IP NAT OUTSIDE

Hello Fellow Engineers,

 

Greetings,

I have a problem with the attached topology: neither R1 nor NAT can reach loopback1 of R2 or its physical interface; however, R1 can reach the OUTSIDE LOCAL address 99.99.99.99.

Please check the configuration below:-

 

R1:-

ip nat inside source static 192.168.1.1 interface GigabitEthernet1/0

ip route 0.0.0.0 0.0.0.0 1.1.1.2

 

R2 there is no NAT:-

ip route 0.0.0.0 0.0.0.0 172.68.16.2

 

NAT router:-

ip nat inside source static 1.1.1.1 interface GigabitEthernet2/0
ip nat outside source static 172.68.16.1 99.99.99.99

 

ip route 99.99.99.99 255.255.255.255 172.68.16.1
ip route 192.168.1.1 255.255.255.255 1.1.1.1
ip route 192.168.2.1 255.255.255.255 172.68.16.1

 

Errors and debugs:-

================

R1#ping 172.68.16.1 so 192.168.1.1 rep 1 (Same output on R2 when pinging without source)
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 172.68.16.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.
Success rate is 0 percent (0/1)

R2#
*Sep 16 08:09:46.011: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 100, input feature, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 16 08:09:46.015: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 100, rcvd 2
*Sep 16 08:09:46.019: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 100, stop process pak for forus packet
*Sep 16 08:09:46.023: IP: tableid=0, s=172.68.16.1 (local), d=172.68.16.2 (GigabitEthernet2/0), routed via FIB
*Sep 16 08:09:46.023: IP: s=172.68.16.1 (local), d=172.68.16.2 (GigabitEthernet2/0), len 100, sending
*Sep 16 08:09:46.023: IP: s=172.68.16.1 (local), d=172.68.16.2
R2# (GigabitEthernet2/0), len 100, sending full packet
*Sep 16 08:09:46.071: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 56, input feature, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 16 08:09:46.071: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 56, rcvd 2
*Sep 16 08:09:46.071: IP: s=172.68.16.2 (GigabitEthernet2/0), d=172.68.16.1, len 56, stop process pak for forus packet

Best Regards,
Dawoud
CCNP NSE4 CEH

Giuseppe Larosa
Hall of Fame

Hello @MahmoudDawoud0323 ,

On the NAT router that is in the middle of the path, have you configured the INSIDE interface to R1 with

ip nat inside at interface level

and have you configured the OUTSIDE interface to R2 on NAT router with

ip nat outside

at interface level?

 

This is required to trigger NAT action.

You can use

show ip nat translations

 

to monitor NAT operations.

There are also some specific NAT-related debug commands like

debug ip nat

 

Hope to help

Giuseppe

 

Hi Giuseppe,

 

Yeah, NAT is working, but only for 99.99.99.99.

NAT#show run int gig1/0
Building configuration...

Current configuration : 105 bytes
!
interface GigabitEthernet1/0
ip address 1.1.1.2 255.255.255.252
ip nat inside
negotiation auto
end

NAT#show run int gig2/0
Building configuration...

Current configuration : 108 bytes
!
interface GigabitEthernet2/0
ip address 172.68.16.2 255.255.255.0
ip nat outside
negotiation auto
end

 

After pinging 99.99.99.99 from R1, I can see the translation going:-

 

NAT#show ip nat translations
Pro  Inside global   Inside local   Outside local   Outside global
---  ---             ---            99.99.99.99     172.68.16.1
icmp 172.68.16.2:9   1.1.1.1:9      99.99.99.99:9   172.68.16.1:9
---  172.68.16.2     1.1.1.1        ---             ---
NAT#

 

I appreciate your feedback in advance.

Best Regards,
Dawoud
CCNP NSE4 CEH

What's really weird is, as you can see from the debugs above and also from the debugs below, there is a reply back and a translation back, look:-

 

R1#ping 172.68.16.1 so 192.168.1.1 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 172.68.16.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.
Success rate is 0 percent (0/1)
NAT#

*Sep 16 08:41:39.655: NAT: Entry assigned id 17
*Sep 16 08:41:39.655: NAT*: s=1.1.1.1->172.68.16.2, d=172.68.16.1 [27]
*Sep 16 08:41:39.675: NAT*: s=172.68.16.1, d=172.68.16.2->1.1.1.1 [27]
*Sep 16 08:41:39.703: NAT: s=1.1.1.1->172.68.16.2, d=172.68.16.1 [59]

Best Regards,
Dawoud
CCNP NSE4 CEH

@Giuseppe Larosa, I think I found the root cause of the issue, but there is still a problem.

 

I found an ACL that denies all IPs except 99.99.99.99, so this means the NAT translation from OUTSIDE to INSIDE is not happening when I ping the loopback or the physical interface. Below are the logs for your reference:-

 

R1#show run int gig1/0
Building configuration...

Current configuration : 138 bytes
!
interface GigabitEthernet1/0
ip address 1.1.1.1 255.255.255.252
ip access-group PROTECT-LAN in
ip nat outside
negotiation auto
end

 

Extended IP access list PROTECT-LAN
10 permit icmp 1.1.1.0 0.0.0.255 any (12 matches)
20 permit icmp host 99.99.99.99 any (42 matches)   >>>> it should be hitting here, but it hits sequence 30 instead, not sure why
30 deny icmp any any (22 matches)
40 permit ip any any

 

After removing the ACL, the ping works, but still, why is the source IP not 99.99.99.99?

look:-

R1#ping 172.68.16.1 so 192.168.1.1 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 172.68.16.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 40/40/40 ms

NAT#
*Sep 16 08:49:21.139: NAT: Entry assigned id 19
*Sep 16 08:49:21.139: NAT*: s=1.1.1.1->172.68.16.2, d=172.68.16.1 [29]
*Sep 16 08:49:21.163: NAT*: s=172.68.16.1, d=172.68.16.2->1.1.1.1 [29]  >>>> Shouldn't we expect the source to be translated to the OUTSIDE LOCAL address 99.99.99.99 as per this command:- ip nat outside source static 172.68.16.1 99.99.99.99

 

It is only when I ping 99.99.99.99 that the correct translation happens, as per below:-

 

R1#ping 99.99.99.99 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 99.99.99.99, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 16/16/16 ms

 

NAT#
*Sep 16 08:51:08.835: NAT: Entry assigned id 21
*Sep 16 08:51:08.835: NAT*: s=1.1.1.1->172.68.16.2, d=99.99.99.99 [35]
*Sep 16 08:51:08.835: NAT*: s=172.68.16.2, d=99.99.99.99->172.68.16.1 [35]
*Sep 16 08:51:08.843: NAT*: s=172.68.16.1->99.99.99.99, d=172.68.16.2 [35]
*Sep 16 08:51:08.843: NAT*: s=99.99.99.99, d=172.68.16.2->1.1.1.1 [35]

 

Can you tell me what I am missing? Maybe I must use 99.99.99.99 only? But as a matter of logic it should work with the loopback or the physical interface.

 

I appreciate your feedback in advance.

Best Regards,
Dawoud
CCNP NSE4 CEH

Hello @MahmoudDawoud0323 ,

Good news that you have found a solution to some of your issues.

ACL PROTECT-LAN was creating issues because there is an order of operations on received packets, and likely the input ACL on the interface is processed before NAT is performed.

See the following document:

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html?dtid=osscdc000283

 

And this is the explanation of this part.

For the second part, 99.99.99.99 is actually part of a NAT static command; when you ping a different address this does not happen.

 

ping 172.68.16.1 so 192.168.1.1 rep 1

 

This triggers NAT on the source address, which is translated to 1.1.1.1 directly on R1, but the destination address 172.68.16.1 does not trigger NAT on the router called NAT.

You are arriving from INSIDE and you ping the OUTSIDE interface of the router called NAT.

 

Hope to help

Giuseppe
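
As an added illustration (not part of this thread or Cisco's documentation), the following Python models first-match evaluation of the PROTECT-LAN ACL against the two echo replies seen in the debugs above. It assumes, as the reply above describes, that the inbound ACL on R1 gig1/0 sees the packet before outside-to-inside NAT, so the ACL is matched on the source address exactly as the NAT router delivered it:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "icmp" or "ip" (ip matches any protocol)
    src: str      # Cisco form: "net wildcard", "host a.b.c.d" or "any"
    dst: str


def _match_addr(spec, addr):
    """Match a Cisco ACL address spec (wildcard-mask form) against one address."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec.split()[1]) == ipaddress.ip_address(addr)
    net, wildcard = spec.split()
    # Wildcard bit 1 = "don't care", 0 = "must match"; invert it to get a mask.
    mask = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.ip_address(net)) & mask) == (int(ipaddress.ip_address(addr)) & mask)


def evaluate(acl, proto, src, dst):
    """First-match evaluation; the implicit deny at the end is reported as seq 0."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if _match_addr(ace.src, src) and _match_addr(ace.dst, dst):
            return ace.seq, ace.action
    return 0, "deny"


# The PROTECT-LAN ACL from the thread, applied inbound on R1 gig1/0 (ip nat outside).
PROTECT_LAN = [
    Ace(10, "permit", "icmp", "1.1.1.0 0.0.0.255", "any"),
    Ace(20, "permit", "icmp", "host 99.99.99.99", "any"),
    Ace(30, "deny",   "icmp", "any", "any"),
    Ace(40, "permit", "ip",   "any", "any"),
]


def classify_echo_reply(reply_src):
    """Echo reply entering R1 gig1/0; the inbound ACL sees the pre-NAT destination 1.1.1.1.
    Assumption for this example: ACL is checked before outside-to-inside NAT on R1."""
    return evaluate(PROTECT_LAN, "icmp", reply_src, "1.1.1.1")


if __name__ == "__main__":
    # Ping to 172.68.16.1: the NAT router left the reply source untranslated, so seq 30 denies it.
    print(classify_echo_reply("172.68.16.1"))   # (30, 'deny')
    # Ping to 99.99.99.99: the reply source was translated to the outside local, so seq 20 permits it.
    print(classify_echo_reply("99.99.99.99"))   # (20, 'permit')
```

This reproduces the hit counters in the thread: with the source left as 172.68.16.1, sequence 20 cannot match and the echo reply falls through to sequence 30.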

 

Hi,

 

I thought the return ICMP echo reply should trigger the NAT; I thought the initiation was important too.

 

So basically, do you have any practical uses of the IP NAT OUTSIDE command? And if you have, please share them with me with an example or content/URL.

 

Thanks a ton for the time and care.

 

Best Regards,
Dawoud
CCNP NSE4 CEH