NAT before routing??? Confused

Unanswered Question
Oct 15th, 2007

I have a 2800 series router running c2801-advsecurityk9-mz.124-10.bin. This is the internet-facing router. We have an overload statement for internet users on the interface, and a static NAT for a server on the internet. If any of the internal networks over VPN, GRE, or T1 behind this router try to connect to the internal server IP address for whatever reason, the server then responds and the router sends that traffic out to the internet vs taking the routing path back to the destination host on the internal networks. This doesn't make sense to me. What am I missing here?


Here is an example: if I try to telnet to TCP 3389 on the internal server IP address 199.194.208.119 from a remote site over the GRE tunnel, using the router source IP 198.249.46.190, it puts it into the NAT table and out to the internet vs taking the path back through the GRE tunnel to the remote network 198.249.46.128/25. What am I missing?


r.lamesa#sho ip nat trans | inclu 3389
tcp 69.39.91.45:3389 199.194.208.119:3389 198.249.46.190:28482 198.249.46.190:28482
tcp 69.39.91.45:3389 199.194.208.119:3389 198.249.46.190:39234 198.249.46.190:39234
tcp 69.39.91.45:3389 199.194.208.119:3389 --- ---

r.lamesa#sho ip route 198.249.46.190
Routing entry for 198.249.46.128/26
Known via "eigrp 600", distance 90, metric 235402496, type internal
Redistributing via eigrp 600
Last update from 172.30.255.9 on Tunnel1, 14:41:02 ago
Routing Descriptor Blocks:
* 172.30.255.9, from 172.30.255.9, 14:41:02 ago, via Tunnel1
Route metric is 235402496, traffic share count is 1
Total delay is 9000100 microseconds, minimum bandwidth is 512 Kbit
Reliability 255/255, minimum MTU 1476 bytes
Loading 1/255, Hops 1
r.lamesa#
Edison Ortiz Mon, 10/15/2007 - 16:26

It's doing what it's told: you have an ip nat outside on Tunnel1. As packets exit that interface, they will be NAT'd according to the ip nat inside statement.



lamav Mon, 10/15/2007 - 17:36

Maybe I am misunderstanding what you are trying to say, since there is no accompanying diagram. But in the title of your post you mention an order of operations concern -- or so it seems.


When a packet is received on the INSIDE NAT interface of a router, it is routed first and then the NAT operation occurs.


On the other hand, when a packet is received on the OUTSIDE NAT interface, it is NAT'ed first and then routed. This is why you can do a PAT overload to an OUTSIDE interface only.


Did that help you?
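To make Edison's and lamav's points concrete, here is an added example (not from the thread or from Cisco) that models the IOS NAT order of operations with the addresses shown above: inside-to-outside traffic is routed first and then translated only if the egress interface is `ip nat outside`, while outside-to-inside traffic is translated first and then routed. Interface names, the internet next hop and the client address 203.0.113.10 are assumptions, and the PAT overload is left out; only the static NAT is modeled.

```python
# Added example: toy model of Cisco IOS NAT order of operations.
# Topology is constructed from the thread's addresses; interface names
# are assumptions.
import ipaddress

ROUTES = [  # (prefix, egress interface); longest prefix wins
    ("199.194.208.0/24", "FastEthernet0/0"),   # server LAN (ip nat inside)
    ("198.249.46.128/26", "Tunnel1"),           # remote site over GRE (from sho ip route)
    ("0.0.0.0/0", "FastEthernet0/1"),           # internet (ip nat outside)
]
# static NAT from the thread: inside local -> inside global
STATIC_NAT = {"199.194.208.119": "69.39.91.45"}

# Two NAT role assignments: Tunnel1 marked "ip nat outside" (the poster's
# config, per Edison's answer) versus Tunnel1 with no NAT role at all.
TUNNEL_OUTSIDE = {"FastEthernet0/0": "inside", "FastEthernet0/1": "outside",
                  "Tunnel1": "outside"}
TUNNEL_PLAIN = {"FastEthernet0/0": "inside", "FastEthernet0/1": "outside"}


def route(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p).prefixlen, i) for p, i in ROUTES
               if addr in ipaddress.ip_network(p)]
    return max(matches)[1]


def forward(src, dst, ingress, nat_roles):
    """Return (src, dst, egress) after the router processes one packet.

    nat_roles maps interface name -> "inside" | "outside" (absent = none).
    """
    if nat_roles.get(ingress) == "outside":
        # outside -> inside: translate the destination FIRST, then route
        inside_local = {g: l for l, g in STATIC_NAT.items()}
        dst = inside_local.get(dst, dst)
        return src, dst, route(dst)
    # inside -> outside: route FIRST, then translate the source only when
    # the packet leaves through an interface marked "ip nat outside"
    egress = route(dst)
    if nat_roles.get(ingress) == "inside" and nat_roles.get(egress) == "outside":
        src = STATIC_NAT.get(src, src)
    return src, dst, egress


if __name__ == "__main__":
    # Server reply toward the GRE host: translated with Tunnel1 as nat outside
    print(forward("199.194.208.119", "198.249.46.190", "FastEthernet0/0", TUNNEL_OUTSIDE))
    print(forward("199.194.208.119", "198.249.46.190", "FastEthernet0/0", TUNNEL_PLAIN))
    # Internet client to the server's global address: NAT, then route
    print(forward("203.0.113.10", "69.39.91.45", "FastEthernet0/1", TUNNEL_OUTSIDE))
```

The first call reproduces the NAT table entries in the question (inside global 69.39.91.45, inside local 199.194.208.119, outside 198.249.46.190); the second shows the same reply leaving Tunnel1 untranslated once the tunnel is no longer `ip nat outside`.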

KAROLY KOHEGYI Mon, 11/05/2007 - 03:08

Hi Edison!

I made a config based on the link below:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

I use 12.4.1 and NAT was on one side only.

It was not working because the NAT entry was not created in the router when traffic arrived from outside. Based on your response (which was extremely helpful) I put the nat outside on the tunnel interface.

It is working now.

Please give a short description or a link which shows why the example config was wrong. What is the order of operations when I use crypto, NAT and GRE?

Maybe the IOS behavior was changed?

Thanks in advance

Regards
