Problem using NAT

Discussion in 'Cisco' started by Peter Jonas, Feb 10, 2004.

  1. Peter Jonas

    Peter Jonas Guest

    Hi,
    I am trying to setup a NAT example on my home network in the following
    way.
    Router B is doing NAT (see attached config). Based on an extended
    access list it should translate addresses of all packets coming from
    10.1.1.0/24 *and* going to 172.31.1.0/24. Router A is the source
    Router (10.1.1.3) from which I am pinging destination router C across
    the NAT router B.
    I am tracing the packet flow within the NAT router ("debug ip packet
    detail"), so I can see whether packets are translated or not. Here my
    observations:

    #Router A:
    ping 192.168.150.10 -> no success, packets are not translated (that's
    ok)
    ping 172.31.1.2 -> success, packets are translated (that's also
    good)
    again,
    ping 192.168.150.10 -> no success (because return path missing) BUT:
    packets are translated although the access list should avoid this
    :-((

    So this means that *every* packet is translated (for each destination)
    as soon as one packet which conforms to the access-list is already
    sent.
    When I clear the NAT table (clear ip nat translation *) the same play
    starts again.

    After some testing I rebuilt the configuration on some other routers
    in a similar (but not the same) environment using IOS 12.2, and there
    it works as desired. So I assume that the misbehaviour could be
    related to an IOS bug although I did not find any hints regarding
    such a bug on the cisco site.

    Any ideas what is going wrong?

    Thanks for the help.
    Peter
    ----------------------------
    Here is my configuration (all routers using IOS 12.0 (27) IPplus)

    Router A (Cisco 2504, IOS 12.0-27):
    -----------------------------------
    interface Serial0
    ip address 10.1.1.3 255.255.255.0
    no ip directed-broadcast
    no ip route-cache
    ip route 0.0.0.0 0.0.0.0 10.1.1.1

    Router B (Cisco 2504, IOS 12.0-27):
    -----------------------------------
    interface Serial0
    ip address 10.1.1.1 255.255.255.0
    ip nat inside
    no ip directed-broadcast
    no ip route-cache
    clockrate 2000000

    interface Serial1
    ip address 172.31.1.1 255.255.255.0
    ip nat outside
    no ip directed-broadcast
    no ip route-cache
    clockrate 2000000

    ip nat pool BBR 192.168.1.1 192.168.1.254 netmask 255.255.255.0
    ip nat inside source list 100 pool BBR
    no ip classless
    ip route 0.0.0.0 0.0.0.0 172.31.1.2
    access-list 100 permit ip 10.1.1.0 0.0.0.255 172.31.1.0 0.0.0.255

    Router C (Cisco 2504, IOS 12.0-27):
    -----------------------------------
    interface Serial0
    ip address 172.31.1.2 255.255.255.0
    no ip directed-broadcast
    no ip route-cache

    interface Ethernet 0
    ip address 192.168.150.1 255.255.255.0
    no ip directed-broadcast
    no ip route-cache

    ip route 0.0.0.0 0.0.0.0 192.168.150.10
    ip route 192.168.1.1 255.255.255.0 172.31.1.1
    Peter Jonas, Feb 10, 2004
    #1

  2. Peter Jonas

    Peter Jonas Guest

    Re: Problem using NAT - need help

    Hello again,
    regarding my reported problem configuring NAT with extended ACLs I
    have tried again using different IOS versions (11.3, 12.0, 12.2) leading
    to the same result. But I found that this seems to be only a problem
    if NAT is configured on one of my token ring routers (2504). The same NAT
    configuration on an ethernet router (2503) works as desired.

    As far as I understand the access list is only used once to create the
    translation table. When this is done there is no further check of the
    access list and packets with any destination are translated.

    Question:
    Is there any restriction using NAT specifically on token ring routers
    when using extended access lists?

    As I have now spent a lot of time trying to find out the reason, any help
    would be very much appreciated.
    Thank you.
    Peter

    Peter Jonas, Feb 22, 2004
    #2
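The behaviour described in the two posts above (a packet to a destination the ACL does not cover is still translated once an entry for the same inside host exists) follows from the order in which IOS dynamic NAT consults its translation table and the ACL. The model below is an added example written for this page; it is not code from the thread and not Cisco's implementation. It encodes my understanding of `ip nat inside source list <acl> pool <pool>`: the translation table is checked first, and the ACL is consulted only when no entry matches, to decide whether to create one. Without the `overload` keyword an entry is "simple" (keyed on the inside local address only, so it matches any later destination); with `overload` an entry is "extended" (keyed on the whole flow), so a packet to a new destination falls through to the ACL again. The class names, the one-address-per-host pool allocation, the ICMP-only packets and the use of the ICMP query id in place of a port are simplifications of mine; timeouts and the 2503/2504 difference are not modelled.

```python
"""Model of how IOS dynamic NAT decides whether to translate an inside->outside packet.

Constructed example for this page (not code from the thread, not Cisco's code).
Order of operations as modelled: translation table first, ACL only when no entry
matches. Simple entries (no 'overload') are keyed on inside local address only;
extended entries ('overload') are keyed on the full flow.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    sport: int = 0   # ICMP query id stands in for a source port in this model
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src_net: str     # "10.1.1.0/24" is IOS "10.1.1.0 0.0.0.255"
    dst_net: str


class ExtendedAcl:
    """First-match extended ACL with the implicit deny at the end."""

    def __init__(self, entries: List[AclEntry]):
        self.entries = entries

    def permits(self, pkt: Packet) -> bool:
        for e in self.entries:
            if (ip_address(pkt.src) in ip_network(e.src_net)
                    and ip_address(pkt.dst) in ip_network(e.dst_net)):
                return e.action == "permit"
        return False  # implicit deny


@dataclass(frozen=True)
class Translation:
    inside_local: str
    inside_global: str
    # Flow fields are only filled in for extended (overload) entries.
    proto: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0


class NatRouter:
    def __init__(self, acl: ExtendedAcl, pool: List[str], overload: bool = False):
        self.acl = acl
        self.free_pool = list(pool)
        self.overload = overload
        self.table: List[Translation] = []

    def clear_translations(self) -> None:
        """Model of 'clear ip nat translation *'."""
        self.table.clear()

    def _lookup(self, pkt: Packet) -> Optional[Translation]:
        for t in self.table:
            if t.inside_local != pkt.src:
                continue
            if not self.overload:
                return t  # simple entry: any destination matches
            if (t.proto, t.sport, t.dst, t.dport) == (pkt.proto, pkt.sport, pkt.dst, pkt.dport):
                return t
        return None

    def inside_to_outside(self, pkt: Packet) -> Tuple[Packet, bool]:
        """Return (packet as sent on the outside interface, translated?)."""
        t = self._lookup(pkt)
        if t is None:
            if not self.acl.permits(pkt):
                return pkt, False          # no entry and ACL denies: sent untranslated
            if not self.free_pool:
                return pkt, False          # pool exhausted
            # PAT shares the first pool address; simple NAT consumes one per host.
            g = self.free_pool[0] if self.overload else self.free_pool.pop(0)
            t = (Translation(pkt.src, g, pkt.proto, pkt.sport, pkt.dst, pkt.dport)
                 if self.overload else Translation(pkt.src, g))
            self.table.append(t)
        return Packet(t.inside_global, pkt.dst, pkt.proto, pkt.sport, pkt.dport), True


def router_b(overload: bool) -> NatRouter:
    """Router B from the thread: access-list 100 and pool BBR (192.168.1.1-254)."""
    acl = ExtendedAcl([AclEntry("permit", "10.1.1.0/24", "172.31.1.0/24")])
    return NatRouter(acl, [f"192.168.1.{i}" for i in range(1, 255)], overload=overload)


def replay_pings(overload: bool) -> List[bool]:
    """The three pings from Router A (10.1.1.3); True where the packet was translated."""
    nat = router_b(overload)
    pings = [Packet("10.1.1.3", "192.168.150.10", sport=1),
             Packet("10.1.1.3", "172.31.1.2", sport=2),
             Packet("10.1.1.3", "192.168.150.10", sport=3)]
    return [nat.inside_to_outside(p)[1] for p in pings]


if __name__ == "__main__":
    print("simple entries  :", replay_pings(overload=False))  # [False, True, True]
    print("extended entries:", replay_pings(overload=True))   # [False, True, False]
```

Running it reproduces the sequence in the first post for the configuration as shown (third ping translated although the ACL does not permit its destination) and shows that the destination check is only reapplied when entries are per-flow. Clearing the table puts the router back at the first step, which is also what the post reports.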