Yes, it works that way.

Without add-route:

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
C       20.20.20.0 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, FastEthernet0/1
R2#

With add-route:

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
C       20.20.20.0 is directly connected, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/1
S       10.10.10.1/32 [1/0] via 20.20.20.1
R2#

Debug ip nat detailed without add-route:

*Nov 22 23:32:44.703: NAT*: o: icmp (20.20.20.1, 9) -> (20.20.20.3, 9) [13]

*Nov 22 23:32:44.707: NAT*: o: icmp (20.20.20.1, 9) -> (20.20.20.3, 9) [13]
*Nov 22 23:32:44.707: NAT*: s=20.20.20.1->10.10.10.1, d=20.20.20.3 [13]
*Nov 22 23:32:44.711: NAT*: s=10.10.10.1, d=20.20.20.3->10.10.10.3 [13]

With add-route:

*Nov 22 23:33:35.907: NAT*: o: icmp (20.20.20.1, 10) -> (20.20.20.3, 10) [14]
*Nov 22 23:33:35.911: NAT*: o: icmp (20.20.20.1, 10) -> (20.20.20.3, 10) [14]
*Nov 22 23:33:35.911: NAT*: s=20.20.20.1->10.10.10.1, d=20.20.20.3 [14]
*Nov 22 23:33:35.915: NAT*: s=10.10.10.1, d=20.20.20.3->10.10.10.3 [14]
*Nov 22 23:33:35.999: NAT: i: icmp (10.10.10.3, 10) -> (10.10.10.1, 10) [14]

*Nov 22 23:33:35.999: NAT: s=10.10.10.3->20.20.20.3, d=10.10.10.1 [14]
*Nov 22 23:33:36.003: NAT: s=20.20.20.3, d=10.10.10.1->20.20.20.1 [14]

It seems it is related to the "alias" behavior of NAT. I found this page
that explains this problem:

http://cciethebeginning.wordpress.com/2010/06/08/order-of-operations-nat-routing-acl/


Thanks Tyson!



Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]

-----Original Message-----
From: Tyson Scott [mailto:[email protected]] 
Sent: Monday, 22 November 2010 20:51
To: 'Antonio Soares'; [email protected]
Subject: RE: [OSL | CCIE_Security] Double NAT

Use the add-route option on the end of the outside NAT statement.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130



-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Antonio Soares
Sent: Monday, November 22, 2010 1:49 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Double NAT

Hello group,

I'm not getting the reason why this Basic Double NAT scenario doesn't work:

R1===R2===R3

R1:

!
interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.0
!

R2:

!
interface FastEthernet0/0
 ip address 20.20.20.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip nat inside source static 10.10.10.3 20.20.20.3
ip nat outside source static 20.20.20.1 10.10.10.1
!

R3:

!
interface FastEthernet0/1
 ip address 10.10.10.3 255.255.255.0
!

Traffic from R1 to R3 arrives at R3 and R3 sends the traffic back to R1, but
for some reason R2 blocks this return traffic.

Routers running 12.4.24T.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]


_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
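
As an added illustration (not part of the original thread), this Python sketch models how R2 handles R3's echo reply under the two routing tables shown in the "sh ip route" outputs. It is a simplified model that assumes the IOS order of operations for inside-to-outside traffic (route lookup before NAT); the function and variable names are hypothetical.

```python
import ipaddress

# R2 from the thread: NAT role per interface and its two static translations.
NAT_ROLE = {"FastEthernet0/0": "outside", "FastEthernet0/1": "inside"}
INSIDE_LOCAL_TO_GLOBAL = {"10.10.10.3": "20.20.20.3"}    # ip nat inside source static
OUTSIDE_LOCAL_TO_GLOBAL = {"10.10.10.1": "20.20.20.1"}   # ip nat outside source static

# Routing tables copied from the two "sh ip route" outputs: (prefix, interface or next hop).
WITHOUT_ADD_ROUTE = [("20.20.20.0/24", "FastEthernet0/0"),
                     ("10.10.10.0/24", "FastEthernet0/1")]
WITH_ADD_ROUTE = WITHOUT_ADD_ROUTE + [("10.10.10.1/32", "20.20.20.1")]


def egress(routes, dst, depth=0):
    """Longest-prefix match; a next-hop target is resolved recursively to an interface."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), t) for p, t in routes
            if addr in ipaddress.ip_network(p)]
    if not hits or depth > 4:          # no route, or a recursion loop
        return None
    _, target = max(hits, key=lambda h: h[0].prefixlen)
    return target if target in NAT_ROLE else egress(routes, target, depth + 1)


def return_packet(routes, src="10.10.10.3", dst="10.10.10.1",
                  in_if="FastEthernet0/1"):
    """R3's echo reply arriving on R2's inside interface.

    Assumption of this model: inside-to-outside traffic is routed first and
    translated only if the lookup selects an "ip nat outside" interface.
    """
    out_if = egress(routes, dst)
    if NAT_ROLE.get(in_if) == "inside" and NAT_ROLE.get(out_if) == "outside":
        return (out_if, INSIDE_LOCAL_TO_GLOBAL.get(src, src),
                OUTSIDE_LOCAL_TO_GLOBAL.get(dst, dst), True)
    return out_if, src, dst, False     # never crosses inside -> outside: no NAT


if __name__ == "__main__":
    for name, table in (("without add-route", WITHOUT_ADD_ROUTE),
                        ("with add-route", WITH_ADD_ROUTE)):
        print(name, return_packet(table))
```

With the /32 host route present, the translated addresses match the "i:" lines in the second debug capture; without it, the lookup for 10.10.10.1 stays on the connected inside subnet and no translation is attempted.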