How do you NAT locally generated Traffic?


So I was reviewing NAT this evening and it's become painful... Here was my goal, which seemed simple:

Telnet traffic from R1 and R2 destined for 2.2.2.100 should be translated to 3.3.3.3 (R3's loopback).

R2
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 ip nat outside

interface FastEthernet0/1
 ip address 23.23.23.2 255.255.255.0
 ip nat inside

interface Loopback0
 ip address 2.2.2.2 255.255.255.0
 ip ospf network point-to-point

ip nat inside source static tcp 3.3.3.3 23 2.2.2.100 23 extendable

From R1 everything is perfect, no problems... the above config NATs transit traffic but not traffic locally generated from R2.

Anybody got something like this to work before?

Comments

  • Try using policy-based routing to "trick" your router into treating your locally originated traffic as transit, and that should trigger NAT.

  • I played around quite a bit with PBR and that's what made it painful. Having slept on it... I no longer believe this is a NAT issue. I distinctly remember reading that one of the differences between using "nat enable" and "nat inside/outside" is that the latter can handle locally generated traffic. It doesn't seem to be a NAT issue: I am actually getting the translations and I see a TCP SYN generated.

    I have some ideas and will lab it up again this evening.


  • Well, NAT is working but R2 is resetting the connection because it doesn't like something, so the 3-way handshake never completes. I have played around with dynamic NAT, NAT with route maps, secondary addresses and local PBR and nothing... So I am just going to assume for now that locally generated traffic can't be NAT'd (at least by me). I just wanted a quick review of the NAT basics and that has been accomplished. Here is the testing output for anyone who cares... First the failure from R2 and then the success from R1.

    R2#telnet 2.2.2.100
    Trying 2.2.2.100 ...
    *Jun 30 14:54:18.219: IP: tableid=0, s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 14:54:18.219: IP: s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), len 44, sending
    *Jun 30 14:54:18.219:     TCP src=35582, dst=23, seq=3690778416, ack=0, win=4128 SYN
    *Jun 30 14:54:18.223: IP: s=3.3.3.3 (FastEthernet0/1), d=2.2.2.2, len 44, rcvd 4
    *Jun 30 14:54:18.223:     TCP src=23, dst=35582, seq=2361378844, ack=3690778417, win=4128 ACK SYN
    *Jun 30 14:54:18.223: IP: tableid=0, s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 14:54:18.223: IP: s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), len 40, sending
    *Jun 30 14:54:18.223:     TCP src=35582, dst=23, seq=3690778417, ack=0, win=0 RST                       <---Nope don't like you
    *Jun 30 14:54:20.219: IP: tableid=0, s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 14:54:20.219: IP: s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), len 44, sending
    *Jun 30 14:54:20.219:     TCP src=35582, dst=23, seq=3690778416, ack=0, win=4128 SYN         <--- Please I really do like you
    *Jun 30 14:54:20.219: IP: s=3.3.3.3 (FastEthernet0/1), d=2.2.2.2, len 44, rcvd 4
    *Jun 30 14:54:20.223:     TCP src=23, dst=35582, seq=3924011057, ack=3690778417, win=4128 ACK SYN
    *Jun 30 14:54:20.223: IP: tableid=0, s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 14:54:20.223: IP: s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), len 40, sending
    *Jun 30 14:54:20.223:     TCP src=35582, dst=23, seq=3690778417, ack=0, win=0 RST                 <---Nope
    % Connection timed out; remote host not responding                                                     <---Liar!  Even my routers are in Denial ;-)

    R2#sho ip nat trans verbose
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 2.2.2.100:23       3.3.3.3:23         2.2.2.2:35582      2.2.2.2:35582
        create 00:00:10, use 00:00:08 timeout:86400000, left 00:00:51,
        flags:
    extended, use_count: 0, entry-id: 18, lc_entries: 0
    tcp 2.2.2.100:23       3.3.3.3:23         ---                ---
        create 00:12:36, use 00:00:10 timeout:0,
        flags:
    static, extended, extendable, use_count: 1, entry-id: 7, lc_entries: 0
    R2#

    Normal flow from R1 -- Nat'd on R2 --- R3

    R1#telnet 2.2.2.100
    Trying 2.2.2.100 ... Open


    User Access Verification

    Password:

    R2# (traffic captured on R2 fa0/1 interface same as above)
    *Jun 30 15:01:21.083: IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 15:01:21.087: IP: s=2.2.2.100 (FastEthernet0/1), d=12.12.12.1 (FastEthernet0/0), g=12.12.12.1, len 44, forward
    *Jun 30 15:01:21.087:     TCP src=23, dst=37054, seq=4262378964, ack=3981401604, win=4128 ACK SYN
    *Jun 30 15:01:21.087: IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 15:01:21.087: IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 15:01:21.087: IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 15:01:21.095: IP: s=2.2.2.100 (FastEthernet0/1), d=12.12.12.1 (FastEthernet0/0), g=12.12.12.1, len 52, forward
    *Jun 30 15:01:21.095:     TCP src=23, dst=37054, seq=4262378965, ack=3981401616, win=4116 ACK PSH
    *Jun 30 15:01:21.099: IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 15:01:21.099: IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 15:01:21.099: IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 15:01:21.099: IP: s=2.2.2.100 (FastEthernet0/1), d=12.12.12.1 (FastEthernet0/0), g=12.12.12.1, len 82, forward
    *Jun 30 15:01:21.099:     TCP src=23, dst=37054, seq=4262378977, ack=3981401616, win=4116 ACK PSH
    *Jun 30 15:01:21.099: IP: s=2.2.2.100 (FastEthernet0/1), d=12.12.12.1 (FastEthernet0/0), g=12.12.12.1, len 43, forward
    *Jun 30 15:01:21.099:     TCP src=23, dst=37054, seq=4262379019, ack=3981401616, win=4116 ACK PSH
    *Jun 30 15:01:21.099: IP: s=2.2.2.100 (FastEthernet0/1), d=12.12.12.1 (FastEthernet0/0), g=12.12.12.1, len 43, forward
    *Jun 30 15:01:21.099:     TCP src=23, dst=37054, seq=4262379022, ack=3981401616, win=4116 ACK PSH
    *Jun 30 15:01:21.103: IP: s=2.2.2.100 (FastEthernet0/1), d=12.12.12.1 (FastEthernet0/0), g=12.12.12.1, len 46, forward
    *Jun 30 15:01:21.103:     TCP src=23, dst=37054, seq=4262379025, ack=3981401616, win=4116 ACK PSH
    *Jun 30 15:01:21.103: IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    *Jun 30 15:01:21.103: IP: s=2.2.2.100 (FastEthernet0/1), d=12.12.12.1 (FastEthernet0/0), g=12.12.12.1, len 43, forward
    *Jun 30 15:01:21.103:     TCP src=23, dst=37054, seq=4262379031, ack=3981401631, win=4101 ACK PSH
    *Jun 30 15:01:21.303: IP: s=2.2.2.100 (FastEthernet0/1), d=12.12.12.1 (FastEthernet0/0), g=12.12.12.1, len 40, forward
    *Jun 30 15:01:21.303:     TCP src=23, dst=37054, seq=4262379034, ack=3981401634, win=4098 ACK
    *Jun 30 15:01:21.303: IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=3.3.3.3 (FastEthernet0/1), routed via FIB
    R2#
    R2#sho ip nat trans verbose
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 2.2.2.100:23       3.3.3.3:23         12.12.12.1:37054   12.12.12.1:37054
        create 00:00:09, use 00:00:09 timeout:86400000, left 23:59:50,
        flags:
    extended, use_count: 0, entry-id: 20, lc_entries: 0
    tcp 2.2.2.100:23       3.3.3.3:23         ---                ---
        create 00:19:38, use 00:00:09 timeout:0,
        flags:
    static, extended, extendable, use_count: 2, entry-id: 7, lc_entries: 0
    R2#

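Added example, not part of any post in this thread: a small Python checker that reads the `debug ip packet detail` lines and the `show ip nat translations` rows posted above and reports whether each returning SYN-ACK was already rewritten to the inside-global address before it reached its receiver. Comparing the two captures, the reply to R1 arrives as s=2.2.2.100 and is forwarded, while the reply to R2 arrives as s=3.3.3.3 and is handed straight to the router's own TCP stack, which answers with a RST; that the RST is the local stack rejecting a SYN-ACK from a peer it never opened a connection to is my reading of the output, not something the thread states. The sample lines are copied from the captures above (trimmed, with the poster's annotations removed); the `diagnose` function and its verdict strings are mine.

```python
"""Check whether NAT un-translated the replies in a Cisco IOS packet debug.

Added example, not from the thread. The sample input below is copied from
the 'debug ip packet detail' and 'show ip nat translations' output in the
thread; the verdict names are this script's own convention.
"""
import re
from dataclasses import dataclass

# "IP: [tableid=0, ]s=A.B.C.D (iface), d=E.F.G.H ..." header line of the debug.
IP_RE = re.compile(r"IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+) \((?P<sif>[^)]+)\), d=(?P<dst>[\d.]+)")
# "TCP src=P, dst=Q, seq=..., ack=..., win=N FLAGS" detail line that follows it.
TCP_RE = re.compile(r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), .*?win=\d+ (?P<flags>[A-Z]+(?: [A-Z]+)*)")
# "tcp <inside global>:<port>  <inside local>:<port> ..." row of the translation table.
NAT_RE = re.compile(r"^tcp (?P<ig>[\d.]+):\d+\s+(?P<il>[\d.]+):\d+")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    in_if: str  # where the packet came from; "local" means the router's own stack


def parse_debug(text: str) -> list:
    """Pair each TCP detail line with the IP header line printed just before it."""
    packets, hdr = [], None
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            hdr = m
            continue
        t = TCP_RE.search(line)
        if t and hdr:
            packets.append(Packet(hdr["src"], int(t["sport"]), hdr["dst"], int(t["dport"]),
                                  frozenset(t["flags"].split()), hdr["sif"]))
    return packets


def parse_nat_table(text: str) -> dict:
    """Map inside-local address -> inside-global address from 'show ip nat translations'."""
    nat = {}
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            nat[m["il"]] = m["ig"]
    return nat


def diagnose(debug_text: str, nat_text: str) -> dict:
    """Classify every SYN-ACK by whether its source already carries the
    inside-global address (translated) or still the inside-local one
    (untranslated), and count RSTs sent by the router's own TCP stack."""
    nat = parse_nat_table(nat_text)
    pkts = parse_debug(debug_text)
    syn_acks = [p for p in pkts if {"SYN", "ACK"} <= p.flags]
    untranslated = [p for p in syn_acks if p.src in nat]          # still inside local
    translated = [p for p in syn_acks if p.src in nat.values()]   # rewritten to inside global
    local_resets = [p for p in pkts if "RST" in p.flags and p.in_if == "local"]
    if untranslated:
        verdict = "reply-not-untranslated"
    elif local_resets:
        verdict = "local-reset"
    elif not syn_acks:
        verdict = "no-reply-seen"
    else:
        verdict = "ok"
    return {"verdict": verdict, "translated": len(translated),
            "untranslated": len(untranslated), "local_resets": len(local_resets)}


# Constructed sample input: the failing R2-originated handshake from the thread.
R2_DEBUG = """\
*Jun 30 14:54:18.219: IP: tableid=0, s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), routed via FIB
*Jun 30 14:54:18.219: IP: s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), len 44, sending
*Jun 30 14:54:18.219:     TCP src=35582, dst=23, seq=3690778416, ack=0, win=4128 SYN
*Jun 30 14:54:18.223: IP: s=3.3.3.3 (FastEthernet0/1), d=2.2.2.2, len 44, rcvd 4
*Jun 30 14:54:18.223:     TCP src=23, dst=35582, seq=2361378844, ack=3690778417, win=4128 ACK SYN
*Jun 30 14:54:18.223: IP: tableid=0, s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), routed via FIB
*Jun 30 14:54:18.223: IP: s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/1), len 40, sending
*Jun 30 14:54:18.223:     TCP src=35582, dst=23, seq=3690778417, ack=0, win=0 RST
"""

# Constructed sample input: the working R1-originated (transit) handshake.
R1_DEBUG = """\
*Jun 30 15:01:21.083: IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=3.3.3.3 (FastEthernet0/1), routed via FIB
*Jun 30 15:01:21.087: IP: s=2.2.2.100 (FastEthernet0/1), d=12.12.12.1 (FastEthernet0/0), g=12.12.12.1, len 44, forward
*Jun 30 15:01:21.087:     TCP src=23, dst=37054, seq=4262378964, ack=3981401604, win=4128 ACK SYN
*Jun 30 15:01:21.303: IP: s=2.2.2.100 (FastEthernet0/1), d=12.12.12.1 (FastEthernet0/0), g=12.12.12.1, len 40, forward
*Jun 30 15:01:21.303:     TCP src=23, dst=37054, seq=4262379034, ack=3981401634, win=4098 ACK
"""

# Constructed sample input: the static entry from 'show ip nat translations verbose'.
NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 2.2.2.100:23       3.3.3.3:23         ---                ---
"""

if __name__ == "__main__":
    print("R2 (local):", diagnose(R2_DEBUG, NAT_TABLE))   # verdict reply-not-untranslated
    print("R1 (transit):", diagnose(R1_DEBUG, NAT_TABLE)) # verdict ok
```

Run it against a fresh `debug ip packet detail` capture (restrict the debug with an ACL first on anything but a lab box) and the current translation table; a `reply-not-untranslated` verdict on a locally originated session is the signature of the failure shown in the thread, while `ok` on the same translation from a transit host confirms the static entry itself is fine.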
     

  • I'm pretty sure I remember one of the Brians talking on one of their videos (either Advanced Technologies or Open Lecture) about how they did this using PBR. I don't think that NAT works on its own with locally generated traffic. But you can use PBR to make the local traffic come in through a loopback interface and then route out. Since the traffic is now coming in through an interface, it can be NATted.

    I never tried doing this myself, but it sounds like it should work.

  • Try using local policy to route all locally generated traffic out a loopback; it sounds like it might be similar to the way local traffic is not processed by ACLs.

    Just a thought :-)

  • Maybe this works?

    interface Loopback0
     ip address 10.10.10.10 255.255.255.255
     ip nat inside
     ip policy route-map GOTOLO1
    !
    interface Loopback1
     ip address 100.100.100.100 255.255.255.255
     ip nat outside
    !
    ! Steer the router's own traffic into Loopback0 so it is seen as arriving on an interface
    ip local policy route-map GOTOLO0
    !
    route-map GOTOLO0 permit 10
     set interface Loopback0
     ! or, instead of set interface: set ip next-hop 10.10.10.10
    !
    ip nat inside source list x interface Loopback0 overload
    access-list x permit ip any any


  • I found an example of doing this in lab 18 of the R&S vol2 v4.1 workbook.  I think it's like the last task of the lab.  It shows how to NAT locally generated traffic.
