Problems with Policy Based NAT - cannot get it right

tiwang
Level 3

Hi out there,

I need to be able to NAT a DMZ zone on a router to circumvent some routing problems - we have a new DMZ which has to be isolated from the main network but has to be NATed into the same IP space.

I expected that this was a simple task: define a route-map and assign this route-map to the incoming interface, which then would take the traffic from that VLAN and loop it around a loopback interface to get it through a NAT outside interface.

This also works to some extent - when I ping I can see that my NAT statement works as expected - but when the reply is sent back it is dropped in the router somewhere.

R1 (lo0: 192.168.10.1, F0/0: 80.0.0.1) <-> R2 (lo2: 192.168.20.1, F0/0: 80.0.0.2, F0/1: 81.0.0.2) <-> R3 (F0/0: 81.0.0.1)

I ping from R1 to R3 with source IP from lo0 (192.168.10.1) and try to get it NATed around lo2 on R2, where F0/0 is NAT inside and lo2 is NAT outside. I expected this to be fairly simple because the concept is used in e.g. "lollipop" or "router on a stick" - but I cannot get it right. It is being correctly NATed as far as I can see, but the reply packet from R3 doesn't hit the correct return path - it is dropped somewhere in R2.


The config of my NAT router is fairly simple:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
interface Loopback2
 ip address 192.168.20.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 80.0.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map To_loop2
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 81.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 192.168.10.0 255.255.255.0 80.0.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Loopback2 overload
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit icmp any any time-exceeded
!
route-map To_loop2 permit 10
 match ip address 1
 set interface Loopback2
!
!

When I do a ping with source IP 192.168.10.1 - entering the router on F0/0 - the following happens:

*Mar  1 03:47:16.679: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, FIB policy match
*Mar  1 03:47:16.683: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, policy match
*Mar  1 03:47:16.687: IP: route map To_loop2, item 10, permit
*Mar  1 03:47:16.687: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1 (Loopback2), len 100, policy routed
*Mar  1 03:47:16.691: IP: FastEthernet0/0 to Loopback2 81.0.0.1
*Mar  1 03:47:16.695: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [199]
R2#

R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.20.1:40   192.168.10.1:40    81.0.0.1:40        81.0.0.1:40
R2#

and on R3 (81.0.0.1):

*Mar  1 03:48:24.051: IP: tableid=0, s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEtherne
*Mar  1 03:48:24.055: IP: s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEthernet0/0), len
*Mar  1 03:48:24.059: ICMP: echo reply sent, src 81.0.0.1, dst 192.168.20.1

But the packet is dropped in R2 - can someone tell me why?

best regards /ti

3 Replies

Hi,

When you debug on R3, you will receive this message, meaning you need to put a route in R3:

*May 31 15:24:49.767: IP: s=81.0.0.1 (local), d=192.168.20.1, len 100, unroutable


ip route 192.168.20.0 255.255.255.0 81.0.0.2

This solves the problem.

regards,

syed


"Don't forget to rate me if post helpful"
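The packet walk behind the question and syed's answer, as an added example that is not part of the thread and is not Cisco IOS code: a small Python model of R2's and R3's forwarding tables (longest-prefix match), R2's policy route to Loopback2, and the NAT row from the `show ip nat translations` output above. It assumes R3's routing table holds only its connected 81.0.0.0/24 (the thread does not show R3's config), and it models the reverse translation of the reply on R2 the way the thread describes the fix working, not IOS internals. Running it with and without the `ip route 192.168.20.0 255.255.255.0 81.0.0.2` from the reply reproduces the "unroutable" drop on R3 and then the translated reply heading back to 80.0.0.1.

```python
"""Model of the policy-based NAT topology from the thread (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # next-hop address, or "connected:<interface>" for a connected route


@dataclass
class Router:
    name: str
    routes: list = field(default_factory=list)
    # NAT table rows from 'show ip nat translations': inside global -> inside local
    nat: dict = field(default_factory=dict)

    def add_route(self, prefix: str, via: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), via))

    def lookup(self, dst: str):
        """Longest-prefix match like the FIB; None corresponds to IOS's 'unroutable'."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best.via if best else None


def build_topology(r3_has_return_route: bool):
    """R2 as in the posted config; R3 assumed to know only its connected subnet."""
    r2 = Router("R2")
    r2.add_route("80.0.0.0/24", "connected:FastEthernet0/0")
    r2.add_route("81.0.0.0/24", "connected:FastEthernet0/1")
    r2.add_route("192.168.20.0/24", "connected:Loopback2")
    r2.add_route("192.168.10.0/24", "80.0.0.1")  # 'ip route 192.168.10.0 ... 80.0.0.1'
    r2.nat = {"192.168.20.1": "192.168.10.1"}  # 'ip nat inside source list 1 interface Loopback2 overload'
    r3 = Router("R3")
    r3.add_route("81.0.0.0/24", "connected:FastEthernet0/0")
    if r3_has_return_route:
        r3.add_route("192.168.20.0/24", "81.0.0.2")  # the route syed's reply adds on R3
    return r2, r3


PBR_MATCH = ipaddress.ip_network("192.168.10.0/24")  # access-list 1, matched by route-map To_loop2


def echo_request(r2: Router, src="192.168.10.1", dst="81.0.0.1"):
    """Echo request entering R2 on F0/0: policy-routed to Loopback2, source NATed, then forwarded."""
    if ipaddress.ip_address(src) in PBR_MATCH:
        # 'set interface Loopback2' pushes the packet through the nat outside interface,
        # so the inside->outside translation rewrites the source to the inside global
        src = next(g for g, local in r2.nat.items() if local == src)
    return src, dst, r2.lookup(dst)


def echo_reply(r2: Router, r3: Router, src="81.0.0.1", dst="192.168.20.1"):
    """Echo reply generated on R3: needs a route to the inside global address before
    R2 can reverse the translation and send it back towards R1."""
    hop = r3.lookup(dst)
    if hop is None:
        return {"r3": "unroutable"}  # the debug line quoted in the reply
    inside_local = r2.nat.get(dst)  # outside->inside translation on R2
    return {"r3": hop, "r2_dst": inside_local, "r2_next_hop": r2.lookup(inside_local)}


if __name__ == "__main__":
    for fixed in (False, True):
        r2, r3 = build_topology(fixed)
        print("R3 return route present:", fixed)
        print("  request :", echo_request(r2))
        print("  reply   :", echo_reply(r2, r3))
```

The check this leaves a practitioner with: whenever NAT borrows a loopback or any other prefix as the inside global address, every router on the outside path must have a route back to that prefix; the translation itself succeeding (as the `show ip nat translations` row proves) says nothing about the return path.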