NAT with OSPF not working

Unanswered Question
Apr 12th, 2009

Hello,

I have 2 routers in my lab connected together via the serial ports, on Router 1 I want any IP from 192.168.100.192/27 (Fas0/0) to get NAT'ed to 172.16.1.2-254 when going over the WAN.

If I use my laptop on 192.168.100.194 and ping 192.168.100.97, which is a loopback on Router 0, it will not work. I see the traffic getting there, but it seems the route back is not working, so maybe my OSPF isn't working too well. If I add a static route like below, it works:

Router0(config)#ip route 172.16.1.0 255.255.255.0 10.10.10.14

Configs:

Router0#sh run
!
interface Loopback0
 ip address 192.168.100.97 255.255.255.224
!
interface FastEthernet0/0
 ip address 192.168.100.129 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0
 description WAN link to RouterA
 ip address 10.10.10.13 255.255.255.252
 no fair-queue
!
interface Serial0/1
 no ip address
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.12 0.0.0.3 area 0
 network 192.168.100.96 0.0.0.31 area 0
 network 192.168.100.128 0.0.0.3 area 0
!
ip http server
no ip http secure-server
ip classless
!
end

---------------------------------------

Router1#sh run
!
no ip domain-lookup
!
ip dhcp pool client
 network 192.168.100.192 255.255.255.224
 default-router 10.10.10.14
!
ip audit notify log
ip audit po max-events 100
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.100.193 255.255.255.224
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.10.10.14 255.255.255.252
 ip nat outside
 no fair-queue
 clock rate 4000000
!
interface Serial0/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.12 0.0.0.3 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
ip nat pool Andy 172.16.1.2 172.16.1.254 netmask 255.255.255.0
ip nat inside source list 100 pool Andy overload
ip classless
ip http server
!
access-list 100 permit ip 192.168.100.192 0.0.0.31 192.168.100.96 0.0.0.31
!
Router1#

Router 0 debug

Router0#sh ip route
Gateway of last resort is not set

     172.16.0.0/32 is subnetted, 1 subnets
O       172.16.1.1 [110/65] via 10.10.10.14, 00:19:41, Serial0/0
     10.0.0.0/30 is subnetted, 1 subnets
C       10.10.10.12 is directly connected, Serial0/0
     192.168.100.0/27 is subnetted, 1 subnets
C       192.168.100.96 is directly connected, Loopback0
Router0#

Debug on R0

01:13:56: NAT: address not stolen for 192.168.100.194, proto 1 port 512
01:13:56: NAT: installing alias for address 172.16.1.4
01:13:56: NAT: creating portlist proto 1 globaladdr 172.16.1.4
01:13:56: NAT: Allocated Port for 192.168.100.194 -> 172.16.1.4: wanted 512 got 512
01:13:56: NAT: i: icmp (192.168.100.194, 512) -> (192.168.100.97, 512) [40908]
01:13:56: NAT: s=192.168.100.194->172.16.1.4, d=192.168.100.97 [40908]

t-yamashita Sun, 04/12/2009 - 23:21

Hi Andy,

A closer look at the routing table.

>O 172.16.1.1 [110/65] via 10.10.10.14, 00:19:41, Serial0/0

It's a host route. This is a feature of the loopback interface.

So, first of all, I would like to suggest you specify an "ip ospf network point-to-point" on the loopback interface.

And perhaps it'll work.

HTH

Tomoyuki

rpfinneran Sun, 04/12/2009 - 23:47

Very good Tomoyuki, I labbed it up and verified. This is interesting, I haven't come across this issue before.

Router0#show run !I modified below for what is needed
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
end
!
router ospf 100
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 200.0.0.0 0.0.0.3 area 0
end
!
Router0#sho ip ospf int lo0
Loopback0 is up, line protocol is up
  Internet Address 10.0.0.1/24, Area 0
  Process ID 100, Router ID 10.0.0.1, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host

Router1#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 8.0.0.2 to network 0.0.0.0

     200.0.0.0/30 is subnetted, 1 subnets
C       200.0.0.0 is directly connected, FastEthernet1/0
     10.0.0.0/32 is subnetted, 1 subnets
O       10.0.0.1 [110/2] via 100.0.0.2, 00:00:02, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 8.0.0.2

-------------------- AFTER CHANGE --------------------

Router0#show run !I modified below for what is needed
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
 ip ospf network point-to-point
end
!
router ospf 100
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 200.0.0.0 0.0.0.3 area 0
end
!
Router0#sho ip ospf int lo0
Loopback0 is up, line protocol is up
  Internet Address 10.0.0.1/24, Area 0
  Process ID 100, Router ID 10.0.0.1, Network Type POINT_TO_POINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

Router1#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 8.0.0.2 to network 0.0.0.0

     200.0.0.0/30 is subnetted, 1 subnets
C       200.0.0.0 is directly connected, FastEthernet1/0
     10.0.0.0/24 is subnetted, 1 subnets
O       10.0.0.0 [110/2] via 200.0.0.2, 00:04:21, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 8.0.0.2

whiteford Sun, 04/12/2009 - 23:54

I see, if I hadn't used a loopback it would have worked?

What does "ip ospf network point-to-point" do?

rpfinneran Mon, 04/13/2009 - 00:09

The network type specifies how OSPF will work on the interface. For example, in a BROADCAST network type, OSPF knows that on that interface there will be an election for DR/BDR and that if the router is elected, it should listen on 224.0.0.5 and 224.0.0.6.

If you had not used a loopback, it would have worked. Cisco treats loopbacks as stub hosts (see output above).

HTH,

Ryan

t-yamashita Mon, 04/13/2009 - 01:26

>I see, if I hadn't used a loopback it would have worked?

More properly, R0 needed to receive the exact route.

For example, it would have been able to work if you specified "default-information originate always" on the OSPF process.

>What does "ip ospf network point-to-point" do?

As Ryan indicated, and as follows, OSPF works in "loopback type" when you define OSPF on the loopback interface.

------

Router#sh ip ospf interface loopback 1
Loopback1 is up, line protocol is up
  Internet Address 1.1.1.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host

------

In the loopback type, the LSA advertises the route as a /32.

So, "ip ospf network" changes this type.

And OSPF makes it possible to advertise the exact subnet of the loopback interface.

HTH

Tomoyuki
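To make the routing-table point concrete, here is an added Python example (not code from the thread or from Cisco) that does a longest-prefix lookup on two constructed Router0 tables: one holding only the /32 host route that OSPF advertised for Router1's loopback, and one holding the /24 that the point-to-point network type (or the static route from the first post) gives Router0. The NAT pool range and next hop come from the thread; the table contents, the hypothetical helper names and the "reply dropped" interpretation are assumptions of this example.

```python
import ipaddress

# Constructed Router0 routing tables modelled on the thread (example data, not the
# page's own output). Entry: prefix -> (next hop, or None if connected; outgoing interface).
# Before the fix: OSPF learns Router1's Loopback0 only as a /32 host route.
ROUTES_BEFORE = {
    "172.16.1.1/32": ("10.10.10.14", "Serial0/0"),
    "10.10.10.12/30": (None, "Serial0/0"),
    "192.168.100.96/27": (None, "Loopback0"),
}
# After "ip ospf network point-to-point" on Router1's Loopback0 (or the static route
# "ip route 172.16.1.0 255.255.255.0 10.10.10.14"): Router0 holds the whole /24.
ROUTES_AFTER = {
    "172.16.1.0/24": ("10.10.10.14", "Serial0/0"),
    "10.10.10.12/30": (None, "Serial0/0"),
    "192.168.100.96/27": (None, "Loopback0"),
}

# Router1's NAT pool "Andy" from the thread: 172.16.1.2 - 172.16.1.254.
POOL_FIRST, POOL_LAST = "172.16.1.2", "172.16.1.254"


def lookup(table, dst):
    """Longest-prefix match for dst. Returns (prefix, next_hop, interface) or None."""
    addr = ipaddress.ip_address(str(dst))
    best = None
    for prefix, (next_hop, intf) in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, intf)
    if best is None:
        return None  # no route at all: Router0 has nowhere to send the reply
    return (str(best[0]), best[1], best[2])


def unroutable_pool_addresses(table, first=POOL_FIRST, last=POOL_LAST):
    """Pool addresses Router0 cannot route back to, i.e. translated pings whose replies are dropped."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)
            if lookup(table, ipaddress.ip_address(i)) is None]


if __name__ == "__main__":
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        missing = unroutable_pool_addresses(table)
        print(f"{name}: reply to 172.16.1.4 -> {lookup(table, '172.16.1.4')}, "
              f"{len(missing)} of 253 pool addresses unroutable")
```

With the /32 only, the one pool address Router0 can reach is 172.16.1.1, which the pool never hands out, so every translated ping (such as the 172.16.1.4 seen in the debug) gets a reply that Router0 drops; with the /24 every pool address resolves via 10.10.10.14. This is also why a static route for the /24 masked the problem in the first post.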

whiteford Mon, 04/13/2009 - 10:17

Now this is working, I just have a question about the NAT I have and how it works.

From my laptop (192.168.100.194, Router0 side), if I ping 192.168.100.97 on the Router1 side, it translates to 172.16.1.2 and works; then I notice the translation expires.

This is great for one direction, say if I need to access resources on that side (Router0). However, I have noticed that from the Router0 side (opposite direction) they can't ping 172.16.1.x IPs, as they don't exist I suppose, since they just get translated, then expire and get removed. Any way round this?

sdoremus33 Mon, 04/13/2009 - 18:17

The IOS firewall maintains an idle timer for each type of translation table entry. Each time a packet matching a translation entry is forwarded, the idle timer is reset. As soon as the idle timer expires, that translation table entry is removed.

So for ping (ICMP) translations to never expire you can add the ICMP entry:

IOSFirewall(config)# ip nat translation icmp-timeout {seconds | never}

60 seconds (1 minute)

By default it times out in 60 seconds.

This is done for security purposes, so it is recommended not to use the never keyword, and to stick with the default value.

Below is a table that will be helpful.

Commands and Default Values

Translation type: Dynamic NAT entries
  Command syntax: IOSFirewall(config)# ip nat translation timeout {seconds | never}
  Default value:  86,400 seconds (24 hours)

Translation type: ICMP entries
  Command syntax: IOSFirewall(config)# ip nat translation icmp-timeout {seconds | never}
  Default value:  60 seconds (1 minute)

Translation type: DNS entries
  Command syntax: IOSFirewall(config)# ip nat translation dns-timeout {seconds | never}
  Default value:  60 seconds (1 minute)

Translation type: Specific UDP port entries
  Command syntax: IOSFirewall(config)# ip nat translation port-timeout udp port {seconds | never}

Translation type: All other UDP entries
  Command syntax: IOSFirewall(config)# ip nat translation timeout {seconds | never}
  Default value:  300 seconds (5 minutes)

Translation type: TCP entries from the SYN packet to the next packet
  Command syntax: IOSFirewall(config)# ip nat translation syn-timeout {seconds | never}
  Default value:  60 seconds (1 minute)

Translation type: TCP after FIN or RST packet
  Command syntax: IOSFirewall(config)# ip nat translation finrst-timeout {seconds | never}
  Default value:  60 seconds (1 minute)

Translation type: PPTP entries
  Command syntax: IOSFirewall(config)# ip nat translation pptp-timeout {seconds | never}
  Default value:  86,400 seconds (24 hours)

Translation type: Specific TCP port entries
  Command syntax: IOSFirewall(config)# ip nat translation port-timeout tcp port {seconds | never}
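The idle-timer behaviour described in this answer, and the one-way problem whiteford asked about, can be seen in a small simulation. The Python below is an added example, not code from the thread or from Cisco: it models a dynamic NAT table whose entries are created by inside-to-outside packets, have their idle timer reset by any matching packet, and are removed once the per-protocol timeout elapses. It uses the default timeouts from the table above, ignores the port tracking that the "overload" keyword adds, and the addresses, timeline and class/function names are constructed for the example.

```python
# Constructed model of IOS dynamic NAT idle timers (added example, not the page's own code).
# Default idle timeouts in seconds, taken from the table in the answer above.
DEFAULT_TIMEOUTS = {"icmp": 60, "udp": 300, "tcp": 86400}


class NatTable:
    def __init__(self, pool, timeouts=None):
        self.free = list(pool)                     # unused inside-global addresses
        self.timeouts = dict(timeouts or DEFAULT_TIMEOUTS)
        self.entries = {}                          # (proto, inside_local) -> [inside_global, last_seen]

    def _expire(self, now):
        """Remove every entry whose idle timer has run out; a timeout of None means 'never'."""
        for key, (inside_global, last_seen) in list(self.entries.items()):
            limit = self.timeouts[key[0]]
            if limit is not None and now - last_seen >= limit:
                del self.entries[key]
                self.free.append(inside_global)    # address returns to the pool

    def outbound(self, proto, inside_local, now):
        """Inside->outside packet: reuse or create the translation and reset its idle timer."""
        self._expire(now)
        key = (proto, inside_local)
        if key not in self.entries:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")
            self.entries[key] = [self.free.pop(0), now]
        self.entries[key][1] = now
        return self.entries[key][0]

    def inbound(self, proto, inside_global, now):
        """Outside->inside packet: succeeds only while a translation for that global address exists."""
        self._expire(now)
        for key, entry in self.entries.items():
            if key[0] == proto and entry[0] == inside_global:
                entry[1] = now                     # matching packet resets the idle timer
                return key[1]
        return None                                # no translation: nothing inside owns 172.16.1.x now


def scenario(timeouts=None):
    """Timeline from the question: laptop pings out at t=0; the far side pings back at t=30 and t=100."""
    nat = NatTable(["172.16.1.2", "172.16.1.3"], timeouts)
    inside_global = nat.outbound("icmp", "192.168.100.194", now=0)   # laptop -> 192.168.100.97
    reply_at_30 = nat.inbound("icmp", inside_global, now=30)         # 30 s idle < 60 s: still mapped
    reply_at_100 = nat.inbound("icmp", inside_global, now=100)       # 70 s idle >= 60 s: entry removed
    return inside_global, reply_at_30, reply_at_100


if __name__ == "__main__":
    print("default icmp-timeout 60:", scenario())
    print("icmp-timeout never:     ", scenario({"icmp": None, "udp": 300, "tcp": 86400}))
```

With the default 60-second ICMP timeout the far side can reach the laptop at 172.16.1.2 only while the entry is fresh; with "never" the entry persists, but the global address also stays consumed from the pool for as long as the router runs, which is the cost the answer warns about.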

whiteford Mon, 04/13/2009 - 22:02

Thanks this is useful to know.

As you can see in my scenario I am NATing in one direction; I'm sort of treating it as if I'm a user going to some servers over the WAN. Now I think it would work, but what happens if a server or engineer needed to get to my PC? They would need to use my NAT address, which expires. I know you can stop the NAT expiring, but I can imagine in the real world I might come up against two LANs having the same IP range that can't be changed, so would a NAT have to be created in each direction, or some sort of NAT policy?
