[nsp] Really strange NAT Problem
Adam Debus
adam-lists at reachone.com
Wed Feb 25 14:16:37 EST 2004
I'm declaring the loopback interface as "ip nat outside" because that's the
address I'm trying to NAT to. I've got two interfaces that lead back into
our network: FastEthernet0/0 and Serial0/0. These interfaces run some
routing protocols so that if one were to go down, traffic would fail over to
the other. These two interfaces are declared as "ip nat outside" as well.
Thanks,
Adam Debus
Network Engineer, ReachONE Internet
adam at reachone.com
----- Original Message -----
From: "Félix Izquierdo" <fizquierdo at l3consulting.com>
To: "Adam Debus" <adam-lists at reachone.com>
Cc: <cisco-nsp at puck.nether.net>
Sent: Wednesday, February 25, 2004 10:58 AM
Subject: Re: [nsp] Really strange NAT Problem
> Why do you declare the loopback interface as "nat outside"? It makes no
> sense, and perhaps, because of some side effect, it's the reason for the
> failure.
>
>
> Adam Debus wrote:
>
> > I'm continuing to beat my head against this problem and I've turned on
> > some more debug messages, and here's what I'm seeing. I can't find any
> > documentation to help me decode some of these, so I'm hoping that some
> > of you had run into them before.
> >
> > The equipment is a 3620 running 12.2.10d. I'm trying to NAT VPN traffic
> > through it, via a Loopback interface. Here's the setup:
> >
> > interface Loopback0
> > ip address 216.177.234.137 255.255.255.255
> > ip nat outside
> >
> > interface FastEthernet0/1
> > ip address 192.168.231.253 255.255.255.0
> > ip nat inside
> > ip route-cache flow
> > duplex auto
> > speed auto
> >
> > ip nat inside source route-map nonat interface Loopback0 overload
> > ip nat inside source static udp 192.168.231.252 4500 interface Loopback0 4500
> > ip nat inside source static udp 192.168.231.252 500 interface Loopback0 500
> > ip nat inside source static udp 192.168.231.252 51 interface Loopback0 51
> > ip nat inside source static udp 192.168.231.252 50 interface Loopback0 50
> > ip nat inside source static tcp 192.168.231.252 10000 interface Loopback0 10000
> > ip nat inside source static tcp 192.168.231.252 500 interface Loopback0 500
> > ip nat inside source static tcp 192.168.231.252 51 interface Loopback0 51
> > ip nat inside source static tcp 192.168.231.252 50 interface Loopback0 50
> >
> > access-list 155 remark *** Dont NAT Private to Private addresses ***
> > access-list 155 deny ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> > access-list 155 deny ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> > access-list 155 deny ip 10.10.0.0 0.0.255.255 150.2.0.0 0.0.255.255
> > access-list 155 deny ip 150.2.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> > access-list 155 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> > access-list 155 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> > access-list 155 permit ip 10.10.0.0 0.0.255.255 any
> > access-list 155 permit ip 192.168.0.0 0.0.255.255 any
> >
> > route-map nonat permit 10
> > match ip address 155
> >
> > The debug is showing the following pretty much over and over (each side
> > trying to ping the other through the system):
> >
> > Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
> > Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0), d=216.177.234.137, len 112, rcvd 4, proto=50
> > Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0), d=216.177.234.137, len 112, unknown protocol, proto=50
> > Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
> > Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
> > Feb 25 09:10:02 PST: NAT: map match nonat
> > Feb 25 09:10:02 PST: NAT: map match nonat
> > Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
> > Feb 25 09:10:02 PST: NAT: map match nonat
> > Feb 25 09:10:02 PST: NAT: translation failed (A), dropping packet s=192.168.231.252 d=216.177.232.14
> > Feb 25 09:10:02 PST: IP: s=192.168.231.253 (local), d=192.168.231.252, len 56, cef process switched
> > Feb 25 09:10:02 PST: ICMP type=3, code=1
> > Feb 25 09:10:02 PST: IP: s=192.168.231.253 (local), d=192.168.231.252 (FastEthernet0/1), len 56, sending
> > Feb 25 09:10:02 PST: ICMP type=3, code=1
> >
> > Thanks,
> >
> > Adam Debus
> > Network Engineer, ReachONE Internet
> > adam at reachone.com
> >
>
>
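Added example, not part of the original thread: a small Python triage script that lines up the static port maps with the debug output quoted above. It assumes the debug line layout is exactly as quoted; CONFIG and DEBUG are a subset of the quoted lines with the mail wrapping undone, and the protocol names in IP_PROTO are the IANA assignments (50 = ESP, 51 = AH), which the thread itself does not spell out.

```python
import re
from collections import Counter

# IANA IP protocol numbers relevant to the quoted configuration (assumption: not stated in the thread).
IP_PROTO = {6: "tcp", 17: "udp", 50: "esp", 51: "ah"}

# Subset of the lines quoted in the message, with wrapped lines rejoined.
CONFIG = """\
ip nat inside source static udp 192.168.231.252 4500 interface Loopback0 4500
ip nat inside source static udp 192.168.231.252 500 interface Loopback0 500
ip nat inside source static udp 192.168.231.252 50 interface Loopback0 50
ip nat inside source static tcp 192.168.231.252 50 interface Loopback0 50
"""
DEBUG = """\
Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0), d=216.177.234.137, len 112, rcvd 4, proto=50
Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0), d=216.177.234.137, len 112, unknown protocol, proto=50
Feb 25 09:10:02 PST: NAT: map match nonat
Feb 25 09:10:02 PST: NAT: translation failed (A), dropping packet s=192.168.231.252 d=216.177.232.14
"""

STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
RCVD_RE = re.compile(r"IP: s=(\S+) \((\S+)\), d=(\S+), len \d+, (.+), proto=(\d+)")
FAIL_RE = re.compile(r"NAT: translation failed \((\w)\), dropping packet s=(\S+) d=(\S+)")

def static_entries(config):
    """Return the set of (transport, outside_port) pairs in the static port maps."""
    return {(m[1], int(m[5])) for m in STATIC_RE.finditer(config)}

def summarize(config, debug):
    """Count inbound IP protocols the static maps cannot match, and NAT drops per flow."""
    transports = {t for t, _ in static_entries(config)}
    unmatched, drops = Counter(), Counter()
    for line in debug.splitlines():
        if (m := RCVD_RE.search(line)):
            proto = int(m[5])
            # A static tcp/udp entry keys on a layer-4 port, so it only
            # applies to packets whose IP protocol is 6 (TCP) or 17 (UDP).
            if IP_PROTO.get(proto) not in transports:
                unmatched[(m[1], m[3], proto)] += 1
        elif (m := FAIL_RE.search(line)):
            drops[(m[2], m[3])] += 1
    return unmatched, drops

if __name__ == "__main__":
    unmatched, drops = summarize(CONFIG, DEBUG)
    for (src, dst, proto), n in unmatched.items():
        print(f"{src} -> {dst} ip proto {proto} ({IP_PROTO.get(proto, '?')}): {n} lines, no tcp/udp port map applies")
    for (src, dst), n in drops.items():
        print(f"{src} -> {dst}: {n} translation failure(s)")
```

Run against a full capture, the two counters separate inbound packets that no TCP/UDP port map can match from inside-to-outside flows that the router dropped at translation time.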