It's there.

R2#sh run | in access-list
access-list 1 permit any

For completeness' sake:
R1's config: http://dl.dropbox.com/u/5911499/2012-01-04%20NAT%20Editing%20Running-Config/configs/R1.cfg
R2's config: http://dl.dropbox.com/u/5911499/2012-01-04%20NAT%20Editing%20Running-Config/configs/R2.cfg
R3's config: http://dl.dropbox.com/u/5911499/2012-01-04%20NAT%20Editing%20Running-Config/configs/R3.cfg
R4's config: http://dl.dropbox.com/u/5911499/2012-01-04%20NAT%20Editing%20Running-Config/configs/R4.cfg
topology.net: http://dl.dropbox.com/u/5911499/2012-01-04%20NAT%20Editing%20Running-Config/topology.net

-Chris

> Chris,
>
> I don't see an access-list where you are permitting your traffic. You are
> referencing 1 with no "access-list 1 permit X.X.X.X"
>
> Maybe that might help?
>
> Thank you,
> Chris
>
> Christopher Lemish, CCNP/MCSE
> Network Engineer
> CDW
> 260 Industrial Way West
> Eatontown, NJ 07724
> Mobile: (646) 276-3466
> Email: [email protected]
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Sunday, January 08, 2012 2:38 PM
> To: [email protected]
> Subject: [OSL | CCIE_RS] The Strangest NAT Mechanic I've Ever Seen
>
> In one moment NAT seems like the simplest and easiest technology in the
> world. The next, it seems so confusing and complicated that when it works
> it's like it's magic. I've been trying to remove my confusion on NAT
> today by trying to recreate behavior that I don't understand and then
> trying to figure out the logic behind it. Among other oddities I've hit
> upon, I found something that was completely unexpected; the router seems
> to be editing its own running-config based on what traffic is going
> through it.
>
> I've got a topology that looks like this:
> R1
>    >---R2---R3
> R2
>
> -R2 is the device doing all the NAT. To the left of R2 is my NAT inside
> while to the right is my NAT outside.
> -I have a static NAT for R1 to inside global 1.1.1.1.
> -I have a dynamic NAT for R2 to inside globals 1.1.1.0/24 including
> 1.1.1.1. I wanted to see what would happen when you overlap outside
> global IPs available to static NAT versus dynamic NAT. I'm used to NAT on
> ASAs where the ASA gives the static absolute precedence and it just works.
>
> Bear with me through this output that I have not edited or summarized at
> all, except to add notes prepended with "!---":
>
> R2(config)#do sh ip nat trans
> Pro Inside global      Inside local       Outside local      Outside global
> --- 1.1.1.3            10.0.12.1          ---                ---
> R2(config)#do sh run | in nat
> ip nat inside
> ip nat outside
> ip nat inside
> ip nat translation icmp-timeout 600
> ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
> ip nat inside source list 1 pool POOL
> !-- We have our static NAT command here:
> ip nat inside source static 10.0.12.1 1.1.1.3
> R2(config)#
> R2(config)#
> !-- Here I start pinging from R4 (10.0.24.9) to 10.0.23.3 (R3). R2
> translates 10.0.24.9 to 1.1.1.1.
> *Jan 8 13:06:04.251: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [65]
> *Jan 8 13:06:04.271: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [65]
> *Jan 8 13:06:04.279: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [66]
> *Jan 8 13:06:04.283: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [66]
> *Jan 8 13:06:04.287: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [67]
> *Jan 8 13:06:04.291: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [67]
> *Jan 8 13:06:04.295: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [68]
> *Jan 8 13:06:04.303: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [68]
> *Jan 8 13:06:04.307: NAT*: s=10.0.24.9->1.1.1.1, d=10.0.23.3 [69]
> *Jan 8 13:06:04.311: NAT*: s=10.0.23.3, d=1.1.1.1->10.0.24.9 [69]
> R2(config)#
> !-- I changed R3's IP to 10.0.24.10 so that it would force a new dynamic
> NAT translation. I ping from R4 (10.0.24.10) to 10.0.23.3 (R3). R2
> translates 10.0.24.10 to 1.1.1.3, which overlaps with my static NAT.
> *Jan 8 13:06:18.363: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [70]
> *Jan 8 13:06:18.371: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [70]
> *Jan 8 13:06:18.375: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [71]
> *Jan 8 13:06:18.379: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [71]
> *Jan 8 13:06:18.383: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [72]
> *Jan 8 13:06:18.391: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [72]
> *Jan 8 13:06:18.395: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [73]
> *Jan 8 13:06:18.399: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [73]
> *Jan 8 13:06:18.403: NAT*: s=10.0.24.10->1.1.1.3, d=10.0.23.3 [74]
> *Jan 8 13:06:18.407: NAT*: s=10.0.23.3, d=1.1.1.3->10.0.24.10 [74]
> !-- Amazingly, R2 seems to have dynamically removed my running-config
> command that has the static nat? (ip nat inside source static 10.0.12.1
> 1.1.1.3)
> R2(config)#do sh run | in nat
> ip nat inside
> ip nat outside
> ip nat inside
> ip nat translation icmp-timeout 600
> ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
> ip nat inside source list 1 pool POOL
> !-- NAT translation table shows the overlapping entries, including the
> static NAT that is no longer in my config.
> R2(config)#do sh ip nat trans
> Pro Inside global      Inside local       Outside local      Outside global
> --- 1.1.1.3            10.0.12.1          ---                ---            !-- HERE
> icmp 1.1.1.1:13        10.0.24.9:13       10.0.23.3:13       10.0.23.3:13
> --- 1.1.1.1            10.0.24.9          ---                ---
> icmp 1.1.1.3:14        10.0.24.10:14      10.0.23.3:14       10.0.23.3:14
> --- 1.1.1.3            10.0.24.10         ---                ---            !-- AND HERE
> R2(config)#do clear ip nat trans *
> !-- Kill the dynamic NAT entry we caused to overlap with our static NAT
> entry, and the router re-adds the static nat config? !?!?
> R2(config)#do sh run | in nat
> ip nat inside
> ip nat outside
> ip nat inside
> ip nat translation icmp-timeout 600
> ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
> ip nat inside source list 1 pool POOL
> ip nat inside source static 10.0.12.1 1.1.1.3
> R2(config)#do sh ver | in 12.4
> Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)
> R2(config)#
>
> I'm dumbfounded. I thought originally that I had some sort of typo in the
> above output that would explain why the command seemed to go away, but I'm
> just not finding one. I'm not used to the router changing its running
> config based on traffic that goes through it. Can anyone shed any light
> on this?
>
> Tell me it's a typo somewhere or something simple that I overlooked so
> that I can retreat back to my comfortable understanding that the router
> doesn't edit its own config.
>
> Thanks.
>
> -Chris
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
> http://onlinestudylist.com/mailman/listinfo/ccie_rs
> _______________________________________________
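An added example, not from the thread or from Cisco: a small Python audit that parses the "show ip nat translations" and "show run | in nat" text quoted above (sample text constructed from R2's output) and flags an inside-global address that a static mapping and a dynamic pool both claim, which is the overlap that made the static entry disappear from R2's running-config while the pool translation was alive.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed from the thread's "show ip nat translations" output after the overlap.
SAMPLE_XLATE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 1.1.1.3            10.0.12.1          ---                ---
icmp 1.1.1.1:13        10.0.24.9:13       10.0.23.3:13       10.0.23.3:13
--- 1.1.1.1            10.0.24.9          ---                ---
icmp 1.1.1.3:14        10.0.24.10:14      10.0.23.3:14       10.0.23.3:14
--- 1.1.1.3            10.0.24.10         ---                ---
"""
# Constructed from R2's "show run | in nat" lines in the thread.
SAMPLE_CONFIG = """\
ip nat pool POOL 1.1.1.1 1.1.1.254 prefix-length 24
ip nat inside source list 1 pool POOL
ip nat inside source static 10.0.12.1 1.1.1.3
"""
POOL_RE = re.compile(r"^ip nat pool \S+ (\S+) (\S+)")
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)")

def find_overlaps(xlate_text):
    """Inside-global addresses claimed by more than one inside-local host."""
    # Only address-level entries (protocol column '---') count; the icmp/tcp/udp
    # rows are per-flow children of those entries.
    users = defaultdict(set)
    for line in xlate_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "---":
            users[parts[1]].add(parts[2])
    return {g: sorted(hosts) for g, hosts in users.items() if len(hosts) > 1}

def pool_conflicts(pool_start, pool_end, statics):
    """Static inside-global addresses that fall inside a dynamic pool range."""
    lo = int(ipaddress.IPv4Address(pool_start))
    hi = int(ipaddress.IPv4Address(pool_end))
    return [ip for ip in statics if lo <= int(ipaddress.IPv4Address(ip)) <= hi]

def audit_config(config_text):
    """Static globals overlapping any 'ip nat pool' range; an empty list is the healthy state."""
    pools, statics = [], []
    for line in config_text.splitlines():
        if m := POOL_RE.match(line):
            pools.append((m.group(1), m.group(2)))
        elif m := STATIC_RE.match(line):
            statics.append(m.group(2))
    return [ip for start, end in pools for ip in pool_conflicts(start, end, statics)]
```

Running audit_config against a router's NAT configuration before traffic flows catches the pool/static overlap at review time, while find_overlaps applied to the translation table shows the same conflict once it has already happened.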
