10-15-2007 10:49 AM - edited 03-05-2019 07:06 PM
I have a 2800 series router running c2801-advsecurityk9-mz.124-10.bin. This is the internet-facing router. We have an overload statement for internet users on the interface, and a static NAT for a server on the internet. If any of the internal networks over VPN, GRE, or T1 behind this router try to connect to the internal server IP address for whatever reason, the server then responds and the router sends that traffic out to the internet vs. taking the routing path back to the destination host on the internal networks? This doesn't make sense to me. What am I missing here?
Here is an example: if I try to telnet to TCP 3389 on the internal server IP address of 199.194.208.119 from remote over the GRE tunnel using the router source IP of 198.249.46.190, it puts it into the NAT table and out to the internet vs. taking the path back through the GRE tunnel to the remote network 198.249.46.128/25. What am I missing?
r.lamesa#sho ip nat trans | inclu 3389
tcp 69.39.91.45:3389 199.194.208.119:3389 198.249.46.190:28482 198.249.46.190:28482
tcp 69.39.91.45:3389 199.194.208.119:3389 198.249.46.190:39234 198.249.46.190:39234
tcp 69.39.91.45:3389 199.194.208.119:3389 --- ---
r.lamesa#sho ip route 198.249.46.190
Routing entry for 198.249.46.128/26
Known via "eigrp 600", distance 90, metric 235402496, type internal
Redistributing via eigrp 600
Last update from 172.30.255.9 on Tunnel1, 14:41:02 ago
Routing Descriptor Blocks:
* 172.30.255.9, from 172.30.255.9, 14:41:02 ago, via Tunnel1
Route metric is 235402496, traffic share count is 1
Total delay is 9000100 microseconds, minimum bandwidth is 512 Kbit
Reliability 255/255, minimum MTU 1476 bytes
Loading 1/255, Hops 1
r.lamesa#
10-15-2007 04:26 PM
It's doing what it's told: you have an ip nat outside on Tunnel1. As packets exit that interface, they will be NAT'd according to the ip nat inside statement.
10-15-2007 05:36 PM
Maybe I am misunderstanding what you are trying to say, since there is no accompanying diagram. But in the title of your post you mention an order-of-operations concern -- or so it seems.
When a packet is received on the INSIDE NAT interface of a router, it is routed first and then the NAT operation occurs.
On the other hand, when a packet is received on the OUTSIDE NAT interface, it is NAT'ed first and then routed. This is why you can do a PAT overload to an OUTSIDE interface only.
Did that help you?
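The two replies above (the first pointing at ip nat outside on Tunnel1, the second describing the inside-to-outside "route, then translate" and outside-to-inside "translate, then route" order) can be checked with a small model of the router's forwarding path. The model below is an added example and not code from the thread or from Cisco IOS; it only reproduces the order of operations as described in the replies. The addresses, the static translation 199.194.208.119 to 69.39.91.45 and the route for 198.249.46.128/26 via Tunnel1 are taken from the thread, while the interface names ServerLan and InternetIf and the server subnet 199.194.208.0/24 are assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed model of the router in the thread. Interface names other
# than Tunnel1, and the 199.194.208.0/24 server subnet, are assumptions.
INTERNET_IF = "InternetIf"   # assumed name of the internet-facing interface
SERVER_IF = "ServerLan"      # assumed name of the inside (server) interface
ROUTES = [
    ("198.249.46.128/26", "Tunnel1"),   # remote site learned via EIGRP over the GRE tunnel
    ("199.194.208.0/24", SERVER_IF),    # assumed mask for the server subnet
    ("0.0.0.0/0", INTERNET_IF),         # default route to the internet
]
# Equivalent of "ip nat inside source static 199.194.208.119 69.39.91.45"
STATIC_NAT = {"199.194.208.119": "69.39.91.45"}      # inside local -> inside global
STATIC_NAT_REVERSE = {g: l for l, g in STATIC_NAT.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def lookup_route(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    addr = ip_address(dst)
    best_len, best_if = -1, None
    for prefix, iface in ROUTES:
        net = ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_if = net.prefixlen, iface
    return best_if


def forward(pkt: Packet, ingress: str, nat_inside: set, nat_outside: set):
    """Apply the IOS NAT order of operations described in the thread.

    inside  -> outside: route first, then translate if the egress is nat outside
    outside -> inside : translate (inside global -> inside local) first, then route
    Returns the (possibly translated) packet and the egress interface.
    """
    if ingress in nat_inside:
        egress = lookup_route(pkt.dst)
        if egress in nat_outside and pkt.src in STATIC_NAT:
            pkt = replace(pkt, src=STATIC_NAT[pkt.src])
        return pkt, egress
    if ingress in nat_outside:
        if pkt.dst in STATIC_NAT_REVERSE:
            pkt = replace(pkt, dst=STATIC_NAT_REVERSE[pkt.dst])
        return pkt, lookup_route(pkt.dst)
    return pkt, lookup_route(pkt.dst)   # interface with no NAT role: plain routing


def reply_source_seen_by_remote(tunnel_is_nat_outside: bool):
    """Remote host 198.249.46.190 connects over Tunnel1 to the server's inside
    local address. Return (source address, egress interface) of the server's
    reply as it leaves the router, with or without ip nat outside on Tunnel1."""
    nat_inside = {SERVER_IF}
    nat_outside = {INTERNET_IF} | ({"Tunnel1"} if tunnel_is_nat_outside else set())

    # Request arrives on Tunnel1 for the inside local address: no reverse
    # translation applies, so it is routed straight to the server LAN.
    req = Packet(src="198.249.46.190", dst="199.194.208.119")
    _, req_egress = forward(req, "Tunnel1", nat_inside, nat_outside)
    assert req_egress == SERVER_IF

    # Reply leaves the inside interface; it is routed first (to Tunnel1) and
    # then translated only if Tunnel1 is marked ip nat outside.
    rep = Packet(src="199.194.208.119", dst="198.249.46.190")
    rep_out, rep_egress = forward(rep, SERVER_IF, nat_inside, nat_outside)
    return rep_out.src, rep_egress


if __name__ == "__main__":
    print("Tunnel1 nat outside   :", reply_source_seen_by_remote(True))
    print("Tunnel1 no NAT role   :", reply_source_seen_by_remote(False))
```

In the model the reply is still routed out Tunnel1 in both cases; what changes with ip nat outside on Tunnel1 is the source address the remote host sees. With it, the reply leaves as 69.39.91.45, which is exactly the inside global / inside local / outside pair that appears in the sho ip nat trans output above, and the remote host, having opened a connection to 199.194.208.119, has no matching session for a reply from 69.39.91.45.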
11-05-2007 03:08 AM
Hi Edison!
I made a config based on the link below:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml
I use 12.4.1 and NAT was on one side only.
It was not working because the NAT entry was not created in the router when traffic arrived from outside. Based on your response (which was extremely helpful) I put the nat outside on the tunnel interface.
It is working now.
Please give a short description or link which shows why the example config was wrong. What is the order of processing when I use crypto, NAT, GRE?
Maybe the IOS behavior was changed?
Thanks in advance
Regards