Tshoot 300-135 (Infrastructure service) NAT

Ticket #6
R9 is translating 192.0.2.100 to the Server’s 10.9.9.100 address.
PC1 can’t ping the server at 192.0.2.100
Diagnose and resolve.
Don’t modify any NAT rules.

#### Try to ping the server 
PC1#ping 192.0.2.100

#### Try to ping the server
SW3#ping 192.0.2.100

#### Try to ping the server sourcing vlan100
SW3#ping 192.0.2.100 source vlan 100
#### Go to next-hop
R7#show ip cef 192.0.2.100
R7#traceroute 192.0.2.100 probe 1 timeout 1 ttl 1 22

#### Go to next-hop
R8#show ip cef 192.168.100.100
R8#ping 192.0.2.100
R8#traceroute 192.0.2.100

#### Ping PC1
R8#show ip cef 192.0.2.100

#### Go to next-hop
R9#show ip cef 192.168.100.100
#### There is no route back to PC1
#### Time for debug
R9(config)#access-list 110 permit ip any host 192.0.2.100
R9#debug ip packet 110

#### Try to ping server from PC1
PC1#ping 192.0.2.100

#### R8 doesn't know how to return to PC1
R8#traceroute 192.168.100.100 probe 1 timeout 1 ttl 1 22

#### Check what's blocking (ACL? Redistribution? Route-Map PBR?)
#### Discovered we have uRPF in strict mode
#### Check if uRPF is blocking any traffic
R8#show ip traffic
#### Even though uRPF is in strict mode, there is no asymmetric routing.
R8#show ip cef 192.168.100.100
R8#traceroute 192.168.100.100

#### Traffic satisfies uRPF strict mode, thus no need to remove the uRPF config
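
Added example, not configuration from the notes: what "uRPF in strict mode" looks like on the R8 interface, the loose-mode alternative beside it, and the commands that confirm the mode and the drop counter. The interface number is an assumption (the notes only show it as g2/x).

```cisco
! Added example: R8 interface with strict uRPF. GigabitEthernet2/0 is assumed (notes say g2/x).
interface GigabitEthernet2/0
 ! Strict mode: a packet is accepted only if the best route to its source points back out
 ! THIS interface. Return traffic arriving here while the route to its source prefers another
 ! link is silently dropped, which is why asymmetric routing had to be ruled out first.
 ip verify unicast source reachable-via rx
!
! Loose mode only requires that some route to the source exists, on any interface.
! It tolerates asymmetric paths while still dropping unroutable (spoofed, bogon) sources.
! interface GigabitEthernet2/0
!  ip verify unicast source reachable-via any
!
! Verification (exec mode):
! R8#show ip interface GigabitEthernet2/0 | include verify   <- shows the configured uRPF mode
! R8#show ip traffic | include RPF                           <- "unicast RPF" in the Drop line; a rising count means uRPF is discarding packets
! R8#show ip cef 192.168.100.100                             <- for strict mode the CEF egress toward PC1 must be the interface the packets enter on
```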
#### Time for debug
R8(config)#access-list 110 permit ip any host 192.0.2.100
R8#debug ip packet 110

#### Turn off cef on int to see the debug
R8(config)#int g2/x
R8(config-if)#no ip route-cache

#### Revert setting after the debug
R8#undebug all
R8(config-if)#ip route-cache cef
#### Time to dive deeper
#### Why is R7 changing source IP
R7#show run int g2/x
R7#show ip nat translations
R7 is performing NAT
#### Why this crazy NAT setting?
R7#show ip nat statistics

#### Discovered R7 has two NAT
#### Determine why using 2nd translation, not the first.
R7#show access-lists 167
R7#show access-lists 110
#### ACL 110 is not catching required traffic (source PC1)
R7(config)#ip access-list extended 110

#### Remove seq 10
R7(config-ext-nacl)#no 10
R7(config-ext-nacl)#permit ip 192.168.100.0 0.0.0.255 any

#### Clear NAT translation
R7#clear ip nat translation *

#### Verify fix
R7#show ip nat statistics
R7#show ip nat translations
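
Added example, not configuration from the notes: a reconstructed R7 NAT setup that reproduces the symptom above (two `ip nat inside source` rules, ACL 110 not matching PC1's subnet, so the ACL 167 rule translates the traffic), with the fix from the notes applied beside it. The interface numbers, the pool addresses and the pre-fix contents of ACL 110 seq 10 are assumptions; the ACL numbers, the PC1 subnet and the fix commands come from the notes.

```cisco
! Added example: reconstructed R7 NAT configuration. Interface numbers (the notes only say g2/x),
! the pool addresses and the pre-fix contents of ACL 110 seq 10 are assumed.
interface GigabitEthernet2/0
 description toward SW3 / PC1 (192.168.100.0/24)
 ip nat inside
!
interface GigabitEthernet2/1
 description toward R8
 ip nat outside
!
! Placeholder pool for the second rule (assumed addresses from the documentation range)
ip nat pool POOL_OTHER 203.0.113.1 203.0.113.10 netmask 255.255.255.0
!
! Rule 1 is meant for PC1's subnet; rule 2 is a catch-all. Because ACL 110 never permitted PC1's
! packets, the catch-all rule translated them, which is the unexpected source change seen on R8.
ip nat inside source list 110 interface GigabitEthernet2/1 overload
ip nat inside source list 167 pool POOL_OTHER overload
!
! BEFORE the fix (assumed): seq 10 names a different subnet, so 192.168.100.0/24 is never matched
ip access-list extended 110
 10 permit ip 192.168.10.0 0.0.0.255 any
!
ip access-list extended 167
 10 permit ip any any
!
! AFTER the fix (the commands used in the notes): replace seq 10 with an entry for PC1's subnet
ip access-list extended 110
 no 10
 permit ip 192.168.100.0 0.0.0.255 any
!
! Existing entries keep the old mapping until the translation table is cleared:
! R7#clear ip nat translation *
! R7#show ip nat statistics      <- the "Dynamic mappings" entries and their refcounts show which rule now matches
! R7#show ip nat translations
```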
#### R9 does not have a route to R7
R9#show ip cef 198.51.100.17
R9#show ip bgp

#### Is R9 filtering any prefix, or is the neighbor not advertising it?
R9#show ip protocols
R9#show ip protocols | sec bgp 9

#### Discovered R9 has an incoming filter
#### Check out the incoming filter (prefix-list) PL_DEFAULT
R9#show ip prefix-list
R9#show ip prefix-list PL_DEFAULT

#### Fix by removing the filter
R9(config)#no ip prefix-list PL_DEFAULT
R9#clear ip bgp * soft

#### Verify fix
R9#show ip bgp

Ticket #7
PC2 (192.168.200.100) can’t reach the server at 10.9.9.100
Diagnose and resolve.

#### traceroute shows drop on R7
SW4#ping 10.9.9.100
SW4#traceroute 10.9.9.100

#### From R7, Path to server is good
R7#show ip cef 10.9.9.100

#### From R7, Path to PC2 is good
R7#show ip cef 192.168.200.100

#### Discovered asymmetric routing that traverses almost all devices
#### No time to troubleshoot one device at a time in the exam.

#### Time for debug
R7(config)#access-list 100 permit ip any host 10.9.9.100
R7#debug ip packet 100
R7(config)#int gx/x
R7(config-if)#no ip route-cache

#### Revert setting after debug
R7(config)#int gx/x
R7(config-if)#ip route-cache cef
R7#undebug all
Looks like traffic is coming from 10.12.12.10
#### Go to R1 having network 10.12.12.0
R1#show ip nat statistics
R1#show ip nat translations
The output does not show an interface name; check the NVI (NAT virtual interface) variants instead
R1#show ip nat nvi statistics
R1#show ip nat nvi translations
#### Now that we understand R1 is doing NAT, check if R1 can reach the server
R1#ping 10.9.9.9 source 10.12.12.1
R1#traceroute 10.9.9.9 source 10.12.12.1 probe 1 timeout 1 ttl 1 22

#### Traceroute drops at R8
#### Check if R8 has route to PC2
R8#show ip cef 192.168.200.100
R8#traceroute 192.168.200.100 source 192.0.2.8 probe 1 timeout 1 ttl 1 22

#### Check if R8 has route to R1
R8#show ip cef 10.12.12.0
R8#traceroute 10.12.12.1 source 192.0.2.8 probe 1 timeout 1 ttl 1 22

Even when meticulously following a solid troubleshooting method, sometimes we have to choose one direction to pursue. In this example: disable NAT, or fix the route back to R1.

#### Choose the option of fixing the route back to R1
R1#show ip route 10.12.12.0
#### No issue found on R1

#### Move on to next-hop
SW2#show ip ospf database external 10.12.12.0
SW2#show ip ospf border-routers
#### No issues found on SW2

#### Move on to next-hop
R7#show ip route 10.12.12.0
R7#show ip bgp 10.12.12.0
R7#show run | sec router bgp
#### Check out the route-map
R7#show route-map
R7#show route-map RM_OSPF->BGP

#### Follow the route-map to prefix-list
R7#show ip prefix-list
R7#show ip prefix-list PL_OSPF->BGP
10.12.12.0 prefix is not present
#### Fix by adding the missing prefix
R7(config)#ip prefix-list PL_OSPF->BGP permit 10.12.12.0/24
R7#clear ip bgp *
R7#clear ip bgp * soft

#### Verify fix
R7#show ip bgp 10.12.12.0
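
Added example covering both prefix-list findings (the R9 inbound filter PL_DEFAULT in Ticket #6 and the R7 redistribution filter PL_OSPF->BGP in Ticket #7), not configuration from the notes: the filtering statements that produce each symptom, with the fix beside them. AS numbers, the OSPF process id, the R9 neighbor statement and the pre-fix list contents are assumptions; the list and route-map names, the neighbor address 198.51.100.17 and the fix commands are from the notes.

```cisco
! ===== R9 (Ticket #6): inbound prefix-list on the BGP session toward R7 =====
! AS numbers and the neighbor statement are assumed; 198.51.100.17 is the R7 address the notes test.
router bgp 9
 neighbor 198.51.100.17 remote-as 7
 neighbor 198.51.100.17 prefix-list PL_DEFAULT in
!
! As the name suggests, the list admits only the default route. A prefix list ends with an implicit
! deny, so every other prefix the neighbor advertises (including the route back to R7/PC1) is dropped.
ip prefix-list PL_DEFAULT seq 5 permit 0.0.0.0/0
!
! The fix in the notes removes the filter and refreshes the session without tearing it down:
! R9(config)#no ip prefix-list PL_DEFAULT
! R9#clear ip bgp * soft
! Conservative alternative (assumed prefix and mask): keep the list and add what is missing
! ip prefix-list PL_DEFAULT seq 10 permit 198.51.100.16/28
!
! ===== R7 (Ticket #7): OSPF-to-BGP redistribution gated by a route-map =====
router bgp 7
 redistribute ospf 1 route-map RM_OSPF->BGP       ! OSPF process id assumed
!
route-map RM_OSPF->BGP permit 10
 match ip address prefix-list PL_OSPF->BGP
!
! BEFORE (assumed contents): the list carries other OSPF prefixes but not 10.12.12.0/24, so that
! route never enters BGP and R8 has no path back to R1's NAT address.
ip prefix-list PL_OSPF->BGP seq 5 permit 192.168.200.0/24
!
! AFTER (the fix in the notes): add the missing prefix, then soft-clear so the policy is re-applied.
ip prefix-list PL_OSPF->BGP seq 10 permit 10.12.12.0/24
! R7#clear ip bgp * soft
! R7#show ip bgp 10.12.12.0
```

Ticket #7 issues both a hard `clear ip bgp *` and the soft variant; the soft clear alone re-applies a changed policy, while the hard clear resets every BGP session on the router.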
