Problems with Policy Based NAT - cannot get it right

tiwang (Level 3)

Hi out there,

I need to be able to NAT a DMZ zone on a router to circumvent some routing problems - we have a new DMZ which has to be isolated from the main network but has to be NATted into the same IP space.

I expected that this was a simple task by defining a route-map and assigning this route-map to the incoming interface, which then would take the traffic from that VLAN and loop it around a loopback interface to get it through a NAT outside interface.

This also works to some extent - when I ping I can see that my NAT statement works as expected - but when the reply is sent back it is dropped in the router somewhere.

R1 (lo0: 192.168.10.1, F0/0: 80.0.0.1) <-> R2 (lo2: 192.168.20.1, F0/0: 80.0.0.2, F0/1: 81.0.0.2) <-> R3 (F0/0: 81.0.0.1)

I ping from R1 to R3 with source IP from lo0 (192.168.10.1) and try to get it NATted around lo2 on R2, where F0/0 is NAT inside and lo2 is NAT outside - I expected this to be fairly simple because the concept is used in e.g. "lollipop" or "router on a stick" - but I cannot get it right - it is being correctly NATted as far as I can see, but the reply packet from R3 doesn't hit the correct return path - it is dropped somewhere in R2.


The config of my NAT router is fairly simple:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
interface Loopback2
 ip address 192.168.20.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 80.0.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map To_loop2
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 81.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 192.168.10.0 255.255.255.0 80.0.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Loopback2 overload
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit icmp any any time-exceeded
!
route-map To_loop2 permit 10
 match ip address 1
 set interface Loopback2
!
!

When I do a ping with source IP 192.168.10.1, entering the router on F0/0, the following happens:

*Mar  1 03:47:16.679: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, FIB policy match
*Mar  1 03:47:16.683: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, policy match
*Mar  1 03:47:16.687: IP: route map To_loop2, item 10, permit
*Mar  1 03:47:16.687: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1 (Loopback2), len 100, policy routed
*Mar  1 03:47:16.691: IP: FastEthernet0/0 to Loopback2 81.0.0.1
*Mar  1 03:47:16.695: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [199]
R2#
 

R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.20.1:40   192.168.10.1:40    81.0.0.1:40        81.0.0.1:40
R2#
 

and on R3 (81.0.0.1):

*Mar  1 03:48:24.051: IP: tableid=0, s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEtherne
*Mar  1 03:48:24.055: IP: s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEthernet0/0), len
*Mar  1 03:48:24.059: ICMP: echo reply sent, src 81.0.0.1, dst 192.168.20.1
 

 

But the packet is dropped in R2 - can someone tell me why?

best regards /ti

3 Replies

Hi,

When you debug on R3, you will receive this message, meaning you need to put a route in R3:

*May 31 15:24:49.767: IP: s=81.0.0.1 (local), d=192.168.20.1, len 100, unroutable

ip route 192.168.20.0 255.255.255.0 81.0.0.2

This solves the problem.

regards,

syed

"Don't forget to rate me if the post was helpful"

Hi again,

Yes - had it just been that simple - but I had a default route pointing to R2, so this should not be the problem - why it claims that it is unroutable I cannot say, but if we go to R3 and issue a ping from there:


R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 81.0.0.2 to network 0.0.0.0

     192.168.30.0/32 is subnetted, 1 subnets
C       192.168.30.1 is directly connected, Loopback3
     81.0.0.0/30 is subnetted, 1 subnets
C       81.0.0.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 81.0.0.2
R3#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            81.0.0.1        YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Loopback3                  192.168.30.1    YES NVRAM  up                    up
R3#ping 192.168.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/47/76 ms
R3#

 

So - hmm - has anyone tried to re-create the setup and seen the same problems? I can post the actual configs from GNS3 if anyone wants to try - it should be a fairly simple setup, which from my point of view should work.

Tried it with IOS 12.4.something and 15.1 just to verify whether something odd has changed - but no difference.

best regards /Ti

PS: just tried to disable CEF on R2 to be sure that it wasn't related to this - no difference.

 

BTW - the previous test might not be so usable at all - more interesting would be to ping from R2 against R3 with the source IP of the loopback interface used for NAT:


R2#ping 81.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 81.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/31/44 ms
R2#ping 81.0.0.1 so lo 2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 81.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/23/36 ms
R2#

See, this works fine - why doesn't my PBR NAT work then?

When I ping from R1 with the source of loop1 against R3's 81.0.0.1 address, the packet is correctly translated as far as I can see in Wireshark, but it is not translated back on the NAT interface.

If I debug on R2 and look at NAT, I get this when I ping from R1 to R3:
R2#
*Mar  1 00:15:31.731: NAT: [0] Allocated Port for 192.168.10.1 -> 192.168.20.1: wanted 5 got 5
*Mar  1 00:15:31.735: NAT: i: icmp (192.168.10.1, 5) -> (81.0.0.1, 5) [25]
*Mar  1 00:15:31.735: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [25]
R2#
*Mar  1 00:15:33.775: NAT: i: icmp (192.168.10.1, 5) -> (81.0.0.1, 5) [26]
*Mar  1 00:15:33.775: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [26]
R2#
*Mar  1 00:15:35.731: NAT: i: icmp (192.168.10.1, 5) -> (81.0.0.1, 5) [27]
*Mar  1 00:15:35.735: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [27]
R2#
*Mar  1 00:15:37.747: NAT: i: icmp (192.168.10.1, 5) -> (81.0.0.1, 5) [28]
*Mar  1 00:15:37.751: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [28]
R2#sh ip nat t
*Mar  1 00:15:39.775: NAT: i: icmp (192.168.10.1, 5) -> (81.0.0.1, 5) [29]
*Mar  1 00:15:39.779: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [29]
R2#sh ip nat tra
R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.20.1:5    192.168.10.1:5     81.0.0.1:5         81.0.0.1:5
R2#
*Mar  1 00:16:40.199: NAT: expiring 192.168.20.1 (192.168.10.1) icmp 5 (5)
R2#
R3 is correctly replying to it:

R3#
*Mar  1 00:15:35.219: IP: tableid=0, s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEtherne
*Mar  1 00:15:35.223: IP: s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEthernet0/0), len
*Mar  1 00:15:35.227: ICMP: echo reply sent, src 81.0.0.1, dst 192.168.20.1
*Mar  1 00:15:35.227: IP: tableid=0, s=81.0.0.1 (local), d=192.168.20.1 (FastEthernet0/0), rou
*Mar  1 00:15:35.231: IP: s=81.0.0.1 (local), d=192.168.20.1 (FastEthernet0/0), len 100, sendi
R3#

But the packet from R3 is never "de-NATted"? Where is it dropped and why? Any comments and ideas are welcome...

best regards /ti
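The translation tables posted in the original question and in the reply above can be checked mechanically for the return direction. The following Python script is an added example, not code from this thread or from Cisco: it parses the `show ip nat translations` layout R2 prints, looks up what R3's echo reply (src 81.0.0.1, dst 192.168.20.1, ICMP identifier 5) would be rewritten to, and removes the entry when a `debug ip nat` "expiring" line is seen. The sample table, the sample expiry line and all function names are constructed for the example. One caveat when reading its result: IOS consults this table only for a packet that crosses between an interface marked `ip nat inside` and one marked `ip nat outside`, so a successful lookup shows that the entry exists, not that a reply entering on FastEthernet0/1 (which carries neither marking in the posted config) is ever offered to it.

```python
"""Reverse-direction lookup against an IOS `show ip nat translations` table.

Added example, not code from the thread or from Cisco. It parses the
five-column table R2 prints, answers "what would this reply be rewritten
to?" for the outside->inside direction, and applies a `debug ip nat`
'expiring' line to the table. Function names and the sample data below
are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Socket = Tuple[str, int]  # (address, L4 port or ICMP identifier)

# Constructed sample: same layout as the table R2 printed in the thread.
SAMPLE_TABLE = """\
R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.20.1:5    192.168.10.1:5     81.0.0.1:5         81.0.0.1:5
R2#
"""

# Constructed sample: same layout as the 'expiring' debug line R2 printed.
SAMPLE_EXPIRY = "*Mar  1 00:16:40.199: NAT: expiring 192.168.20.1 (192.168.10.1) icmp 5 (5)"

# 'NAT: expiring <inside global> (<inside local>) <proto> <global port> (<local port>)'
EXPIRE_RE = re.compile(
    r"NAT: expiring (?P<ig>\S+) \((?P<il>\S+)\) (?P<proto>\w+) (?P<gport>\d+) \((?P<lport>\d+)\)"
)


@dataclass(frozen=True)
class NatEntry:
    proto: str
    inside_global: Socket
    inside_local: Socket
    outside_local: Socket
    outside_global: Socket


def _socket(field: str) -> Socket:
    """Split 'addr:port' into (addr, port); a bare address (static entries) gets port 0."""
    addr, sep, port = field.rpartition(":")
    return (addr, int(port)) if sep else (field, 0)


def parse_translations(text: str) -> List[NatEntry]:
    """Return one NatEntry per data row; the header, prompts and debug lines are skipped."""
    entries: List[NatEntry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].lower() not in ("icmp", "tcp", "udp"):
            continue
        proto, ig, il, ol, og = parts
        entries.append(NatEntry(proto.lower(), _socket(ig), _socket(il), _socket(ol), _socket(og)))
    return entries


def reverse_translate(entries: List[NatEntry], proto: str, src: Socket, dst: Socket) -> Optional[Tuple[Socket, Socket]]:
    """Outside->inside: a reply whose src is the outside-global and dst the inside-global
    socket is rewritten to (outside-local, inside-local). None means no matching entry,
    i.e. the router would keep the inside-global destination as it is."""
    for e in entries:
        if e.proto == proto and e.outside_global == src and e.inside_global == dst:
            return e.outside_local, e.inside_local
    return None


def apply_expiry(entries: List[NatEntry], debug_line: str) -> List[NatEntry]:
    """Remove the entry named by an 'expiring' debug line; any other line leaves the table unchanged."""
    m = EXPIRE_RE.search(debug_line)
    if not m:
        return list(entries)
    gone = (m["proto"], (m["ig"], int(m["gport"])), (m["il"], int(m["lport"])))
    return [e for e in entries if (e.proto, e.inside_global, e.inside_local) != gone]


if __name__ == "__main__":
    table = parse_translations(SAMPLE_TABLE)
    # R3's echo reply as seen in its debug: src 81.0.0.1, dst 192.168.20.1, identifier 5.
    print(reverse_translate(table, "icmp", ("81.0.0.1", 5), ("192.168.20.1", 5)))
    # After the entry has expired the same reply has no mapping left.
    print(reverse_translate(apply_expiry(table, SAMPLE_EXPIRY), "icmp", ("81.0.0.1", 5), ("192.168.20.1", 5)))
```

Run as a script it first prints the rewritten pair (81.0.0.1, 192.168.10.1) for the reply while the entry is live, then None once the posted "expiring" line has been applied; feeding it a real `show ip nat translations` capture and the reply seen in `debug ip packet` separates "no entry" from "entry present but not applied", which are two different problems to chase.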
 

 

 

 
