03-16-2012 06:56 AM - edited 03-04-2019 03:41 PM
Hi,
I've configured a Cisco 3725 w/ IOS 12.(4)21a to implement NAT for locally originated packets going out towards a specific IP destination.
Basically I configured ip nat outside on the egress i/f (serial 0/0.100):
interface Serial0/0.100 point-point
ip address 172.16.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
!
and ip nat inside source list TO-DST interface serial 0/0.100 in global configuration mode:
ip access-list extended TO-DST
permit ip host 10.10.10.1 host 172.16.10.3
!
ip nat inside source list TO-DST interface Serial0/0.100 overload
!
The C3725 has an entry for 172.16.10.3 in IP RIB and pinging from this router to dst is ok. Now a question arises.....
How can the router perform NAT if the ip nat inside command is not configured on any interface?
Thanks
03-16-2012 07:14 AM
Once you have NAT outside defined, all other interfaces are treated as inside for NAT translation.
Thanks.
03-16-2012 07:25 AM
But....is this a default behaviour? And why then configure ip nat inside (on the inside router interface) in an enterprise scenario to perform NAT for inside hosts?
03-16-2012 07:43 AM
Not sure. But you have designated a boundary: an outside interface. And you do have an ip nat inside statement configured on the router.
Thanks.
03-16-2012 08:11 AM
.....just to better understand...In my scenario I have an outside interface (serial0/0.100 configured with ip nat outside) but I have not configured any inside interface (no interface has ip nat inside configured).
How can NAT work? Is it a specific condition in which packets (ping) are locally originated by the router itself?
Thanks in advance
03-16-2012 08:17 AM
Hi Carlo,
I think that you can solve that, tricking the router
int lo0
ip add 1.1.1.1 255.255.255.255
ip nat inside
!
route-map NAT-NH-LOOP
match
set ip next-hop 1.1.1.1
!
ip local policy route-map NAT-NH-LOOP
Regards
Dan
03-16-2012 08:38 AM
Yes, I know this trick (the locally originated (ping) packet re-enters from loopback0 where ip nat inside is configured...)....but I do not understand why it works without ip nat inside on any interface...
03-16-2012 08:43 AM
I do not believe that NAT is performed.
First, do you have any other NAT configured?
Can you post:
debug ip nat
debug ip icmp
ping 172.16.10.3
unde all
Dan
03-16-2012 10:07 AM
R1#sh run int lo101
Building configuration...
Current configuration : 86 bytes
!
interface Loopback101
ip address 10.10.10.1 255.255.255.255
ip ospf 1 area 0
end
!
R1#sh run int s0/0.100
Building configuration...
Current configuration : 198 bytes
!
interface Serial0/0.100 point-to-point
ip address 172.16.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
ip ospf 1 area 0
snmp trap link-status
frame-relay interface-dlci 102
end
R1#sh runn | b access-list
ip access-list extended TO-DST
permit ip host 10.10.10.1 host 172.16.10.3
!
R1#sh run | in nat inside
ip nat inside source list TO-DST interface Serial0/0.100 overload
R1#
!
R1#
R1#debu ip nat
IP NAT debugging is on
R1#debu ip icmp
ICMP packet debugging is on
R1#
R1#
R1#
R1#sh deb
Generic IP:
ICMP packet debugging is on
IP NAT debugging is on
R1#
R1#ping 172.16.10.3 source loopback 101 r 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 172.16.10.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 108/122/136 ms
R1#
*Mar 1 00:11:09.623: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [16]
*Mar 1 00:11:09.751: NAT*: s=172.16.10.3, d=172.16.1.1->10.10.10.1 [16]
*Mar 1 00:11:09.755: ICMP: echo reply rcvd, src 172.16.10.3, dst 10.10.10.1
*Mar 1 00:11:09.759: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [17]
*Mar 1 00:11:09.863: NAT*: s=172.16.10.3, d=172.16.1.1->10.10.10.1 [17]
*Mar 1 00:11:09.867: ICMP: echo reply rcvd, src 172.16.10.3, dst 10.10.10.1
R1#
R1#u all
All possible debugging has been turned off
R1#
Any help is appreciated..
03-16-2012 10:19 AM
To my knowledge this is not expected! Are you using real hardware? What IOS/HW are you using on this one?
Regards
Dan
03-17-2012 01:33 PM
Same behaviour (w/o any ip nat inside) on 'real' C7200
7200-RR1#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.2(33)SRE3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 25-Jan-11 08:35 by prod_rel_team
ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1)
7200-RR1 uptime is 7 weeks, 5 days, 11 hours, 15 minutes
System returned to ROM by power-on
System restarted at 10:10:16 MET Mon Jan 23 2012
System image file is "disk2:c7200-adventerprisek9-mz.122-33.SRE3.bin"
Last reload type: Normal Reload
This time the ping source address is 172.16.217.230 (loop0) with destination 172.16.217.15:
7200-RR1#debu ip nat
IP NAT debugging is on
7200-RR1#debu ip icmp
ICMP packet debugging is on
7200-RR1#
7200-RR1#
7200-RR1#sh deb
Generic IP:
ICMP packet debugging is on
IP NAT debugging is on
7200-RR1#
7200-RR1#ping 172.16.217.15 source loopback 0 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 172.16.217.15, timeout is 2 seconds:
Packet sent with a source address of 172.16.217.230
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 28/28/28 ms
7200-RR1#
Mar 17 21:30:23.451 MET: NAT: ICMP id=8->1024
Mar 17 21:30:23.451 MET: NAT: s=172.16.217.230->172.16.203.230, d=172.16.217.15 [37]
Mar 17 21:30:23.479 MET: NAT*: ICMP id=1024->8
Mar 17 21:30:23.479 MET: NAT*: s=172.16.217.15, d=172.16.203.230->172.16.217.230 [37]
Mar 17 21:30:23.479 MET: ICMP: echo reply rcvd, src 172.16.217.15, dst 172.16.217.230, topology BASE, dscp 0 topoid 0
Mar 17 21:30:23.479 MET: NAT: ICMP id=8->1024
Mar 17 21:30:23.479 MET: NAT: s=172.16.217.230->172.16.203.230, d=172.16.217.15 [38]
Mar 17 21:30:23.507 MET: NAT*: ICMP id=1024->8
Mar 17 21:30:23.507 MET: NAT*: s=172.16.217.15, d=172.16.203.230->172.16.217.230 [38]
Mar 17 21:30:23.507 MET: ICMP: echo reply rcvd, src 172.16.217.15, dst 172.16.217.230, topology BASE, dscp 0 topoid 0
7200-RR1#
Any idea? Carlo.
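A small checker for the two debug captures above, added here and not part of the thread: it parses the address lines of `debug ip nat` output, pairs each outbound rewrite with its reply, and verifies that the reply undoes exactly the outbound translation. The sample is constructed in the style of the captures; pairing by the bracketed IP id is an assumption that holds for the captures in this thread, where request and reply carry the same value.

```python
import re

# Constructed sample in the style of the thread's captures; the last pair is a
# deliberate mismatch (reply un-translated to the wrong inside address).
SAMPLE = """\
*Mar 1 00:11:09.623: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [16]
*Mar 1 00:11:09.751: NAT*: s=172.16.10.3, d=172.16.1.1->10.10.10.1 [16]
*Mar 1 00:11:10.001: NAT: s=10.10.10.1->172.16.1.1, d=172.16.10.3 [18]
*Mar 1 00:11:10.100: NAT*: s=172.16.10.3, d=172.16.1.1->10.10.10.9 [18]
"""

# "NAT:" is the process-switched path, "NAT*:" the fast path; "a->b" marks the
# field that was rewritten. ICMP id lines carry no addresses and are skipped.
ADDR = re.compile(
    r"NAT(?P<fast>\*)?: s=(?P<s>[\d.]+)(?:->(?P<s_to>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_to>[\d.]+))? \[(?P<ipid>\d+)\]"
)

def parse(text):
    """Return one record per address-translation line."""
    records = []
    for line in text.splitlines():
        m = ADDR.search(line)
        if not m:
            continue
        r = m.groupdict()
        r["dir"] = "out" if r["s_to"] else "in"  # rewritten source = outbound
        r["ipid"] = int(r["ipid"])
        records.append(r)
    return records

def check_flows(records):
    """Map IP id -> (inside_local, inside_global, outside, consistent)."""
    by_id = {}
    for r in records:
        by_id.setdefault(r["ipid"], {})[r["dir"]] = r
    result = {}
    for ipid, pair in sorted(by_id.items()):
        out, inb = pair.get("out"), pair.get("in")
        if out is None or inb is None:
            result[ipid] = (None, None, None, False)  # one direction missing
            continue
        inside_local, inside_global, outside = out["s"], out["s_to"], out["d"]
        ok = (inb["s"] == outside and inb["d"] == inside_global
              and inb["d_to"] == inside_local)
        result[ipid] = (inside_local, inside_global, outside, ok)
    return result

if __name__ == "__main__":
    for ipid, (il, ig, o, ok) in check_flows(parse(SAMPLE)).items():
        print(f"id {ipid}: {il} -> {ig} towards {o}: {'ok' if ok else 'MISMATCH'}")
```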
03-18-2012 01:36 AM
Hi Carlo,
Tested and found the same behavior.
It seems that the router considers the control plane as an inside interface.
Have a look at this link:
http://ieoc.com/forums/p/18741/161550.aspx
Regards
Dan
03-19-2012 01:38 AM
Great explanation!
Another question related to NAT....
With a router having an inside and an outside interface configured, the only NAT option supported on the outside interface is ip nat outside source ......, while on the inside i/f source/destination NAT (ip nat inside source/destination) is supported.
Why do these differences exist from a configuration point of view?
Thanks
03-19-2012 02:08 AM
Hi Carlo,
ip nat inside/outside source list/route-map is for Source NAT and the flow must be initiated from the interface specified in the command - this does not apply to the static command.
ip nat inside/outside source static is bidirectional - meaning that the packet could be initiated on any interface (inside or outside); this means that it is not only Source NAT but also Destination NAT.
ip nat inside destination is used for load balancing; the packet must be initiated from OUTSIDE.
Regards
Dan
03-19-2012 03:06 AM
Hi Dan,
just to better understand...
ip nat outside source list/route-map creates a dynamic NAT entry (when the flow is outside initiated) to translate outside-global -> outside-local.
From your answer it seems to me that ip nat inside destination list/route-map works the same way.
If this is right, what are the differences between them?
Thanks a lot