outside source static NAT

Mar 27th, 2012

Hi,


I've tested the following NAT configuration


hostname R4
!
no ip cef
!
interface Loopback104
 ip address 172.16.104.1 255.255.255.0
!
interface Serial0/0.234 point-to-point
 ip address 172.16.234.4 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 snmp trap link-status
 frame-relay interface-dlci 403
!
interface FastEthernet0/1
 ip address 172.16.64.4 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
!
!
ip nat outside source static 172.16.110.1 172.16.104.10
!


in which IP-CEF & IP-FASTSWITCHING are disabled to better understand debug messages related to IP routing & NAT processing


R4 is configured for "outside source static" translation and, as the debug shows, a ping packet entering from outside fast0/1 is translated (outside global -> outside local) and then routed to ser0/0.234, the outgoing i/f (inside i/f).


However, pinging the remote loopback router (3.3.3.3), attached on the inside i/f, from 172.16.110.1, configured on a router attached on the outside side, doesn't work!


Adding ip nat outside on the loopback 104 i/f solves the issue; now the debug shows


*Mar  1 00:57:44.203: IP: tableid=0, s=172.16.110.1 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), routed via RIB
*Mar  1 00:57:44.207: NAT: s=172.16.110.1->172.16.104.10, d=3.3.3.3 [130]
*Mar  1 00:57:44.211: IP: s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), g=172.16.234.3, len 100, forward

*Mar  1 00:57:44.223: IP: tableid=0, s=3.3.3.3 (Serial0/0.234), d=172.16.104.10 (Loopback104), routed via RIB <--- msg A
*Mar  1 00:57:44.227: NAT: s=3.3.3.3, d=172.16.104.10->172.16.110.1 [130] <--- msg B
*Mar  1 00:57:44.227: IP: s=3.3.3.3 (Serial0/0.234), d=172.16.110.1 (Loopback104), g=172.16.110.1, len 100, forward <--- msg C ???

*Mar  1 00:57:44.227: IP: tableid=0, s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), routed via RIB <--- msg D
*Mar  1 00:57:44.227: IP: s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), g=172.16.64.10, len 100, forward

*Mar  1 00:57:44.231: NAT*: s=172.16.110.1->172.16.104.10, d=3.3.3.3 [131]
*Mar  1 00:57:44.231: IP: tableid=0, s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), routed via RIB
*Mar  1 00:57:44.231: IP: s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), g=172.16.234.3, len 100, forward
*Mar  1 00:57:44.239: IP: tableid=0, s=3.3.3.3 (Serial0/0.234), d=172.16.104.10 (Loopback104), routed via RIB
*Mar  1 00:57:44.239: NAT: s=3.3.3.3, d=172.16.104.10->172.16.110.1 [131]
*Mar  1 00:57:44.239: IP: s=3.3.3.3 (Serial0/0.234), d=172.16.110.1 (Loopback104), g=172.16.110.1, len 100, forward
*Mar  1 00:57:44.243: IP: tableid=0, s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), routed via RIB
*Mar  1 00:57:44.243: IP: s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), g=172.16.64.10, len 100, forward
*Mar  1 00:57:44.247: NAT*: s=172.16.110.1->172.16.104.10, d=3.3.3.3 [132]
*Mar  1 00:57:44.251: IP: tableid=0, s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), routed via RIB
*Mar  1 00:57:44.255: IP: s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), g=172.16.234.3, len 100, forward
*Mar  1 00:57:44.255: IP: tableid=0, s=3.3.3.3 (Serial0/0.234), d=172.16.104.10 (Loopback104), routed via RIB
*Mar  1 00:57:44.259: NAT: s=3.3.3.3, d=172.16.104.10->172.16.110.1 [132]
*Mar  1 00:57:44.259: IP: s=3.3.3.3 (Serial0/0.234), d=172.16.110.1 (Loopback104), g=172.16.110.1, len 100, forward
*Mar  1 00:57:44.263: IP: tableid=0, s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), routed via RIB
*Mar  1 00:57:44.263: IP: s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), g=172.16.64.10, len 100, forward



Now, from my understanding, message A (highlighted) refers to IP routing from ser0/0.234 to Loopback104 and message B to the outside local -> outside global translation performed on this interface.


Message D is related to the (natted) packet re-entering from Loopback104 and being forwarded to outside fa0/1 (gw = 172.16.64.10).


What about message C? Why does Loopback104 have to be configured with ip nat outside?


thanks

CARLO CIANFARANI Wed, 03/28/2012 - 03:09

Hi,


I don't know why the reply received by mail is not shown here in the thread....


******************************************************************

Carlo,


For outside static nat, you usually nat to an address that your router knows how to get to. The result that you got was because the address that you're natting to is on the loopback and not the f0/0 interface where I'm sure the traffic is coming from. You would need to put "ip nat outside" on the loopback interface in this scenario because you're telling the router that the address to use as outgoing nat is the loopback interface. Otherwise, you can nat to an address on your fa0/0 interface and you should be fine like:


ip nat outside source static 172.16.110.1 172.16.64.49


Then you'd be able to ping your loopback without putting a nat statement on the interface.


HTH,

John

*************************************************************************


From http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml I can guess that in every case (Local->Global and Global->Local translation) the address translation itself is performed - from IOS point of view - on outside sw i/f


show int loop104 switching counters before the ping is issued:


R4#sh int loop104 switchi
Loopback104

    Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process          2         56          2         56
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

    NOTE: all counts are cumulative and reset only after a reload.
R4#


R5#ping 3.3.3.3 source loop110 r 3

Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.110.1
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 4/20/36 ms


And after ping:


R4#sh int loop104 switchi
Loopback104

    Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process          5        356          5        356
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

    NOTE: all counts are cumulative and reset only after a reload.
R4#


Pkts In/Out, in fact, increased by 3 units (3 ping packets),


so in this scenario the outside i/f on which NAT is performed is Loop104.


Does it make sense?

John Blakley Thu, 03/29/2012 - 03:31

Can you attach a diagram of how this is laid out?



Here's what I'm seeing and others can jump in here:


I laid out a topology like: RtrA ---> RtrB (2.2.2.2) ----> RtrC (NAT) -----> RtrD (4.4.4.4)


The first section is without nat enabled on the loopback. I drop traffic, but you'll notice on the last line that the destination is 3.3.3.50 and it doesn't go farther than that.


*Mar  1 00:41:12.019: IP: tableid=0, s=2.2.2.2 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), routed via FIB
*Mar  1 00:41:12.019: IP: s=3.3.3.50 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), g=10.34.0.4, len 100, forward
*Mar  1 00:41:12.027: IP: tableid=0, s=4.4.4.4 (FastEthernet0/1), d=3.3.3.50 (Loopback3), routed via RIB
*Mar  1 00:41:12.027: IP: s=4.4.4.4 (FastEthernet0/1), d=3.3.3.50, len 100, rcvd 6





With nat enabled the router goes as far as to translate further to the destination of 2.2.2.2.


*Mar  1 00:41:56.179: IP: tableid=0, s=2.2.2.2 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), routed via FIB
*Mar  1 00:41:56.183: IP: s=3.3.3.50 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), g=10.34.0.4, len 100, forward
*Mar  1 00:41:56.187: IP: tableid=0, s=4.4.4.4 (FastEthernet0/1), d=3.3.3.50 (Loopback3), routed via RIB
*Mar  1 00:41:56.187: IP: s=4.4.4.4 (FastEthernet0/1), d=2.2.2.2 (Loopback3), g=2.2.2.2, len 100, forward
*Mar  1 00:41:56.191: IP: tableid=0, s=4.4.4.4 (Loopback3), d=2.2.2.2 (FastEthernet0/0), routed via RIB
*Mar  1 00:41:56.191: IP: s=4.4.4.4 (Loopback3), d=2.2.2.2 (FastEthernet0/0), g=192.168.23.2, len 100, forward


My conclusion is that without NAT enabled on that interface, the router looks in the local routing table for the destination of 3.3.3.50 and realizes that it's local to the router...dropping the traffic. With NAT enabled, it looks in the translation table to see what it's translated to and then routes to the translated address.


Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                3.3.3.50           2.2.2.2
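To make the sequence in the two debugs above concrete, here is an added Python model of R4 (my own example, not code from this thread or from IOS): it routes first, applies the outside-source static mapping only when the packet crosses an interface marked ip nat outside, and routes again after translation, which is exactly what separates the "rcvd" drop from the msg C/D re-entry. Addresses, interfaces and the static mapping are taken from the original post; the routing table and the bounded re-route loop are my assumptions.

```python
import ipaddress

# Constructed model of R4 from this thread (example code, not from the original post).
# Routing table: prefix -> (egress interface, next hop); None next hop = directly connected.
ROUTES = {
    "172.16.104.0/24": ("Loopback104", None),
    "172.16.64.0/24":  ("FastEthernet0/1", None),
    "172.16.234.0/24": ("Serial0/0.234", None),
    "3.3.3.3/32":      ("Serial0/0.234", "172.16.234.3"),
    "172.16.110.0/24": ("FastEthernet0/1", "172.16.64.10"),
}
# ip nat outside source static 172.16.110.1 172.16.104.10  -> (outside global, outside local)
STATIC_MAP = ("172.16.110.1", "172.16.104.10")

def lookup(dst):
    """Longest-prefix match over ROUTES; returns (egress interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]

def forward(src, dst, ingress, outside_ifs, mapping=STATIC_MAP):
    """Trace one packet through R4 the way the thread's debug shows it: route first, apply
    the outside-source mapping only on an 'ip nat outside' interface, then route again.
    Returns (trace lines, final egress interface, or None when the packet is dropped)."""
    o_global, o_local = mapping
    trace = []
    for _ in range(3):                        # assumption: at most one re-route per translation
        egress, nexthop = lookup(dst)
        trace.append(f"route s={src} d={dst} ({ingress}) -> {egress}")
        if ingress in outside_ifs and src == o_global:       # outside -> inside: rewrite source
            src = o_local
            trace.append(f"NAT s={o_global}->{src}")
        elif egress in outside_ifs and dst == o_local:       # inside -> outside: rewrite destination
            dst = o_global
            trace.append(f"NAT d={o_local}->{dst}")
            if egress.startswith("Loopback"):                # translated packet re-enters from the loopback (msg C/D)
                ingress = egress
            continue                                         # route again on the translated address
        if egress.startswith("Loopback"):                    # local interface without NAT: delivered locally, dropped
            trace.append(f"rcvd on {egress}: d={dst} is not a local process, dropped")
            return trace, None
        trace.append(f"forward s={src} d={dst} via {egress} g={nexthop or dst}")
        return trace, egress
    return trace, None
```

Calling forward("3.3.3.3", "172.16.104.10", "Serial0/0.234", {"FastEthernet0/1"}) reproduces the drop, and adding "Loopback104" to the outside set reproduces messages A to D; passing mapping=("172.16.110.1", "172.16.64.49") reproduces John's alternative, where no loopback is involved.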

CARLO CIANFARANI Thu, 03/29/2012 - 05:19

Here is the lab layout:

Yes, I agree with you..... for these reasons I can guess Outside->Inside and Inside->Outside NAT translations are performed by IOS on the software interface where ip nat outside is configured...
