In one moment NAT seems like the simplest and easiest technology in the
world.  The next, it seems so confusing and complicated that when it works
it's like it's magic.  I've been trying to remove my confusion on NAT
today by trying to recreate behavior that I don't understand and then
trying to figure out the logic behind it.  Among other oddities I've hit
upon, I found something that was completely unexpected; the router seems
to be editing its own running-config based on what traffic is going
through it.

I've got a topology that looks like this:
R1
    >---R2---R3
R2

-R2 is the device doing all the NAT.  To the left of R2 is my NAT inside
while to the right is my NAT outside.
-I have a static NAT for R1 to inside global 1.1.1.1.
-I have a dynamic NAT for R2 to inside globals 1.1.1.0/24 including
1.1.1.1.  I wanted to see what would happen when you overlap outside
global IPs available to static NAT versus dynamic NAT.  I'm used to NAT on
ASAs where the ASA gives the static absolute precedence and it just works.

Bear with me through this output that I have not edited or summarized at
all, except to add notes prepended with "!---":

R2(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 1.1.1.3            10.0.12.1          ---                ---
R2(config)#do sh run | in nat
 ip nat inside
 ip nat outside
 ip nat inside
ip nat translation icmp-timeout 600
ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
ip nat inside source list 1 pool POOL
!-- We have our static NAT command here:
ip nat inside source static 10.0.12.1 1.1.1.3
R2(config)#
R2(config)#
!-- Here I start pinging from R4 (10.0.24.9) to 10.0.23.3 (R3).  R2
translates 10.0.24.9 to 1.1.1.1.
*Jan  8 13:06:04.251: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [65]
*Jan  8 13:06:04.271: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [65]
*Jan  8 13:06:04.279: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [66]
*Jan  8 13:06:04.283: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [66]
*Jan  8 13:06:04.287: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [67]
*Jan  8 13:06:04.291: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [67]
*Jan  8 13:06:04.295: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [68]
*Jan  8 13:06:04.303: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [68]
*Jan  8 13:06:04.307: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [69]
*Jan  8 13:06:04.311: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [69]
R2(config)#
!-- I changed R3's IP to 10.0.24.10 so that it would force a new dynamic
NAT translation.  I ping from R4 (10.0.24.10) to 10.0.23.3 (R3).  R2
translates 10.0.24.10 to 1.1.1.3, which overlaps with my static NAT.
*Jan  8 13:06:18.363: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [70]
*Jan  8 13:06:18.371: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [70]
*Jan  8 13:06:18.375: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [71]
*Jan  8 13:06:18.379: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [71]
*Jan  8 13:06:18.383: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [72]
*Jan  8 13:06:18.391: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [72]
*Jan  8 13:06:18.395: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [73]
*Jan  8 13:06:18.399: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [73]
*Jan  8 13:06:18.403: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [74]
*Jan  8 13:06:18.407: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [74]
!-- Amazingly, R2 seems to have dynamically removed my running-config
command that has the static nat? (ip nat inside source static 10.0.12.1
1.1.1.3)
R2(config)#do sh run | in nat
 ip nat inside
 ip nat outside
 ip nat inside
ip nat translation icmp-timeout 600
ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
ip nat inside source list 1 pool POOL
!-- NAT translation table shows the overlapping entries, including the
static NAT that is no longer in my config.
R2(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 1.1.1.3            10.0.12.1          ---                --- !-- HERE
icmp 1.1.1.1:13        10.0.24.9:13       10.0.23.3:13       10.0.23.3:13
--- 1.1.1.1            10.0.24.9          ---                ---
icmp 1.1.1.3:14        10.0.24.10:14      10.0.23.3:14       10.0.23.3:14
--- 1.1.1.3            10.0.24.10         ---                --- !-- AND HERE
R2(config)#do clear ip nat trans *
!-- Kill the dynamic NAT entry we caused to overlap with our static NAT
entry, and the router re-adds the static NAT config?  !?!?
R2(config)#do sh run | in nat
 ip nat inside
 ip nat outside
 ip nat inside
ip nat translation icmp-timeout 600
ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
ip nat inside source list 1 pool POOL
ip nat inside source static 10.0.12.1 1.1.1.3
R2(config)#do sh ver | in 12.4
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version
12.4(24)T6, RELEASE SOFTWARE (fc2)
R2(config)#

I'm dumbfounded.  I thought originally that I had some sort of typo in the
above output that would explain why the command seemed to go away, but I'm
just not finding one.  I'm not used to the router changing its running
config based on traffic that goes through it.  Can anyone shed any light
on this?

Tell me it's a typo somewhere or something simple that I overlooked so
that I can retreat back to my comfortable understanding that the router
doesn't edit its own config.

Thanks.

-Chris
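The overlap Chris describes (a static inside-global address that also lies inside the dynamic pool's range) is easy to catch before it bites. The following Python script is an added example, not part of the original post and not a Cisco tool; it parses the `ip nat pool` and `ip nat inside source static` lines from a running-config and the `show ip nat translations` table (sample input constructed from the output above) and reports static globals that fall inside a pool range, plus inside-global addresses currently bound to more than one inside-local. The function names are the example's own.

```python
"""Check Cisco IOS NAT config and translation table for overlapping
inside-global addresses.  Added example, not from the original post.

Two checks:
  1. Config: does any static inside-global address fall inside a dynamic
     pool range?  In the post, static 1.1.1.3 sits inside POOL
     1.1.1.1-1.1.1.254.
  2. Translation table: is any inside-global address currently bound to
     more than one inside-local address?
"""
import ipaddress
import re

# Sample input constructed from the post's captures (not captured live here).
RUNNING_CONFIG = """\
ip nat translation icmp-timeout 600
ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
ip nat inside source list 1 pool POOL
ip nat inside source static 10.0.12.1 1.1.1.3
"""

TRANSLATION_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 1.1.1.3            10.0.12.1          ---                ---
icmp 1.1.1.1:13        10.0.24.9:13       10.0.23.3:13       10.0.23.3:13
--- 1.1.1.1            10.0.24.9          ---                ---
icmp 1.1.1.3:14        10.0.24.10:14      10.0.23.3:14       10.0.23.3:14
--- 1.1.1.3            10.0.24.10         ---                ---
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)")


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip nat pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            name, first, last = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools


def parse_statics(config):
    """Return [(inside_local, inside_global)] from one-to-one static NAT lines."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            local, glob = m.groups()
            statics.append((ipaddress.ip_address(local), ipaddress.ip_address(glob)))
    return statics


def static_pool_overlaps(config):
    """List (static_global, pool_name) pairs where a static global lies in a pool range."""
    pools = parse_pools(config)
    overlaps = []
    for _local, glob in parse_statics(config):
        for name, (first, last) in pools.items():
            if first <= glob <= last:
                overlaps.append((str(glob), name))
    return overlaps


def parse_translations(table):
    """Return [(proto, inside_global_ip, inside_local_ip)] from 'show ip nat translations'.

    Port / ICMP-id suffixes (1.1.1.1:13) are stripped so that the one-to-one
    row and its per-flow rows are compared on the address alone."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Pro":
            continue
        proto, inside_global, inside_local = parts[0], parts[1], parts[2]
        rows.append((proto, inside_global.split(":")[0], inside_local.split(":")[0]))
    return rows


def conflicting_globals(table):
    """Return {inside_global: sorted inside_locals} for globals bound to more than one local."""
    bound = {}
    for _proto, inside_global, inside_local in parse_translations(table):
        bound.setdefault(inside_global, set()).add(inside_local)
    return {g: sorted(locals_) for g, locals_ in bound.items() if len(locals_) > 1}


if __name__ == "__main__":
    for glob, pool in static_pool_overlaps(RUNNING_CONFIG):
        print(f"static inside-global {glob} lies inside dynamic pool {pool}")
    for glob, locals_ in conflicting_globals(TRANSLATION_TABLE).items():
        print(f"inside-global {glob} is bound to multiple inside-locals: {locals_}")
```

Run against a real device by pasting the `show run | in nat` and `show ip nat translations` output into the two strings. The config check is the one to run before deploying: a static inside-global that is also in a pool range is a configuration the pool will eventually hand out, so either exclude it from the pool range or choose a static address outside it.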


http://onlinestudylist.com/mailman/listinfo/ccie_rs