outside source static NAT

Hi,

I've tested the following NAT configuration

hostname R4

!

no ip cef

!

interface Loopback104

ip address 172.16.104.1 255.255.255.0

!

interface Serial0/0.234 point-to-point

ip address 172.16.234.4 255.255.255.0

ip nat inside

ip virtual-reassembly

no ip route-cache

snmp trap link-status

frame-relay interface-dlci 403

!

interface FastEthernet0/1

ip address 172.16.64.4 255.255.255.0

ip nat outside

ip virtual-reassembly

no ip route-cache

!

!

ip nat outside source static 172.16.110.1 172.16.104.10

!

in which IP-CEF & IP-FASTSWITCHING are disabled to better understand debug messages related to IP routing & NAT processing

R4 is configured for "outside source static" translation and, as the debug shows, a ping packet entering from outside fast0/1 is translated (outside global -> outside local) and then routed to the ser0/0.234 outgoing i/f (inside i/f).

However, pinging the remote router's loopback (3.3.3.3), attached on the inside i/f, from 172.16.110.1, configured on a router attached on the outside, doesn't work!

Adding ip nat outside on the loopback 104 i/f solves the issue; now the debug shows

*Mar  1 00:57:44.203: IP: tableid=0, s=172.16.110.1 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), routed via RIB

*Mar  1 00:57:44.207: NAT: s=172.16.110.1->172.16.104.10, d=3.3.3.3 [130]

*Mar  1 00:57:44.211: IP: s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), g=172.16.234.3, len 100, forward

*Mar  1 00:57:44.223: IP: tableid=0, s=3.3.3.3 (Serial0/0.234), d=172.16.104.10 (Loopback104), routed via RIB <--------------------- msg A

*Mar  1 00:57:44.227: NAT: s=3.3.3.3, d=172.16.104.10->172.16.110.1 [130]              <--------------------------------------------------------- msg B

*Mar  1 00:57:44.227: IP: s=3.3.3.3 (Serial0/0.234), d=172.16.110.1 (Loopback104), g=172.16.110.1, len 100, forward <----------- msg C ???

*Mar  1 00:57:44.227: IP: tableid=0, s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), routed via RIB <------------- msg D

*Mar  1 00:57:44.227: IP: s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), g=172.16.64.10, len 100, forward

*Mar  1 00:57:44.231: NAT*: s=172.16.110.1->172.16.104.10, d=3.3.3.3 [131]

*Mar  1 00:57:44.231: IP: tableid=0, s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), routed via RIB

*Mar  1 00:57:44.231: IP: s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), g=172.16.234.3, len 100, forward

*Mar  1 00:57:44.239: IP: tableid=0, s=3.3.3.3 (Serial0/0.234), d=172.16.104.10 (Loopback104), routed via RIB

*Mar  1 00:57:44.239: NAT: s=3.3.3.3, d=172.16.104.10->172.16.110.1 [131]

*Mar  1 00:57:44.239: IP: s=3.3.3.3 (Serial0/0.234), d=172.16.110.1 (Loopback104), g=172.16.110.1, len 100, forward

*Mar  1 00:57:44.243: IP: tableid=0, s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), routed via RIB

*Mar  1 00:57:44.243: IP: s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), g=172.16.64.10, len 100, forward

*Mar  1 00:57:44.247: NAT*: s=172.16.110.1->172.16.104.10, d=3.3.3.3 [132]

*Mar  1 00:57:44.251: IP: tableid=0, s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), routed via RIB

*Mar  1 00:57:44.255: IP: s=172.16.104.10 (FastEthernet0/1), d=3.3.3.3 (Serial0/0.234), g=172.16.234.3, len 100, forward

*Mar  1 00:57:44.255: IP: tableid=0, s=3.3.3.3 (Serial0/0.234), d=172.16.104.10 (Loopback104), routed via RIB

*Mar  1 00:57:44.259: NAT: s=3.3.3.3, d=172.16.104.10->172.16.110.1 [132]

*Mar  1 00:57:44.259: IP: s=3.3.3.3 (Serial0/0.234), d=172.16.110.1 (Loopback104), g=172.16.110.1, len 100, forward

*Mar  1 00:57:44.263: IP: tableid=0, s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), routed via RIB

*Mar  1 00:57:44.263: IP: s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), g=172.16.64.10, len 100, forward

Now, from my understanding, message A (highlighted) refers to IP routing from ser0/0.234 to Loopback104 and message B to the outside local -> outside global translation performed on this interface.

Message D is related to the (natted) packet re-entering from Loopback104 and being forwarded to outside fa0/1 (gw = 172.16.64.10).

What about message C? Why does Loopback104 have to be configured with ip nat outside?

thanks

4 Replies

Hi,

I don't know why the reply received by mail is not shown here in the thread....

******************************************************************

Carlo,

For outside static nat, you usually nat to an address that your router knows how to get to. The result that you got was because the address that you're natting to is on the loopback and not the f0/0 interface where I'm sure the traffic is coming from. You would need to put "ip nat outside" on the loopback interface in this scenario because you're telling the router that the address to use as outgoing nat is the loopback interface. Otherwise, you can nat to an address on your fa0/0 interface and you should be fine like:

ip nat outside source static 172.16.110.1 172.16.64.49

Then you'd be able to ping your loopback without putting a nat statement on the interface.

HTH,

John

*************************************************************************

From http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml I can guess that in every case (Local->Global and Global->Local translation) the address translation itself is performed - from IOS point of view - on outside sw i/f

show int Loop104 switching counters before ping is issued:

R4#sh int loop104 switchi

Loopback104

    Protocol  IP

          Switching path    Pkts In   Chars In   Pkts Out  Chars Out

                 Process          2         56          2         56

            Cache misses          0          -          -          -

                    Fast          0          0          0          0

               Auton/SSE          0          0          0          0

    NOTE: all counts are cumulative and reset only after a reload.

R4#

R5#ping 3.3.3.3 source loop110 r 3

Type escape sequence to abort.

Sending 3, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 172.16.110.1

!!!

Success rate is 100 percent (3/3), round-trip min/avg/max = 4/20/36 ms

And after ping:

R4#sh int loop104 switchi

Loopback104

    Protocol  IP

          Switching path    Pkts In   Chars In   Pkts Out  Chars Out

                 Process          5        356          5        356

            Cache misses          0          -          -          -

                    Fast          0          0          0          0

               Auton/SSE          0          0          0          0

    NOTE: all counts are cumulative and reset only after a reload.

R4#

Pkts In/Out, in fact, increased by 3 units (3 ping packets),

so in this scenario the outside i/f on which NAT is performed is Loop104.

Does it make sense ?

Any idea ?

Thanks

Can you attach a diagram of how this is laid out?

Here's what I'm seeing and others can jump in here:

I laid out a topology like: RtrA ---> RtrB (2.2.2.2) ----> RtrC (NAT) -----> RtrD (4.4.4.4)

The first section is without nat enabled on the loopback. I drop traffic, but you'll notice on the last line that the destination is 3.3.3.50 and it doesn't go farther than that.

*Mar  1 00:41:12.019: IP: tableid=0, s=2.2.2.2 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), routed via FIB

*Mar  1 00:41:12.019: IP: s=3.3.3.50 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), g=10.34.0.4, len 100, forward

*Mar  1 00:41:12.027: IP: tableid=0, s=4.4.4.4 (FastEthernet0/1), d=3.3.3.50 (Loopback3), routed via RIB

*Mar  1 00:41:12.027: IP: s=4.4.4.4 (FastEthernet0/1), d=3.3.3.50, len 100, rcvd 6

With nat enabled the router goes as far as to translate further to the destination of 2.2.2.2.

*Mar  1 00:41:56.179: IP: tableid=0, s=2.2.2.2 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), routed via FIB

*Mar  1 00:41:56.183: IP: s=3.3.3.50 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), g=10.34.0.4, len 100, forward

*Mar  1 00:41:56.187: IP: tableid=0, s=4.4.4.4 (FastEthernet0/1), d=3.3.3.50 (Loopback3), routed via RIB

*Mar  1 00:41:56.187: IP: s=4.4.4.4 (FastEthernet0/1), d=2.2.2.2 (Loopback3), g=2.2.2.2, len 100, forward

*Mar  1 00:41:56.191: IP: tableid=0, s=4.4.4.4 (Loopback3), d=2.2.2.2 (FastEthernet0/0), routed via RIB

*Mar  1 00:41:56.191: IP: s=4.4.4.4 (Loopback3), d=2.2.2.2 (FastEthernet0/0), g=192.168.23.2, len 100, forward

My conclusion is that without NAT enabled on that interface, the router looks in the local routing table for the destination of 3.3.3.50 and realizes that it's local to the router...dropping the traffic. With NAT enabled, it looks in the translation table to see what it's translated to and then routes to the translated address.

Pro Inside global      Inside local       Outside local      Outside global

--- ---                ---                3.3.3.50           2.2.2.2

HTH, John *** Please rate all useful posts ***
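The two return-path traces discussed above, run through a small parser (an added example, not part of the original thread or any Cisco tooling). It uses only the log lines quoted in the posts, with timestamps trimmed, and reports when a packet is forwarded to an interface and then looked up again with that interface as input (msg C followed by msg D), versus being received locally (`rcvd`); the function names `parse` and `hairpins` are made up for this illustration.

```python
import re

IP_RE = re.compile(r"IP: (?:tableid=\d+, )?s=([\d.]+) \(([^)]+)\), "
                   r"d=([\d.]+)(?: \(([^)]+)\))?, (.*)$")
NAT_RE = re.compile(r"NAT\*?: s=([\d.]+)(?:->([\d.]+))?, "
                    r"d=([\d.]+)(?:->([\d.]+))? \[(\d+)\]")

# Reply packet [130] from the question (Loopback104 has "ip nat outside").
WITH_NAT = """\
IP: tableid=0, s=3.3.3.3 (Serial0/0.234), d=172.16.104.10 (Loopback104), routed via RIB
NAT: s=3.3.3.3, d=172.16.104.10->172.16.110.1 [130]
IP: s=3.3.3.3 (Serial0/0.234), d=172.16.110.1 (Loopback104), g=172.16.110.1, len 100, forward
IP: tableid=0, s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), routed via RIB
IP: s=3.3.3.3 (Loopback104), d=172.16.110.1 (FastEthernet0/1), g=172.16.64.10, len 100, forward
""".splitlines()

# Reply packet from John's first trace (no NAT on Loopback3).
WITHOUT_NAT = """\
IP: tableid=0, s=4.4.4.4 (FastEthernet0/1), d=3.3.3.50 (Loopback3), routed via RIB
IP: s=4.4.4.4 (FastEthernet0/1), d=3.3.3.50, len 100, rcvd 6
""".splitlines()

def parse(lines):
    """Turn debug lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in lines:
        if m := NAT_RE.search(line):
            s, s_new, d, d_new, ip_id = m.groups()
            events.append({"kind": "nat", "src": s_new or s, "dst": d_new or d})
        elif m := IP_RE.search(line):
            s, in_if, d, out_if, tail = m.groups()
            kind = ("route" if "routed via" in tail else
                    "forward" if tail.rstrip().endswith("forward") else
                    "local" if "rcvd" in tail else "other")
            events.append({"kind": kind, "src": s, "dst": d,
                           "in_if": in_if, "out_if": out_if})
    return events

def hairpins(events):
    """Interfaces a packet was forwarded to and then re-entered on."""
    found = []
    for prev, cur in zip(events, events[1:]):
        if (prev["kind"] == "forward" and cur["kind"] == "route"
                and prev["out_if"] == cur["in_if"] and prev["dst"] == cur["dst"]):
            found.append(cur["in_if"])
    return found
```

`hairpins(parse(WITH_NAT))` names Loopback104, while the last event of `parse(WITHOUT_NAT)` is a local receive with no output interface.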

Here is the lab layout:

Yes, I agree with you.....for these reasons I can guess Outside->Inside and Inside->Outside NAT translations are performed by IOS on the software interface where ip nat outside is configured...
