NAT and routing protocols

I thought of sharing this with everyone. I searched the forum and didn't find this issue posted earlier.

I was working on the Vol 1, NAT: Policy NAT with Route-Maps lab when I hit upon this issue - quite by chance.

First the config, then the results & then the reason for failure & the fix.

1. Config
Intro: For the lab setup, please refer to the 'Common Configuration' in the NAT individual lab. There's OSPF & BGP running between R4 & R5 (not included in the output below). Only the relevant part is included here.
interface Ethernet0/0
 ip nat inside
!
interface Serial1/0.1 point-to-point
 ip nat outside
 frame-relay interface-dlci 405
!
interface Serial1/1
 ip nat outside
!
! Policy NAT: each route-map selects the outside interface whose address is used for PAT (overload)
ip nat inside source route-map FR_INT interface Serial1/0.1 overload
ip nat inside source route-map SERIAL_INT interface Serial1/1 overload
!
route-map SERIAL_INT permit 10
 match ip address INSIDE_OTHER
 set interface Serial1/1
!
route-map FR_INT permit 10
 match ip address INSIDE_TELNET
 set interface Serial1/0.1
!
! Telnet is translated out the Frame Relay sub-interface, everything else out Serial1/1
ip access-list extended INSIDE_OTHER
 deny   tcp any any eq telnet
 permit ip any any
!
ip access-list extended INSIDE_TELNET
 permit tcp any any eq telnet

2. Results
Output from: sh ip nat detail
*Mar 1 01:05:49.439: NAT: map match SERIAL_INT
*Mar 1 01:05:49.443: NAT: translation failed (F), dropping packet s= d=

So what happens here is that the OSPF adjacency will fail. In fact all routing protocols will fail.

3. Reason & Fix
After researching a bit I found this on the Cisco website.

Q. Does Cisco IOS NAT support ACLs that permit any or all packets?

A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support the use of any or all packets in the ACLs used by NAT. If any or all packets are used, then unexpected behavior can occur.

If you look at my config above and compare it with the Vol 1 output, it's practically 100% the same. (Note: I always try to do the labs on my own and then verify them against the solution provided.)

But if you look carefully, you will notice one very small difference and that is...

>> My version
ip access-list extended INSIDE_OTHER
 deny   tcp any any eq telnet
 permit ip any any
>> Workbook version
ip access-list extended INSIDE_OTHER
 deny   tcp any any eq telnet
 permit ip any

So I found out something really interesting and, I guess, a very crucial point, because this one line can break your whole lab. NAT is usually something that's done towards the end, and you won't have the time or the tools (a Google search or a Cisco website search) to find the problem during the lab. The only solution then would be to skip the NAT section, which you don't have to now.
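As an added example (not from the original post or the INE workbook), here is the same policy NAT setup with the NAT ACLs scoped to the inside prefix instead of `permit ip any any`, the form the Cisco FAQ quoted above warns against. The inside prefix 10.1.45.0/24 is an assumed placeholder for the LAN behind Ethernet0/0; substitute the inside network from the lab's Common Configuration. The `clear`, `show` and `debug` commands at the end are standard IOS commands for confirming that the OSPF/BGP sessions stay up and that only inside-sourced traffic is translated.

```cisco
! Added example, not the workbook's or the poster's config.
! 10.1.45.0/24 is an ASSUMED placeholder for the inside LAN on Ethernet0/0.
!
! Before (breaks OSPF/BGP): every IP packet is a NAT candidate, including the
! router's own routing-protocol traffic leaving the outside interfaces.
!   ip access-list extended INSIDE_OTHER
!    deny   tcp any any eq telnet
!    permit ip any any
!
! After: only packets sourced from the inside LAN can match the NAT route-maps.
ip access-list extended INSIDE_TELNET
 permit tcp 10.1.45.0 0.0.0.255 any eq telnet
!
ip access-list extended INSIDE_OTHER
 deny   tcp 10.1.45.0 0.0.0.255 any eq telnet
 permit ip 10.1.45.0 0.0.0.255 any
!
! Route-maps and NAT statements are unchanged from the lab
route-map FR_INT permit 10
 match ip address INSIDE_TELNET
 set interface Serial1/0.1
!
route-map SERIAL_INT permit 10
 match ip address INSIDE_OTHER
 set interface Serial1/1
!
ip nat inside source route-map FR_INT interface Serial1/0.1 overload
ip nat inside source route-map SERIAL_INT interface Serial1/1 overload
!
! Verification (exec mode): flush stale entries created by the old ACL, then
! confirm the adjacencies come back and only inside hosts appear in the table.
! clear ip nat translation *
! show ip ospf neighbor
! show ip bgp summary
! show ip nat translations
! debug ip nat detailed
```

After editing a NAT ACL, clear the existing translations first; otherwise entries built under the old `permit ip any any` rule can linger and make the table misleading. With the scoped ACLs, `debug ip nat detailed` should show `map match` lines only for packets sourced from 10.1.45.0/24, and no `translation failed` lines for the router's own OSPF or BGP packets.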

