[nsp] Really strange NAT Problem

Adam Debus adam-lists at reachone.com
Mon Feb 16 12:15:19 EST 2004 

Unfortuantely, we don't use the Cisco ISC, so this doesn't really help us
all that much.

I did implement the route-map that was suggested by Randy Rooney, however
because both my clients are closed today I won't be able to test it until
tomorrow.

I really think I'm working under two seperate issues here, one where it is
dropping the traffic that is being tunneled out, and the second where the
checkpoint doesn't respond to pings if I try and ping it from the Loop0
interface's ip (but works fine when I ping it from any other IP on the box).

My only concern with the route-map is that by the time the traffic reaches
my router, it's already in a tunnel, so in theory it should never match that
route-map's deny criteria. Or am I mistaken about that?

Thanks,

Adam Debus
Network Engineer, ReachONE Internet
adam at reachone.com
----- Original Message ----- 
From: "Peter Burggasser" <p.burggasser at uta1002.at>
To: "'Adam Debus'" <adam-lists at reachone.com>
Sent: Sunday, February 15, 2004 3:01 PM
Subject: RE: [nsp] Really strange NAT Problem


> Mabe this link gives you help
>
>
http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_c
> hapter09186a00801e1996.html#51580
>
> Cu, pit
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adam Debus
> Sent: Saturday, February 14, 2004 12:30 AM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Really strange NAT Problem
>
> I've got a really odd NAT problem with a Cisco 3620 running 12.2.10d
>
> In this particular scenario my router is acting as the middleman between
the
> Internet (and another one of my customers) and a private access network
for
> another customer.
>
> On the side of my customer, they have a Checkpoint firewall (NGAI) running
> on a Win2k box.
> On the side of the county, they have a PIX 515 protecting a Cisco 3005 VPN
> Concentrator.
>
> I have the aforementioned 3620, at the physical location of the private
> access network, with two connections to the outside world: 1 FastEthernet
to
> a wireless network and 1 T1. I have a second FastEthernet port to the
> private network. I'm running routing protocols on the outside ports to
> provide high-availability. I have a Loopback port setup with a public IP
for
> the nat translations.
>
> What is happening is this: Both sides report that the VPN tunnel is being
> established. When the customer with the PIX tries to ping via the VPN to
the
> customer with the checkpoint my 3620 gives me the following info from a
> "debug ip nat":
>
> Feb 13 14:51:50 PST: NAT: translation failed (A), dropping packet
> s=192.168.x.252 d=x.x.232.14
>
> Additionally, when the VPN is not configured on the Checkpoint, I can do a
> "ping ip" and ping from the 234.137 address to the 232.14 address.
However,
> when the VPN is configured on the Checkpoint, I cannot. I can ping from
any
> other address on the router, and it works fine no matter what.
>
> Here's the relevant portions of my configuration:
>
> interface Loopback0
>  ip address x.x.234.137 255.255.255.255
>  ip nat outside
> !
> interface FastEthernet0/0
>  ip address x.x.237.18 255.255.255.248
>  no ip redirects
>  no ip unreachables
>  ip nat outside
>  ip rip authentication key-chain Wireless  ip route-cache flow  duplex
auto
> speed auto !
> interface Serial0/0
>  ip address x.x.232.22 255.255.255.252
>  ip nat outside
>  ip route-cache flow
> !
> interface FastEthernet0/1
>  ip address 192.168.x.253 255.255.255.0
>  ip nat inside
>  ip route-cache flow
>  duplex auto
>  speed auto
>
> ip nat inside source list 1 interface Loopback0 overload ip nat inside
> source static tcp 192.168.x.252 10000 interface Loopback0 10000 ip nat
> inside source static udp 192.168.x.252 4500 interface Loopback0 4500 ip
nat
> inside source static udp 192.168.x.252 500 interface Loopback0 500 ip nat
> inside source static tcp 192.168.x.252 500 interface Loopback0 500 ip nat
> inside source static udp 192.168.x.252 51 interface Loopback0 51 ip nat
> inside source static tcp 192.168.x.252 51 interface Loopback0 51 ip nat
> inside source static udp 192.168.x.252 50 interface Loopback0 50 ip nat
> inside source static tcp 192.168.x.252 50 interface Loopback0 50
>
> access-list 1 permit 192.168.x.0 0.0.0.255
> access-list 1 deny   any
> Thanks,
>
> Adam Debus
> Network Engineer, ReachONE Internet
> adam at reachone.com
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.587 / Virus Database: 371 - Release Date: 12.02.2004
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.588 / Virus Database: 372 - Release Date: 13.02.2004
>
>
>
>
>

More information about the cisco-nsp mailing list