Tyson,

Yesterday after your email, I did a little bit of web searching on NAT on the Cisco web
site and I think you are right.

We should have the ip nat outside command on the Loopback 0 interface, and I was
not sure about this as it is a virtual interface.

I vaguely remember that when I did this lab 2 days back, I used ip
nat enable on lo0 instead of the ip nat outside command. This was the catch, as
IOS 12.4 with route map does not support ip nat enable.

Thank you very much for helping me to resolve this. This command is missing
in DSG but you corrected it. Thank you once again.



Nilesh




On Tue, Oct 26, 2010 at 8:50 AM, Tyson Scott <[email protected]> wrote:

>  Nilesh,
>
>
>
> I will try to follow this up tomorrow and check to see if this is a working
> configuration
>
>
>
> I am busy with class today but should have time tomorrow.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> Mailto: [email protected]
>
> Telephone: +1.810.326.1444, ext. 208
>
> Live Assistance, Please visit: www.ipexpert.com/chat
>
> eFax: +1.810.454.0130
>
>
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
>
>
> *From:* Nilesh Mehta [mailto:[email protected]]
> *Sent:* Monday, October 25, 2010 3:43 PM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_RS] Lab-17 Task =17.14
>
>
>
> Tyson,
>
>
>
> Actually I tried that, and even after putting the NAT statement on the Loopback 0
> interface it did not work. Also, the DSG has nothing about a NAT statement on
> Loopback 0. I think the NAT statement should be on physical interfaces or
> sub-interfaces only, but not on a virtual interface like a loopback. I am not sure
> whether this is true or not, but please let me know your opinion as I am just
> trying to understand this technology and am a little bit confused why it's not
> working. Do you see any problem with my config? One other thing I was not
> able to understand was that when I was trying to ping from CAT-4 to R1's loopback
> I was not able to see any debug output for NAT. I should be able to see
> something even though NAT is not occurring.
>
>
>
> Nilesh
>
> On Mon, Oct 25, 2010 at 11:48 AM, Tyson Scott <[email protected]> wrote:
>
> You are missing the NAT statement on the loopback interface.  Add
>
>
>
> ip nat outside
>
>
>
> on Loopback0
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Nilesh Mehta
> *Sent:* Monday, October 25, 2010 1:06 PM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_RS] Lab-17 Task =17.14
>
>
>
>
>
> Lab-17----- task=17.14
>
>
>
> In this task I put the route-map, access-list and NAT configuration on R9. I
> was able to see the NAT translation for the route map for fa0/0. It worked from
> Cat-3 for IP address 150.100.221.7 with the natted address of s0/2/0 and I was
> able to ping 150.100.221.7, but the other NAT configuration and route map did
> not work as per the DSG. Not sure what could be the problem, but I was never able
> to ping R1’s loopback interface or Vlan 150.100.12.1. Here are the config
> details for R9 and other debug output….
>
>
>
>
> ----------------------------------------------------------------------------------------------------------------------------------------------
>
>
>
> R9===
>
> R9#sh run
>
> Building configuration...
>
>
>
>
>
> Current configuration : 2644 bytes
>
> !
>
> version 12.4
>
> service timestamps debug datetime msec
>
> service timestamps log datetime msec
>
> service password-encryption
>
> !
>
> hostname R9
>
> !
>
> boot-start-marker
>
> warm-reboot
>
> boot-end-marker
>
> !
>
> logging message-counter syslog
>
> enable secret 5 $1$z5mW$66Jkln/9qUS4XwVkuEPON/
>
> !
>
> no aaa new-model
>
> memory-size iomem 10
>
> !
>
> dot11 syslog
>
> ip source-route
>
> !
>
> !
>
> ip cef
>
> !
>
> !
>
> no ip domain lookup
>
> ip domain name ipexpert.com
>
> no ipv6 cef
>
> !
>
> multilink bundle-name authenticated
>
>
>
> !
>
> voice-card 0
>
> !
>
> archive
>
>  log config
>
>   hidekeys
>
> !
>
> !
>
> interface Loopback0
>
>  ip address 200.0.0.9 255.255.255.255
>
> !
>
> interface FastEthernet0/0
>
>  ip address 100.100.250.9 255.255.255.0
>
>  ip nat inside
>
>  ip virtual-reassembly
>
>  duplex auto
>
>  speed auto
>
> !
>
> interface FastEthernet0/1
>
>  ip address 150.100.91.9 255.255.255.0
>
>  ip nat inside
>
>  ip virtual-reassembly
>
>  duplex auto
>
>  speed auto
>
> !
>
> interface Serial0/2/0
>
>  bandwidth 128
>
>  ip address 150.100.69.9 255.255.255.0
>
>  ip verify unicast source reachable-via rx
>
>  ip nat outside
>
>  ip virtual-reassembly
>
>  no fair-queue
>
> !
>
> interface Serial0/2/1
>
>  bandwidth 128
>
>  ip address 150.100.96.9 255.255.255.0
>
>  ip verify unicast source reachable-via rx
>
> !
>
> router ospf 1
>
>  log-adjacency-changes
>
>  network 0.0.0.0 255.255.255.255 area 0
>
> !
>
> ip forward-protocol nd
>
> ip http server
>
> no ip http secure-server
>
> !
>
> !
>
> ip nat inside source route-map r2 interface Loopback0 overload
>
> ip nat inside source route-map r5 interface Serial0/2/0 overload
>
> !
>
> access-list 101 permit ip 100.100.250.0 0.0.0.255 150.100.220.0 0.0.1.255
>
> access-list 101 permit ip 150.100.91.0 0.0.0.255 150.100.220.0 0.0.1.255
>
> access-list 101 permit ip 150.100.91.0 0.0.0.255 100.100.200.0 0.0.0.255
>
> access-list 101 permit ip 150.100.91.0 0.0.0.255 150.100.81.0 0.0.0.255
>
> access-list 101 permit ip 100.100.250.0 0.0.0.255 150.100.81.0 0.0.0.255
>
> access-list 101 permit ip 100.100.250.0 0.0.0.255 100.100.200.0 0.0.0.255
>
> access-list 102 permit ip 150.100.91.0 0.0.0.255 150.100.40.0 0.0.1.255
>
> access-list 102 permit ip 100.100.250.0 0.0.0.255 150.100.40.0 0.0.1.255
>
> access-list 102 permit ip 150.100.91.0 0.0.0.255 150.100.12.0 0.0.0.255
>
> access-list 102 permit ip 100.100.250.0 0.0.0.255 150.100.12.0 0.0.0.255
>
> access-list 102 permit ip 100.100.250.0 0.0.0.255 100.100.100.0 0.0.0.255
>
> access-list 102 permit ip 150.100.91.0 0.0.0.255 100.100.100.0 0.0.0.255
>
> !
>
> !
>
> !
>
> !
>
> route-map r2 permit 10
>
>  match ip address 102
>
> !
>
> route-map r5 permit 10
>
>  match ip address 101
>
> !
>
> !
>
> !
>
> control-plane
>
> !
>
>
>
> !
>
> line con 0
>
>  exec-timeout 0 0
>
>  logging synchronous
>
> line aux 0
>
> line vty 0 4
>
>  password 7 070C285F4D06
>
>  login
>
>  transport input telnet ssh
>
> !
>
> scheduler allocate 20000 1000
>
> end
>
> R9#
>
> R9#ping 150.100.12.1
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 150.100.12.1, timeout is 2 seconds:
>
> !!!!!
>
> Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms
>
>
>
>
>
> *When we try to ping from Cat-3 and Cat-4 ---debug output  *
>
> * *
>
> From cat -3
>
>
>
> Cat3560-3(config)#do ping 150.100.221.7
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 150.100.221.7, timeout is 2 seconds:
>
> !!!!!
>
> Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/17 ms
>
> Cat3560-3(config)#
>
> ================================================================
>
> R9(config)#
>
> *Mar 16 22:34:15.639: NAT: map match r5
>
> *Mar 16 22:34:15.639:  mapping pointer available mapping:0
>
> *Mar 16 22:34:15.639: NAT: [0] Allocated Port for 150.100.91.13 ->
> 150.100.69.9: wanted 13 got 13
>
> *Mar 16 22:34:15.639: NAT*: i: icmp (150.100.91.13, 13) -> (150.100.221.7,
> 13) [65]
>
> *Mar 16 22:34:15.639: NAT*: i: icmp (150.100.91.13, 13) -> (150.100.221.7,
> 13) [65]
>
> *Mar 16 22:34:15.639: NAT*: s=150.100.91.13->150.100.69.9, d=150.100.221.7
> [65]
>
> *Mar 16 22:34:15.655: NAT*: o: icmp (150.100.221.7, 13) -> (150.100.69.9,
> 13) [65]
>
> *Mar 16 22:34:15.655: NAT*: s=150.100.221.7, d=150.100.69.9->150.100.91.13
> [65]
>
> *Mar 16 22:34:15.659: NAT*: i: icmp (150.100.91.13, 13) -> (150.100.221.7,
> 13) [66]
>
> *Mar 16 22:34:15.659: NAT*: s=150.100.91.13->150.100.69.9, d=150.100.221.7
> [66]
>
> *Mar 16 22:34:15.671: NAT*: o: icmp (150.100.221.7, 13) -> (150.100.69.9,
> 13) [66]
>
> *Mar 16 22:34:15.671: NAT*: s=150.100.221.7, d=150.100.69.9->150.100.91.13
> [66]
>
> *Mar 16 22:34:15.675: NAT*: i: icmp (150.100.91.13
>
> R9(config)#, 13) -> (150.100.221.7, 13) [67]
>
> *Mar 16 22:34:15.675: NAT*: s=150.100.91.13->150.100.69.9, d=150.100.221.7
> [67]
>
> *Mar 16 22:34:15.687: NAT*: o: icmp (150.100.221.7, 13) -> (150.100.69.9,
> 13) [67]
>
> *Mar 16 22:34:15.687: NAT*: s=150.100.221.7, d=150.100.69.9->150.100.91.13
> [67]
>
> *Mar 16 22:34:15.691: NAT*: i: icmp (150.100.91.13, 13) -> (150.100.221.7,
> 13) [68]
>
> *Mar 16 22:34:15.695: NAT*: s=150.100.91.13->150.100.69.9, d=150.100.221.7
> [68]
>
> *Mar 16 22:34:15.707: NAT*: o: icmp (150.100.221.7, 13) -> (150.100.69.9,
> 13) [68]
>
> *Mar 16 22:34:15.707: NAT*: s=150.100.221.7, d=150.100.69.9->150.100.91.13
> [68]
>
> *Mar 16 22:34:15.711: NAT*: i: icmp (150.100.91.13, 13) -> (150.100.221.7,
> 13) [69]
>
> *Mar 16 22:34:15.711: NAT*: s=150.100.91.13->150.100.69.9, d=150.100.221.7
> [69]
>
> *Mar 16 22:34:15.727: NAT*: o: icmp (150.100.221.7, 13) -> (150.100.69.9,
> 13) [69]
>
> *Mar 16 22:34:15.727: NAT*: s=150.100.221.7, d=150.100.69.9->150.100.91.13
> [69]
>
> R9(config)#
>
> R9(config)#do sh ip nat tran
>
> Pro Inside global      Inside local       Outside local      Outside global
>
> icmp 150.100.69.9:13   150.100.91.13:13   150.100.221.7:13
> 150.100.221.7:13
>
>
> ==========================================================================================
>
> *from Cat ==4*
>
> * *
>
> *Cat3560-4#ping 100.100.250.9*
>
> * *
>
> *Type escape sequence to abort.*
>
> *Sending 5, 100-byte ICMP Echos to 100.100.250.9, timeout is 2 seconds:*
>
> *!!!!!*
>
> *Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms*
>
> *Cat3560-4#ping 150.100.12.1*
>
> * *
>
> *Type escape sequence to abort.*
>
> *Sending 5, 100-byte ICMP Echos to 150.100.12.1, timeout is 2 seconds:*
>
> *.....*
>
> *Success rate is 0 percent (0/5)*
>
>
>
> Cat3560-4#ping 200.0.0.1
>
>
>
> Type escape sequence to abort.
>
> Sending 5, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
>
> .....
>
> Success rate is 0 percent (0/5)
>
> ==================================
>
>
>
> *R9#debug ip nat detailed*
>
> *IP NAT detailed debugging is on*
>
> *R9#*
>
> =================
>
> Config for Cat3560-4#
>
>
>
> Cat3560-4#
>
>
>
> !
>
> interface FastEthernet0/9
>
>  description R9 Fa0/1
>
>  switchport access vlan 2300
>
> !
>
> interface FastEthernet0/10
>
> !
>
> interface FastEthernet0/11
>
> !
>
> interface FastEthernet0/12
>
> !
>
> interface FastEthernet0/13
>
> !
>
> interface FastEthernet0/14
>
> !
>
> interface FastEthernet0/15
>
> !
>
> interface FastEthernet0/16
>
> !
>
> interface FastEthernet0/17
>
> !
>
> interface FastEthernet0/18
>
> !
>
> interface FastEthernet0/19
>
>  switchport mode dynamic desirable
>
> !
>
> interface FastEthernet0/20
>
>  switchport mode dynamic desirable
>
> !
>
> interface FastEthernet0/21
>
>  switchport mode dynamic desirable
>
> !
>
> interface FastEthernet0/22
>
>  switchport mode dynamic desirable
>
> !
>
> interface FastEthernet0/23
>
> !
>
> interface FastEthernet0/24
>
> !
>
> interface GigabitEthernet0/1
>
> !
>
> interface GigabitEthernet0/2
>
> !
>
> interface Vlan1
>
>  no ip address
>
> !
>
> interface Vlan300
>
>  ip address 100.100.250.14 255.255.255.0
>
> !
>
> ip default-gateway 100.100.250.9
>
> ip classless
>
> ip http server
>
> ip http secure-server
>
>
>
>
>
>
>
>
>
>
>
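An offline check for the condition discussed in this thread, added here as an example and not part of any of the original messages: it lists every `ip nat inside source ... interface X overload` rule whose interface X carries no `ip nat outside`, which is what Tyson's reply points at for Loopback0. The config text is a constructed excerpt of the R9 configuration posted above, and the function names are hypothetical.

```python
import re

# Constructed excerpt of the R9 configuration posted in this thread.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 200.0.0.9 255.255.255.255
!
interface FastEthernet0/0
 ip address 100.100.250.9 255.255.255.0
 ip nat inside
!
interface Serial0/2/0
 ip address 150.100.69.9 255.255.255.0
 ip nat outside
!
ip nat inside source route-map r2 interface Loopback0 overload
ip nat inside source route-map r5 interface Serial0/2/0 overload
"""

# Matches interface-overload rules keyed by a route-map or an access list.
NAT_RULE = re.compile(
    r"^ip nat inside source (?:route-map|list) (\S+) interface (\S+)")


def nat_roles(config):
    """Map interface name -> set of NAT roles ('inside', 'outside', 'enable')."""
    roles, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            roles[current] = set()
        elif not line.startswith(" "):
            current = None  # any unindented line ends the interface block
        elif current and line.strip().startswith("ip nat "):
            roles[current].add(line.split()[2])
    return roles


def overload_without_outside(config):
    """Return (map_name, interface) for rules whose interface lacks 'ip nat outside'."""
    roles = nat_roles(config)
    findings = []
    for line in config.splitlines():
        m = NAT_RULE.match(line)
        if m and "outside" not in roles.get(m.group(2), set()):
            findings.append((m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for name, ifname in overload_without_outside(SAMPLE_CONFIG):
        print(f"rule {name}: {ifname} has no 'ip nat outside'")
```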