Issue with traffic from ucse interface NAT'd through router

Version 1
    This document was generated from CDN thread

    Created by: Raymond Armstrong on 26-09-2012 05:20:38 AM
    I am unable to ping / connect to the IP address of the server via ucse2/0 NAT'd through the router. I can, however, ping the address of the ucse interface, which is also NAT'd:
    #ping 21.8.10.49
    PING 21.8.10.49 (21.8.10.49) 56(84) bytes of data.
    64 bytes from 21.8.10.49: icmp_seq=1 ttl=253 time=79.2 ms
    64 bytes from 21.8.10.49: icmp_seq=2 ttl=253 time=79.2 ms
    64 bytes from 21.8.10.49: icmp_seq=3 ttl=253 time=79.2 ms

    ping 21.8.10.55
    PING 21.8.10.55 (21.8.10.55) 56(84) bytes of data.
    I have checked and can see the traffic hit the router and get translated:
    *Sep 26 10:06:22.007: NAT*: s=69.184.0.24, d=21.8.10.55->69.184.252.23 [0]
    *Sep 26 10:06:22.327: NAT*: s=69.184.0.24, d=21.8.10.55->69.184.252.23 [0]
    *Sep 26 10:06:22.803: NAT*: s=69.184.1.24, d=21.8.10.55->69.184.252.23 [0]
    However, I see no reply from the server getting out of the router.
    I can, however, see the reply from the ucse interface:
    *Sep 26 10:06:33.403: NAT*: s=69.184.0.24, d=21.8.10.49->69.184.252.17 [0]
    *Sep 26 10:06:33.403: NAT: s=69.184.252.17->21.8.10.49, d=69.184.0.24 [0]
    I can ping locally:
    r107476#ping 69.184.252.23
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 69.184.252.23, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
    r107476#
    and if I set up Loopback1 and ping 69.184.252.23 I see a reply, so the NAT is working correctly:

    interface Loopback1
     ip address 69.184.252.23 255.255.255.240

    I can see the server generating a reply and sending it to the router:
    [root@israppliance ~]# tcpdump icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:33:09.856960 IP 69.184.0.24 > 69.184.252.23: ICMP echo request, id 2912, seq 67, length 64
    11:33:09.856987 IP 69.184.252.23 > 69.184.0.24: ICMP echo reply, id 2912, seq 67, length 64
    11:33:10.234926 IP 69.184.0.24 > 69.184.252.23: ICMP echo request, id 3418, seq 8214, length 64
    11:33:10.234954 IP 69.184.252.23 > 69.184.0.24: ICMP echo reply, id 3418, seq 8214, length 64
    11:33:10.576443 IP 69.184.0.24 > 69.184.252.23: ICMP echo request, id 44876, seq 1, length 64
    11:33:10.576459 IP 69.184.252.23 > 69.184.0.24: ICMP echo reply, id 44876, seq 1, length 64

    The default gateway is set:
    [root@israppliance ~]# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    69.184.252.16   *               255.255.255.240 U     0      0        0 eth0
    default         69.184.252.17   0.0.0.0         UG    0      0        0 eth0
    [root@israppliance ~]#
    I have also tried adding a static route on the router:
    !
    interface ucse2/0
     ip address 69.184.252.17 255.255.255.240
    !
    ip nat inside source static 69.184.252.17 21.8.10.49 route-map 2-stat-nat-policy
    ip nat inside source static 69.184.252.23 21.8.10.55 route-map 2-stat-nat-policy
    ip route 69.184.252.23 255.255.255.255 ucse2/0
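    The debug output in this post shows the pattern to look for: packets toward 69.184.252.23 are translated on the way in, but no reverse translation from 69.184.252.23 ever appears, while the 69.184.252.17 mapping translates in both directions. The following Python script is an added example, not code from the thread: it parses `debug ip nat` lines in the format shown above, counts translations per static mapping in each direction, and reports mappings that only ever translate one way. The sample lines are constructed to mirror the thread's output.

```python
"""Pair forward and reverse NAT translations from Cisco IOS `debug ip nat` output.

Added example (not from the thread).  A static mapping that only ever shows
inbound translations (outside -> inside) and never a reverse one is the
symptom of return traffic that the router is not translating back.
"""
import re
from collections import defaultdict

# Constructed sample lines, mirroring the format of the thread's debug output.
SAMPLE_DEBUG = """\
*Sep 26 10:06:22.007: NAT*: s=69.184.0.24, d=21.8.10.55->69.184.252.23 [0]
*Sep 26 10:06:22.327: NAT*: s=69.184.0.24, d=21.8.10.55->69.184.252.23 [0]
*Sep 26 10:06:33.403: NAT*: s=69.184.0.24, d=21.8.10.49->69.184.252.17 [0]
*Sep 26 10:06:33.403: NAT: s=69.184.252.17->21.8.10.49, d=69.184.0.24 [0]
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# outside -> inside: the destination (inside global) is rewritten to the inside local
FWD_RE = re.compile(rf"NAT\*?: s=({IP}), d=({IP})->({IP})")
# inside -> outside: the source (inside local) is rewritten to the inside global
REV_RE = re.compile(rf"NAT\*?: s=({IP})->({IP}), d=({IP})")


def parse_nat_debug(text):
    """Return {(inside_local, inside_global): {"in": count, "out": count}}."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in text.splitlines():
        m = FWD_RE.search(line)
        if m:
            _src, inside_global, inside_local = m.groups()
            counts[(inside_local, inside_global)]["in"] += 1
            continue
        m = REV_RE.search(line)
        if m:
            inside_local, inside_global, _dst = m.groups()
            counts[(inside_local, inside_global)]["out"] += 1
    return dict(counts)


def one_way_mappings(counts):
    """Mappings whose packets were translated in exactly one direction."""
    return sorted(k for k, c in counts.items() if (c["in"] == 0) != (c["out"] == 0))


if __name__ == "__main__":
    counts = parse_nat_debug(SAMPLE_DEBUG)
    for (local, glob), c in sorted(counts.items()):
        print(f"{local} <-> {glob}: in={c['in']} out={c['out']}")
    for local, glob in one_way_mappings(counts):
        print(f"one-way translation only: {local} <-> {glob}")
```

Run against a longer `debug ip nat` capture, a mapping that lands in `one_way_mappings` is the one to inspect for interface NAT roles and routing of the inside-local address; a mapping with counts in both directions is translating as intended.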

    Subject: RE: Issue with traffic from ucse interface NAT'd through router
    Replied by: Raymond Armstrong on 26-09-2012 05:31:07 AM
    I can also see traffic when I ping between modules:
    *Sep 26 10:23:10.071: IP: s=69.184.252.17 (local), d=69.184.252.23, len 92, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Sep 26 10:23:10.071: IP: s=69.184.252.17 (local), d=69.184.252.23 (ucse2/0), len 92, sending
    *Sep 26 10:23:10.071: IP: s=69.184.252.17 (local), d=69.184.252.23 (ucse2/0), len 92, sending full packet
    *Sep 26 10:23:10.071: IP: s=69.184.252.23 (ucse2/0), d=69.184.252.17, len 40, input feature, MCI Check(87), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Sep 26 10:23:10.071: IP: tableid=0, s=69.184.252.23 (ucse2/0), d=69.184.252.17 (ucse2/0), routed via RIB
    *Sep 26 10:23:10.071: IP: s=69.184.252.23 (ucse2/0), d=69.184.252.17 (ucse2/0), len 40, rcvd 3
    *Sep 26 10:23:10.071: IP: s=69.184.252.23 (ucse2/0), d=69.184.252.17, len 40, stop process pak for forus packet
    *Sep 26 10:23:10.075: IP: s=69.184.252.23 (ucse2/0), d=69.184.252.17, len 268, input feature, MCI Check(87), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Sep 26 10:23:10.075: IP: tableid=0, s=69.184.252.23 (ucse2/0), d=69.184.252.17 (ucse2/0), routed via RIB
    r107476#
    However, I cannot see any traffic hitting the router when pinging from the appliance to the far-end device:
    [root@israppliance ~]# ping 69.184.0.24
    PING 69.184.0.24 (69.184.0.24) 56(84) bytes of data.
    No traffic noted on router

    I also tried the same for the MGF interface

    Subject: RE: Issue with traffic from ucse interface NAT'd through router
    Replied by: Raymond Armstrong on 26-09-2012 05:32:48 AM
    Please also note I can SSH between the router and server locally.

    Subject: RE: Issue with traffic from ucse interface NAT'd through router
    Replied by: Brett Tiller on 26-09-2012 09:33:06 AM
    Hi Raymond,
    I've provided a working NAT configuration on this thread in the forum:
    http://developer.cisco.com/web/ucse/forums/-/message_boards/message/6442759
    After reconfiguring your router, if you are still having issues, please respond with your full router configuration included.
     
    Thanks,
    Brett

    Subject: RE: Issue with traffic from ucse interface NAT'd through router
    Replied by: Raymond Armstrong on 26-09-2012 11:00:00 AM
    The configuration you mention appears to be for a connection via ESXi. We are running no virtualisation and are running the server with Red Hat 6.2; we simply want a traditional layer 2/3 connection from the router to the server.
    The NAT allows all ports; I cannot even ping internally:
    r107476#ping 69.184.252.17 source 172.16.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 69.184.252.17, timeout is 2 seconds:
    Packet sent with a source address of 172.16.1.2
    .....
    Success rate is 0 percent (0/5)
    r107476#ping 69.184.252.23 source 172.16.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 69.184.252.23, timeout is 2 seconds:
    Packet sent with a source address of 172.16.1.2
    .....
    Success rate is 0 percent (0/5)

    69.184.252.16/28     attached             ucse2/0
    69.184.252.16/32     receive              ucse2/0
    69.184.252.17/32     receive              ucse2/0
    69.184.252.23/32     attached             ucse2/0 <<<<< have static
    69.184.252.31/32     receive              ucse2/0

    Subject: RE: Issue with traffic from ucse interface NAT'd through router
    Replied by: Brett Tiller on 27-09-2012 07:18:42 PM
    Hi Raymond,
    Your NAT configuration would be simpler, then, since you are not using ESXi, because you don't have to account for its ports. As a result, using the ESXi example provided in the previously mentioned thread, you would only need to use NAT for the IP assigned to the OS. So in the IP NAT translation configuration, rather than specifying 3 separate ports for the 192.168.1.83/172.25.209.199 translation specified in the example configuration, you would just have one configuration of "ip nat inside source static 192.168.1.83 172.25.209.199 extended".
    As I mentioned in a previous response, if you are still not having success getting this working, please attach your router configuration.
    Thanks,
    Brett

    Subject: RE: Issue with traffic from ucse interface NAT'd through router
    Replied by: Raymond Armstrong on 04-10-2012 04:24:54 AM
    I have attached the config; I still cannot get it working. I can see the traffic leaving the server:
    10:05:30.202578 IP 69.184.0.24 > 69.184.252.23: ICMP echo request, id 7219, seq 1, length 64
    10:05:30.202607 IP 69.184.252.23 > 69.184.0.24: ICMP echo reply, id 7219, seq 1, length 64
    10:05:31.202441 IP 69.184.0.24 > 69.184.252.23: ICMP echo request, id 7219, seq 2, length 64
    10:05:31.202468 IP 69.184.252.23 > 69.184.0.24: ICMP echo reply, id 7219, seq 2, length 64
    then hitting the ucse interface:
    r107476#debug ip cef packet ucse2/0 input rate 0 detail
    IP CEF packets debugging is on ingress on ucse2/0 (detailed)
    r107476#
    *Oct  4 09:08:46.992: CEF-Debug: Packet from 69.184.252.23 (uc2/0) to 69.184.0.24
    *Oct  4 09:08:46.992:   ihl=20, length=84, tos=0, ttl=63, checksum=37329, offset=0
    *Oct  4 09:08:46.992:     ICMP type=0, code=0, checksum=22469
    *Oct  4 09:08:46.992:          ECHO reply
    r107476#
    *Oct  4 09:08:48.000: CEF-Debug: Packet from 69.184.252.23 (uc2/0) to 69.184.0.24
    *Oct  4 09:08:48.000:   ihl=20, length=84, tos=0, ttl=63, checksum=37328, offset=0
    *Oct  4 09:08:48.000:     ICMP type=0, code=0, checksum=18849
    *Oct  4 09:08:48.000:          ECHO reply

    But that traffic is not getting NAT'd back when I run a debug ip nat. The NAT works if we set the loopback interface 1 to 69.184.252.23 and there is a CEF route for the traffic.

    Subject: RE: Issue with traffic from ucse interface NAT'd through router
    Replied by: Daniel Miller on 04-10-2012 12:01:19 PM
    Hi Raymond,
    I was able to get it to work by setting the Gigabit interface as the NAT outside interface, and ucse as the NAT inside interface.  Not sure if this is exactly what you want, but I was able to ping and SSH to the server from another machine outside the router with this setup.  I have included the relevant sections of my router and server config below.
    Thanks,
    Daniel
     
    Router:
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
     service-module enable
    !
    interface GigabitEthernet0/0
     ip address 172.25.209.111 255.255.255.128
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     no keepalive
    !
    interface GigabitEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/2
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/0/0
     no ip address
    !
    interface GigabitEthernet0/0/1
     no ip address
    !
    interface GigabitEthernet0/0/2
     no ip address
    interface GigabitEthernet0/0/3
     no ip address
    !
    interface ucse1/0
     mac-address 0002.0003.0004
     ip address 10.0.0.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     imc ip address 172.25.209.109 255.255.255.128 default-gateway 172.25.209.1
     imc access-port shared-lom ge2
    !
    interface ucse1/1
     description Internal switch interface connected to Service Module
     no ip address
    !
    interface Vlan1
     no ip address
    !
    ip default-gateway 172.25.209.1
    ip forward-protocol nd
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source static 10.0.0.1 172.25.209.117
    ip route 0.0.0.0 0.0.0.0 172.25.209.1
    ip route 10.0.0.1 255.255.255.255 ucse1/0
     
     
     
    Server:

    [root@localhost ~]# ifconfig
    eth0      Link encap:Ethernet  HWaddr F0:F7:55:12:07:1A
              inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
              inet6 addr: fe80::f2f7:55ff:fe12:71a/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:12715 errors:0 dropped:0 overruns:0 frame:0
              TX packets:9534 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2404660 (2.2 MiB)  TX bytes:1375955 (1.3 MiB)
              Interrupt:19
     
    eth1      Link encap:Ethernet  HWaddr F0:F7:55:12:07:1B
              inet6 addr: fe80::f2f7:55ff:fe12:71b/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:326382 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:22733876 (21.6 MiB)  TX bytes:492 (492.0 b)
              Interrupt:16
     
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:105512 errors:0 dropped:0 overruns:0 frame:0
              TX packets:105512 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:38464036 (36.6 MiB)  TX bytes:38464036 (36.6 MiB)

    [root@localhost ~]# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
    default         10.0.0.2        0.0.0.0         UG    0      0        0 eth0
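    The working configuration above marks the WAN interface `ip nat outside` and the ucse interface `ip nat inside`, with a host route for the server's inside-local address (10.0.0.1) pointing at that interface. The following Python lint is an added example, not part of the thread and not Cisco code: it parses an IOS-style configuration for interface NAT roles, static translations and static routes, and reports a static translation whose inside-local address is not reached through an `ip nat inside` interface, or a configuration with no `ip nat outside` interface at all. The configuration it checks is constructed from the relevant lines of the working config above; a second copy with the `ip nat inside` line removed is a constructed failure case showing what the lint reports.

```python
"""Lint static NAT placement in a Cisco IOS-style configuration.

Added example (not from the thread, not Cisco code).  For each
`ip nat inside source static` entry, check that the inside-local address is
reached through an interface marked `ip nat inside`, and that some interface
is marked `ip nat outside`.  Without both roles the router does not translate
the return traffic, which is the symptom the thread describes.
"""
import ipaddress

# Constructed from the relevant lines of the working config posted in the thread.
WORKING_CONFIG = """\
interface GigabitEthernet0/0
 ip address 172.25.209.111 255.255.255.128
 ip nat outside
!
interface ucse1/0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.0.0.1 172.25.209.117
ip route 0.0.0.0 0.0.0.0 172.25.209.1
ip route 10.0.0.1 255.255.255.255 ucse1/0
"""

# Constructed failure case: the same config with the ucse interface's NAT role removed.
BROKEN_CONFIG = WORKING_CONFIG.replace(" ip nat inside\n", "")


def parse_ios(config):
    """Return (interfaces, statics, routes).

    interfaces: name -> {"network": IPv4Network or None, "nat": "inside"/"outside"/None}
    statics:    list of (inside_local, inside_global)
    routes:     list of (IPv4Network, next_hop_address_or_interface_name)
    """
    interfaces, statics, routes = {}, [], []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"network": None, "nat": None}
            continue
        if line.startswith(" ") and current:          # indented line inside an interface block
            tok = line.split()
            if tok[:2] == ["ip", "address"] and len(tok) >= 4:
                iface = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")   # dotted mask accepted
                interfaces[current]["network"] = iface.network
            elif tok[:2] == ["ip", "nat"] and len(tok) >= 3:
                interfaces[current]["nat"] = tok[2]                     # "inside" / "outside"
            continue
        current = None                                 # any top-level line ends the block
        tok = line.split()
        if tok[:5] == ["ip", "nat", "inside", "source", "static"] and len(tok) >= 7:
            statics.append((tok[5], tok[6]))
        elif tok[:2] == ["ip", "route"] and len(tok) >= 5:
            routes.append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False), tok[4]))
    return interfaces, statics, routes


def lint_static_nat(config):
    """Return a list of findings; an empty list means the static NAT placement is consistent."""
    interfaces, statics, routes = parse_ios(config)
    findings = []
    roles = {i["nat"] for i in interfaces.values()}
    for role in ("inside", "outside"):
        if role not in roles:
            findings.append(f"no interface is marked 'ip nat {role}'")
    for local, glob in statics:
        addr = ipaddress.ip_address(local)
        # Interfaces that reach the inside-local address: connected subnet or a static
        # route whose next hop is an interface name (next-hop IP addresses are skipped).
        via = [n for n, i in interfaces.items() if i["network"] and addr in i["network"]]
        via += [nh for net, nh in routes if addr in net and nh in interfaces]
        via = list(dict.fromkeys(via))
        if not via:
            findings.append(f"{local}->{glob}: no connected subnet or interface route reaches {local}")
        elif not any(interfaces[n]["nat"] == "inside" for n in via):
            findings.append(f"{local}->{glob}: {local} is reached via {', '.join(via)}, "
                            "which is not marked 'ip nat inside'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, lint_static_nat(cfg) or "OK")
```

The lint only follows connected subnets and routes that name an interface; a static route with a next-hop IP address is deliberately not resolved, so a translation that depends on one shows up as unreachable and should be checked by hand.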

    Subject: RE: Issue with traffic from ucse interface NAT'd through router
    Replied by: Raymond Armstrong on 05-10-2012 08:24:41 AM
    Thanks guys, all appears to be working now.