Solved: You are the best! :)

one_of_alex1 · ‎02-08-2016

Hello all!

I can`t find mistake on my own. Why does ping from PC1 to R2 fail?
When i ping from R2 to PC1, ping reaches PC1 and on the way back it losts inside R1.
PC1 packet (s:192.168.02 d:77.77.77.78) as it recieves by R1 Fa0/1 (out) according to PBR forwards to Loopback0 (in)
and dissapears (debug), though packet should be translated (s:192.168.0.2 -> s:77.77.77.77) and forwarded to 77.77.77.78 through Fa0/1 (out).

Where i am wrong?
Scheme is in the attachment.

Regards, Alexey.

Boris Uskov · ‎02-09-2016

Hello, Alex.

I have made the same topology in lab environment.

You have to add the following route-map sentence to make your task work:

access-list 101 permit ip host 192.168.0.2 host 77.77.77.78

access-list 102 permit ip host 77.77.77.78 host 192.168.0.2

route-map Nat-loop permit 10
match ip address 101

set ip next-hop 4.4.4.2

route-map Nat permit 20
match ip address 102

set ip next-hop 4.4.4.2

Please, see my previous reply. I tried to write some explonations.

View solution in original post

Boris Uskov · ‎02-08-2016

Hello, Alexey.

I believe, when the router R1 receives the packet with destination address of 77.77.77.77, the router thinks, that this packet is for R1's controll plane despite of Static NAT configuration.

Is it really necessary to translate 192.168.0.2 (PC's address) to the same address as R1's interface?

Maybe, you'd better translate 192.168.0.2 to some other IP-address, for example, 77.77.77.79?

Moreover, if you'd like to reach PC from R2 using 77.77.77.X addess, you need to add the route-map, which can redirect the traffic from R1's Fa0/1 interface (where "ip nat outside" is configured) to loopback interface lo0 (where "ip nat inside" is configured). This is necessary to make UN-NAT work (to UN-NAT 77.77.77.X IP-address to PC's address 192.168.0.2).

one_of_alex1 · ‎02-08-2016

Boris, thank you for your answer!

According to NAT Order of Operations if a packet comes to outside nat interface it should perform NAT outside to inside translation before PBR and routing.

It is preferably for me to use R1 fa0/1 interface.

And as you can see in attachement PBR is configured on R1 fa0/1 to forward packets to Loopback0.

Boris Uskov · ‎02-08-2016

Alexey, please, pay an attention to Paul's advice. He also recommends to use a scecific IP-address for NAT statement.

And what about a NAT Order of Operations, yes, you are absolutely right, that NAT outside to inside (or UN-NAT) goes before PBR and routing. The router should translate the inside global IP-address to inside local IP address to have enough information to make forwarding decision (to have a correct Destination IP address in our case).

But. If I'm no mistacking, the router should first check, if the packet in future, after the UN-translation, will be forwarded out of an interface with "ip nat inside" statement. The condition of having both "ip nat inside" and "ip nat outside" on the way of the packet is the necessary condition.

It is funny, but it looks like chicken and egg problem :)

So, please, if after Paul's recommendation the ping won't be still successful, add the following configuration to R1:

access-list 102 permit ip host 77.77.77.78 host 192.168.0.2

route-map Nat permit 20
match ip address 102

set interface Loopback0

paul driver · ‎02-08-2016

Hello

Try the following and give your host pc a specific nat inside global address

R2
no ip route 192.168.0.2 255.255.255.0 77.77.77.77
ip route 0.0.0.0 0.0.0.0 77.77.77.77

R1

no access-list 101 permit ip host 192.168.0.2 host 77.77.77.77
no ip nat inside source static 192.168.0.2 77.77.77.77

access-list 101 permit ip host 192.168.0.2 host 77.77.77.80
ip nat inside source static 192.168.0.2 77.77.77.80

route-map Nat permit 10
match ip address 101
no set ip-next hop 4.4.4.2
set interface Loopback0

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

one_of_alex1 · ‎02-08-2016

Thank you Paul, i will try.

one_of_alex1 · ‎02-08-2016

R1 configuration:

interface Loopback0
ip address 4.4.4.2 255.255.255.0
no ip redirects
ip nat inside
no ip virtual-reassembly
!
interface Ethernet0/1
ip address 192.168.0.1 255.255.255.0 secondary
ip address 77.77.77.77 255.255.255.0
no ip redirects
ip nat outside
no ip virtual-reassembly
ip policy route-map Nat-loop
full-duplex
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source static 192.168.0.2 77.77.77.79
!
access-list 101 permit ip host 192.168.0.2 host 77.77.77.78

no cdp log mismatch duplex

route-map Nat-loop permit 10
match ip address 101
set default interface Loopback0
!

control-plane

Error due to #set interface loopback 0

R1(config-route-map)#set interface loopback 0
% route-map:can not set interface.
% Use P2P interfaces for set interface clause

And wireshark R1 fa0/1 printscreen in attachment.

It still does not translate source ip address =(

Boris Uskov · ‎02-09-2016

Hello, Alex.

I have made the same topology in lab environment.

You have to add the following route-map sentence to make your task work:

access-list 101 permit ip host 192.168.0.2 host 77.77.77.78

access-list 102 permit ip host 77.77.77.78 host 192.168.0.2

route-map Nat-loop permit 10
match ip address 101

set ip next-hop 4.4.4.2

route-map Nat permit 20
match ip address 102

set ip next-hop 4.4.4.2

Please, see my previous reply. I tried to write some explonations.

one_of_alex1 · ‎02-16-2016

You are the best! :)

NAT + PBR question