03-27-2012 02:13 AM - edited 03-04-2019 03:48 PM
Hi,
I've tested the following NAT configuration
hostname R4
!
no ip cef
!
interface Loopback104
 ip address 172.16.104.1 255.255.255.0
!
interface Serial0/0.234 point-to-point
 ip address 172.16.234.4 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 snmp trap link-status
 frame-relay interface-dlci 403
!
interface FastEthernet0/1
 ip address 172.16.64.4 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
!
!
ip nat outside source static 172.16.110.1 172.16.104.10
!
in which IP-CEF & IP-FASTSWITCHING are disabled to better understand debug messages related to IP routing & NAT processing.
R4 is configured for "outside source static" translating and, as debug shows, a ping packet entering from outside fast0/1 is translated (outside global -> outside local) and then routed to ser0/0.234 outgoing i/f (inside i/f).
However, pinging the remote loopback router (3.3.3.3), attached on inside i/f, from 172.16.110.1, configured on a router attached on outside side, doesn't work!
Adding ip nat outside on loopback 104 i/f solves the issue; now debug shows:
*Mar 1 00:57:44.203: IP: tableid=0, s=172.16.110.1 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), routed via RIB
*Mar 1 00:57:44.207: NAT: s=172.16.110.1->172.16.104.10, d=3.3.3.3 [130]
*Mar 1 00:57:44.211: IP: s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), g=172.16.234.3, len 100, forward
*Mar 1 00:57:44.223: IP: tableid=0, s=3.3.3.3 (Serial0/0.234), d=172.16.104.10 (Loopback104), routed via RIB <--------------------- msg A
*Mar 1 00:57:44.227: NAT: s=3.3.3.3, d=172.16.104.10->172.16.110.1 [130] <--------------------------------------------------------- msg B
*Mar 1 00:57:44.227: IP: s=3.3.3.3 (Serial0/0.234), d=172.16.110.1 (Loopback104), g=172.16.110.1, len 100, forward <----------- msg C ???
*Mar 1 00:57:44.227: IP: tableid=0, s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), routed via RIB <------------- msg D
*Mar 1 00:57:44.227: IP: s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), g=172.16.64.10, len 100, forward
*Mar 1 00:57:44.231: NAT*: s=172.16.110.1->172.16.104.10, d=3.3.3.3 [131]
*Mar 1 00:57:44.231: IP: tableid=0, s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), routed via RIB
*Mar 1 00:57:44.231: IP: s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), g=172.16.234.3, len 100, forward
*Mar 1 00:57:44.239: IP: tableid=0, s=3.3.3.3 (Serial0/0.234), d=172.16.104.10 (Loopback104), routed via RIB
*Mar 1 00:57:44.239: NAT: s=3.3.3.3, d=172.16.104.10->172.16.110.1 [131]
*Mar 1 00:57:44.239: IP: s=3.3.3.3 (Serial0/0.234), d=172.16.110.1 (Loopback104), g=172.16.110.1, len 100, forward
*Mar 1 00:57:44.243: IP: tableid=0, s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), routed via RIB
*Mar 1 00:57:44.243: IP: s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), g=172.16.64.10, len 100, forward
*Mar 1 00:57:44.247: NAT*: s=172.16.110.1->172.16.104.10, d=3.3.3.3 [132]
*Mar 1 00:57:44.251: IP: tableid=0, s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), routed via RIB
*Mar 1 00:57:44.255: IP: s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), g=172.16.234.3, len 100, forward
*Mar 1 00:57:44.255: IP: tableid=0, s=3.3.3.3 (Serial0/0.234), d=172.16.104.10 (Loopback104), routed via RIB
*Mar 1 00:57:44.259: NAT: s=3.3.3.3, d=172.16.104.10->172.16.110.1 [132]
*Mar 1 00:57:44.259: IP: s=3.3.3.3 (Serial0/0.234), d=172.16.110.1 (Loopback104), g=172.16.110.1, len 100, forward
*Mar 1 00:57:44.263: IP: tableid=0, s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), routed via RIB
*Mar 1 00:57:44.263: IP: s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), g=172.16.64.10, len 100, forward
Now, from my understanding, message A (highlighted) refers to IP routing from ser0/0.234 to Loopback104 and message B to the outside local -> outside global translation performed on this interface.
Message D is related to the (natted) packet re-entering from Loopback104 and forwarded to outside fa0/1 (gw = 172.16.64.10).
What about message C? Why does Loopback104 have to be configured with ip nat outside?
thanks
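Added example, not part of the original post: a short Python parser run over the debug lines for the first ping packet above (ICMP id 130). For each NAT destination rewrite it reports the interface chosen by the preceding route lookup and whether the packet was then looked up again from that interface, which is the sequence messages A to D show. Function and field names are chosen for this illustration.

```python
import re

# Debug lines copied from the post above (first ping packet, id 130).
SAMPLE = """\
*Mar 1 00:57:44.203: IP: tableid=0, s=172.16.110.1 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), routed via RIB
*Mar 1 00:57:44.207: NAT: s=172.16.110.1->172.16.104.10, d=3.3.3.3 [130]
*Mar 1 00:57:44.211: IP: s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), g=172.16.234.3, len 100, forward
*Mar 1 00:57:44.223: IP: tableid=0, s=3.3.3.3 (Serial0/0.234), d=172.16.104.10 (Loopback104), routed via RIB
*Mar 1 00:57:44.227: NAT: s=3.3.3.3, d=172.16.104.10->172.16.110.1 [130]
*Mar 1 00:57:44.227: IP: s=3.3.3.3 (Serial0/0.234), d=172.16.110.1 (Loopback104), g=172.16.110.1, len 100, forward
*Mar 1 00:57:44.227: IP: tableid=0, s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), routed via RIB
*Mar 1 00:57:44.227: IP: s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), g=172.16.64.10, len 100, forward
"""

IP_RE = re.compile(r"IP: (?:tableid=\d+, )?s=(\S+) \(([^)]+)\), d=(\S+) \(([^)]+)\), (.*)$")
NAT_RE = re.compile(r"NAT\*?: s=([\d.]+)(?:->([\d.]+))?, d=([\d.]+)(?:->([\d.]+))? \[(\d+)\]")

def parse(log):
    """Turn debug lines into 'lookup', 'forward' and 'nat' events, in log order."""
    events = []
    for line in log.splitlines():
        if m := NAT_RE.search(line):
            s_old, s_new, d_old, d_new, ident = m.groups()
            events.append({"kind": "nat", "s": (s_old, s_new),
                           "d": (d_old, d_new), "id": int(ident)})
        elif m := IP_RE.search(line):
            src, in_if, dst, out_if, tail = m.groups()
            kind = "lookup" if "routed via" in tail else "forward"
            events.append({"kind": kind, "src": src, "in_if": in_if,
                           "dst": dst, "out_if": out_if})
    return events

def dst_rewrites(events):
    """For each destination rewrite: which interface did routing pick just
    before it, and was the packet routed again as if received on it?"""
    out = []
    for i, ev in enumerate(events):
        if ev["kind"] != "nat" or ev["d"][1] is None:
            continue  # source-only translation, destination unchanged
        before = next((e for e in reversed(events[:i]) if e["kind"] == "lookup"), None)
        after = next((e for e in events[i + 1:] if e["kind"] == "lookup"), None)
        nat_if = before["out_if"] if before else None
        out.append({"id": ev["id"], "old": ev["d"][0], "new": ev["d"][1],
                    "nat_if": nat_if,
                    "relooked_up": bool(after and after["in_if"] == nat_if),
                    "final_out_if": after["out_if"] if after else None})
    return out
```

Calling dst_rewrites(parse(SAMPLE)) yields one entry: the rewrite 172.16.104.10 -> 172.16.110.1 follows a lookup that selected Loopback104, and the translated packet is then looked up again with Loopback104 as its input interface before leaving via FastEthernet0/1.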
03-28-2012 03:09 AM
Hi,
I don't know why the reply received by mail is not shown here in the thread....
******************************************************************
Carlo,
For outside static nat, you usually nat to an address that your router knows how to get to. The result that you got was because the address that you're natting to is on the loopback and not the f0/0 interface where I'm sure the traffic is coming from. You would need to put "ip nat outside" on the loopback interface in this scenario because you're telling the router that the address to use as outgoing nat is the loopback interface. Otherwise, you can nat to an address on your fa0/0 interface and you should be fine like:
ip nat outside source static 172.16.110.1 172.16.64.49
Then you'd be able to ping your loopback without putting a nat statement on the interface.
HTH,
John
*************************************************************************
From http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml I can guess that in every case (Local->Global and Global->Local translation) the address translation itself is performed - from IOS point of view - on outside sw i/f
show int Loop104 switching counters before ping is issued:
R4#sh int loop104 switchi
Loopback104
Protocol IP
  Switching path    Pkts In   Chars In   Pkts Out  Chars Out
         Process          2         56          2         56
    Cache misses          0          -          -          -
            Fast          0          0          0          0
       Auton/SSE          0          0          0          0
NOTE: all counts are cumulative and reset only after a reload.
R4#
R5#ping 3.3.3.3 source loop110 r 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.110.1
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 4/20/36 ms
And after ping:
R4#sh int loop104 switchi
Loopback104
Protocol IP
  Switching path    Pkts In   Chars In   Pkts Out  Chars Out
         Process          5        356          5        356
    Cache misses          0          -          -          -
            Fast          0          0          0          0
       Auton/SSE          0          0          0          0
NOTE: all counts are cumulative and reset only after a reload.
R4#
Pkts In/Out, in fact, increased by 3 units (3 ping packets),
so in this scenario the outside i/f on which NAT is performed is Loop104.
Does it make sense?
03-29-2012 01:36 AM
Any idea ?
Thanks
03-29-2012 03:31 AM
Can you attach a diagram of how this is laid out?
Here's what I'm seeing and others can jump in here:
I laid out a topology like: RtrA ---> RtrB (2.2.2.2) ----> RtrC (NAT) -----> RtrD (4.4.4.4)
The first section is without nat enabled on the loopback. I drop traffic, but you'll notice on the last line that the destination is 3.3.3.50 and it doesn't go farther than that.
*Mar 1 00:41:12.019: IP: tableid=0, s=2.2.2.2 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), routed via FIB
*Mar 1 00:41:12.019: IP: s=3.3.3.50 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), g=10.34.0.4, len 100, forward
*Mar 1 00:41:12.027: IP: tableid=0, s=4.4.4.4 (FastEthernet0/1), d=3.3.3.50 (Loopback3), routed via RIB
*Mar 1 00:41:12.027: IP: s=4.4.4.4 (FastEthernet0/1), d=3.3.3.50, len 100, rcvd 6
With nat enabled the router goes as far as to translate further to the destination of 2.2.2.2.
*Mar 1 00:41:56.179: IP: tableid=0, s=2.2.2.2 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), routed via FIB
*Mar 1 00:41:56.183: IP: s=3.3.3.50 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), g=10.34.0.4, len 100, forward
*Mar 1 00:41:56.187: IP: tableid=0, s=4.4.4.4 (FastEthernet0/1), d=3.3.3.50 (Loopback3), routed via RIB
*Mar 1 00:41:56.187: IP: s=4.4.4.4 (FastEthernet0/1), d=2.2.2.2 (Loopback3), g=2.2.2.2, len 100, forward
*Mar 1 00:41:56.191: IP: tableid=0, s=4.4.4.4 (Loopback3), d=2.2.2.2 (FastEthernet0/0), routed via RIB
*Mar 1 00:41:56.191: IP: s=4.4.4.4 (Loopback3), d=2.2.2.2 (FastEthernet0/0), g=192.168.23.2, len 100, forward
My conclusion is that without NAT enabled on that interface, the router looks in the local routing table for the destination of 3.3.3.50 and realizes that it's local to the router...dropping the traffic. With NAT enabled, it looks in the translation table to see what it's translated to and then routes to the translated address.
Pro  Inside global   Inside local   Outside local   Outside global
---  ---             ---            3.3.3.50        2.2.2.2
03-29-2012 05:19 AM
Here is the lab layout:
Yes, I agree with you.....for these reasons I can guess Outside->Inside and Inside->Outside NAT translations are performed by IOS on the software interface where ip nat outside is configured...