Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
212
Views
0
Helpful
1
Replies

Strange NAT behavior

tom.meyer
Level 1
Level 1

‎07-15-2014 09:47 AM - edited ‎03-07-2019 08:04 PM

I have an 2901 router  and I am getting the strangest ping results from a NATed IP address on my DMZ.  I am about at my wits end and would appreciate any help.

From 192.168.1.X:

C:\>ping 192.168.12.140

Pinging 192.168.12.140 with 32 bytes of data:
Reply from 66.112.44.186: bytes=32 time=1ms TTL=126
Reply from 66.112.44.186: bytes=32 time=1ms TTL=126
Reply from 66.112.44.186: bytes=32 time=1ms TTL=126
Reply from 66.112.44.186: bytes=32 time=1ms TTL=126

Ping statistics for 192.168.12.140:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

 

Network diagram:

I have a 

 

Relevant config from 2901 router:

interface Vlan254

 ip address 192.168.254.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache

interface GigabitEthernet0/1.12
 description Primary DMZ
 encapsulation dot1Q 12
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
 ip inspect Inspect_1 in
 ip inspect Inspect_1 out
 ip virtual-reassembly in
 no ip route-cache

interface GigabitEthernet0/1.66
 description Public
 encapsulation dot1Q 66
 ip address 66.112.44.190 255.255.255.240
 ip access-group Public_Access in
 ip inspect Inspect_1 in
 ip inspect Inspect_1 out
 ip virtual-reassembly in
 no ip route-cache

ip nat inside source static 192.168.12.140 66.112.44.186

 

Labels:
0 Helpful
1 Reply 1

mgaven
Level 1
Level 1

‎07-16-2014 05:33 AM

This behaviour is correct following your configuration.

You have declared interface GigabitEthernet0/1.12 "NAT inside" and the interface Vlan254 "NAT outside".

If you send a ping from 192.168.1.x to 192.168.12.140 , the reply ingress to the 2901 from the "INSIDE" and egress from the "OUTSIDE". This causes that the router applies the rule "ip nat inside source static 192.168.12.140 66.112.44.186" and this is the IP that you see in your console, it´s correct.

 

Maybe the correct configuration for your scenario (I don´t know what do you want with it) is to declare like "NAT Outside" the interface GigabitEthernet0/1.12, not the interface vlan 254.

 

Success!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card