PAT on a PPP Link

ednard · June 2014

I’m having trouble getting this to work and it’s infuriating me. I’ve set up a PPP link between the two branches, and I’ve enabled NAT overload (PAT) on them with what I believe to be the correct set up. I've used the following to enable it, can anyone identify where I'm going wrong?

Dundee(config)#int fa0/0
Dundee(config-if)#ip nat inside
Dundee(config-if)#int s0/0/0
Dundee(config-if)#ip nat outside
Glasgow(config)#int fa0/0
Glasgow(config-if)#ip nat inside
Glasgow(config-if)#int s0/0/0
Glasgow(config-if)#ip nat outside

Dundee(config)#access-list 1 permit 192.168.0.0 0.0.255.255
Dundee(config)#ip nat inside source list 1 int s0/0/0 overload

Glasgow (config)#access-list 1 permit 192.168.0.0 0.0.255.255
Glasgow(config)#ip nat inside source list 1 int s0/0/0 overload

I can't even ping from Glasgow PC to the Glasgow inside global address (200.100.50.2), or Dundee (200.100.50.2)

Any ideas?

tomtom1 · June 2014

That should work. Is the default gateway setup correctly on the PC? Quick troubleshooting:

1. Can the Glasgow PC ping the glasgow default gateway?
2. Can the Glasgow router ping the Dundee router?

ednard · June 2014

Both PC's are set up with Default Gateway's of 192.168.1.1

Glasgow PC can ping the inside local address (obviously), but it can't ping the outside local address of Glasgow, or the outside global of Dundee, I get "Destination Host Unreachable" for both.

ednard · June 2014

The problem doesn't seem to be that actually, I can't actually ping Router to Router, which is weird.

Jon_Cisco · June 2014

I'm not sure whats wrong but are you sure everything else is configured correctly?
Are the routers communicating but the nat failing?
Does it show anything in the "#show ip nat translations"

ednard · June 2014

Jon_Cisco wrote: »

I'm not sure whats wrong but are you sure everything else is configured correctly?
Are the routers communicating but the nat failing?
Does it show anything in the "#show ip nat translations"

I've configured PPP and CHAP on both serial interfaces, and set on the clock rate on the Glasgow Router.

Here's my "show int s0/0/0" for the Glasgow Router:

show int s0/0/0
Serial0/0/0 is up, line protocol is down (disabled)
Hardware is HD64570
Internet address is 200.100.50.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Closed
Closed: LEXCP, BRIDGECP, IPCP, CCP, CDPCP, LLC2, BACP
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

Here's the "show int s0/0/0" for the Dundee Router:

Dundee#show int s0/0/0
Serial0/0/0 is up, line protocol is down (disabled)
Hardware is HD64570
Internet address is 200.100.50.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Closed
Closed: LEXCP, BRIDGECP, IPCP, CCP, CDPCP, LLC2, BACP
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

ednard · June 2014

Also, when I use "show ip nat translations", I get the following blank...

Dundee#show ip nat translations
Dundee#

Nothing comes up?

tomtom1 · June 2014

Could you post the relevant s0/0/0 configuration for both routers?

Jon_Cisco · June 2014

I think we can ignore NAT until the protocol is up. You might get some info if you debug ppp.

ednard · June 2014

This is the output from debugging the Glasgow branch PPP. I've never used debugging on PPP so I'm unsure of these outputs to be honest.

Glasgow#debug ppp neg
PPP protocol negotiation debugging is on
Glasgow#
*Mar 01, 01:42:48.4242: Serial0/0/0 IPCP: I CONFREQ [Closed] id 1 len 10
*Mar 01, 01:42:48.4242: Serial0/0/0 IPCP: O CONFACK [Closed] id 1 len 10
*Mar 01, 01:42:49.4242: Serial0/0/0 LCP: State is Open
*Mar 01, 01:42:49.4242: Serial0/0/0 PPP: Phase is AUTHENTICATING
*Mar 01, 01:42:49.4242: Serial0/0/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 01, 01:42:49.4242: Serial0/0/0 IPCP: I CONFACK [Closed] id 1 len 10
*Mar 01, 01:42:51.4242: Serial0/0/0 IPCP: I CONFREQ [Closed] id 1 len 10
*Mar 01, 01:42:51.4242: Serial0/0/0 IPCP: O CONFACK [Closed] id 1 len 10
*Mar 01, 01:42:54.4242: Serial0/0/0 IPCP: I CONFREQ [Closed] id 1 len 10
*Mar 01, 01:42:54.4242: Serial0/0/0 IPCP: O CONFACK [Closed] id 1 len 10
*Mar 01, 01:42:55.4242: Serial0/0/0 LCP: State is Open
*Mar 01, 01:42:55.4242: Serial0/0/0 PPP: Phase is AUTHENTICATING
*Mar 01, 01:42:55.4242: Serial0/0/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar 01, 01:42:55.4242: Serial0/0/0 IPCP: I CONFACK [Closed] id 1 len 10
*Mar 01, 01:42:56.4242: Serial0/0/0 IPCP: I CONFREQ [Closed] id 1 len 10
*Mar 01, 01:42:56.4242: Serial0/0/0 IPCP: O CONFACK [Closed] id 1 len 10
*Mar 01, 01:42:59.4242: Serial0/0/0 IPCP: I CONFREQ [Closed] id 1 len 10
*Mar 01, 01:42:59.4242: Serial0/0/0 IPCP: O CONFACK [Closed] id 1 len 10
*Mar 01, 01:43:00.4343: Serial0/0/0 LCP: State is Open
*Mar 01, 01:43:00.4343: Serial0/0/0 PPP: Phase is AUTHENTICATING

tomtom1 · June 2014

Jon_Cisco wrote: »

I think we can ignore NAT until the protocol is up. You might get some info if you debug ppp.

Correct. I've labbed this out in GNS3 using 4 routers, no problem.

R1

R1#sh run | i username
username R2 password 7 0822455D0A16
R1#sh run | i access-list
access-list 10 permit 192.168.1.0 0.0.0.255
R1#sh run | i ip nat
ip nat inside source list 10 interface Serial0/0 overload

R1#sh run int s0/0
Building configuration...


Current configuration : 180 bytes
!
interface Serial0/0
 ip address 200.100.50.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ppp authentication chap
 clock rate 2000000
 ppp chap password 7 071B2E415A0614
end

R1#sh run int fa0/0
Building configuration...


Current configuration : 149 bytes
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
end

R2

R2#sh run | i username
username R1 password 7 0822455D0A16
R2#sh run | i access-list
access-list 10 permit 192.168.2.0 0.0.0.255
R2#sh run | i ip nat inside source
ip nat inside source list 10 interface Serial0/0 overload


R2#sh run int s0/0
Building configuration...


Current configuration : 180 bytes
!
interface Serial0/0
 ip address 200.100.50.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ppp authentication chap
 clock rate 2000000
 ppp chap password 7 0310540612002C
end

From a client (router) with default gateway pointing to R1:

R3#ping 200.100.50.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.100.50.2, timeout is 2 seconds:
!!!!!

And during that ping, on R1:

R1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 200.100.50.1:3    192.168.1.2:3      200.100.50.2:3     200.100.50.2:3

tomtom1 · June 2014

ednard wrote: »

This is the output from debugging the Glasgow branch PPP. I've never used debugging on PPP so I'm unsure of these outputs to be honest.

Could you show interface (s0/0/0) configuration + the username you've configured.

ednard · June 2014

Dundee

Dundee#show run
!
username Glasgow password 7 0806404F1A1E0A00
username elliott password 7 082A494B071C
username judy password 7 082C4D57
!
!
interface Serial0/0/0
 ip address 200.100.50.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ip nat outside
!

Glasgow

Glasgow#show run
!username Dundee password 7 080559400D1C00
username elliott password 7 082A494B071C
username judy password 7 082C4D57
!
!
interface Serial0/0/0
 ip address 200.100.50.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ip nat outside
 clock rate 128000
!

It appears that the password isn't set?

tomtom1 · June 2014

Try the following commands

Dundee:

username Glasgow password 0 techexams
int s0/0/0
ppp chap password 0 techexams

Glasgow

username Dundee password 0 techexams
int s0/0/0
ppp chap password 0 techexams

ednard · June 2014

Dundee(config-if)#username Glasgow password 0 techexams
Dundee(config)#int s0/0/0
Dundee(config-if)#ppp chap password 0 techexams
                      ^
% Invalid input detected at '^' marker.

I don't think PacketTracer supports this? But I'm about to test the whole thing on actual equipment, so I will try this on the real lab equipment and let you know. You're a hero if this work, it's been bugging me all day.

tomtom1 · June 2014

Why don't you try GNS3? Works like a charm and a lot better than PT if you ask me. You only need to configure routers as clients, since it doesn't have the PC capability PT does.

mikeybinec · June 2014

You debug output shows your problems at the authentication area. Since you are using CHAP you should be seeing terms like CHALLENGE, RESPONSE ETC. as in the ouput below

*Aug 23 18:19:55.063: Se0/0/1 CHAP: O CHALLENGE id 48 len 23 from "R2"
*Aug 23 18:19:55.067: Se0/0/1 CHAP: I CHALLENGE id 2 len 23 from "R3"
*Aug 23 18:19:55.067: Se0/0/1 CHAP: Using hostname from unknown source
*Aug 23 18:19:55.067: Se0/0/1 CHAP: Using password from AAA
*Aug 23 18:19:55.067: Se0/0/1 CHAP: O RESPONSE id 2 len 23 from "R2"
*Aug 23 18:19:55.071: Se0/0/1 CHAP: I RESPONSE id 48 len 23 from "R3"
*Aug 23 18:19:55.071: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Aug 23 18:19:55.071: Se0/0/1 PPP: Received LOGIN Response PASS
*Aug 23 18:19:55.071: Se0/0/1 PPP: Sent LCP AUTHOR Request
*Aug 23 18:19:55.075: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Aug 23 18:19:55.075: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
*Aug 23 18:19:55.075: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 14 of 20
CCNA Exploration
Accessing the WAN: PPP Lab 2.5.1: Basic PPP Configuration Lab
*Aug 23 18:19:55.075: Se0/0/1 CHAP: O SUCCESS id 48 len 4
*Aug 23 18:19:55.075: Se0/0/1 CHAP: I SUCCESS id 2 len 4
*Aug 23 18:19:55.075: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
*Aug 23 18:19:55.075: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
*Aug 23 18:19:55.079: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Aug 23 18:19:56.075: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config-if)#
*Aug 23 18:20:05.135: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.30.1 on

mikeybinec · June 2014

also, I didnt see a clock on the Glasgow serial interface (DCE)

ednard · June 2014

tomtom1 wrote: »

Why don't you try GNS3? Works like a charm and a lot better than PT if you ask me. You only need to configure routers as clients, since it doesn't have the PC capability PT does.

Thank you so much for your help, tomtom1. It was the password that I hadn't set to authenticate the connection between the links. It all worked perfectly. I was testing the topology on PT before implementing in an actual lab and sure enough, it worked in the lab but I couldn't set the password in PT.

I'll give GNS a download and have a play around to get used to it, thanks again.

Jon_Cisco · June 2014

Packet Tracer is a great tool to start with. I especially like the simulation mode for seeing where something fails.

Once you get into you study a little further GNS3 will allow you to see all of the options available. You can use a lot more debugging with GNS3 where packet tracer has almost non.

I'm glad you figured it out!

tomtom1 · June 2014

Sure, have fun

ednard · June 2014

Jon_Cisco wrote: »

Packet Tracer is a great tool to start with. I especially like the simulation mode for seeing where something fails.

Once you get into you study a little further GNS3 will allow you to see all of the options available. You can use a lot more debugging with GNS3 where packet tracer has almost non.

I'm glad you figured it out!

Thanks for the help too, Jon. Appreciated.

PAT on a PPP Link

Comments