
Re: NAT on loopback interface

 
_blkdog
Occasional Advisor

NAT on loopback interface

It concerns 7102 router.
I'd like to NAT several networks attached to different interfaces. Being lazy enough not to configure access-policy on each interface I created loop int for NATting

interface loop 1
ip address 192.168.0.104 255.255.255.255
no shutdown
access-policy NAT

ip policy-class NAT
nat destination list NAT_ACCESS address 192.168.2.70

ip access-list extended NAT_ACCESS
permit gre 192.168.0.0 0.0.1.255 host 192.168.0.104
permit tcp 192.168.0.0 0.0.1.255 host 192.168.0.104 eq 1723

So it means that I want to NAT all the PPTP traffic to the 192.168.2.70/30 server.

Although it works with separate interfaces it does not with the loopback.
Moreover, even applying explicit discard-all access-policy on the loopback does not affect the traffic over that interface whatsoever.
Is this a bug or a feature? I spent 2 hours investigating this issue with no apparent result. Please share your opinion on this.
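Added illustration, not part of the original post and not vendor code: a small evaluator for the NAT_ACCESS list exactly as posted, showing which packets it selects for destination NAT. It assumes the usual wildcard-mask semantics (bits set in the mask are ignored) and an implicit deny at the end of the list; the function names and sample packets are constructed for this example, and it says nothing about whether the router enforces the policy on the loopback.

```python
import ipaddress

def ip(s):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit NOT set in the wildcard mask."""
    return (ip(addr) ^ ip(base)) & ~ip(wildcard) & 0xFFFFFFFF == 0

def source_range(base, wildcard):
    """First and last address covered (valid for contiguous masks such as 0.0.1.255)."""
    lo = ip(base) & ~ip(wildcard) & 0xFFFFFFFF
    hi = lo | ip(wildcard)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))

# NAT_ACCESS as posted: (protocol, source base, source wildcard, destination host, port)
NAT_ACCESS = [
    ("gre", "192.168.0.0", "0.0.1.255", "192.168.0.104", None),
    ("tcp", "192.168.0.0", "0.0.1.255", "192.168.0.104", 1723),
]

def matches_nat_access(proto, src, dst, dport=None):
    """Return True if a packet is permitted by NAT_ACCESS (i.e. selected for NAT)."""
    for a_proto, base, wc, host, port in NAT_ACCESS:
        if proto != a_proto:
            continue
        if not wildcard_match(src, base, wc):
            continue
        if ip(dst) != ip(host):
            continue
        if port is not None and dport != port:
            continue
        return True
    return False  # assumed implicit deny: packet is not translated

if __name__ == "__main__":
    print("source range:", source_range("192.168.0.0", "0.0.1.255"))
    # Constructed sample packets: (protocol, source, destination, destination port)
    samples = [
        ("gre", "192.168.1.20", "192.168.0.104", None),   # PPTP data channel
        ("tcp", "192.168.0.77", "192.168.0.104", 1723),   # PPTP control channel
        ("tcp", "192.168.0.77", "192.168.0.104", 80),     # other TCP to the loopback
        ("tcp", "192.168.2.70", "192.168.0.104", 1723),   # source outside the /23
    ]
    for pkt in samples:
        print(pkt, "->", "NAT to 192.168.2.70" if matches_nat_access(*pkt) else "no match")
```

The mask 0.0.1.255 makes the source range 192.168.0.0 through 192.168.1.255, so the loopback address 192.168.0.104 itself falls inside the permitted sources.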
6 REPLIES 6
Mohieddin Kharnoub
Honored Contributor

Re: NAT on loopback interface

Hi

I think you should check this:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

Good Luck !!!
Science for Everyone
_blkdog
Occasional Advisor

Re: NAT on loopback interface

Nice link, thanks a lot. This is almost the exact setup that I want to configure myself, and I bet on Cisco it would work like a charm.
But like I said before, on the 7102 even a simple access-policy applied to the loopback does not work. For example:

interface loop 1
ip address 192.168.0.104 255.255.255.255
no shutdown
access-policy TEST

ip policy-class TEST
allow list ONLYONEHOST

ip access-list standard ONLYONEHOST
permit host 192.168.0.77

Despite access-policy TEST I am able to access loop1 interface from any address, not only from host 192.168.0.77.

I suspect that the fast-switching is implicitly enabled on loop1 and going to check it after the weekend. If it is not the case I am again clueless about what is wrong with my setup.
Mohieddin Kharnoub
Honored Contributor

Re: NAT on loopback interface

Have you tried this policy on a physical interface?

What's your firmware version?

Good Luck !!!
Science for Everyone
_blkdog
Occasional Advisor

Re: NAT on loopback interface

Not exactly this policy because all the real/production interfaces already have applied policies and I don't exactly have time to build a new circuit for the simulation.
Firmware - the latest - 8.03

Have you spotted any mistake in that config? I guess the part of the config with the loop interface could be easily replicated so you may see it for yourself.

As part of an extra check I entered this config into a Cisco 3660, with some adjustments, of course. As I expected, Cisco can regulate access to the loop interface.
Matt Hobbs
Honored Contributor

Re: NAT on loopback interface

I'd open a case with HP to see if this is expected behaviour or something that can be fixed in a software update.
_blkdog
Occasional Advisor

Re: NAT on loopback interface

How am I supposed to do so?