01-07-2007 11:38 PM - edited 03-03-2019 03:17 PM
Hi all
We have two 2600 series routers and there is a weird thing.
Diagram is
PC --- Router#1 ------Router#2
Router#1 is doing a NAT translation.
The configuration is:
Router#1
!
interface fas0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
interface fas0/1
ip address 10.10.20.1 255.255.255.0
ip nat outside
!
ip nat inside source-list route-map test interface fas0/1 overload
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
route-map test
match access-list 100
!
Router#2
!
interface fas0/0
ip add 10.10.20.2 255.255.255.0
!
The problem is:
Normally this configuration works well, but unconditionally I added
a static NAT policy, which was
"ip nat inside source static 1.1.1.1 int fas0/1"
Of course, 1.1.1.1 is not a real interface's IP address.
Router#1# sh run
interface fas0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
interface fas0/1
ip address 10.10.20.1 255.255.255.0
ip nat outside
!
ip nat inside source static 1.1.1.1 int fas0/1
ip nat inside source-list route-map test interface fas0/1 overload
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
route-map test
match access-list 100
!
Then I tested the ping from Router#1:
Router#1#ping 10.10.20.2
.....
Suddenly, I couldn't ping from Router#1 to Router#2's interface, which is directly connected.
The debug result is:
*Mar 1 00:29:37.003: NAT*: o: icmp (10.10.20.2, 23) -> (10.10.20.1, 23) [10053]
*Mar 1 00:29:37.003: NAT*: s=10.10.20.2, d=10.10.20.1->1.1.1.1 [10053].
*Mar 1 00:29:38.999: NAT*: o: icmp (10.10.20.2, 23) -> (10.10.20.1, 23) [10056]
*Mar 1 00:29:38.999: NAT*: s=10.10.20.2, d=10.10.20.1->1.1.1.1 [10056].
*Mar 1 00:29:40.999: NAT*: o: icmp (10.10.20.2, 23) -> (10.10.20.1, 23) [10060]
*Mar 1 00:29:40.999: NAT*: s=10.10.20.2, d=10.10.20.1->1.1.1.1 [10060].
*Mar 1 00:29:42.999: NAT*: o: icmp (10.10.20.2, 23) -> (10.10.20.1, 23) [10063]
*Mar 1 00:29:42.999: NAT*: s=10.10.20.2, d=10.10.20.1->1.1.1.1 [10063].
*Mar 1 00:29:44.999: NAT*: o: icmp (10.10.20.2, 23) -> (10.10.20.1, 23) [10070]
*Mar 1 00:29:44.999: NAT*: s=10.10.20.2, d=10.10.20.1->1.1.1.1 [10070].
I think the ping fails because Router#1 tried to translate the reply from Router#2
to 1.1.1.1, due to the misconfigured NAT rule...
Why is this happening? This is a directly connected interface, which means that in this case
there is no need to translate....
TIA....
01-07-2007 11:59 PM
I can see that you have configured the IP on the fa0/0 interface on the router as 10.10.10.1, which means that you have assigned the 10.10.10.0/24 subnet to your LAN, and you are matching the same subnet in the ACL for NAT.
I'm not sure why you are creating a static NAT for the 1.1.1.1 IP, because it's not part of your LAN subnet 10.10.10.0/24.
Can you tell where this IP is connected in your network? If you are trying to create a static NAT for a device in your network, then it should have an address from the 10.10.10.0/24 subnet only.
01-08-2007 12:10 AM
Hi sourabhagarwal,
I see your point. That is totally by accident. I know I cannot use 1.1.1.1.
But I'd like to know the reason.
TIA...
01-08-2007 12:24 AM
Hi
I think this is how it should work. I think ICMP doesn't distinguish between a directly connected interface and a routed one. In an ICMP packet with the other end's IP as the source and Router1's IP as the destination, since your destination IP has a static translation, it gets redirected to that.
Hope this helps.
Regards,
vanesh k
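As an added example (not part of any post in this thread): a short Python parser for the `debug ip nat` translation lines quoted in the question, which flags packets addressed to one of the router's own interface addresses whose destination NAT rewrote. The function names and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# Matches the translation lines of `debug ip nat`, e.g.
#   NAT*: s=10.10.20.2, d=10.10.20.1->1.1.1.1 [10053]
# The "o: icmp (...)" lookup lines do not match and are skipped.
NAT_LINE = re.compile(
    r"NAT\*?: s=(?P<src>[\d.]+)(?:->(?P<src_new>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_new>[\d.]+))? \[(?P<ip_id>\d+)\]"
)

def parse_nat_debug(text):
    """Return one dict per translation line found in the debug text."""
    return [m.groupdict() for m in NAT_LINE.finditer(text)]

def self_destination_rewrites(text, router_addresses):
    """Count packets sent to the router itself whose destination was rewritten.

    Returns a Counter keyed by (original_dst, translated_dst).
    """
    own = set(router_addresses)
    hits = Counter()
    for entry in parse_nat_debug(text):
        if entry["dst_new"] and entry["dst"] in own:
            hits[(entry["dst"], entry["dst_new"])] += 1
    return hits

# First four lines are copied from the debug output in the question; the last
# line is constructed and shows an ordinary inside-to-outside source translation.
SAMPLE = """\
*Mar 1 00:29:37.003: NAT*: o: icmp (10.10.20.2, 23) -> (10.10.20.1, 23) [10053]
*Mar 1 00:29:37.003: NAT*: s=10.10.20.2, d=10.10.20.1->1.1.1.1 [10053].
*Mar 1 00:29:38.999: NAT*: o: icmp (10.10.20.2, 23) -> (10.10.20.1, 23) [10056]
*Mar 1 00:29:38.999: NAT*: s=10.10.20.2, d=10.10.20.1->1.1.1.1 [10056].
*Mar 1 00:29:41.100: NAT: s=10.10.10.5->10.10.20.1, d=10.10.20.2 [77]
"""

ROUTER1_ADDRESSES = ["10.10.10.1", "10.10.20.1"]  # from Router#1's config above

if __name__ == "__main__":
    hits = self_destination_rewrites(SAMPLE, ROUTER1_ADDRESSES)
    for (dst, new), count in hits.items():
        print(f"{count} packet(s) to router address {dst} rewritten to {new}")
```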
01-08-2007 12:33 AM
ip nat inside source route-map test interface fas0/1 overload
Put in the above NAT statement.
Hope it will work. Please rate it if it works.