Re: Question About Local Policy Route-map + NAT (IE CoreLab

From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Mon Apr 17 2006 - 02:36:08 GMT-3


 Hi Jian,
I'm using the same scenario as Lin, and yes, the global IP address is
reachable

Rack1R2#ping 150.1.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Rack1R2#

Jian Gu wrote:

  This does not seem to be a complicated configuration, and it worked fine for
  me. I tested it on a 2600 running 12.3(12.10). Are you sure your loopback0
  network has been successfully advertised via OSPF? You did not include your
  CONNECTED->OSPF route-map configuration.
  
  On 4/15/06, Jung-I Lin <easyman.lin@gmail.com> wrote:

    Dear All,
    
    I have a question related to Local PBR + NAT.
    The scenario is like this:
    
    R5 has several interfaces participating in OSPF; the only exception is E1/0.
    The goal is for packets sourced from R5's E1/0 to reach the
    others and be correctly replied to.
    The restriction is that you can only use one "ip nat outside" command
    on an interface.
    
    So I use local policy route-map + NAT; part of the config is as follows:
    
    !
    interface Loopback0
    ip address 150.1.5.5 255.255.255.0
    ip nat outside
    !
    interface Ethernet0/0
    ip address 144.1.5.5 255.255.255.0
    half-duplex
    !
    interface Serial0/0
    no ip address
    encapsulation frame-relay
    clockrate 125000
    no fair-queue
    !
    interface Serial0/0.501 multipoint
    ip address 144.1.15.5 255.255.255.0
    ip ospf network point-to-point
    frame-relay map ip 144.1.15.1 501 broadcast
    !
    interface BRI0/0
    no ip address
    shutdown
    !
    interface Serial0/1
    ip unnumbered Ethernet0/0
    encapsulation ppp
    clockrate 64000
    !
    interface Ethernet1/0
    ip address 144.1.55.5 255.255.255.0
    ip nat inside
    half-duplex
    !
    router ospf 1
    log-adjacency-changes
    redistribute connected subnets route-map CONNECTED->OSPF
    network 144.1.5.5 0.0.0.0 area 0
    network 144.1.15.5 0.0.0.0 area 0
    !
    ip local policy route-map POLICY
    ip nat inside source list 1 interface Loopback0 overload
    access-list 1 permit 144.1.55.0 0.0.0.255
    access-list 100 permit ip host 144.1.55.5 any
    !
    route-map POLICY permit 10
    match ip address 100
    set interface Loopback0
    
    R5 is able to ping the other router when not sourcing from E1/0:
    Rack1R5#p 144.1.15.1
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 144.1.15.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms

    But if I source from E1/0, the ping is not OK.
    Rack1R5#ping 144.1.15.1 source Ethernet1/0
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 144.1.15.1, timeout is 2 seconds:
    Packet sent with a source address of 144.1.55.5
    .....
    Success rate is 0 percent (0/5)

    I used debug ip policy and debug ip nat, and this is the output:
    *Mar 1 19:11:01.599: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
    policy match
    *Mar 1 19:11:01.603: IP: route map POLICY, item 10, permit
    *Mar 1 19:11:01.603: IP: s=144.1.55.5 (local), d=144.1.15.1
    (Loopback0), len 100, policy routed
    *Mar 1 19:11:01.603: IP: local to Loopback0 144.1.15.1.
    *Mar 1 19:11:03.598: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
    policy match
    *Mar 1 19:11:03.598: IP: route map POLICY, item 10, permit
    *Mar 1 19:11:03.598: IP: s=144.1.55.5 (local), d=144.1.15.1
    (Loopback0), len 100, policy routed
    *Mar 1 19:11:03.598: IP: local to Loopback0 144.1.15.1
    *Mar 1 19:11:05.601: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
    policy match
    *Mar 1 19:11:05.601: IP: route map POLICY, item 10, permit
    *Mar 1 19:11:05.601: IP: s=144.1.55.5 (local), d=144.1.15.1
    (Loopback0), len 100, policy routed
    *Mar 1 19:11:05.601: IP: local to Loopback0 144.1.15.1.
    *Mar 1 19:11:07.604: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
    policy match
    *Mar 1 19:11:07.604: IP: route map POLICY, item 10, permit
    *Mar 1 19:11:07.604: IP: s=144.1.55.5 (local), d=144.1.15.1
    (Loopback0), len 100, policy routed
    *Mar 1 19:11:07.604: IP: local to Loopback0 144.1.15.1.
    *Mar 1 19:11:09.608: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
    policy match
    *Mar 1 19:11:09.608: IP: route map POLICY, item 10, permit
    *Mar 1 19:11:09.608: IP: s=144.1.55.5 (local), d=144.1.15.1
    (Loopback0), len 100, policy routed
    *Mar 1 19:11:09.608: IP: local to Loopback0 144.1.15.1.
    
    It seems that the Local PBR is fine, but the NAT did not work.
    Any comments?
    --
    Thanks
    Best Regards,
    
    Jung-I Lin
    
    _______________________________________________________________________
    Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html

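Added example, not part of the original thread: a small Python check over combined `debug ip policy` / `debug ip nat` output that lists locally policy-routed packets for which no NAT translation line follows, which is the symptom in the debug output quoted above. The `NAT: s=inside->global, d=...` line shape, the function names and the third sample packet are assumptions made for illustration.

```python
import re

STAMP = re.compile(r"^\*?\w{3}\s+\d+\s+(\d\d:\d\d:\d\d\.\d+): (.*)$")
ROUTED = re.compile(r"IP: s=([\d.]+) \(local\), d=([\d.]+) \(([\w/.]+)\), len \d+, policy routed")
# Assumed `debug ip nat` line shape for a translated source address.
NAT = re.compile(r"NAT\*?: s=([\d.]+)->([\d.]+), d=([\d.]+)")

def unwrap(text):
    """Rejoin debug records that the mail client wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line.strip())
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return records

def untranslated(text):
    """Return (time, src, dst, interface) for policy-routed packets with no NAT line."""
    pending = {}  # (src, dst) -> routed packets still waiting for a NAT line
    for stamp, msg in unwrap(text):
        r = ROUTED.search(msg)
        n = NAT.search(msg)
        if r:
            src, dst, intf = r.groups()
            pending.setdefault((src, dst), []).append((stamp, src, dst, intf))
        elif n and pending.get((n.group(1), n.group(3))):
            pending[(n.group(1), n.group(3))].pop(0)  # oldest routed packet was translated
    return sorted(e for q in pending.values() for e in q)

# Constructed sample: the first two packets are copied from the debug output above;
# the third packet and its NAT line are invented to show a working translation.
SAMPLE = """\
*Mar 1 19:11:01.599: IP: s=144.1.55.5 (local), d=144.1.15.1, len 100,
policy match
*Mar 1 19:11:01.603: IP: route map POLICY, item 10, permit
*Mar 1 19:11:01.603: IP: s=144.1.55.5 (local), d=144.1.15.1
(Loopback0), len 100, policy routed
*Mar 1 19:11:01.603: IP: local to Loopback0 144.1.15.1.
*Mar 1 19:11:03.598: IP: s=144.1.55.5 (local), d=144.1.15.1
(Loopback0), len 100, policy routed
*Mar 1 19:11:09.608: IP: s=144.1.55.5 (local), d=144.1.15.2
(Loopback0), len 100, policy routed
*Mar 1 19:11:09.610: NAT: s=144.1.55.5->150.1.5.5, d=144.1.15.2 [25]
"""

if __name__ == "__main__":
    for event in untranslated(SAMPLE):
        print("policy routed, no NAT line:", event)
```

The check assumes the NAT line for a packet is logged after its "policy routed" line, since inside-to-outside translation happens after the routing decision.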



This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:57 GMT-3