Something wrong with my NAT lab

Apr 5th, 2009

Hi,


I have been trying to test NAT between offices that use the same LAN IP range. I based my config on another post in this forum.


Below are the 2 configs:


R0#sh run

Building configuration...


Current configuration : 950 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R0

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 15

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

!

!

!

!

no ip domain lookup

!

!

!

!

!

!

!

interface Loopback0

ip address 192.168.1.1 255.255.255.0

ip nat inside

!

interface Serial0/0

ip address 10.1.1.1 255.255.255.0

ip nat outside

clock rate 128000

!

ip forward-protocol nd

ip route 172.19.1.0 255.255.255.0 10.1.1.2

!

ip http server

no ip http secure-server

ip nat inside source static network 192.168.1.0 172.19.2.0 /24

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

login

!

!

end


R1#sh run

Building configuration...


Current configuration : 911 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 15

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

!

!

!

!

!

!

!

!

!

!

!

interface Loopback0

ip address 192.168.1.1 255.255.255.0

ip nat inside

!

interface Serial0/0

ip address 10.1.1.2 255.255.255.0

ip nat outside

!

ip forward-protocol nd

ip route 172.19.2.0 255.255.255.0 10.1.1.1

!

ip http server

no ip http secure-server

ip nat inside source static network 192.168.1.0 172.19.1.0 /24

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

login

!

!

end


If I ping from R0 and use the loopback as the source I get no replies:


R0#ping 172.19.1.1 source loopback 0


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

.....

Success rate is 0 percent (0/5)

R0#


However, I get this output on the remote R1 router; it is like it is receiving the ping but can't route/NAT it back over the WAN link.


R1#

*Mar 1 00:27:55.182: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [45]

*Mar 1 00:27:55.186: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:27:55.190: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:27:57.161: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [46]

*Mar 1 00:27:57.165: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:27:57.169: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:27:59.088: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [47]

*Mar 1 00:27:59.092: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:27:59.096: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:28:01.071: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [48]

*Mar 1 00:28:01.075: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:28:01.079: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:28:03.075: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [49]

*Mar 1 00:28:03.079: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:28:03.083: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:28:35.123: NAT: expiring 172.19.1.1 (192.168.1.1) icmp 8 (8)


Am I missing something?


Istvan_Rabai Sun, 04/05/2009 - 15:11

I think the problem is that when the packet arrives at R1, the source address is 192.168.1.1 and the destination address 172.19.1.1 is translated to 192.168.1.1, the same address.


When the reply to the ping is sent from 192.168.1.1, the destination address is the same, 192.168.1.1, so the reply is sent to itself, and it never gets out of R1 and never reaches R0.


You can see it from the debug output:


*Mar 1 00:27:55.186: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:27:55.190: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1


within the same router.


Cheers:

Istvan



Marwan ALshawi Sun, 04/05/2009 - 16:10

I think, Istvan, that means R1 is not doing NAT, but I did the same as your config (copy-paste) because I found it right, and it is working. Look below:


R0#ping 172.19.1.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 120/168/224 ms




R1#debug ip nat detailed

IP NAT detailed debugging is on

R1#

*Apr 6 10:16:31.319: NAT*: o: icmp (10.1.1.1, 1) -> (172.19.1.1, 1) [5]

*Apr 6 10:16:31.319: NAT*: o: icmp (10.1.1.1, 1) -> (172.19.1.1, 1) [5]

*Apr 6 10:16:31.319: NAT*: s=10.1.1.1, d=172.19.1.1->192.168.1.1 [5]

*Apr 6 10:16:31.323: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1

*Apr 6 10:16:31.327: NAT: i: icmp (192.168.1.1, 1) -> (10.1.1.1, 1) [5]

*Apr 6 10:16:31.327: NAT: s=192.168.1.1->172.19.1.1, d=10.1.1.1 [5]

*Apr 6 10:16:31.451: NAT*: o: icmp (10.1.1.1, 1) -> (172.19.1.1, 1) [6]

*Apr 6 10:16:31.451: NAT*: s=10.1.1.1, d=172.19.1.1->192.168.1.1 [6]

*Apr 6 10:16:31.455: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1

*Apr 6 10:16:31.455: NAT: i: icmp (192.168.1.1, 1) -> (10.1.1.1, 1) [6]

*Apr 6 10:16:31.455: NAT: s=192.168.1.1->172.19.1.1, d=10.1.1.1 [6]

*Apr 6 10:16:31.619: NAT*: o: icmp (10.1.1.1, 1) -> (172.19.1.1, 1) [7]

*Apr 6 10:16:31.619: NAT*: s=10.1.1.1, d=172.19.1.1->192.168.1.1 [7]

*Apr 6 10:16:31.623: ICMP: echo reply sent, src 192.168.1.1, dst 10.1.1.1

*Apr 6 10:16:31.627: NAT: i: icmp (192.168.1.1, 1) -> (10.1.1.1, 1) [7]

*Apr 6 10:16:31.627: NAT: s=192.168.1.1->172.19.1.1, d=10.1.1.1 [7]


That's why I told you to try to clear ip nat translation, because maybe you need a refresh.


Good luck

HTH


jamesgonzo Mon, 04/06/2009 - 04:33

Hi, "ping 172.19.1.1" does work for me too, but try "ping 172.19.1.1 source loopback 0"

tim1csolutions Sun, 04/05/2009 - 21:36

Try configuring it this way:


R0:

ip nat inside source static network 192.168.1.0 172.19.2.0 /24

ip nat outside source static network 192.168.1.0 172.19.1.0 /24


ip route 172.19.1.0 255.255.255.0 10.1.1.2


R1:

(Remove NAT configuration)


ip route 172.19.2.0 255.255.255.0 10.1.1.1


Timothy Chin

CCIE #23866 (R&S)

jamesgonzo Mon, 04/06/2009 - 05:15

Hi,


I added what you mentioned so the NAT is on one side only, but the ping only works from one side (R1 > R0). I have the configs and debugs in the attached file.





tim1csolutions Mon, 04/06/2009 - 15:08

Try pinging from R0 using the loopback interface as the source.


Timothy Chin

CCIE #23866 (R&S)

jamesgonzo Tue, 04/07/2009 - 11:57

Not able to ping:


R0#ping 172.19.1.1 source loopback 0


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

.....

Success rate is 0 percent (0/5)

R0#


What is seen on R1 when I did the above:


*Mar 1 00:05:33.078: NAT*: o: icmp (192.168.1.1, 5) -> (172.19.1.1, 5) [25]

*Mar 1 00:05:33.078: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [25]

*Mar 1 00:05:33.082: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:05:33.086: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:05:35.097: NAT*: o: icmp (192.168.1.1, 5) -> (172.19.1.1, 5) [26]

*Mar 1 00:05:35.101: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [26]

*Mar 1 00:05:35.105: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:05:35.109: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:05:36.936: NAT*: o: icmp (192.168.1.1, 5) -> (172.19.1.1, 5) [27]

*Mar 1 00:05:36.936: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [27]

*Mar 1 00:05:36.936: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:05:36.936: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:05:38.835: NAT*: o: icmp (192.168.1.1, 5) -> (172.19.1.1, 5) [28]

*Mar 1 00:05:38.839: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [28]

*Mar 1 00:05:38.843: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:05:38.847: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:05:41.063: NAT*: o: icmp (192.168.1.1, 5) -> (172.19.1.1, 5) [29]

*Mar 1 00:05:41.063: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [29]

*Mar 1 00:05:41.067: ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:05:41.075: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:06:02.570: NAT: expiring 172.19.1.1 (192.168.1.1) icmp 4 (4)

*Mar 1 00:06:41.546: NAT: expiring 172.19.1.1 (192.168.1.1) icmp 5 (5)




tim1csolutions Tue, 04/07/2009 - 15:00

Try one more thing. Since it is local router traffic on R0, configure this:


access-list 100 permit ip host 192.168.1.1 any


route-map LOCAL permit 10

match ip address 100

set interface loopback0


ip local policy route-map LOCAL


Then ping 172.19.1.1 using the loopback interface as the source. What you are doing here is "directing" local router traffic to interface loopback0, which is your inside interface; then the traffic is routed out the outside interface so the NAT policy can take effect.


Timothy Chin

CCIE #23866 (R&S)
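
The two explanations given so far in the thread (the reply addressed to itself on R1, and the need to push R0's local traffic through the inside interface), modelled as an added example that is not code from any poster. The function names and the `r0_translates_source` flag are hypothetical; addresses come from the posted configs and debug lines.

```python
import ipaddress
import re

def static_network(addr, from_net, to_net):
    """Map addr from from_net to to_net keeping the host bits (static network NAT)."""
    a = ipaddress.ip_address(addr)
    src, dst = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if a not in src:
        return addr  # no matching translation: address passes through unchanged
    return str(dst.network_address + (int(a) - int(src.network_address)))

# Values from the posted configs
INSIDE = "192.168.1.0/24"     # same LAN range at both sites
R0_GLOBAL = "172.19.2.0/24"   # how R0's LAN appears on the WAN
R1_GLOBAL = "172.19.1.0/24"   # how R1's LAN appears on the WAN

def ping_via_r1(src, dst, r0_translates_source):
    """Return (src, dst) of the echo reply R1 builds after its own NAT step.

    r0_translates_source is an assumption of this model: True when the
    packet passed through R0's inside-to-outside translation.
    """
    if r0_translates_source:
        src = static_network(src, INSIDE, R0_GLOBAL)
    dst = static_network(dst, R1_GLOBAL, INSIDE)  # R1 outside -> inside
    return dst, src  # the reply swaps source and destination

NAT_LINE = re.compile(r"NAT\*?: s=([\d.]+), d=([\d.]+)->([\d.]+) \[(\d+)\]")

def self_addressed(debug_lines):
    """Packet ids in 'debug ip nat' output whose translated destination equals the source."""
    hits = []
    for line in debug_lines:
        m = NAT_LINE.search(line)
        if m and m.group(1) == m.group(3):
            hits.append(int(m.group(4)))
    return hits

# Two debug lines quoted from the thread: a failing ping, then a working one
SAMPLE = [
    "*Mar 1 00:27:55.182: NAT*: s=192.168.1.1, d=172.19.1.1->192.168.1.1 [45]",
    "*Mar 1 00:05:05.625: NAT*: s=172.19.2.1, d=172.19.1.1->192.168.1.1 [30]",
]

if __name__ == "__main__":
    print(ping_via_r1("192.168.1.1", "172.19.1.1", False))  # reply to itself
    print(ping_via_r1("192.168.1.1", "172.19.1.1", True))   # reply to 172.19.2.1
    print(self_addressed(SAMPLE))
```
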


jamesgonzo Wed, 04/08/2009 - 12:10

I think that worked:


R0:


Sending 1, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!

Success rate is 100 percent (1/1), round-trip min/avg/max = 277/277/277 ms

R0#

*Mar 1 00:05:05.600: NAT: i: icmp (192.168.1.1, 6) -> (172.19.1.1, 6) [30]

*Mar 1 00:05:05.604: NAT: s=192.168.1.1->172.19.2.1, d=172.19.1.1 [30]

*Mar 1 00:05:05.861: NAT*: o: icmp (192.168.1.1, 6) -> (172.19.2.1, 6) [30]

*Mar 1 00:05:05.865: NAT*: o: icmp (192.168.1.1, 6) -> (172.19.2.1, 6) [30]

*Mar 1 00:05:05.865: NAT*: s=192.168.1.1, d=172.19.2.1->192.168.1.1 [30]

*Mar 1 00:05:05.869: ICMP: echo reply rcvd, src 192.168.1.1, dst 192.168.1.1

*Mar 1 00:05:06.398: NAT: expiring 172.19.2.1 (192.168.1.1) icmp 5 (5)

*Mar 1 00:05:06.402: NAT: expiring 172.19.2.1 (192.168.1.1) icmp 5 (5)



R1:


*Mar 1 00:05:05.620: NAT*: o: icmp (172.19.2.1, 6) -> (172.19.1.1, 6) [30]

*Mar 1 00:05:05.620: NAT*: o: icmp (172.19.2.1, 6) -> (172.19.1.1, 6) [30]

*Mar 1 00:05:05.625: NAT*: s=172.19.2.1, d=172.19.1.1->192.168.1.1 [30]

*Mar 1 00:05:05.629: ICMP: echo reply sent, src 192.168.1.1, dst 172.19.2.1

*Mar 1 00:05:06.350: NAT: expiring 172.19.1.1 (192.168.1.1) icmp 5 (5)



This is a little more complicated than I first thought. Should the first NAT setup I had have worked, or is this policy map the way I should do it? I'm not clear on the commands you gave me.


Thanks
