Hiding SrcIP/DestIP for two networks (both ways) on one router

Unanswered Question
Mar 14th, 2007

We have to deploy client routers that would connect them to one of our servers. There are situations where the private IP range the client side is using may conflict with our IP ranges.

What I want is to completely isolate the two IP ranges and to hide them from each other.


The configuration of the


Jon Marshall Thu, 03/15/2007 - 01:26

Hi


I actually thought what you had done should work, so I emulated it in our lab. Note that I didn't use any of the route-map configuration, but I managed to get the same problem as you.


I think the issue is the loopback 9 interface. If I removed the loopback9 interface, the ping worked fine from the 172.16.9.2 server to the 172.16.8.2 client. If I put the loopback9 interface back in, it stopped working again.


Now, as I say, I wasn't using your route-map config, so you may need to use loopbacks. I suspect it is a routing/NAT order issue on the client router.


Let me know if I can try anything else out for you.


HTH


Jon



cristip Thu, 03/15/2007 - 06:58

Hi


I tried to switch the inside and outside and I got the same result.

Did you try to NAT on just one loopback interface?

I am not sure I understand what you did. Did you try 172.16.9.2 -> 10.2.2.1 and 172.16.8.2 -> 10.1.1.2? This is what I need to obtain.


Thank you

Cristian

Jon Marshall Thu, 03/15/2007 - 07:00

Cristian


Have to nip into meeting.


Should that be 172.16.9.2 -> 10.2.2.2, not 10.2.2.1?


All I did was remove the loopback interface 9 from the config on the router.


Will have another look when I get out.


Jon

cristip Thu, 03/15/2007 - 09:00

Yes sorry for that.

My mistake.


This morning I tried the scenario with one loopback interface and these settings:


interface Vlan1
 ip nat inside

interface FastEthernet4
 ip nat inside

interface Loopback0
 ip address 10.3.3.1 255.255.255.0
 ip nat outside

ip nat inside source static 172.16.8.2 10.3.3.8
ip nat inside source static 172.16.9.2 10.3.3.9



I am still using the route maps to force the traffic to go through the loopback 0.


What I am seeing is this:


Mar 3 18:48:33.173: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:33.173: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44106]
*Mar 3 18:48:33.173: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44106]
*Mar 3 18:48:33.173: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, rcvd 6
*Mar 3 18:48:33.173: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:33.173: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44106]
*Mar 3 18:48:33.1: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44106]
*Mar 3 18:48:33.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:33.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending
*Mar 3 18:48:34.173: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:34.177: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44107]
*Mar 3 18:48:34.177: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44107]
*Mar 3 18:48:34.177: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, rcvd 6
*Mar 3 18:48:34.177: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:34.177: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44107]
*Mar 3 18:48:34.177: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44107]
*Mar 3 18:48:34.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:34.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending
*Mar 3 18:48:35.177: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:35.177: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44108]
*Mar 3 18:48:35.177: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44108]
*Mar 3 18:48:35.177: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, rcvd 6
*Mar 3 18:48:35.177: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:35.177: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44108]
*Mar 3 18:48:35.177: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44108]
*Mar 3 18:48:35.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:35.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending
*Mar 3 18:48:36.177: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:36.177: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44109]
*Mar 3 18:48:36.177: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44109]
*Mar 3 18:48:36.177: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, recv 6
*Mar 3 18:48:36.177: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:36.177: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44109]
*Mar 3 18:48:36.177: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44109]
*Mar 3 18:48:36.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:36.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending

Jon Marshall Fri, 03/16/2007 - 00:41

Hi


Sorry for the delay in replying.


What I did was to copy all your config with the exception of the route-maps. I assumed you were using the loopback interfaces so that the networks would be propagated into your IGP.


When I tested, I got the same results as you. I could see the NAT working, but when the return traffic from the client hit the client router it didn't go any further. I think, although I'm guessing, that it was due to an issue with the routing/NAT order.


So I removed loopback 9. The loopback8 interface is still needed. I left the NAT statements as they were.


It now works, both ways. I can ping from the client 172.16.8.2 to the server 172.16.9.2 and vice versa.


Now, if you want, I can add in your route-map config, but my question is: do you really need this?


Let me know


HTH


Jon

cristip Fri, 03/16/2007 - 10:54

Hi Jon


Thank you for helping me with this.

Can you please verify what source address is seen by each end? My target was to hide 172.16.8.2 from 172.16.9.2 and vice versa.


In other words, the client router is intended to completely isolate any two network ranges I may have on each side.

When you configure such a router, all you have to do is conveniently select the IPs on each interface of the router so that you won't have a conflict with either side.


thank you

Cristian


Jon Marshall Fri, 03/16/2007 - 11:54

Hi Cristian


When I ping from 172.16.9.2 to 172.16.8.2, the source address that 172.16.8.2 sees is 10.1.1.2.


When I ping from 172.16.8.2 to 172.16.9.2, the source address that 172.16.9.2 sees is 10.2.2.2.


In effect the two networks 172.16.9.x and 172.16.8.x are completely unaware of each other, which I believe is what you are trying to achieve.


I'm not at work now until next Wednesday, so I can't access the lab where I tried this out, but if I can help in any other way let me know.


If need be, next Wednesday I can send you my exact configs.


HTH


Jon

cristip Fri, 03/16/2007 - 12:01

The idea is to ping 10.2.2.2 from 172.16.9.2 and 10.1.1.2 from 172.16.8.2.


When you ping from 172.16.9.2 to 10.2.2.2, the source address that 172.16.8.2 sees is 10.1.1.2.


When you ping from 172.16.8.2 to 10.1.1.2, the source address that 172.16.9.2 sees is 10.2.2.2.



Keep in mind that the two networks do not know anything about each other; when you ping 172.16.8.2 (the client) you may reach someone else.

Jon Marshall Fri, 03/16/2007 - 12:09

Sorry Cristian, I should have been more specific.


1) From 172.16.9.2 I ping 10.2.2.2. When it gets to the client router, 10.2.2.2 gets changed to 172.16.8.2 and 172.16.9.2 gets changed to 10.1.1.2.


2) From 172.16.8.2 I ping 10.1.1.2. When it goes through the client router, 172.16.8.2 gets changed to 10.2.2.2 and 10.1.1.2 gets changed to 172.16.9.2.


I think I just didn't explain clearly enough in my previous post.


Jon

cristip Fri, 03/16/2007 - 14:56

Thanks Jon


I will give it a try on Monday then.


Cristian

Jon Marshall Fri, 03/16/2007 - 22:02

Cristian


Attached is a doc explaining the order of operation in NAT.


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


Key thing to note is:


When packets go from NAT inside to NAT outside, routing is done first, then NAT.


When packets go from NAT outside to NAT inside, NAT is done first, then routing.


I think this explains what we were both seeing.


When you ping 10.2.2.2 from 172.16.9.2, when the traffic gets to the client router it goes from the outside to the inside. So 172.16.9.2 becomes 10.1.1.2 and 10.2.2.2 becomes 172.16.8.2. Then it routes the packet to 172.16.8.2.


When 172.16.8.2 replies to 10.1.1.2, this traffic goes from the inside to the outside, so routing is done first. But you have a loopback9 interface for 10.1.1.1 255.255.255.0 on your client router, so it never leaves your client router.


I can't remember, but in my lab I believe that I had a default route coming from the router that connects to 172.16.9.2. So when I removed the loopback9 interface, the router looked up the route for 10.1.1.2, didn't find an entry but did find the default route, then NATted 10.1.1.2 back to 172.16.9.2 and NATted 172.16.8.2 to 10.2.2.2 and sent the packet.


I will only be able to confirm that I do have a default route in my lab in the middle of next week, but I'm assuming there is one, as the above seems to explain the behaviour we were seeing.


If you didn't want a default route, I think you would have to propagate a route from the router attached to 172.16.9.2 for the 10.1.1.0/24 network. I will try this next week.


Let me know how you get on


HTH


Jon


cristip Sat, 03/24/2007 - 07:57

Hi Jon


I tried your config in my lab at home. It didn't work. So let's recap what I know:


-you tested the config with one loopback

-you didn't use route-maps

-as per my config the router has no reason to route the packets going from 172.16.9.0 to 172.16.8.0 through the loopback interface, and because of this the NAT is not performed


This was confirmed by my test this morning.

How did you get the packets NATted back and forth?

Thank you

Cristian

Jon Marshall Sat, 03/24/2007 - 16:39

Hi Cristian


I need to look at my lab at work on Monday to be sure, but from memory:


server        router1                      router2                       client
172.16.9.2 -> 172.16.9.1 / 172.16.1.9 -> 172.16.1.10 / 172.16.8.1 -> 172.16.8.2



1) router1 is advertising a default route to router2

2) on router2 the following NAT statements are set up:


ip nat inside source static 172.16.8.2 10.2.2.2

ip nat outside source static 172.16.9.2 10.1.1.2


3) router2 has a loopback interface: loopback8 10.2.2.1/24

This is needed to advertise the 10.2.2.0/24 network to router1.


I'll check this out on Monday. I will also get rid of the default route and advertise a route for 10.1.1.0 from router1.


HTH


Jon


** Edit - sorry the diag didn't come out very well


172.16.9.2 = server

172.16.9.1 / 172.16.1.9 = router1

172.16.1.10 / 172.16.8.1 = router2

172.16.8.2 = client **
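
The order of operations Jon quotes from the Cisco note two posts up (inside to outside: route first, then translate; outside to inside: translate first, then route), applied to the topology and the two static NAT statements in this post, as an added worked example that is not part of the thread. The addresses and NAT statements are the ones posted above; the routing table, the interface facing router1 and the /30 mask on that link are assumptions made for the example.

```python
"""Model of IOS NAT order of operations on router2 (the client router).

Added example, not code from the thread. NAT statements and addresses come
from Jon's post; the routing tables below are constructed for illustration.
"""
import ipaddress

# Static translations exactly as posted for router2:
#   ip nat inside source static 172.16.8.2 10.2.2.2
#   ip nat outside source static 172.16.9.2 10.1.1.2
INSIDE_STATIC = {"172.16.8.2": "10.2.2.2"}    # inside local  -> inside global
OUTSIDE_STATIC = {"172.16.9.2": "10.1.1.2"}   # outside global -> outside local

# Constructed routing tables. The interface towards router1 and its /30 are
# assumptions; the thread only gives the link addresses 172.16.1.9 / .10.
ROUTES_WITHOUT_LOOPBACK9 = [
    ("172.16.8.0/24", "Vlan1"),          # client LAN
    ("172.16.1.8/30", "FastEthernet4"),  # link to router1 (assumed mask)
    ("10.2.2.0/24", "Loopback8"),        # loopback8 10.2.2.1/24, advertised to router1
    ("0.0.0.0/0", "FastEthernet4"),      # default route learned from router1
]
ROUTES_WITH_LOOPBACK9 = ROUTES_WITHOUT_LOOPBACK9 + [
    ("10.1.1.0/24", "Loopback9"),        # the interface in cristip's original config
]


def lookup_route(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best_len, best_if = -1, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_if = net.prefixlen, iface
    return best_if


def _translate(mapping, addr):
    return mapping.get(addr, addr)


def _reverse(mapping):
    return {v: k for k, v in mapping.items()}


def forward(src, dst, direction, routes):
    """Push one packet through router2 and return (src, dst, egress).

    direction is 'in2out' (arrived on a 'ip nat inside' interface) or
    'out2in'. egress is None when the packet terminates on the router
    itself (a loopback or no route), i.e. it never reaches the far side.
    """
    if direction == "in2out":
        # Inside -> outside: the route lookup uses the UNtranslated destination.
        egress = lookup_route(routes, dst)
        if egress is None or egress.startswith("Loopback"):
            return src, dst, None            # consumed locally, NAT never runs
        src = _translate(INSIDE_STATIC, src)             # 172.16.8.2 -> 10.2.2.2
        dst = _translate(_reverse(OUTSIDE_STATIC), dst)  # 10.1.1.2   -> 172.16.9.2
        return src, dst, egress
    if direction == "out2in":
        # Outside -> inside: translate first, then route on the translated destination.
        src = _translate(OUTSIDE_STATIC, src)            # 172.16.9.2 -> 10.1.1.2
        dst = _translate(_reverse(INSIDE_STATIC), dst)   # 10.2.2.2   -> 172.16.8.2
        egress = lookup_route(routes, dst)
        if egress is None or egress.startswith("Loopback"):
            return src, dst, None
        return src, dst, egress
    raise ValueError(f"unknown direction {direction!r}")


def ping_from_server(routes):
    """Server 172.16.9.2 pings 10.2.2.2.

    Returns the request as delivered to the client and the reply as it
    leaves router2 (egress None means the reply was black-holed).
    """
    request = forward("172.16.9.2", "10.2.2.2", "out2in", routes)
    # The client answers the source address it saw, 10.1.1.2.
    reply = forward(request[1], request[0], "in2out", routes)
    return request, reply


if __name__ == "__main__":
    for name, table in (("with loopback9", ROUTES_WITH_LOOPBACK9),
                        ("without loopback9", ROUTES_WITHOUT_LOOPBACK9)):
        req, rep = ping_from_server(table)
        print(f"{name}: request {req}  reply {rep}")
```

With the 10.1.1.0/24 loopback present, the request is translated and delivered, but the reply's route lookup (done before NAT) hits the loopback and the packet never leaves router2, which is the one-way behaviour described in the thread. With the loopback removed, the default route wins, and only then are 172.16.8.2 and 10.1.1.2 rewritten to 10.2.2.2 and 172.16.9.2, so each side only ever sees the 10.x address of the other.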

cristip Wed, 03/21/2007 - 05:01

Hi Jon


Sorry for not answering this yet.

I want to test it today if I have the time.

I was asked to test a configuration where the NAT was done in a strange way, on the very interface where the packet enters the router.


Like this:

interface FastEthernet4
 ip address 172.16.9.1 255.255.255.0
 ip nat inside

ip route 10.1.1.9 255.255.255.0 FastEthernet4
ip nat inside source static 172.16.9.2 10.1.1.9


I will try your suggestion today. I read the article you sent me, and what they say there explains the behaviour of the router. I still have to test it; I will post the results here.


Thank you

Cristian

