Chris, I don't see an access-list where you are permitting your traffic. You are referencing 1 with no "access-list 1 permit X.X.X.X".
Maybe that might help?

Thank you,
Chris

Christopher Lemish, CCNP/MCSE
Network Engineer
CDW
260 Industrial Way West
Eatontown, NJ 07724
Mobile: (646) 276-3466
Email: [email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Sunday, January 08, 2012 2:38 PM
To: [email protected]
Subject: [OSL | CCIE_RS] The Strangest NAT Mechanic I've Ever Seen

In one moment NAT seems like the simplest and easiest technology in the world. The next, it seems so confusing and complicated that when it works it's like it's magic.

I've been trying to remove my confusion on NAT today by trying to recreate behavior that I don't understand and then trying to figure out the logic behind it. Among other oddities I've hit upon, I found something that was completely unexpected; the router seems to be editing its own running-config based on what traffic is going through it.

I've got a topology that looks like this:

R1 >---R2---R3 R2

- R2 is the device doing all the NAT. To the left of R2 is my NAT inside while to the right is my NAT outside.
- I have a static NAT for R1 to inside global 1.1.1.1.
- I have a dynamic NAT for R2 to inside globals 1.1.1.0/24 including 1.1.1.1.

I wanted to see what would happen when you overlap outside global IPs available to static NAT versus dynamic NAT. I'm used to NAT on ASAs where the ASA gives the static absolute precedence and it just works.

Bear with me through this output that I have not edited or summarized at all, except to add notes prepended with "!---":

R2(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 1.1.1.3            10.0.12.1          ---                ---
R2(config)#do sh run | in nat
ip nat inside
ip nat outside
ip nat inside
ip nat translation icmp-timeout 600
ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
ip nat inside source list 1 pool POOL
!-- We have our static NAT command here:
ip nat inside source static 10.0.12.1 1.1.1.3
R2(config)#
R2(config)#
!-- Here I start pinging from R4 (10.0.24.9) to 10.0.23.3 (R3). R2 translates 10.0.24.9 to 1.1.1.1.
*Jan 8 13:06:04.251: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [65]
*Jan 8 13:06:04.271: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [65]
*Jan 8 13:06:04.279: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [66]
*Jan 8 13:06:04.283: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [66]
*Jan 8 13:06:04.287: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [67]
*Jan 8 13:06:04.291: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [67]
*Jan 8 13:06:04.295: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [68]
*Jan 8 13:06:04.303: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [68]
*Jan 8 13:06:04.307: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [69]
*Jan 8 13:06:04.311: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [69]
R2(config)#
!-- I changed R3's IP to 10.0.24.10 so that it would force a new dynamic NAT translation. I ping from R4 (10.0.24.10) to 10.0.23.3 (R3). R2 translates 10.0.24.10 to 1.1.1.3, which overlaps with my static NAT.
*Jan 8 13:06:18.363: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [70]
*Jan 8 13:06:18.371: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [70]
*Jan 8 13:06:18.375: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [71]
*Jan 8 13:06:18.379: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [71]
*Jan 8 13:06:18.383: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [72]
*Jan 8 13:06:18.391: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [72]
*Jan 8 13:06:18.395: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [73]
*Jan 8 13:06:18.399: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [73]
*Jan 8 13:06:18.403: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [74]
*Jan 8 13:06:18.407: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [74]
!-- Amazingly, R2 seems to have dynamically removed my running-config command that has the static NAT? (ip nat inside source static 10.0.12.1 1.1.1.3)
R2(config)#do sh run | in nat
ip nat inside
ip nat outside
ip nat inside
ip nat translation icmp-timeout 600
ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
ip nat inside source list 1 pool POOL
!-- NAT translation table shows the overlapping entries, including the static NAT that is no longer in my config.
R2(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 1.1.1.3            10.0.12.1          ---                ---                !-- HERE
icmp 1.1.1.1:13        10.0.24.9:13       10.0.23.3:13       10.0.23.3:13
--- 1.1.1.1            10.0.24.9          ---                ---
icmp 1.1.1.3:14        10.0.24.10:14      10.0.23.3:14       10.0.23.3:14
--- 1.1.1.3            10.0.24.10         ---                ---                !-- AND HERE
R2(config)#do clear ip nat trans *
!-- Kill the dynamic NAT entry we caused to overlap with our static NAT entry, and the router re-adds the static NAT config? !?!?
R2(config)#do sh run | in nat
ip nat inside
ip nat outside
ip nat inside
ip nat translation icmp-timeout 600
ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
ip nat inside source list 1 pool POOL
ip nat inside source static 10.0.12.1 1.1.1.3
R2(config)#do sh ver | in 12.4
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)
R2(config)#

I'm dumbfounded. I thought originally that I had some sort of typo in the above output that would explain why the command seemed to go away, but I'm just not finding one. I'm not used to the router changing its running config based on traffic that goes through it.

Can anyone shed any light on this? Tell me it's a typo somewhere or something simple that I overlooked so that I can retreat back to my comfortable understanding that the router doesn't edit its own config.

Thanks.
-Chris

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
http://onlinestudylist.com/mailman/listinfo/ccie_rs
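An added check, not part of the thread and not Cisco's code, that parses the R2 output quoted above: it flags a static inside-global that falls inside a dynamic pool (the overlap that triggered the behaviour in the original post), a "source list" that references an access-list the config never defines (the point raised in the reply), and any inside-global address the translation table maps to more than one inside-local. The two sample strings are constructed from the quoted output; the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input, copied from the R2 output quoted in the thread.
R2_NAT_CONFIG = """\
ip nat translation icmp-timeout 600
ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
ip nat inside source list 1 pool POOL
ip nat inside source static 10.0.12.1 1.1.1.3
"""
R2_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 1.1.1.3            10.0.12.1          ---                ---
icmp 1.1.1.1:13        10.0.24.9:13       10.0.23.3:13       10.0.23.3:13
--- 1.1.1.1            10.0.24.9          ---                ---
icmp 1.1.1.3:14        10.0.24.10:14      10.0.23.3:14       10.0.23.3:14
--- 1.1.1.3            10.0.24.10         ---                ---
"""

def audit_nat_config(config):
    """Flag static inside-globals that fall inside a dynamic pool, and
    'source list N' references with no matching access-list definition."""
    pools, statics, referenced, defined = {}, [], set(), set()
    for line in config.splitlines():
        if m := re.match(r"ip nat pool (\S+) (\S+) (\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
            statics.append((m[1], ipaddress.ip_address(m[2])))
        elif m := re.match(r"ip nat inside source list (\S+) pool", line):
            referenced.add(m[1])
        elif m := re.match(r"(?:ip access-list \S+ |access-list )(\S+)", line):
            defined.add(m[1])
    findings = []
    for local, glob in statics:
        for name, (lo, hi) in pools.items():
            if lo <= glob <= hi:  # the overlap that produced the behaviour in the thread
                findings.append(f"static {local}->{glob} lies inside pool {name} {lo}-{hi}")
    for acl in sorted(referenced - defined):
        findings.append(f"source list {acl} has no access-list {acl} defined")
    return findings

def find_global_collisions(table):
    """Inside-global IPs mapped to more than one inside-local (a static/dynamic clash)."""
    locals_by_global = defaultdict(set)
    for line in table.splitlines()[1:]:  # skip the column header
        cols = line.split()
        if len(cols) >= 3:
            locals_by_global[cols[1].split(":")[0]].add(cols[2].split(":")[0])
    return {g: sorted(l) for g, l in locals_by_global.items() if len(l) > 1}
```

Running both functions over the quoted output reports the static 1.1.1.3 sitting inside POOL, the undefined access-list 1, and 1.1.1.3 mapped to both 10.0.12.1 and 10.0.24.10.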
