Monday, 7 May 2012

NAT / PAT

What a horror!
I encountered a nasty one with Network Address Translation overload; it took me a while to figure this one out.

NAT Overload

The scenario:

WWW : 209.65.200.241/29
ISP : 209.65.200.254/29
    : 209.65.200.226/30
R1  : 209.65.200.225/30
    : 10.1.1.1/30
R2  : 10.1.1.2/30


As you can see, R1 has a public IP address to route on the internet and a private IP address to communicate with the internal network. As we all know, RFC 1918 addresses aren't permitted on the internet, so two things need to be done:

1) NAT/PAT
2) An access list to restrict RFC 1918 addresses

Here's the config on R1:

        interface Serial1/0
         description : FRAME INTERFACE
         no ip address
         ip nat inside
         encapsulation frame-relay
         serial restart-delay 0
         no frame-relay inverse-arp
        !
        interface Serial1/0.12 point-to-point
         description : Link to R2
         ip address 10.1.1.1 255.255.255.252
         ip nat inside
         frame-relay interface-dlci 101
        !
        interface Serial1/1
         description : Link to ISP
         ip address 209.65.200.225 255.255.255.252
         ip access-group 192 out
         ip nat outside
         encapsulation ppp
         serial restart-delay 0
         no cdp enable
         ppp authentication chap

ip nat source list 10 interface Serial1/1 overload
!
access-list 10 permit 10.0.0.0 0.7.255.255 log
access-list 192 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 192 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 192 deny   ip 192.168.0.0 0.0.255.255 any log
! added: an extended ACL ends with an implicit "deny any"; without an explicit
! permit, the translated (public) sources would be dropped by this filter too
access-list 192 permit ip any any
 

So the above config should work, right? Or so I believed: the access group blocks RFC 1918 addresses out to the internet, and NAT overload is set for the internal clients. It took me hours to figure out what was wrong. I combed Google, read the Cisco NAT/PAT config guide over and over, checked my notes, etc. I started to think maybe this was a bug in IOS or something.

After clearing my head and troubleshooting from the bottom up, I noticed there were no log hits on access-list 10, which meant traffic wasn't being matched against the NAT list at all. This was after disabling the ip access-group 192 out on the serial interface to the ISP.

I turned on ICMP debug on the ISP router and, to my not-so-surprise, saw the private IP addresses knocking at the ISP router's door.

So, what do NAT and access lists have in common?
Why would the router route the traffic and not include NAT and the access lists in the equation?

Answer: our good old friend CEF (Cisco Express Forwarding).
CEF is brilliant for bypassing the route processor and forwarding frames at wire speed via hardware.

So I quickly jumped to my console and typed "no ip route-cache":

        interface Serial1/1
         description : Link to ISP
         ip address 209.65.200.225 255.255.255.252
         ip access-group 192 out
         ip nat enable
         no ip route-cache
         no ip route-cache cef
         encapsulation ppp
         serial restart-delay 0
         no cdp enable
         ppp authentication chap

And NAT worked beautifully. (The working snippet above also carries ip nat enable where the first one had ip nat outside; that goes with the newer syntax below.)
I also learned that the old way of using

"ip nat inside source list ...."
"ip nat inside"
"ip nat outside"

can be replaced with

"ip nat enable"
"ip nat source list...."

https://learningnetwork.cisco.com/thread/26212
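The egress path the post describes, modelled in Python as an added example (it is not code from the post or from Cisco, and it does not model CEF): IOS wildcard-mask matching, the implicit deny at the end of every ACL, a minimal PAT table, and NAT inside-to-outside translation applied before the outbound ACL, which is the order Cisco documents for inside-to-outside traffic. The addresses, list numbers and the NAT list and deny lines are the post's; the source port, the allocated global port range and the final `permit ip any any` line are constructed. It runs the same R2 packet through the filter made of the three RFC 1918 deny lines alone and then with an explicit permit appended, and through both the translated path and the untranslated path the post observed, so you can see which combinations hit a deny and whether that deny would have logged.

```python
# Model of R1's egress path: NAT overload (PAT), then the outbound ACL.
# Constructed for this post; it is not IOS code and does not model CEF.
# Addresses, ACL numbers and wildcard masks are taken from the post's config.
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class AclEntry:
    action: str        # 'permit' or 'deny'
    base: str
    wildcard: str
    log: bool = False

def parse_acl(lines):
    """Parse the 'access-list' subset used in the post (source address only).
    Standard: access-list 10 permit 10.0.0.0 0.7.255.255 log
    Extended: access-list 192 deny ip 10.0.0.0 0.255.255.255 any log
    Returns {acl_number: [AclEntry, ...]} in configured order."""
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != 'access-list' or not tok[1].isdigit():
            continue
        rest = tok[3:]
        if rest[0] == 'ip':                      # extended ACL: skip the protocol keyword
            rest = rest[1:]
        if rest[0] == 'any':
            base, wildcard = '0.0.0.0', '255.255.255.255'
        else:
            base, wildcard = rest[0], rest[1]
        acls.setdefault(int(tok[1]), []).append(AclEntry(tok[2], base, wildcard, 'log' in tok))
    return acls

def acl_lookup(entries, src):
    """First match wins; falling off the end is the implicit 'deny any' every IOS ACL has."""
    for e in entries:
        if wildcard_match(src, e.base, e.wildcard):
            return e.action, e
    return 'deny', None

class PatTable:
    """Minimal NAT overload: many inside (ip, port) pairs share one outside address."""
    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip, self.next_port = outside_ip, first_port
        self.inside_to_global, self.global_to_inside = {}, {}

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.inside_to_global:     # new flow: allocate the next global port
            glob = (self.outside_ip, self.next_port)
            self.next_port += 1
            self.inside_to_global[key], self.global_to_inside[glob] = glob, key
        return self.inside_to_global[key]

    def untranslate(self, dst_ip, dst_port):
        """Reverse lookup for the reply direction."""
        return self.global_to_inside.get((dst_ip, dst_port))

def egress(packet, acls, pat, nat_applied=True, nat_list=10, out_acl=192):
    """One packet leaving Serial1/1: NAT inside-to-outside first, then the outbound ACL
    (the order Cisco documents for inside-to-outside traffic). nat_applied=False models
    what the post observed: the packet reaching the filter untranslated."""
    src_ip, src_port = packet
    nat_hit = acl_lookup(acls[nat_list], src_ip)[0] == 'permit'   # would log on list 10
    if nat_applied and nat_hit:
        src_ip, src_port = pat.translate(src_ip, src_port)
    verdict, entry = acl_lookup(acls[out_acl], src_ip)
    return {'src': src_ip, 'port': src_port, 'nat_hit': nat_applied and nat_hit,
            'acl192': verdict, 'logged': bool(entry and entry.log)}

# Constructed input: the NAT list and the three RFC 1918 deny lines from the post...
FILTER_DENY_ONLY = [
    'access-list 10 permit 10.0.0.0 0.7.255.255 log',
    'access-list 192 deny   ip 10.0.0.0 0.255.255.255 any log',
    'access-list 192 deny   ip 172.16.0.0 0.15.255.255 any log',
    'access-list 192 deny   ip 192.168.0.0 0.0.255.255 any log',
]
# ...and the same lines followed by the explicit permit that lets translated traffic out.
FILTER_WITH_PERMIT = FILTER_DENY_ONLY + ['access-list 192 permit ip any any']

def run_cases(r2_packet=('10.1.1.2', 40000)):        # source port is constructed
    results = {}
    for name, cfg in (('deny_only', FILTER_DENY_ONLY), ('with_permit', FILTER_WITH_PERMIT)):
        acls, pat = parse_acl(cfg), PatTable('209.65.200.225')
        results[name] = {'nat_applied': egress(r2_packet, acls, pat),
                         'nat_bypassed': egress(r2_packet, acls, pat, nat_applied=False)}
    return results

if __name__ == '__main__':
    for name, paths in run_cases().items():
        for path, r in paths.items():
            print(f"{name:11s} {path:12s} src={r['src']}:{r['port']} "
                  f"nat_hit={r['nat_hit']} acl192={r['acl192']} logged={r['logged']}")
```

Two things the table makes visible: the untranslated 10.1.1.2 packet is the only one that hits a logged deny line, so a filter that is dropping private sources at all would show log hits on 192, while the translated 209.65.200.225 packet passes only when the filter ends in an explicit permit; with the deny lines alone it falls through to the unlogged implicit deny and disappears without a trace.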

So there it is folks
