13.20 - NAT with Route-Maps Solution Not Working

Hello community,

I am wondering why R2 is not seeing R5's replies when I ping 155.1.0.5 sourced from R2's loopback 0, yet R2 sees R3's replies and the configuration logic for both is exactly the same:

R2(config)#do sh run | s ip nat
 ip nat outside
 ip nat outside
ip nat pool Net23 155.1.23.200 155.1.23.200 prefix-length 24
ip nat pool Net2 155.1.0.200 155.1.0.200 prefix-length 24
ip nat inside source route-map ToR3 pool Net23
ip nat inside source route-map ToR3-NotLoop interface Serial1/1 overload
ip nat inside source route-map ToR5 pool Net2 overload
ip nat inside source route-map ToR5-NotLoop interface Serial1/0 overload
R2(config)#do sh route-m
route-map ToR5-NotLoop, deny, sequence 10
  Match clauses:
    ip address (access-lists): 1
    interface Serial1/0
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map ToR5-NotLoop, permit, sequence 1000
  Match clauses:
    interface Serial1/0
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map ToR3-NotLoop, deny, sequence 10
  Match clauses:
    ip address (access-lists): 1
    interface Serial1/1
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map ToR3-NotLoop, permit, sequence 1000
  Match clauses:
    interface Serial1/1
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map ToR3, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1
    interface Serial1/1
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map ToR5, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1
    interface Serial1/0
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
R2(config)#do sh run int s1/1
Building configuration...

Current configuration : 169 bytes
!
interface Serial1/1
 ip address 155.1.23.2 255.255.255.0
 ip nat outside
 ip rip advertise 10
 ip virtual-reassembly in
 serial restart-delay 0
 clock rate 64000
end

R2(config)#do sh run int s1/0
Building configuration...

Current configuration : 369 bytes
!
interface Serial1/0
 ip address 155.1.0.2 255.255.255.0
 ip nat outside
 ip rip advertise 10
 ip virtual-reassembly in
 encapsulation frame-relay
 ip split-horizon
 serial restart-delay 0
 frame-relay map ip 155.1.0.1 205
 frame-relay map ip 155.1.0.3 205
 frame-relay map ip 155.1.0.4 205
 frame-relay map ip 155.1.0.5 205 broadcast
 no frame-relay inverse-arp
end
R2(config)#do ping 155.1.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/9 ms
R2(config)#do ping 155.1.23.3 sou lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.23.3, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms

 

R3(config)#
*Mar 20 23:47:37.043: ICMP: echo reply sent, src 155.1.23.3, dst 155.1.23.2, topology BASE, dscp 0 topoid 0
*Mar 20 23:47:37.052: ICMP: echo reply sent, src 155.1.23.3, dst 155.1.23.2, topology BASE, dscp 0 topoid 0
*Mar 20 23:47:37.061: ICMP: echo reply sent, src 155.1.23.3, dst 155.1.23.2, topology BASE, dscp 0 topoid 0
*Mar 20 23:47:37.070: ICMP: echo reply sent, src 155.1.23.3, dst 155.1.23.2, topology BASE, dscp 0 topoid 0
*Mar 20 23:47:37.079: ICMP: echo reply sent, src 155.1.23.3, dst 155.1.23.2, topology BASE, dscp 0 topoid 0
R3(config)#
*Mar 20 23:47:42.653: ICMP: echo reply sent, src 155.1.23.3, dst 155.1.23.200, topology BASE, dscp 0 topoid 0
*Mar 20 23:47:42.662: ICMP: echo reply sent, src 155.1.23.3, dst 155.1.23.200, topology BASE, dscp 0 topoid 0
*Mar 20 23:47:42.672: ICMP: echo reply sent, src 155.1.23.3, dst 155.1.23.200, topology BASE, dscp 0 topoid 0
*Mar 20 23:47:42.681: ICMP: echo reply sent, src 155.1.23.3, dst 155.1.23.200, topology BASE, dscp 0 topoid 0
*Mar 20 23:47:42.690: ICMP: echo reply sent, src 155.1.23.3, dst 155.1.23.200, topology BASE, dscp 0 topoid 0

 

R2(config)#do ping 155.1.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/18 ms
R2(config)#do ping 155.1.0.5 sou lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.0.5, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
.....
Success rate is 0 percent (0/5)

 

R5(config)#
*Mar 20 23:48:41.985: ICMP: echo reply sent, src 155.1.0.5, dst 155.1.0.2, topology BASE, dscp 0 topoid 0
*Mar 20 23:48:42.002: ICMP: echo reply sent, src 155.1.0.5, dst 155.1.0.2, topology BASE, dscp 0 topoid 0
*Mar 20 23:48:42.020: ICMP: echo reply sent, src 155.1.0.5, dst 155.1.0.2, topology BASE, dscp 0 topoid 0
*Mar 20 23:48:42.037: ICMP: echo reply sent, src 155.1.0.5, dst 155.1.0.2, topology BASE, dscp 0 topoid 0
*Mar 20 23:48:42.056: ICMP: echo reply sent, src 155.1.0.5, dst 155.1.0.2, topology BASE, dscp 0 topoid 0
R5(config)#
*Mar 20 23:48:44.429: ICMP: echo reply sent, src 155.1.0.5, dst 155.1.0.200, topology BASE, dscp 0 topoid 0
R5(config)#
*Mar 20 23:48:46.433: ICMP: echo reply sent, src 155.1.0.5, dst 155.1.0.200, topology BASE, dscp 0 topoid 0
R5(config)#
*Mar 20 23:48:48.433: ICMP: echo reply sent, src 155.1.0.5, dst 155.1.0.200, topology BASE, dscp 0 topoid 0
R5(config)#
*Mar 20 23:48:50.433: ICMP: echo reply sent, src 155.1.0.5, dst 155.1.0.200, topology BASE, dscp 0 topoid 0
R5(config)#
*Mar 20 23:48:52.436: ICMP: echo reply sent, src 155.1.0.5, dst 155.1.0.200, topology BASE, dscp 0 topoid 0

As you can see, both R3 and R5 are seeing R2's pings, but R2 does not get R5's replies when R2 pings from loopback0. Maybe there is an error here and I am not seeing it; would someone please take a quick look?

Thanks in advance!!!

Comments

  • I may be wrong, but I remember that NAT does not work with a route-map. You will need to use an ACL.

    Alessio

  • Gabe

    Hi Alessio, thanks for the response but most likely you are wrong due to a couple of facts:

    1. Pings to R3 work and I am using route maps too
    2. This is the suggested solution in INE's workbook

    You can see the pings from R2 to R3 getting 100% of the replies...

    Just in case, I forgot to mention the topology is:

    R3 serial1/3----------serial1/1 R2 serial1/0 --------FR-Cloud-----------serial1/0 R5

  • Hi Gabe,

    The problem that NAT was giving with route-map was not in terms of reachability. I will try to find that doc again, but I am sure you had to use an ACL to make it work. Did you try to replace the route-map config with an ACL? Should I find that doc, I will publish it here ;)

    Alessio
