From: Laurent on
Hello !

I want to do address translation on a cisco 1600.
(IOS (tm) 1600 Software (C1600-Y-M), Version 12.0(9))

ip packet from 192.168.254 and having 172.20.2 destination must be first
source translated in 10.20.210.240 host, and then rerouted to another
router.

All works fine but a single thing : the translation isn't working when
the ip packets are coming back.
(ie from 192.168.254.110, i do a ping to 172.20.2.75, the nat is ok, the
rerouting is ok, the ping reply is ok and arrives at loopback interface,
but not to the host i made the ping from)

this is the configuration i made :

---- begin ----
!
interface Loopback0
 ip address 10.200.210.240 255.255.255.0
 ip nat outside
 ip policy route-map routenat
!
interface Ethernet0
 ip address 192.168.254.4 255.255.255.0
 ip nat inside
 ip policy route-map natsource
!
ip nat inside source list 101 interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.254.6
!
access-list 101 permit ip 192.168.254.0 0.0.0.255 172.20.2.0 0.0.0.255
access-list 110 permit ip 10.200.210.0 0.0.0.255 172.20.2.0 0.0.0.255
!
route-map natsource permit 10
 match ip address 101
 set ip next-hop 10.200.210.1
!
route-map routenat permit 10
 match ip address 110
 set ip next-hop 192.168.254.6
!
---- end ----

if someone could tell me what's wrong ..


thank you :)
From: News Reader on
Laurent wrote:
> Hello !
>
> I want to do address translation on a cisco 1600.
> (IOS (tm) 1600 Software (C1600-Y-M), Version 12.0(9))
>
> ip packet from 192.168.254 and having 172.20.2 destination must be first
> source translated in 10.20.210.240 host, and then rerouted to another

Presumably you mean 10.200.210.240.

> router.

Out a physical interface other than Ethernet0?

>
> All works fine but a single thing : the translation isn't working when
> the ip packets are coming back.
> (ie from 192.168.254.110, i do a ping to 172.20.2.75, the nat is ok, the
> rerouting is ok, the ping reply is ok and arrives at loopback interface,
> but not to the host i made the ping from)
>
> this is the configuration i made :
>
> ---- begin ----
> !
> interface Loopback0
> ip address 10.200.210.240 255.255.255.0
> ip nat outside
> ip policy route-map routenat
> !
> interface Ethernet0
> ip address 192.168.254.4 255.255.255.0
> ip nat inside
> ip policy route-map natsource
> !
> ip nat inside source list 101 interface Loopback0 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 192.168.254.6
> !
> access-list 101 permit ip 192.168.254.0 0.0.0.255 172.20.2.0 0.0.0.255
> access-list 110 permit ip 10.200.210.0 0.0.0.255 172.20.2.0 0.0.0.255

Wouldn't your return traffic be:

access-list 110 permit ip 172.20.2.0 0.0.0.255 10.200.210.240 0.0.0.0

> !
> route-map natsource permit 10
> match ip address 101
> set ip next-hop 10.200.210.1
> !
> route-map routenat permit 10
> match ip address 110
> set ip next-hop 192.168.254.6

If the ping was sourced from a host 192.168.254.x, and the router has a
connected route to 192.168.254.0, why would you need to specify a
next-hop on 192.168.254.0? Why would you need a route-map on Loopback0?

> !
> ---- end ----
>
> if someone could tell me what's wrong ..
>
>
> thank you :)

Best Regards,
News Reader
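
Added example, not part of either poster's message: a Python check of which direction of the ping each version of access-list 110 selects, using the entries and addresses quoted in the thread. The function names are illustrative, and the parser handles only the `permit|deny ip src wildcard dst wildcard` form that appears here.

```python
import ipaddress

# Entries copied from the thread: ACL 110 as posted, and as suggested in the reply.
ACL_110_POSTED = ["access-list 110 permit ip 10.200.210.0 0.0.0.255 172.20.2.0 0.0.0.255"]
ACL_110_SUGGESTED = ["access-list 110 permit ip 172.20.2.0 0.0.0.255 10.200.210.240 0.0.0.0"]

# The two directions of the ping described in the thread, after source translation.
OUTBOUND = ("10.200.210.240", "172.20.2.75")   # translated echo request
REPLY = ("172.20.2.75", "10.200.210.240")      # echo reply coming back

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC SRC-WILD DST DST-WILD' only."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("unsupported entry: " + line)
    if tok[2] not in ("permit", "deny"):
        raise ValueError("unknown action: " + tok[2])
    return (tok[2],) + tuple(ip_int(t) for t in tok[4:8])

def wild_match(addr, base, wild):
    # Wildcard bits set to 1 are ignored; every other bit must equal the base.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(acl_lines, src, dst):
    """Return the action of the first matching entry; no match is an implicit deny."""
    for line in acl_lines:
        action, s_base, s_wild, d_base, d_wild = parse_ace(line)
        if wild_match(ip_int(src), s_base, s_wild) and wild_match(ip_int(dst), d_base, d_wild):
            return action
    return "deny"

def direction_table():
    """Which direction of the flow does each version of ACL 110 select?"""
    acls = {"posted": ACL_110_POSTED, "suggested": ACL_110_SUGGESTED}
    flows = {"outbound": OUTBOUND, "reply": REPLY}
    return {(a, f): evaluate(lines, *pkt)
            for a, lines in acls.items() for f, pkt in flows.items()}

if __name__ == "__main__":
    for (acl, flow), action in direction_table().items():
        print(f"ACL 110 ({acl:9}) vs {flow:8}: {action}")
```

A "deny" result here means only that a route-map clause matching on this ACL would not select the packet, so policy routing would not apply to it.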
From: Laurent on
News Reader wrote:
> Out a physical interface other than Ethernet0?
No, i only have one interface (eth 0), that's why i set up a loopback
interface for nat


>> access-list 110 permit ip 10.200.210.0 0.0.0.255 172.20.2.0 0.0.0.255
>
> Wouldn't your return traffic be:
>
> access-list 110 permit ip 172.20.2.0 0.0.0.255 10.200.210.240 0.0.0.0
yes, but the access-list 110 is for the route map to 192.168.254.6



> If the ping was sourced from a host 192.168.254.x, and the router has a
> connected route to 192.168.254.0, why would you need to specify a
> next-hop on 192.168.254.0? Why would you need a route-map on Loopback0?
because only the packets sourced from 10.200.210.240 have to be routed
to 192.168.254.6 (even if i have the default route to 192.168.254.6, it
won't be the final gateway)


From: Laurent on
News Reader wrote:
> If the ping was sourced from a host 192.168.254.x, and the router has a
> connected route to 192.168.254.0, why would you need to specify a
> next-hop on 192.168.254.0? Why would you need a route-map on Loopback0?
As it's only a test for the moment, i removed the route-map on loopback,
and kept the default route to 192.168.254.6.

it's not working better... it worked the same way.
From: News Reader on
Laurent wrote:
> Hello !
>
> I want to do address translation on a cisco 1600.
> (IOS (tm) 1600 Software (C1600-Y-M), Version 12.0(9))
>
> ip packet from 192.168.254 and having 172.20.2 destination must be first
> source translated in 10.20.210.240 host, and then rerouted to another
> router.
>
> All works fine but a single thing : the translation isn't working when
> the ip packets are coming back.
> (ie from 192.168.254.110, i do a ping to 172.20.2.75, the nat is ok, the
> rerouting is ok, the ping reply is ok and arrives at loopback interface,
> but not to the host i made the ping from)
>
> this is the configuration i made :
>
> ---- begin ----
> !

Are there any ACLs on L0 or E0 that are not shown in the output below?

> interface Loopback0
> ip address 10.200.210.240 255.255.255.0
> ip nat outside
> ip policy route-map routenat
> !
> interface Ethernet0
> ip address 192.168.254.4 255.255.255.0
> ip nat inside
> ip policy route-map natsource
> !
> ip nat inside source list 101 interface Loopback0 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 192.168.254.6
> !
> access-list 101 permit ip 192.168.254.0 0.0.0.255 172.20.2.0 0.0.0.255
> access-list 110 permit ip 10.200.210.0 0.0.0.255 172.20.2.0 0.0.0.255
> !
> route-map natsource permit 10
> match ip address 101
> set ip next-hop 10.200.210.1
> !
> route-map routenat permit 10
> match ip address 110
> set ip next-hop 192.168.254.6
> !
> ---- end ----
>
> if someone could tell me what's wrong ..
>
>
> thank you :)

Best Regards,
News Reader