2/05/2009

It was the IOS!

It was the IOS!!!!!
I had been using c3640-jk9o3s-mz.124-16.bin. Changed it to c3640-i-mz.122-46.bin
and that was it: return ICMP echo-reply packets got NATed back.
Hmmm, I thought they use the 12.4 version IOS in the exam lab - yikes!

*Mar 1 00:33:08.795: IP: tableid=0, s=10.1.1.3 (Ethernet0/0), d=201.114.37.5 (Serial1/0), routed via RIB
*Mar 1 00:33:08.795: NAT: i: icmp (10.1.1.3, 2) -> (201.114.37.5, 2) [2]
*Mar 1 00:33:08.799: NAT: s=10.1.1.3->204.15.86.3, d=201.114.37.5 [2]
*Mar 1 00:33:08.803: IP: s=204.15.86.3 (Ethernet0/0), d=201.114.37.5 (Serial1/0), g=199.100.35.253, len 100, forward
*Mar 1 00:33:08.803: ICMP type=8, code=0
*Mar 1 00:33:08.959: NAT: o: icmp (201.114.37.5, 2) -> (204.15.86.3, 2) [2]
*Mar 1 00:33:08.959: NAT: s=201.114.37.5->10.1.3.1, d=204.15.86.3 [2]
*Mar 1 00:33:08.963: NAT: s=10.1.3.1, d=204.15.86.3->10.1.1.3 [2]
*Mar 1 00:33:08.967: IP: tableid=0, s=10.1.3.1 (Serial1/0), d=10.1.1.3 (Ethernet0/0), routed via RIB
*Mar 1 00:33:08.967: IP: s=10.1.3.1 (Serial1/0), d=10.1.1.3 (Ethernet0/0), g=10.1.1.3, len 100, forward
*Mar 1 00:33:08.971: ICMP type=0, code=0


-a.c

2/02/2009

Lost in translation - Help!!!

Matzalan#sh ip nat translations
1 Pro  Inside global    Inside local    Outside local     Outside global
2 ---  ---              ---             10.1.3.1          201.114.37.5
3 ---  ---              ---             10.1.3.2          201.114.37.1
4 icmp 204.15.87.1:39   10.1.1.3:39     201.114.37.5:39   201.114.37.5:39
5 ---  204.15.87.1      10.1.1.3        ---               ---
6 icmp 204.15.87.2:9    10.1.2.2:9      201.114.37.5:9    201.114.37.5:9
7 ---  204.15.87.2      10.1.2.2        ---               ---


Line 2 implies that 201.114.37.5 should be translated internally to 10.1.3.1, but line 4 shows this is not happening. When the inside local host initiates the ICMP request, the reply arrives with the outside global address untranslated and reaches the host with source 201.114.37.5.
According to the book, the ICMP response (echo-reply) is supposed to have been translated. But this is not the case.

A#ping 201.114.37.5
*Mar 1 01:23:50.423: ICMP: echo reply rcvd, src 201.114.37.5, dst 10.1.1.3
*Mar 1 01:23:50.543: ICMP: echo reply rcvd, src 201.114.37.5, dst 10.1.1.3

Matzalan#
*Mar 1 18:01:00.127: IP: tableid=0, s=10.1.1.3 (Ethernet0/0), d=201.114.37.5 (Serial1/0), routed via RIB
*Mar 1 18:01:00.131: NAT: i: icmp (10.1.1.3, 56) -> (201.114.37.5, 56) [232]
*Mar 1 18:01:00.135: NAT: s=10.1.1.3->204.15.87.1, d=201.114.37.5 [232]
*Mar 1 18:01:00.139: IP: s=204.15.87.1 (Ethernet0/0), d=201.114.37.5 (Serial1/0), g=199.100.35.253, len 100, forward
*Mar 1 18:01:00.143: ICMP type=8, code=0
*Mar 1 18:01:00.203: NAT*: o: icmp (201.114.37.5, 56) -> (204.15.87.1, 56) [232]
*Mar 1 18:01:00.207: NAT*: s=201.114.37.5, d=204.15.87.1->10.1.1.3 [232]
*Mar 1 18:01:00.215: IP: tableid=0, s=201.114.37.5 (Serial1/0), d=10.1.1.3 (Ethernet0/0), routed via RIB
*Mar 1 18:01:00.219: IP: s=201.114.37.5 (Serial1/0), d=10.1.1.3 (Ethernet0/0), g=10.1.1.3, len 100, forward
*Mar 1 18:01:00.223: ICMP type=0, code=0

A#ping 10.1.3.1
*Mar 1 01:24:00.803: ICMP: echo reply rcvd, src 10.1.3.1, dst 10.1.1.3
*Mar 1 01:24:00.903: ICMP: echo reply rcvd, src 10.1.3.1, dst 10.1.1.3
*Mar 1 01:24:01.023: ICMP: echo reply rcvd, src 10.1.3.1, dst 10.1.1.3
*Mar 1 01:24:01.143: ICMP: echo reply rcvd, src 10.1.3.1, dst 10.1.1.3

Matzalan#
*Mar 1 18:07:07.083: IP: tableid=0, s=10.1.1.3 (Ethernet0/0), d=10.1.3.1 (Serial1/0), routed via RIB
*Mar 1 18:07:07.087: NAT: i: icmp (10.1.1.3, 61) -> (10.1.3.1, 61) [237]
*Mar 1 18:07:07.091: NAT: s=10.1.1.3->204.15.87.1, d=10.1.3.1 [237]
*Mar 1 18:07:07.091: NAT: s=204.15.87.1, d=10.1.3.1->201.114.37.5 [237]
*Mar 1 18:07:07.095: IP: s=204.15.87.1 (Ethernet0/0), d=201.114.37.5 (Serial1/0), g=199.100.35.253, len 100, forward
*Mar 1 18:07:07.099: ICMP type=8, code=0
*Mar 1 18:07:07.163: NAT*: o: icmp (201.114.37.5, 61) -> (204.15.87.1, 61) [237]
*Mar 1 18:07:07.163: NAT*: s=201.114.37.5->10.1.3.1, d=204.15.87.1 [237]
*Mar 1 18:07:07.167: NAT*: s=10.1.3.1, d=204.15.87.1->10.1.1.3 [237]
*Mar 1 18:07:07.175: IP: tableid=0, s=10.1.3.1 (Serial1/0), d=10.1.1.3 (Ethernet0/0), routed via RIB
*Mar 1 18:07:07.179: IP: s=10.1.3.1 (Serial1/0), d=10.1.1.3 (Ethernet0/0), g=10.1.1.3, len 100, forward
*Mar 1 18:07:07.179: ICMP type=0, code=0


Configs:
interface Serial1/0
 ip address 199.100.35.254 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 serial restart-delay 0
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 full-duplex
!
ip nat inside source static 10.1.1.3 204.15.87.1
ip nat inside source static 10.1.2.2 204.15.87.2
ip nat outside source static 201.114.37.5 10.1.3.1
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 10.1.2.0 255.255.255.0 10.1.1.2


More observations:
Disabling inside NAT and defining a route to 10.1.1.0/24 (at the remote router) makes the ICMP echo-reply packet behave correctly.
A#ping 201.114.37.5 re 1
A#
*Mar 1 05:06:42.866: ICMP: echo reply rcvd, src 10.1.3.1, dst 10.1.1.3

Matzalan#
*Mar 1 03:59:20.607: IP: tableid=0, s=10.1.1.3 (Ethernet0/0), d=201.114.37.5 (Serial1/0), routed via RIB
*Mar 1 03:59:20.611: IP: s=10.1.1.3 (Ethernet0/0), d=201.114.37.5 (Serial1/0), g=201.114.37.5, len 100, forward
*Mar 1 03:59:20.615: ICMP type=8, code=0
*Mar 1 03:59:20.719: NAT: Processing out-2-in packet in after_routing2
*Mar 1 03:59:20.723: NAT: s=201.114.37.5->10.1.3.1, d=10.1.1.3 [36]


Interestingly, in this scenario, we can ping 201.114.37.5 but not telnet - this is because ICMP does not check the src/dest IP address, but just an ICMP identifier, which should match.

A#telnet 201.114.37.5
Trying 201.114.37.5 ...

A#telnet 10.1.3.1
Trying 10.1.3.1 ... Open


From all the above tests, I find that I can never get NAT to translate both ways...
         IG               IL               OL               OG
Either : 10.1.1.3:54164   10.1.1.3:54164   10.1.3.1:23      201.114.37.5:23
or     : 204.15.87.1:21   10.1.1.3:21      201.114.37.5:21  201.114.37.5:21


How do I achieve:
IG            IL          OL          OG
204.15.87.1   10.1.1.3    10.1.3.1    201.114.37.5
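Added example, not code from the original post: a small Python checker that reads the static NAT statements from the config above and replays the debug ip nat lines quoted in both entries, reconstructing the (IG, IL, OL, OG) row the router actually applied and reporting which side of the echo reply was left untranslated. The debug lines are the ones quoted in the posts; the config for the 12.2 run (mapping 10.1.1.3 to 204.15.86.3) is an assumption, since only that address appears in the 12.2 debug and the config in effect at the time is not shown.

```python
import re
from dataclasses import dataclass

# Constructed from the static statements in the post's config.
CONFIG_124 = """
ip nat inside source static 10.1.1.3 204.15.87.1
ip nat inside source static 10.1.2.2 204.15.87.2
ip nat outside source static 201.114.37.5 10.1.3.1
"""
# Assumption: the 12.2 run mapped 10.1.1.3 to 204.15.86.3 (seen in its debug;
# the post does not show the config in effect then).
CONFIG_122 = """
ip nat inside source static 10.1.1.3 204.15.86.3
ip nat outside source static 201.114.37.5 10.1.3.1
"""
# The 12.4 capture quoted in the post: the reply source is never rewritten.
DEBUG_124 = """
*Mar 1 18:01:00.131: NAT: i: icmp (10.1.1.3, 56) -> (201.114.37.5, 56) [232]
*Mar 1 18:01:00.135: NAT: s=10.1.1.3->204.15.87.1, d=201.114.37.5 [232]
*Mar 1 18:01:00.203: NAT*: o: icmp (201.114.37.5, 56) -> (204.15.87.1, 56) [232]
*Mar 1 18:01:00.207: NAT*: s=201.114.37.5, d=204.15.87.1->10.1.1.3 [232]
"""
# The 12.2 capture quoted in the post: both sides of the reply are rewritten.
DEBUG_122 = """
*Mar 1 00:33:08.795: NAT: i: icmp (10.1.1.3, 2) -> (201.114.37.5, 2) [2]
*Mar 1 00:33:08.799: NAT: s=10.1.1.3->204.15.86.3, d=201.114.37.5 [2]
*Mar 1 00:33:08.959: NAT: o: icmp (201.114.37.5, 2) -> (204.15.86.3, 2) [2]
*Mar 1 00:33:08.959: NAT: s=201.114.37.5->10.1.3.1, d=204.15.86.3 [2]
*Mar 1 00:33:08.963: NAT: s=10.1.3.1, d=204.15.86.3->10.1.1.3 [2]
"""

# "i:"/"o:" lines open a packet; "s=..., d=..." lines record one rewrite each.
FLOW_RE = re.compile(r"NAT\*?: ([io]): \w+ \((\S+), \d+\) -> \((\S+), \d+\) \[\d+\]")
XLATE_RE = re.compile(r"NAT\*?: s=(\S+?)(?:->(\S+?))?, d=(\S+?)(?:->(\S+?))? \[\d+\]")


@dataclass
class Packet:
    direction: str  # "i" = inside->outside, "o" = outside->inside
    src: str        # addresses as the packet entered NAT
    dst: str
    src_final: str  # addresses after every rewrite the debug shows
    dst_final: str


def parse_static_nat(config):
    """Inside local -> inside global, and outside global -> outside local."""
    inside, outside = {}, {}
    for line in config.splitlines():
        m = re.match(r"\s*ip nat (inside|outside) source static (\S+) (\S+)", line)
        if m:
            side, a, b = m.groups()
            (inside if side == "inside" else outside)[a] = b
    return inside, outside


def parse_debug(text):
    """Replay the debug: each rewrite line applies to the most recent packet."""
    packets = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            d, s, t = m.groups()
            packets.append(Packet(d, s, t, s, t))
            continue
        m = XLATE_RE.search(line)
        if m and packets:
            _, s_after, _, d_after = m.groups()
            if s_after:
                packets[-1].src_final = s_after
            if d_after:
                packets[-1].dst_final = d_after
    return packets


def observed_row(packets):
    """(IG, IL, OL, OG) as the router actually applied it, read off the first
    outside->inside packet; an untranslated reply source shows up as OL == OG."""
    for p in packets:
        if p.direction == "o":
            return (p.dst, p.dst_final, p.src_final, p.src)
    return None


def check_packet(p, inside, outside):
    """Problems for one packet; empty when both addresses were rewritten as the
    static statements require (IL->IG and OL->OG out, OG->OL and IG->IL back)."""
    if p.direction == "i":
        exp_src = inside.get(p.src, p.src)
        exp_dst = next((og for og, ol in outside.items() if ol == p.dst), p.dst)
        label = "outbound"
    else:
        exp_src = outside.get(p.src, p.src)
        exp_dst = next((il for il, ig in inside.items() if ig == p.dst), p.dst)
        label = "reply"
    problems = []
    if p.src_final != exp_src:
        problems.append(f"{label} source {p.src} left as {p.src_final}, expected {exp_src}")
    if p.dst_final != exp_dst:
        problems.append(f"{label} destination {p.dst} left as {p.dst_final}, expected {exp_dst}")
    return problems


def audit(config, debug):
    """Return (observed IG/IL/OL/OG row, list of problems) for one capture."""
    inside, outside = parse_static_nat(config)
    packets = parse_debug(debug)
    return observed_row(packets), [m for p in packets for m in check_packet(p, inside, outside)]


if __name__ == "__main__":
    for name, cfg, dbg in (("12.4", CONFIG_124, DEBUG_124), ("12.2", CONFIG_122, DEBUG_122)):
        row, problems = audit(cfg, dbg)
        print(name, "IG/IL/OL/OG =", row, "|", "; ".join(problems) or "translated both ways")
```

On the 12.4 capture the replay reproduces line 4 of the translation table above (OL and OG both 201.114.37.5) and flags the reply source as left untranslated; on the 12.2 capture it returns the row the last question asks for, with no problems. The same replay works on any debug ip nat capture, which makes it a quick way to confirm a NAT box rewrites both directions before trusting its translation table.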