04-12-2009 10:25 PM - edited 03-06-2019 05:08 AM
Hello,
I have 2 routers in my lab connected together via the serial ports, on Router 1 I want any IP from 192.168.100.192/27 (Fas0/0) to get NAT'ed to 172.16.1.2-254 when going over the WAN.
If I use my laptop on 192.168.100.194 and ping 192.168.100.97, which is a loopback on Router 0, it will not work. I see the traffic getting there, but it seems the route back is not working, so maybe my OSPF isn't working too well; if I add a static route like below it works:
Router0(config)#ip route 172.16.1.0 255.255.255.0 10.10.10.14
Configs:
Router0#sh run
!
interface Loopback0
ip address 192.168.100.97 255.255.255.224
!
interface FastEthernet0/0
ip address 192.168.100.129 255.255.255.252
duplex auto
speed auto
!
interface Serial0/0
description WAN link to RouterA
ip address 10.10.10.13 255.255.255.252
no fair-queue
!
interface Serial0/1
no ip address
!
router ospf 1
log-adjacency-changes
network 10.10.10.12 0.0.0.3 area 0
network 192.168.100.96 0.0.0.31 area 0
network 192.168.100.128 0.0.0.3 area 0
!
ip http server
no ip http secure-server
ip classless
!
end
---------------------------------------
Router1#sh run
!
no ip domain-lookup
!
ip dhcp pool client
network 192.168.100.192 255.255.255.224
default-router 10.10.10.14
!
ip audit notify log
ip audit po max-events 100
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.100.193 255.255.255.224
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
ip address 10.10.10.14 255.255.255.252
ip nat outside
no fair-queue
clock rate 4000000
!
interface Serial0/1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.10.10.12 0.0.0.3 area 0
network 172.16.1.0 0.0.0.255 area 0
!
ip nat pool Andy 172.16.1.2 172.16.1.254 netmask 255.255.255.0
ip nat inside source list 100 pool Andy overload
ip classless
ip http server
!
access-list 100 permit ip 192.168.100.192 0.0.0.31 192.168.100.96 0.0.0.31
!
Router1#
Router 0 debug
Router0#sh ip route
Gateway of last resort is not set
172.16.0.0/32 is subnetted, 1 subnets
O 172.16.1.1 [110/65] via 10.10.10.14, 00:19:41, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.10.10.12 is directly connected, Serial0/0
192.168.100.0/27 is subnetted, 1 subnets
C 192.168.100.96 is directly connected, Loopback0
Router0#
Debug on R0
01:13:56: NAT: address not stolen for 192.168.100.194, proto 1 port 512
01:13:56: NAT: installing alias for address 172.16.1.4
01:13:56: NAT: creating portlist proto 1 globaladdr 172.16.1.4
01:13:56: NAT: Allocated Port for 192.168.100.194 -> 172.16.1.4: wanted 512 got 512
01:13:56: NAT: i: icmp (192.168.100.194, 512) -> (192.168.100.97, 512) [40908]
01:13:56: NAT: s=192.168.100.194->172.16.1.4, d=192.168.100.97 [40908]
04-12-2009 11:21 PM
Hi Andy,
A closer look at the routing table.
>O 172.16.1.1 [110/65] via 10.10.10.14, 00:19:41, Serial0/0
It's a host route. This is a feature of the loopback interface.
So, first of all, I would like to suggest you specify an "ip ospf network point-to-point" on the loopback interface.
And perhaps it'll work.
HTH
Tomoyuki
04-12-2009 11:47 PM
Very good Tomoyuki, I labbed it up and verified. This is interesting, I haven't come across this issue before.
Router0#show run !I modified below for what is needed
interface Loopback0
ip address 10.0.0.1 255.255.255.0
end
!
router ospf 100
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 0
network 200.0.0.0 0.0.0.3 area 0
end
!
Router0#sho ip ospf int lo0
Loopback0 is up, line protocol is up
Internet Address 10.0.0.1/24, Area 0
Process ID 100, Router ID 10.0.0.1, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host
Router1#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 8.0.0.2 to network 0.0.0.0
200.0.0.0/30 is subnetted, 1 subnets
C 200.0.0.0 is directly connected, FastEthernet1/0
10.0.0.0/32 is subnetted, 1 subnets
O 10.0.0.1 [110/2] via 100.0.0.2, 00:00:02, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 8.0.0.2
-------------------- AFTER CHANGE --------------------
Router0#show run !I modified below for what is needed
interface Loopback0
ip address 10.0.0.1 255.255.255.0
ip ospf network point-to-point
end
!
router ospf 100
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 0
network 200.0.0.0 0.0.0.3 area 0
end
!
Router0#sho ip ospf int lo0
Loopback0 is up, line protocol is up
Internet Address 10.0.0.1/24, Area 0
Process ID 100, Router ID 10.0.0.1, Network Type POINT_TO_POINT, Cost: 1
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Router1#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 8.0.0.2 to network 0.0.0.0
200.0.0.0/30 is subnetted, 1 subnets
C 200.0.0.0 is directly connected, FastEthernet1/0
10.0.0.0/24 is subnetted, 1 subnets
O 10.0.0.0 [110/2] via 200.0.0.2, 00:04:21, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 8.0.0.2
04-13-2009 01:12 AM
Out of interest, did you use GNS3 for this?
04-13-2009 01:28 AM
Hello Ryan,
I'm glad I could help you.
Regards,
Tomoyuki
04-12-2009 11:54 PM
I see, if I hadn't used a loopback it would have worked?
What does "ip ospf network point-to-point" do?
04-13-2009 12:09 AM
The network type specifies how OSPF will work on the interface. For example, in a BROADCAST network type, OSPF knows that on that interface there will be an election for DR/BDR and that if the router is elected, it should listen on 224.0.0.5 and 224.0.0.6.
If you had not used a loopback, it would have worked. Cisco treats loopbacks as stub hosts (see output above).
HTH,
Ryan
04-13-2009 01:26 AM
>I see, if I hadn't used a loopback it would have worked?
More properly, R0 needed to receive the exact route.
For example, it would have been able to work if you specified "default-information originate always" on OSPF.
>What does "ip ospf network point-to-point" do?
As Ryan indicated, and as follows, OSPF works in "loopback type" when you define OSPF on the loopback interface.
------
Router#sh ip ospf interface loopback 1
Loopback1 is up, line protocol is up
Internet Address 1.1.1.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host
------
In the loopback type, the LSA advertises the route as a /32.
So "ip ospf network" changes this type,
and OSPF makes it possible to advertise the exact subnet of the loopback interface.
HTH
Tomoyuki
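Added example (not from the thread or from Cisco): a longest-prefix-match lookup over Router0's routing table before and after the fix, to show why the reply to the NAT'ed address was dropped. The prefixes, next hops and the 172.16.1.4 global address come from the configs and debug output posted above; the routing tables themselves are constructed for this example.

```python
"""Why a /32 loopback route breaks the NAT return path.

Router0 learned only the host route 172.16.1.1/32 for Router1's loopback
(OSPF network type LOOPBACK), while Router1 NATs inside hosts to
172.16.1.2-254. An echo reply to e.g. 172.16.1.4 therefore finds no route
on Router0. Once the loopback is set to point-to-point, OSPF advertises
172.16.1.0/24 and the reply is routed back over the serial link.
"""
from ipaddress import ip_address, ip_network

# Router0 routing table before the fix (mirrors "sh ip route" in the thread):
# only the /32 host route for Router1's loopback is learned via OSPF.
ROUTES_BEFORE = {
    "172.16.1.1/32": "10.10.10.14",    # O  172.16.1.1 [110/65] via 10.10.10.14
    "10.10.10.12/30": "Serial0/0",     # C  directly connected
    "192.168.100.96/27": "Loopback0",  # C  directly connected
}

# Router0 routing table after "ip ospf network point-to-point" on Router1's
# Loopback0: OSPF now advertises the whole /24 (constructed, same shape as
# the AFTER CHANGE output posted in the thread).
ROUTES_AFTER = {
    "172.16.1.0/24": "10.10.10.14",
    "10.10.10.12/30": "Serial0/0",
    "192.168.100.96/27": "Loopback0",
}


def lookup(table, destination):
    """Longest-prefix-match lookup; returns the next hop, or None if no route.

    No default route is installed ("Gateway of last resort is not set"),
    so a miss means the router drops the packet.
    """
    dst = ip_address(destination)
    best = None
    for prefix, next_hop in table.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def reply_path(table, nat_global_addr):
    """Next hop Router0 uses for the ICMP echo reply to a NAT'ed global address."""
    return lookup(table, nat_global_addr)


if __name__ == "__main__":
    # 172.16.1.4 is the global address NAT allocated in the debug output above.
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(f"{name}: reply to 172.16.1.4 via {reply_path(table, '172.16.1.4')}")
```

Before the change only 172.16.1.1 itself is reachable from Router0; every other address in the NAT pool has no matching route, which is exactly the symptom of the ping failing while the request is visibly arriving.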
04-13-2009 10:17 AM
Now this is working, I just have a question about the NAT I have and how it works.
From my laptop (192.168.100.194, Router0 side) if I ping 192.168.100.97 on the Router1 side it translates to 172.16.1.2 and works, then I notice the translation expires.
This is great for one direction, say if I need to access resources on that side (Router0). However, I have noticed that from the Router0 side (opposite direction) they can't ping the 172.16.1.x IPs, as they don't exist I suppose; they just get translated, then expire and get removed. Any way round this?
04-13-2009 06:17 PM
The IOS firewall maintains an idle timer for each type of translation table entry. Each time a packet matching a translation entry is forwarded, the idle timer is reset. As soon as the idle timer expires, that translation table entry is removed.
So for ping (ICMP) translations to never expire you can add the ICMP entry command:
IOSFirewall(config)# ip nat translation icmp-timeout {seconds | never}
By default it times out in 60 seconds (1 minute).
This is done for security purposes, so it is recommended not to use the never keyword, and to stick with the default value.
Below is a table that will be helpful.
Commands and default values by translation type:

Translation type: Dynamic NAT entries
Command syntax: IOSFirewall(config)# ip nat translation timeout {seconds | never}
Default value: 86,400 seconds (24 hours)

Translation type: ICMP entries
Command syntax: IOSFirewall(config)# ip nat translation icmp-timeout {seconds | never}
Default value: 60 seconds (1 minute)

Translation type: DNS entries
Command syntax: IOSFirewall(config)# ip nat translation dns-timeout {seconds | never}
Default value: 60 seconds (1 minute)

Translation type: Specific UDP port entries
Command syntax: IOSFirewall(config)# ip nat translation port-timeout udp port {seconds | never}

Translation type: All other UDP entries
Command syntax: IOSFirewall(config)# ip nat translation timeout {seconds | never}
Default value: 300 seconds (5 minutes)

Translation type: TCP entries from the SYN packet to the next packet
Command syntax: IOSFirewall(config)# ip nat translation syn-timeout {seconds | never}
Default value: 60 seconds (1 minute)

Translation type: TCP after FIN or RST packet
Command syntax: IOSFirewall(config)# ip nat translation finrst-timeout {seconds | never}
Default value: 60 seconds (1 minute)

Translation type: PPTP entries
Command syntax: IOSFirewall(config)# ip nat translation pptp-timeout {seconds | never}
Default value: 86,400 seconds (24 hours)

Translation type: Specific TCP port entries
Command syntax: IOSFirewall(config)# ip nat translation port-timeout tcp port {seconds | never}
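Added example (not from the thread or from Cisco): a small model of a dynamic NAT translation table with per-protocol idle timers, run over the thread's own scenario, to show why the inside-initiated ping works but a later outside-initiated packet to the global address is dropped once the ICMP entry has aged out. The addresses and the default timeouts are the ones posted above; the NatTable class, the packet sequence and the pool of two global addresses are constructed for this example.

```python
"""How NAT idle timers decide whether a translation still exists.

Each translation entry carries an idle timer that every matching packet
resets; when it expires the entry is removed and the global address goes
back to the pool. Outside-initiated traffic to a global address that no
longer has an entry cannot be mapped to an inside host, so it is dropped.
"""

# Default idle timeouts in seconds, from the table above. None models the
# "never" keyword (the entry is kept indefinitely).
DEFAULT_TIMEOUTS = {"icmp": 60, "udp": 300, "tcp": 86400}


class NatTable:
    """Dynamic inside-source NAT table with idle-timer expiry (constructed model)."""

    def __init__(self, pool, timeouts=DEFAULT_TIMEOUTS):
        self.pool = list(pool)           # free global addresses (the "ip nat pool")
        self.timeouts = dict(timeouts)   # per-protocol idle limit, None = never
        self.entries = {}                # (proto, inside_local) -> [inside_global, last_seen]

    def _expire(self, now):
        """Remove every entry whose idle timer has run out and free its address."""
        for key, (global_addr, last_seen) in list(self.entries.items()):
            limit = self.timeouts[key[0]]
            if limit is not None and now - last_seen >= limit:
                del self.entries[key]
                self.pool.append(global_addr)

    def inside_to_outside(self, now, proto, inside_local):
        """Packet from an inside host: create the translation or reset its timer."""
        self._expire(now)
        key = (proto, inside_local)
        if key not in self.entries:
            self.entries[key] = [self.pool.pop(0), now]
        else:
            self.entries[key][1] = now
        return self.entries[key][0]

    def outside_to_inside(self, now, proto, inside_global):
        """Packet arriving on the outside interface for a global address:
        translate back only if a live entry exists, otherwise None (dropped)."""
        self._expire(now)
        for (p, inside_local), (global_addr, _) in self.entries.items():
            if p == proto and global_addr == inside_global:
                self.entries[(p, inside_local)][1] = now
                return inside_local
        return None


def run_scenario(icmp_timeout=60):
    """The laptop pings the far loopback, the reply comes back one second
    later, then the far side tries to reach the laptop's NAT address 70 s
    after that. Returns (global address used, reply mapping, late mapping)."""
    nat = NatTable(["172.16.1.2", "172.16.1.3"],
                   {**DEFAULT_TIMEOUTS, "icmp": icmp_timeout})
    t0 = 0
    g = nat.inside_to_outside(t0, "icmp", "192.168.100.194")   # echo request out
    reply = nat.outside_to_inside(t0 + 1, "icmp", g)             # echo reply back
    late = nat.outside_to_inside(t0 + 71, "icmp", g)             # outside-initiated ping
    return g, reply, late


if __name__ == "__main__":
    print("default 60 s:", run_scenario())
    print("never:       ", run_scenario(icmp_timeout=None))
```

With the default 60 second ICMP timer the third value is None: the entry for 172.16.1.2 has already been removed, so the router has no inside host to deliver the packet to. Setting the timer to never keeps the mapping alive, which is the trade-off the answer above warns about, since a stale mapping stays reachable from outside for as long as the entry exists.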
04-13-2009 10:02 PM
Thanks this is useful to know.
As you can see in my scenario I am NATing in one direction; I'm sort of treating it as if I'm a user going to some servers over the WAN. Now I think it would work, but what happens if a server or engineer needed to get to my PC? They would need to use my NAT address, which expires. I know you can stop the NAT expiring, but I can imagine in the real world I might come up against two LANs having the same IP range that can't be changed, so would a NAT have to be created in each direction, or some sort of NAT policy?