Having a Problem With NAT

Hey guys. I'm having a problem with NAT. I have my internet connection connected to Router1. There are 2 switches hanging off of that, with a few VLANs. My NAT is working fine there. Laptops in the different VLANs are able to browse the internet without issue. I have Router2 connected to Router1 through a serial connection. Router2 has a switch on it, and a couple of VLANs. Routing between the routers and ALL VLANs works flawlessly. I can ping all the way through on both ends. The only thing I can;t figure out, is how to get clients connected to Router2 out to the internet. I've added the networks to the NAT Access List on Router1. Obviously, something else needs to be done. Here are my lab diagram and the running config of Router1:

Lab Diagram:
https://www.dropbox.com/s/pub5h10ksp3afn0/Lab_Network.jpg?dl=0

Router1 Config:
https://www.dropbox.com/s/wqukmnu3x2ii5xl/RTR1_CONFIG.log?dl=0

Thanks for your help!!

Find more posts tagged with

Comments

james43026

There isn't enough information to determine the cause unfortunately. I would need the running config of both routers. You will also need to run some traceroutes from the network that can't make it through the NAT, and post the results as well. You need to determine which router is the issue first. I would guess that router 2 doesn't have a route / default route that would allow it to forward traffic past your simulated internet connection.

R2dTOO

Here is the config from Router2. I also did some traceroutes from the router. They are at the bottom of the config. The first is just a regular trace, and the second is a trace from the fa0/0.150 interface. I can do a trace from an actual laptop on that subnet if necessary.

https://www.dropbox.com/s/go0s7gnd2qbbzjg/RTR2_CONFIG.log?dl=0

james43026

Well, according to that traceroute you are making it past RTR 1, and hitting 192.168.0.1. But you are seeing that the traffic hasn't gone through NAT once it comes out of interface FA 0/1 on RTR 1? What device is connected to RTR 1 on FA 0/1? Is it a home router or a home internet gateway, like a router modem combo?

On a side note you have recursive routing setup on RTR 2, you can change ip route 0.0.0.0 0.0.0.0 192.168.0.1, to ip route 0.0.0.0 0.0.0.0 10.10.125.1, remove ip route 192.168.0.0 255.255.255.0 10.10.125.1, and it would save some resources on the router. Not going to make an impact in a lab, but in production could have an impact.

R2dTOO

I changed the routes that you mentioned. My default route was going to 10.10.125.1 at first. I changed it to see if it would make a difference.

FA0/1 is connected to a home gateway from Time Warner. It is a Motorola Surfboard SB6580.

NAT SHOULD be happening on FA0/1. It works flawlessly from the networks connected to RTR1. Do I need to turn on NAT on any of the interfaces on RTR2? Or, on the Serial interface on RTR1? I know that I had to do "ip nat inside" on the RTR1 interfaces.

Sorry for the questions. I only work with Cisco switches in my job. I'm used to routing and NAT from Palo Alto firewalls.

R2dTOO

BOOM!! I got it. I did "ip nat inside" on the S0/0/0 interface on RTR1. I am now able to get to the internet from RTR2.

Thanks for helping me work it out!

james43026

Perfect, I didn't want to give away the answer, so I was trying to lead you in the correct direction of RTR 1. Yeah with domain based NAT, interfaces are assigned to be either the inside or outside of a NAT domain, and there can be multiple inside and outside interfaces on the same router. Once you get into NVI you no longer have a need for NAT domains, and you no longer depend on the routing table for NAT decisions. In PanOS, NAT is associated with both interfaces and zones. I also have the pleasure of working with PanOS at work as well. How do you like PanOS vs Cisco IOS so far?

R2dTOO

I LOVE PanOS. I am PCNSE 6 and PCNSE 7, so I am a lot more comfortable in there! As far as IOS goes, I know what I need to know to get my daily jobs done. I'm trying to become more proficient. In both CLIs, the "?" is my best friend!

james43026

Yeah, in my opinion no one has a CLI that is better than Cisco IOS. The context sensitive help is terrific. PanOS, has a decent CLI, but their Web GUI is amazing. I've been considering pursuing some Palo Alto certs.

R2dTOO

Yeah. Cisco has had years to perfect their CLI. The PanOS CLI is decent. But, like you said, their GUI is really where they shine. The PCNSE exams aren't that bad. The main issue is that there is very little in the way of self study material. I was lucky that my company paid for a training class. Plus, PA firewalls are literally 80% of my job.

james43026

Nice, that always helps. Does the PCNSE cover just CLI, or does it cover the GUI as well?

R2dTOO

I'd say it's about 70% GUI. They also throw in some Panorama and general networking questions.

Experienced_ISN'T_old

If you are having a NAT problem or trouble with NATTING, try hair relaxers like Soul Glo, it has turned around the fortunes of an entire group or class of people, self-explanatory.