Options

Routing and NAT issue

mikearamamikearama Member Posts: 749
in CCNP
Hey techies.

Stumped on this one.

The basic config at our DR location is:

192.168.199.0 -- ASA Firewall -- 192.168.198.0 -- MPLS 1841 ISR -- MPLS WAN -- HO

Vlan199 is the DR subnet, 198 is the "outside". All 199 IP's are natted on the 1841 to corresponding subnets from HO.

Here's the nat config from the 1841:

ip nat pool HO-SUPP 192.168.198.51 192.168.198.69 netmask 255.255.255.0
ip nat inside source list 7 pool HO-SUPP
ip nat inside source static 10.22.129.204 192.168.198.84
ip nat inside source static 10.22.129.205 192.168.198.85
ip nat inside source static 10.22.129.206 192.168.198.86
ip nat inside source static 10.22.129.207 192.168.198.87
ip nat inside source static 10.22.129.208 192.168.198.88
ip nat inside source static 10.22.160.162 192.168.198.91
ip nat inside source static 10.22.241.81 192.168.198.170
ip nat inside source static 10.22.241.82 192.168.198.171
ip nat inside source static 10.22.243.81 192.168.198.172
ip nat inside source static 10.22.243.82 192.168.198.173


The issue arises when I try to ping/tracert the nat from any device on the 199 subnet. For example, from a jumpbox server with an ip of 199.200, this tracert to the 192.168.198.170:

Tracing route to 192.168.198.170 over a maximum of 30 hops

1 2 ms <1 ms <1 ms 192.168.198.1
2 1 ms 1 ms 1 ms 192.168.198.170
3 36 ms 45 ms 12 ms 192.168.198.170
4 6 ms 5 ms 5 ms 192.168.198.170
5 6 ms 6 ms 6 ms 192.168.198.170
6 8 ms <1 ms 6 ms 192.168.198.170
7 6 ms 6 ms 6 ms 192.168.198.170

Trace complete.

I expected the second hop to be the ISR, and then hops as the packet crossed the MPLS to our core on its way to 10.22.241.81.

Anyone see my mistake?

Much obliged,
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.

CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
· Share on FacebookShare on Twitter

Comments

  • Options
    kryollakryolla Member Posts: 785
    the outside wont see the inside local address i.e 10. network all it will see is the inside global address. Thats what NAT is suppose to do
    Studying for CCIE and drinking Home Brew
    · Share on FacebookShare on Twitter
  • Options
    mikearamamikearama Member Posts: 749
    Ah, gotcha... I think. I understood that by default, natting was bi-directional... that the ISR would get the hit on 192.168.198.170, see the inside source nat to that IP belonging to 10.22.241.81, and forward the packet.

    I take it the workaround then is to create another set of nat's, sourced from the outside, pointing at the inside local IP's?
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
    · Share on FacebookShare on Twitter
  • Options
    kryollakryolla Member Posts: 785
    mikearama wrote: »
    Ah, gotcha... I think. I understood that by default, natting was bi-directional... that the ISR would get the hit on 192.168.198.170, see the inside source nat to that IP belonging to 10.22.241.81, and forward the packet.

    I take it the workaround then is to create another set of nat's, sourced from the outside, pointing at the inside local IP's?

    it is forwarding the packet you just wont see it, all the outside see is 198.170 and the nat router does the rest, thats why all the replies are from 198.170. By having a static entry it is bidirectional meaning the inside doesn't have to initiate the connection. Do you want the outside to see the inside local address of every hop?
    Studying for CCIE and drinking Home Brew
    · Share on FacebookShare on Twitter
  • Options
    mikearamamikearama Member Posts: 749
    kryolla wrote: »
    Do you want the outside to see the inside local address of every hop?

    Ideally, that's what I'm looking for. If the ISR isn't the issue, then I need to look further, and to that end, knowing the last hop before the failure would help. Is that possible?
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
    · Share on FacebookShare on Twitter
  • Options
    burbankmarcburbankmarc Member Posts: 460
    This might be what your looking for

    Network Address Translation on a Stick [IP Addressing Services] - Cisco Systems

    NAT on a stick.
    · Share on FacebookShare on Twitter
  • Options
    kryollakryolla Member Posts: 785
    mikearama wrote: »
    Ideally, that's what I'm looking for. If the ISR isn't the issue, then I need to look further, and to that end, knowing the last hop before the failure would help. Is that possible?

    I don't think thats possible if you think about what NAT does to the IP header, but I don't understand why you want to know, do you have access to all the routers why not just do a trace route from the nat router to 10. network and what type of failure are you trying to detect
    Studying for CCIE and drinking Home Brew
    · Share on FacebookShare on Twitter
Sign In or Register to comment.