I'm about to open a case with Cisco regarding this issue, but I'm curious 
if anyone out there has run into something similar:

Background:
A company is migrating networks.  For various reasons, the following 
network is in place.
Cisco 1720: has a fast ethernet connecting to the PIX, an ethernet 
connecting to the old network, and a Serial connecting to the Internet.
Ethernet0 Interface has address 1.1.1.3/24, routing all "old-network" 
traffic to 1.1.1.1.  This is also a NAT Outside interface.
Fast Ethernet0 has address 2.2.2.1/26, routing all inbound "new network" 
traffic to 2.2.2.2 (PIX Outside Interface).  This is a NAT Inside interface.
Serial 0 is the default-route for all destinations not found in the route 
table.

Problem:
When traffic is sent to a 1.1.1.x address, it gets translated properly into 
a 2.2.2.x address and routed to the PIX.  The PIX translates the 2.2.2.x 
address to a (static) 10.x.x.x address.  The traffic reaches the 
destination machine inside the network.  The machine then tries to respond 
to the original source.  The PIX recognizes and properly translates the 
traffic.  The Cisco 1720 does not translate any traffic where the 
destination can only be reached by using the default route.  If there is a 
specific route for the destination in the 1720 routing table, the 1720 
correctly translates and passes the traffic.  If I originate traffic that 
must use the default route from the 1720, the 1720 routes it correctly.
Now, I'm aware that the NAT will not work if there isn't a route to the 
destination in the routing table, or if there are access lists blocking a 
port.  There are no access-lists in use anywhere in this scenario, other 
than the one associated with NAT, and the default route works correctly when 
NAT isn't involved.
Curiously, and this may or may not be important, I notice that I get a 
response to a 1.1.1.x address, but the router is only translating one 
way.  It appears, oddly enough, that the router is generating the ICMP echo 
response for the (virtual) 1.1.1.x address.
Is there an issue with double-NAT of which I'm not aware?

Thoughts?

Craig
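An added illustration, not Craig's configuration (his running-config is not in the post): an IOS config reconstructed from the topology he describes, with the check a practitioner would run first. IOS translates only packets that cross between an interface marked `ip nat inside` and one marked `ip nat outside`; for inside-to-outside traffic it routes first and translates second, so a reply whose route lookup selects an interface with no NAT role leaves untranslated. In the described setup Serial0 carries the default route but is not described as having a NAT role. The static mapping 1.1.1.10 to 2.2.2.10 and the verification commands below are assumptions about what would be configured and checked, not values from the post.

```cisco
! Added example, reconstructed from the post; the 1.1.1.10/2.2.2.10
! static mapping is an assumed sample value, not from the post.
interface Ethernet0
 description Old network (NAT outside)
 ip address 1.1.1.3 255.255.255.0
 ip nat outside
!
interface FastEthernet0
 description PIX outside interface side (NAT inside)
 ip address 2.2.2.1 255.255.255.192
 ip nat inside
!
interface Serial0
 description Internet uplink, default route
 ! No "ip nat inside" or "ip nat outside" here: packets whose route
 ! lookup selects this interface are forwarded without translation.
!
! Default route for everything not in the table (as described).
ip route 0.0.0.0 0.0.0.0 Serial0
!
! Static one-to-one mapping: inside local 2.2.2.10 <-> inside global 1.1.1.10.
! Outside->inside (Ethernet0 in): NAT first, then route to FastEthernet0.
! Inside->outside (FastEthernet0 in): route first; translated only if the
! egress interface is an "ip nat outside" interface (Ethernet0 here).
ip nat inside source static 2.2.2.10 1.1.1.10
!
! Checks (run from enable mode):
!   show ip nat statistics     - lists which interfaces hold inside/outside roles
!   show ip nat translations   - confirms the static entry and any dynamic ones
!   debug ip nat               - shows, per packet, whether a translation fired
```

When reading `show ip nat statistics`, confirm that every interface a translated flow can enter or leave through appears under either the inside or the outside interface list; a flow that is routed out an interface in neither list is passed through unchanged, which matches the symptom of one-way translation for default-route destinations.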

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5752&t=5752
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]