04-05-2009 12:37 PM - edited 03-06-2019 05:00 AM
Hi,
I have been trying to test NAT between offices that use the same LAN IP range. I based my config on another post in this forum.
Below are the 2 configs:
R0#sh run
Building configuration...
Current configuration : 950 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R0
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 10.1.1.1 255.255.255.0
ip nat outside
clock rate 128000
!
ip forward-protocol nd
ip route 172.19.1.0 255.255.255.0 10.1.1.2
!
ip http server
no ip http secure-server
ip nat inside source static network 192.168.1.0 172.19.2.0 /24
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
R1#sh run
Building configuration...
Current configuration : 911 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 10.1.1.2 255.255.255.0
ip nat outside
!
ip forward-protocol nd
ip route 172.19.2.0 255.255.255.0 10.1.1.1
!
ip http server
no ip http secure-server
ip nat inside source static network 192.168.1.0 172.19.1.0 /24
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
If I ping from R0 and use the loopback as the source I get no replies:
R0#ping 172.19.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
R0#
However, I get this output on the remote R1 router; it is like it is receiving the ping but can't route/NAT it back over the WAN link.
R1#
*Mar 1 00:27:55.182: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [45]
*Mar 1 00:27:55.186: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:27:55.190: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:27:57.161: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [46]
*Mar 1 00:27:57.165: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:27:57.169: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:27:59.088: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [47]
*Mar 1 00:27:59.092: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:27:59.096: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:28:01.071: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [48]
*Mar 1 00:28:01.075: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:28:01.079: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:28:03.075: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [49]
*Mar 1 00:28:03.079: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:28:03.083: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:28:35.123: NAT: expiring 172.19.1.1 (192.168.1.1) icmp 8 (8)
Am I missing something?
04-05-2009 02:45 PM
try to clear ip nat translation
04-05-2009 03:11 PM
I think the problem is that when the packet arrives at R1 the source address is 192.168.1.1 and the destination address 172.19.1.1 is translated to 192.168.1.1, the same address.
When the reply to the ping is sent from 192.168.1.1, the destination address is the same, 192.168.1.1, so the reply is sent to itself, and it never gets out of R1 and never reaches R0.
You can see it from the debug output:
*Mar 1 00:27:55.186: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:27:55.190: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
within the same router.
Cheers:
Istvan
04-05-2009 04:10 PM
I think, Istvan,
that means R1 is not doing NAT,
but I did the same as your config, copy-paste,
because I found it right,
and it is working.
Look below:
R0#ping 172.19.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/168/224 ms
R1#debug ip nat detailed
IP NAT detailed debugging is on
R1#
*Apr 6 10:16:31.319: NAT*: o: icmp (10.1.1.1, 1) -> (172.19.1.1, 1) [5]
*Apr 6 10:16:31.319: NAT*: o: icmp (10.1.1.1, 1) -> (172.19.1.1, 1) [5]
*Apr 6 10:16:31.319: NAT*: s=10.1.1.1, d=172.19.1.1->192.168.1.1 [5]
*Apr 6 10:16:31.323: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1
*Apr 6 10:16:31.327: NAT: i: icmp (192.168.1.1, 1) -> (10.1.1.1, 1) [5]
*Apr 6 10:16:31.327: NAT: s=192.168.1.1->172.19.1.1, d=10.1.1.1 [5]
*Apr 6 10:16:31.451: NAT*: o: icmp (10.1.1.1, 1) -> (172.19.1.1, 1) [6]
*Apr 6 10:16:31.451: NAT*: s=10.1.1.1, d=172.19.1.1->192.168.1.1 [6]
*Apr 6 10:16:31.455: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1
*Apr 6 10:16:31.455: NAT: i: icmp (192.168.1.1, 1) -> (10.1.1.1, 1) [6]
*Apr 6 10:16:31.455: NAT: s=192.168.1.1->172.19.1.1, d=10.1.1.1 [6]
*Apr 6 10:16:31.619: NAT*: o: icmp (10.1.1.1, 1) -> (172.19.1.1, 1) [7]
*Apr 6 10:16:31.619: NAT*: s=10.1.1.1, d=172.19.1.1->192.168.1.1 [7]
*Apr 6 10:16:31.623: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1
*Apr 6 10:16:31.627: NAT: i: icmp (192.168.1.1, 1) -> (10.1.1.1, 1) [7]
*Apr 6 10:16:31.627: NAT: s=192.168.1.1->172.19.1.1, d=10.1.1.1 [7]
That's why I told you to try clear ip nat translation, because maybe you need a refresh.
Good luck
HTH
04-06-2009 04:33 AM
Hi, "ping 172.19.1.1" does work for me too, but try "ping 172.19.1.1 source loopback 0"
04-05-2009 09:36 PM
Try configuring it this way:
R0:
ip nat inside source static network 192.168.1.0 172.19.2.0 /24
ip nat outside source static network 192.168.1.0 172.19.1.0 /24
ip route 172.19.1.0 255.255.255.0 10.1.1.2
R1:
(Remove NAT configuration)
ip route 172.19.2.0 255.255.255.0 10.1.1.1
Timothy Chin
CCIE #23866 (R&S)
04-06-2009 05:15 AM
04-06-2009 03:08 PM
try pinging from R0 using the loopback interface as the source.
Timothy Chin
CCIE #23866 (R&S)
04-07-2009 11:57 AM
Not able to ping:
R0#ping 172.19.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
R0#
what is seen on R1 when I did the above:
*Mar 1 00:05:33.078: NAT*: o: icmp (192.168.1.1, 5) -> (172.19.1.1, 5) [25]
*Mar 1 00:05:33.078: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [25]
*Mar 1 00:05:33.082: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:05:33.086: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:05:35.097: NAT*: o: icmp (192.168.1.1, 5) -> (172.19.1.1, 5) [26]
*Mar 1 00:05:35.101: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [26]
*Mar 1 00:05:35.105: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:05:35.109: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:05:36.936: NAT*: o: icmp (192.168.1.1, 5) -> (172.19.1.1, 5) [27]
*Mar 1 00:05:36.936: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [27]
*Mar 1 00:05:36.936: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:05:36.936: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:05:38.835: NAT*: o: icmp (192.168.1.1, 5) -> (172.19.1.1, 5) [28]
*Mar 1 00:05:38.839: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [28]
*Mar 1 00:05:38.843: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:05:38.847: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:05:41.063: NAT*: o: icmp (192.168.1.1, 5) -> (172.19.1.1, 5) [29]
*Mar 1 00:05:41.063: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [29]
*Mar 1 00:05:41.067: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:05:41.075: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:06:02.570: NAT: expiring 172.19.1.1 (192.168.1.1) icmp 4 (4)
*Mar 1 00:06:41.546: NAT: expiring 172.19.1.1 (192.168.1.1) icmp 5 (5)
04-07-2009 03:00 PM
Try one more thing. Since it is local router traffic on R0 configure this:
access-list 100 permit ip host 192.168.1.1 any
route-map LOCAL permit 10
match ip address 100
set interface loopback0
ip local policy route-map LOCAL
then ping 172.19.1.1 using the loopback interface as the source. What you are doing here is "directing" local router traffic to interface loopback0 which is your inside interface then the traffic is routed out the outside interface so the NAT policy can take effect.
Timothy Chin
CCIE #23866 (R&S)
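The failure Istvan describes and the effect of the local policy route suggested above can be followed packet by packet in a small model. This is an added example, not part of the thread or of Cisco's software; `map_net`, `trace_ping` and `self_addressed_replies` are hypothetical helper names, and the `r0_translates_source` flag is an assumption that stands in for whether R0 applies its inside-source rule to the router's own traffic.

```python
import ipaddress
import re

def map_net(addr, from_net, to_net):
    """Static network NAT: keep the host bits, swap the prefix."""
    a = ipaddress.ip_address(addr)
    src, dst = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if a not in src:
        return addr
    return str(dst.network_address + (int(a) - int(src.network_address)))

# "ip nat inside source static network" rules from the thread (inside local, inside global)
R0_NAT = ("192.168.1.0/24", "172.19.2.0/24")
R1_NAT = ("192.168.1.0/24", "172.19.1.0/24")
R1_OWN = {"192.168.1.1", "10.1.1.2"}  # Loopback0 and Serial0/0 on R1

def trace_ping(src, dst, r0_translates_source):
    """Follow one echo request from R0 to R1 and see where R1 sends the reply.

    r0_translates_source is False for the failing pings in the thread
    (R1 sees s=192.168.1.1) and True once the local policy route sends the
    router's own traffic through Loopback0 (R1 sees s=172.19.2.1).
    """
    wire_src = map_net(src, *R0_NAT) if r0_translates_source else src
    r1_dst = map_net(dst, R1_NAT[1], R1_NAT[0])  # outside -> inside on R1
    reply_dst = wire_src                          # R1 replies to the source it saw
    return {"wire_src": wire_src, "r1_dst": r1_dst, "reply_dst": reply_dst,
            "reply_stays_on_r1": reply_dst in R1_OWN}

REPLY = re.compile(r"ICMP: echo reply sent, src ([\d.]+), dst ([\d.]+)")

# Two lines copied from the R1 debug output quoted in the thread
SAMPLE = [
    "*Mar 1 00:27:55.186: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1",
    "*Mar 1 00:05:05.629: ICMP: echo reply sent, src 192.168.1.1, dst 172.19.2.1",
]

def self_addressed_replies(debug_lines):
    """Return the debug lines where the router replied to its own address."""
    return [l for l in debug_lines
            if (m := REPLY.search(l)) and m.group(1) == m.group(2)]
```

A reply line with identical `src` and `dst` in `debug ip icmp` output is the quick indicator that the source was never translated on the far side of an overlapping-subnet NAT.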
04-08-2009 12:10 PM
I think that worked:
r0:
Sending 1, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 277/277/277 ms
R0#
*Mar 1 00:05:05.600: NAT: i: icmp (192.168.1.1, 6) -> (172.19.1.1, 6) [30]
*Mar 1 00:05:05.604: NAT: s=192.168.1.1->172.19.2.1, d=172.19.1.1 [30]
*Mar 1 00:05:05.861: NAT*: o: icmp (192.168.1.1, 6) -> (172.19.2.1, 6) [30]
*Mar 1 00:05:05.865: NAT*: o: icmp (192.168.1.1, 6) -> (172.19.2.1, 6) [30]
*Mar 1 00:05:05.865: NAT*: s=192.168.1.1, d=172.19.2.1->192.168.1.1 [30]
*Mar 1 00:05:05.869: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1
*Mar 1 00:05:06.398: NAT: expiring 172.19.2.1 (192.168.1.1) icmp 5 (5)
*Mar 1 00:05:06.402: NAT: expiring 172.19.2.1 (192.168.1.1) icmp 5 (5)
R1:
*Mar 1 00:05:05.620: NAT*: o: icmp (172.19.2.1, 6) -> (172.19.1.1, 6) [30]
*Mar 1 00:05:05.620: NAT*: o: icmp (172.19.2.1, 6) -> (172.19.1.1, 6) [30]
*Mar 1 00:05:05.625: NAT*: s=172.19.2.1, d=172.19.1.1->192.168.1.1 [30]
*Mar 1 00:05:05.629: ICMP: echo reply sent, src 192.168.1.1, dst 172.19.2.1
*Mar 1 00:05:06.350: NAT: expiring 172.19.1.1 (192.168.1.1) icmp 5 (5)
This is a little more complicated than I first thought. Should the first NAT setup I had have worked, or is this policy map the way I should do it? I'm not clear on the commands you gave me.
Thanks