[c-nsp] Dual Homing and NAT via route-maps
Rodney Dunn
rodunn at cisco.com
Fri Jan 9 12:22:54 EST 2009
Get 'debug ip nat detailed' when you try to do the SSH.
I bet it's one of those "denying locally generated packets
from being NAT'ed on the way back out" issues.
Try putting a deny in the route-map instance referencing an
ACL that blocks any packets with a src ip of the outside interface
addresses.
Or explicitly match the ip inside subnet and deny all others.
Rodney
On Fri, Jan 09, 2009 at 11:26:23AM -0500, Jeremy Parr wrote:
> One can multi-home a router via object tracking, this works just fine.
> When NAT is added to the mix, things seem to get ugly and broken. The
> "ip nat inside" statement isn't applied with an access list as the
> argument, but rather a route-map. As soon as the ip nat statement is
> in use, the router can no longer be sshed to, or telneted to on either
> external interface. Port forwards to internal hosts continue to work.
> Below is an example config. If the line "ip nat inside source
> route-map BGC interface FastEthernet0 overload" is removed, or the
> line "route-map BGC permit 10", I am able to telnet/ssh to the router.
> Any ideas? I have tested this on various IOS revisions, currently
> running bleeding edge 12.4(11)XW9, but the latest in the T train
> behaves the same.
>
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Router
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> !
> !
> !
> !
> !
> ip cef
> !
> !
> !
> multilink bundle-name authenticated
> !
> !
> archive
> log config
> hidekeys
> !
> !
> !
> track 1 rtr 1 reachability
> !
> !
> !
> interface FastEthernet0
> ip address 172.16.10.99 255.255.255.0
> ip nat outside
> ip virtual-reassembly
> duplex auto
> speed auto
> !
> interface FastEthernet1
> ip address 1.1.1.2 255.255.255.0
> ip nat outside
> ip virtual-reassembly
> duplex auto
> speed auto
> !
> interface FastEthernet2
> !
> interface FastEthernet3
> shutdown
> !
> interface FastEthernet4
> !
> interface FastEthernet5
> shutdown
> !
> interface FastEthernet6
> shutdown
> !
> interface FastEthernet7
> shutdown
> !
> interface FastEthernet8
> shutdown
> !
> interface FastEthernet9
> shutdown
> !
> interface Dot11Radio0
> no ip address
> shutdown
> speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
> 36.0 48.0 54.0
> station-role root
> !
> interface Dot11Radio1
> no ip address
> shutdown
> speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
> station-role root
> !
> interface Vlan1
> no ip address
> ip nat inside
> ip virtual-reassembly
> !
> interface Async1
> no ip address
> encapsulation slip
> !
> router eigrp 1
> network 192.168.1.0
> auto-summary
> !
> ip route 0.0.0.0 0.0.0.0 172.16.10.1 track 1
> ip route 0.0.0.0 0.0.0.0 1.1.1.1 254
> !
> !
> no ip http server
> no ip http secure-server
> ip nat inside source route-map BGC interface FastEthernet0 overload
> ip nat inside source route-map Backup interface FastEthernet1 overload
> !
> ip sla 1
> icmp-echo 172.16.10.1
> timeout 1000
> threshold 2
> frequency 3
> ip sla schedule 1 life forever start-time now
> !
> !
> !
> route-map Backup permit 10
> match interface FastEthernet1
> !
> route-map BGC permit 10
> match interface FastEthernet0
> !
> !
> !
> !
> control-plane
> !
> !
> line con 0
> line 1
> modem InOut
> stopbits 1
> speed 115200
> flowcontrol hardware
> line aux 0
> line vty 0 4
> password beans
> login
> !
>
> !
> webvpn cef
> end
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
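Rodney's two suggestions, written out as an added example against the quoted config (this is not part of either post). The outside addresses 172.16.10.99 and 1.1.1.2 come from the FastEthernet0/FastEthernet1 lines above; the ACL numbers, the ACL name INSIDE-ONLY and the inside subnet 192.168.1.0/24 (inferred from the "network 192.168.1.0" line under router eigrp 1, since Vlan1 has no address in the paste) are assumptions. Note that a route-map `deny` clause fires when the referenced ACL *permits* the packet, so the ACL lists the router's own outside addresses with `permit` entries rather than `deny` entries.

```cisco
! Option 1: a deny clause ahead of the existing permit 10 in each route-map.
! ACL 10 is an assumed number; it matches packets sourced from the router's
! own outside interface addresses (e.g. replies to an inbound SSH/telnet
! session) so they fall into the deny clause and are never translated.
access-list 10 permit 172.16.10.99
access-list 10 permit 1.1.1.2
!
route-map BGC deny 5
 match ip address 10
route-map BGC permit 10
 match interface FastEthernet0
!
route-map Backup deny 5
 match ip address 10
route-map Backup permit 10
 match interface FastEthernet1
!
! Option 2: translate only the inside subnet and let the implicit deny at
! the end of the route-map drop everything else. INSIDE-ONLY and the
! 192.168.1.0/24 subnet are assumptions. Two match statements in the same
! clause are ANDed, so a packet must be from the inside subnet AND be
! leaving via the named interface to be translated.
ip access-list extended INSIDE-ONLY
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map BGC permit 10
 match ip address INSIDE-ONLY
 match interface FastEthernet0
!
route-map Backup permit 10
 match ip address INSIDE-ONLY
 match interface FastEthernet1
```

After applying either option, `show route-map BGC` shows the clause order and per-clause policy-routing match counters, and the `debug ip nat detailed` output Rodney asked for should no longer show the SSH reply packets sourced from 172.16.10.99 or 1.1.1.2 being picked up for translation. Use one option or the other in a given route-map, not both stacked together.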