You can tell your customers the VPN purpose isn't ICMP but some other important things, as long as they work, they should stop "checking" and start to work! Just kidding...
-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Andy Saykao
Sent: Tuesday, August 25, 2009 5:36 AM
To: Ivan Pepelnjak; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NAT-ON-A-STICK for VRF Traffic

I've been able to get this working using NVI but I'm finding the traceroute is a bit strange. It times out after the Internet GW interface (202.45.118.x) which is on NAT-PE. When I go back to using nat inside/outside interfaces, the traceroute goes through fine. Any ideas why a NVI would not give a full traceroute of all the hops. Internet connectivity is fine so can't complain but don't want VPN customers asking why the traceroute isn't showing properly.

My topology is like this:

CE1 --10.15.99.4/30--> PE1 -> P --202.45.118.x/30--> NAT-PE <--10.15.99.8/30-- CE2

From CE1 side:

C:\Documents and Settings\Andy>tracert www.google.com

Tracing route to www.l.google.com [66.102.11.99]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.2.1
  2    23 ms    21 ms    20 ms  10.15.99.5
  3    19 ms    18 ms    20 ms  202.45.118.x
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.

From CE2 (directly connected to NAT-PE):

C:\Users\sysadmin>tracert www.yahoo.com

Tracing route to www-real.wa1.b.yahoo.com [209.131.36.158]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.15.99.9
  2    <1 ms    <1 ms    <1 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  3     1 ms    <1 ms    <1 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  4    12 ms    12 ms    12 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  5    12 ms    13 ms    12 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  6     *        *        *     Request timed out.
  7    12 ms    12 ms    12 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  8   172 ms   172 ms   172 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  9   173 ms   172 ms   172 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
 10   173 ms   173 ms   173 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
 11   173 ms   173 ms   173 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
 12   173 ms   174 ms   173 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]

Trace complete.

Not sure why all the hops don't show up when I do a traceroute from either CE's????

Thanks.

Andy

-----Original Message-----
From: Ivan Pepelnjak [mailto:i...@ioshints.info]
Sent: Monday, 17 August 2009 11:42 PM
To: Andy Saykao; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] NAT-ON-A-STICK for VRF Traffic

It's probably easier to use the NAT Virtual Interface ("ip nat enable" instead of "ip nat inside|outside") in a VRF environment. You also don't need NAT-on-a-stick with NVI.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Andy Saykao [mailto:andy.say...@staff.netspace.net.au]
> Sent: Monday, August 17, 2009 2:59 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] NAT-ON-A-STICK for VRF Traffic
>
> I want to set up a NAT-PE Internet Gateway and NAT vrf traffic using
> NAT-ON-A-STICK. Is this possible?
>
> Easy enough to do when it's IP traffic using policy-based routing as
> per this article:
>
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
>
> Just wondering how you would apply the article in relation to when the
> traffic is MPLS/VRF based.
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/