cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4787
Views
0
Helpful
15
Replies

NAT issue - (over same link) static-NAT works but PAT (for rest of hosts) does not !

costaspal
Level 1
Level 1

Hello fellow engineers!

I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make-out what the problem is…

Scenario description:

2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-int’f (router-on-a-stick is implemented).    The router has two other WAN (Internet) connections via a Satelite link and a MetroEthernet link.   These two are terminated on the switch on intf’s at the appropriate VLAN’s.   At attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks.   The aDSL and Metro links have an 8-IP public set, each.

Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used.    VLAN/subnet (all /24) pairs are:

VLAN 11 -> 10.0.1.x

VLAN 12 -> 10.0.2.x

VLAN 13 -> 10.0.3.x

VLAN 71 -> 192.168.17.x

VLAN 204 -> 172.16.204.x

and – last but not least ! – VLAN 10 -> 10.0.0.x

All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).

Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected.   So does the PAT for hosts of all other VLAN’s (11, 12, 13, …).   The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !

What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests !   Nothing else !   To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !

Could pls someone spot what I’m missing !!

To help you I also attach the router config and some command outputs…

All help is appreciated.

Thanx

Costas

1 Accepted Solution

Accepted Solutions

Hello Kosta.

 

After studying the provided config I've concluded to the below:

 

1. Default gateway of the MultiISP router is Oxygen (212.251.64.153).

2. The route map statements regarding default gateway's IP address are not needed. A permit any route map statement at the end will provide the neccessary access to all the IP addresses that are need to follow the default gateway of the router.

3. Unfortunatelly in order for the NAT rules to apply in a PBR scenario the respective ACLs need to be configured pointing to the appropriate outgoing interface (e.x. Port-Channel 1.64).

4. Since the need is for 1:1 NAT for the servers then the NAT statements should be in the form of

ip nat source static <Private IP address>  < Public IP address)

 

As an extra if you want a complete control over PBR there should be no default gateway static routes. The routing should take place in the route map statements since it could give a better control over it and remove the additional complexity of having routing through PBR for some hosts and static routing for all the others.

 

Hope that helped a little. I will be more than glad to hear your feedback on this.

 

Thank you.

View solution in original post

15 Replies 15

Jon Marshall
Hall of Fame
Hall of Fame

Costas

Can you try replacing "permit any" in your rest_of_10.0.0.x acl with -

"permit 10.0.0.0 0.0.0.255"

Jon

Hello Jon.

That's what I initially had !   Afterwards I replaced it with "any".

It didn't have any effect though.   After all I do not get any hits there !

Thanx for responding

Costas

Do you have any firewall rules etc. anywhere that might be blocking traffic ?

Jon

Nop !

No security configured -yet- at the router (as you may see there is no security related ACL anywhere and no "access-group" command is used).

Nothing on the PC either !   I did all tests with my laptop picking-up and testing each and every one of the IP's for static NATting as well as many different other IP's.   For instance, at the clipping for "sh ip nat tra" I attached I had the 10.0.0.221 at the time.

Costas

Your default route via the Dialer interface has an AD of 5 so the one used will be 212.251.64.153.

Have you tried just removing the last PBR statement ?

Jon

That last PBR statement

(route-map 10.0.0.X_hosts_PBR permit 70
 description *** rest of 10.0.0.x net --> Oxygen ***
 match ip address rest_of_10.0.0.x
 set ip next-hop 212.251.64.153
)

was not there in the first place - I got it there assuming it would help but it didn't.   Actually - as mentioned - it does not get any hits !

(route-map 10.0.0.X_hosts_PBR, permit, sequence 255
  Match clauses:
    ip address (access-lists): rest_of_10.0.0.x
  Set clauses:
    ip next-hop 212.251.64.153
  Policy routing matches: 0 packets, 0 bytes
)

...

Looking at the output from your first post of the route map the match clauses are all using different acls than in your configuration.

Have you modified it for posting ?

Jon

Yes...

Sorry for the delay in replying, the site is not making it easy at the moment :-)

I can't see anything obviously wrong with the configuration you posted and you do seem to be getting some translations for 10.0.0.x hosts which is weird to say the least.

I know you said you can't access web pages but if you try do you actually see translations for that connection ?

Jon

 

I wonder if there is any significance in the fact that on the "show ip nat trans" they are all udp translations. And you say that DNS (udp) seems to work but web pages don't load (tcp). 

Can you do a "debug IP nat" and send some requests through?

Hi there - thanx for responding.

I really can't answer that but, if DNS does not get through nothing else would...

I have not kept a NAT debug -- if I recall correctly, because I didn't observe anything of significance -- I do have "deb ip packet" that didn't make much of it; you're welcome to have a look.

Costas

P.S. --> "100" is an ACL to filter traffic to/from my IP at the time...

I know Jon...   It took at least half-hour to create this conversation and upload the files !!

 

I do not see any entries in the NAT table for the target site (pulic IP) - if that is what you mean...    Only DNS requests !   In addition, I tried to connect to our own WebVPN site via its public IP address (to bypass a DNS issue) and still nothing !

To top that, tracerouting to that destination worked just fine !   I haven't kept a proof for that - I might as well try it again...

Costas

Just a thought.

Can the 10.0.0.x clients resolve DNS queries properly ie. you can traceroute to a public IP and you see DNS requests in the translation table but nothing else.

Which suggests it may be that the clients are not getting back a DNS response with the IP address so they then don't make a connection to the web server.

I appreciate you cannot hit the web page using the IP not the name but some web servers don't display if you try and connect with the IP address.

I can't think why DNS wouldn't work for them but would for other subnets though.

Jon

That's my assumption too, Jon - just cannot figure-out why these specific hosts do not get their DNS requests resolved; hence no additional TCP connections...

As I mentioned, when hitting a public IP address via the browser I used our own ASA's portal page which I know for sure works that way !

To "top" your last sentence, let me remind you that most of the static NAT's are from hosts in the same subnet !! (10.0.0.x)

It's quite a puzzle...

Costas