
Dynamic NAT problem

NightEye00 Member Posts: 21
Hi everyone,


I just have a question: why doesn't dynamic NAT in my PT-lab operate at all?


The design includes 2 routers connected to each other via the subnet 211.90.33.0 /25 (router interface IPs: 211.90.33.41 and .42, interfaces Fa1/0 on Router1 and Fa0/0 on Router2).
Two hosts are connected to each router; the hosts have the IPs 172.20.10.2 /28, 172.20.20.2 /28, 172.20.30.2 /28 and 172.20.40.2 /28 (the gateway IPs are the .1 addresses of these subnets, correctly configured on all the hosts).
As I said, I'd like to make dynamic NAT work.


The configuration on the two routers is as follows:


Router1:


interface FastEthernet0/0
ip address 172.20.10.1 255.255.255.240
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.20.20.1 255.255.255.240
ip nat inside
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 210.90.33.41 255.255.255.128
ip access-group 11 out
ip nat outside
duplex auto
speed auto


ip nat pool Test1 210.90.33.1 210.90.33.5 netmask 255.255.255.128
ip nat inside source list 11 pool Test1
ip classless
!
access-list 11 permit 172.20.10.0 0.0.0.16
access-list 11 permit 172.20.20.0 0.0.0.16


On Router2:


interface FastEthernet0/0
ip address 210.90.33.42 255.255.255.128
ip access-group 22 out
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.20.30.1 255.255.255.240
ip nat inside
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 172.20.40.1 255.255.255.240
ip nat inside
duplex auto
speed auto


ip nat pool Test2 210.90.33.6 210.90.33.10 netmask 255.255.255.128
ip nat inside source list 22 pool Test2
ip classless
!
access-list 22 permit 172.20.30.0 0.0.0.16
access-list 22 permit 172.20.40.0 0.0.0.16


Do you have any idea why this configuration doesn't work?


Thank you in advance! :)

Comments

  • DCD Member Posts: 473
    First, use a more conventional wildcard mask on your access list. Next, before you added the NAT configuration, could both networks pass packets between both sides? Also, you are wasting a lot of address space in your NAT pools.
  • NightEye00 Member Posts: 21
    Hi,

    thanks for your answer!

    Anyway, I corrected my config, but it still doesn't work:

    Router1:

    interface FastEthernet0/0
    ip address 172.20.10.1 255.255.255.240
    ip nat inside
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 172.20.20.1 255.255.255.240
    ip nat inside
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 210.90.33.41 255.255.255.128
    ip access-group 11 out
    ip nat outside
    duplex auto
    speed auto
    !
    ip nat pool Test1 210.90.33.1 210.90.33.2 netmask 255.255.255.252
    ip nat inside source list 11 pool Test1 overload
    ip classless
    !
    access-list 11 permit host 172.20.10.2
    access-list 11 permit host 172.20.20.2


    Router2:


    interface FastEthernet0/0
    ip address 210.90.33.42 255.255.255.128
    ip access-group 22 out
    ip nat outside
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 172.20.30.1 255.255.255.240
    ip nat inside
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 172.20.40.1 255.255.255.240
    ip nat inside
    duplex auto
    speed auto
    !

    ip nat pool Test2 210.90.33.5 210.90.33.6 netmask 255.255.255.252
    ip nat inside source list 22 pool Test2 overload
    ip classless
    !
    access-list 22 permit host 172.20.30.2
    access-list 22 permit host 172.20.40.2

    What am I doing wrong? :S
  • DCD Member Posts: 473
    What is your source material for this configuration? You can put your PT file on Dropbox or Gdrive. You still have an L3 problem based on your config file. Which version of NAT are you trying to use: dynamic NAT, PAT or dynamic PAT? Why are you using ip access-group?
    You need to use these two commands: “show ip nat translation” and “debug ip nat”.
    The best way to do it is to take out the NAT configuration and verify that networks 172.20.10.0 and 172.20.20.0 can reach networks 172.20.30.0 and 172.20.40.0, then make sure it works in the reverse. After that, configure your NAT on R1 and verify that it is NATing correctly, then configure NAT on R2.
  • NightEye00 Member Posts: 21
    Hi,

    What I did so far:

    1. I deleted the access list from the "out" direction and set it to "in" on the same interface on Router1 (on the other router I deleted the whole ACL); however, this time I modified the statement in order to permit only the IP addresses from Router2's NAT pool.
    The logic: if some hosts from a private network send IP traffic towards the Internet, which therefore uses public addresses, NAT changes the addresses - OK. After a private address has been changed to a public one, an "out" ACL would be incorrect because it wouldn't allow the already NATted outgoing traffic in the direction of Router2 - OK. But with an ACL allowing the inbound traffic on Router1 from Router2's NAT pool, traffic can pass the interface on Router1 and, because Router2 doesn't have any ACLs configured, it won't deny any traffic from Router1.
    I thought it should work, but it doesn't.

    2. After that I deleted the dynamic NAT and replaced it with static NAT, without any ACLs on either router, as follows:


    Router1:


    interface FastEthernet0/0
    ip address 172.20.10.1 255.255.255.240
    ip nat inside
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 172.20.20.1 255.255.255.240
    ip nat inside
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 210.90.33.41 255.255.255.128
    ip nat outside
    duplex auto
    speed auto
    !
    ip nat inside source static 172.20.10.2 210.90.33.1
    ip nat inside source static 172.20.20.2 210.90.33.2


    Router2:


    interface FastEthernet0/0
    ip address 210.90.33.42 255.255.255.128
    ip nat outside
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 172.20.30.1 255.255.255.240
    ip nat inside
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 172.20.40.1 255.255.255.240
    ip nat inside
    duplex auto
    speed auto
    !
    ip nat inside source static 172.20.30.2 210.90.33.5
    ip nat inside source static 172.20.40.2 210.90.33.6
    ip classless


    Pings from Router1 to 172.20.40.2 and 172.20.30.2 aren't forwarded successfully!


    New config - see below!

    I don't understand the whole thing at all, so I tried the simplest config, this time with only one router and one host on each of two interfaces of the router, only configuring the proper IPs on the interfaces (a private subnet on one side and a public one on the other), nothing else. It worked as it should.

    3. Next, I tried the same config with two routers, one private subnet on each router's LAN side and a public one between the routers - without any NAT - and it didn't work as it should; I thought because of the need for NAT to translate - am I wrong?

    4. I configured a simple static NAT without any ACLs on Router0 only, as you advised:


    Router0:


    interface FastEthernet0/0
    ip address 172.20.10.1 255.255.0.0
    ip nat inside
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 211.211.211.211 255.255.255.0
    ip nat outside
    duplex auto
    speed auto
    !
    interface Vlan1
    no ip address
    shutdown
    !
    ip nat inside source static 172.20.10.2 211.211.211.201
    ip classless


    Router1:


    interface FastEthernet0/0
    ip address 211.211.211.212 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 172.20.20.1 255.255.0.0
    duplex auto
    speed auto
    !
    interface Vlan1
    no ip address
    shutdown
    !
    ip nat inside source static 172.20.20.2 211.211.211.202





    And it didn't work!! Interfaces/IPs checked three or more times; everything looks correct.
    When I try to ping Router1 on 211.211.211.212, show ip nat statistics shows that the hits as well as the misses grew and the ping is successful, but I can't reach 172.20.20.2...

    PS: if you give me your mail address I can send you both PT labs :)


    Can you help me, please? :S
  • NightEye00 Member Posts: 21
    Meanwhile my problem has been solved by another user. It was a basic routing problem, namely that I simply didn't tell the routers how and where to forward packets; I had simply configured individual IPs on their interfaces :D
    Now NAT also works fine :)

    Thanks to everyone for the support!
  • DCD Member Posts: 473
    So it was, like I said, an L3 problem. Also, I did say in your other post that that should fix your NAT problem.
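An added example, not code from the thread and not anything Packet Tracer or IOS produces: a small Python checker that looks at Router1's configuration for exactly the two faults discussed above, the unconventional wildcard mask DCD pointed at in the first reply and the missing routes that turned out to be the real cause. It parses the IOS lines that matter (interface addresses, ip nat inside/outside, numbered standard ACL entries, static routes), tests whether each inside host is actually matched by the NAT ACL, and does a longest-prefix lookup for each remote host. R1_ORIGINAL is Router1 as first posted, trimmed to those lines; R1_FIXED is a constructed assumption (a 0.0.0.15 wildcard and static routes to 172.20.30.0/28 and 172.20.40.0/28 via 210.90.33.42), since the thread never shows the final working config.

```python
import ipaddress
import re

# Router1 as first posted in the thread, trimmed to the lines this checker reads.
R1_ORIGINAL = """\
interface FastEthernet0/0
 ip address 172.20.10.1 255.255.255.240
 ip nat inside
interface FastEthernet0/1
 ip address 172.20.20.1 255.255.255.240
 ip nat inside
interface FastEthernet1/0
 ip address 210.90.33.41 255.255.255.128
 ip nat outside
ip nat pool Test1 210.90.33.1 210.90.33.5 netmask 255.255.255.128
ip nat inside source list 11 pool Test1
access-list 11 permit 172.20.10.0 0.0.0.16
access-list 11 permit 172.20.20.0 0.0.0.16
"""

# Constructed fix (an assumption, not the thread's final config): a conventional
# /28 wildcard, plus static routes to Router2's LAN subnets via 210.90.33.42.
R1_FIXED = R1_ORIGINAL.replace("0.0.0.16", "0.0.0.15") + """\
ip route 172.20.30.0 255.255.255.240 210.90.33.42
ip route 172.20.40.0 255.255.255.240 210.90.33.42
"""

INSIDE_HOSTS = ["172.20.10.2", "172.20.20.2"]  # behind Router1, from the thread
REMOTE_HOSTS = ["172.20.30.2", "172.20.40.2"]  # behind Router2, from the thread


def _as_int(addr):
    return int(ipaddress.ip_address(addr))


def parse_config(text):
    """Pull out connected networks, NAT roles, standard ACL entries and static routes."""
    cfg = {"connected": [], "nat_inside": [], "nat_outside": [], "acls": {}, "routes": []}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            iface = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            cfg["connected"].append((iface, ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)))
        elif line == "ip nat inside":
            cfg["nat_inside"].append(iface)
        elif line == "ip nat outside":
            cfg["nat_outside"].append(iface)
        elif m := re.match(r"access-list (\d+) permit (?:host (\S+)|(\S+) (\S+))$", line):
            base, wc = (m[2], "0.0.0.0") if m[2] else (m[3], m[4])
            cfg["acls"].setdefault(int(m[1]), []).append((_as_int(base), _as_int(wc)))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
            cfg["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
    return cfg


def wildcard_is_contiguous(wc):
    """Conventional wildcards are a run of low-order 1 bits, i.e. 2**n - 1."""
    v = _as_int(wc)
    return (v & (v + 1)) == 0


def acl_matches(entries, host):
    """Standard-ACL semantics: a 1 bit in the wildcard means 'don't care'."""
    h = _as_int(host)
    return any((h & ~wc & 0xFFFFFFFF) == (base & ~wc & 0xFFFFFFFF) for base, wc in entries)


def route_for(cfg, dest):
    """Longest-prefix match over connected and static routes; None means no route."""
    d = ipaddress.ip_address(dest)
    candidates = [(net, f"connected {name}") for name, net in cfg["connected"]]
    candidates += [(net, f"static via {nh}") for net, nh in cfg["routes"]]
    hits = [c for c in candidates if d in c[0]]
    return max(hits, key=lambda c: c[0].prefixlen)[1] if hits else None


def lint(text, inside_hosts, remote_hosts):
    """Return a list of findings; an empty list means the config passes."""
    cfg = parse_config(text)
    findings = []
    if not cfg["nat_inside"] or not cfg["nat_outside"]:
        findings.append("NAT needs an 'ip nat inside' and an 'ip nat outside' interface")
    for acl, entries in cfg["acls"].items():
        for base, wc in entries:
            if not wildcard_is_contiguous(wc):
                free_bits = bin(wc).count("1")
                findings.append(f"acl {acl}: wildcard {ipaddress.ip_address(wc)} on {ipaddress.ip_address(base)} "
                                f"is non-contiguous; it matches only {2 ** free_bits} addresses, not a subnet")
        for host in inside_hosts:
            if not acl_matches(entries, host):
                findings.append(f"acl {acl}: inside host {host} is not matched, so it is never translated")
    for host in remote_hosts:
        # IOS routes inside-to-outside traffic before translating it, so a
        # missing route drops the packet before NAT is consulted at all.
        if route_for(cfg, host) is None:
            findings.append(f"no route to {host}: dropped before NAT is consulted")
    return findings


if __name__ == "__main__":
    for label, text in (("original", R1_ORIGINAL), ("fixed", R1_FIXED)):
        print(label, lint(text, INSIDE_HOSTS, REMOTE_HOSTS) or ["ok"])
```

Running it reports six findings for the original config (two non-contiguous wildcards, two inside hosts the ACL never matches, two remote hosts with no route) and none for the fixed one. The wildcard point is worth noting on its own: 172.20.10.0 0.0.0.16 leaves only bit 4 of the last octet free, so it matches 172.20.10.0 and 172.20.10.16 and nothing else, which is why 172.20.10.2 was never translated even before the routing problem. The ordering matters for the diagnosis too: on IOS, inside-to-outside traffic is routed first and translated second, so with no route to the remote subnet show ip nat translations stays empty, which is exactly why DCD's advice to prove plain reachability before adding NAT is the right sequence.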