03-14-2007 03:19 PM - edited 03-05-2019 02:55 PM
We have to deploy client routers that would connect them to one of our servers. There are situations when the private IP range the client side is using may conflict with our IP ranges.
What I want is to completely isolate the two IP ranges and to hide them from each other.
The configuration of the
03-15-2007 01:26 AM
Hi
I actually thought what you had done should work, so I emulated it in our lab. Note that I didn't use any of the route-map configuration, but I managed to get the same problem as you.
I think the issue is the loopback 9 interface. If I removed the loopback9 interface, the ping worked fine from the 172.16.9.2 server to the 172.16.8.2 client. If I put the loopback9 interface back in, it stopped working again.
Now, as I say, I wasn't using your route-map config so you may need to use loopbacks. I suspect it is a routing/NAT order issue on the client router.
Let me know if I can try anything else out for you.
HTH
Jon
03-15-2007 06:58 AM
Hi
I tried to switch the inside and outside and I got the same result.
Did you try to NAT on just one loopback interface?
I am not sure I understand what you did. Did you try 172.16.9.2 -> 10.2.2.1 and 172.16.8.2 -> 10.1.1.2? This is what I need to obtain.
Thank you
Cristian
03-15-2007 07:00 AM
Cristian
Have to nip into meeting.
Should that be 172.16.9.2 -> 10.2.2.2, not 10.2.2.1?
All I did was remove the loopback interface 9 from the config on the router.
Will have another look when I get out.
Jon
03-15-2007 09:00 AM
Yes sorry for that.
My mistake.
I tried this morning the scenario with one loopback interface and these settings:
interface vlan 1
ip nat inside
interface fastethernet 4
ip nat inside
interface loopback 0
ip nat outside
ip address 10.3.3.1 255.255.255.0
ip nat inside source static 172.16.8.2 10.3.3.8
ip nat inside source static 172.16.9.2 10.3.3.9
I am still using the route maps to force the traffic to go through the loopback 0.
What I am seeing is this:
*Mar 3 18:48:33.173: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:33.173: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44106]
*Mar 3 18:48:33.173: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44106]
*Mar 3 18:48:33.173: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, rcvd 6
*Mar 3 18:48:33.173: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:33.173: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44106]
*Mar 3 18:48:33.173: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44106]
*Mar 3 18:48:33.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:33.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending
*Mar 3 18:48:34.173: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:34.177: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44107]
*Mar 3 18:48:34.177: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44107]
*Mar 3 18:48:34.177: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, rcvd 6
*Mar 3 18:48:34.177: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:34.177: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44107]
*Mar 3 18:48:34.177: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44107]
*Mar 3 18:48:34.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:34.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending
*Mar 3 18:48:35.177: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:35.177: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44108]
*Mar 3 18:48:35.177: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44108]
*Mar 3 18:48:35.177: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, rcvd 6
*Mar 3 18:48:35.177: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:35.177: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44108]
*Mar 3 18:48:35.177: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44108]
*Mar 3 18:48:35.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:35.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending
*Mar 3 18:48:36.177: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:36.177: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44109]
*Mar 3 18:48:36.177: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44109]
*Mar 3 18:48:36.177: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, recv 6
*Mar 3 18:48:36.177: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:36.177: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44109]
*Mar 3 18:48:36.177: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44109]
*Mar 3 18:48:36.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:36.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending
03-16-2007 12:41 AM
Hi
Sorry for the delay in replying.
What I did was to copy all your config with the exception of the route-maps. I assumed you were using the loopback interfaces so that the networks would be propagated into your IGP.
When I tested I got the same results as you. I could see the NAT working, but when the return traffic from the client hit the client router it didn't go any further. I think, although I'm guessing, that it was due to an issue with the routing/NAT order.
So I removed loopback 9. The loopback8 interface is still needed. I left the NAT statements as they were.
It now works - both ways. I can ping from the client 172.16.8.2 to the server 172.16.9.2 and vice versa.
Now if you want I can add in your route-map config, but my question is: do you really need this?
Let me know
HTH
Jon
03-16-2007 10:54 AM
Hi Jon
Thank you for helping me with this.
Can you please verify what source address is seen by each end? My target was to hide 172.16.8.2 from 172.16.9.2 and vice versa.
In other words, the client router is intended to completely isolate any two network ranges I may have on each side.
When you configure such a router all you have to do is to conveniently select the IPs on each interface of the router so that you won't have a conflict with either side.
Thank you
Cristian
03-16-2007 11:54 AM
Hi Cristian
When I ping from 172.16.9.2 to 172.16.8.2, the source address that 172.16.8.2 sees is 10.1.1.2.
When I ping from 172.16.8.2 to 172.16.9.2, the source address that 172.16.9.2 sees is 10.2.2.2.
In effect the two networks 172.16.9.x and 172.16.8.x are completely unaware of each other, which I believe is what you are trying to achieve.
I'm not at work now until next Wednesday so I can't access the lab where I tried this out, but if I can help in any other way let me know.
If need be, next Wednesday I can send you my exact configs.
HTH
Jon
03-16-2007 12:01 PM
The idea is to ping 10.2.2.2 from 172.16.9.2
and 10.1.1.2 from 172.16.8.2.
When you ping from 172.16.9.2 to 10.2.2.2, the source address that 172.16.8.2 sees is 10.1.1.2.
When you ping from 172.16.8.2 to 10.1.1.2, the source address that 172.16.9.2 sees is 10.2.2.2.
Keep in mind that the two networks do not know anything about each other; when you ping 172.16.8.2 (the client) you may reach someone else.
03-16-2007 12:09 PM
Sorry Cristian, I should have been more specific.
1) From 172.16.9.2 I ping 10.2.2.2. When it gets to the client router, 10.2.2.2 gets changed to 172.16.8.2 and 172.16.9.2 gets changed to 10.1.1.2.
2) From 172.16.8.2 I ping 10.1.1.2. When it goes through the client router, 172.16.8.2 gets changed to 10.2.2.2 and 10.1.1.2 gets changed to 172.16.9.2.
I think I just didn't explain clearly enough in my previous post.
Jon
03-16-2007 02:56 PM
Thanks Jon
I will give it a try on Monday then.
Cristian
03-16-2007 10:02 PM
Cristian
Attached is a doc explaining the order of operation in NAT.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Key thing to note is:
When packets go from NAT inside to NAT outside, routing is first, then NAT.
When packets go from NAT outside to NAT inside, NAT is first, then routing.
I think this explains what we were both seeing.
When you ping 10.2.2.2 from 172.16.9.2, when the traffic gets to the client router it goes from the outside to the inside. So 172.16.9.2 becomes 10.1.1.2 and 10.2.2.2 becomes 172.16.8.2. Then it routes the packet to 172.16.8.2.
When 172.16.8.2 replies to 10.1.1.2, this traffic goes from the inside to the outside, so routing is done first. But you have a loopback9 interface for 10.1.1.1 255.255.255.0 on your client router, so it never leaves your client router.
I can't remember, but in my lab I believe that I had a default route coming from the router that connects to 172.16.9.2. So when I removed the loopback9 interface, the router looked up the route for 10.1.1.2, didn't find an entry but did find the default route, then NATed 10.1.1.2 back to 172.16.9.2 and NATed 172.16.8.2 to 10.2.2.2 and sent the packet.
I will only be able to confirm that I do have a default route in my lab in the middle of next week, but I'm assuming there is one as the above seems to explain the behaviour we were seeing.
If you didn't want a default route, I think you would have to propagate a route from the router attached to 172.16.9.2 for the 10.1.1.0/24 network. I will try this next week.
Let me know how you get on.
HTH
Jon
03-24-2007 07:57 AM
Hi Jon
I tried your config in my lab at home. It didn't work. So let's recap what I know:
- you tested the config with one loopback
- you didn't use route-maps
- as per my config the router has no reason to route the packets going from 172.16.9.0 to 172.16.8.0 through the loopback interface, and because of this the NAT is not performed
This was confirmed by my test this morning.
How did you get the packets NATed back and forth?
Thank you
Cristian
03-24-2007 04:39 PM
Hi Cristian
I need to look at my lab at work on Monday to be sure, but from memory:
172.16.9.2 -> 172.16.9.1 / 172.16.1.9 ->
server router1
172.16.1.10 / 172.16.8.1 -> 172.16.8.2
router2 client
1) router1 is advertising a default route to router2
2) on router 2 the following NAT statements are setup:
ip nat inside source static 172.16.8.2 10.2.2.2
ip nat outside source static 172.16.9.2 10.1.1.2
3) router2 has a loopback interface: loopback8 10.2.2.1/24
This is needed to advertise the 10.2.2.0/24 network to router1.
I'll check this out on Monday. I will also get rid of the default route and advertise a route for 10.1.1.0 from router1.
HTH
Jon
** Edit - sorry the diag didn't come out very well
172.16.9.2 = server
172.16.9.1 / 172.16.1.9 = router1
172.16.1.10 / 172.16.8.1 = router2
172.16.8.2 = client **
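To make the NAT order of operations Jon describes (03-16, 10:02 PM) concrete against the topology and NAT statements in his 03-24 post, here is an added Python model of router2 as the client router. It is not code from the thread or from Cisco: it assumes router2's routing table consists of the two connected links, the loopback8 prefix, an optional loopback9 prefix and a default route learned from router1, and it applies the rule "inside to outside: route, then translate; outside to inside: translate, then route" to a server-initiated ping and to the client's reply.

```python
"""Model of IOS NAT order of operations for the thread's client router (router2).

Assumed (not from the thread's device output): router2's routing table below.
NAT statements are the ones Jon lists:
  ip nat inside  source static 172.16.8.2 10.2.2.2
  ip nat outside source static 172.16.9.2 10.1.1.2
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str


class ClientRouter:
    def __init__(self, routes, inside_static, outside_static):
        # routes: prefix -> "inside" (Vlan1), "outside" (link to router1) or "local" (loopback)
        self.routes = {ipaddress.ip_network(p): via for p, via in routes.items()}
        self.inside_static = dict(inside_static)    # inside local  -> inside global
        self.outside_static = dict(outside_static)  # outside global -> outside local

    def lookup(self, dst):
        """Longest-prefix match; returns the egress or None when no route exists."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, via) for net, via in self.routes.items() if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def outside_to_inside(self, pkt):
        """Arrives on an 'ip nat outside' interface: translate first, then route."""
        src = self.outside_static.get(pkt.src, pkt.src)                     # 172.16.9.2 -> 10.1.1.2
        dst = {g: l for l, g in self.inside_static.items()}.get(pkt.dst, pkt.dst)  # 10.2.2.2 -> 172.16.8.2
        translated = Packet(src, dst)
        return translated, self.lookup(translated.dst)

    def inside_to_outside(self, pkt):
        """Arrives on an 'ip nat inside' interface: route first, then translate."""
        via = self.lookup(pkt.dst)
        if via != "outside":
            # Routed to a loopback (or unroutable): the packet never crosses an
            # inside->outside boundary, so the NAT rules are never consulted.
            return None, via
        src = self.inside_static.get(pkt.src, pkt.src)                      # 172.16.8.2 -> 10.2.2.2
        dst = {l: g for g, l in self.outside_static.items()}.get(pkt.dst, pkt.dst)  # 10.1.1.2 -> 172.16.9.2
        return Packet(src, dst), via


NAT_INSIDE = {"172.16.8.2": "10.2.2.2"}
NAT_OUTSIDE = {"172.16.9.2": "10.1.1.2"}

# Assumed routing table for router2 (constructed for this example).
BASE_ROUTES = {
    "172.16.8.0/24": "inside",   # Vlan1, connected
    "172.16.1.0/24": "outside",  # link to router1, connected
    "10.2.2.0/24": "local",      # loopback8, advertised to router1
    "0.0.0.0/0": "outside",      # default route learned from router1
}


def build_router(with_loopback9):
    routes = dict(BASE_ROUTES)
    if with_loopback9:
        routes["10.1.1.0/24"] = "local"  # the loopback9 that broke the return path
    return ClientRouter(routes, NAT_INSIDE, NAT_OUTSIDE)


def server_ping(with_loopback9):
    """Server 172.16.9.2 pings 10.2.2.2; returns (packet the client sees, packet the server gets back)."""
    r = build_router(with_loopback9)
    to_client, via = r.outside_to_inside(Packet("172.16.9.2", "10.2.2.2"))
    assert via == "inside"  # loopback8 does no harm: NAT ran before the lookup
    reply = Packet(to_client.dst, to_client.src)  # client answers 10.1.1.2
    to_server, _ = r.inside_to_outside(reply)
    return to_client, to_server


def client_ping(with_loopback9):
    """Client 172.16.8.2 pings 10.1.1.2; returns the packet the server sees, or None if swallowed."""
    r = build_router(with_loopback9)
    to_server, _ = r.inside_to_outside(Packet("172.16.8.2", "10.1.1.2"))
    return to_server


if __name__ == "__main__":
    for lb9 in (True, False):
        print("loopback9 present" if lb9 else "loopback9 removed", server_ping(lb9), client_ping(lb9))
```

With loopback9 present the server's echo reaches the client as 10.1.1.2 -> 172.16.8.2, but the reply to 10.1.1.2 is routed to the loopback before any translation and never leaves router2. With loopback9 removed the default route wins the lookup, the reply is translated to 10.2.2.2 -> 172.16.9.2 and each side only ever sees the 10.x address of the other.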
03-21-2007 12:54 AM
Cristian
Did you get anywhere on this?
Jon