Well, so much for this weeke... this mon... this year.
Sleep schedule got shafted this weekend. Guess I know what I'm doing tomorrow.
Queue random junk:
Me: also, the routing table thing is kinda cool. http://127.0.0.1:65535/Orion/NetPerfMon/NodeDetails.aspx?NetObject=N:5
though I worry slightly at regularly polling that much information via SNMP.
Me: HAH. mobage support request form includes an "Emotional State" drop-down box. I am amused by this.
Co-Worker: Heh
Co-Worker: How come A01 only has BGP neighbours?
Me: probably for the same reason A02 only has BGP neighbours
Co-Worker: How come $NEWFEATURE only half-assed works?
Me: Because "Feature".
Queue cisco stuff:
Ran into the need to NAT traffic entering an 'outside' interface via a crypto map a while back. There were far more rational solutions to deal with this scenario, but, you know - the real world never has time for rational solutions.
In this case, ASA for SSL Mobility clients.
IPSEC Crypto-map from ASA to existing corporate gateway for LAN access (servers and junk). Could just NAT the ASA LAN traffic directly, but... real world, remember?
Traffic from 192.168.100.0/24 hits lo255 on R1, then gets NAT'd.
Queue visual aid:
Forgive the crudeness of the diagram. Diagramming on a laptop touch-pad and all that.
Since packets enter R1 from its 'ip nat outside' interface, it's too late to NAT them directly. Can't use a pseudo 'tunnel' interface because of the ASA...
So, punt them à la route-map to an 'inside' interface so that NAT can occur, and then they're sent back out the interface from which they came.
Using 'set ip next-hop 192.168.255.2' in the route-map, rather than 192.168.255.1, seemed to work, much to my surprise. I expect it has something to do with NAT order of operation, but I can't see why exactly.
Queue code:
hostname R1
!
crypto map gi0-0-out 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set AES256
 match address 100
!
interface Loopback255
 description Loopback target for NAT hairpin
 ip address 192.168.255.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 ip nat outside
 ip policy route-map TELECOMMUTER-HAIRPIN
 crypto map gi0-0-out
!
route-map TELECOMMUTER-HAIRPIN permit 10
 match ip address HAIRPIN
 ! Still a bit fuzzy on this one, but I believe redirect to a host on lo255's subnet
 ! rather than the address, so the packets hit the 'interface'
 set ip next-hop 192.168.255.2
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
access-list 100 remark ASA Interesting Traffic
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
!
access-list 101 remark Don't NAT traffic to ASA LAN subnet, so it gets picked up by crypto map
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark Inside subnets to NAT
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended HAIRPIN
 remark For route-map to NAT traffic arriving via ASA crypto map
 remark Don't punt LAN-to-LAN traffic
 deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Redirect everything else
 permit ip 192.168.100.0 0.0.0.255 any
!
end
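The part of this that is easy to get wrong is the wildcard-mask logic in HAIRPIN and access-list 101: one is the punt decision, the other is the NAT decision, and the comments in the config describe what they are meant to do rather than what they match. The following is an added check, not code from the post: a small Cisco-style wildcard ACL evaluator that replays the two lists above against a few constructed flows and reports, per packet, whether the route-map would punt it to lo255 and whether list 101 would translate it on the way back out Gi0/0. The flow addresses are constructed sample values, and the evaluator models only 'permit/deny ip SRC WC DST WC' entries with the implicit deny at the end.

```python
import ipaddress

# Added illustration, not code from the post: replays the post's HAIRPIN and
# access-list 101 entries against constructed flows. Models only
# 'permit|deny ip SRC WILDCARD DST WILDCARD' (and 'any'), first match wins,
# implicit deny at the end, like IOS.


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def parse_ace(line):
    """Parse one entry into (action, (src_base, src_wc), (dst_base, dst_wc))."""
    tokens = line.split()
    action = tokens[0]
    rest = tokens[2:]  # drop the 'ip' protocol keyword

    def take():
        if rest[0] == "any":
            rest.pop(0)
            return ("0.0.0.0", "255.255.255.255")
        base, wc = rest[0], rest[1]
        del rest[:2]
        return (base, wc)

    src = take()
    dst = take()
    return (action, src, dst)


def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of the list."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# The post's two lists, remarks and 'access-list 101' prefixes stripped.
HAIRPIN = [
    "deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "permit ip 192.168.100.0 0.0.0.255 any",
]
NAT_LIST_101 = [
    "deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "permit ip 192.168.0.0 0.0.0.255 any",
]


def punted_to_lo255(src, dst):
    """True if route-map TELECOMMUTER-HAIRPIN would set next-hop 192.168.255.2."""
    return acl_action(HAIRPIN, src, dst) == "permit"


def translated_by_list_101(src, dst):
    """True if 'ip nat inside source list 101' would translate this flow."""
    return acl_action(NAT_LIST_101, src, dst) == "permit"


def hairpin_decision(src, dst):
    """Both decisions for a packet arriving on Gi0/0 from the ASA crypto map."""
    return {
        "punted_to_lo255": punted_to_lo255(src, dst),
        "translated_by_list_101": translated_by_list_101(src, dst),
    }


if __name__ == "__main__":
    # Constructed sample flows (203.0.113.7 is a documentation address).
    flows = [
        ("192.168.100.10", "192.168.0.5"),   # telecommuter to corporate LAN
        ("192.168.100.10", "203.0.113.7"),   # telecommuter to the Internet
        ("192.168.0.5", "203.0.113.7"),      # LAN host to the Internet
        ("192.168.0.5", "192.168.100.20"),   # LAN host back to a telecommuter
    ]
    for src, dst in flows:
        print(f"{src:>15} -> {dst:<15} {hairpin_decision(src, dst)}")
```

Running it shows the HAIRPIN list doing exactly what its remarks say: telecommuter-to-LAN traffic is left alone and everything else from 192.168.100.0/24 is punted. It also shows that list 101, as posted, only ever permits a source in 192.168.0.0/24, so a punted packet from 192.168.100.0/24 matches neither entry and falls through to the implicit deny; that is worth comparing against the description of 192.168.100.0/24 being NAT'd after hitting lo255 before copying the list into a live box.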
Queue another Youtube video. The name "Porter Robinson" conjures up something completely different from this in my mind. Not sure why.