[nsp] Really strange NAT Problem
Adam Debus
adam-lists at reachone.com
Wed Feb 25 14:30:43 EST 2004
I've attached a JPG with a basic, fairly simple network diagram. I've also
attached the full configuration for the router, minus passwords and TACACS
keys.
The Wireless Network in question is a point-to-multipoint wireless network,
and connects to FastEthernet0/0
The DS1 connects directly to the same router the wireless network connects
into, and is on Serial0/0
They run BGP between them for failover - manually configured to prefer the
wireless network as it has more bandwidth, but is more hops.
Customer 1 has a Check Point firewall that his connection to us terminates
on, and has a real-world IP address.
Customer 2 has a Cisco PIX that is port forwarding to a Cisco VPN box.
Putting a real world address on the PIX is not an option for political
reasons.
Thanks,
Adam Debus
Network Engineer, ReachONE Internet
adam at reachone.com
----- Original Message -----
From: "Church, Chuck" <cchurch at wamnetgov.com>
To: "Adam Debus" <adam-lists at reachone.com>; <cisco-nsp at puck.nether.net>
Sent: Wednesday, February 25, 2004 11:06 AM
Subject: RE: [nsp] Really strange NAT Problem
Attempting to do NAT like this would require policy routing, so that the
NATed packets returning to the router get to the loopback for unNATing. Or
maybe I'm not understanding what you're trying to accomplish correctly. Got
a simple diagram?
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch at wamnetgov.com
PGP key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com
-------------- next part --------------
version 12.2
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname Capcom
!
logging buffered 10000 debugging
no logging console
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
memory-size iomem 10
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
ip cef
!
!
ip domain-name reachoneinternet.net
ip name-server 216.177.224.2
!
!
key chain Wireless
key 1
key-string 7 122F0C444B19052528
call rsvp-sync
!
!
!
!
!
!
!
location Capcom, Olympia, WA
!
interface Loopback0
ip address 216.177.234.137 255.255.255.255
ip nat outside
!
interface FastEthernet0/0
ip address 216.177.237.18 255.255.255.248
no ip redirects
no ip unreachables
ip nat outside
ip rip authentication key-chain Wireless
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/0
ip address 216.177.232.22 255.255.255.252
ip nat outside
ip route-cache flow
!
interface FastEthernet0/1
ip address 192.168.231.253 255.255.255.0
ip nat inside
ip route-cache flow
duplex auto
speed auto
!
router rip
version 2
passive-interface default
no passive-interface FastEthernet0/0
network 216.177.237.0
no auto-summary
!
router bgp 65534
no synchronization
bgp router-id 216.177.234.137
bgp log-neighbor-changes
network 216.177.234.136 mask 255.255.255.252
neighbor 216.177.232.21 remote-as 14517
neighbor 216.177.232.21 route-map increase_metric in
neighbor 216.177.237.1 remote-as 14517
neighbor 216.177.237.1 ebgp-multihop 10
no auto-summary
!
ip nat inside source route-map nonat interface Loopback0 overload
ip nat inside source static udp 192.168.231.252 4500 interface Loopback0 4500
ip nat inside source static udp 192.168.231.252 500 interface Loopback0 500
ip nat inside source static udp 192.168.231.252 51 interface Loopback0 51
ip nat inside source static udp 192.168.231.252 50 interface Loopback0 50
ip nat inside source static tcp 192.168.231.252 10000 interface Loopback0 10000
ip nat inside source static tcp 192.168.231.252 500 interface Loopback0 500
ip nat inside source static tcp 192.168.231.252 51 interface Loopback0 51
ip nat inside source static tcp 192.168.231.252 50 interface Loopback0 50
ip classless
ip route 216.177.234.136 255.255.255.252 Null0 200
ip route 216.177.237.1 255.255.255.255 216.177.237.17
ip tacacs source-interface Loopback0
no ip http server
ip pim bidir-enable
!
logging facility local2
logging source-interface Loopback0
logging 216.177.224.7
access-list 1 permit 192.168.231.0 0.0.0.255
access-list 1 deny any
access-list 99 permit 207.108.195.20
access-list 99 permit 207.108.195.29
access-list 99 permit 216.177.224.7
access-list 99 permit 216.177.232.224 0.0.0.31
access-list 99 deny any
access-list 155 remark *** Dont NAT Private to Private addresses ***
access-list 155 deny ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 155 deny ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 155 deny ip 10.10.0.0 0.0.255.255 150.2.0.0 0.0.255.255
access-list 155 deny ip 150.2.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 155 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 155 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 155 permit ip 10.10.0.0 0.0.255.255 any
access-list 155 permit ip 192.168.0.0 0.0.255.255 any
route-map increase_metric permit 10
set metric +10
!
route-map increase_metric permit 20
!
route-map nonat permit 10
match ip address 155
!
tacacs-server host 216.177.224.7
snmp-server community s7OUdoAp RO 99
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
session-timeout 30
access-class 99 in
exec-timeout 15 0
transport input telnet
line vty 5 15
session-timeout 30
access-class 99 in
exec-timeout 15 0
transport input telnet
!
ntp server 216.177.224.4
ntp server 216.177.224.5
ntp server 216.177.224.7
end
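A caveat on the attached config that the thread itself does not raise: `service password-encryption` and the `key-string 7 ...` form only obfuscate secrets with a fixed-key XOR, so posting a config to a list leaks every type 7 string in it, passwords and TACACS keys removed or not. The decoder below is an added example, not code from the original post or from Cisco; the XOR table is the publicly documented IOS one, `SAMPLE_CONFIG` is constructed here (the key chain lines are copied from the config above, the `username` line is made up), and running it recovers the plaintext RIP key from the posted `key-string`.

```python
"""Cisco IOS type 7 decoder/encoder (added example, not from the thread)."""
import re

# Fixed key that IOS XORs against for type 7 strings; publicly documented, not a secret.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover plaintext from a type 7 string.

    Layout: two decimal digits giving the start offset into _XLAT, then one
    hex byte per plaintext character, each XORed with the key byte at
    (offset + i) % len(_XLAT).
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    if seed >= len(_XLAT):
        raise ValueError("seed out of range")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 12) -> str:
    """Inverse of type7_decode; IOS itself only picks seeds in 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    raw = plain.encode("ascii")
    data = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(raw))
    return f"{seed:02d}{data.hex().upper()}"


# Matches "... password 7 <hex>", "... key-string 7 <hex>", "... key 7 <hex>";
# does not match type 5 (MD5) secrets, which are not reversible.
_TYPE7_LINE = re.compile(
    r"^\s*(.*?\b(?:password|key-string|key)\s+7\s+)([0-9A-Fa-f]+)\s*$")


def find_type7(config: str) -> list[tuple[str, str]]:
    """Return (stripped config line, recovered plaintext) for every type 7 string."""
    found = []
    for line in config.splitlines():
        m = _TYPE7_LINE.match(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(2))))
    return found


# Constructed sample: the key chain as posted above plus a made-up username line.
SAMPLE_CONFIG = "\n".join([
    "key chain Wireless",
    " key 1",
    "  key-string 7 122F0C444B19052528",
    "username ops password 7 " + type7_encode("Ch4ngeMe", seed=3),
])

if __name__ == "__main__":
    for line, plain in find_type7(SAMPLE_CONFIG):
        print(f"{line!r:45} -> {plain}")
```

The practical consequence for the posted config: the RIP authentication key on the wireless segment should be rotated, and anything that needs to stay secret in a shared config (TACACS keys, SNMP communities, which are not even type 7) should be redacted by hand rather than trusted to `service password-encryption`.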
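Beyond the NAT question itself, a reviewer reading the attached config would flag a few things mechanically: the static translations for "port" 50 and 51 (ESP and AH are IP protocol numbers, not TCP/UDP ports, so those entries can never match IPsec traffic; only UDP 500, UDP 4500 and Cisco's TCP 10000 encapsulation are real ports), `ip nat outside` on a loopback (the point Chuck raises about where return traffic gets un-translated), an `aaa accounting` list name that is not `default` and is applied under no `line`, and cleartext Telnet for management. The audit script below is an added example, not code from the original post; `CONFIG` is a constructed excerpt modelled on the posted config (the SNMP community is a placeholder and the `defualt` list name reproduces the kind of typo that silently disables command accounting).

```python
"""Static audit of NAT and management settings in an IOS config (added example)."""
import re

# Constructed excerpt modelled on the posted config; not the full running-config.
CONFIG = """\
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 defualt start-stop group tacacs+
interface Loopback0
 ip address 216.177.234.137 255.255.255.255
 ip nat outside
interface FastEthernet0/0
 ip address 216.177.237.18 255.255.255.248
 ip nat outside
interface FastEthernet0/1
 ip address 192.168.231.253 255.255.255.0
 ip nat inside
ip nat inside source static udp 192.168.231.252 4500 interface Loopback0 4500
ip nat inside source static udp 192.168.231.252 500 interface Loopback0 500
ip nat inside source static udp 192.168.231.252 51 interface Loopback0 51
ip nat inside source static udp 192.168.231.252 50 interface Loopback0 50
ip nat inside source static tcp 192.168.231.252 10000 interface Loopback0 10000
snmp-server community EXAMPLE-RO RO 99
line vty 0 4
 access-class 99 in
 transport input telnet
"""

# ESP and AH are IP protocol numbers; a tcp/udp port with the same number is
# unrelated, so a static port map for them is a no-op for IPsec.
IP_PROTO_NOT_PORT = {50: "ESP", 51: "AH"}

STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
AAA_ACCT = re.compile(r"^aaa accounting (exec|commands \d+) (\S+) ")
SNMP = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$")


def audit(config: str) -> list[str]:
    """Return one human-readable finding per problem spotted in config."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]

    # Pass 1: walk interface / line sections (indented lines belong to the
    # preceding unindented header) and collect what is applied where.
    section = None
    applied_lists = set()   # named accounting lists referenced under a line
    for ln in lines:
        if not ln.startswith(" "):
            section = ln if ln.startswith(("interface ", "line ")) else None
            continue
        sub = ln.strip()
        in_line = section is not None and section.startswith("line ")
        if in_line and sub.startswith("accounting "):
            applied_lists.add(sub.split()[-1])
        if in_line and sub.startswith("transport input") and "telnet" in sub:
            findings.append(f"{section}: {sub} (cleartext management; prefer ssh)")
        if section and section.lower().startswith("interface loopback") and sub == "ip nat outside":
            findings.append(f"{section}: NAT outside on a loopback; confirm return traffic "
                            "arriving on the physical outside interfaces is un-translated")

    # Pass 2: global commands.
    for ln in lines:
        m = STATIC_NAT.match(ln)
        if m and int(m.group(3)) in IP_PROTO_NOT_PORT:
            proto = IP_PROTO_NOT_PORT[int(m.group(3))]
            findings.append(f"static {m.group(1)}/{m.group(3)} map for {m.group(2)}: {proto} is "
                            f"IP protocol {m.group(3)}, not a {m.group(1)} port; never matches IPsec")
        m = AAA_ACCT.match(ln)
        if m and m.group(2) != "default" and m.group(2) not in applied_lists:
            findings.append(f"aaa accounting list '{m.group(2)}' is applied nowhere "
                            "(typo for 'default'? accounting is silently off)")
        m = SNMP.match(ln)
        if m:
            if m.group(2) == "RW":
                findings.append(f"snmp-server community {m.group(1)} grants RW access")
            if not m.group(3):
                findings.append(f"snmp-server community {m.group(1)} has no access-list")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print("-", finding)
```

The ESP/AH check is the one most directly tied to the thread: even once the routing question is settled, IPsec through this NAT can only work via NAT-T (UDP 4500) or the TCP 10000 encapsulation, never via the protocol-50/51 entries.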