PAT dynamic questions

txn41655 Member Posts: 53
Hi, I hope someone can help me. I configured dynamic PAT on both sides of the network. When I ping, I can reach the destination from both sides... but the packet cannot come back (viewed in simulation mode). Is anything missing in my configurations? Thanks.



hostname inside-router-1
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO1941/K9 sn FTX15244Z76
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip helper-address 10.0.99.3
ip nat inside
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip helper-address 10.0.99.3
ip nat inside
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip helper-address 10.0.99.3
ip nat inside
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 200.10.1.1 255.255.255.0
ip nat outside
!
interface Serial0/0/1
ip address 200.10.2.1 255.255.255.0
ip nat outside
!
interface Serial0/1/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/1/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.0.0
network 200.10.1.0

!
ip nat pool pool-192.168 220.220.220.0 220.220.220.254 netmask 255.255.255.0
ip nat inside source list 1 pool pool-192.168 overload
ip classless
ip route 172.20.0.0 255.255.255.0 Serial0/0/0 91
ip route 10.0.99.0 255.255.255.0 Serial0/0/1 92
ip route 10.0.99.0 255.255.255.0 Serial0/0/0 91
ip route 172.20.0.0 255.255.0.0 Serial0/0/1 92
!
ip flow-export version 9
!
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end


================================================
hostname Outside-Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO1941/K9 sn FTX1524E4WP
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.99
encapsulation dot1Q 99
ip address 10.0.99.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 172.20.10.1 255.255.255.0
ip helper-address 10.0.99.3
ip nat inside
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 172.20.20.1 255.255.255.0
ip helper-address 10.0.99.3
ip nat inside
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 172.20.30.1 255.255.255.0
ip helper-address 10.0.99.3
ip nat inside
!
interface Serial0/0/0
ip address 200.10.1.2 255.255.255.0
ip nat outside
clock rate 2000000
!
interface Serial0/0/1
ip address 200.10.2.2 255.255.255.0
ip nat outside
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 10.0.99.0 0.0.0.255
network 172.20.0.0
network 200.10.1.0

!
ip nat pool pool-outside-router 240.240.240.0 240.240.240.254 netmask 255.255.255.0
ip nat inside source list 1 pool pool-outside-router overload
ip classless
ip route 192.168.0.0 255.255.0.0 Serial0/0/0 91
ip route 192.168.0.0 255.255.0.0 Serial0/0/1 92
!
ip flow-export version 9
!
!
access-list 1 permit 172.20.0.0 0.0.255.255
access-list 1 permit 10.0.99.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

Comments

  • Hondabuff Member Posts: 667
    Upload the Packet Tracer file to some webshare so we can download it. No one wants to rebuild your entire lab. It's probably just a missing default route, but I'm too lazy to rebuild the entire thing.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • d4nz1g Member Posts: 464
    What are you trying to ping? From what IP to what IP?

    1. Check if both routers have routes to the NAT pool.

    2. In PAT, you have translations only for those flows in -> out. Therefore, if you try to ping an address from the pool, you won't be able to reach the outside global IP, simply because you don't have a state table entry for it on the other router (no outside local x global mapping).

    Edit:

    If you choose to assign "static" mappings to the NAT table, just remove the overload keyword and the state entries will be created accordingly.

    For example: a /24 pool and a /24 ACL should give you a one-to-one mapping.
  • txn41655 Member Posts: 53
    Hondabuff wrote: »
    Upload the Packet Tracer file to some webshare so we can download it. No one wants to rebuild your entire lab. It's probably just a missing default route, but I'm too lazy to rebuild the entire thing.

    Here is the Packet Tracer file link. I hope someone can help me understand. This is a personal lab for me to learn. Thanks!
    http://www.filedropper.com/labpreparation11
  • d4nz1g Member Posts: 464
    I apologize about the delay.

    Here is a pic explaining the routing part.

    However, you need to take into account how PAT works. In your config, PAT will only be triggered when there is a need to do so. This means that a NAT state will be created only when there are packets going inside to outside that match the access list. You should be able to ping the router's external interface; however, you will not be able to reach the hosts on the other side. The reason behind this is that the other router does not yet have a global-to-local mapping in its state table. A practical example is that you can't just ping my home computer sourcing from your computer, unless I do a static mapping on the router (if I am the destination, of course), so when "interesting" traffic is received, my router recognizes the outside-to-inside mapping, rewrites the packet header and then forwards it accordingly.
  • txn41655 Member Posts: 53
    d4nz1g wrote: »
    I apologize about the delay.

    Here is a pic explaining the routing part.

    However, you need to take into account how PAT works. In your config, PAT will only be triggered when there is a need to do so. This means that a NAT state will be created only when there are packets going inside to outside that match the access list. You should be able to ping the router's external interface; however, you will not be able to reach the hosts on the other side. The reason behind this is that the other router does not yet have a global-to-local mapping in its state table. A practical example is that you can't just ping my home computer sourcing from your computer, unless I do a static mapping on the router (if I am the destination, of course), so when "interesting" traffic is received, my router recognizes the outside-to-inside mapping, rewrites the packet header and then forwards it accordingly.


    Thanks very much d4nz1g! Now I clearly understand the purpose of PAT.
  • d4nz1g Member Posts: 464
    Just a side note: you can still do static PAT, which will work in your scenario too. The difference is that you will statically map a service (a TCP/UDP port, or even ICMP, GRE or IPsec packets) to an inside server. This should be way more than you need to know at CCNA level, but it is worth being aware of such things.
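The two points d4nz1g makes above (both routers need a route to the other side's NAT pool, and an outside host can only initiate towards a mapping that already exists, i.e. a static one) can be checked directly against the posted configs. The following IOS fragment is an added example written for this thread, not the original poster's config or anything from the Packet Tracer file. It assumes the posted addressing (inside-router-1 with pool 220.220.220.0/24 behind 200.10.1.1 and 200.10.2.1, Outside-Router with pool 240.240.240.0/24 behind 200.10.1.2 and 200.10.2.2); 192.168.10.10 is a hypothetical inside server and the shrunken pool range and the address 220.220.220.250 are choices made here to keep the static address out of the dynamic range. Note that the posted Outside-Router config has no route for 220.220.220.0/24 and the posted inside-router-1 config has none for 240.240.240.0/24, so replies to translated addresses have nowhere to go before NAT is ever consulted (routing is done before the inside-to-outside translation).

```cisco
! Added example, not part of the thread. Assumes the posted addressing.
! 192.168.10.10 is a hypothetical inside server; 220.220.220.250 and the
! narrowed pool range are choices made for this example.

!--- 1. Each router needs a route to the OTHER side's NAT pool, or the
!--- reply to a translated address is dropped before NAT sees it.
!--- On Outside-Router (posted config has no route for 220.220.220.0/24):
ip route 220.220.220.0 255.255.255.0 Serial0/0/0 91
ip route 220.220.220.0 255.255.255.0 Serial0/0/1 92
!--- On inside-router-1 (posted config has no route for 240.240.240.0/24):
ip route 240.240.240.0 255.255.255.0 Serial0/0/0 91
ip route 240.240.240.0 255.255.255.0 Serial0/0/1 92

!--- 2. On inside-router-1: keep static addresses out of the dynamic
!--- range. The pool cannot be redefined while entries use it, so flush
!--- translations first (this is a lab; on production gear plan a window).
clear ip nat translation *
no ip nat inside source list 1 pool pool-192.168 overload
no ip nat pool pool-192.168
ip nat pool pool-192.168 220.220.220.1 220.220.220.200 netmask 255.255.255.0
ip nat inside source list 1 pool pool-192.168 overload

!--- 3. Static mappings exist before any traffic, so an outside host can
!--- initiate. Static PAT exposes exactly one TCP port on the outside
!--- interface address; every other port stays with the overload rule.
ip nat inside source static tcp 192.168.10.10 80 200.10.1.1 80 extendable
!--- A static one-to-one answers ICMP and every port; use it only for a
!--- host that genuinely must be reachable from outside.
ip nat inside source static 192.168.10.10 220.220.220.250

!--- 4. Verify. The static entries appear immediately; dynamic entries
!--- appear only after an inside host sends traffic that matches list 1.
show ip nat translations
show ip nat statistics
debug ip nat
```

Two things to expect when checking this in simulation mode: the static entries are listed by `show ip nat translations` before any ping, while dynamic entries only appear after an inside host sends traffic; and because both routers translate, an echo reply from a 172.20.x.x host arrives at the 192.168.x.x PC with a 240.240.240.x source address, which is the expected outcome of NAT on both sides rather than a fault. The static one-to-one mapping makes a single host reachable for every protocol, so in anything beyond a lab it belongs behind an inbound ACL on the outside interfaces that permits only the intended service.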
  • Hondabuff Member Posts: 667
    I played around with it yesterday and changed the NAT statements. You need to have two ACLs and two NAT statements, one for each WAN interface: one on Se0/0/0 and one on Se0/0/1. But to do it correctly you need to have tracking on the primary interface to fail over to the secondary WAN, if you're pretending this is an edge router with dual ISPs. Packet Tracer will not do it and you need to lab it out in GNS3. The static default route will black-hole the packets without tracking. If not, you have to use EIGRP across the entire network to know when the primary WAN fails, which is just not realistic in the real world dealing with an ISP but OK for labbing.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
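The dual-WAN layout Hondabuff describes above, as an added example for this thread (not Hondabuff's configuration and not from the Packet Tracer file): one NAT statement per WAN interface on inside-router-1, with IP SLA tracking so the primary default route is withdrawn when the far end stops answering. It assumes the posted addressing, with 200.10.1.2 and 200.10.2.2 as the next hops on Serial0/0/0 and Serial0/0/1. Instead of two separate ACLs it reuses the posted access-list 1 in two route-maps that also match the egress interface, which is the usual way to pin each flow to the link it leaves on; the route-map names, SLA/track numbers and timers are choices made here. As Hondabuff says, lab this on GNS3 or real IOS rather than Packet Tracer.

```cisco
! Added example, not part of the thread. Assumes the posted addressing of
! inside-router-1. Route-map names, SLA/track numbers and timers are
! choices made for this example.

!--- Replace the single pool-based rule from the posted config.
clear ip nat translation *
no ip nat inside source list 1 pool pool-192.168 overload

!--- Inside prefixes to translate (unchanged from the posted config).
access-list 1 permit 192.168.0.0 0.0.255.255

!--- One route-map per WAN link: match the inside ACL AND the egress
!--- interface, so a flow leaving via S0/0/0 is translated to that
!--- interface's address and a flow leaving via S0/0/1 to the other.
route-map NAT-WAN1 permit 10
 match ip address 1
 match interface Serial0/0/0
route-map NAT-WAN2 permit 10
 match ip address 1
 match interface Serial0/0/1

!--- Interface overload: no pool prefix, so the far side only needs
!--- routes to the link addresses it already knows.
ip nat inside source route-map NAT-WAN1 interface Serial0/0/0 overload
ip nat inside source route-map NAT-WAN2 interface Serial0/0/1 overload

!--- Probe the primary next hop every 10 s, sourced from S0/0/0 so the
!--- probe cannot leave through the backup link.
ip sla 1
 icmp-echo 200.10.1.2 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30

!--- The primary default route stays in the table only while track 1 is
!--- up; the floating static (AD 250) takes over on failure. Without the
!--- track keyword the primary route remains installed as long as the
!--- serial interface is up/up, and traffic is black-holed.
ip route 0.0.0.0 0.0.0.0 200.10.1.2 track 1
ip route 0.0.0.0 0.0.0.0 200.10.2.2 250

!--- Verify: track state, probe results, which default is active, and
!--- that translations now show the interface address, not a pool address.
show track 1
show ip sla statistics 1
show ip route 0.0.0.0
show ip nat translations
```

If you keep the more-specific static routes from the posted config (172.20.0.0 and 10.0.99.0 via Serial0/0/0 and Serial0/0/1), they take precedence over the default and need the same `track 1` keyword on the primary entry, otherwise they black-hole in exactly the way the untracked default would. After a failover, existing translations still reference the old interface address and are torn down by `clear ip nat translation *` or by timeout; new flows are then built on Serial0/0/1 by NAT-WAN2.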
  • txn41655 Member Posts: 53
    Hondabuff wrote: »
    I played around with it yesterday and changed the NAT statements. You need to have two ACLs and two NAT statements, one for each WAN interface: one on Se0/0/0 and one on Se0/0/1. But to do it correctly you need to have tracking on the primary interface to fail over to the secondary WAN, if you're pretending this is an edge router with dual ISPs. Packet Tracer will not do it and you need to lab it out in GNS3. The static default route will black-hole the packets without tracking. If not, you have to use EIGRP across the entire network to know when the primary WAN fails, which is just not realistic in the real world dealing with an ISP but OK for labbing.


    Thanks Honda!