I can't make my NAT work in my gns3 environment

krypto888

Hi everyone,

I have setup a gns3 topology where I was able to establish network connection from a c3725 virtual router to the live internet. I also have VPCS sitting on my network connecting to that router. However, I cannot ping from that virtual pc to anywhere other than its gateway i.e 10.0.0.1. Somehow my NAT is not working i suspect. I have checked several times but did not find any error in my NAT configuration. Can anyone tell me what is the problem. I'm in a hurry writing this, but if you guys need more information, please just ask me. I may as well have made silly mistake which I prolly overlooked-

Below is my running config-

R1#show run
Building configuration...


Current configuration : 3655 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4279256517
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4279256517
revocation-check none
rsakeypair TP-self-signed-4279256517
!
!
crypto pki certificate chain TP-self-signed-4279256517
certificate self-signed 01
3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323739 32353635 3137301E 170D3032 30333031 30303030
35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32373932
35363531 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B7DA 97B1B59B FE006FC2 CD2E9A39 882A4587 08B0939A 6C758A57 DBA557C0
D618AF5D 7FC2C871 549B6312 51E6E99D B9DD463C 23F9C9DA 2C4325F1 D23F7AC3
44DB7957 1E42EEE6 34A55557 E1F05F44 A8A4D5FA 98290B40 9D4F1E8E 0831816B
D917AC25 76286E50 2F4B22AB 194981E4 0569574C 7F64F5A7 61860864 A228CA3B
41570203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
551D1104 06300482 02523130 1F060355 1D230418 30168014 9F303460 EC7D52F7
0D712D77 316A958E 73DDE57C 301D0603 551D0E04 1604149F 303460EC 7D52F70D
712D7731 6A958E73 DDE57C30 0D06092A 864886F7 0D010104 05000381 81003C47
CC0075BE 07C91912 E7AD15C9 BA5AAB97 93E24424 767604EC 61D0C3AF D48BC18E
C7ADA02B 30396C97 09C468D2 FB27375B 88E9703E 6CAC0457 99312196 B9E5B867
2AE0DD1B 0CB295C0 356675E8 BB7DB578 FA4A5D9B F7672F14 E8C9570F 9CC56D90
FD905786 7353A541 CF431EEB 1A148769 4331A32D 7798C527 33895799 8D6E
quit
!
!
username admin privilege 15 secret 5 $1$l7gD$3Yt35O.twCljfIfOgGFfM1
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
ip address 192.168.137.137 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.137.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list ZBF interface FastEthernet0/0 overload
!
ip access-list standard ZBF
permit 10.0.0.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

PCTechLinc

I'm hoping you found the answer for which you've been looking. If not, maybe what I did might help.

When I was studying for CCNA Security (210-260), I created a virtual environment in GNS3 that I needed connected to the Internet. I used similar images as you, and ALWAYS had an issue connecting the GNS3 systems to the Internet through NAT, and I couldn't figure out the source. My internal network had no issues pinging the internal router interface, but it would connect to the Internet sporadically. I ended up creating a Windows Server 2012 R2 VM in VirtualBox with two NICs, and had that machine be my NAT device. It definitely was a shotgun to kill a fly, but it worked flawlessly. I just used an evaluation version that would stay active for 120 days, which was more than enough time for me.

Best of luck!

krypto888

PcTechLinc- Thanks for your reply.

As you rightly said it was a shotgun to kill a fly. However, I might give it a shot if nothing else works. Originally the whole point behind creating my gns3 topology was to configure a zone based firewall on the router and make it work with cisco configuration professional (ccp). It was supposed to be as simple as this. Anyhow, the NAT issue just keep coming back to my head and it is irritating to say the least.

But also it does look like the translation there is working while doing a 'trace' from the virtual pc to 8.8.8.8.

PC1> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
1 10.0.0.1 9.997 ms 9.002 ms 9.001 ms
2 *192.168.137.1 16.085 ms 20.611 ms
3 * * *
4 192.168.0.1 20.150 ms 21.967 ms 21.159 ms
5 10.160.5.1 29.252 ms 32.156 ms 30.121 ms
6 10.20.247.6 32.176 ms 23.009 ms 19.889 ms
7 203.76.118.193 32.356 ms 32.414 ms 31.155 ms
8 203.76.104.1 21.003 ms 23.744 ms 31.129 ms


And then if I issue a 'show ip nat translation' from the router -

R1#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 192.168.137.137:4283 10.0.0.10:4283 8.8.8.8:4283 8.8.8.8:4283
icmp 192.168.137.137:4795 10.0.0.10:4795 8.8.8.8:4795 8.8.8.8:4795
icmp 192.168.137.137:5307 10.0.0.10:5307 8.8.8.8:5307 8.8.8.8:5307
icmp 192.168.137.137:5819 10.0.0.10:5819 8.8.8.8:5819 8.8.8.8:5819
icmp 192.168.137.137:6331 10.0.0.10:6331 8.8.8.8:6331 8.8.8.8:6331
udp 192.168.137.137:10417 10.0.0.10:10417 8.8.8.8:10418 8.8.8.8:10418
udp 192.168.137.137:10961 10.0.0.10:10961 8.8.8.8:10962 8.8.8.8:10962

So it is working right?

And then when I try to ping from the pc -

PC1> ping 8.8.8.8
8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout
8.8.8.8 icmp_seq=5 timeout

So the problem seems to lie in the 'icmp echo reply'. But then again I get ping reply from the router. O-O

rolando3321

does your pc have a default gateway set up?

krypto888

Hey thanks for your time.

Yes, it has a default gateway - 192.168.137.1

I created a microsoft loopback adapter which essentially get the IP (192.168.137.1) from the wifi adapter where my host pc is sitting as I turn the network sharing on there in that wifi adapter. My host pc has a gateway leading to the wifi router (192.168.0.1) and from there it is out open in the internet.

I issued a trace command from my virtual pc that I posted earlier can be a simple way identifying the gateway-

PC1> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
1 10.0.0.1 9.997 ms 9.002 ms 9.001 ms
2 *192.168.137.1 16.085 ms 20.611 ms
3 * * *
4 192.168.0.1 20.150 ms 21.967 ms 21.159 ms
5 10.160.5.1 29.252 ms 32.156 ms 30.121 ms
6 10.20.247.6 32.176 ms 23.009 ms 19.889 ms
7 203.76.118.193 32.356 ms 32.414 ms 31.155 ms
8 203.76.104.1 21.003 ms 23.744 ms 31.129 ms

mikeybinec

usually, the outside local would have a default path back to you