[nsp] Really strange NAT Problem

Félix Izquierdo fizquierdo at l3consulting.com
Wed Feb 25 14:28:27 EST 2004


The IP address that you want to overload for NAT can be configured on 
a loopback, and it's the more elegant configuration, but the loopback 
isn't inside or outside in NAT semantics; it's nothing, because the 
traffic doesn't flow through it.


Adam Debus wrote:

> I'm declaring the loopback interface as "ip nat outside" because that's the
> address I'm trying to NAT to. I've got two interfaces that lead back into
> our network: FastEthernet0/0 and Serial0/0. These interfaces run some
> routing protocols so that if one were to go down, traffic would fail over to
> the other. These two interfaces are declared as "ip nat outside" as well.
> 
> Thanks,
> 
> Adam Debus
> Network Engineer, ReachONE Internet
> adam at reachone.com
> ----- Original Message ----- 
> From: "Félix Izquierdo" <fizquierdo at l3consulting.com>
> To: "Adam Debus" <adam-lists at reachone.com>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Wednesday, February 25, 2004 10:58 AM
> Subject: Re: [nsp] Really strange NAT Problem
> 
> 
> 
>>Why do you declare the loopback interface as "nat outside"? It makes no
>>sense, and perhaps some side effect of it is the reason for the failure.
>>
>>
>>Adam Debus wrote:
>>
>>
>>>I'm continuing to beat my head against this problem and I've turned on some
>>>more debug messages, and here's what I'm seeing. I can't find any
>>>documentation to help me decode some of these, so I'm hoping that some of
>>>you had run into them before.
>>>
>>>The equipment is a 3620 running 12.2.10d. I'm trying to NAT VPN traffic
>>>through it, via a Loopback interface. Here's the setup:
>>>
>>>interface Loopback0
>>> ip address 216.177.234.137 255.255.255.255
>>> ip nat outside
>>>
>>>interface FastEthernet0/1
>>> ip address 192.168.231.253 255.255.255.0
>>> ip nat inside
>>> ip route-cache flow
>>> duplex auto
>>> speed auto
>>>
>>>ip nat inside source route-map nonat interface Loopback0 overload
>>>ip nat inside source static udp 192.168.231.252 4500 interface Loopback0 4500
>>>ip nat inside source static udp 192.168.231.252 500 interface Loopback0 500
>>>ip nat inside source static udp 192.168.231.252 51 interface Loopback0 51
>>>ip nat inside source static udp 192.168.231.252 50 interface Loopback0 50
>>>ip nat inside source static tcp 192.168.231.252 10000 interface Loopback0 10000
>>>ip nat inside source static tcp 192.168.231.252 500 interface Loopback0 500
>>>ip nat inside source static tcp 192.168.231.252 51 interface Loopback0 51
>>>ip nat inside source static tcp 192.168.231.252 50 interface Loopback0 50
>>>access-list 155 remark *** Dont NAT Private to Private addresses ***
>>>access-list 155 deny   ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
>>>access-list 155 deny   ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>>>access-list 155 deny   ip 10.10.0.0 0.0.255.255 150.2.0.0 0.0.255.255
>>>access-list 155 deny   ip 150.2.0.0 0.0.255.255 10.10.0.0 0.0.255.255
>>>access-list 155 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>>>access-list 155 deny   ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
>>>access-list 155 permit ip 10.10.0.0 0.0.255.255 any
>>>access-list 155 permit ip 192.168.0.0 0.0.255.255 any
>>>
>>>route-map nonat permit 10
>>> match ip address 155
>>>
>>>The debug is showing the following pretty much over and over (each side
>>>trying to ping the other through the system):
>>>
>>>Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
>>>Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0), d=216.177.234.137, len 112, rcvd 4, proto=50
>>>Feb 25 09:10:02 PST: IP: s=216.177.232.14 (FastEthernet0/0), d=216.177.234.137, len 112, unknown protocol, proto=50
>>>Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
>>>Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
>>>Feb 25 09:10:02 PST: NAT: map match nonat
>>>Feb 25 09:10:02 PST: NAT: map match nonat
>>>Feb 25 09:10:02 PST: IP: NAT enab = 1 trans = 0 flags = 80
>>>Feb 25 09:10:02 PST: NAT: map match nonat
>>>Feb 25 09:10:02 PST: NAT: translation failed (A), dropping packet s=192.168.231.252 d=216.177.232.14
>>>Feb 25 09:10:02 PST: IP: s=192.168.231.253 (local), d=192.168.231.252, len 56, cef process switched
>>>Feb 25 09:10:02 PST:     ICMP type=3, code=1
>>>Feb 25 09:10:02 PST: IP: s=192.168.231.253 (local), d=192.168.231.252 (FastEthernet0/1), len 56, sending
>>>Feb 25 09:10:02 PST:     ICMP type=3, code=1
>>>
>>>Thanks,
>>>
>>>Adam Debus
>>>Network Engineer, ReachONE Internet
>>>adam at reachone.com
>>>
>>>_______________________________________________
>>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>>
>>
>>
> 
> 
> 
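
Added example, not part of the original thread: a short Python audit of the point made in the reply at the top, that a loopback used only as the NAT address should carry no inside/outside role. The sample config is constructed from the lines quoted in the thread (the two uplinks appear without addresses because the thread gives none), and the function names are hypothetical.

```python
import re

# Constructed sample: the interface and NAT lines quoted in the thread, plus the
# two uplinks the poster says are also "ip nat outside" (their addresses omitted).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 216.177.234.137 255.255.255.255
 ip nat outside
interface FastEthernet0/0
 ip nat outside
interface Serial0/0
 ip nat outside
interface FastEthernet0/1
 ip address 192.168.231.253 255.255.255.0
 ip nat inside
ip nat inside source route-map nonat interface Loopback0 overload
"""

NAT_ROLE = re.compile(r"\s+ip nat (inside|outside)\s*")

def stanzas(config):
    """Yield (interface_name_or_None, line) for every line of the config."""
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            current = None  # a non-indented line ends the interface stanza
        yield current, line

def is_loopback(name):
    return name is not None and name.lower().startswith("loopback")

def audit(config):
    """Report loopbacks carrying a NAT role and the real transit interfaces."""
    report = {"loopback_with_role": [], "inside": [], "outside": []}
    for name, line in stanzas(config):
        m = NAT_ROLE.fullmatch(line)
        if m and is_loopback(name):
            report["loopback_with_role"].append((name, m.group(1)))
        elif m and name:
            report[m.group(1)].append(name)
    # Interfaces that only lend their address to "ip nat ... interface X" rules.
    report["address_source"] = sorted(set(
        re.findall(r"^ip nat \S+ source .*\binterface (\S+)", config, re.M)))
    return report

def strip_loopback_roles(config):
    """Return the config without NAT role lines inside loopback stanzas."""
    return "\n".join(line for name, line in stanzas(config)
                     if not (is_loopback(name) and NAT_ROLE.fullmatch(line))) + "\n"
```

Run against the sample, `audit` reports `Loopback0` as a loopback with an `outside` role; after `strip_loopback_roles` the loopback keeps its address and is still the address source for the overload rule, while the physical interfaces keep their roles.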



