Policy-based NAT around loopback interface - can't get it to work...

tiwang
Level 3

hi out there


I need to be able to NAT a network on a router to circumvent some routing problems - we have a new DMZ which has to be isolated from the main network but has to be NATted into the same IP space.

I expected that this was a simple task: define a route-map and assign this route-map to the incoming interface, which then would take the traffic from that VLAN and loop it around a loopback interface to get it through a NAT-outside interface.

This also works to some extent - when I ping, I can see that my NAT statement works as expected - but when the reply is sent back, it is dropped in the router somewhere.

The config of my NAT router is fairly simple:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
interface Loopback2
 ip address 192.168.20.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 80.0.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map To_loop2
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 81.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 192.168.10.0 255.255.255.0 80.0.0.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Loopback2 overload
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit icmp any any time-exceeded
!
route-map To_loop2 permit 10
 match ip address 1
 set interface Loopback2
!
!

When I do a ping with source IP 192.168.10.1, entering the router on Fa0/0, the following happens:

*Mar  1 03:47:16.679: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, FIB policy match
*Mar  1 03:47:16.683: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1, len 100, policy match
*Mar  1 03:47:16.687: IP: route map To_loop2, item 10, permit
*Mar  1 03:47:16.687: IP: s=192.168.10.1 (FastEthernet0/0), d=81.0.0.1 (Loopback2), len 100, policy routed
*Mar  1 03:47:16.691: IP: FastEthernet0/0 to Loopback2 81.0.0.1
*Mar  1 03:47:16.695: NAT: s=192.168.10.1->192.168.20.1, d=81.0.0.1 [199]
R2#

R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.20.1:40   192.168.10.1:40    81.0.0.1:40        81.0.0.1:40
R2#

and on R3 (81.0.0.1):

*Mar  1 03:48:24.051: IP: tableid=0, s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEtherne
*Mar  1 03:48:24.055: IP: s=192.168.20.1 (FastEthernet0/0), d=81.0.0.1 (FastEthernet0/0), len
*Mar  1 03:48:24.059: ICMP: echo reply sent, src 81.0.0.1, dst 192.168.20.1

But the packet is dropped in R2 - can someone tell me why?


best regards /ti
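As an added illustration (not part of the original post, and not a statement of exactly how the real routers process these packets), the Python toy model below applies the classic IOS NAT domain rule to R2's config: a source address is translated only when a packet enters an `ip nat inside` interface and leaves an `ip nat outside` one, a destination address is untranslated only when a packet enters an `ip nat outside` interface (NAT before routing in that direction), and a packet policy-routed to a loopback is processed again as if received on that loopback. The interface names, addresses and route-map come from the post; the simplified routing table, the `build_r2`/`run_scenario` helpers and the contrasting PBR rule on FastEthernet0/1 are assumptions constructed for the example.

```python
"""Toy model of the IOS NAT domain rule, applied to R2's config.

Added example, not from the post. Assumptions in the model:
  - source translation only on inside -> outside (route, then NAT);
  - destination untranslation only on entering an outside interface
    (NAT, then route);
  - a packet policy-routed to a loopback is processed again as if it
    had been received on that loopback.
The routing table, build_r2(), run_scenario() and the extra PBR rule
are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    ident: int = 40      # ICMP identifier, reused by PAT as the "port"


@dataclass
class Router:
    nat_role: dict        # interface -> "inside" | "outside" | None
    routes: dict          # prefix -> egress interface (connected + static)
    pbr: list             # (ingress, "src"|"dst", prefix, forced egress)
    global_ip: str        # overload address (Loopback2's address here)
    local_addrs: set      # the router's own addresses
    table: dict = field(default_factory=dict)   # (global, ident) -> inside local

    def route(self, dst):
        """Longest-prefix match over the static table; None if no route."""
        addr = ipaddress.ip_address(dst)
        hits = [ipaddress.ip_network(p) for p in self.routes
                if addr in ipaddress.ip_network(p)]
        if not hits:
            return None
        return self.routes[str(max(hits, key=lambda n: n.prefixlen))]

    def policy(self, ingress, pkt):
        """First matching PBR rule on the ingress interface, else None."""
        for rule_ingress, fld, prefix, egress in self.pbr:
            if rule_ingress == ingress and \
               ipaddress.ip_address(getattr(pkt, fld)) in ipaddress.ip_network(prefix):
                return egress
        return None

    def process(self, ingress, pkt, trail=None, hops=0):
        """Return (egress or 'dropped', packet as it leaves, event list)."""
        trail = [] if trail is None else trail
        role = self.nat_role.get(ingress)
        # outside -> inside: the translation table is consulted before routing
        if role == "outside" and (pkt.dst, pkt.ident) in self.table:
            local = self.table[(pkt.dst, pkt.ident)]
            trail.append(f"NAT: d={pkt.dst}->{local} (entered {ingress}, outside)")
            pkt = Packet(pkt.src, local, pkt.ident)
        egress = self.policy(ingress, pkt)
        if egress:
            trail.append(f"policy routed {ingress} -> {egress}")
        elif pkt.dst in self.local_addrs:
            # Addressed to the router itself and never untranslated: nothing
            # on the box is waiting for this echo reply, so it is discarded.
            trail.append(f"local delivery of d={pkt.dst} on {ingress} ({role}), no translation")
            return "dropped", pkt, trail
        else:
            egress = self.route(pkt.dst)
            if egress is None:
                trail.append(f"no route to {pkt.dst}")
                return "dropped", pkt, trail
        # inside -> outside: routed first, then the source is translated
        if role == "inside" and self.nat_role.get(egress) == "outside":
            self.table[(self.global_ip, pkt.ident)] = pkt.src
            trail.append(f"NAT: s={pkt.src}->{self.global_ip} (leaving {egress}, outside)")
            pkt = Packet(self.global_ip, pkt.dst, pkt.ident)
        if egress.startswith("Loopback") and hops < 2:
            return self.process(egress, pkt, trail, hops + 1)   # looped back in
        return egress, pkt, trail


def build_r2(extra_pbr=()):
    """R2 as configured in the post; extra_pbr adds hypothetical rules."""
    return Router(
        nat_role={"FastEthernet0/0": "inside", "Loopback2": "outside",
                  "FastEthernet0/1": None},
        routes={"80.0.0.0/24": "FastEthernet0/0", "81.0.0.0/24": "FastEthernet0/1",
                "192.168.20.0/24": "Loopback2",
                "192.168.10.0/24": "FastEthernet0/0"},   # ip route ... 80.0.0.1
        pbr=[("FastEthernet0/0", "src", "192.168.10.0/24", "Loopback2")] + list(extra_pbr),
        global_ip="192.168.20.1",
        local_addrs={"80.0.0.2", "81.0.0.2", "192.168.20.1"},
    )


def run_scenario(extra_pbr=()):
    """Echo request from R1 (192.168.10.1) to R3, then R3's reply back into R2."""
    r2 = build_r2(extra_pbr)
    request = r2.process("FastEthernet0/0", Packet("192.168.10.1", "81.0.0.1"))
    reply = r2.process("FastEthernet0/1", Packet("81.0.0.1", request[1].src))
    return request, reply


if __name__ == "__main__":
    hypothetical = [("FastEthernet0/1", "dst", "192.168.20.0/24", "Loopback2")]
    for label, rules in (("as posted", ()), ("hypothetical: reply PBR'd to Loopback2", hypothetical)):
        print(f"== {label}")
        for name, (egress, pkt, trail) in zip(("request", "reply"), run_scenario(rules)):
            print(f"{name}: {pkt.src} -> {pkt.dst}, result={egress}")
            for ev in trail:
                print("   ", ev)
```

Running it reproduces the symptom: the echo request is policy-routed to Loopback2, source-translated to 192.168.20.1 and sent out FastEthernet0/1 with a table entry, exactly as the debug and `sh ip nat translations` output show. The reply, however, arrives on FastEthernet0/1, which carries no NAT role, so the model delivers it to the router's own address without consulting the table and it goes nowhere. The second run only shows what the domain rule demands of the return path, that the reply must enter an outside-designated interface before it is routed; it is a constructed contrast, not a verified fix for the real topology.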

2 Replies

Hello

Not sure I understand your topology. I am thinking this is a NAT-on-a-stick scenario - so firstly, looking at your post, the inside/outside interfaces seem the wrong way around.


res

Paul


Well - I have a simple 3-router lab setup defined:


R1 (lo0: 192.168.10.1, F0/0: 80.0.0.1) <-> R2 (lo2: 192.168.20.1, F0/0: 80.0.0.2, F0/1: 81.0.0.2) <-> R3 (F0/0: 81.0.0.1)


I ping from R1 to R3 with source IP from lo0 (192.168.10.1) and try to get it NATted around lo2 on R2, where F0/0 is NAT inside and lo2 is NAT outside. I expected this to be fairly simple because the concept is used in e.g. "lollipop" or "router on a stick" setups - but I cannot get it right. It is being correctly NATted as far as I can see, but the reply packet from R3 doesn't hit the correct return path - it is dropped somewhere in R2.


Does that clarify it a bit?

best regards /ti
