Policy-based NAT around loopback interface - can't get it to work...
Hi out there,
I need to be able to NAT a network on a router to circumvent some routing problems - we have a new DMZ which has to be isolated from the main network but has to be NATed into the same IP space.
I expected that this was a simple task: define a route-map and assign this route-map to the incoming interface, which would then take the traffic from that VLAN and loop it around a loopback interface to get it through a NAT outside interface.
This also works to some extent - when I ping I can see that my NAT statement works as expected - but when the reply is sent back it is dropped in the router somewhere.
The config of my NAT router is fairly simple:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface Loopback2
 ip address 192.168.20.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 126.96.36.199 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map To_loop2
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 188.8.131.52 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 192.168.10.0 255.255.255.0 184.108.40.206
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Loopback2 overload
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit icmp any any time-exceeded
!
route-map To_loop2 permit 10
 match ip address 1
 set interface Loopback2
!
When I do a ping with source IP 192.168.10.1, entering the router on F0/0, the following happens:
I ping from R1 to R3 with the source IP of Lo0 (192.168.10.1) and try to get it NATed around Lo2 on R2, where F0/0 is NAT inside and Lo2 is NAT outside. I expected this to be fairly simple because the concept is used in e.g. "lollipop" or "router on a stick" setups, but I cannot get it right. It is being NATed correctly as far as I can see, but the reply packet from R3 doesn't hit the correct return path - it is dropped somewhere in R2.
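Added example, not part of the original post: the return-path half that the posted configuration is missing, following the technique Cisco documents for "NAT on a stick". The reply from R3 arrives on FastEthernet0/1 addressed to 192.168.20.1, which is R2's own Loopback2 address, so the router consumes it locally and the outside-to-inside translation never runs. Policy-routing that reply into Loopback2 makes it enter the NAT outside interface, where the destination is translated back to 192.168.10.1 and then routed out FastEthernet0/0 via the existing static route. Only the interface names and the 192.168.x.x addresses from the posted config are reused; the access-list number 101 and the route-map name From_outside are assumed names chosen for this example.

```cisco
! Added example (assumed names: access-list 101, route-map From_outside).
! Complements the posted To_loop2 route-map on FastEthernet0/0; it does not
! replace it.
!
! With "overload" on an interface, every translated source becomes
! 192.168.20.1, so match exactly that host and nothing else on Fa0/1.
access-list 101 permit ip any host 192.168.20.1
!
! Policy-route the replies into Loopback2. Loopback2 is "ip nat outside",
! so the outside-to-inside translation happens there: the destination
! becomes 192.168.10.1 again and the packet is routed out FastEthernet0/0.
route-map From_outside permit 10
 match ip address 101
 set interface Loopback2
!
! Apply it on the interface where R3's replies arrive. Packets that do not
! match access-list 101 fall through to normal routing, unchanged.
interface FastEthernet0/1
 ip policy route-map From_outside
```

To verify, `show ip nat translations` should list 192.168.10.1 translated to 192.168.20.1 while the ping runs, `debug ip policy` should report each reply on Fa0/1 as policy-routed to Loopback2, and `debug ip nat` should now show both translation directions rather than only inside-to-outside. Two caveats: if a NAT pool is used instead of the interface address, access-list 101 must cover the whole pool; and because access-list 101 matches any source, rely on the overload translation table (which only passes inbound packets that match an existing entry) plus the DMZ's normal filtering, not on this ACL, to keep the DMZ isolated.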