Domain-based and NVI based NAT Question

Evgeny777
Level 1

Cisco 2811; IOS 124-24.T5

The ping goes from two hosts, A and B, at the same time to the same address.

Domain-based NAT config (OK):

interface FastEthernet0/0
 ip address 10.5.171.11 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no cdp enable
!
interface FastEthernet0/0/0.41
 description --------------                                iDirect Management
 encapsulation dot1Q 41
 ip address 10.147.0.1 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 10.5.171.1
!
ip nat inside source list iDirect_NMS interface FastEthernet0/0/0.41 overload
!
ip access-list extended iDirect_NMS
 deny   udp any any eq 0
 deny   tcp any any eq 0
 permit ip 10.5.7.0 0.0.0.255 10.147.0.0 0.0.0.15
 permit ip 192.168.3.0 0.0.0.255 10.147.0.0 0.0.0.15
 deny   ip any any

ip nat detailed debug output:

Host A

May 24 10:30:20:  mapping pointer available mapping:0
May 24 10:30:20: NAT: [0] Allocated Port for 192.168.3.34 -> 10.147.0.1: wanted 512 got 512
May 24 10:30:20: NAT*: i: icmp (192.168.3.34, 512) -> (10.147.0.2, 512) [25128]
May 24 10:30:20: NAT*: i: icmp (192.168.3.34, 512) -> (10.147.0.2, 512) [25128]
May 24 10:30:20: NAT*: s=192.168.3.34->10.147.0.1, d=10.147.0.2 [25128]
May 24 10:30:20: NAT*: o: icmp (10.147.0.2, 512) -> (10.147.0.1, 512) [10628]

Host B

May 24 10:30:32:  mapping pointer available mapping:0
May 24 10:30:32: NAT: [0] Allocated Port for 10.5.7.32 -> 10.147.0.1: wanted 512 got 514
May 24 10:30:32: NAT*: i: icmp (10.5.7.32, 512) -> (10.147.0.2, 512) [10044]
May 24 10:30:32: NAT*: i: icmp (10.5.7.32, 512) -> (10.147.0.2, 512) [10044]
May 24 10:30:32: NAT*: ICMP id=512->514
May 24 10:30:32: NAT*: s=10.5.7.32->10.147.0.1, d=10.147.0.2 [10044]
May 24 10:30:32: NAT: o: icmp (10.147.0.2, 514) -> (10.147.0.1, 514) [10633]
May 24 10:30:32: NAT: ICMP id=514->512
May 24 10:30:32: NAT: s=10.147.0.2, d=10.147.0.1->10.5.7.32 [10633]

NVI based NAT (Not OK)

interface FastEthernet0/0
 ip address 10.5.171.11 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat enable
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/0/0.41
 encapsulation dot1Q 41
 ip address 10.147.0.1 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 10.5.171.1
!
ip nat source list iDirect_NMS interface FastEthernet0/0/0.41 overload
!
ip access-list extended iDirect_NMS
 deny   udp any any eq 0
 deny   tcp any any eq 0
 permit ip 10.5.7.0 0.0.0.255 10.147.0.0 0.0.0.15
 permit ip 192.168.3.0 0.0.0.255 10.147.0.0 0.0.0.15
 deny   ip any any


ip nat detailed debug output:

Host A

May 24 10:34:38: NAT: creating portlist proto 1 globaladdr 10.147.0.1
May 24 10:34:38: NAT: [0] Allocated Port for 192.168.3.34 -> 10.147.0.1: wanted 512 got 512
May 24 10:34:38: NAT*: i: icmp (192.168.3.34, 512) -> (10.147.0.2, 512) [5800]
May 24 10:34:38: NAT*: s=192.168.3.34->10.147.0.1, d=10.147.0.2 [5800]
May 24 10:34:38: NAT: i: icmp (10.147.0.2, 512) -> (10.147.0.1, 512) [10639]
May 24 10:34:38: NAT: s=10.147.0.2, d=10.147.0.1->192.168.3.34 [10639]

Host B

May 24 10:34:50: NAT: [0] Allocated Port for 10.5.7.32 -> 10.147.0.1: wanted 512 got 513
May 24 10:34:50: NAT*: i: icmp (10.5.7.32, 512) -> (10.147.0.2, 512) [10900]
May 24 10:34:50: NAT*: s=10.5.7.32->10.147.0.1, d=10.147.0.2 [10900]
May 24 10:34:50: NAT: i: icmp (10.147.0.2, 512) -> (10.147.0.1, 512) [10644]
May 24 10:34:50: NAT: s=10.147.0.2, d=10.147.0.1->192.168.3.34 [10644]


Florin Barhala
Level 6

Weirdo; it should be sourced with 10.147.0.1, right?

I believe the last line should look like:

s=10.147.0.2, d=10.147.0.1->10.5.7.32
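
A log check for the symptom discussed in this thread, as an added example that is not part of either post: it reads ip nat detailed debug lines and flags an overloaded ICMP flow that was allocated a different identifier but shows no "ICMP id=" rewrite, and a reply translated back to a host other than the one that sent the request. The function name `audit` and the finding labels are assumptions made for illustration; the sample lines are the Host B entries copied from the two captures above.

```python
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
ALLOC = re.compile(rf"Allocated Port for {IP} -> {IP}: wanted (\d+) got (\d+)")
REWRITE = re.compile(r"ICMP id=(\d+)->(\d+)")
OUT = re.compile(rf"s={IP}->{IP}, d={IP} \[")    # request translated on the way out
BACK = re.compile(rf"s={IP}, d={IP}->{IP} \[")   # reply translated back to a local host

def audit(log):
    """Flag PAT'd ICMP flows whose id was not rewritten or whose reply went astray."""
    pending = {}    # local host -> [wanted id, allocated id, rewrite line seen?]
    last_out = {}   # remote host -> local host that most recently sent to it
    findings = []
    for line in log.splitlines():
        if m := ALLOC.search(line):
            local, _glob, wanted, got = m.groups()
            pending[local] = [wanted, got, False]
        elif m := OUT.search(line):
            local, _glob, remote = m.groups()
            last_out[remote] = local
            wanted, got, seen = pending.pop(local, (None, None, True))
            if wanted != got and not seen:
                findings.append(("id-not-rewritten", local, wanted, got))
        elif m := BACK.search(line):
            remote, _glob, local = m.groups()
            # Assumption: a reply is logged right after its request, as in the post.
            if last_out.get(remote, local) != local:
                findings.append(("reply-misdelivered", last_out[remote], local))
        elif m := REWRITE.search(line):
            for state in pending.values():
                if state[:2] == list(m.groups()):
                    state[2] = True
    return findings

# Host B lines copied from the post's two debug captures.
DOMAIN_LOG = """\
May 24 10:30:32: NAT: [0] Allocated Port for 10.5.7.32 -> 10.147.0.1: wanted 512 got 514
May 24 10:30:32: NAT*: ICMP id=512->514
May 24 10:30:32: NAT*: s=10.5.7.32->10.147.0.1, d=10.147.0.2 [10044]
May 24 10:30:32: NAT: ICMP id=514->512
May 24 10:30:32: NAT: s=10.147.0.2, d=10.147.0.1->10.5.7.32 [10633]
"""
NVI_LOG = """\
May 24 10:34:50: NAT: [0] Allocated Port for 10.5.7.32 -> 10.147.0.1: wanted 512 got 513
May 24 10:34:50: NAT*: s=10.5.7.32->10.147.0.1, d=10.147.0.2 [10900]
May 24 10:34:50: NAT: s=10.147.0.2, d=10.147.0.1->192.168.3.34 [10644]
"""
if __name__ == "__main__":
    print(audit(DOMAIN_LOG), audit(NVI_LOG))
```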