NAT inside destination not working

saba
Level 1

My setup is on gns3, dynamips.

What I'm trying to do is load balancing between two identical servers using NAT.

[image: NAT inside destination]

The server addresses are 192.168.48.74 and .75. With one public address, I'd like my clients on the internet to access those servers. So if my clients on the internet try to connect to the server through the public address, the router R1 should translate it to one of the local addresses.

This should be done with the 'ip nat inside destination list' command, according to some articles [1]. But in my setup it doesn't work at all. Can anyone help me?

R1 configuration is as follows:

!
version 12.4
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
interface Loopback0
 ip address 10.10.11.1 255.255.255.248
!
interface Loopback1
 ip address 192.168.48.1 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback2
 ip address 192.168.48.33 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback3
 ip address 192.168.64.1 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback4
 ip address 192.168.64.33 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback5
 ip address 192.168.80.97 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback6
 ip address 192.168.80.193 255.255.255.224
 ip ospf network point-to-point
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
!
interface Serial0/0.13 multipoint
 ip address 200.200.17.5 255.255.255.252
 ip ospf network point-to-point
 frame-relay map ip 200.200.17.6 103 broadcast
!
interface Serial0/1
 ip address 200.200.17.13 255.255.255.252
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Ethernet1/0
 ip address 200.200.17.18 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 full-duplex
!
interface Ethernet1/1
 no ip address
 full-duplex
!
interface Ethernet1/1.15
 encapsulation dot1Q 600
 ip address 166.15.13.1 255.255.255.252
!
interface Ethernet1/1.17
 encapsulation dot1Q 107
 ip address 192.168.32.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/1.18
 encapsulation dot1Q 108
 ip address 192.168.32.17 255.255.255.240
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
router ospf 1
 router-id 10.10.11.1
 log-adjacency-changes
 area 0 authentication message-digest
 area 192 virtual-link 10.10.13.3 message-digest-key 53 md5 sj79aqj2dn0js
 passive-interface default
 no passive-interface Serial0/0.13
 no passive-interface Serial0/1
 no passive-interface Ethernet1/1.17
 no passive-interface Ethernet1/1.18
 network 192.168.32.1 0.0.0.0 area 1003
 network 192.168.32.17 0.0.0.0 area 1003
 network 192.168.48.0 0.0.0.63 area 1003
 network 192.168.64.0 0.0.0.63 area 1003
 network 192.168.80.96 0.0.0.31 area 1003
 network 192.168.80.192 0.0.0.31 area 1003
 network 200.200.17.5 0.0.0.0 area 192
 network 200.200.17.13 0.0.0.0 area 192
 default-information originate always
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.200.17.17
!
!
ip nat pool RETAIL-WEB-LOCAL 192.168.48.74 192.168.48.75 prefix-length 29 type rotary
ip nat inside source list NAT-GRP interface Ethernet1/0 overload
ip nat inside destination list RETAIL-WEB-GLOBAL pool RETAIL-WEB-LOCAL
!
!
ip access-list standard NAT-GRP
 permit 192.168.48.0 0.0.0.63
 permit 192.168.64.0 0.0.16.255
ip access-list standard RETAIL-WEB-GLOBAL
 permit 200.200.17.34
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

SW3 config is as follows:

no service password-encryption
!
hostname SW3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
!
interface Loopback1
 ip address 192.168.48.65 255.255.255.248
 ip ospf network point-to-point
!
interface Loopback2
 ip address 192.168.48.73 255.255.255.248
 ip ospf network point-to-point
!
interface Loopback3
 ip address 192.168.48.81 255.255.255.248
 ip ospf network point-to-point
!
interface Loopback4
 ip address 192.168.80.1 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback5
 ip address 192.168.80.33 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback6
 ip address 192.168.48.137 255.255.255.248
 ip ospf network point-to-point
!
interface Port-channel1
 switchport mode trunk
!
interface Port-channel2
 switchport mode trunk
!
interface Port-channel3
 switchport mode trunk
!
interface FastEthernet1/0
 switchport access vlan 210
!
!
interface FastEthernet1/9
 switchport mode trunk
 channel-group 2 mode on
!
interface FastEthernet1/10
 switchport mode trunk
 channel-group 2 mode on
!
interface FastEthernet1/11
 switchport mode trunk
 channel-group 3 mode on
!
interface FastEthernet1/12
 switchport mode trunk
 channel-group 3 mode on
!
interface FastEthernet1/13
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet1/14
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
!
interface Vlan108
 ip address 192.168.32.18 255.255.255.240
 ip access-group CTRL-RETAIL-TELLER in
!
interface Vlan708
 ip address 192.168.32.34 255.255.255.240
 ip access-group CTRL-RETAIL-TELLER in
!
router ospf 1
 router-id 10.10.11.3
 log-adjacency-changes
 passive-interface default
 no passive-interface Vlan108
 no passive-interface Vlan708
 network 192.168.32.18 0.0.0.0 area 1003
 network 192.168.32.34 0.0.0.0 area 1003
 network 192.168.48.64 0.0.0.31 area 1003
 network 192.168.80.0 0.0.0.7 area 1003
 network 192.168.80.32 0.0.0.7 area 1003
!
ip http server
no ip http secure-server
!
ip access-list extended CTRL-RETAIL-TELLER
 permit ip 192.168.48.0 0.0.0.15 192.168.48.68 0.0.0.1
 permit ip 192.168.48.32 0.0.0.7 192.168.48.68 0.0.0.1
 deny   ip any 192.168.48.64 0.0.0.7
 permit ip any any
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

'show ip nat statistics' on R1 shows the following:

R1#sh ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Ethernet1/0
Inside interfaces:
  Ethernet1/1.17, Ethernet1/1.18
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT-GRP interface Ethernet1/0 refcount 0
-- Inside Destination
[Id: 2] access-list RETAIL-WEB-GLOBAL pool RETAIL-WEB-LOCAL refcount 0
 pool RETAIL-WEB-LOCAL: netmask 255.255.255.248
        start 192.168.48.74 end 192.168.48.75
        type rotary, total addresses 2, allocated 0 (0%), misses 0
Queued Packets: 0

When I try to ping 200.200.17.34 from the ISP, it fails. It doesn't even create any 'ip nat translation' entry; it tries to route the address without going through NAT at all.

6 Replies

Hello,

Where is 200.200.17.34 configured? I don't see an ip nat outside interface in your configuration with that IP address...

I didn't think that address has to be assigned to an interface. That address needs to be translated, and the article explaining ip nat inside destination doesn't have any interface assigned with the public address which needs to be translated.

Do you think I should change the public address to the address associated with the ip nat interface?

Hello,

You are right, my bad, the interface address does not have to match the public address.

Looking through your config, check your inside NAT access list, it doesn't include the addresses for your servers:

ip access-list standard NAT-GRP
 permit 192.168.48.0 0.0.0.63 --> includes only hosts 1 - 62, change the wildcard to 0.0.0.127
 permit 192.168.64.0 0.0.16.255

Also, can you ping 192.168.48.74 from the router? I cannot fully figure out what your network looks like, since you have a virtual link (to where?) and your switch is supposed to be a layer 3 switch?
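As an added example that is not from the thread, from Cisco, or from the original poster, the following Python models the two IOS behaviours discussed above: standard-ACL wildcard matching (which shows why `permit 192.168.48.0 0.0.0.63` stops at .63 and never covers the .74/.75 servers, while `0.0.0.127` does), and the round-robin selection that a `type rotary` pool performs for `ip nat inside destination`. The ACL entries, pool and server addresses are taken from the configs posted above; the outside client address 198.51.100.9 is constructed for the demo, and the rule that the rotary pool translates TCP only (so an ICMP ping never creates a translation entry) is taken from Cisco's TCP load distribution documentation, not from anything stated in the thread.

```python
"""Model of Cisco standard-ACL wildcard matching and a 'type rotary'
destination-NAT pool, built to illustrate this thread (example code)."""
import ipaddress
from itertools import cycle


def _i(addr: str) -> int:
    """IPv4 dotted-quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL semantics: wildcard bit 1 = don't care, 0 = must match."""
    care = ~_i(wildcard) & 0xFFFFFFFF
    return (_i(addr) & care) == (_i(base) & care)


def wildcard_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address a base/wildcard pair can match."""
    care = ~_i(wildcard) & 0xFFFFFFFF
    low = _i(base) & care
    high = low | _i(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def acl_permits(acl, addr: str) -> bool:
    """Standard ACL evaluation: first matching entry wins, implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


class RotaryDestinationNat:
    """'ip nat inside destination list <acl> pool <pool>' with a rotary pool.

    A packet arriving on the outside interface whose destination matches the
    ACL gets its destination rewritten to the next pool address in turn.
    Assumption from Cisco's documentation (not from the thread): TCP load
    distribution applies to TCP only, so other protocols are routed as-is.
    """

    def __init__(self, acl, pool_start: str, pool_end: str):
        self.acl = acl
        self.pool = [str(ipaddress.IPv4Address(x))
                     for x in range(_i(pool_start), _i(pool_end) + 1)]
        self._next = cycle(self.pool)
        self.translations = []          # (outside src, global dst, local dst)

    def inbound(self, src: str, dst: str, proto: str) -> str:
        """Return the destination the router forwards to after NAT."""
        if proto != "tcp" or not acl_permits(self.acl, dst):
            return dst                  # no translation entry is created
        local = next(self._next)
        self.translations.append((src, dst, local))
        return local


# ACLs and addresses as posted in R1's configuration above.
NAT_GRP = [("permit", "192.168.48.0", "0.0.0.63"),
           ("permit", "192.168.64.0", "0.0.16.255")]
NAT_GRP_FIXED = [("permit", "192.168.48.0", "0.0.0.127"),   # suggested change
                 ("permit", "192.168.64.0", "0.0.16.255")]
RETAIL_WEB_GLOBAL = [("permit", "200.200.17.34", "0.0.0.0")]  # host entry
SERVERS = ["192.168.48.74", "192.168.48.75"]


def servers_covered(acl) -> dict:
    """Which server addresses does the inside-source ACL actually match?"""
    return {s: acl_permits(acl, s) for s in SERVERS}


def demo():
    """Four TCP connections and one ping from a constructed outside client."""
    nat = RotaryDestinationNat(RETAIL_WEB_GLOBAL, "192.168.48.74", "192.168.48.75")
    tcp_targets = [nat.inbound("198.51.100.9", "200.200.17.34", "tcp") for _ in range(4)]
    ping_target = nat.inbound("198.51.100.9", "200.200.17.34", "icmp")
    return tcp_targets, ping_target


if __name__ == "__main__":
    print("0.0.0.63 covers", wildcard_range("192.168.48.0", "0.0.0.63"))
    print("0.0.0.127 covers", wildcard_range("192.168.48.0", "0.0.0.127"))
    print("servers in NAT-GRP as posted:", servers_covered(NAT_GRP))
    print("servers in NAT-GRP with /0.0.0.127:", servers_covered(NAT_GRP_FIXED))
    tcp, icmp = demo()
    print("TCP connections land on:", tcp)
    print("ICMP ping is forwarded to:", icmp)
```

Running it shows the rotary pool alternating .74, .75, .74, .75 for TCP sessions to the public address, the ping passing through untranslated, and the posted NAT-GRP entry matching neither server until the wildcard is widened.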

Hello


@saba wrote:
I didn't think that address has to be assigned to an interface. That address needs to be translated, and the article explaining ip nat inside destination doesn't have any interface assigned with the public address which needs to be translated.

Do you think I should change the public address to the address associated with the ip nat interface?

You need to have 200.200.17.34 available for you to use and advertised by your ISP. Your global inside addressing 200.200.17.18/30 doesn't even extend to this IP address, so why are you trying to connect via it?

As for your destination NAT config, this looks okay.

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I do have the address 200.200.17.34, though it's not on any of the loopback interfaces. The ISP has it in its static routes. I didn't set up the loopback because there are no routing protocols between R1 and the ISP.

Hello,

You have a virtual link with area 192 being the transit area. What are you linking to?

Try and take the access list 'ip access-list standard NAT-GRP' out of your configuration altogether...

no ip access-list standard NAT-GRP
