2732 Views, 0 Helpful, 7 Replies

NAT prefix-length higher than 29 doesn't work

ssambourg
Level 1

Hello,

I'm configuring Dynamic NAT with PAT on a CISCO2811: c2800nm-adventerprisek9_ivs_li-mz.151-4.M.bin

My configuration follows:

interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
end

Partner-ISR-Init#sh run int f0/1
Building configuration...

Current configuration : 139 bytes
!
interface FastEthernet0/1
ip address 198.51.100.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
end

ip nat pool NATPOOL 198.51.100.100 198.51.100.100 prefix-length 29
ip nat inside source list 10 pool NATPOOL overload

The NAT works fine with these settings:

sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 198.51.100.100:1 10.10.10.20:1 209.165.200.225:1 209.165.200.225:1

But if I set a prefix-length of 30 for my pool, which only has one IP address, the NAT translation stops working:

no ip nat inside source list 10 pool NATPOOL

Dynamic mapping in use, do you want to delete all entries? [no]: yes
ip nat pool NATPOOL 198.51.100.100 198.51.100.100 prefix-length 30
ip nat inside source list 10 pool NATPOOL

do sh ip nat trans
! nothing !

With debug ip nat I get the following:

NAT: translation failed (A), dropping packet s=10.10.10.20 d=209.165.200.225

What could be the reason that the same pool with one address works with a /29 prefix but stops working with a /30 prefix length?

Accepted Solution

Hi

Prefix-length is only used as a 'sanity check', as per Cisco, if you enter a beginning address that has a .0 and an ending address that has a .255.

It works with /30, but it is related to addressing; for example, if you change to .5 instead of .100 it will work. Imagine that prefix length as whether you are subnetting, so 198.51.100.100/30 is the subnet, not a valid IP; the valid IP addresses will be .101 and .102, and .103 will be your broadcast IP. Try changing .100 for .101 and it will work. Just imagine that you are subnetting.

R1#ping 3.3.3.3 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!

R2

*Mar 1 00:29:21.043: NAT*: s=1.1.1.1->198.51.100.5, d=3.3.3.3 [70]
*Mar 1 00:29:23.043: NAT*: s=1.1.1.1->198.51.100.5, d=3.3.3.3 [71]
*Mar 1 00:29:23.075: NAT*: s=3.3.3.3, d=198.51.100.5->1.1.1.1 [71]
*Mar 1 00:29:23.099: NAT*: s=1.1.1.1->198.51.100.5, d=3.3.3.3 [72]
*Mar 1 00:29:23.115: NAT*: s=3.3.3.3, d=198.51.100.5->1.1.1.1 [72]
*Mar 1 00:29:23.123: NAT*: s=1.1.1.1->198.51.100.5, d=3.3.3.3 [73]
*Mar 1 00:29:23.151: NAT*: s=3.3.3.3, d=198.51.100.5->1.1.1.1 [73]
*Mar 1 00:29:23.163: NAT*: s=1.1.1.1->198.51.100.5, d=3.3.3.3 [74]
*Mar 1 00:29:23.183: NAT*: s=3.3.3.3, d=198.51.100.5->1.1.1.1 [74]

R2

interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 198.51.100.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 1.1.1.1 255.255.255.255 10.10.10.2
ip route 3.3.3.3 255.255.255.255 198.51.100.2
!
!
ip http server
no ip http secure-server
ip nat pool NATPOOL 198.51.100.5 198.51.100.5 prefix-length 30
ip nat inside source list 10 pool NATPOOL overload
!
access-list 10 permit any




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<
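The subnetting rule in the accepted answer above, as an added worked example that is not from the thread and not Cisco's own code: a small Python check that takes the start address, end address and prefix-length of an ip nat pool and reports whether either address is the network or broadcast address of the subnet the prefix length implies. It models the 'sanity check' described above as an assumption about IOS behaviour (the router only hands out usable host addresses of that subnet); the pool addresses it is run on are the ones discussed in the thread.

```python
from ipaddress import IPv4Address, IPv4Network


def check_nat_pool(start: str, end: str, prefix_length: int) -> list[str]:
    """Validate an 'ip nat pool START END prefix-length N' definition.

    Returns a list of problems; an empty list means every address in the
    range is a usable host address of the subnet implied by the prefix
    length.  This reproduces the subnetting explanation from the thread
    (assumption: IOS applies exactly this check); it is not Cisco's code.
    """
    problems: list[str] = []
    first, last = IPv4Address(start), IPv4Address(end)
    if last < first:
        return [f"end address {last} precedes start address {first}"]

    # Subnet that the start address belongs to at this prefix length.
    net = IPv4Network(f"{first}/{prefix_length}", strict=False)
    if last not in net:
        problems.append(f"{last} lies outside {net}")

    # A pool address equal to the network or broadcast address of its subnet
    # is not a host address, so under this model the router never allocates
    # it.  For /31 and /32 every address collides with one of the two, which
    # matches the thread's observation that .100 stops working above /29.
    for addr in dict.fromkeys((first, last)):  # dedupe, keep order
        if addr == net.network_address:
            problems.append(f"{addr} is the network address of {net}")
        elif addr == net.broadcast_address:
            problems.append(f"{addr} is the broadcast address of {net}")
    return problems


if __name__ == "__main__":
    # Constructed from the pool definitions discussed in the thread.
    for start, end, plen in [
        ("198.51.100.100", "198.51.100.100", 29),  # original, works
        ("198.51.100.100", "198.51.100.100", 30),  # translation failed (A)
        ("198.51.100.5", "198.51.100.5", 30),      # lab config, works
        ("198.51.100.101", "198.51.100.101", 30),  # suggested fix
    ]:
        verdict = check_nat_pool(start, end, plen) or ["ok"]
        print(f"ip nat pool NATPOOL {start} {end} prefix-length {plen}: "
              + "; ".join(verdict))
```

Run it before committing a pool change: a non-empty result for a one-address pool means the translation will fail exactly as in the debug output above, and the message names which boundary address you hit.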


7 Replies

Julio E. Moisa
VIP Alumni

Hi

I made a lab with your config /29 and no issues at all; let me check with /30.

*Mar 1 00:07:22.007: NAT*: s=1.1.1.1->198.51.100.100, d=3.3.3.3 [0]
*Mar 1 00:07:24.015: NAT*: s=1.1.1.1->198.51.100.100, d=3.3.3.3 [1]
*Mar 1 00:07:24.027: NAT*: s=3.3.3.3, d=198.51.100.100->1.1.1.1 [1]
*Mar 1 00:07:24.035: NAT*: s=1.1.1.1->198.51.100.100, d=3.3.3.3 [2]
*Mar 1 00:07:24.047: NAT*: s=3.3.3.3, d=198.51.100.100->1.1.1.1 [2]
*Mar 1 00:07:24.059: NAT*: s=1.1.1.1->198.51.100.100, d=3.3.3.3 [3]
*Mar 1 00:07:24.071: NAT*: s=3.3.3.3, d=198.51.100.100->1.1.1.1 [3]
*Mar 1 00:07:24.083: NAT*: s=1.1.1.1->198.51.100.100, d=3.3.3.3 [4]
*Mar 1 00:07:24.095: NAT*: s=3.3.3.3, d=198.51.100.100->1.1.1.1 [4]




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

Hi,

thanks for this feedback.

Could you please try to add this on the R2 router:

no ip nat inside source list 10 pool NATPOOL overload

ip nat pool NATPOOL 198.51.100.100 198.51.100.100 prefix-length 30

ip nat inside source list 10 pool NATPOOL overload

What are your hardware and version for your lab?

Hi, 

I'm using 3 Cisco 1841s; please verify my last post, that should fix the inconvenience.




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

Hi

Yes! I initially tried with a /32 prefix to illustrate the difference between static NAT (bidirectional) and this configuration via pool (unidirectional).

Thanks for your explanation ;-)

You are welcome my friend,

Have a great day  :-)




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<
