
Explain this NAT behavior

acidsatyr Member Posts: 111
I've been pondering this for a while; maybe you can explain why this is working the way it's working!
Here's the scenario:
lo100
 --------R1-----------------R2

R1 lo100 = 12.0.0.1

R1 should ping R2's interface with lo100 as the source. R2 doesn't have a route to 12.0.0.1.

The idea is to use NAT on R1 and translate source address to something R2 knows about.
Therefore there are two solutions: inside local to inside global (ip nat inside source ...) and outside global to outside local (ip nat outside source ...).

Solution 1: ip nat inside source static 12.0.0.1 interface s1/0
int lo100 is ip nat inside
int s1/0 is ip nat outside
This works; lo100 is translated to s1/0 when going outside, and R1 can ping R2.

Solution 2: ip nat outside source static 12.0.0.1 10.0.0.1
int lo100 is ip nat outside
int s1/0 is ip nat inside
This doesn't work! But I can't see why not: lo100 from outside should be translated to inside. The translation never happens.

Do you know why?

Comments

  • ilcram19-2 Banned Posts: 436
    acidsatyr wrote: »
    I've been pondering this for a while; maybe you can explain why this is working the way it's working!
    Here's the scenario:
    lo100
     --------R1-----------------R2
    

    R1 lo100 = 12.0.0.1

    R1 should ping R2's interface with lo100 as the source. R2 doesn't have a route to 12.0.0.1.

    The idea is to use NAT on R1 and translate source address to something R2 knows about.
    Therefore there are two solutions: inside local to inside global (ip nat inside source ...) and outside global to outside local (ip nat outside source ...).

    Solution 1: ip nat inside source static 12.0.0.1 interface s1/0
    int lo100 is ip nat inside
    int s1/0 is ip nat outside
    This works; lo100 is translated to s1/0 when going outside, and R1 can ping R2.

    Solution 2: ip nat outside source static 12.0.0.1 10.0.0.1
    int lo100 is ip nat outside
    int s1/0 is ip nat inside
    This doesn't work! But I can't see why not: lo100 from outside should be translated to inside. The translation never happens.

    Do you know why?

    It needs a translation back. When you establish a session translating an inside address to an outside address, the destination address is the one translated, not the source; the source stays the same, so when the packet gets to the inside host, the inside host doesn't know how to get back out. The reason it works for the Internet, or when you are translating for example SMTP
    ip nat inside source static tcp 10.1.1.1 25 1.1.1.1 25
    is because you have this overload statement that is translating back to 1.1.1.1:
    ip nat inside source list inside_nated 10.1.1.1 overload
    ip access-list extended inside_nated
    permit 10.1.1.0 0.0.0.255 any
    Otherwise the packet will be received, but it will never be sent back, because the inside host doesn't know how to get back unless there is a route.
  • acidsatyr Member Posts: 111
    I tried my best to understand what you are saying...

    When a packet gets on inside interface and there is IL->IG translation (ip nat inside source...) the source gets translated to IG. When the response gets on outside interface with IG as destination, the destination is translated back to IL.

    Likewise - when a packet gets on outside interface and there is OG->OL mapping (ip nat outside source...), the source of packet is translated to OL. When this packet is sent back, and received on inside interface, it is translated back to OG.

    In my second example, OG should be translated to OL, i.e. an address that R2 knows about. But the point is that the translation never happens.

    In my first scenario, IL is in fact translated to IG.

    In both cases address should be translated to something that R2 knows about.
  • ilcram19-2 Banned Posts: 436
    acidsatyr wrote: »
    I tried my best to understand what you are saying...

    When a packet gets on inside interface and there is IL->IG translation (ip nat inside source...) the source gets translated to IG. When the response gets on outside interface with IG as destination, the destination is translated back to IL.

    Likewise - when a packet gets on outside interface and there is OG->OL mapping (ip nat outside source...), the source of packet is translated to OL. When this packet is sent back, and received on inside interface, it is translated back to OG.

    In my second example, OG should be translated to OL, i.e. an address that R2 knows about. But the point is that the translation never happens.

    In my first scenario, IL is in fact translated to IG.

    In both cases address should be translated to something that R2 knows about.

    It doesn't translate back; only the destination is translated, the source stays the same.
    For example, I have this: ip nat inside source static 10.1.1.1 1.1.1.1
    If I'm coming in to destination 1.1.1.1 from source 2.2.2.2 to inside host 10.1.1.1,
    then the destination changes to 10.1.1.1 but the source stays the same. If you don't have the overload statement it won't translate back to 1.1.1.1, and 10.1.1.1 won't know how to get back to 2.2.2.2.
  • tim100 Member Posts: 162
    acidsatyr wrote: »

    Solution 1: ip nat inside source static 12.0.0.1 interface s1/0
    int lo100 is ip nat inside
    int s1/0 is ip nat outside
    This works; lo100 is translated to s1/0 when going outside, and R1 can ping R2.

    Seeing that you are using R1's lo100 as the source, there will be no NAT involved at all, because R1 will not translate for itself. The workaround would be policy routing.
    acidsatyr wrote: »
    Solution 2: ip nat outside source static 12.0.0.1 10.0.0.1
    int lo100 is ip nat outside
    int s1/0 is ip nat inside
    This doesn't work! But I can't see why not: lo100 from outside should be translated to inside. The translation never happens.

    Do you know why?

    If 10.0.0.1 is R1's s1/0 IP address this won't work either. Try something like:

    ip nat outside source static 12.0.0.1 10.0.0.10

    Again, in order for all this to work you have to use policy routing. Try this:

    access-list 100 permit ip 12.0.0.0 0.0.0.255 any

    route-map LOCAL permit 10
    match ip address 100
    set interface Loopback100

    ip local policy route-map LOCAL

    Then ping R2 and specify R1's lo100 interface as the source.

    If you are using Frame-Relay on the serial interfaces you will have to map IP 10.0.0.10 to the DLCI.
  • ilcram19-2 Banned Posts: 436
    Try a routing protocol.
  • tim100 Member Posts: 162
    ilcram19-2 wrote: »
    Try a routing protocol.

    That won't accomplish anything in this scenario.
  • ilcram19-2 Banned Posts: 436
    tim100 wrote: »
    That won't accomplish anything in this scenario.

    R1 should ping R2's interface with lo100 as the source. R2 doesn't have a route to 12.0.0.1.


    I see why.
  • tim100 Member Posts: 162
    ilcram19-2 wrote: »
    R1 should ping R2's interface with lo100 as the source. R2 doesn't have a route to 12.0.0.1.


    I see why.

    Explain why you would need a route to 12.0.0.1 if you are using NAT.
  • acidsatyr Member Posts: 111
    Hey tim100, you understand the scenario.

    I know policy routing seems like a logical solution; the thing is, why does R1 need it ONLY when doing ip nat outside source translation?

    See, when I do ip nat inside source and the packet is sourced from lo100, R1 does translate it!

    When R1 tries the OG->OL translation (lo100 is now the *outside interface*), the translation never happens!

    PS: there is another issue here -> when a packet comes in on the outside interface, the NAT translation is done before routing. When a packet arrives on the inside (as is the case when lo100 is the outside int.), the packet that arrives from R2 on R1's serial first gets a routing lookup and then translation. This is irrelevant to the scenario, as R1 never does that OG->OL translation; even if there were a translation, R1 would get the echo-reply on its S1/0, not lo100.
    But I need to know why the translation never happens.
  • tim100 Member Posts: 162
    acidsatyr wrote: »
    See, when I do ip nat inside source and the packet is sourced from lo100, R1 does translate it!

    Do a "debug ip nat detail" on R1 and a "debug ip packet" on R2 and then source another ping from lo100. Let me know what debugging output you get from both routers. Also post a "sh ip route" from both routers.
  • acidsatyr Member Posts: 111
    Scenario 1

    R1 config
    ip nat inside source static 12.0.0.1 10.0.0.1
    
    interface lo100
     ip nat inside
    interface s1/0
     ip nat outside
    
    
    debug ip nat detail
    debug ip packet detail
    
    
    R1#ping 10.0.0.2 source lo100 re 2
    
    Type escape sequence to abort.
    Sending 2, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
    Packet sent with a source address of 12.0.0.1 
    !!
    Success rate is 100 percent (2/2), round-trip min/avg/max = 8/14/20 ms
    R1#
    *Apr  2 10:09:17.059: IP: tableid=0, s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), routed via FIB
    *Apr  2 10:09:17.063: IP: s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), len 100, sending
    *Apr  2 10:09:17.063:     ICMP type=8, code=0
    *Apr  2 10:09:17.063: NAT: i: icmp (12.0.0.1, 0) -> (10.0.0.2, 0) [0]     
    *Apr  2 10:09:17.063: NAT: s=12.0.0.1->10.0.0.1, d=10.0.0.2 [0]
    *Apr  2 10:09:17.075: NAT*: o: icmp (10.0.0.2, 0) -> (10.0.0.1, 0) [0]
    *Apr  2 10:09:17.075: NAT*: s=10.0.0.2, d=10.0.0.1->12.0.0.1 [0]
    *Apr  2 10:09:17.079: IP: tableid=0, s=10.0.0.2 (Serial1/0), d=12.0.0.1 (Loopback100), routed via RIB
    *Apr  2 10:09:17.079: IP: s=10.0.0.2 (Serial1/0), d=12.0.0.1, len 100, rcvd 4
    *Apr  2 10:09:17.079:     ICMP type=0, code=0
    *Apr  2 10:09:17.079: IP: tableid=0, s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), routed via FIB
    *Apr  2 10:09:17.079: IP: s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), len 100, sending
    *Apr  2 10:09:17.083:     ICMP type=8, code=0
    *Apr  2 10:09:17.083: NAT: i: icmp (12.0.0.1, 0) -> (10.0.0.2, 0) [1]     
    *Apr  2 10:09:17.083: NAT: s=12.0.0.1->10.0.0.1, d=10.0.0.2 [1]
    *Apr  2 10:09:17.087: NAT*: o: icmp (10.0.0.2, 0) -> (10.0.0.1, 0) [1]
    *Apr  2 10:09:17.087: NAT*: s=10.0.0.2, d=10.0.0.1->12.0.0.1 [1]
    *Apr  2 10:09:17.087: IP: tableid=0, s=10.0.0.2 (Serial1/0), d=12.0.0.1 (Loopback100), routed via RIB
    

    R2:
    *Apr  2 10:09:17.643: IP: tableid=0, s=10.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), routed via RIB
    *Apr  2 10:09:17.647: IP: s=10.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), len 100, rcvd 3
    *Apr  2 10:09:17.651: IP: tableid=0, s=10.0.0.2 (local), d=10.0.0.1 (Serial1/0), routed via FIB
    *Apr  2 10:09:17.655: IP: s=10.0.0.2 (local), d=10.0.0.1 (Serial1/0), len 100, sending
    *Apr  2 10:09:17.679: IP: tableid=0, s=10.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), routed via RIB
    *Apr  2 10:09:17.679: IP: s=10.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), len 100, rcvd 3
    *Apr  2 10:09:17.679: IP: tableid=0, s=10.0.0.2 (local), d=10.0.0.1 (Serial1/0), routed via FIB
    
    

    As you can see, NAT is working when the inside local address is translated to the inside global address.

    Scenario 2

    R1 config
    ip nat outside source static 12.0.0.1 10.0.0.1
    
    interface lo100
     ip nat outside
    interface s1/0
     ip nat inside
    
    
    R1#ping 10.0.0.2 source lo100 re 2
    
    Type escape sequence to abort.
    Sending 2, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
    Packet sent with a source address of 12.0.0.1 
    
    *Apr  2 10:15:43.015: IP: tableid=0, s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), routed via FIB
    *Apr  2 10:15:43.015: IP: s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), len 100, sending
    *Apr  2 10:15:43.015:     ICMP type=8, code=0.
    *Apr  2 10:15:45.015: IP: tableid=0, s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), routed via FIB
    *Apr  2 10:15:45.019: IP: s=12.0.0.1 (local), d=10.0.0.2 (Serial1/0), len 100, sending
    *Apr  2 10:15:45.023:     ICMP type=8, code=0.
    Success rate is 0 percent (0/2)
    
    R2#
    *Apr  2 10:15:43.591: IP: tableid=0, s=12.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), routed via RIB
    *Apr  2 10:15:43.595: IP: s=12.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), len 100, rcvd 3
    *Apr  2 10:15:43.599: IP: s=10.0.0.2 (local), d=12.0.0.1, len 100, unroutable
    R2#
    *Apr  2 10:15:45.643: IP: tableid=0, s=12.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), routed via RIB
    *Apr  2 10:15:45.643: IP: s=12.0.0.1 (Serial1/0), d=10.0.0.2 (Serial1/0), len 100, rcvd 3
    *Apr  2 10:15:45.643: IP: s=10.0.0.2 (local), d=12.0.0.1, len 100, unroutable
    

    No NAT translation. Why does NAT work only when the locally sourced address is on the inside and not on the outside?
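    The two debug captures above (and the IL/IG/OG/OL rules spelled out earlier in the thread) can be reduced to a small model. This is an added illustration, not IOS code and not anything the posters wrote: it encodes "inside source" as src IL->IG on inside-to-outside traffic with dst IG->IL on the way back, and "outside source" as src OG->OL on outside-to-inside traffic with dst OL->OG on the way back. One rule is an assumption read off the captures rather than stated on the page: a packet the router generates itself only enters NAT when its egress interface is an `ip nat outside` interface (it is then handled like inside-to-outside traffic), and it is never treated as having been received on an outside interface, so the outside-to-inside rules never see it. The third scenario models tim100's `ip local policy` workaround under a further assumption, that policy-routing the packet out Loopback100 makes it re-enter the router as if received on lo100. Interface names, R2's routing table and the 10.0.0.10 mapping are taken from the thread.

```python
"""Model of the IOS NAT translation directions discussed in this thread.

Added illustration, not IOS code. Assumptions (see lead-in): router-generated
packets only hit NAT when leaving an 'ip nat outside' interface; the policy
routing hairpin re-injects the packet as if received on lo100.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class NatRouter:
    roles: Dict[str, str]            # interface -> "inside" | "outside"
    inside_source: Dict[str, str]    # IL -> IG  (ip nat inside source static IL IG)
    outside_source: Dict[str, str]   # OG -> OL  (ip nat outside source static OG OL)

    def direction(self, ingress: Optional[str], egress: str) -> Optional[str]:
        """Classify the flow; ingress=None means the router generated the packet."""
        in_role = self.roles.get(ingress) if ingress else None
        out_role = self.roles.get(egress)
        if in_role == "inside" and out_role == "outside":
            return "inside_to_outside"
        if in_role == "outside" and out_role == "inside":
            return "outside_to_inside"
        if ingress is None and out_role == "outside":
            # assumption: locally generated traffic leaving an outside
            # interface is handled like inside-to-outside traffic
            return "inside_to_outside"
        return None                  # nothing to translate on this path

    def translate(self, pkt: Packet, ingress: Optional[str], egress: str) -> Packet:
        d = self.direction(ingress, egress)
        if d == "inside_to_outside":
            ol_to_og = {ol: og for og, ol in self.outside_source.items()}
            return Packet(self.inside_source.get(pkt.src, pkt.src),
                          ol_to_og.get(pkt.dst, pkt.dst))
        if d == "outside_to_inside":
            ig_to_il = {ig: il for il, ig in self.inside_source.items()}
            return Packet(self.outside_source.get(pkt.src, pkt.src),
                          ig_to_il.get(pkt.dst, pkt.dst))
        return pkt                   # no NAT direction matched: untouched


def r2_reply(echo: Packet) -> Optional[Packet]:
    """R2 as in the thread: only the connected 10.0.0.0/24 is routable (constructed)."""
    if not echo.src.startswith("10.0.0."):
        return None                  # R2 debug: 'unroutable'
    return Packet(echo.dst, echo.src)


def scenario1() -> Tuple[Packet, Optional[Packet]]:
    """lo100 inside, s1/0 outside, ip nat inside source static 12.0.0.1 10.0.0.1"""
    r1 = NatRouter({"lo100": "inside", "s1/0": "outside"},
                   inside_source={"12.0.0.1": "10.0.0.1"}, outside_source={})
    echo = r1.translate(Packet("12.0.0.1", "10.0.0.2"), ingress=None, egress="s1/0")
    reply = r2_reply(echo)
    if reply is None:
        return echo, None
    return echo, r1.translate(reply, ingress="s1/0", egress="lo100")


def scenario2() -> Tuple[Packet, Optional[Packet]]:
    """lo100 outside, s1/0 inside, ip nat outside source static 12.0.0.1 10.0.0.1"""
    r1 = NatRouter({"lo100": "outside", "s1/0": "inside"},
                   inside_source={}, outside_source={"12.0.0.1": "10.0.0.1"})
    # egress s1/0 is an inside interface and the packet was never received
    # on lo100, so no direction matches and the source stays 12.0.0.1
    echo = r1.translate(Packet("12.0.0.1", "10.0.0.2"), ingress=None, egress="s1/0")
    return echo, r2_reply(echo)


def scenario3() -> Tuple[Packet, Optional[Packet]]:
    """Scenario 2 plus tim100's ip local policy hairpin (assumed re-ingress on lo100)."""
    r1 = NatRouter({"lo100": "outside", "s1/0": "inside"},
                   inside_source={}, outside_source={"12.0.0.1": "10.0.0.10"})
    echo = r1.translate(Packet("12.0.0.1", "10.0.0.2"), ingress="lo100", egress="s1/0")
    reply = r2_reply(echo)
    if reply is None:
        return echo, None
    # assumes R1 routes 10.0.0.10 toward lo100 so the reply is an inside-to-outside flow
    return echo, r1.translate(reply, ingress="s1/0", egress="lo100")


if __name__ == "__main__":
    for name, fn in (("scenario1", scenario1), ("scenario2", scenario2), ("scenario3", scenario3)):
        print(name, fn())
```

    One caveat on the third scenario, outside the model: the caller hands `translate` the egress interface, but real IOS routes inside-to-outside traffic before translating it, so the reply to the outside local address 10.0.0.10 only becomes an inside-to-outside flow if R1 has a route for 10.0.0.10 pointing at lo100 (the `add-route` keyword on `ip nat outside source static` installs such a host route); without it the reply is simply routed back onto the connected 10.0.0.0/24.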
  • jason_lunde Member Posts: 567
    Scratch that; I had an idea, but I labbed it up and it didn't work... sorry dude.
  • acidsatyr Member Posts: 111
    I guess this falls into one of those "by design" issues. It just works or it doesn't.
    Still, interesting, and I couldn't find documentation on this particular scenario in the Cisco documentation.