Channel: IEOC - INE's Online Community

More NAT issues


More NAT behaviour problems

I have been hitting NAT hard as it is a tricky subject.

I was following a blog post that looked like a fairly simple exercise, which I labbed up and found some more odd behaviour. The topology is:

  R5
  |
  R1
 /  \
R2  R4

The task was that when R5 telnets to 10.10.10.10 on port 23 it should land on R2, and if R5 telnets to 10.10.10.10 on port 80 it should land on R4. R1, R2, R5 should be able to telnet to 10.10.10.10 without being affected.

10.10.10.10 doesn't exist, so I created it on R1, advertised it into the IGP (OSPF) and applied the following NAT config:

int f0/0
 desc ** Link to R5 **
 ip add 100.100.15.1 255.255.255.0
 ip nat outside

int f0/1.12
 desc *** Link to R2 **
 ip add 100.100.12.1 255.255.255.0
 ip nat inside

int f0/1.14
 desc *** Link to R4 **
 ip add 100.100.14.1 255.255.255.0
 ip nat inside

ip nat inside source static tcp 100.100.12.2 23 10.10.10.10 23 extendable   ! 100.100.12.2 = R2
ip nat inside source static tcp 100.100.14.4 23 10.10.10.10 80 extendable   ! 100.100.14.4 = R4

The NAT worked fine from R5, and R2 and R4 were not affected; however, when I telnet from R1 to 10.10.10.10:

*May 24 23:32:08.307: NAT: o: tcp (10.10.10.10, 30868) -> (10.10.10.10, 23) [21783]
*May 24 23:32:08.307: NAT: s=10.10.10.10, d=10.10.10.10->100.100.12.2 [21783]
*May 24 23:32:08.307: IP: s=10.10.10.10 (local), d=100.100.12.2, len 44, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 24 23:32:08.307: IP: s=10.10.10.10 (local), d=100.100.12.2 (FastEthernet0/1.12), len 44, sending

NAT kicks in, translates the destination, and it fails...

I tried route-maps to only allow traffic sourced from R5 to be NAT'ed, but nothing worked, so I switched to NVI NAT:

interface FastEthernet0/0
 ip nat enable

interface FastEthernet0/1.12
 ip nat enable

interface FastEthernet0/1.14
 ip nat enable

ip nat source static tcp 100.100.12.2 23 10.10.10.10 23 extendable
ip nat source static tcp 100.100.14.4 23 10.10.10.10 80 extendable

From R5 only the first NAT rule works. When I telnet to 10.10.10.10 80 from R5 I get connection refused (from R1). Even if I strip out the first rule, the rule for port 80 doesn't work.

Also, I don't see anything from "debug ip nat nvi".

Help...

Nick
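An added model, not from the post and not IOS code, of how the two static extendable entries in the first config are matched in each direction. It is a simplification (only address, port and protocol are keyed; interface and route-map conditions are left out), but it reproduces what the post observes with classic NAT: R5's connections reach R2 and R4, R2's own telnet is untouched, and R1's locally generated telnet to 10.10.10.10:23 is rewritten to 100.100.12.2 because the outside-to-inside lookup keys on the destination only. The NVI behaviour from the second config is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class StaticEntry:
    """One 'ip nat inside source static tcp <il> <ilp> <ig> <igp> extendable' line."""
    proto: str
    inside_local: str
    inside_local_port: int
    inside_global: str
    inside_global_port: int


# The two entries from the post (constructed from its config; 100.100.12.2 = R2, 100.100.14.4 = R4).
ENTRIES: List[StaticEntry] = [
    StaticEntry("tcp", "100.100.12.2", 23, "10.10.10.10", 23),
    StaticEntry("tcp", "100.100.14.4", 23, "10.10.10.10", 80),
]


def outside_to_inside(proto: str, dst_ip: str, dst_port: int,
                      entries: List[StaticEntry] = ENTRIES) -> Tuple[str, int]:
    """Packets arriving on an 'ip nat outside' interface, and (as the debug in the
    post shows) packets the router itself originates, are matched on destination
    only: inside-global address and port. The source address is not part of the key."""
    for e in entries:
        if (e.proto, e.inside_global, e.inside_global_port) == (proto, dst_ip, dst_port):
            return e.inside_local, e.inside_local_port
    return dst_ip, dst_port  # no entry: forwarded untranslated


def inside_to_outside(proto: str, src_ip: str, src_port: int,
                      entries: List[StaticEntry] = ENTRIES) -> Tuple[str, int]:
    """Packets from an 'ip nat inside' interface are matched on source only:
    inside-local address and port."""
    for e in entries:
        if (e.proto, e.inside_local, e.inside_local_port) == (proto, src_ip, src_port):
            return e.inside_global, e.inside_global_port
    return src_ip, src_port


def show_scenarios() -> Dict[str, Tuple[str, int]]:
    """The cases from the post, keyed by who is connecting (40000 is a constructed ephemeral port)."""
    return {
        "R5 -> 10.10.10.10:23": outside_to_inside("tcp", "10.10.10.10", 23),  # lands on R2
        "R5 -> 10.10.10.10:80": outside_to_inside("tcp", "10.10.10.10", 80),  # lands on R4 port 23
        # R1's own telnet hits the same destination key, so it is rewritten to 100.100.12.2,
        # matching the debug line 'NAT: s=10.10.10.10, d=10.10.10.10->100.100.12.2'.
        "R1 -> 10.10.10.10:23": outside_to_inside("tcp", "10.10.10.10", 23),
        # R2's telnet leaves an inside interface from an ephemeral port and matches nothing.
        "R2 src 100.100.12.2:40000": inside_to_outside("tcp", "100.100.12.2", 40000),
    }
```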
