Friday, December 26, 2008

NAT Hairpinning using NAT pools & PBR

Here is an interesting problem I met some days ago...



All hosts want to communicate with each other by using their respective external (inside global) ip addresses, while dynamic/static NAT takes place in front of them.

1) Introducing the problem

This issue is "resolved" in RFC 4787 (for UDP) & RFC 5382 (for TCP) and is also known as NAT hairpinning, but Cisco doesn't seem to have implemented any of these in its routers (although Cisco's name is included in both RFCs). According to the 2nd RFC:

NATs that forward packets originating from an internal address, destined for an external address that matches the active mapping for an internal address, back to that internal address are defined in [BEHAVE-UDP] as supporting "hairpinning". If the NAT presents the hairpinned packet with an external source IP address and port (i.e., the mapped source address and port of the originating internal endpoint), then it is defined to have "External source IP address and port" for hairpinning. Hairpinning is necessary to allow two internal endpoints (known to each other only by their external mapped addresses) to communicate with each other. "External source IP address and port" behavior for hairpinning avoids confusing implementations that expect the external source IP address and port.

To make it more interesting I have added multiple wan connections, each one serving a specific block of ips, so a little bit of load-balancing plus redundancy is happening too.

HOST1 and HOST2 access the internet through the same wan connection, HOST3 uses another wan connection (through the same router as HOST1 and HOST2) and so does HOST4 (through a different router than all other hosts).

Concisely:

HOST1 -> HGW S1/0 -> R1 S1/0
HOST2 -> HGW S1/0 -> R1 S1/0
HOST3 -> HGW S1/1 -> R1 S1/1
HOST4 -> HGW S1/2 -> R2 S1/2

HGW is the router where all these hosts are directly connected, probably your home gateway. It has 3 wan connections to your ISP for load-balancing/redundancy reasons. This is where all the serious stuff (NAT & PBR) is taking place.

R1, R2 are the ISP routers where the wan connections are and CORE represents (in our case) the internet.

2) Finding solutions

In order to implement my solution, you'll need to have static ips for your wan connections plus a block of extra ips (one ip is enough) per static account. I couldn't think of a way to implement it without using extra ips (besides an idea of using VRFs, but I still don't feel confident enough to experiment with them; maybe in a later version). You'll also need some extra private ips for your HGW, but these come in cheap, so no need to worry.

The whole concept is heavily based on policy-based routing (PBR). The general idea is to have each host's packets source-translated to an ip not known internally (a nat pool address), so static NAT won't be used for them and PBR can actually take place.

3) Connection and ip details

WAN1 : 100.1.12.0/30 (extra ips : 100.10.12.0/30)
WAN2 : 100.1.33.0/30 (extra ips : 100.10.33.0/30)
WAN3 : 100.1.44.0/30 (extra ips : 100.10.44.0/30)

HOST1 : 10.10.10.1
HOST2 : 10.10.10.2
HOST3 : 10.10.10.3
HOST4 : 10.10.10.4

4) Configurations

HGW



! Interface Loopback0 is used as an intermediate hop for doing NAT and PBR
! for the inside->outside direction.

interface Loopback0
ip address 11.11.11.1 255.255.255.252
ip nat outside
ip virtual-reassembly
ip policy route-map LOOPBACK->OUTSIDE-ROUTE-MAP
!

! Interface Loopback1 is used as an intermediate hop for doing NAT
! for the outside->inside direction (PBR is not needed because
! all hosts are connected on the same inside interface).
! Since Loopback interfaces do not have a direction,
! we cannot use a single loopback for both directions (PBR will apply in both).
! If every host was using a different nat pool, then we wouldn't need
! this interface. We can probably avoid using this interface too,
! if we make ACLs used in PBR match ports as well as ips.

interface Loopback1
ip address 22.22.22.2 255.255.255.255
ip nat outside
ip virtual-reassembly
!

! Fa0/0 interface is the interface where all hosts are directly connected to.

interface FastEthernet0/0
ip address 10.10.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map INSIDE->OUTSIDE-ROUTE-MAP
!

! Interfaces S1/0, S1/1, S1/2 are the wan connections to the ISP,
! each one serving a specific block of host ips.

interface Serial1/0
description ** R1 S1/0 **
ip address 100.1.12.2 255.255.255.252
ip policy route-map OUTSIDE->INSIDE-ROUTE-MAP
!
interface Serial1/1
description ** R1 S1/1 **
ip address 100.1.33.2 255.255.255.252
ip policy route-map OUTSIDE->INSIDE-ROUTE-MAP
!
interface Serial1/2
description ** R2 S1/2 **
ip address 100.1.44.2 255.255.255.252
ip policy route-map OUTSIDE->INSIDE-ROUTE-MAP
!

! These default routes are not actually needed, if we use PBR for all our host ips.
! So we need these, only if we don't use PBR under Loopback0 and Fa0/0.

ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 0.0.0.0 0.0.0.0 Serial1/1
ip route 0.0.0.0 0.0.0.0 Serial1/2
!

! We use a nat pool for each group of hosts that we want to treat differently.

ip nat pool HOST12-NAT-POOL 100.10.12.1 100.10.12.1 prefix-length 30
ip nat pool HOST3-NAT-POOL 100.10.33.1 100.10.33.1 prefix-length 30
ip nat pool HOST4-NAT-POOL 100.10.44.1 100.10.44.1 prefix-length 30
ip nat inside source list HOST12-ACL pool HOST12-NAT-POOL overload
ip nat inside source list HOST3-ACL pool HOST3-NAT-POOL overload
ip nat inside source list HOST4-ACL pool HOST4-NAT-POOL overload
!

! We use static nat, so each host keeps an open port for incoming connections.
! Different hosts use different ports, so many of them can be used simultaneously
! with the same inside global ip.

ip nat inside source static tcp 10.10.10.1 1081 100.10.12.1 1081 extendable
ip nat inside source static tcp 10.10.10.2 1082 100.10.12.1 1082 extendable
ip nat inside source static tcp 10.10.10.3 1083 100.10.33.1 1083 extendable
ip nat inside source static tcp 10.10.10.4 1084 100.10.44.1 1084 extendable
!

! These ACLs are used when doing NAT and PBR under Fa0/0.

ip access-list extended HOST12-ACL
permit ip host 10.10.10.1 any
permit ip host 10.10.10.2 any
ip access-list extended HOST3-ACL
permit ip host 10.10.10.3 any
ip access-list extended HOST4-ACL
permit ip host 10.10.10.4 any
!

! These ACLs are used when doing PBR under Loopback0.
! We match on the inside global ip as the source, because inside NAT has already happened,
! while outside hasn't.

ip access-list extended HOST12-NATTED-SRC-ACL
permit ip host 100.10.12.1 any
ip access-list extended HOST3-NATTED-SRC-ACL
permit ip host 100.10.33.1 any
ip access-list extended HOST4-NATTED-SRC-ACL
permit ip host 100.10.44.1 any
!

! This ACL is used when doing PBR under all Serial interfaces.
! We match on the inside global ip as the destination,
! because outside nat hasn't happened yet.

ip access-list extended HOSTS-NATTED-DST-ACL
permit ip any host 100.10.12.1
permit ip any host 100.10.33.1
permit ip any host 100.10.44.1
!

! This route-map is applied under Fa0/0 and forwards packets from all hosts to Loopback0.
! You can also use a single ACL for all hosts, instead of an ACL per group of hosts.
! In our case we have the ACLs ready because of nat.

route-map INSIDE->OUTSIDE-ROUTE-MAP permit 10
match ip address HOST12-ACL HOST3-ACL HOST4-ACL
set interface Loopback0
!

! This route-map is applied under Loopback0 and forwards packets
! to the correct Serial interface according to the natted (inside global) source ip.
! For redundancy reasons all Serial interfaces are defined as outgoing
! and for load-balancing reasons, each group uses the Serial interfaces
! in a specific order.

route-map LOOPBACK->OUTSIDE-ROUTE-MAP permit 10
match ip address HOST12-NATTED-SRC-ACL
set interface Serial1/0 Serial1/1 Serial1/2
!
route-map LOOPBACK->OUTSIDE-ROUTE-MAP permit 20
match ip address HOST3-NATTED-SRC-ACL
set interface Serial1/1 Serial1/2 Serial1/0
!
route-map LOOPBACK->OUTSIDE-ROUTE-MAP permit 30
match ip address HOST4-NATTED-SRC-ACL
set interface Serial1/2 Serial1/0 Serial1/1
!

! This route-map is applied under all Serial interfaces and forwards
! incoming (from ISP) packets to Loopback1, so the hosts' inside global ip can be translated
! to the appropriate inside local ip.

route-map OUTSIDE->INSIDE-ROUTE-MAP permit 10
match ip address HOSTS-NATTED-DST-ACL
set interface Loopback1
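To make the two-stage PBR/NAT pipeline above easier to follow, here is a small Python model of it. This is an added example, not IOS code and not part of the original post: a packet from an inside host is policy-routed to Loopback0, translated there from its host's NAT pool (the static TCP entries take precedence), then policy-routed to a Serial interface by its natted source; a returning packet is policy-routed from the Serial interface to Loopback1 and translated back to the inside local address. Two things are assumptions: the ISP hands a packet back on the Serial interface its static route for that inside global points to, and a dynamic translation keeps the original source port (the "wanted X got X" debug lines later in the post show this for the tests here). It goes a little beyond the post by letting you mark a wan link down to see the failover order.

```python
"""Model of the HGW forwarding pipeline (added example, not IOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WAN_LINKS = ["Serial1/0", "Serial1/1", "Serial1/2"]

# ip nat inside source list <HOST-ACL> pool <POOL> overload, one entry per host.
POOL_BY_HOST = {
    "10.10.10.1": "100.10.12.1", "10.10.10.2": "100.10.12.1",
    "10.10.10.3": "100.10.33.1", "10.10.10.4": "100.10.44.1",
}
# ip nat inside source static tcp ... extendable: (local, port) -> (global, port)
STATIC_TCP = {
    ("10.10.10.1", 1081): ("100.10.12.1", 1081),
    ("10.10.10.2", 1082): ("100.10.12.1", 1082),
    ("10.10.10.3", 1083): ("100.10.33.1", 1083),
    ("10.10.10.4", 1084): ("100.10.44.1", 1084),
}
# route-map LOOPBACK->OUTSIDE-ROUTE-MAP: natted source -> "set interface" order.
SERIAL_ORDER = {
    "100.10.12.1": ["Serial1/0", "Serial1/1", "Serial1/2"],
    "100.10.33.1": ["Serial1/1", "Serial1/2", "Serial1/0"],
    "100.10.44.1": ["Serial1/2", "Serial1/0", "Serial1/1"],
}
INSIDE_GLOBALS = set(SERIAL_ORDER)   # what HOSTS-NATTED-DST-ACL matches on


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class HGW:
    up: Dict[str, bool] = field(default_factory=lambda: {s: True for s in WAN_LINKS})
    # dynamic translations: (proto, inside local, port) -> (inside global, port)
    table: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)

    def inside_to_outside(self, pkt: Packet) -> Tuple[Packet, List[str]]:
        """Fa0/0 -> Loopback0 (inside NAT) -> first usable Serial interface."""
        if pkt.src not in POOL_BY_HOST:
            raise ValueError("no match in INSIDE->OUTSIDE-ROUTE-MAP; routed normally")
        hops = ["FastEthernet0/0", "Loopback0"]
        if pkt.proto == "tcp" and (pkt.src, pkt.sport) in STATIC_TCP:
            glob = STATIC_TCP[(pkt.src, pkt.sport)]          # static entry wins
        else:
            # Assumption: the original source port is kept for dynamic entries.
            key = (pkt.proto, pkt.src, pkt.sport)
            glob = self.table.setdefault(key, (POOL_BY_HOST[pkt.src], pkt.sport))
        natted = Packet(glob[0], glob[1], pkt.dst, pkt.dport, pkt.proto)
        for serial in SERIAL_ORDER[natted.src]:               # PBR on Loopback0
            if self.up[serial]:
                hops.append(serial)
                return natted, hops
        raise RuntimeError("all wan connections are down")

    def outside_to_inside(self, pkt: Packet, ingress: str) -> Tuple[Packet, List[str]]:
        """Serial -> Loopback1 (outside NAT) -> Fa0/0, if a translation exists."""
        if pkt.dst not in INSIDE_GLOBALS:
            return pkt, [ingress]          # HOSTS-NATTED-DST-ACL does not match
        hops = [ingress, "Loopback1"]
        statics = {("tcp", l, lp): g for (l, lp), g in STATIC_TCP.items()}
        for (proto, local, lport), (glob, gport) in list(statics.items()) + list(self.table.items()):
            if proto == pkt.proto and (glob, gport) == (pkt.dst, pkt.dport):
                hops.append("FastEthernet0/0")
                return Packet(pkt.src, pkt.sport, local, lport, pkt.proto), hops
        raise LookupError(f"no translation for {pkt.dst}:{pkt.dport}")


def hairpin(hgw: HGW, client: str, cport: int, server_global: str, sport: int):
    """Client host reaches a server host by the server's inside global address.
    Assumption: the ISP returns the packet on the Serial interface its static
    route for that inside global points to (first entry of SERIAL_ORDER)."""
    out, hops_out = hgw.inside_to_outside(Packet(client, cport, server_global, sport))
    delivered, hops_in = hgw.outside_to_inside(out, SERIAL_ORDER[server_global][0])
    return out, delivered, hops_out + hops_in


if __name__ == "__main__":
    out, delivered, hops = hairpin(HGW(), "10.10.10.1", 24495, "100.10.12.1", 1082)
    print(out, delivered, " -> ".join(hops))
```

Running it reproduces the path the debugs later in the post show for HOST1 talking to HOST2: the SYN leaves Serial1/0 with source 100.10.12.1:24495, comes back in on Serial1/0, is policy-routed to Loopback1 and lands on 10.10.10.2:1082. Setting `up["Serial1/0"] = False` on the model shows HOST1's traffic moving to Serial1/1, the second entry in its `set interface` list.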


R1

interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 100.5.0.1 255.255.255.0
!
interface Serial1/0
description ** HGW S1/0 **
ip address 100.1.12.1 255.255.255.252
!
interface Serial1/1
description ** HGW S1/1 **
ip address 100.1.33.1 255.255.255.252
!
router ospf 100
router-id 1.1.1.1
redistribute connected subnets
redistribute static subnets
passive-interface Loopback0
network 1.1.1.1 0.0.0.0 area 0
network 100.5.0.1 0.0.0.0 area 0
!

! These static routes are used on the ISP router, so our incoming traffic can
! be forwarded to the appropriate interface.

ip route 100.10.12.0 255.255.255.252 100.1.12.2
ip route 100.10.33.0 255.255.255.252 100.1.33.2


R2

interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 100.5.0.2 255.255.255.0
!
interface Serial1/2
description ** HGW S1/2 **
ip address 100.1.44.1 255.255.255.252
!
router ospf 100
router-id 2.2.2.2
redistribute connected subnets
redistribute static subnets
passive-interface Loopback0
network 2.2.2.2 0.0.0.0 area 0
network 100.5.0.2 0.0.0.0 area 0
!

! These static routes are used on the ISP router, so our incoming traffic can
! be forwarded to the appropriate interface.

ip route 100.10.44.0 255.255.255.252 100.1.44.2


CORE

interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
interface FastEthernet0/0
ip address 100.5.0.5 255.255.255.0
ip ospf priority 2
!
router ospf 100
router-id 5.5.5.5
passive-interface Loopback0
network 5.5.5.5 0.0.0.0 area 0
network 100.5.0.5 0.0.0.0 area 0


HOST1, HOST2, HOST3 and HOST4 have nothing special, besides an http server (each one on a different port), so incoming connections can be checked and verified.


5) Test cases

We're going to examine three different cases of connections between various hosts. Each host is acting as a client (initiating connections to the internet) and as a server (accepting connections from the internet). In our case, the internet can be any of the other hosts too.

We'll keep the following debugs enabled, so we can better watch what is happening.

"debug ip nat det"
"debug ip policy"
"debug ip packet det" - used partially

In a production environment, you'll probably want to take some precautions before enabling them.

Before we start, let's take a look at the nat translation table. Only static nat entries should be there.

HGW#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 100.10.12.1:1081 10.10.10.1:1081 --- ---
tcp 100.10.12.1:1082 10.10.10.2:1082 --- ---
tcp 100.10.33.1:1083 10.10.10.3:1083 --- ---
tcp 100.10.44.1:1084 10.10.10.4:1084 --- ---


5.1) HOST1 is trying to access HOST2 (same wan connections, same router)

First we test HOST1's and HOST2's connectivity to the internet (dynamic NAT) :

HOST1#p 5.5.5.5 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 200/200/200 ms

HOST2#p 5.5.5.5 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 196/196/196 ms


HGW debugs


! Request from 10.10.10.1:7 (100.10.12.1:7) to 5.5.5.5:7 (5.5.5.5:7)

! Traffic leaving the router towards the ISP
! 10.10.10.1 ==(PBR)(NAT)==> Loopback0 ==(PBR)==> Serial1/0

Dec 26 14:37:55.367: IP: s=10.10.10.1 (FastEthernet0/0), d=5.5.5.5, len 100, FIB policy match
Dec 26 14:37:55.367: IP: s=10.10.10.1 (FastEthernet0/0), d=5.5.5.5, len 100, FIB policy match
Dec 26 14:37:55.375: IP: s=10.10.10.1 (FastEthernet0/0), d=5.5.5.5, len 100, policy match
Dec 26 14:37:55.375: IP: route map INSIDE->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:37:55.379: IP: s=10.10.10.1 (FastEthernet0/0), d=5.5.5.5 (Loopback0), len 100, policy routed
Dec 26 14:37:55.383: IP: FastEthernet0/0 to Loopback0 5.5.5.5
Dec 26 14:37:55.383: NAT: address not stolen for 10.10.10.1, proto 1 port 7
Dec 26 14:37:55.387: mapping pointer available mapping:0
Dec 26 14:37:55.387: NAT: creating portlist proto 1 globaladdr 100.10.12.1
Dec 26 14:37:55.391: NAT: [0] Allocated Port for 10.10.10.1 -> 100.10.12.1: wanted 7 got 7
Dec 26 14:37:55.395: NAT: i: icmp (10.10.10.1, 7) -> (5.5.5.5, 7) [7]
Dec 26 14:37:55.399: NAT: s=10.10.10.1->100.10.12.1, d=5.5.5.5 [7]
Dec 26 14:37:55.403: IP: s=100.10.12.1 (Loopback0), d=5.5.5.5, len 100, policy match
Dec 26 14:37:55.403: IP: route map LOOPBACK->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:37:55.407: IP: s=100.10.12.1 (Loopback0), d=5.5.5.5 (Serial1/0), len 100, policy routed
Dec 26 14:37:55.411: IP: Loopback0 to Serial1/0 5.5.5.5

! Reply from 5.5.5.5:7 (5.5.5.5:7) to 100.10.12.1:7 (10.10.10.1:7)

! Traffic entering the router from the ISP
! Serial1/0 ==(PBR)==> Loopback1 ==(NAT)==> 10.10.10.1

Dec 26 14:37:55.463: IP: s=5.5.5.5 (Serial1/0), d=100.10.12.1, len 100, FIB policy match
Dec 26 14:37:55.467: IP: s=5.5.5.5 (Serial1/0), d=100.10.12.1, len 100, FIB policy match
Dec 26 14:37:55.475: IP: s=5.5.5.5 (Serial1/0), d=100.10.12.1, len 100, policy match
Dec 26 14:37:55.479: IP: route map OUTSIDE->INSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:37:55.479: IP: s=5.5.5.5 (Serial1/0), d=100.10.12.1 (Loopback1), len 100, policy routed
Dec 26 14:37:55.483: IP: Serial1/0 to Loopback1 100.10.12.1
Dec 26 14:37:55.487: NAT: o: icmp (5.5.5.5, 7) -> (100.10.12.1, 7) [7]
Dec 26 14:37:55.491: NAT: s=5.5.5.5, d=100.10.12.1->10.10.10.1 [7]


! Request from 10.10.10.2:1 (100.10.12.1:1) to 5.5.5.5:1 (5.5.5.5:1)

! Traffic leaving the router towards the ISP
! 10.10.10.2 ==(PBR)(NAT)==> Loopback0 ==(PBR)==> Serial1/0

Dec 26 14:37:59.115: IP: s=10.10.10.2 (FastEthernet0/0), d=5.5.5.5, len 100, FIB policy match
Dec 26 14:37:59.119: IP: s=10.10.10.2 (FastEthernet0/0), d=5.5.5.5, len 100, FIB policy match
Dec 26 14:37:59.123: IP: s=10.10.10.2 (FastEthernet0/0), d=5.5.5.5, len 100, policy match
Dec 26 14:37:59.127: IP: route map INSIDE->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:37:59.131: IP: s=10.10.10.2 (FastEthernet0/0), d=5.5.5.5 (Loopback0), len 100, policy routed
Dec 26 14:37:59.131: IP: FastEthernet0/0 to Loopback0 5.5.5.5
Dec 26 14:37:59.131: mapping pointer available mapping:0
Dec 26 14:37:59.135: NAT: [0] Allocated Port for 10.10.10.2 -> 100.10.12.1: wanted 1 got 1
Dec 26 14:37:59.135: NAT: i: icmp (10.10.10.2, 1) -> (5.5.5.5, 1) [1]
Dec 26 14:37:59.139: NAT: s=10.10.10.2->100.10.12.1, d=5.5.5.5 [1]
Dec 26 14:37:59.143: IP: s=100.10.12.1 (Loopback0), d=5.5.5.5, len 100, policy match
Dec 26 14:37:59.147: IP: route map LOOPBACK->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:37:59.147: IP: s=100.10.12.1 (Loopback0), d=5.5.5.5 (Serial1/0), len 100, policy routed
Dec 26 14:37:59.151: IP: Loopback0 to Serial1/0 5.5.5.5

! Reply from 5.5.5.5:1 (5.5.5.5:1) to 100.10.12.1:1 (10.10.10.2:1)

! Traffic entering the router from the ISP
! Serial1/0 ==(PBR)==> Loopback1 ==(NAT)==> 10.10.10.2

Dec 26 14:37:59.183: IP: s=5.5.5.5 (Serial1/0), d=100.10.12.1, len 100, FIB policy match
Dec 26 14:37:59.187: IP: s=5.5.5.5 (Serial1/0), d=100.10.12.1, len 100, FIB policy match
Dec 26 14:37:59.195: IP: s=5.5.5.5 (Serial1/0), d=100.10.12.1, len 100, policy match
Dec 26 14:37:59.199: IP: route map OUTSIDE->INSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:37:59.203: IP: s=5.5.5.5 (Serial1/0), d=100.10.12.1 (Loopback1), len 100, policy routed
Dec 26 14:37:59.207: IP: Serial1/0 to Loopback1 100.10.12.1
Dec 26 14:37:59.211: NAT: o: icmp (5.5.5.5, 1) -> (100.10.12.1, 1) [1]
Dec 26 14:37:59.211: NAT: s=5.5.5.5, d=100.10.12.1->10.10.10.2 [1]


We check the nat translation table and two new dynamic entries have been created :

HGW#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 100.10.12.1:7 10.10.10.1:7 5.5.5.5:7 5.5.5.5:7
tcp 100.10.12.1:1081 10.10.10.1:1081 --- ---
icmp 100.10.12.1:1 10.10.10.2:1 5.5.5.5:1 5.5.5.5:1
tcp 100.10.12.1:1082 10.10.10.2:1082 --- ---
tcp 100.10.33.1:1083 10.10.10.3:1083 --- ---
tcp 100.10.44.1:1084 10.10.10.4:1084 --- ---


Then we test connectivity between the 2 hosts (dynamic/static NAT) :

HOST1#tel 100.10.12.1 1082
Trying 100.10.12.1, 1082 ... Open


HOST2#sh tcp br
TCB Local Address Foreign Address (state)
66504154 10.10.10.2.1082 100.10.12.1.24495 ESTAB


HGW debugs


! Request from 10.10.10.1:24495 (100.10.12.1:24495) to 100.10.12.1:1082 (10.10.10.2:1082)

! Traffic leaving the router towards the ISP
! 10.10.10.1 ==(PBR)(NAT)==> Loopback0 ==(PBR)==> Serial1/0

Dec 26 14:16:21.007: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:16:21.011: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:16:21.015: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.12.1, len 44, policy match
Dec 26 14:16:21.019: IP: route map INSIDE->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:16:21.019: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.12.1 (Loopback0), len 44, policy routed
Dec 26 14:16:21.023: IP: FastEthernet0/0 to Loopback0 100.10.12.1
Dec 26 14:16:21.027: NAT: address not stolen for 10.10.10.1, proto 6 port 24495
Dec 26 14:16:21.031: mapping pointer available mapping:0
Dec 26 14:16:21.031: NAT: [0] Allocated Port for 10.10.10.1 -> 100.10.12.1: wanted 24495 got 24495
Dec 26 14:16:21.035: NAT: i: tcp (10.10.10.1, 24495) -> (100.10.12.1, 1082) [24314]
Dec 26 14:16:21.039: NAT: s=10.10.10.1->100.10.12.1, d=100.10.12.1 [24314]
Dec 26 14:16:21.055: IP: s=100.10.12.1 (Loopback0), d=100.10.12.1, len 44, policy match
Dec 26 14:16:21.055: IP: route map LOOPBACK->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:16:21.059: IP: s=100.10.12.1 (Loopback0), d=100.10.12.1 (Serial1/0), len 44, policy routed
Dec 26 14:16:21.063: IP: Loopback0 to Serial1/0 100.10.12.1

! Traffic entering the router from the ISP
! Serial1/0 ==(PBR)==> Loopback1 ==(NAT)==> 10.10.10.2

Dec 26 14:16:21.087: IP: s=100.10.12.1 (Serial1/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:16:21.091: IP: s=100.10.12.1 (Serial1/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:16:21.095: IP: s=100.10.12.1 (Serial1/0), d=100.10.12.1, len 44, policy match
Dec 26 14:16:21.099: IP: route map OUTSIDE->INSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:16:21.103: IP: s=100.10.12.1 (Serial1/0), d=100.10.12.1 (Loopback1), len 44, policy routed
Dec 26 14:16:21.103: IP: Serial1/0 to Loopback1 100.10.12.1
Dec 26 14:16:21.111: NAT: o: tcp (100.10.12.1, 24495) -> (100.10.12.1, 1082) [24314]
Dec 26 14:16:21.111: NAT: s=100.10.12.1, d=100.10.12.1->10.10.10.2 [24314]


! Reply from 10.10.10.2:1082 (100.10.12.1:1082) to 100.10.12.1:24495 (10.10.10.1:24495)

! Traffic leaving the router towards the ISP
! 10.10.10.2 ==(PBR)(NAT)==> Loopback0 ==(PBR)==> Serial1/0

Dec 26 14:16:21.187: IP: s=10.10.10.2 (FastEthernet0/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:16:21.191: IP: s=10.10.10.2 (FastEthernet0/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:16:21.195: IP: s=10.10.10.2 (FastEthernet0/0), d=100.10.12.1, len 44, policy match
Dec 26 14:16:21.199: IP: route map INSIDE->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:16:21.203: IP: s=10.10.10.2 (FastEthernet0/0), d=100.10.12.1 (Loopback0), len 44, policy routed
Dec 26 14:16:21.207: IP: FastEthernet0/0 to Loopback0 100.10.12.1
Dec 26 14:16:21.211: NAT: i: tcp (10.10.10.2, 1082) -> (100.10.12.1, 24495) [61514]
Dec 26 14:16:21.211: NAT: s=10.10.10.2->100.10.12.1, d=100.10.12.1 [61514]
Dec 26 14:16:21.215: IP: s=100.10.12.1 (Loopback0), d=100.10.12.1, len 44, policy match
Dec 26 14:16:21.219: IP: route map LOOPBACK->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:16:21.223: IP: s=100.10.12.1 (Loopback0), d=100.10.12.1 (Serial1/0), len 44, policy routed
Dec 26 14:16:21.227: IP: Loopback0 to Serial1/0 100.10.12.1

! Traffic entering the router from the ISP
! Serial1/0 ==(PBR)==> Loopback1 ==(NAT)==> 10.10.10.1

Dec 26 14:16:21.247: IP: s=100.10.12.1 (Serial1/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:16:21.247: IP: s=100.10.12.1 (Serial1/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:16:21.259: IP: s=100.10.12.1 (Serial1/0), d=100.10.12.1, len 44, policy match
Dec 26 14:16:21.263: IP: route map OUTSIDE->INSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:16:21.263: IP: s=100.10.12.1 (Serial1/0), d=100.10.12.1 (Loopback1), len 44, policy routed
Dec 26 14:16:21.267: IP: Serial1/0 to Loopback1 100.10.12.1
Dec 26 14:16:21.271: NAT: o: tcp (100.10.12.1, 1082) -> (100.10.12.1, 24495) [61514]
Dec 26 14:16:21.275: NAT: s=100.10.12.1, d=100.10.12.1->10.10.10.1 [61514]
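The one-line path summaries written above each debug block ("10.10.10.1 ==(PBR)(NAT)==> Loopback0 ==(PBR)==> Serial1/0") can be reconstructed mechanically from the "policy routed" and "NAT: s=/d=" lines. The following Python is an added example, not part of the original post; it only relies on the debug line formats shown in the post, and the sample lines are copied from the HOST1 to HOST2 debugs above (the FIB policy match lines are left out because the parser ignores them anyway). As a check that a practitioner would want, `hairpinned()` lists the passes that entered on a wan interface with one of our own inside global addresses as source, which is exactly what a hairpinned connection looks like on the wire.

```python
"""Rebuild per-pass path summaries from 'debug ip policy' / 'debug ip nat'
lines (added example, not from the original post)."""
import re
from typing import Dict, List, Optional, Set, Tuple

POLICY_ROUTED = re.compile(
    r"IP: s=([\d.]+) \(([^)]+)\), d=([\d.]+) \(([^)]+)\), len \d+, policy routed")
# Inside-source translation: "NAT: s=10.10.10.1->100.10.12.1, d=100.10.12.1 [24314]"
NAT_INSIDE = re.compile(r"NAT: s=([\d.]+)->([\d.]+), d=([\d.]+) \[(\d+)\]")
# Outside-destination translation: "NAT: s=100.10.12.1, d=100.10.12.1->10.10.10.2 [24314]"
NAT_OUTSIDE = re.compile(r"NAT: s=([\d.]+), d=([\d.]+)->([\d.]+) \[(\d+)\]")

# Sample input: lines copied from the HOST1 -> HOST2 debug output in the post.
SAMPLE = """\
Dec 26 14:16:21.019: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.12.1 (Loopback0), len 44, policy routed
Dec 26 14:16:21.039: NAT: s=10.10.10.1->100.10.12.1, d=100.10.12.1 [24314]
Dec 26 14:16:21.059: IP: s=100.10.12.1 (Loopback0), d=100.10.12.1 (Serial1/0), len 44, policy routed
Dec 26 14:16:21.103: IP: s=100.10.12.1 (Serial1/0), d=100.10.12.1 (Loopback1), len 44, policy routed
Dec 26 14:16:21.111: NAT: s=100.10.12.1, d=100.10.12.1->10.10.10.2 [24314]
Dec 26 14:16:21.203: IP: s=10.10.10.2 (FastEthernet0/0), d=100.10.12.1 (Loopback0), len 44, policy routed
Dec 26 14:16:21.211: NAT: s=10.10.10.2->100.10.12.1, d=100.10.12.1 [61514]
Dec 26 14:16:21.223: IP: s=100.10.12.1 (Loopback0), d=100.10.12.1 (Serial1/0), len 44, policy routed
Dec 26 14:16:21.263: IP: s=100.10.12.1 (Serial1/0), d=100.10.12.1 (Loopback1), len 44, policy routed
Dec 26 14:16:21.275: NAT: s=100.10.12.1, d=100.10.12.1->10.10.10.1 [61514]
""".splitlines()


def parse_passes(lines: List[str]) -> List[Dict]:
    """A 'pass' is one trip through the router. It starts when a packet is
    policy-routed off a physical interface; PBR hops off a Loopback and the
    NAT lines that follow belong to the same pass."""
    passes: List[Dict] = []
    cur: Optional[Dict] = None
    for line in lines:
        m = POLICY_ROUTED.search(line)
        if m:
            src, ingress, dst, egress = m.groups()
            if not ingress.startswith("Loopback"):
                cur = {"entry": ingress, "src": src, "dst": dst,
                       "hops": [], "nat": None, "id": None}
                passes.append(cur)
            if cur is not None:
                cur["hops"].append(egress)
            continue
        if cur is None:
            continue
        m = NAT_INSIDE.search(line)
        if m:
            cur["nat"], cur["id"] = ("inside", m.group(1), m.group(2)), m.group(4)
            continue
        m = NAT_OUTSIDE.search(line)
        if m:
            cur["nat"], cur["id"] = ("outside", m.group(2), m.group(3)), m.group(4)
    return passes


def render(p: Dict) -> str:
    """Write a pass in the arrow notation used in the post's debug comments."""
    kind = p["nat"][0] if p["nat"] else None
    if kind == "inside":
        # Inside NAT happens on the first PBR hop (Loopback0); PBR again after it.
        out = f"{p['nat'][1]} ==(PBR)(NAT)==> {p['hops'][0]}"
        return out + "".join(f" ==(PBR)==> {h}" for h in p["hops"][1:])
    out = p["entry"] + "".join(f" ==(PBR)==> {h}" for h in p["hops"])
    if kind == "outside":
        out += f" ==(NAT)==> {p['nat'][2]}"
    return out


def trace(lines: List[str]) -> List[Tuple[Optional[str], str]]:
    """(NAT translation id, path summary) for every pass in the debug output."""
    return [(p["id"], render(p)) for p in parse_passes(lines)]


def hairpinned(lines: List[str], inside_globals: Set[str]) -> List[str]:
    """Passes that entered on a wan interface with one of our own inside
    global addresses as source: these are the hairpinned connections."""
    return [render(p) for p in parse_passes(lines)
            if p["entry"].startswith("Serial") and p["src"] in inside_globals]


if __name__ == "__main__":
    for nat_id, path in trace(SAMPLE):
        print(nat_id, path)
```

On the sample it prints the four summaries from the comments above, two per NAT id, and `hairpinned(SAMPLE, {"100.10.12.1", "100.10.33.1", "100.10.44.1"})` returns the two inbound passes; on the plain internet ping debugs earlier in the post it returns nothing, because there the source entering on Serial1/0 is 5.5.5.5.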


We check the nat translation table and we see that :
a) a new dynamic entry for 10.10.10.1 has been created
b) a new dynamic entry based on the static nat for 10.10.10.2:1082 has been created

HGW#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 100.10.12.1:1081 10.10.10.1:1081 --- ---
tcp 100.10.12.1:24495 10.10.10.1:24495 100.10.12.1:1082 100.10.12.1:1082
tcp 100.10.12.1:1082 10.10.10.2:1082 100.10.12.1:24495 100.10.12.1:24495
tcp 100.10.12.1:1082 10.10.10.2:1082 --- ---
tcp 100.10.33.1:1083 10.10.10.3:1083 --- ---
tcp 100.10.44.1:1084 10.10.10.4:1084 --- ---
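Reading the translation table by eye works for four hosts; with more hosts and pools it is worth checking it programmatically, both that every host really left through the inside global assigned to it (a host mapped to another group's pool would be using the wrong wan connection) and which sessions are hairpinned host-to-host connections. The following Python parser is an added example, not part of the original post; the sample text is the table above, and the one deliberately wrong row used in the check is constructed.

```python
"""Parse 'show ip nat translations' and audit it against the intended
per-host mapping (added example, not from the original post)."""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Inside local -> inside global, as configured by the pools and static entries.
POOL_BY_HOST = {
    "10.10.10.1": "100.10.12.1", "10.10.10.2": "100.10.12.1",
    "10.10.10.3": "100.10.33.1", "10.10.10.4": "100.10.44.1",
}
INSIDE_GLOBALS = set(POOL_BY_HOST.values())

# Sample input: the translation table shown above after the HOST1 -> HOST2 test.
SAMPLE = """\
HGW#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 100.10.12.1:1081 10.10.10.1:1081 --- ---
tcp 100.10.12.1:24495 10.10.10.1:24495 100.10.12.1:1082 100.10.12.1:1082
tcp 100.10.12.1:1082 10.10.10.2:1082 100.10.12.1:24495 100.10.12.1:24495
tcp 100.10.12.1:1082 10.10.10.2:1082 --- ---
tcp 100.10.33.1:1083 10.10.10.3:1083 --- ---
tcp 100.10.44.1:1084 10.10.10.4:1084 --- ---
"""


class Endpoint(NamedTuple):
    ip: str
    port: int


class Translation(NamedTuple):
    proto: str
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Optional[Endpoint]    # None ("---") on a static entry with no session
    outside_global: Optional[Endpoint]

    @property
    def static(self) -> bool:
        return self.outside_global is None


def _endpoint(tok: str) -> Optional[Endpoint]:
    if tok == "---":
        return None
    ip, port = tok.rsplit(":", 1)
    return Endpoint(ip, int(port))


def parse_translations(text: str) -> List[Translation]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue                       # prompt, header or blank line
        proto, ig, il, ol, og = parts
        rows.append(Translation(proto, _endpoint(ig), _endpoint(il),
                                _endpoint(ol), _endpoint(og)))
    return rows


def audit(rows: List[Translation], pool_by_host: Dict[str, str]) -> List[str]:
    """Every entry must map a known host to the inside global assigned to it;
    anything else means the ACLs and pools are out of step."""
    issues = []
    for t in rows:
        expected = pool_by_host.get(t.inside_local.ip)
        if expected is None:
            issues.append(f"unknown inside host {t.inside_local.ip}")
        elif t.inside_global.ip != expected:
            issues.append(f"{t.inside_local.ip} mapped to {t.inside_global.ip}, expected {expected}")
    return issues


def hairpins(rows: List[Translation], inside_globals: Set[str]) -> List[Tuple[str, str]]:
    """Dynamic entries whose outside global is one of our own inside globals:
    the hairpinned host-to-host sessions, as (inside local, peer) pairs."""
    return [(f"{t.inside_local.ip}:{t.inside_local.port}",
             f"{t.outside_global.ip}:{t.outside_global.port}")
            for t in rows if not t.static and t.outside_global.ip in inside_globals]


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print(len(rows), "entries,", sum(t.static for t in rows), "static")
    print("issues:", audit(rows, POOL_BY_HOST))
    print("hairpins:", hairpins(rows, INSIDE_GLOBALS))
```

On the table above this reports six entries (four static), no issues, and two hairpinned sessions: 10.10.10.1:24495 talking to 100.10.12.1:1082 and 10.10.10.2:1082 talking back to 100.10.12.1:24495, which is the same TCP connection seen from both ends.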



5.2) HOST1 is trying to access HOST3 (different wan connections, same router)

First we test HOST3's connectivity to the internet (dynamic NAT) :

HOST3#p 5.5.5.5 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 168/168/168 ms


HGW debugs


! Request from 10.10.10.3:0 (100.10.33.1:0) to 5.5.5.5:0 (5.5.5.5:0)

! Traffic leaving the router towards the ISP
! 10.10.10.3 ==(PBR)(NAT)==> Loopback0 ==(PBR)==> Serial1/1

Dec 26 14:43:07.567: IP: s=10.10.10.3 (FastEthernet0/0), d=5.5.5.5, len 100, FIB policy match
Dec 26 14:43:07.571: IP: s=10.10.10.3 (FastEthernet0/0), d=5.5.5.5, len 100, FIB policy match
Dec 26 14:43:07.579: IP: s=10.10.10.3 (FastEthernet0/0), d=5.5.5.5, len 100, policy match
Dec 26 14:43:07.579: IP: route map INSIDE->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:43:07.583: IP: s=10.10.10.3 (FastEthernet0/0), d=5.5.5.5 (Loopback0), len 100, policy routed
Dec 26 14:43:07.587: IP: FastEthernet0/0 to Loopback0 5.5.5.5
Dec 26 14:43:07.587: NAT: address not stolen for 10.10.10.3, proto 1 port 0
Dec 26 14:43:07.591: mapping pointer available mapping:0
Dec 26 14:43:07.591: NAT: creating portlist proto 1 globaladdr 100.10.33.1
Dec 26 14:43:07.595: NAT: [0] Allocated Port for 10.10.10.3 -> 100.10.33.1: wanted 0 got 0
Dec 26 14:43:07.599: NAT: i: icmp (10.10.10.3, 0) -> (5.5.5.5, 0) [0]
Dec 26 14:43:07.603: NAT: s=10.10.10.3->100.10.33.1, d=5.5.5.5 [0]
Dec 26 14:43:07.607: IP: s=100.10.33.1 (Loopback0), d=5.5.5.5, len 100, policy match
Dec 26 14:43:07.607: IP: route map LOOPBACK->OUTSIDE-ROUTE-MAP, item 20, permit
Dec 26 14:43:07.611: IP: s=100.10.33.1 (Loopback0), d=5.5.5.5 (Serial1/1), len 100, policy routed
Dec 26 14:43:07.611: IP: Loopback0 to Serial1/1 5.5.5.5

! Reply from 5.5.5.5:0 (5.5.5.5:0) to 100.10.33.1:0 (10.10.10.3:0)

! Traffic entering the router from the ISP
! Serial1/1 ==(PBR)==> Loopback1 ==(NAT)==> 10.10.10.3

Dec 26 14:43:07.675: IP: s=5.5.5.5 (Serial1/1), d=100.10.33.1, len 100, FIB policy match
Dec 26 14:43:07.679: IP: s=5.5.5.5 (Serial1/1), d=100.10.33.1, len 100, FIB policy match
Dec 26 14:43:07.687: IP: s=5.5.5.5 (Serial1/1), d=100.10.33.1, len 100, policy match
Dec 26 14:43:07.687: IP: route map OUTSIDE->INSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:43:07.691: IP: s=5.5.5.5 (Serial1/1), d=100.10.33.1 (Loopback1), len 100, policy routed
Dec 26 14:43:07.695: IP: Serial1/1 to Loopback1 100.10.33.1
Dec 26 14:43:07.699: NAT: o: icmp (5.5.5.5, 0) -> (100.10.33.1, 0) [0]
Dec 26 14:43:07.699: NAT: s=5.5.5.5, d=100.10.33.1->10.10.10.3 [0]


We check the nat translation table and a new dynamic entry has been created :

HGW#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 100.10.12.1:1081 10.10.10.1:1081 --- ---
tcp 100.10.12.1:1082 10.10.10.2:1082 --- ---
icmp 100.10.33.1:0 10.10.10.3:0 5.5.5.5:0 5.5.5.5:0
tcp 100.10.33.1:1083 10.10.10.3:1083 --- ---
tcp 100.10.44.1:1084 10.10.10.4:1084 --- ---


Then we test connectivity between the 2 hosts (dynamic/static NAT) :

HOST1#tel 100.10.33.1 1083
Trying 100.10.33.1, 1083 ... Open

HOST3#sh tcp br
TCB Local Address Foreign Address (state)
65C3C7C8 10.10.10.3.1083 100.10.12.1.39074 ESTAB


HGW debugs


! Request from 10.10.10.1:39074 (100.10.12.1:39074) to 100.10.33.1:1083 (10.10.10.3:1083)

! Traffic leaving the router towards the ISP
! 10.10.10.1 ==(PBR)(NAT)==> Loopback0 ==(PBR)==> Serial1/0

Dec 26 14:57:15.111: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.33.1, len 44, FIB policy match
Dec 26 14:57:15.115: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.33.1, len 44, FIB policy match
Dec 26 14:57:15.119: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.33.1, len 44, policy match
Dec 26 14:57:15.123: IP: route map INSIDE->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:57:15.127: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.33.1 (Loopback0), len 44, policy routed
Dec 26 14:57:15.131: IP: FastEthernet0/0 to Loopback0 100.10.33.1
Dec 26 14:57:15.131: NAT: address not stolen for 10.10.10.1, proto 6 port 39074
Dec 26 14:57:15.135: mapping pointer available mapping:0
Dec 26 14:57:15.135: NAT: [0] Allocated Port for 10.10.10.1 -> 100.10.12.1: wanted 39074 got 39074
Dec 26 14:57:15.139: NAT: i: tcp (10.10.10.1, 39074) -> (100.10.33.1, 1083) [33863]
Dec 26 14:57:15.143: NAT: s=10.10.10.1->100.10.12.1, d=100.10.33.1 [33863]
Dec 26 14:57:15.155: IP: s=100.10.12.1 (Loopback0), d=100.10.33.1, len 44, policy match
Dec 26 14:57:15.159: IP: route map LOOPBACK->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:57:15.163: IP: s=100.10.12.1 (Loopback0), d=100.10.33.1 (Serial1/0), len 44, policy routed
Dec 26 14:57:15.167: IP: Loopback0 to Serial1/0 100.10.33.1

! Traffic entering the router from the ISP
! Serial1/1 ==(PBR)==> Loopback1 ==(NAT)==> 10.10.10.3

Dec 26 14:57:15.215: IP: s=100.10.12.1 (Serial1/1), d=100.10.33.1, len 44, FIB policy match
Dec 26 14:57:15.219: IP: s=100.10.12.1 (Serial1/1), d=100.10.33.1, len 44, FIB policy match
Dec 26 14:57:15.223: IP: s=100.10.12.1 (Serial1/1), d=100.10.33.1, len 44, policy match
Dec 26 14:57:15.227: IP: route map OUTSIDE->INSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:57:15.227: IP: s=100.10.12.1 (Serial1/1), d=100.10.33.1 (Loopback1), len 44, policy routed
Dec 26 14:57:15.231: IP: Serial1/1 to Loopback1 100.10.33.1
Dec 26 14:57:15.239: NAT: o: tcp (100.10.12.1, 39074) -> (100.10.33.1, 1083) [33863]
Dec 26 14:57:15.239: NAT: s=100.10.12.1, d=100.10.33.1->10.10.10.3 [33863]


! Reply from 10.10.10.3:1083 (100.10.33.1:1083) to 100.10.12.1:39074 (10.10.10.1:39074)

! Traffic leaving the router towards the ISP
! 10.10.10.3 ==(PBR)(NAT)==> Loopback0 ==(PBR)==> Serial1/1

Dec 26 14:57:15.363: IP: s=10.10.10.3 (FastEthernet0/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:57:15.367: IP: s=10.10.10.3 (FastEthernet0/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:57:15.375: IP: s=10.10.10.3 (FastEthernet0/0), d=100.10.12.1, len 44, policy match
Dec 26 14:57:15.375: IP: route map INSIDE->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:57:15.379: IP: s=10.10.10.3 (FastEthernet0/0), d=100.10.12.1 (Loopback0), len 44, policy routed
Dec 26 14:57:15.383: IP: FastEthernet0/0 to Loopback0 100.10.12.1
Dec 26 14:57:15.387: NAT: i: tcp (10.10.10.3, 1083) -> (100.10.12.1, 39074) [31485]
Dec 26 14:57:15.387: NAT: s=10.10.10.3->100.10.33.1, d=100.10.12.1 [31485]
Dec 26 14:57:15.395: IP: s=100.10.33.1 (Loopback0), d=100.10.12.1, len 44, policy match
Dec 26 14:57:15.395: IP: route map LOOPBACK->OUTSIDE-ROUTE-MAP, item 20, permit
Dec 26 14:57:15.399: IP: s=100.10.33.1 (Loopback0), d=100.10.12.1 (Serial1/1), len 44, policy routed
Dec 26 14:57:15.403: IP: Loopback0 to Serial1/1 100.10.12.1

! Traffic entering the router from the ISP
! Serial1/0 ==(PBR)==> Loopback1 ==(NAT)==> 10.10.10.1

Dec 26 14:57:15.415: IP: s=100.10.33.1 (Serial1/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:57:15.415: IP: s=100.10.33.1 (Serial1/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 14:57:15.419: IP: s=100.10.33.1 (Serial1/0), d=100.10.12.1, len 44, policy match
Dec 26 14:57:15.423: IP: route map OUTSIDE->INSIDE-ROUTE-MAP, item 10, permit
Dec 26 14:57:15.423: IP: s=100.10.33.1 (Serial1/0), d=100.10.12.1 (Loopback1), len 44, policy routed
Dec 26 14:57:15.427: IP: Serial1/0 to Loopback1 100.10.12.1
Dec 26 14:57:15.431: NAT: o: tcp (100.10.33.1, 1083) -> (100.10.12.1, 39074) [31485]
Dec 26 14:57:15.435: NAT: s=100.10.33.1, d=100.10.12.1->10.10.10.1 [31485]


We check the nat translation table and we see that :
a) a new dynamic entry for 10.10.10.1 has been created
b) a new dynamic entry based on the static nat for 10.10.10.3:1083 has been created

HGW#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 100.10.12.1:1081 10.10.10.1:1081 --- ---
tcp 100.10.12.1:39074 10.10.10.1:39074 100.10.33.1:1083 100.10.33.1:1083
tcp 100.10.12.1:1082 10.10.10.2:1082 --- ---
tcp 100.10.33.1:1083 10.10.10.3:1083 100.10.12.1:39074 100.10.12.1:39074
tcp 100.10.33.1:1083 10.10.10.3:1083 --- ---
tcp 100.10.44.1:1084 10.10.10.4:1084 --- ---



5.3) HOST1 is trying to access HOST4 (different wan connections, different routers)

First we test HOST4's connectivity to the internet (dynamic NAT) :

HOST4#p 5.5.5.5 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 136/136/136 ms


HGW debugs


! Request from 10.10.10.4:0 (100.10.44.1:0) to 5.5.5.5:0 (5.5.5.5:0)

! Traffic leaving the router towards the ISP
! 10.10.10.4 ==(PBR)(NAT)==> Loopback0 ==(PBR)==> Serial1/2

Dec 26 15:12:02.591: IP: s=10.10.10.4 (FastEthernet0/0), d=5.5.5.5, len 100, FIB policy match
Dec 26 15:12:02.595: IP: s=10.10.10.4 (FastEthernet0/0), d=5.5.5.5, len 100, FIB policy match
Dec 26 15:12:02.599: IP: s=10.10.10.4 (FastEthernet0/0), d=5.5.5.5, len 100, policy match
Dec 26 15:12:02.603: IP: route map INSIDE->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 15:12:02.607: IP: s=10.10.10.4 (FastEthernet0/0), d=5.5.5.5 (Loopback0), len 100, policy routed
Dec 26 15:12:02.607: IP: FastEthernet0/0 to Loopback0 5.5.5.5
Dec 26 15:12:02.611: NAT: address not stolen for 10.10.10.4, proto 1 port 0
Dec 26 15:12:02.615: mapping pointer available mapping:0
Dec 26 15:12:02.615: NAT: creating portlist proto 1 globaladdr 100.10.44.1
Dec 26 15:12:02.619: NAT: [0] Allocated Port for 10.10.10.4 -> 100.10.44.1: wanted 0 got 0
Dec 26 15:12:02.623: NAT: i: icmp (10.10.10.4, 0) -> (5.5.5.5, 0) [0]
Dec 26 15:12:02.623: NAT: s=10.10.10.4->100.10.44.1, d=5.5.5.5 [0]
Dec 26 15:12:02.631: IP: s=100.10.44.1 (Loopback0), d=5.5.5.5, len 100, policy match
Dec 26 15:12:02.631: IP: route map LOOPBACK->OUTSIDE-ROUTE-MAP, item 30, permit
Dec 26 15:12:02.635: IP: s=100.10.44.1 (Loopback0), d=5.5.5.5 (Serial1/2), len 100, policy routed
Dec 26 15:12:02.639: IP: Loopback0 to Serial1/2 5.5.5.5

! Reply from 5.5.5.5:0 (5.5.5.5:0) to 100.10.44.1:0 (10.10.10.4:0)

! Traffic entering the router from the ISP
! Serial1/2 ==(PBR)==> Loopback1 ==(NAT)==> 10.10.10.4

Dec 26 15:12:02.703: IP: s=5.5.5.5 (Serial1/2), d=100.10.44.1, len 100, FIB policy match
Dec 26 15:12:02.707: IP: s=5.5.5.5 (Serial1/2), d=100.10.44.1, len 100, FIB policy match
Dec 26 15:12:02.711: IP: s=5.5.5.5 (Serial1/2), d=100.10.44.1, len 100, policy match
Dec 26 15:12:02.715: IP: route map OUTSIDE->INSIDE-ROUTE-MAP, item 10, permit
Dec 26 15:12:02.719: IP: s=5.5.5.5 (Serial1/2), d=100.10.44.1 (Loopback1), len 100, policy routed
Dec 26 15:12:02.719: IP: Serial1/2 to Loopback1 100.10.44.1
Dec 26 15:12:02.723: NAT: o: icmp (5.5.5.5, 0) -> (100.10.44.1, 0) [0]
Dec 26 15:12:02.727: NAT: s=5.5.5.5, d=100.10.44.1->10.10.10.4 [0]


We check the NAT translation table and see that a new dynamic entry has been created:

HGW# sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 100.10.12.1:1081 10.10.10.1:1081 --- ---
tcp 100.10.12.1:1082 10.10.10.2:1082 --- ---
tcp 100.10.33.1:1083 10.10.10.3:1083 --- ---
icmp 100.10.44.1:0 10.10.10.4:0 5.5.5.5:0 5.5.5.5:0
tcp 100.10.44.1:1084 10.10.10.4:1084 --- ---


Then we test connectivity between the two hosts (dynamic NAT on one side, static NAT on the other):

HOST1#tel 100.10.44.1 1084
Trying 100.10.44.1, 1084 ... Open

HOST4#sh tcp br
TCB Local Address Foreign Address (state)
663E8378 10.10.10.4.1084 100.10.12.1.14201 ESTAB


HGW debugs


! Request from 10.10.10.1:14201 (100.10.12.1:14201) to 100.10.44.1:1084 (10.10.10.4:1084)

! Traffic leaving the router towards the ISP
! 10.10.10.1 ==(PBR)(NAT)==> Loopback0 ==(PBR)==> Serial1/0

Dec 26 15:13:54.579: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.44.1, len 44, FIB policy match
Dec 26 15:13:54.583: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.44.1, len 44, FIB policy match
Dec 26 15:13:54.591: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.44.1, len 44, policy match
Dec 26 15:13:54.591: IP: route map INSIDE->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 15:13:54.595: IP: s=10.10.10.1 (FastEthernet0/0), d=100.10.44.1 (Loopback0), len 44, policy routed
Dec 26 15:13:54.599: IP: FastEthernet0/0 to Loopback0 100.10.44.1
Dec 26 15:13:54.599: NAT: i: tcp (10.10.10.1, 14201) -> (100.10.44.1, 1084) [4409]
Dec 26 15:13:54.603: NAT: s=10.10.10.1->100.10.12.1, d=100.10.44.1 [4409]
Dec 26 15:13:54.607: IP: s=100.10.12.1 (Loopback0), d=100.10.44.1, len 44, policy match
Dec 26 15:13:54.611: IP: route map LOOPBACK->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 15:13:54.611: IP: s=100.10.12.1 (Loopback0), d=100.10.44.1 (Serial1/0), len 44, policy routed
Dec 26 15:13:54.615: IP: Loopback0 to Serial1/0 100.10.44.1

! Traffic entering the router from the ISP
! Serial1/2 ==(PBR)==> Loopback1 ==(NAT)==> 10.10.10.4

Dec 26 15:13:54.667: IP: s=100.10.12.1 (Serial1/2), d=100.10.44.1, len 44, FIB policy match
Dec 26 15:13:54.671: IP: s=100.10.12.1 (Serial1/2), d=100.10.44.1, len 44, FIB policy match
Dec 26 15:13:54.679: IP: s=100.10.12.1 (Serial1/2), d=100.10.44.1, len 44, policy match
Dec 26 15:13:54.683: IP: route map OUTSIDE->INSIDE-ROUTE-MAP, item 10, permit
Dec 26 15:13:54.683: IP: s=100.10.12.1 (Serial1/2), d=100.10.44.1 (Loopback1), len 44, policy routed
Dec 26 15:13:54.687: IP: Serial1/2 to Loopback1 100.10.44.1
Dec 26 15:13:54.691: NAT: o: tcp (100.10.12.1, 14201) -> (100.10.44.1, 1084) [4409]
Dec 26 15:13:54.695: NAT: s=100.10.12.1, d=100.10.44.1->10.10.10.4 [4409]


! Reply from 10.10.10.4:1084 (100.10.44.1:1084) to 100.10.12.1:14201 (10.10.10.1:14201)

! Traffic leaving the router towards the ISP
! 10.10.10.4 ==(PBR)(NAT)==> Loopback0 ==(PBR)==> Serial1/2

Dec 26 15:13:54.779: IP: s=10.10.10.4 (FastEthernet0/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 15:13:54.779: IP: s=10.10.10.4 (FastEthernet0/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 15:13:54.783: IP: s=10.10.10.4 (FastEthernet0/0), d=100.10.12.1, len 44, policy match
Dec 26 15:13:54.787: IP: route map INSIDE->OUTSIDE-ROUTE-MAP, item 10, permit
Dec 26 15:13:54.791: IP: s=10.10.10.4 (FastEthernet0/0), d=100.10.12.1 (Loopback0), len 44, policy routed
Dec 26 15:13:54.791: IP: FastEthernet0/0 to Loopback0 100.10.12.1
Dec 26 15:13:54.791: NAT: i: tcp (10.10.10.4, 1084) -> (100.10.12.1, 14201) [13502]
Dec 26 15:13:54.795: NAT: s=10.10.10.4->100.10.44.1, d=100.10.12.1 [13502]
Dec 26 15:13:54.799: IP: s=100.10.44.1 (Loopback0), d=100.10.12.1, len 44, policy match
Dec 26 15:13:54.803: IP: route map LOOPBACK->OUTSIDE-ROUTE-MAP, item 30, permit
Dec 26 15:13:54.807: IP: s=100.10.44.1 (Loopback0), d=100.10.12.1 (Serial1/2), len 44, policy routed
Dec 26 15:13:54.807: IP: Loopback0 to Serial1/2 100.10.12.1

! Traffic entering the router from the ISP
! Serial1/0 ==(PBR)==> Loopback1 ==(NAT)==> 10.10.10.1

Dec 26 15:13:54.835: IP: s=100.10.44.1 (Serial1/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 15:13:54.835: IP: s=100.10.44.1 (Serial1/0), d=100.10.12.1, len 44, FIB policy match
Dec 26 15:13:54.843: IP: s=100.10.44.1 (Serial1/0), d=100.10.12.1, len 44, policy match
Dec 26 15:13:54.847: IP: route map OUTSIDE->INSIDE-ROUTE-MAP, item 10, permit
Dec 26 15:13:54.847: IP: s=100.10.44.1 (Serial1/0), d=100.10.12.1 (Loopback1), len 44, policy routed
Dec 26 15:13:54.847: IP: Serial1/0 to Loopback1 100.10.12.1
Dec 26 15:13:54.847: NAT: o: tcp (100.10.44.1, 1084) -> (100.10.12.1, 14201) [13502]
Dec 26 15:13:54.851: NAT: s=100.10.44.1, d=100.10.12.1->10.10.10.1 [13502]


We check the NAT translation table and see that:
a) a new dynamic entry for 10.10.10.1 has been created
b) a new dynamic entry, based on the static NAT for 10.10.10.4:1084, has been created

HGW#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 100.10.12.1:1081 10.10.10.1:1081 --- ---
tcp 100.10.12.1:14201 10.10.10.1:14201 100.10.44.1:1084 100.10.44.1:1084
tcp 100.10.12.1:1082 10.10.10.2:1082 --- ---
tcp 100.10.33.1:1083 10.10.10.3:1083 --- ---
tcp 100.10.44.1:1084 10.10.10.4:1084 100.10.12.1:14201 100.10.12.1:14201
tcp 100.10.44.1:1084 10.10.10.4:1084 --- ---
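
As an added example (not part of the original post), here is a small Python checker that parses the `sh ip nat translations` output shown above and flags the hairpinned sessions: dynamic entries whose outside global endpoint is itself one of HGW's own inside global mappings, so both ends of the session are inside hosts reaching each other via their external addresses. The sample table is re-typed from the post; the functions and their names are mine.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the HGW translation table from the post, re-typed here.
SAMPLE_TABLE = """\
HGW#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 100.10.12.1:1081 10.10.10.1:1081 --- ---
tcp 100.10.12.1:14201 10.10.10.1:14201 100.10.44.1:1084 100.10.44.1:1084
tcp 100.10.12.1:1082 10.10.10.2:1082 --- ---
tcp 100.10.33.1:1083 10.10.10.3:1083 --- ---
icmp 100.10.44.1:0 10.10.10.4:0 5.5.5.5:0 5.5.5.5:0
tcp 100.10.44.1:1084 10.10.10.4:1084 100.10.12.1:14201 100.10.12.1:14201
tcp 100.10.44.1:1084 10.10.10.4:1084 --- ---
"""

@dataclass(frozen=True)
class Xlate:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: Optional[str]   # None ("---") for a mapping with no active session
    outside_global: Optional[str]

def parse_nat_table(text: str) -> list[Xlate]:
    """Parse the rows of 'show ip nat translations'; prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("tcp", "udp", "icmp"):
            continue
        proto, ig, il, ol, og = fields
        rows.append(Xlate(proto, ig, il,
                          None if ol == "---" else ol,
                          None if og == "---" else og))
    return rows

def hairpinned_sessions(rows: list[Xlate]) -> list[tuple[str, str, str]]:
    """Return (proto, src inside local, dst inside local) for every session whose
    outside global endpoint is one of the router's own inside global mappings,
    i.e. a hairpin between two inside hosts; ordinary Internet sessions are ignored."""
    inside_by_global = {(r.proto, r.inside_global): r.inside_local for r in rows}
    found = set()
    for r in rows:
        if r.outside_global is None:
            continue                      # static mapping, no session yet
        peer = inside_by_global.get((r.proto, r.outside_global))
        if peer is not None:
            found.add((r.proto, r.inside_local, peer))
    return sorted(found)

if __name__ == "__main__":
    for proto, src, dst in hairpinned_sessions(parse_nat_table(SAMPLE_TABLE)):
        print(f"hairpin {proto}: {src} -> {dst}")
```

On the table above it reports the HOST1 -> HOST4 telnet session in both directions and leaves the ICMP session to 5.5.5.5 alone.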


6) Notes

6.1) In my test, all routers were 7200s and were running 12.4(20)T.

6.2) You'll probably get the following warning while configuring the route-maps, but there is no need to worry, since everything works fine afterwards:

HGW(config-route-map)#set interface lo0
%Warning:Use P2P interface for routemap
set interface clause


6.3) Regarding the redundancy part, the HOST->CORE direction is already configured. For the CORE->HOST direction, you can use static routes and OSPF route-maps with a higher metric.

6 comments:

  1. Dear Tassos,
    I have some questions about your config and how it might apply in my case... Would it be possible to PM you? Thanks!

    pbrunnen1 [at] yahoo [dot] com

  2. I think that PBR will not be hit on fa0/0 for routing to Loopback0 since the nat pools (100.10.x.y used as destination in packets from inside network) are local. The normal routing table will apply. So yes, it's a nice exercise but it's not working.

  3. Great job!
    Any suggestions to work without extra IPS?

  4. Anonymous,

    Nat pool doesn't create a locally connected route (by default), so these nat pools are not actually local to the router.

    After all, if you check the debugs, you'll see that pbr is working fine.

  5. Hello Tassos. I have many questions about this issue. How can I contact you?

  6. You inspired me to go a little crazy with trying to get a "guest" subnet to be able to use public IPs for the DMZ subnet, both inside the network. I have a solid, easy solution -- run both NAT stacks (zoned/old and NVI/new) in tandem. Details here:

    http://systems-co.blogspot.com/2016/06/cisco-routers-easy-hair-pin-nat-for.html



This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Greece License.