Task 7.2

Hi,

the task does not explicitly allow PBR. Using "ip nat enable" could be a solution...

Regards,

Comments

  • In my SG allows, but does not actually allow to add additional ip address to R2's Fa0/0 interface :/

     

  • I've tested this using local policy on SW1 sourcing from a loopback within 172.16/16 range.

    [...]

    *Mar  1 01:04:23.677: NAT: s=172.16.7.7->167.6.27.100, d=167.6.13.3 [2309]
    *Mar  1 01:04:23.741: NAT*: s=167.6.13.3, d=167.6.27.100->172.16.7.7 [2309]
    *Mar  1 01:04:23.745: NAT: s=172.16.7.7->167.6.27.100, d=167.6.13.3 [2310]
    *Mar  1 01:04:23.809: NAT*: s=167.6.13.3, d=167.6.27.100->172.16.7.7 [2310]

    [...]

    Is the secondary address needed on R2? It would be if the hosts share the same VLAN used as transit between R2 and SW1 ...what the..?!

  • In the SG we are pinging R3. How is R3 supposed to find its way back to SW1? It has no route for 167.x.27.0/24. It would have if we did not change the IP address. I do see incoming ICMP packets on R3 though, so I know the NAT is working.
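
Added example (not part of any comment in this thread): a small parser for `debug ip nat` lines like the ones quoted above. It counts outbound and return translations per flow, so a flow that is translated on the way out but never sees a reply (the symptom when the far router has no route back to the translated address) stands out. The first four sample lines are the ones quoted in the thread; the last two, using 192.0.2.10, are constructed.

```python
import re
from collections import defaultdict

# Matches Cisco IOS "debug ip nat" lines; "NAT*" marks a fast-switched packet.
# The bracketed number is the IP ID; it is not used for pairing because request
# and reply do not always carry the same value.
LINE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[\d+\]"
)

SAMPLE = [
    "*Mar  1 01:04:23.677: NAT: s=172.16.7.7->167.6.27.100, d=167.6.13.3 [2309]",
    "*Mar  1 01:04:23.741: NAT*: s=167.6.13.3, d=167.6.27.100->172.16.7.7 [2309]",
    "*Mar  1 01:04:23.745: NAT: s=172.16.7.7->167.6.27.100, d=167.6.13.3 [2310]",
    "*Mar  1 01:04:23.809: NAT*: s=167.6.13.3, d=167.6.27.100->172.16.7.7 [2310]",
    # Constructed lines: translated on the way out, no reply ever comes back.
    "*Mar  1 01:05:10.001: NAT: s=172.16.7.7->167.6.27.100, d=192.0.2.10 [2400]",
    "*Mar  1 01:05:12.001: NAT: s=172.16.7.7->167.6.27.100, d=192.0.2.10 [2401]",
]

def parse(line):
    """Return (direction, inside_local, inside_global, remote) or None."""
    m = LINE.search(line)
    if not m:
        return None
    if m["s2"] and not m["d2"]:   # source rewritten: inside -> outside
        return ("out", m["s"], m["s2"], m["d"])
    if m["d2"] and not m["s2"]:   # destination rewritten: reply coming back
        return ("in", m["d2"], m["d"], m["s"])
    return None

def summarize(lines):
    """Count outbound and return translations per (local, global, remote) flow."""
    flows = defaultdict(lambda: {"out": 0, "in": 0})
    for line in lines:
        rec = parse(line)
        if rec:
            direction, local, glob, remote = rec
            flows[(local, glob, remote)][direction] += 1
    return dict(flows)

def one_way(flows):
    """Flows that were translated outbound but never saw a return translation."""
    return sorted(k for k, c in flows.items() if c["out"] and not c["in"])

if __name__ == "__main__":
    for flow in one_way(summarize(SAMPLE)):
        print("no return traffic for", flow)
```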

  • I missed that the IP should be added as secondary...

  • It took me some time to understand how this actually works; for those interested I put a packet walkthrough at http://mostlynetworking.wordpress.com/2012/01/20/nat-on-a-stick-3/

    Also note that the way the task is worded suggests you should overload F0/0 ("Your design team has allocated this customer the IP address 167.1.27.2/24"), not use a global pool.

  • I interpreted the wording the same. However, it is possible. This worked for me:

    ip access-list standard NAT_RULE
     permit 172.16.0.0 0.0.0.255

    ip access-list extended PROUTE_RULES
     deny ip 172.16.0.0 0.0.0.255 host 167.14.27.2
     permit ip 172.16.0.0 0.0.0.255 any
     permit ip any host 167.14.27.2

    interface Loopback0
     ip nat inside

    interface FastEthernet0/0
     ip address 172.16.0.2 255.255.255.0 secondary
     ip nat outside
     ip policy route-map PROUTE_NAT

    route-map PROUTE_NAT
     match ip address PROUTE_RULES
     set ip next-hop 150.14.2.254

    ip nat inside source list NAT_RULE interface FastEthernet0/0 overload

  • NAT on stick not working

    I am not sure why it's not working. I am not able to ping from SW1 as given in the SG verification. I had followed what is in the SG verification (configured local policy).

    Sw1# ping 167.1.13.3 source 172.16.0.8

    The ping fails; even when pinging SW2 with source 172.16.0.8 the ping fails, but a normal ping without a source works fine.

    interface Loopback0
     ip address 150.1.2.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip ospf network point-to-point

    interface FastEthernet0/0
     ip address 172.16.0.2 255.255.255.0 secondary
     ip address 167.1.27.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     ip policy route-map routemap
     speed 100
     full-duplex

    ip nat pool natpool 167.1.27.100 167.1.27.253 prefix-length 24

    route-map routemap permit 10
     match ip address insidelocal
     set interface Loopback0

    ip nat inside source list insidelocal pool natpool
    !
    ip access-list standard insidelocal
     permit 172.16.0.0 0.0.0.255

    Please can someone help with this ...
