NAT before routing??? Confused

glenthms, Level 1

I have a 2800 series router running c2801-advsecurityk9-mz.124-10.bin. This is the internet-facing router. We have an overload statement for internet users on the interface, and a static NAT for a server on the internet. If any of the internal networks over VPN, GRE, or T1 behind this router try to connect to the internal server IP address for whatever reason, the server responds and the router sends that traffic out to the internet instead of taking the routing path back to the destination host on the internal networks. This doesn't make sense to me. What am I missing here?

Here is an example. If I try to telnet to TCP 3389 on the internal server IP address 199.194.208.119 from a remote site over the GRE tunnel, using the router source IP 198.249.46.190, the router puts it into the NAT table and sends it out to the internet instead of taking the path back through the GRE tunnel to the remote network 198.249.46.128/25. What am I missing?

r.lamesa#sho ip nat trans | inclu 3389
tcp 69.39.91.45:3389 199.194.208.119:3389 198.249.46.190:28482 198.249.46.190:28482
tcp 69.39.91.45:3389 199.194.208.119:3389 198.249.46.190:39234 198.249.46.190:39234
tcp 69.39.91.45:3389 199.194.208.119:3389 --- ---

r.lamesa#sho ip route 198.249.46.190
Routing entry for 198.249.46.128/26
  Known via "eigrp 600", distance 90, metric 235402496, type internal
  Redistributing via eigrp 600
  Last update from 172.30.255.9 on Tunnel1, 14:41:02 ago
  Routing Descriptor Blocks:
  * 172.30.255.9, from 172.30.255.9, 14:41:02 ago, via Tunnel1
      Route metric is 235402496, traffic share count is 1
      Total delay is 9000100 microseconds, minimum bandwidth is 512 Kbit
      Reliability 255/255, minimum MTU 1476 bytes
      Loading 1/255, Hops 1
r.lamesa#

3 Replies

Edison Ortiz, Hall of Fame

It's doing what it's told: you have an ip nat outside on Tunnel1. As packets exit that interface, they will be NAT'd according to the ip nat inside statement.

Maybe I am misunderstanding what you are trying to say, since there is no accompanying diagram. But in the title of your post you mention an order-of-operations concern, or so it seems.

When a packet is received on the INSIDE NAT interface of a router, it is routed first and then the NAT operation occurs.

On the other hand, when a packet is received on the OUTSIDE NAT interface, it is NAT'd first and then routed. This is why you can do a PAT overload to an OUTSIDE interface only.

Did that help you?

Hi Edison!

I made a config based on the link below:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

I use 12.4.1 and NAT was on one side only.

It was not working because the NAT entry was not created in the router when traffic arrived from outside. Based on your response (which was extremely helpful) I put the nat outside on the tunnel interface.

It is working now.

Please give a short description or a link that shows why the example config was wrong. What is the order of processing when I use crypto, NAT and GRE?

Maybe the IOS behavior was changed?

Thanks in advance.

Regards
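The following is a constructed example added to this thread; it is not either poster's configuration. It puts Edison's order-of-operations rule (inside-to-outside: route, then translate; outside-to-inside: translate, then route) next to a config that reproduces the behaviour the question describes, and then next to a corrected one. The only facts taken from the thread are the server 199.194.208.119, its global address 69.39.91.45 on TCP 3389, the remote host 198.249.46.190 reached via Tunnel1, and Tunnel1 carrying ip nat outside. The interface names, masks, the LAN subnet, the Internet interface address and the Tunnel1 local address 172.30.255.10 (chosen to pair with the 172.30.255.9 neighbour in the route output) are assumptions.

```cisco
! Constructed example for this thread; not the poster's running config.
! Interface names, masks, LAN subnet and tunnel addressing are ASSUMED.
!
! ===== 1. Configuration that produces the behaviour in the question =====
!
! Request from 198.249.46.190 arrives on Tunnel1 (an OUTSIDE interface):
!   translated first (nothing matches a destination of 199.194.208.119),
!   then routed to the server on FastEthernet0/1.
! Reply from 199.194.208.119:3389 arrives on FastEthernet0/1 (INSIDE):
!   routed first, next hop 172.30.255.9 via Tunnel1. Because Tunnel1 is
!   OUTSIDE, the static entry below rewrites the source to 69.39.91.45:3389
!   on the way out, which is the table entry the question shows. The remote
!   host sent to 199.194.208.119 and receives an answer from 69.39.91.45.
!
interface FastEthernet0/0
 description Internet (address assumed)
 ip address 69.39.91.45 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 description Inside LAN, server 199.194.208.119 lives here (subnet assumed)
 ip address 199.194.208.1 255.255.255.0
 ip nat inside
!
interface Tunnel1
 description GRE to remote site; 198.249.46.128/26 is learned via EIGRP here
 ip address 172.30.255.10 255.255.255.252
 ! tunnel source / tunnel destination as already configured
 ! This line is what Edison's reply points at:
 ip nat outside
!
access-list 1 permit 199.194.208.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 199.194.208.119 3389 interface FastEthernet0/0 3389
!
! ===== 2. Corrected: keep the tunnel out of NAT =====
!
! An interface with no NAT role is never a translation boundary, so LAN to
! Tunnel1 traffic is routed and forwarded untranslated in both directions,
! and the remote site reaches the server on its real address.
! The static entry still applies to replies leaving FastEthernet0/0.
!
clear ip nat translation *
!
interface Tunnel1
 no ip nat outside
!
! Defensive: also keep the remote site out of the overload rule, so LAN
! traffic to 198.249.46.128/25 is never PATed to 69.39.91.45 even if it is
! ever routed out FastEthernet0/0 instead of the tunnel.
no ip nat inside source list 1 interface FastEthernet0/0 overload
no access-list 1
ip access-list extended NAT-OVERLOAD
 deny   ip 199.194.208.0 0.0.0.255 198.249.46.128 0.0.0.127
 permit ip 199.194.208.0 0.0.0.255 any
ip nat inside source list NAT-OVERLOAD interface FastEthernet0/0 overload
```

Clear the table before touching the NAT statements, since IOS will not remove a dynamic mapping that has translations in use. After the change, show ip nat statistics should list only FastEthernet0/0 under "Outside interfaces", and show ip nat translations | include 3389 should show the static entry plus Internet-sourced sessions only; debug ip nat prints each translation as it is created if you want to watch one test connection from the remote site. The same rule explains the follow-up post above: a packet arriving through a tunnel with no NAT role is never matched against the static or global addresses, so when the remote side has to reach the translated address through the tunnel, ip nat outside on the tunnel is exactly what is needed, and the two requirements cannot both be met on one tunnel interface without additional NAT policy.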
