Cisco Support Community
NAT translating Loopbacks and outside interface addresses

I have NAT set up on a 2501 with the Ethernet interface as ip nat inside and one serial interface as ip nat outside. But when I ping from the router, or do an extended ping using a loopback address, it NATs those too. I thought it should only NAT traffic from the inside interface. Can anyone explain? Here's the config:

!
interface Loopback0
 ip address 10.8.0.1 255.255.255.0
!
interface Loopback1
 ip address 10.9.0.1 255.255.255.0
!
interface Ethernet0
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 ip wccp web-cache group-listen
 ip authentication mode eigrp 2001 md5
 ip authentication key-chain eigrp 2001 eigrp-key
!
interface Serial0
 ip address 172.16.0.2 255.255.255.252
 ip access-group 102 in
 ip access-group 101 out
 ip accounting access-violations
 ip nat outside
 no fair-queue
 clockrate 1300000
!
interface Serial0.2
!
interface Serial1
 no ip address
 shutdown
!
router eigrp 2001
 redistribute static
 passive-interface Serial0
 network 10.1.0.0 0.0.0.255
 network 10.8.0.0 0.0.0.255
 network 10.9.0.0 0.0.0.255
 auto-summary
 no eigrp log-neighbor-changes
!
router bgp 200
 bgp log-neighbor-changes
 neighbor 10.1.0.2 remote-as 200
!
ip kerberos source-interface any
ip nat pool internet 128.129.0.1 128.129.0.1 netmask 255.255.255.0
ip nat inside source list 1 pool internet overload
ip nat inside source static 10.6.0.1 128.129.0.246
ip nat inside source static 10.4.0.1 128.129.0.245
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip http server
!
access-list 1 permit any

... and here's some output:

d2501#clear ip nat trans *
d2501#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 128.129.0.245      10.4.0.1           ---                ---
--- 128.129.0.246      10.6.0.1           ---                ---

d2501#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

d2501#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 128.129.0.1:8947  172.16.0.2:8947    1.1.1.1:8947       1.1.1.1:8947
icmp 128.129.0.1:8948  172.16.0.2:8948    1.1.1.1:8948       1.1.1.1:8948
icmp 128.129.0.1:8949  172.16.0.2:8949    1.1.1.1:8949       1.1.1.1:8949
icmp 128.129.0.1:8950  172.16.0.2:8950    1.1.1.1:8950       1.1.1.1:8950
icmp 128.129.0.1:8951  172.16.0.2:8951    1.1.1.1:8951       1.1.1.1:8951
--- 128.129.0.245      10.4.0.1           ---                ---
--- 128.129.0.246      10.6.0.1           ---                ---

d2501#ping
Protocol [ip]:
Target IP address: 1.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.8.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms

d2501#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 128.129.0.1:8947  172.16.0.2:8947    1.1.1.1:8947       1.1.1.1:8947
icmp 128.129.0.1:8948  172.16.0.2:8948    1.1.1.1:8948       1.1.1.1:8948
icmp 128.129.0.1:8949  172.16.0.2:8949    1.1.1.1:8949       1.1.1.1:8949
icmp 128.129.0.1:8950  172.16.0.2:8950    1.1.1.1:8950       1.1.1.1:8950
icmp 128.129.0.1:8951  172.16.0.2:8951    1.1.1.1:8951       1.1.1.1:8951
--- 128.129.0.245      10.4.0.1           ---                ---
--- 128.129.0.246      10.6.0.1           ---                ---
icmp 128.129.0.1:7425  10.8.0.1:7425      1.1.1.1:7425       1.1.1.1:7425
icmp 128.129.0.1:7426  10.8.0.1:7426      1.1.1.1:7426       1.1.1.1:7426
icmp 128.129.0.1:7427  10.8.0.1:7427      1.1.1.1:7427       1.1.1.1:7427
icmp 128.129.0.1:7428  10.8.0.1:7428      1.1.1.1:7428       1.1.1.1:7428
icmp 128.129.0.1:7429  10.8.0.1:7429      1.1.1.1:7429       1.1.1.1:7429
d2501#

The status shows that E0 is the only inside interface:

d2501#sh ip nat stat
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0
Inside interfaces:
  Ethernet0
Hits: 115  Misses: 54
Expired translations: 53
Dynamic mappings:
-- Inside Source
access-list 1 pool internet refcount 0
 pool internet: netmask 255.255.255.0
        start 128.129.0.1 end 128.129.0.1
        type generic, total addresses 1, allocated 0 (0%), misses 0

2 REPLIES

Re: NAT translating Loopbacks and outside interface addresses

The access-list is the problem. You allow "any". This will NAT all addresses on your private network. Solution: deny what NOT to NAT and allow what to NAT.


Re: NAT translating Loopbacks and outside interface addresses

Thanks for the response, but the way I understand it, and have implemented it before, the access-list is only supposed to be applied to interfaces with IP NAT INSIDE. The loopback does not have that, and the serial is configured IP NAT OUTSIDE. I know I can filter out the addresses I don't want, but I shouldn't have to if I want to NAT all packets coming in an INSIDE interface and going out an OUTSIDE interface.
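Two things a practitioner would want from this thread, as an added example (not code from either poster or from Cisco): a check that reads `show ip nat translations` against the running config and flags dynamic translations whose inside-local address is one of the router's own addresses (the 172.16.0.2 and 10.8.0.1 entries above, i.e. router-sourced traffic being translated), and a generator for the narrowed standard ACL the first reply proposes, which denies the router's own addresses and permits only the connected subnets behind `ip nat inside` interfaces instead of `permit any`. The config and translation-table samples are abridged from what is posted above; the criterion "inside-local equals an address the router holds" and the ACL shape are this example's own assumptions.

```python
"""Audit Cisco IOS NAT against 'show ip nat translations' output (added example).

Assumed inputs below are abridged from the config and output posted in the thread.
"""
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the posted config.
CONFIG = """\
interface Loopback0
 ip address 10.8.0.1 255.255.255.0
interface Loopback1
 ip address 10.9.0.1 255.255.255.0
interface Ethernet0
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
interface Serial0
 ip address 172.16.0.2 255.255.255.252
 ip nat outside
ip nat inside source list 1 pool internet overload
access-list 1 permit any
"""

# Constructed sample: one entry of each kind seen in the posted translation table.
SHOW_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 128.129.0.1:8947  172.16.0.2:8947    1.1.1.1:8947       1.1.1.1:8947
--- 128.129.0.245      10.4.0.1           ---                ---
icmp 128.129.0.1:7425  10.8.0.1:7425      1.1.1.1:7425       1.1.1.1:7425
"""


def parse_interfaces(config):
    """Map interface name -> {'addr': IPv4Interface or None, 'nat': 'inside'|'outside'|None}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"addr": None, "nat": None}
            continue
        if not line.startswith(" "):
            cur = None          # back at global configuration level
            continue
        if cur is None:
            continue
        m = re.match(r" ip address (\S+) (\S+)", line)
        if m:
            ifaces[cur]["addr"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r" ip nat (inside|outside)$", line)
        if m:
            ifaces[cur]["nat"] = m.group(1)
    return ifaces


def router_owned_addresses(ifaces):
    """Every address the router itself holds; traffic sourced from these is
    router-generated, not traffic that entered through an 'ip nat inside' interface."""
    return sorted(i["addr"].ip for i in ifaces.values() if i["addr"] is not None)


def inside_networks(ifaces):
    """Connected subnets behind 'ip nat inside' interfaces."""
    return [i["addr"].network for i in ifaces.values()
            if i["nat"] == "inside" and i["addr"] is not None]


def parse_translations(show):
    """Return (proto, inside_global, inside_local) per row, ports stripped."""
    rows = []
    for line in show.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 3:
            continue
        rows.append((parts[0], parts[1].split(":")[0], parts[2].split(":")[0]))
    return rows


def router_sourced_translations(config, show):
    """Dynamic translations whose inside-local address is one of the router's own
    addresses: the loopback and outside-interface pings seen in the thread."""
    owned = {str(a) for a in router_owned_addresses(parse_interfaces(config))}
    return [row for row in parse_translations(show)
            if row[0] != "---" and row[2] in owned]   # '---' rows are static mappings


def narrowed_acl(config, acl_number=1):
    """Standard ACL to replace 'permit any': deny the router's own addresses first,
    then permit only the connected inside subnets (the first reply's suggestion)."""
    ifaces = parse_interfaces(config)
    acl = [f"access-list {acl_number} deny host {a}" for a in router_owned_addresses(ifaces)]
    acl += [f"access-list {acl_number} permit {n.network_address} {n.hostmask}"
            for n in inside_networks(ifaces)]
    return acl


if __name__ == "__main__":
    for proto, iglobal, ilocal in router_sourced_translations(CONFIG, SHOW_NAT):
        print(f"router-sourced {proto} traffic from {ilocal} was translated to {iglobal}")
    print("\n".join(narrowed_acl(CONFIG)))
```

Run stand-alone it reports the two translations sourced from 172.16.0.2 and 10.8.0.1 and prints the replacement for `access-list 1`. Order matters in the generated ACL: the host denies must precede the subnet permit, since 10.1.0.1 (the Ethernet0 address) falls inside 10.1.0.0/24. The static mappings for 10.4.0.1 and 10.6.0.1 are not touched by list 1 at all, so narrowing the ACL leaves them unchanged.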
