IP NAT outside.

johnleeee
Level 1

Hi all,

I'd like to ask someone for help with a NAT configuration. I'd like to publish a source PC in a reverse manner but I don't know how. Reverse manner means the following:

source-->router1--->(ip nat outside)router2(ip nat inside)--->router3--->destination

--> means some IP range

Communication should flow from source to destination.

What I want to see is a communication from source translated to IP range of router R2 on inside.

Is there any solution? Please, could someone send me a functional configuration?

Any idea?

jl

31 Replies

:( ------------:((((((

So it does seem to be more complicated than anyone would think ah?

Edison, by any means, if you have to redo this 1841 configuration from scratch, please go ahead.

Main things we want are:

1)internet connectivity via ISP1

2)if ISP1 fails, router will re-route to ISP2

3)LAN-to-LAN tunnel with the 10.21.30.0 up.

As you already saw in the config, IP SLA works and internet connectivity works, so again, it is the tunnel.

If, when in failover mode, the tunnel does not fail over to ISP2, that is no problem. It is already a big issue to get it fixed via ISP1, so we don't want to have more nightmares, especially when it is not even working via ISP1 to begin with.

I was on-site and waiting :( but np. please let me know once we get it. You have my info.

Thank you very much again for your help. I really appreciate it.

Angel,

Please remain working with TAC since I'm working with other projects and I do this as volunteer in my spare time.

If this is a bug, TAC has the ability to contact the right people to address this issue.

I was trying to see if something was missing but based on your requirements, it's not a simple configuration and it will take some time on a proper design.

np again.

But I still think it is simple. There aren't really any requirements outside of a very simple configuration: LAN-to-LAN tunnel with overlapping networks.

If anyone can shed some light on this, that will be more than helpful.

The thing that kills me is that I have this implementation between a pix and an ASA and it took 2 lines on the pix. I thought routers would be easier.

ap

Ok,

I got it working by decreasing the NAT timers:

_____________

Here is what the host receives when the destination is a network other than 10.21.30.0/24.

The source represents the overload F0/0 address.

*Mar 1 01:50:34.187: IP: tableid=0, s=66.11.203.209 (Vlan1), d=10.0.2.1 (Loopback2), routed via RIB

*Mar 1 01:50:34.191: IP: s=66.11.203.209 (Vlan1), d=10.0.2.1, len 100, rcvd 4

*Mar 1 01:50:34.195: IP: tableid=0, s=10.0.2.1 (local), d=66.11.203.209 (Vlan1), routed via FIB

*Mar 1 01:50:34.199: IP: s=10.0.2.1 (local), d=66.11.203.209 (Vlan1), len 100, sending

*Mar 1 01:50:34.547: IP: tableid=0, s=66.11.203.209 (Vlan1), d=10.0.2.1 (Loopback2), routed via RIB

Now it shows the NAT'd address as the source, with destination 10.21.30.254.

*Mar 1 01:50:36.763: IP: tableid=0, s=10.12.0.254 (Vlan1), d=10.21.30.254 (Vlan1), routed via RIB

*Mar 1 01:50:36.767: IP: s=10.12.0.254 (Vlan1), d=10.21.30.254 (Vlan1), len 100, rcvd 3

*Mar 1 01:50:36.771: IP: tableid=0, s=10.21.30.254 (local), d=10.12.0.254 (Vlan1), routed via FIB

*Mar 1 01:50:36.775: IP: s=10.21.30.254 (local), d=10.12.0.254 (Vlan1), len 100, sending

*Mar 1 01:50:37.251: IP: tableid=0, s=10.12.0.254 (Vlan1), d=10.21.30.254 (Vlan1), routed via RIB

*Mar 1 01:50:37.255: IP: s=10.12.0.254 (Vlan1), d=10.21.30.254 (Vlan1), len 100, rcvd 3

*Mar 1 01:50:37.259: IP: tableid=0, s=10.21.30.254 (local), d=10.12.0.254 (Vlan1), routed via FIB

________________________

These are the changes in your config:

ip nat pool NET10 10.12.0.0 10.12.0.254 prefix-length 24 type match-host

ip nat inside source list NET192-TO-NET10 pool NET10

ip access-list extended NET192-TO-NET10

permit ip 192.168.1.0 0.0.0.255 10.21.30.0 0.0.0.255

ip nat translation timeout 2

ip nat translation tcp-timeout 2

ip nat translation udp-timeout 2

ip nat translation icmp-timeout 2

impossible.... too good to be true. :) ---

I will go ahead and implement it right away.

I happen to just be reading something about NAT time-outs when I read your post.

With these changes, are we 100% sure that everything else will continue to work as it is? I mean the inside (192.168.1.0/24) properly going to the internet and also the email server on the inside properly getting its traffic on port 25?

I just want to make sure.

Edison, thank you again.

I don't see any static NAT for port 25 in your config. A NAT timeout of 2 seconds will create a problem with the translation for email.

The only 2 static translations I see are for ports 20 and 21.

There is a line "ip nat inside source static tcp 192.168.1.3 25 66.11.203.210 25 route-map ISP1 extendable" and another one "access-list 100 permit tcp any host x.x.x.x eq smtp" that take care of the email server.

I guess you don't call it static NAT, but rather port forwarding, right? Please confirm if I am correct.

I forgot to ask you if I should continue with the implementation... will the email server still be able to act normally after these lines?

I did an implementation recently where the client had problems with email with the NAT timeout being too low.

Changing the timeout back to 60 seconds fixed it.

The problem with having a timeout so high is that the traffic will continue to use the pool list instead of the overload.

I suggest you try it and see if your email server is susceptible to this change.

If you really want to do this the right way, place a device before the 1841 just doing the NAT for network 10.21.30.0/24 and let the 1841 do the NAT for overload.

That is not in the config you sent to TAC.

See attached:

Edison, here's the current one.

Edison, I just finished and it works but only in one direction: from the 1841 to the ASA.

These are the lines I added to the config that I just sent you:

ip nat pool NET-10 10.12.0.0 10.12.0.254 prefix-length 24 type match-host

ip access-list extended NET192-TO-NET10

permit ip 192.168.1.0 0.0.0.255 10.21.30.0 0.0.0.255

ip nat translation timeout 2

ip nat translation tcp-timeout 2

ip nat translation udp-timeout 2

ip nat translation icmp-timeout 2

ip nat inside source list NET192-TO-NET10 pool NET-10

Again, I added these lines to the current running config (the one I just updated you with).

Do I need to add other lines or modify some? Like the ones for the interesting traffic; they currently show as "access-list 190 deny ip 192.168.1.0 0.0.0.255 10.21.30.0 0.0.0.255" and the other, which is applied to the crypto map, "permit ip 192.168.1.0 0.0.0.255 10.21.30.0 0.0.0.255".

Let me know.

It didn't work. Every time a PC from the 192.168.1.0 side made a connection to the 10.21.30.0 side (by a simple ping, for example), "ip sh nat tr" showed that the 192.168.1.3 device had a one-to-one translation to 10.12.0.3. The ping was successful.

So all good. However, when that same 192.168.1.3 host tried to communicate with the outside world, this is what was happening: it was timing out, it never really made a connection.

Also, when the ping was established from the 1841 side, the host was indeed pingable from the ASA side, but again, the 192.68.1.3 host couldn't communicate with anything else but the tunnel.

Bottom line is that it doesn't work :(

Any idea why this behavior?
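As an added illustration (not from the thread, Cisco IOS, or anyone posting here), a small Python model of the behaviour described above: the match-host pool gives 192.168.1.3 the address 10.12.0.3 for the tunnel, and while that address-only entry is alive it is reused for internet-bound traffic too, which is why the short translation timeout mattered. It assumes that simplified reuse rule; the destination 198.51.100.10 is a constructed internet address.

```python
import ipaddress

# Constructed, simplified model of the 1841 NAT behaviour discussed in the thread (not IOS code).
# The policy ACL and pool come from the posted config; the overload address is the F0/0
# address seen as the source in the posted debug output.
ACL_SRC = ipaddress.ip_network("192.168.1.0/24")   # access-list NET192-TO-NET10, source
ACL_DST = ipaddress.ip_network("10.21.30.0/24")    # access-list NET192-TO-NET10, destination
POOL = ipaddress.ip_network("10.12.0.0/24")        # ip nat pool NET10 ... type match-host
OVERLOAD_IP = "66.11.203.209"                      # PAT address for everything else


def match_host(inside_local: str) -> str:
    """type match-host keeps the host bits and swaps in the pool's network bits."""
    host_bits = int(ipaddress.ip_address(inside_local)) & int(POOL.hostmask)
    return str(ipaddress.ip_address(int(POOL.network_address) | host_bits))


class NatTable:
    """Dynamic pool entries are address-only translations with an idle timeout."""

    def __init__(self, timeout_s: int):
        self.timeout_s = timeout_s
        self.entries = {}  # inside local -> [inside global, last-used time]

    def translate(self, src: str, dst: str, now: float):
        """Return (translated source, 'pool' or 'overload') for an inside->outside packet."""
        entry = self.entries.get(src)
        if entry and now - entry[1] > self.timeout_s:
            del self.entries[src]  # idle entry aged out (ip nat translation timeout)
            entry = None
        if entry:
            # Assumption modelled here: an existing address-only pool entry is reused for
            # every packet from that host, so internet-bound traffic also leaves as 10.12.0.x.
            entry[1] = now
            return entry[0], "pool"
        if ipaddress.ip_address(src) in ACL_SRC and ipaddress.ip_address(dst) in ACL_DST:
            inside_global = match_host(src)
            self.entries[src] = [inside_global, now]
            return inside_global, "pool"
        return OVERLOAD_IP, "overload"


def replay(timeout_s: int):
    """Ping the tunnel peer at t=0, then try the internet at t=1 and again at t=4."""
    nat = NatTable(timeout_s)
    tunnel = nat.translate("192.168.1.3", "10.21.30.254", now=0)
    internet_soon = nat.translate("192.168.1.3", "198.51.100.10", now=1)
    internet_later = nat.translate("192.168.1.3", "198.51.100.10", now=4)
    return tunnel, internet_soon, internet_later
```

With a 2-second timeout the second internet attempt falls back to the overload address; with the 60-second timeout mentioned for the email server it still leaves as 10.12.0.3.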

Angel,

You are bringing a new set of requirements along with a different configuration.

Sorry, I don't have the equipment to duplicate your scenario anymore, it was a loaner.

I will step out of this thread and let someone else help you or continue working with TAC.

Edison, I got it working. I remembered an old dirty trick one Cisco guy had suggested. Last night we went ahead and tried it and it worked.

All good.

Thank you for the help.

ap
