02-08-2016 01:09 AM - edited 03-08-2019 04:30 AM
Hello all!
I can't find the mistake on my own. Why does the ping from PC1 to R2 fail?
When I ping from R2 to PC1, the ping reaches PC1 and on the way back it gets lost inside R1.
The PC1 packet (s:192.168.0.2 d:77.77.77.78), as it is received by R1 Fa0/1 (out), is forwarded according to PBR to Loopback0 (in)
and disappears (debug), though the packet should be translated (s:192.168.0.2 -> s:77.77.77.77) and forwarded to 77.77.77.78 through Fa0/1 (out).
Where am I wrong?
Scheme is in the attachment.
Regards, Alexey.
02-08-2016 02:39 AM
Hello, Alexey.
I believe that when router R1 receives the packet with a destination address of 77.77.77.77, the router thinks that this packet is for R1's control plane, despite the static NAT configuration.
Is it really necessary to translate 192.168.0.2 (PC's address) to the same address as R1's interface?
Maybe you'd better translate 192.168.0.2 to some other IP address, for example 77.77.77.79?
Moreover, if you'd like to reach the PC from R2 using a 77.77.77.X address, you need to add a route-map which can redirect the traffic from R1's Fa0/1 interface (where "ip nat outside" is configured) to the loopback interface lo0 (where "ip nat inside" is configured). This is necessary to make UN-NAT work (to UN-NAT the 77.77.77.X IP address to the PC's address 192.168.0.2).
02-08-2016 02:56 AM
Boris, thank you for your answer!
According to the NAT Order of Operations, if a packet comes to an outside NAT interface, NAT outside-to-inside translation should be performed before PBR and routing.
It is preferable for me to use the R1 fa0/1 interface.
And as you can see in the attachment, PBR is configured on R1 fa0/1 to forward packets to Loopback0.
02-08-2016 03:36 AM
Alexey, please pay attention to Paul's advice. He also recommends using a specific IP address for the NAT statement.
And as for the NAT Order of Operations, yes, you are absolutely right that NAT outside to inside (or UN-NAT) goes before PBR and routing. The router should translate the inside global IP address to the inside local IP address to have enough information to make a forwarding decision (to have a correct destination IP address in our case).
But, if I'm not mistaken, the router should first check whether the packet, after the UN-translation, will be forwarded out of an interface with the "ip nat inside" statement. Having both "ip nat inside" and "ip nat outside" on the path of the packet is a necessary condition.
It is funny, but it looks like a chicken-and-egg problem :)
So, please, if the ping is still not successful after Paul's recommendation, add the following configuration to R1:
access-list 102 permit ip host 77.77.77.78 host 192.168.0.2
route-map Nat permit 20
 match ip address 102
 set interface Loopback0
02-08-2016 03:01 AM
Hello
Try the following and give your host PC a specific NAT inside global address
R2
no ip route 192.168.0.2 255.255.255.0 77.77.77.77
ip route 0.0.0.0 0.0.0.0 77.77.77.77
R1
no access-list 101 permit ip host 192.168.0.2 host 77.77.77.77
no ip nat inside source static 192.168.0.2 77.77.77.77
access-list 101 permit ip host 192.168.0.2 host 77.77.77.80
ip nat inside source static 192.168.0.2 77.77.77.80
route-map Nat permit 10
 match ip address 101
 no set ip next-hop 4.4.4.2
 set interface Loopback0
res
Paul
02-08-2016 03:35 AM
Thank you Paul, I will try.
02-08-2016 09:58 AM
R1 configuration:
interface Loopback0
 ip address 4.4.4.2 255.255.255.0
 no ip redirects
 ip nat inside
 no ip virtual-reassembly
!
interface Ethernet0/1
 ip address 192.168.0.1 255.255.255.0 secondary
 ip address 77.77.77.77 255.255.255.0
 no ip redirects
 ip nat outside
 no ip virtual-reassembly
 ip policy route-map Nat-loop
 full-duplex
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source static 192.168.0.2 77.77.77.79
!
access-list 101 permit ip host 192.168.0.2 host 77.77.77.78
no cdp log mismatch duplex
route-map Nat-loop permit 10
 match ip address 101
 set default interface Loopback0
!
control-plane
Error due to #set interface loopback 0
R1(config-route-map)#set interface loopback 0
% route-map:can not set interface.
% Use P2P interfaces for set interface clause
And the Wireshark screenshot from R1 fa0/1 is in the attachment.
It still does not translate the source IP address =(
02-09-2016 02:18 AM
Hello, Alex.
I have made the same topology in lab environment.
You have to add the following route-map sentence to make your task work:
access-list 101 permit ip host 192.168.0.2 host 77.77.77.78
access-list 102 permit ip host 77.77.77.78 host 192.168.0.2
route-map Nat-loop permit 10
 match ip address 101
 set ip next-hop 4.4.4.2
route-map Nat permit 20
 match ip address 102
 set ip next-hop 4.4.4.2
Please, see my previous reply. I tried to write some explanations.
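An added example, not part of any post in this thread: a small Python check for the PBR/NAT wiring the replies above depend on (a route-map actually applied to the interface, both NAT roles present, ACLs defined, no "set interface" pointing at a loopback). The names lint and SAMPLE are hypothetical, and the sample combines lines from the posts above on the assumption that they are all applied together on R1.

```python
import re
# Constructed sample: R1 lines posted in this thread (interfaces from the 09:58 AM
# post plus the route-map entries from the 02:18 AM reply), trimmed to what is read.
SAMPLE = """\
interface Loopback0
 ip nat inside
interface Ethernet0/1
 ip nat outside
 ip policy route-map Nat-loop
access-list 101 permit ip host 192.168.0.2 host 77.77.77.78
access-list 102 permit ip host 77.77.77.78 host 192.168.0.2
route-map Nat-loop permit 10
 match ip address 101
 set ip next-hop 4.4.4.2
route-map Nat permit 20
 match ip address 102
 set ip next-hop 4.4.4.2
"""

def lint(config):
    """Return sorted findings about PBR/NAT wiring in an IOS-style config."""
    applied, acls, nat_roles, clauses = set(), set(), set(), {}
    current = None  # route-map whose indented clauses are being read
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] != " ":  # a top-level command ends any route-map block
            m = re.match(r"route-map (\S+) (?:permit|deny) \d+$", line)
            current = m.group(1) if m else None
            if current:
                clauses.setdefault(current, [])
            if m := re.match(r"access-list (\d+) ", line):
                acls.add(m.group(1))
        elif m := re.match(r"ip policy route-map (\S+)$", line):
            applied.add(m.group(1))
        elif m := re.match(r"ip nat (inside|outside)$", line):
            nat_roles.add(m.group(1))
        elif current:
            clauses[current].append(line)
    out = [f"policy references undefined route-map {n}" for n in applied - set(clauses)]
    out += [f"route-map {n} is not applied to any interface" for n in set(clauses) - applied]
    out += [f"no interface has 'ip nat {r}'" for r in {"inside", "outside"} - nat_roles]
    for name, lines in clauses.items():
        for c in lines:
            m = re.match(r"match ip address (\d+)$", c)
            if m and m.group(1) not in acls:
                out.append(f"route-map {name} matches undefined access-list {m.group(1)}")
            if re.match(r"set interface loopback", c, re.I):  # rejected: P2P only
                out.append(f"route-map {name}: 'set interface' needs a P2P interface")
    return sorted(out)
```

On the combined sample, lint(SAMPLE) reports that the route-map named Nat is not attached to any interface, since Ethernet0/1 applies Nat-loop.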
02-16-2016 12:16 PM
You are the best! :)