You are missing the NAT statement on the loopback interface. Add
ip nat outside on Loopback0 Regards, Tyson Scott - CCIE #13513 R&S, Security, and SP Managing Partner / Sr. Instructor - IPexpert, Inc. Mailto: <mailto:[email protected]> [email protected] Telephone: +1.810.326.1444, ext. 208 Live Assistance, Please visit: <http://www.ipexpert.com/chat> www.ipexpert.com/chat eFax: +1.810.454.0130 IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at <http://www.ipexpert.com/communities> www.ipexpert.com/communities and our public website at <http://www.ipexpert.com/> www.ipexpert.com From: [email protected] [mailto:[email protected]] On Behalf Of Nilesh Mehta Sent: Monday, October 25, 2010 1:06 PM To: [email protected] Subject: [OSL | CCIE_RS] Lab-17 Task =17.14 Lab-17----- task=17.14 In this task I put route-map, access-list and NAT configuration on R9. I was able to see NAT translation for route map for fa0/0. It worked from Cat -3 for IP address 150.100.221.7 with natted address of s0/2/0 and I was able to ping 150.100.221.7, but other NAT configuration and route map did not worked as per DSG. Not sure what could be problem but I was never able to ping R1's loop back interface or Vlan 150.100.12.1. Here is config details for R9 and other debug out put.. ---------------------------------------------------------------------------- ------------------------------------------------------------------ R9=== R9#sh run Building configuration... Current configuration : 2644 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname R9 ! boot-start-marker warm-reboot boot-end-marker ! logging message-counter syslog enable secret 5 $1$z5mW$66Jkln/9qUS4XwVkuEPON/ ! no aaa new-model memory-size iomem 10 ! dot11 syslog ip source-route ! ! ip cef ! ! no ip domain lookup ip domain name ipexpert.com <http://ipexpert.com/> no ipv6 cef ! multilink bundle-name authenticated ! voice-card 0 ! archive log config hidekeys ! ! interface Loopback0 ip address 200.0.0.9 255.255.255.255 ! interface FastEthernet0/0 ip address 100.100.250.9 255.255.255.0 ip nat inside ip virtual-reassembly duplex auto speed auto ! interface FastEthernet0/1 ip address 150.100.91.9 255.255.255.0 ip nat inside ip virtual-reassembly duplex auto speed auto ! interface Serial0/2/0 bandwidth 128 ip address 150.100.69.9 255.255.255.0 ip verify unicast source reachable-via rx ip nat outside ip virtual-reassembly no fair-queue ! interface Serial0/2/1 bandwidth 128 ip address 150.100.96.9 255.255.255.0 ip verify unicast source reachable-via rx ! router ospf 1 log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 ! ip forward-protocol nd ip http server no ip http secure-server ! ! ip nat inside source route-map r2 interface Loopback0 overload ip nat inside source route-map r5 interface Serial0/2/0 overload ! access-list 101 permit ip 100.100.250.0 0.0.0.255 150.100.220.0 0.0.1.255 access-list 101 permit ip 150.100.91.0 0.0.0.255 150.100.220.0 0.0.1.255 access-list 101 permit ip 150.100.91.0 0.0.0.255 100.100.200.0 0.0.0.255 access-list 101 permit ip 150.100.91.0 0.0.0.255 150.100.81.0 0.0.0.255 access-list 101 permit ip 100.100.250.0 0.0.0.255 150.100.81.0 0.0.0.255 access-list 101 permit ip 100.100.250.0 0.0.0.255 100.100.200.0 0.0.0.255 access-list 102 permit ip 150.100.91.0 0.0.0.255 150.100.40.0 0.0.1.255 access-list 102 permit ip 100.100.250.0 0.0.0.255 150.100.40.0 0.0.1.255 access-list 102 permit ip 150.100.91.0 0.0.0.255 150.100.12.0 0.0.0.255 access-list 102 permit ip 100.100.250.0 0.0.0.255 150.100.12.0 0.0.0.255 access-list 102 permit ip 100.100.250.0 0.0.0.255 100.100.100.0 0.0.0.255 access-list 102 permit ip 150.100.91.0 0.0.0.255 100.100.100.0 0.0.0.255 ! ! ! ! route-map r2 permit 10 match ip address 102 ! route-map r5 permit 10 match ip address 101 ! ! ! control-plane! ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 password 7 070C285F4D06 login transport input telnet ssh ! scheduler allocate 20000 1000 end R9# R9#ping 150.100.12.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 150.100.12.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms When we try to ping from Cat-3 and Cat-4 ---debug output >From cat -3 Cat3560-3(config)#do ping 150.100.221.7 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 150.100.221.7, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/17 ms Cat3560-3(config)# ================================================================ R9(config)# *Mar 16 22:34:15.639: NAT: map match r5 *Mar 16 22:34:15.639: mapping pointer available mapping:0 *Mar 16 22:34:15.639: NAT: [0] Allocated Port for 150.100.91.13 -> 150.100.69.9 <http://150.100.69.9/> : wanted 13 got 13 *Mar 16 22:34:15.639: NAT*: i: icmp (150.100.91.13, 13) -> (150.100.221.7, 13) [65] *Mar 16 22:34:15.639: NAT*: i: icmp (150.100.91.13, 13) -> (150.100.221.7, 13) [65] *Mar 16 22:34:15.639: NAT*: s=150.100.91.13->150.100.69.9, d=150.100.221.7 [65] *Mar 16 22:34:15.655: NAT*: o: icmp (150.100.221.7, 13) -> (150.100.69.9, 13) [65] *Mar 16 22:34:15.655: NAT*: s=150.100.221.7, d=150.100.69.9->150.100.91.13 [65] *Mar 16 22:34:15.659: NAT*: i: icmp (150.100.91.13, 13) -> (150.100.221.7, 13) [66] *Mar 16 22:34:15.659: NAT*: s=150.100.91.13->150.100.69.9, d=150.100.221.7 [66] *Mar 16 22:34:15.671: NAT*: o: icmp (150.100.221.7, 13) -> (150.100.69.9, 13) [66] *Mar 16 22:34:15.671: NAT*: s=150.100.221.7, d=150.100.69.9->150.100.91.13 [66] *Mar 16 22:34:15.675: NAT*: i: icmp (150.100.91.13 R9(config)#, 13) -> (150.100.221.7, 13) [67] *Mar 16 22:34:15.675: NAT*: s=150.100.91.13->150.100.69.9, d=150.100.221.7 [67] *Mar 16 22:34:15.687: NAT*: o: icmp (150.100.221.7, 13) -> (150.100.69.9, 13) [67] *Mar 16 22:34:15.687: NAT*: s=150.100.221.7, d=150.100.69.9->150.100.91.13 [67] *Mar 16 22:34:15.691: NAT*: i: icmp (150.100.91.13, 13) -> (150.100.221.7, 13) [68] *Mar 16 22:34:15.695: NAT*: s=150.100.91.13->150.100.69.9, d=150.100.221.7 [68] *Mar 16 22:34:15.707: NAT*: o: icmp (150.100.221.7, 13) -> (150.100.69.9, 13) [68] *Mar 16 22:34:15.707: NAT*: s=150.100.221.7, d=150.100.69.9->150.100.91.13 [68] *Mar 16 22:34:15.711: NAT*: i: icmp (150.100.91.13, 13) -> (150.100.221.7, 13) [69] *Mar 16 22:34:15.711: NAT*: s=150.100.91.13->150.100.69.9, d=150.100.221.7 [69] *Mar 16 22:34:15.727: NAT*: o: icmp (150.100.221.7, 13) -> (150.100.69.9, 13) [69] *Mar 16 22:34:15.727: NAT*: s=150.100.221.7, d=150.100.69.9->150.100.91.13 [69] R9(config)# R9(config)#do sh ip nat tran Pro Inside global Inside local Outside local Outside global icmp 150.100.69.9:13 <http://150.100.69.9:13/> 150.100.91.13:13 <http://150.100.91.13:13/> 150.100.221.7:13 <http://150.100.221.7:13/> 150.100.221.7:13 <http://150.100.221.7:13/> ============================================================================ ============== from Cat ==4 Cat3560-4#ping 100.100.250.9 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 100.100.250.9, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms Cat3560-4#ping 150.100.12.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 150.100.12.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) Cat3560-4#ping 200.0.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) ================================== R9#debug ip nat detailed IP NAT detailed debugging is on R9# ================= Config for Cat3560-4# Cat3560-4# ! interface FastEthernet0/9 description R9 Fa0/1 switchport access vlan 2300 ! interface FastEthernet0/10 ! interface FastEthernet0/11 ! interface FastEthernet0/12 ! interface FastEthernet0/13 ! interface FastEthernet0/14 ! interface FastEthernet0/15 ! interface FastEthernet0/16 ! interface FastEthernet0/17 ! interface FastEthernet0/18 ! interface FastEthernet0/19 switchport mode dynamic desirable ! interface FastEthernet0/20 switchport mode dynamic desirable ! interface FastEthernet0/21 switchport mode dynamic desirable ! interface FastEthernet0/22 switchport mode dynamic desirable ! interface FastEthernet0/23 ! interface FastEthernet0/24 ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface Vlan1 no ip address ! interface Vlan300 ip address 100.100.250.14 255.255.255.0 ! ip default-gateway 100.100.250.9 ip classless ip http server ip http secure-server
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
