one sided NAT - problem

Unanswered Question
Sep 25th, 2009

Following is the NAT related configuration.

We don't want NAT for one host-to-host pair, and NAT for all others.

Accordingly we have configured access list 102 and route-map "nonat".

But pinging works from inside to outside with NAT; from outside to inside, ping is not working.

It is a 3800 series router.

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
 no dce-terminal-timing-enable
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
ip nat pool next 172.16.1.1 172.16.1.10 netmask 255.255.255.0
(this pool is routed towards our serial interface from other locations)
ip nat inside source route-map nonat pool next
!
access-list 102 deny icmp host 10.1.1.1 host 10.1.2.1
access-list 102 permit icmp host 10.1.1.1 any
!
route-map nonat permit 10
 match ip address 102
!

Ping working with NAT, as shown here in the debug output.

R1#ping 10.1.3.1 sou
R1#ping 10.1.3.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.3.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!
*Mar 1 02:03:17.211: NAT: map match nonat
*Mar 1 02:03:17.215: NAT: New entry added to map hash table
*Mar 1 02:03:17.215: NAT: i: icmp (10.1.1.1, 37) -> (10.1.3.1, 37) [215]
*Mar 1 02:03:17.215: NAT: s=10.1.1.1->172.16.1.1, d=10.1.3.1 [215]
*Mar 1 02:03:17.491: NAT*: o: icmp (10.1.3.1, 37) -> (172.16.1.1, 37) [215]
*Mar 1 02:03:17.491: NAT*: s=10.1.3.1, d=172.16.1.1->10.1.1.1 [215]
*Mar 1 02:03:17.495: NAT: i: icmp (10.1.1.1, 37) -> (10.1.3.1, 37) [216]
*Mar 1 02:03:17.495: NAT: s=10.1.1.1->172.16.1.1, d=10.1.3.1 [216]
*Mar 1 02:03:17.711: NAT*: o: icmp (10.1.3.1, 37) -> (172.16.1.1, 37) [216]!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/209/284 ms
R1#
*Mar 1 02:03:17.711: NAT*: s=10.1.3.1, d=172.16.1.1->10.1.1.1 [216]
*Mar 1 02:03:17.715: NAT: i: icmp (10.1.1.1, 37) -> (10.1.3.1, 37) [217]
*Mar 1 02:03:17.715: NAT: s=10.1.1.1->172.16.1.1, d=10.1.3.1 [217]
*Mar 1 02:03:17.787: NAT*: o: icmp (10.1.3.1, 37) -> (172.16.1.1, 37) [217]
*Mar 1 02:03:17.787: NAT*: s=10.1.3.1, d=172.16.1.1->10.1.1.1 [217]
*Mar 1 02:03:17.819: NAT: i: icmp (10.1.1.1, 37) -> (10.1.3.1, 37) [218]
*Mar 1 02:03:17.819: NAT: s=10.1.1.1->172.16.1.1, d=10.1.3.1 [218]
*Mar 1 02:03:18.035: NAT*: o: icmp (10.1.3.1, 37) -> (172.16.1.1, 37) [218]
*Mar 1 02:03:18.035: NAT*: s=10.1.3.1, d=172.16.1.1->10.1.1.1 [218]
*Mar 1 02:03:18.039: NAT: i: icmp (10.1.1.1, 37) -> (10.1.3.1, 37) [219]
*Mar 1 02:03:18.039: NAT: s=10.1.1.1->172.16.1.1, d=10.1.3.1 [219]
*Mar 1 02:03:18.255: NAT*: o: icmp (10.1.3.1, 37) -> (172.16.1.1, 37) [219]
*Mar 1 02:03:18.255: NAT*: s=10.1.3.1, d=172.16.1.1->10.1.1.1 [219]
R1

If we initiate a ping to 172.16.1.1 with source IP 10.1.3.1, it is not pinging.

Please share the experience.

Thanks in advance

subodh

mszeftawy Fri, 09/25/2009 - 11:26

I think you are performing a wrong test: you are trying to ping 172.16.1.1, which is an inside-global IP address only configured in the NAT pool, so there is no destination with this IP to respond to the ICMP.

But if you tried to reach the inside local IP address, it should work if the host 10.1.3.1 is correctly routed from your network towards your Ethernet interface.

But in this case one-way NATing will be performed: you will receive the ping message without modification and receive the echo reply from the inside global IP address.

For example

In normal case without NAT

Ping 192.168.1.2 source 10.1.3.1

At the other side you will receive the echo reply from source 192.168.1.2 to destination 10.1.3.1.

With NAT

Ping 192.168.1.2 source 10.1.3.1

At the other end you will receive the echo reply from source 172.16.1.1 to destination 10.1.3.1.

Actually I don't know how this works or how it is considered a correct echo reply, but it happens ;) and the ping is working. I think it might cause problems in different applications.
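To make the one-way behaviour concrete, here is a small Python model of R1's configuration, added as an illustration and not code from the thread or from Cisco. It assumes the documented behaviour that route-map based dynamic NAT creates fully extended entries, so an outside-initiated packet to 172.16.1.1 finds no entry and is delivered untranslated, while an echo request that reaches 10.1.1.1 untouched gets its reply translated to 172.16.1.1 on the way out, which is the exchange mszeftawy describes; the ICMP identifiers, entry layout and hosts are assumptions.

```python
# Constructed model (not Cisco code) of R1's route-map NAT from the thread:
# inside Fa0/0, outside S2/0, pool "next" 172.16.1.1-.10, route-map nonat
# matching ACL 102.  Route-map NAT creates fully extended entries, modelled
# here as (proto, inside local, inside global, outside host, icmp id/port).
POOL = [f"172.16.1.{i}" for i in range(1, 11)]
ACL_102 = [  # (action, protocol, source, destination); None = "any"
    ("deny",   "icmp", "10.1.1.1", "10.1.2.1"),
    ("permit", "icmp", "10.1.1.1", None),
]

def acl_match(proto, src, dst):
    """First-match lookup with the implicit deny at the end of the ACL."""
    for action, p, s, d in ACL_102:
        if p == proto and s == src and (d is None or d == dst):
            return action == "permit"
    return False

class Nat:
    def __init__(self):
        self.entries = set()  # (proto, local, global, remote, ident)
        self.hosts = {}       # inside local -> pool address in use

    def inside_to_outside(self, proto, src, dst, ident):
        """Packet from the 'ip nat inside' side: ACL deny or no match is a
        route-map miss and the real source is kept; a permit translates and
        records an extended entry. Returns the source the outside host sees."""
        if not acl_match(proto, src, dst):
            return src
        if src not in self.hosts:
            self.hosts[src] = POOL[len(self.hosts)]  # IndexError: pool exhausted
        glob = self.hosts[src]
        self.entries.add((proto, src, glob, dst, ident))
        return glob

    def outside_to_inside(self, proto, src, dst, ident):
        """Reverse only a packet matching an extended entry; else deliver as-is."""
        for p, local, glob, remote, i in self.entries:
            if (p, glob, remote, i) == (proto, dst, src, ident):
                return local
        return dst

def scenario():
    nat = Nat()
    out = nat.inside_to_outside("icmp", "10.1.1.1", "10.1.3.1", 37)      # as in debug [215]
    reply = nat.outside_to_inside("icmp", "10.1.3.1", "172.16.1.1", 37)  # echo reply reversed
    cold = nat.outside_to_inside("icmp", "10.1.3.1", "172.16.1.1", 38)   # new id: no entry
    exempt = nat.inside_to_outside("icmp", "10.1.1.1", "10.1.2.1", 39)   # deny line: untranslated
    inbound = nat.outside_to_inside("icmp", "10.1.3.1", "10.1.1.1", 40)  # arrives untouched
    back = nat.inside_to_outside("icmp", "10.1.1.1", "10.1.3.1", 40)     # reply leaves as 172.16.1.1
    return out, reply, cold, exempt, inbound, back
```

Note that ACL 102 only lists icmp, so any other protocol from 10.1.1.1 also leaves untranslated; later IOS releases add a reversible keyword to ip nat inside source route-map for the outside-initiated case, but the thread does not say which image the 3800 runs.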
