Computer networks
Harry, 2020-04-21 23:18:10

NAT over iBGP through tunnels with MPLS TE, why pings go and the web does not open?

Good day, ladies and gentlemen! A very difficult question, over which I have fought along with two more specialists much cooler than me. But unfortunately they don’t have quarantine and access now (we can’t give it).
So, imagine the scheme: two routers, between which there are GRE tunnels with MPLS + TE, and BGP (AS200, i.e. iBGP) is raised.
Behind the first network 192.168.38.0/24
Behind the second is 192.168.113.2/30, nat outside. The web server that we want to "reach out" to, 192.168.13.3, is located behind the gateway 192.168.113.1, which is NATted accordingly.
192.168.13.3 is available through 192.168.113.1. Also, behind the second there is another network, 10.32.0.0/24; from it, 192.168.13.3 opens on the WEB! But from 192.168.38.0/24 it does NOT open.
And so, when I try to open node 192.168.13.3 from the network 192.168.38.0/24, I see that NAT works:
sh ip nat translations | i 192.168.13.3
Everything is OK! Accordingly, the pings are ideal from ALL nodes, both 192.168.38.0/24 and 10.32.0.0/24.
I played with MTU and ip tcp adjust-mss, nothing helped.
Tell me where to dig? A very specific problem, but perhaps someone has come across it?
I will wait for questions, I can’t give a complete config, unfortunately, but of course I’ll throw off the parts that I need.

3 answer(s)
Paperetto, 2020-04-22
@Paperetto

Try to check ping google.com
If there is no resolution, then I can assume that your DNS servers are not resolving. If the access is only to the local web, then you can put the domain name on the IP address and see if it resolves from the target device to confirm that the networks have the same domain space. Perhaps the iptables setting is also needed, because pings go as icmp packets, unlike the web.

xmoonlight, 2020-04-22
@xmoonlight

192.168.13.3 - check the return route and traffic policy settings on it.

Harry, 2020-04-22
@garriad

As it turned out, NAT does not work on TCP traffic; everything is OK with ICMP.
On the web, colleagues launched a sniffer and saw that a packet was coming from 192.168.38.xx. How is this possible?
Here is the NAT access-list:
permit ip 192.168.38.0 0.0.0.255 host 192.168.13.3
deny ip any any
How so? After all, it is not specified like this here; if it were, that would be logical:
permit icmp 192.168.38.0 0.0.0.255 host 192.168.13.3
deny tcp 192.168.38.0 0.0.0.255 host 192.168.13.3
deny ip any any
How is this possible?
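
The check this follow-up points to, as an added example that is not part of the thread: instead of grepping `sh ip nat translations` for the destination alone, group the matching entries by protocol so that an ICMP-only result stands out. The sample output is constructed in the IOS column layout, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the column layout of Cisco IOS `show ip nat translations`:
# Pro, Inside global, Inside local, Outside local, Outside global.
SAMPLE_ICMP_ONLY = """\
Pro Inside global       Inside local        Outside local     Outside global
icmp 192.168.113.2:7    192.168.38.10:7     192.168.13.3:7    192.168.13.3:7
icmp 192.168.113.2:9    192.168.38.25:9     192.168.13.3:9    192.168.13.3:9
--- 192.168.113.2       192.168.38.10       ---               ---
"""
# Constructed healthy case: the same table plus a TCP entry to port 80.
SAMPLE_HEALTHY = SAMPLE_ICMP_ONLY + (
    "tcp 192.168.113.2:4100  192.168.38.10:4100  192.168.13.3:80   192.168.13.3:80\n"
)

def _host(field):
    """Drop the :port/:id suffix; return None for '---' placeholders."""
    return None if field.startswith("-") else field.rsplit(":", 1)[0]

def translated_protocols(output, src_net, dest):
    """Protocols that have a translation from src_net towards dest."""
    net = ipaddress.ip_network(src_net)
    protos = set()
    for line in output.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue  # header, blank or wrapped line
        proto, _in_global, in_local, out_local, _out_global = cols
        src, dst = _host(in_local), _host(out_local)
        if src is None or dst != dest:
            continue  # static entry or a different destination
        if ipaddress.ip_address(src) in net:
            protos.add(proto)
    return protos

def missing_protocols(output, src_net, dest, wanted=("icmp", "tcp")):
    """Wanted protocols for which no translation entry exists."""
    seen = translated_protocols(output, src_net, dest)
    return sorted(p for p in wanted if p not in seen)

if __name__ == "__main__":
    for name, text in (("icmp-only", SAMPLE_ICMP_ONLY), ("healthy", SAMPLE_HEALTHY)):
        gap = missing_protocols(text, "192.168.38.0/24", "192.168.13.3")
        print(name, "-> missing:", gap or "none")
```

Entries age out, so capture the table while a browser on 192.168.38.0/24 is actively trying to load the page.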
