Hiding SrcIP/DestIP for two networks (both ways) on one router

cristip
Level 1

We have to deploy client routers that would connect them to one of our servers. There are situations when the private IP range the client side is using may conflict with our IP ranges.

What I want is to completely isolate the two IP ranges and to hide them from each other.

The configuration of the

15 Replies

Jon Marshall
Hall of Fame

Hi

I actually thought what you had done should work so I emulated it in our lab. Note that I didn't use any of the route-map configuration but I managed to get the same problem as you.

I think the issue is the loopback 9 interface. If I removed the loopback9 interface the ping worked fine from the 172.16.9.2 server to the 172.16.8.2 client. If I put the loopback9 interface back in it stopped working again.

Now as I say I wasn't using your route-map config so you may need to use loopbacks. I suspect it is a routing/NAT order issue on the client router.

Let me know if I can try anything else out for you.

HTH

Jon

Hi

I tried to switch the inside and outside and I got the same result.

Did you try to NAT on just one loopback interface ?

I am not sure I understand what you did. Did you try 172.16.9.2 -> 10.2.2.1 and 172.16.8.2 -> 10.1.1.2? This is what I need to obtain.

Thank you

Cristian

Cristian

Have to nip into meeting.

Should that be 172.16.9.2 -> 10.2.2.2, not 10.2.2.1?

All I did was remove the loopback interface 9 from the config on the router.

Will have another look when I get out.

Jon

Yes sorry for that.

My mistake.

I tried the scenario this morning with one loopback interface and these settings:

interface vlan 1
 ip nat inside
interface fastethernet 4
 ip nat inside
interface loopback 0
 ip nat outside
 ip address 10.3.3.1 255.255.255.0
ip nat inside source static 172.16.8.2 10.3.3.8
ip nat inside source static 172.16.9.2 10.3.3.9

I am still using the route maps to force the traffic to go through the loopback 0.

What I am seeing is this:

Mar 3 18:48:33.173: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:33.173: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44106]
*Mar 3 18:48:33.173: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44106]
*Mar 3 18:48:33.173: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, rcvd 6
*Mar 3 18:48:33.173: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:33.173: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44106]
*Mar 3 18:48:33.1: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44106]
*Mar 3 18:48:33.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:33.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending
*Mar 3 18:48:34.173: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:34.177: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44107]
*Mar 3 18:48:34.177: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44107]
*Mar 3 18:48:34.177: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, rcvd 6
*Mar 3 18:48:34.177: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:34.177: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44107]
*Mar 3 18:48:34.177: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44107]
*Mar 3 18:48:34.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:34.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending
*Mar 3 18:48:35.177: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:35.177: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44108]
*Mar 3 18:48:35.177: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44108]
*Mar 3 18:48:35.177: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, rcvd 6
*Mar 3 18:48:35.177: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:35.177: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44108]
*Mar 3 18:48:35.177: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44108]
*Mar 3 18:48:35.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:35.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending
*Mar 3 18:48:36.177: IP: tableid=0, s=172.16.8.2 (Vlan1), d=10.3.3.9 (Loopback0), routed via RIB
*Mar 3 18:48:36.177: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44109]
*Mar 3 18:48:36.177: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44109]
*Mar 3 18:48:36.177: IP: s=10.3.3.8 (Vlan1), d=10.3.3.9, len 60, recv 6
*Mar 3 18:48:36.177: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:36.177: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44109]
*Mar 3 18:48:36.177: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44109]
*Mar 3 18:48:36.177: IP: tableid=0, s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), routed via FIB
*Mar 3 18:48:36.177: IP: s=10.3.3.9 (local), d=172.16.8.2 (Vlan1), len 60, sending
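A small parser for `debug ip nat` output of the kind quoted above, added here as an example and not part of the original thread. It pairs each packet id's inbound translation with its outbound one and flags flows that were translated on the way in but never on the way out, which is exactly the "return traffic didn't go any further" symptom this thread is chasing. The sample lines are a constructed excerpt in the same format as the output above; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the IOS "debug ip nat" lines quoted in the thread.
# Packet 44106 is translated in and out; packet 44107 only ever goes in.
SAMPLE = """\
*Mar 3 18:48:33.173: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44106]
*Mar 3 18:48:33.173: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44106]
*Mar 3 18:48:33.173: ICMP: echo reply sent, src 10.3.3.9, dst 10.3.3.8
*Mar 3 18:48:33.173: NAT: o: icmp (10.3.3.9, 1024) -> (10.3.3.8, 1024) [44106]
*Mar 3 18:48:33.177: NAT: s=10.3.3.9, d=10.3.3.8->172.16.8.2 [44106]
*Mar 3 18:48:34.177: NAT: i: icmp (172.16.8.2, 1024) -> (10.3.3.9, 1024) [44107]
*Mar 3 18:48:34.177: NAT: s=172.16.8.2->10.3.3.8, d=10.3.3.9 [44107]
"""

# "NAT: i: icmp (src, port) -> (dst, port) [id]" gives the direction (i = inside->outside, o = the reverse)
DIRECTION = re.compile(
    r"NAT: (?P<dir>[io]): \w+ \((?P<sip>[\d.]+), \d+\) -> \((?P<dip>[\d.]+), \d+\) \[(?P<id>\d+)\]"
)
# "NAT: s=A->B, d=C [id]" or "NAT: s=A, d=C->D [id]" gives the actual rewrite
XLATE = re.compile(
    r"NAT: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<id>\d+)\]"
)


def parse_nat_debug(text):
    """Return {packet_id: {"i"|"o": (src_before, src_after, dst_before, dst_after)}}.

    The rewrite line carries no direction marker, so each one is attributed to the
    most recent "NAT: i:" / "NAT: o:" line seen for the same packet id.
    """
    flows = defaultdict(dict)
    last_dir = {}
    for line in text.splitlines():
        m = DIRECTION.search(line)
        if m:
            last_dir[m["id"]] = m["dir"]
            continue
        m = XLATE.search(line)
        if m:
            direction = last_dir.get(m["id"], "?")
            flows[m["id"]][direction] = (m["s"], m["s2"] or m["s"], m["d"], m["d2"] or m["d"])
    return dict(flows)


def incomplete_flows(flows):
    """Packet ids translated on the way in but never on the way out."""
    return sorted(pid for pid, ev in flows.items() if "i" in ev and "o" not in ev)


def asymmetric_flows(flows):
    """Packet ids whose outbound rewrite does not undo the inbound source rewrite."""
    bad = []
    for pid, ev in flows.items():
        if "i" in ev and "o" in ev:
            s_before, s_after, _, _ = ev["i"]
            _, _, d_before, d_after = ev["o"]
            if (d_before, d_after) != (s_after, s_before):
                bad.append(pid)
    return sorted(bad)


if __name__ == "__main__":
    parsed = parse_nat_debug(SAMPLE)
    for pid, ev in parsed.items():
        print(pid, ev)
    print("no return translation:", incomplete_flows(parsed))
    print("asymmetric:", asymmetric_flows(parsed))
```

Run against a real capture, `incomplete_flows` narrows a long debug to the packet ids worth tracing with `debug ip packet`, and `asymmetric_flows` catches the case where two overlapping static entries rewrite the reply to something other than the original source.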

Hi

Sorry for the delay in replying.

What I did was to copy all your config with the exception of the route-maps. I assumed you were using the loopback interfaces so that the networks would be propagated into your IGP.

When I tested I got the same results as you. I could see the NAT working but when the return traffic from the client hit the client router it didn't go any further. I think, although I'm guessing, that it was due to an issue with the routing/NAT order.

So I removed loopback 9. The loopback8 interface is still needed. I left the NAT statements as they were.

It now works, both ways. I can ping from the client 172.16.8.2 to the server 172.16.9.2 and vice versa.

Now if you want I can add in your route-map config, but my question is: do you really need this?

Let me know

HTH

Jon

Hi Jon

Thank you for helping me with this.

Can you please verify what source address is seen by each end? My target was to hide 172.16.8.2 from 172.16.9.2 and vice versa.

In other words, the client router is intended to completely isolate any two network ranges I may have on each side.

When you configure such a router all you have to do is to conveniently select the IPs on each interface of the router so that you won't have a conflict with any side.

Thank you

Cristian

Hi Cristian

When I ping from 172.16.9.2 to 172.16.8.2 the source address that 172.16.8.2 sees is 10.1.1.2.

When I ping from 172.16.8.2 to 172.16.9.2 the source address that 172.16.9.2 sees is 10.2.2.2.

In effect the 2 networks 172.16.9.x and 172.16.8.x are completely unaware of each other, which I believe is what you are trying to achieve.

I'm not at work now until next Wednesday so I can't access the lab where I tried this out, but if I can help in any other way let me know.

If need be, next Wednesday I can send you my exact configs.

HTH

Jon

The idea is to ping 10.2.2.2 from 172.16.9.2 and 10.1.1.2 from 172.16.8.2.

When you ping from 172.16.9.2 to 10.2.2.2 the source address that 172.16.8.2 sees is 10.1.1.2.

When you ping from 172.16.8.2 to 10.1.1.2 the source address that 172.16.9.2 sees is 10.2.2.2.

Keep in mind that the two networks do not know anything about each other; when you ping 172.16.8.2 (the client) you may reach someone else.

Sorry Cristian, I should have been more specific.

1) From 172.16.9.2 I ping 10.2.2.2. When it gets to the client router, 10.2.2.2 gets changed to 172.16.8.2 and 172.16.9.2 gets changed to 10.1.1.2.

2) From 172.16.8.2 I ping 10.1.1.2. When it goes through the client router, 172.16.8.2 gets changed to 10.2.2.2 and 10.1.1.2 gets changed to 172.16.9.2.

I think I just didn't explain clearly enough in my previous post.

Jon

Thanks Jon

I will give it a try on Monday then.

Cristian

Cristian

Attached is a doc explaining the order of operation in NAT.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Key thing to note is:

When packets go from NAT inside to NAT outside, routing is first, then NAT.

When packets go from the NAT outside to the NAT inside interface, NAT is first, then routing.

I think this explains what we were both seeing.

When you ping 10.2.2.2 from 172.16.9.2, the traffic, when it gets to the client router, goes from the outside to the inside. So 172.16.9.2 becomes 10.1.1.2 and 10.2.2.2 becomes 172.16.8.2. Then it routes the packet to 172.16.8.2.

When 172.16.8.2 replies to 10.1.1.2 this traffic goes from the inside to the outside, so routing is done first. But you have a loopback9 interface for 10.1.1.1 255.255.255.0 on your client router, so it never leaves your client router.

I can't remember, but in my lab I believe that I had a default route coming from the router that connects to 172.16.9.2. So when I removed the loopback9 interface the router looked up the route for 10.1.1.2, didn't find an entry but did find the default route, then NATted 10.1.1.2 back to 172.16.9.2 and NATted 172.16.8.2 to 10.2.2.2 and sent the packet.

I will only be able to confirm that I do have a default route in my lab in the middle of next week, but I'm assuming there is one as the above seems to explain the behaviour we were seeing.

If you didn't want a default route I think you would have to propagate a route from the router attached to 172.16.9.2 for the 10.1.1.0/24 network. I will try this next week.

Let me know how you get on

HTH

Jon

Hi Jon

I tried your config in my lab at home. It didn't work. So let's recap what I know:

- you tested the config with one loopback

- you didn't use route-maps

- as per my config the router has no reason to route the packets going from 172.16.9.0 to 172.16.8.0 through the loopback interface, and because of this the NAT is not performed

This was confirmed by my test this morning.

How did you get the packets NATted back and forth?

Thank you

Cristian

Hi Cristian

I need to look at my lab at work on Monday to be sure, but from memory:

server 172.16.9.2 -> router1 (172.16.9.1 / 172.16.1.9) -> router2 (172.16.1.10 / 172.16.8.1) -> client 172.16.8.2

1) router1 is advertising a default route to router2

2) on router2 the following NAT statements are set up:

ip nat inside source static 172.16.8.2 10.2.2.2
ip nat outside source static 172.16.9.2 10.1.1.2

3) router2 has a loopback interface: loopback8 10.2.2.1/24

This is needed to advertise the 10.2.2.0/24 network to router1.

I'll check this out on Monday. I will also get rid of the default route and advertise a route for 10.1.1.0 from router1.

HTH

Jon

** Edit: sorry, the diagram didn't come out very well

172.16.9.2 = server

172.16.9.1 / 172.16.1.9 = router1

172.16.1.10 / 172.16.8.1 = router2

172.16.8.2 = client **
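The order-of-operations rule from Jon's earlier post and the router2 setup listed above can be checked against a small model. This is an added example and not the lab configuration from the thread: it models router2 with an outside interface toward router1, an inside interface toward the client, loopback8, an optional loopback9 and an optional default route learned from router1. The interface names Fa0 and Fa4, the function names and the "dropped" labels are my assumptions. Inside-to-outside packets are routed before translation and outside-to-inside packets after, which is enough to reproduce why the reply to 10.1.1.2 dies while loopback9 exists and why loopback8 does no harm.

```python
"""Toy model of the Cisco IOS NAT order of operations discussed in the thread.

Rule modelled (from the Cisco tech note linked above):
  inside -> outside : route first, then translate
  outside -> inside : translate first, then route
Addresses follow the lab in the thread; router2 is the client router.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    network: str               # connected prefix, e.g. "172.16.8.0/24"
    nat: Optional[str] = None  # "inside", "outside" or None
    loopback: bool = False


@dataclass
class Route:
    prefix: str
    interface: str             # egress interface name
    next_hop: Optional[str] = None


@dataclass
class Router:
    interfaces: Dict[str, Interface]
    routes: List[Route]        # learned/static routes; connected routes come from the interfaces
    inside_static: Dict[str, str] = field(default_factory=dict)   # ip nat inside source static LOCAL GLOBAL
    outside_static: Dict[str, str] = field(default_factory=dict)  # ip nat outside source static GLOBAL LOCAL

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over connected plus configured routes."""
        candidates = [Route(i.network, i.name) for i in self.interfaces.values()] + self.routes
        matches = [r for r in candidates if ip_address(dst) in ip_network(r.prefix)]
        return max(matches, key=lambda r: ip_network(r.prefix).prefixlen, default=None)

    def _route(self, dst: str):
        route = self.lookup(dst)
        if route is None:
            return "dropped: no route", None
        egress = self.interfaces[route.interface]
        if egress.loopback:
            # A connected loopback wins the lookup, so the packet is handed to the
            # router itself and never leaves: the thread's loopback9 symptom.
            return "dropped: routed to local loopback", egress
        return "sent", egress

    def forward(self, src: str, dst: str, ingress: str) -> Tuple[str, str, str, Optional[str]]:
        """Return (outcome, src, dst, egress) for a packet arriving on `ingress`."""
        role = self.interfaces[ingress].nat
        if role == "inside":
            # Inside -> outside: the routing decision uses the UNtranslated destination.
            outcome, egress = self._route(dst)
            if outcome == "sent" and egress.nat == "outside":
                src = self.inside_static.get(src, src)                                     # local -> global
                dst = {loc: glob for glob, loc in self.outside_static.items()}.get(dst, dst)  # local -> global
            return outcome, src, dst, egress.name if egress else None
        if role == "outside":
            # Outside -> inside: translate first, then route on the translated destination.
            dst = {glob: loc for loc, glob in self.inside_static.items()}.get(dst, dst)  # global -> local
            src = self.outside_static.get(src, src)                                      # global -> local
        outcome, egress = self._route(dst)
        return outcome, src, dst, egress.name if egress else None


def build_router2(with_loopback9: bool, default_route: bool = True) -> Router:
    """router2 from the thread. Fa0 toward router1 (NAT outside), Fa4 toward the client (NAT inside)."""
    ifaces = {
        "Fa0": Interface("Fa0", "172.16.1.0/24", "outside"),
        "Fa4": Interface("Fa4", "172.16.8.0/24", "inside"),
        "Loopback8": Interface("Loopback8", "10.2.2.0/24", loopback=True),  # advertises 10.2.2.0/24
    }
    if with_loopback9:
        ifaces["Loopback9"] = Interface("Loopback9", "10.1.1.0/24", loopback=True)
    routes = [Route("0.0.0.0/0", "Fa0", "172.16.1.9")] if default_route else []  # default from router1
    return Router(ifaces, routes,
                  inside_static={"172.16.8.2": "10.2.2.2"},
                  outside_static={"172.16.9.2": "10.1.1.2"})


def trace(with_loopback9: bool, default_route: bool = True):
    """Server pings 10.2.2.2, client replies to 10.1.1.2. Returns (request, reply) outcomes."""
    r2 = build_router2(with_loopback9, default_route)
    request = r2.forward("172.16.9.2", "10.2.2.2", ingress="Fa0")
    reply = r2.forward("172.16.8.2", "10.1.1.2", ingress="Fa4")
    return request, reply


if __name__ == "__main__":
    for lb9 in (True, False):
        req, rep = trace(lb9)
        print(f"loopback9={lb9}: request {req}")
        print(f"                reply   {rep}")
```

With loopback9 present the request still arrives at the client as 10.1.1.2 -> 172.16.8.2, but the reply is routed into Loopback9 before NAT ever sees it; without loopback9 the default route carries it to Fa0 and it leaves as 10.2.2.2 -> 172.16.9.2. Dropping the default route too gives "no route", which is why a 10.1.1.0/24 route from router1 would be needed in that case.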

Cristian

Did you get anywhere on this?

Jon
