Routing and NAT issue

Hey techies.

Stumped on this one.

The basic config at our DR location is:

192.168.199.0 -- ASA Firewall -- 192.168.198.0 -- MPLS 1841 ISR -- MPLS WAN -- HO

Vlan199 is the DR subnet, 198 is the "outside". All 199 IP's are natted on the 1841 to corresponding subnets from HO.

Here's the nat config from the 1841:

ip nat pool HO-SUPP 192.168.198.51 192.168.198.69 netmask 255.255.255.0
ip nat inside source list 7 pool HO-SUPP
ip nat inside source static 10.22.129.204 192.168.198.84
ip nat inside source static 10.22.129.205 192.168.198.85
ip nat inside source static 10.22.129.206 192.168.198.86
ip nat inside source static 10.22.129.207 192.168.198.87
ip nat inside source static 10.22.129.208 192.168.198.88
ip nat inside source static 10.22.160.162 192.168.198.91
ip nat inside source static 10.22.241.81 192.168.198.170
ip nat inside source static 10.22.241.82 192.168.198.171
ip nat inside source static 10.22.243.81 192.168.198.172
ip nat inside source static 10.22.243.82 192.168.198.173

The issue arises when I try to ping/tracert the nat from any device on the 199 subnet. For example, from a jumpbox server with an ip of 199.200, this tracert to the 192.168.198.170:

Tracing route to 192.168.198.170 over a maximum of 30 hops

1 2 ms <1 ms <1 ms 192.168.198.1
2 1 ms 1 ms 1 ms 192.168.198.170
3 36 ms 45 ms 12 ms 192.168.198.170
4 6 ms 5 ms 5 ms 192.168.198.170
5 6 ms 6 ms 6 ms 192.168.198.170
6 8 ms <1 ms 6 ms 192.168.198.170
7 6 ms 6 ms 6 ms 192.168.198.170

Trace complete.

I expected the second hop to be the ISR, and then hops as the packet crossed the MPLS to our core on its way to 10.22.241.81.

Anyone see my mistake?

Much obliged,
Mike

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

kryolla

the outside wont see the inside local address i.e 10. network all it will see is the inside global address. Thats what NAT is suppose to do

mikearama

Ah, gotcha... I think. I understood that by default, natting was bi-directional... that the ISR would get the hit on 192.168.198.170, see the inside source nat to that IP belonging to 10.22.241.81, and forward the packet.

I take it the workaround then is to create another set of nat's, sourced from the outside, pointing at the inside local IP's?

kryolla

mikearama wrote: »

Ah, gotcha... I think. I understood that by default, natting was bi-directional... that the ISR would get the hit on 192.168.198.170, see the inside source nat to that IP belonging to 10.22.241.81, and forward the packet.

I take it the workaround then is to create another set of nat's, sourced from the outside, pointing at the inside local IP's?

it is forwarding the packet you just wont see it, all the outside see is 198.170 and the nat router does the rest, thats why all the replies are from 198.170. By having a static entry it is bidirectional meaning the inside doesn't have to initiate the connection. Do you want the outside to see the inside local address of every hop?

mikearama

kryolla wrote: »

Do you want the outside to see the inside local address of every hop?

Ideally, that's what I'm looking for. If the ISR isn't the issue, then I need to look further, and to that end, knowing the last hop before the failure would help. Is that possible?

burbankmarc

This might be what your looking for

Network Address Translation on a Stick [IP Addressing Services] - Cisco Systems

NAT on a stick.

kryolla

mikearama wrote: »

Ideally, that's what I'm looking for. If the ISR isn't the issue, then I need to look further, and to that end, knowing the last hop before the failure would help. Is that possible?

I don't think thats possible if you think about what NAT does to the IP header, but I don't understand why you want to know, do you have access to all the routers why not just do a trace route from the nat router to 10. network and what type of failure are you trying to detect