I have a problem with a NAT configuration. It is somewhat similar to the 'NAT-on-a-stick' situation, with NAT done on a loopback interface.
I have a simple network with 2 hosts connected to 2 FastEthernet ports of a router, and one loopback interface on that router. NAT has to be done inside the router, before exiting to the 'public' network.
I send a ping from the 'private' to the 'public' host, and the traffic goes into the router, is forwarded by policy routing to the loopback, then NATed, and routed to the 'public' network. Just fine.
The problem is that the reply from the 'public' host (and any other traffic as well) comes into the router, but is never NATed back to the private address, so my 'private' host never gets an answer.
I attached an image, the config of the router, and the outputs of some show and debug commands.
Thank you in advance.
Can I ask why you are policy routing through the loopback interface?
If you modify the config as follows
1) Move the "ip nat outside" statement from the loopback interface to the fa0/1 interface.
2) Remove the "ip policy route-map .. " config from fa0/0
then it should work.
If I have misinterpreted your requirements, please let me know.
Yes, it should work in the simple case, but I have a situation where my traffic must be NATed before going out the fa0/1 interface, and 'ip nat outside' is not an option for other reasons (the real network is not this simple; there are other issues why 'ip nat outside' cannot be on this fa0/1).
Very interesting, something I haven't come across before. It's a pity you don't divulge more about the real network.
I would like to lab this but can't at the moment; looking at the debugs, the next thing I'd attempt would be policy routing in the reverse direction.
access-list 2 deny 10.10.10.0 0.0.0.255
access-list 2 permit any
route-map Nat-fast permit 10
match ip address 2
set interface FastEthernet0/0
ip policy route-map Nat-fast
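A complete NAT-on-a-stick configuration in the spirit of the reverse policy-routing suggestion above, written here as an added example (it is not the poster's configuration, which is not reproduced on this page, nor the replier's lab): the loopback stays the only 'ip nat outside' interface, fa0/0 policy-routes private-sourced traffic into it so it is translated on the way out, and fa0/1 policy-routes only the return traffic addressed to the NAT address back into it, so everything else crossing fa0/1 never touches NAT. All addresses are assumed (10.10.10.0/24 is the subnet used in access-list 2 above; 192.0.2.0/24 for the 'public' side, 192.0.2.100 as the single overloaded pool address, and Loopback1's address are made up for the example), as are the ACL numbers and route-map names.

```cisco
! Added example, not the poster's configuration. Assumed addressing:
!   10.10.10.0/24  private LAN behind fa0/0 (taken from access-list 2 above)
!   192.0.2.0/24   'public' side on fa0/1
!   192.0.2.100    the one address in the NAT pool (PAT / overload)
!   Loopback1      the only 'ip nat outside' interface; nothing lives there,
!                  policy routing is what pushes packets through it
!
interface Loopback1
 description NAT outside hop
 ip address 10.255.255.1 255.255.255.255
 ip nat outside
!
interface FastEthernet0/0
 description private LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ! outbound: private-sourced packets are sent to the loopback, where the
 ! inside->outside translation happens, and are then routed out fa0/1
 ip policy route-map Nat-out
!
interface FastEthernet0/1
 description public side, deliberately NOT 'ip nat outside'
 ip address 192.0.2.1 255.255.255.0
 ! return: only packets addressed to the pool address are pushed back
 ! through the loopback for the outside->inside translation; all other
 ! traffic arriving on fa0/1 is forwarded normally and never sees NAT
 ip policy route-map Nat-return
!
ip nat pool NATPOOL 192.0.2.100 192.0.2.100 netmask 255.255.255.0
ip nat inside source list 1 pool NATPOOL overload
!
! hosts that get translated
access-list 1 permit 10.10.10.0 0.0.0.255
! return traffic to the pool address only; anything else falls through
! the route-map (implicit deny) and takes the ordinary routed path
access-list 102 permit ip any host 192.0.2.100
!
route-map Nat-out permit 10
 match ip address 1
 set interface Loopback1
!
route-map Nat-return permit 10
 match ip address 102
 set interface Loopback1
!
! Checks after a ping from 10.10.10.x to a host on 192.0.2.0/24:
!   show ip nat translations     -> entries 10.10.10.x <-> 192.0.2.100
!   show route-map Nat-return    -> policy-matched counter grows only for
!                                   packets destined to 192.0.2.100
!   debug ip nat                 -> both s=10.10.10.x->192.0.2.100 and
!                                   d=192.0.2.100->10.10.10.x lines appear
```

The reason for the narrow access-list 102 is the CPU concern raised later in this thread: the route-map on fa0/1 only has to classify packets, and only those addressed to the pool address are diverted, whereas 'ip nat outside' on fa0/1 would subject every packet leaving that interface to NAT processing. On a platform that forwards in hardware, whether a 'set interface' pointing at a loopback keeps the diverted packets in the hardware path or punts them to software is platform-specific and should be checked against that platform's NAT and PBR documentation before relying on this in production.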
I have just seen your post. Thank you for the suggestion. I thought of this one too, but haven't tried it yet.
I hope you will see my other post; I attached a configuration I tried on a 2600 router, and this one worked fine, but the problem is still not solved, because it doesn't work on the 6500, where it should be.
By the way, I will try this reverse policy routing and let you know the results.
In the meantime, I hope you will have some comment about this working config, why it doesn't work on the 6500, and whether there is a way to make it work.
I have tried a slightly different config on a test platform with a 2600 router, and this one worked perfectly.
But when I put the configuration on the 6500, where it should be, nothing worked again.
I know a 2600 wouldn't be exactly a nice test platform for something that should work on a 6500, but it was all I've got :(
Does anyone know why?
Could this be caused by CEF, or something similar, or could this be some strange issue with the 6500 IOS...
Any suggestion would be appreciated.
If you don't mind, what is it that is stopping you from applying "ip nat outside" on the fa0/1 interface? If you give reasons, we can suggest alternatives.
As I said, the real situation is not this simple. On that device there are many, many interfaces, VLAN interfaces, and much, much more traffic.
The traffic from Fa0/0 in the image is, let's say, tiny compared to the traffic on the other interfaces, and putting 'ip nat outside' there meant the device processed every packet leaving the fa0/1 interface against the NAT ACL, no matter whether it was coming from fa0/0 or some other interface, causing the CPU to rise by an amount that is not acceptable.
That is why I am trying to solve the problem with this slightly more complicated config.
One update on this.
On the 6500, with this config, at one moment I accidentally put on fa0/1 an ACL that denied all traffic except traffic from the NAT pool IP, and at that moment NAT worked. When I removed it, or put permit any at the end, it didn't work again.
Maybe this info could help someone find out why it doesn't work, and how to make it work.
Can you furnish some debugs like
debug ip nat
debug ip packet ACL
sh ip nat translations
both during the working condition and the failure?
Unfortunately, I can't get this info for the working condition on the 6500, because I can't put the same ACL on the same interface again (it was put there accidentally).
From the 2600 I can get working info, but I don't know how relevant it is.
And the non-working info from the 6500 I will get as soon as I can.
Leave the config as it is, but put ip nat outside on interface FastEthernet 0/1.
Traffic that hits access-list 1 will be NATed on loopback1.
Return traffic goes directly to 126.96.36.199, without going through loopback1.