             99.99.99.99      172.68.16.1
icmp  172.68.16.2:3    1.1.1.1:3       99.99.99.99:3    172.68.16.1:3
---   172.68.16.2      1.1.1.1         ---              ---

R1#ping 99.99.99.99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 99.99.99.99, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/44 ms

Errors:-

R1#ping 172.68.16.1 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 172.68.16.1, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)

Debugging on R2 (it is the same if I use Loopback1 as the source, as there is a NAT rule):

R2#
*Sep 16 07:19:16.683: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 100, input feature, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 16 07:19:16.687: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 100, rcvd 2
*Sep 16 07:19:16.691: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 100, stop process pak for forus packet
*Sep 16 07:19:16.695: IP: tableid=0, s=172.68.16.1 (local), d=172.68.16.2 (GigabitEthernet2/0), routed via FIB
*Sep 16 07:19:16.695: IP: s=172.68.16.1 (local), d=172.68.16.2 (GigabitEthernet2/0), len 100, sending
*Sep 16 07:19:16.695: IP: s=172.68.16.1 (local), d=172.68.16.2 (GigabitEthernet2/0), len 100, sending full packet
*Sep 16 07:19:16.735: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 56, input feature, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 16 07:19:16.735: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 56, rcvd 2
*Sep 16 07:19:16.735: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 56, stop process pak for forus packet

Best Regards,
Dawoud
CCNP NSE4 CEH
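To trace what the NAT router does to each ping in the post, here is an added Python model (example code written for this page, not from the thread or from any Cisco source) that applies the two static translations from the NAT router's configuration in both directions: inside-to-outside rewrites the source with the inside mapping and the destination with the outside mapping, and outside-to-inside does the reverse. It assumes the inside global address is 172.68.16.2, as the translation table above shows, ignores ports and dynamic per-flow entries, and models R2 and R1 as simply swapping the source and destination they saw in order to reply. It also goes one step beyond the post by modelling a ping in the other direction (R2 towards 172.68.16.2), so the two directions can be compared.

```python
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Static mappings taken from the NAT router config in the post. This is a
# simplified model (hypothetical): ports and dynamic per-flow entries are ignored.
#   ip nat inside source static 1.1.1.1 interface GigabitEthernet2/0
#     -> inside local 1.1.1.1 <-> inside global 172.68.16.2 (Gi2/0 address,
#        taken from the "show ip nat translations" output in the post)
#   ip nat outside source static 172.68.16.1 99.99.99.99
#     -> outside global 172.68.16.1 <-> outside local 99.99.99.99
INSIDE_LOCAL_TO_GLOBAL = {"1.1.1.1": "172.68.16.2"}
OUTSIDE_GLOBAL_TO_LOCAL = {"172.68.16.1": "99.99.99.99"}
INSIDE_GLOBAL_TO_LOCAL = {g: l for l, g in INSIDE_LOCAL_TO_GLOBAL.items()}
OUTSIDE_LOCAL_TO_GLOBAL = {l: g for g, l in OUTSIDE_GLOBAL_TO_LOCAL.items()}


def inside_to_outside(pkt: Packet) -> Packet:
    """Packet leaving the inside interface towards R2.
    Source: inside local -> inside global; destination: outside local -> outside global."""
    return Packet(
        src=INSIDE_LOCAL_TO_GLOBAL.get(pkt.src, pkt.src),
        dst=OUTSIDE_LOCAL_TO_GLOBAL.get(pkt.dst, pkt.dst),
    )


def outside_to_inside(pkt: Packet) -> Packet:
    """Packet arriving on the outside interface from R2.
    Source: outside global -> outside local; destination: inside global -> inside local."""
    return Packet(
        src=OUTSIDE_GLOBAL_TO_LOCAL.get(pkt.src, pkt.src),
        dst=INSIDE_GLOBAL_TO_LOCAL.get(pkt.dst, pkt.dst),
    )


Translate = Callable[[Packet], Packet]


def round_trip(request: Packet, forward: Translate, back: Translate) -> Tuple[Packet, Packet, bool]:
    """Push a request through NAT, let the far end reply by swapping the addresses
    it saw, and bring the reply back through NAT. Returns the request as seen by
    the far end, the reply as seen by the sender, and whether that reply matches
    the request the sender issued (comes from the address it pinged, addressed to it)."""
    seen_by_peer = forward(request)
    reply = back(Packet(src=seen_by_peer.dst, dst=seen_by_peer.src))
    matches = reply.src == request.dst and reply.dst == request.src
    return seen_by_peer, reply, matches


def ping_from_r1(dst: str) -> Tuple[Packet, Packet, bool]:
    """R1 pings dst sourced from its Gi1/0 address 1.1.1.1 (inside side of the NAT router)."""
    return round_trip(Packet("1.1.1.1", dst), inside_to_outside, outside_to_inside)


def ping_from_r2(dst: str) -> Tuple[Packet, Packet, bool]:
    """R2 pings dst sourced from its Gi2/0 address 172.68.16.1 (outside side)."""
    return round_trip(Packet("172.68.16.1", dst), outside_to_inside, inside_to_outside)


if __name__ == "__main__":
    cases = [
        ("R1 -> 99.99.99.99", ping_from_r1("99.99.99.99")),
        ("R1 -> 172.68.16.1", ping_from_r1("172.68.16.1")),
        ("R2 -> 172.68.16.2", ping_from_r2("172.68.16.2")),
    ]
    for label, (seen, reply, ok) in cases:
        verdict = "matches request" if ok else "reply source differs from pinged address"
        print(f"{label}: peer sees {seen.src} -> {seen.dst}; "
              f"reply arrives as {reply.src} -> {reply.dst}; {verdict}")
```

Under these assumptions the request R1 sends to 172.68.16.1 reaches R2 as 172.68.16.2 -> 172.68.16.1, which is what the R2 debug output shows, but R2's reply passes back through the outside static mapping and arrives at R1 with source 99.99.99.99, an address R1 did not ping. The ping to 99.99.99.99 and the ping from R2 towards 172.68.16.2 both round-trip with consistent addresses, because in those cases the outside mapping is applied on both legs.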

Asemmoqbel
Level 1

Hello, Dawoud

From R1, you can only ping the NATted IP 99.99.99.99, but you will not be able to ping the real IP 172.68.16.1, and that's how NAT works.

Unless you remove the NAT rule, you will be able to ping 172.68.16.1.

Hi,

Thanks for your feedback.

But then how am I able to ping all of R1's IPs from R2 if this is the case?

Please tell me the detailed technical reason why this is happening. I am thinking the return traffic should trigger the NAT; however, I want to know what the use of the outside NAT command is.

I appreciate your feedback in advance.

Best Regards,
Dawoud
CCNP NSE4 CEH

I did a quick lab setup and I can ping both IPs on R2 fine, which is what I expected.

What I didn't do is set up the NAT for the loopback on R1, because in your example you are not using it.

Jon

Hi Jon,

It was actually to impersonate a real site with the LAN loopback, so it had to have NAT using the outgoing interface. So what does this have to do with it?

Best Regards,
Dawoud
CCNP NSE4 CEH

The point I was making was that in your example, from R1 you just ping R2's IPs, so R1 will just use the interface IP.

If you want to use the loopback IP, then from R1 you need to do an extended ping using the loopback interface IP as the source IP.

But I thought the issue was that you couldn't ping both IPs on R2, whereas I can, and would expect to be able to as long as there are routes to both IPs, and there are.

Jon