Hi Antonio,

I do understand that the problem is related to NAT order of operations,
however in this scenario I can't see the value of the add-route option in the
scenario you described. I would appreciate any explanation.

However for a scenario like this:

R1---R2---R3

R1--12.12.12.0/24--R2--23.23.23.0/24--R3

I want R3 when communicating with R1 to appear as 3.3.3.3

On R2 (assuming R1 is on the inside/R3 on the outside)
ip nat outside source static 23.23.23.3 3.3.3.3

The problem now is clear: when R1 receives the packet it sees the source as
3.3.3.3. Now R1 needs to respond with an echo reply to this address 3.3.3.3
(which R2 doesn't really have a route to), thus by adding the add-route
option to the end of the NAT statement you are saying that to reach
3.3.3.3 -> go to 23.23.23.3, which is directly connected:

ip route 3.3.3.3 255.255.255.255 23.23.23.3

In this scenario it is clear that the problem pertains to the NAT order of
operations (especially when going from inside to outside). Routing happens
before NAT and R2 doesn't have a route to 3.3.3.3 (thus to work around this
issue the add-route fits perfectly).

In this case it makes sense to me. I would appreciate the explanation for
the above scenario.

Thanks :)



On Mon, Nov 22, 2010 at 11:50 PM, Tyson Scott <[email protected]> wrote:

> Use the add-route option on the end of the outside NAT statement.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Antonio
> Soares
> Sent: Monday, November 22, 2010 1:49 PM
> To: [email protected]
> Subject: [OSL | CCIE_Security] Double NAT
>
> Hello group,
>
> I'm not getting the reason why this Basic Double NAT scenario doesn't work:
>
> R1===R2===R3
>
> R1:
>
> !
> interface FastEthernet0/0
>  ip address 20.20.20.1 255.255.255.0
> !
>
> R2:
>
> !
> interface FastEthernet0/0
>  ip address 20.20.20.2 255.255.255.0
>  ip nat outside
>  ip virtual-reassembly
> !
> interface FastEthernet0/1
>  ip address 10.10.10.2 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
> !
> ip nat inside source static 10.10.10.3 20.20.20.3
> ip nat outside source static 20.20.20.1 10.10.10.1
> !
>
> R3:
>
> !
> interface FastEthernet0/1
>  ip address 10.10.10.3 255.255.255.0
> !
>
> Traffic from R1 to R3 arrives to R3 and R3 sends back the traffic to R1 but
> for some reason R2 blocks this return traffic.
>
> Routers running 12.4.24T.
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> [email protected]
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>



-- 
KJ
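
The route-then-NAT order discussed in this thread, as an added example (not code from any poster or from Cisco): a simplified Python model of R2's decision for a packet arriving on the inside interface, run against both topologies above. The "inside"/"outside" labels, the function names, and the modelling of add-route as a /32 route to the outside local address via the outside global address are assumptions of this sketch.

```python
import ipaddress

def lookup(rib, dst):
    """Longest-prefix match; returns (egress_side, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, side, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, side, next_hop)
    return best[1:] if best else None

def forward_from_inside(rib, outside_static, dst, add_route):
    """Packet arriving on the inside interface: route first, NAT second.

    outside_static = (outside_global, outside_local), the two addresses of
    'ip nat outside source static <global> <local>'.
    """
    outside_global, outside_local = outside_static
    if add_route:
        # Assumed model of add-route: host route for the local address
        # pointing at the global address.
        rib = rib + [(outside_local + "/32", "outside", outside_global)]
    hit = lookup(rib, dst)
    if hit is None:
        return "dropped: no route to " + dst
    side, _ = hit
    if side != "outside":
        return "sent back out the inside interface, never translated"
    # Egress is the NAT outside interface, so the destination is rewritten now.
    new_dst = outside_global if dst == outside_local else dst
    return "forwarded outside with destination " + new_dst

# Constructed tables: only the connected networks shown in the thread.
KJ_RIB = [("12.12.12.0/24", "inside", None), ("23.23.23.0/24", "outside", None)]
KJ_NAT = ("23.23.23.3", "3.3.3.3")
ANTONIO_RIB = [("10.10.10.0/24", "inside", None), ("20.20.20.0/24", "outside", None)]
ANTONIO_NAT = ("20.20.20.1", "10.10.10.1")

if __name__ == "__main__":
    for name, rib, nat in (("KJ", KJ_RIB, KJ_NAT), ("Antonio", ANTONIO_RIB, ANTONIO_NAT)):
        for add_route in (False, True):
            print(name, "add-route" if add_route else "no add-route", "->",
                  forward_from_inside(rib, nat, nat[1], add_route))
```

In this model the outside local address 10.10.10.1 of the original scenario falls inside the connected inside subnet, so without the host route the lookup never selects the outside interface.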