[nsp] Really strange NAT Problem

Adam Debus adam-lists at reachone.com
Wed Feb 25 13:32:25 EST 2004


I'm continuing to beat my head against this problem, and I've turned on some
more debug messages; here's what I'm seeing. I can't find any
documentation to help me decode some of these, so I'm hoping that some of
you have run into them before.

The equipment is a 3620 running 12.2.10d. I'm trying to NAT VPN traffic
through it, via a Loopback interface. Here's the setup:

interface Loopback0
 ip address 216.177.234.137 255.255.255.255
 ip nat outside

interface FastEthernet0/1
 ip address 192.168.231.253 255.255.255.0
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto

ip nat inside source route-map nonat interface Loopback0 overload
ip nat inside source static udp 192.168.231.252 4500 interface Loopback0 4500
ip nat inside source static udp 192.168.231.252 500 interface Loopback0 500
ip nat inside source static udp 192.168.231.252 51 interface Loopback0 51
ip nat inside source static udp 192.168.231.252 50 interface Loopback0 50
ip nat inside source static tcp 192.168.231.252 10000 interface Loopback0 10000
ip nat inside source static tcp 192.168.231.252 500 interface Loopback0 500
ip nat inside source static tcp 192.168.231.252 51 interface Loopback0 51
ip nat inside source static tcp 192.168.231.252 50 interface Loopback0 50

access-list 155 remark *** Dont NAT Private to Private addresses ***
access-list 155 deny   ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 155 deny   ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 155 deny   ip 10.10.0.0 0.0.255.255 150.2.0.0 0.0.255.255
access-list 155 deny   ip 150.2.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 155 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 155 deny   ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 155 permit ip 10.10.0.0 0.0.255.255 any
access-list 155 permit ip 192.168.0.0 0.0.255.255 any

route-map nonat permit 10
 match ip address 155

The debug is showing the following pretty much over and over (each side
trying to ping the other through the system):

Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0), d=216.177.234.137, len 112, rcvd 4, proto=50
Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0), d=216.177.234.137, len 112, unknown protocol, proto=50
Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
Feb 25 09:10:02 PST: NAT: map match nonat
Feb 25 09:10:02 PST: NAT: map match nonat
Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
Feb 25 09:10:02 PST: NAT: map match nonat
Feb 25 09:10:02 PST: NAT: translation failed (A), dropping packet s=192.168.231.252 d=216.177.232.14
Feb 25 09:10:02 PST: IP: s=192.168.231.253 (local), d=192.168.231.252, len 56, cef process switched
Feb 25 09:10:02 PST:     ICMP type=3, code=1
Feb 25 09:10:02 PST: IP: s=192.168.231.253 (local), d=192.168.231.252 (FastEthernet0/1), len 56, sending
Feb 25 09:10:02 PST:     ICMP type=3, code=1

Thanks,

Adam Debus
Network Engineer, ReachONE Internet
adam at reachone.com
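An added example (not part of the post, and not Cisco's tooling) that parses debug output in the format quoted above and tallies the events a troubleshooter cares about: packets the router reported as "unknown protocol" (with proto numbers mapped to their IP protocol names, so proto=50 shows up as ESP), NAT translations it refused, and the ICMP unreachables it sent back. The sample log is constructed from the post's lines, and the parser first re-joins records that mail clients wrap onto two lines.

```python
import re
from collections import Counter

# Constructed sample: the debug lines quoted in the post, written the way a
# mail client wraps long records onto a second line.
DEBUG_LOG = """\
Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0),
d=216.177.234.137, len 112, rcvd 4, proto=50
Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0),
d=216.177.234.137, len 112, unknown protocol, proto=50
Feb 25 09:10:02 PST: NAT: map match nonat
Feb 25 09:10:02 PST: NAT: translation failed (A), dropping packet
s=192.168.231.252 d=216.177.232.14
Feb 25 09:10:02 PST:     ICMP type=3, code=1
"""
# IP protocol numbers, so proto=50 is reported as ESP rather than as a port.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}

TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \w+: ")
UNKNOWN_RE = re.compile(r"s=(?P<src>[\d.]+) \([^)]*\), d=(?P<dst>[\d.]+), "
                        r"len \d+, unknown protocol, proto=(?P<proto>\d+)")
FAILED_RE = re.compile(r"translation failed \((?P<code>\w)\), dropping packet "
                       r"s=(?P<src>[\d.]+) d=(?P<dst>[\d.]+)")
ICMP_RE = re.compile(r"ICMP type=(?P<type>\d+), code=(?P<code>\d+)")

def join_wrapped(text):
    # A line without a timestamp prefix continues the previous record.
    records = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    # Count the events behind a dropped NAT/VPN flow: packets the router could
    # not classify, translations it refused, and the ICMP unreachables it sent.
    out = {"unknown_protocol": Counter(), "translation_failed": Counter(),
           "icmp_unreachable": Counter()}
    for rec in join_wrapped(text):
        if m := UNKNOWN_RE.search(rec):
            name = PROTO_NAMES.get(int(m["proto"]), m["proto"])
            out["unknown_protocol"][(m["src"], m["dst"], name)] += 1
        elif m := FAILED_RE.search(rec):
            out["translation_failed"][(m["src"], m["dst"], m["code"])] += 1
        elif m := ICMP_RE.search(rec):
            out["icmp_unreachable"][(int(m["type"]), int(m["code"]))] += 1
    return out
```

Feeding it a longer capture from `debug ip nat` and `debug ip packet` shows at a glance which protocol the router cannot classify and which inside host is being sent ICMP type 3 code 1 (host unreachable) as a result.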