From: Laurent on 2 Feb 2010 08:34

Hi!

My old 3640 router (192.168.254.1/24) just died. RIP.
I put in its place a 1600 (12.0 IOS) which does not work as an NTP server.

As all my computers connect to it to set their time and date, and since I have a second NTP server (192.168.254.13), I thought to do double NAT (source and destination) on the NTP port.

Of course, I only have one Ethernet interface, and only one net (192.168.254.0/24).

254.0/24 --> 254.1:ntp ==> 254.1 --> 254.13:ntp and back..

Here is the configuration I made:

interface Loopback0
 ip address 192.168.253.1 255.255.255.252
 ip nat inside
!
interface Ethernet0
 ip address 192.168.254.1 255.255.255.0
 ip nat outside
 ip policy route-map Ntp
!
ip nat inside source static udp 192.168.254.13 123 192.168.254.1 123
ip nat outside source static udp 192.168.254.1 123 192.168.254.13 123
!
access-list 101 permit udp any eq ntp host 192.168.254.1 eq ntp
route-map Ntp permit 10
 match ip address 101
 set ip next-hop 192.168.253.2

... but it doesn't work. It just does destination NAT, then packets don't return to the correct source, and of course they are dropped. :(

Could someone tell me what I've done wrong?

Thank you :)
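As an added illustration (not part of the thread), here is a small Python model of the flow described in the post on a single segment: with destination NAT alone the server answers the client directly, and the client discards a reply from 192.168.254.13 because it sent its request to 192.168.254.1:123; when the router also rewrites the source, the reply comes back through the router and both translations are undone. The client address 192.168.254.20 and the port numbers are constructed, and the model is generic hairpin NAT, not IOS's own translation logic.

```python
from dataclasses import dataclass
from itertools import count

# Addresses from the thread; the client address is constructed for the model.
CLIENT, ROUTER, NTP_SERVER, NTP = "192.168.254.20", "192.168.254.1", "192.168.254.13", 123

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class HairpinNat:
    # Simplified model of the 1600's NAT for the NTP flow, not IOS internals.
    def __init__(self, translate_source):
        self.translate_source = translate_source
        self.sessions = {}          # (translated src, sport) -> (client src, sport)
        self.ports = count(50000)   # PAT port pool used when the source is rewritten

    def forward(self, pkt):
        # Destination NAT: client -> 254.1:123 is redirected to the real server.
        if (pkt.dst, pkt.dport) != (ROUTER, NTP):
            return pkt
        if self.translate_source:   # source NAT too: the router becomes the sender
            src, sport = ROUTER, next(self.ports)
        else:                       # destination-only, as in the original post
            src, sport = pkt.src, pkt.sport
        self.sessions[(src, sport)] = (pkt.src, pkt.sport)
        return Packet(src, sport, NTP_SERVER, NTP)

    def reverse(self, pkt):
        # A server reply addressed to the router gets both translations undone.
        key = (pkt.dst, pkt.dport)
        if pkt.src == NTP_SERVER and key in self.sessions:
            client, cport = self.sessions.pop(key)
            return Packet(ROUTER, NTP, client, cport)
        return pkt

def simulate(translate_source):
    # One NTP request/reply on the single segment; returns (reply, client accepted it).
    nat = HairpinNat(translate_source)
    to_server = nat.forward(Packet(CLIENT, 40000, ROUTER, NTP))
    # The server answers whoever the datagram came from, on the same wire.
    reply = Packet(NTP_SERVER, NTP, to_server.src, to_server.sport)
    if reply.dst == ROUTER:         # only then does the router see the reply at all
        reply = nat.reverse(reply)
    # The client sent to 254.1:123 and accepts answers from that address:port only.
    accepted = reply.dst == CLIENT and (reply.src, reply.sport) == (ROUTER, NTP)
    return reply, accepted
```

Running `simulate(False)` reproduces the symptom in the post (the reply arrives from 192.168.254.13 and is rejected), while `simulate(True)` shows the reply returning from 192.168.254.1:123 as the client expects.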
From: bod43 on 3 Feb 2010 00:49

On 2 Feb, 13:34, Laurent <lpo...(a)alussinan.org> wrote:
> Hi!
>
> My old 3640 router (192.168.254.1/24) just died. RIP.
> I put in its place a 1600 (12.0 IOS) which does not work as an NTP server.
>
> As all my computers connect to it to set their time and date, and since
> I have a second NTP server (192.168.254.13), I thought to do double NAT
> (source and destination) on the NTP port.
>
> Of course, I only have one Ethernet interface, and only one net
> (192.168.254.0/24).
>
> 254.0/24 --> 254.1:ntp ==> 254.1 --> 254.13:ntp and back..
>
> Here is the configuration I made:
>
> interface Loopback0
>  ip address 192.168.253.1 255.255.255.252
>  ip nat inside
> !
> interface Ethernet0
>  ip address 192.168.254.1 255.255.255.0
>  ip nat outside
>  ip policy route-map Ntp
> !
> ip nat inside source static udp 192.168.254.13 123 192.168.254.1 123
> ip nat outside source static udp 192.168.254.1 123 192.168.254.13 123
> !
> access-list 101 permit udp any eq ntp host 192.168.254.1 eq ntp
> route-map Ntp permit 10
>  match ip address 101
>  set ip next-hop 192.168.253.2
>
> ... but it doesn't work. It just does destination NAT, then packets don't
> return to the correct source, and of course they are dropped. :(
>
> Could someone tell me what I've done wrong?
>
> Thank you :)

Maybe you should be using ip nat inside destination instead of outside source?

I have never understood the difference between outside source and inside dest. But then I think I have only done double NAT on Cisco once. Annoyingly it was my first ever NAT job and it hurt my head a lot - I still remember it after about twelve years though :)
From: bod43 on 3 Feb 2010 00:58

On 3 Feb, 05:49, bod43 <Bo...(a)hotmail.co.uk> wrote:
> On 2 Feb, 13:34, Laurent <lpo...(a)alussinan.org> wrote:
> > Hi!
> >
> > My old 3640 router (192.168.254.1/24) just died. RIP.
> > I put in its place a 1600 (12.0 IOS) which does not work as an NTP server.
> >
> > As all my computers connect to it to set their time and date, and since
> > I have a second NTP server (192.168.254.13), I thought to do double NAT
> > (source and destination) on the NTP port.
> >
> > Of course, I only have one Ethernet interface, and only one net
> > (192.168.254.0/24).
> >
> > 254.0/24 --> 254.1:ntp ==> 254.1 --> 254.13:ntp and back..
> >
> > Here is the configuration I made:
> >
> > interface Loopback0
> >  ip address 192.168.253.1 255.255.255.252
> >  ip nat inside
> > !
> > interface Ethernet0
> >  ip address 192.168.254.1 255.255.255.0
> >  ip nat outside
> >  ip policy route-map Ntp
> > !
> > ip nat inside source static udp 192.168.254.13 123 192.168.254.1 123
> > ip nat outside source static udp 192.168.254.1 123 192.168.254.13 123
> > !
> > access-list 101 permit udp any eq ntp host 192.168.254.1 eq ntp
> > route-map Ntp permit 10
> >  match ip address 101
> >  set ip next-hop 192.168.253.2
> >
> > ... but it doesn't work. It just does destination NAT, then packets don't
> > return to the correct source, and of course they are dropped. :(
> >
> > Could someone tell me what I've done wrong?
> >
> > Thank you :)
>
> Maybe you should be using ip nat inside destination
> instead of outside source?
>
> I have never understood the difference between outside
> source and inside dest. But then I think I have only
> done double NAT on Cisco once. Annoyingly it was my
> first ever NAT job and it hurt my head a lot - I still
> remember it after about twelve years though :)

I have read your post more thoroughly now and see that you are doing router on a stick. This will all be very problematic.

You need to make sure that you don't get ICMP redirects, otherwise the router will get bypassed.

I guess you already checked that the source port for NTP is 123? Seems not unreasonable I suppose.