Issue with traffic from usce interface Nat'd through router

Document created by cdnadmin on Jan 25, 2014
This document was generated from CDN thread

Created by: Raymond Armstrong on 26-09-2012 05:20:38 AM
I am unable to ping / connect to the IP address of the server via ucse 2/0 NAT'd through the router. I can, however, ping the address of the ucse, which is also NAT'd.
#ping 21.8.10.49
PING 21.8.10.49 (21.8.10.49) 56(84) bytes of data.
64 bytes from 21.8.10.49: icmp_seq=1 ttl=253 time=79.2 ms
64 bytes from 21.8.10.49: icmp_seq=2 ttl=253 time=79.2 ms
64 bytes from 21.8.10.49: icmp_seq=3 ttl=253 time=79.2 ms

ping 21.8.10.55
PING 21.8.10.55 (21.8.10.55) 56(84) bytes of data.
I have checked and can see the traffic hit the router and get translated:
*Sep 26 10:06:22.007: NAT*: s=69.184.0.24, d=21.8.10.55->69.184.252.23 [0]
*Sep 26 10:06:22.327: NAT*: s=69.184.0.24, d=21.8.10.55->69.184.252.23 [0]
*Sep 26 10:06:22.803: NAT*: s=69.184.1.24, d=21.8.10.55->69.184.252.23 [0]
However, I see no reply from the server getting out of the router.
I can, however, see the reply from the ucse interface:
*Sep 26 10:06:33.403: NAT*: s=69.184.0.24, d=21.8.10.49->69.184.252.17 [0]
*Sep 26 10:06:33.403: NAT: s=69.184.252.17->21.8.10.49, d=69.184.0.24 [0]
I can ping locally:
r107476#ping 69.184.252.23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.184.252.23, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r107476#
and if I set up Loopback1 as 69.184.252.23 and ping it, I see a reply, so the NAT is working correctly:

interface Loopback1
 ip address 69.184.252.23 255.255.255.240

I can see the server generating a reply and sending it to the router:
[root@israppliance ~]# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:33:09.856960 IP 69.184.0.24 > 69.184.252.23: ICMP echo request, id 2912, seq 67, length 64
11:33:09.856987 IP 69.184.252.23 > 69.184.0.24: ICMP echo reply, id 2912, seq 67, length 64
11:33:10.234926 IP 69.184.0.24 > 69.184.252.23: ICMP echo request, id 3418, seq 8214, length 64
11:33:10.234954 IP 69.184.252.23 > 69.184.0.24: ICMP echo reply, id 3418, seq 8214, length 64
11:33:10.576443 IP 69.184.0.24 > 69.184.252.23: ICMP echo request, id 44876, seq 1, length 64
11:33:10.576459 IP 69.184.252.23 > 69.184.0.24: ICMP echo reply, id 44876, seq 1, length 64

The default gateway is set:
[root@israppliance ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
69.184.252.16   *               255.255.255.240 U     0      0        0 eth0
default         69.184.252.17   0.0.0.0         UG    0      0        0 eth0
[root@israppliance ~]#
I have also tried adding a static route on the router:
!
interface ucse2/0
 ip address 69.184.252.17 255.255.255.240
!
ip nat inside source static 69.184.252.17 21.8.10.49 route-map 2-stat-nat-policy
ip nat inside source static 69.184.252.23 21.8.10.55 route-map 2-stat-nat-policy
ip route 69.184.252.23 255.255.255.255 ucse2/0

Subject: RE: Issue with traffic from usce interface Nat'd through router
Replied by: Raymond Armstrong on 26-09-2012 05:31:07 AM
I can also see traffic when I ping between modules:
*Sep 26 10:23:10.071: IP: s=69.184.252.17 (local), d=69.184.252.23, len 92, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 26 10:23:10.071: IP: s=69.184.252.17 (local), d=69.184.252.23 (ucse2/0), len 92, sending
*Sep 26 10:23:10.071: IP: s=69.184.252.17 (local), d=69.184.252.23 (ucse2/0), len 92, sending full packet
*Sep 26 10:23:10.071: IP: s=69.184.252.23 (ucse2/0), d=69.184.252.17, len 40, input feature, MCI Check(87), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 26 10:23:10.071: IP: tableid=0, s=69.184.252.23 (ucse2/0), d=69.184.252.17 (ucse2/0), routed via RIB
*Sep 26 10:23:10.071: IP: s=69.184.252.23 (ucse2/0), d=69.184.252.17 (ucse2/0), len 40, rcvd 3
*Sep 26 10:23:10.071: IP: s=69.184.252.23 (ucse2/0), d=69.184.252.17, len 40, stop process pak for forus packet
*Sep 26 10:23:10.075: IP: s=69.184.252.23 (ucse2/0), d=69.184.252.17, len 268, input feature, MCI Check(87), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 26 10:23:10.075: IP: tableid=0, s=69.184.252.23 (ucse2/0), d=69.184.252.17 (ucse2/0), routed via RIB
r107476#
However, I cannot see any traffic hitting the router when pinging from the appliance to the far-end device:
[root@israppliance ~]# ping 69.184.0.24
PING 69.184.0.24 (69.184.0.24) 56(84) bytes of data.
No traffic noted on the router.

I also tried the same for the MGF interface

Subject: RE: Issue with traffic from usce interface Nat'd through router
Replied by: Raymond Armstrong on 26-09-2012 05:32:48 AM
Please also note that I can SSH between the router and the server locally.

Subject: RE: Issue with traffic from usce interface Nat'd through router
Replied by: Brett Tiller on 26-09-2012 09:33:06 AM
Hi Raymond,
I've provided a working NAT configuration on this thread in the forum:
http://developer.cisco.com/web/ucse/forums/-/message_boards/message/6442759
After reconfiguring your router, if you are still having issues, please respond with your full router configuration included.
 
Thanks,
Brett

Subject: RE: Issue with traffic from usce interface Nat'd through router
Replied by: Raymond Armstrong on 26-09-2012 11:00:00 AM
The configuration you mention appears to be for a connection via ESXi; we are running no virtualisation and are running the server with Red Hat 6.2. We simply want a traditional layer 2/3 connection from the router to the server.
The NAT allows all ports; I cannot even ping internally:
r107476#ping 69.184.252.17 source 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.184.252.17, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.2
.....
Success rate is 0 percent (0/5)
r107476#ping 69.184.252.23 source 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.184.252.23, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.2
.....
Success rate is 0 percent (0/5)

69.184.252.16/28     attached             ucse2/0
69.184.252.16/32     receive              ucse2/0
69.184.252.17/32     receive              ucse2/0
69.184.252.23/32     attached             ucse2/0 <<<<< have static
69.184.252.31/32     receive              ucse2/0

Subject: RE: Issue with traffic from usce interface Nat'd through router
Replied by: Brett Tiller on 27-09-2012 07:18:42 PM
Hi Raymond,
Your NAT configuration would be simpler, then, since you are not using ESXi, because you don't have to account for its ports. As a result, using the ESXi example provided in the previously mentioned thread, you would only need to use NAT for the IP assigned to the OS. So in the IP NAT translation configuration, rather than specifying 3 separate ports for the 192.168.1.83/172.25.209.199 translation specified in the example configuration, you would just have one configuration of "ip nat inside source static 192.168.1.83 172.25.209.199 extended".
As I mentioned in a previous response, if you are still not having success getting this working, please attach your router configuration.
Thanks,
Brett

Subject: RE: Issue with traffic from usce interface Nat'd through router
Replied by: Raymond Armstrong on 04-10-2012 04:24:54 AM
I have attached the config; I still cannot get it working. I can see the traffic leaving the server:
10:05:30.202578 IP 69.184.0.24 > 69.184.252.23: ICMP echo request, id 7219, seq 1, length 64
10:05:30.202607 IP 69.184.252.23 > 69.184.0.24: ICMP echo reply, id 7219, seq 1, length 64
10:05:31.202441 IP 69.184.0.24 > 69.184.252.23: ICMP echo request, id 7219, seq 2, length 64
10:05:31.202468 IP 69.184.252.23 > 69.184.0.24: ICMP echo reply, id 7219, seq 2, length 64
then hitting the ucse interface:
r107476#debug ip cef packet ucse2/0 input rate 0 detail
IP CEF packets debugging is on ingress on ucse2/0 (detailed)
r107476#
*Oct  4 09:08:46.992: CEF-Debug: Packet from 69.184.252.23 (uc2/0) to 69.184.0.24
*Oct  4 09:08:46.992:   ihl=20, length=84, tos=0, ttl=63, checksum=37329, offset=0
*Oct  4 09:08:46.992:     ICMP type=0, code=0, checksum=22469
*Oct  4 09:08:46.992:          ECHO reply
r107476#
*Oct  4 09:08:48.000: CEF-Debug: Packet from 69.184.252.23 (uc2/0) to 69.184.0.24
*Oct  4 09:08:48.000:   ihl=20, length=84, tos=0, ttl=63, checksum=37328, offset=0
*Oct  4 09:08:48.000:     ICMP type=0, code=0, checksum=18849
*Oct  4 09:08:48.000:          ECHO reply

But that traffic is not getting NAT'd back when I run a debug ip nat. The NAT works if we set the Loopback1 interface to 69.184.252.23 and there is a CEF route for the traffic.

Subject: RE: Issue with traffic from usce interface Nat'd through router
Replied by: Daniel Miller on 04-10-2012 12:01:19 PM
Hi Raymond,
I was able to get it to work by setting the Gigabit interface as the NAT outside interface and ucse as the NAT inside interface. Not sure if this is exactly what you want, but I was able to ping and SSH to the server from another machine outside the router with this setup. I have included the relevant sections of my router and server config below.
Thanks,
Daniel
 
Router:
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
 service-module enable
!
interface GigabitEthernet0/0
 ip address 172.25.209.111 255.255.255.128
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
interface GigabitEthernet0/0/3
 no ip address
!
interface ucse1/0
 mac-address 0002.0003.0004
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 imc ip address 172.25.209.109 255.255.255.128 default-gateway 172.25.209.1
 imc access-port shared-lom ge2
!
interface ucse1/1
 description Internal switch interface connected to Service Module
 no ip address
!
interface Vlan1
 no ip address
!
ip default-gateway 172.25.209.1
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static 10.0.0.1 172.25.209.117
ip route 0.0.0.0 0.0.0.0 172.25.209.1
ip route 10.0.0.1 255.255.255.255 ucse1/0
Server:

[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr F0:F7:55:12:07:1A
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f2f7:55ff:fe12:71a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12715 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9534 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2404660 (2.2 MiB)  TX bytes:1375955 (1.3 MiB)
          Interrupt:19
 
eth1      Link encap:Ethernet  HWaddr F0:F7:55:12:07:1B
          inet6 addr: fe80::f2f7:55ff:fe12:71b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:326382 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22733876 (21.6 MiB)  TX bytes:492 (492.0 b)
          Interrupt:16
 
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:105512 errors:0 dropped:0 overruns:0 frame:0
          TX packets:105512 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:38464036 (36.6 MiB)  TX bytes:38464036 (36.6 MiB)

[root@localhost ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
default         10.0.0.2        0.0.0.0         UG    0      0        0 eth0
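As an added check, not code from the thread or from Cisco: a small Python lint over an IOS-style config excerpt, modelled on Daniel's working config, that reports the two things his fix put in place: an interface marked `ip nat outside`, and `ip nat inside` on the interface whose connected subnet contains the static translation's inside address. Both config strings are constructed, and the parser only understands the `interface`, `ip address` and `ip nat` lines it needs.

```python
import ipaddress
import re

# Constructed excerpt modelled on the working router config posted in the thread
WORKING_CONFIG = """\
interface GigabitEthernet0/0
 ip address 172.25.209.111 255.255.255.128
 ip nat outside
!
interface ucse1/0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.0.0.1 172.25.209.117
ip route 10.0.0.1 255.255.255.255 ucse1/0
"""

# Same excerpt with the NAT roles stripped from both interfaces (constructed failure case)
BROKEN_CONFIG = WORKING_CONFIG.replace(" ip nat outside\n", "").replace(" ip nat inside\n", "")


def parse_interfaces(config):
    """Map interface name -> {'network': connected IPv4Network or None, 'nat': role or None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"network": None, "nat": None}
        elif current and line.startswith(" "):
            parts = line.split()
            if parts[:2] == ["ip", "address"] and len(parts) == 4:
                interfaces[current]["network"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}").network
            elif parts[:3] in (["ip", "nat", "inside"], ["ip", "nat", "outside"]):
                interfaces[current]["nat"] = parts[2]
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def check_static_nat(config):
    """Return the problems that would stop a static inside translation from being applied."""
    interfaces = parse_interfaces(config)
    problems = []
    if not any(i["nat"] == "outside" for i in interfaces.values()):
        problems.append("no interface is marked 'ip nat outside'")
    for m in re.finditer(r"^ip nat inside source static (\S+) (\S+)", config, re.M):
        inside = ipaddress.IPv4Address(m.group(1))
        owners = [n for n, i in interfaces.items() if i["network"] and inside in i["network"]]
        for name in owners:
            if interfaces[name]["nat"] != "inside":
                problems.append(f"{inside}: reached via {name}, which is not 'ip nat inside'")
    return problems
```

`check_static_nat(WORKING_CONFIG)` returns an empty list; the stripped variant reports both the missing outside interface and the ucse interface without an inside role.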

Subject: RE: Issue with traffic from usce interface Nat'd through router
Replied by: Raymond Armstrong on 05-10-2012 08:24:41 AM
Thanks guys, all appears to be working now.
