[nsp] Really strange NAT Problem

Félix Izquierdo fizquierdo at l3consulting.com
Wed Feb 25 13:58:16 EST 2004


Why do you declare the loopback interface as "nat outside"? It makes no 
sense, and perhaps, because of some side effect, it is the reason for the failure.


Adam Debus wrote:

> I'm continuing to beat my head against this problem and I've turned on some
> more debug messages, and here's what I'm seeing. I can't find any
> documentation to help me decode some of these, so I'm hoping that some of
> you had run into them before.
> 
> The equipment is a 3620 running 12.2.10d. I'm trying to NAT VPN traffic
> through it, via a Loopback interface. Here's the setup:
> 
> interface Loopback0
>  ip address 216.177.234.137 255.255.255.255
>  ip nat outside
> 
> interface FastEthernet0/1
>  ip address 192.168.231.253 255.255.255.0
>  ip nat inside
>  ip route-cache flow
>  duplex auto
>  speed auto
> 
> ip nat inside source route-map nonat interface Loopback0 overload
> ip nat inside source static udp 192.168.231.252 4500 interface Loopback0 4500
> ip nat inside source static udp 192.168.231.252 500 interface Loopback0 500
> ip nat inside source static udp 192.168.231.252 51 interface Loopback0 51
> ip nat inside source static udp 192.168.231.252 50 interface Loopback0 50
> ip nat inside source static tcp 192.168.231.252 10000 interface Loopback0 10000
> ip nat inside source static tcp 192.168.231.252 500 interface Loopback0 500
> ip nat inside source static tcp 192.168.231.252 51 interface Loopback0 51
> ip nat inside source static tcp 192.168.231.252 50 interface Loopback0 50
> 
> access-list 155 remark *** Dont NAT Private to Private addresses ***
> access-list 155 deny   ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> access-list 155 deny   ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> access-list 155 deny   ip 10.10.0.0 0.0.255.255 150.2.0.0 0.0.255.255
> access-list 155 deny   ip 150.2.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> access-list 155 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> access-list 155 deny   ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> access-list 155 permit ip 10.10.0.0 0.0.255.255 any
> access-list 155 permit ip 192.168.0.0 0.0.255.255 any
> 
> route-map nonat permit 10
>  match ip address 155
> 
> The debug is showing the following pretty much over and over (each side
> trying to ping the other through the system):
> 
> Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
> Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0),
> d=216.177.234.137, len 112, rcvd 4, proto=50
> Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0),
> d=216.177.234.137, len 112, unknown protocol, proto=50
> Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
> Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
> Feb 25 09:10:02 PST: NAT: map match nonat
> Feb 25 09:10:02 PST: NAT: map match nonat
> Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
> Feb 25 09:10:02 PST: NAT: map match nonat
> Feb 25 09:10:02 PST: NAT: translation failed (A), dropping packet
> s=192.168.231.252 d=216.177.232.14
> Feb 25 09:10:02 PST: IP: s=192.168.231.253 (local), d=192.168.231.252, len
> 56, cef process switched
> Feb 25 09:10:02 PST:     ICMP type=3, code=1
> Feb 25 09:10:02 PST: IP: s=192.168.231.253 (local), d=192.168.231.252
> (FastEthernet0/1), len 56, sending
> Feb 25 09:10:02 PST:     ICMP type=3, code=1
> 
> Thanks,
> 
> Adam Debus
> Network Engineer, ReachONE Internet
> adam at reachone.com



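Added example, not part of the original thread and not either poster's diagnosis: a small Python check that compares the IP protocol numbers in the quoted debug output with what the quoted static entries can match. It assumes only that `static tcp`/`static udp` entries are port mappings under IP protocols 6 and 17; the function names are hypothetical.

```python
import re
from collections import Counter

IP_PROTO = {"tcp": 6, "udp": 17}   # IANA IP protocol numbers, not ports
STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ \d+$")
PROTO_RE = re.compile(r"IP: s=\S+ \(\S+\), d=\S+, len \d+, .*proto=(\d+)")
FAIL_RE = re.compile(
    r"NAT: translation failed \((\w)\), dropping packet s=(\S+) d=(\S+)")

# Static entries and debug lines copied from the post, e-mail wrapping undone.
CONFIG = """\
ip nat inside source static udp 192.168.231.252 4500 interface Loopback0 4500
ip nat inside source static udp 192.168.231.252 500 interface Loopback0 500
ip nat inside source static udp 192.168.231.252 51 interface Loopback0 51
ip nat inside source static udp 192.168.231.252 50 interface Loopback0 50
ip nat inside source static tcp 192.168.231.252 10000 interface Loopback0 10000
ip nat inside source static tcp 192.168.231.252 500 interface Loopback0 500
ip nat inside source static tcp 192.168.231.252 51 interface Loopback0 51
ip nat inside source static tcp 192.168.231.252 50 interface Loopback0 50
"""
DEBUG = """\
Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0), d=216.177.234.137, len 112, rcvd 4, proto=50
Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0), d=216.177.234.137, len 112, unknown protocol, proto=50
Feb 25 09:10:02 PST: NAT: translation failed (A), dropping packet s=192.168.231.252 d=216.177.232.14
"""

def static_entries(config):
    """(IP protocol number, inside host, port) for each static port mapping."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append((IP_PROTO[m.group(1)], m.group(2), int(m.group(3))))
    return entries

def analyze(config, debug):
    """Compare IP protocols seen in the debug with what the statics can match."""
    entries = static_entries(config)
    matchable = {proto for proto, _, _ in entries}
    seen = Counter(int(p) for p in PROTO_RE.findall(debug))
    return {
        "seen": dict(seen),
        "unmatched": sorted(p for p in seen if p not in matchable),
        "ports_50_51": sorted({(pr, po) for pr, _, po in entries if po in (50, 51)}),
        "failures": FAIL_RE.findall(debug),
    }

if __name__ == "__main__":
    for key, value in analyze(CONFIG, DEBUG).items():
        print(f"{key}: {value}")
```

On the quoted data it reports IP protocol 50 (ESP) as seen but not matchable by any static entry, and lists the four entries that use 50 or 51 as a TCP or UDP port.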