NAT overload issue
nel (Member, Posts: 2,859)
in CCNA & CCENT
Hi guys,
Just playing around with NAT for my ICND2 studies and have come to a bit of a stumbling block...
Firstly, I have a simple topology with two routers connected by a back-to-back serial link. All I am trying to do is allow the hosts on the LAN on each local side of the routers to use their serial IP address.
I have applied ip nat outside to both serials and ip nat inside to both Ethernets. I then create a standard ACL with permit 192.168.1.0 0.0.0.255 and 192.168.2.0 0.0.0.255.
I then apply NAT overload using ip nat inside source list 1 int s 0/0 overload.
So when I configure, say, R1, hosts from R2's LAN can ping R1's LAN and they get a source response of R1's serial interface IP and all is OK. BTW, hosts on R1's LAN can also ping hosts on R2's at this time.
So when I configure NAT overload on R2, hosts from R1's LAN cannot ping R2's LAN and vice versa.
Note: I have tried configuring R2 with overload first, and when I then configure R1 the same issue happens again.
So when the problem occurs, if I disable NAT overload on either one of the routers everything works again and the remaining router (with NAT overload still enabled) translates addresses correctly again.
Note that whether or not NAT overload is enabled, all interfaces are up and each router can ping all the necessary subnets on the other.
Does anyone have any suggestions on this? I had this working the other day!!!
Here are some show runs:
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
enable secret 5 *****
!
username R2 password 0 cisco
ip subnet-zero
!
key chain 1
 key 1
  key-string cisco
!
controller E1 1/0
!
interface FastEthernet0/0
 description Local_Lan
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 description WAN_Connection to R2
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 1
 encapsulation ppp
 no fair-queue
 ppp authentication chap
!
interface Serial0/1
 description WAN connection to R3
 ip address 192.168.5.2 255.255.255.0
!
router eigrp 1
 network 192.168.1.1 0.0.0.0
 network 192.168.3.1 0.0.0.0
 network 192.168.5.2 0.0.0.0
 no auto-summary
 eigrp router-id 192.168.3.2
 no eigrp log-neighbor-changes
!
ip nat inside source list 1 interface Serial0/0 overload
ip classless
ip http server
ip pim bidir-enable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark NAT ACL
!
line con 0
 password **
 logging synchronous
 login
line aux 0
line vty 0 4
 password **
 logging synchronous
 login
line vty 5 15
 password **
 logging synchronous
 login
!
end
And here is R2:
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
enable secret 5 ***
!
username R1 password 0 cisco
ip subnet-zero
!
key chain 1
 key 1
  key-string cisco
!
interface Ethernet0/0
 description Local_LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface Serial0/0
 description WAN connection to R1
 ip address 192.168.3.2 255.255.255.0
 ip nat outside
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 1
 encapsulation ppp
 no fair-queue
 clockrate 512000
 ppp authentication chap
!
interface TokenRing0/0
 no ip address
 shutdown
 ring-speed 16
!
interface Serial0/1
 description WAN connection to R3
 ip address 192.168.4.2 255.255.255.0
 clockrate 512000
!
router eigrp 1
 network 192.168.2.1 0.0.0.0
 network 192.168.3.2 0.0.0.0
 network 192.168.4.2 0.0.0.0
 no auto-summary
 eigrp router-id 192.168.3.2
!
ip nat inside source list 1 interface Serial0/0 overload
ip classless
ip http server
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
line con 0
 password **
 logging synchronous
 login
line aux 0
line vty 0 4
 password **
 logging synchronous
 login
line vty 5 15
 password **
 logging synchronous
 login
!
end
Sorry for the long post, but if anyone could help it would be much appreciated. Also, when I run show ip nat stat, if there were, say, 10 hits then there would be 3-4 misses too (if that helps).
Thanks fellas
Xbox Live: Bring It On
Bsc (hons) Network Computing - 1st Class
WIP: Msc advanced networking
Comments
aragoen_celtdra (Member, Posts: 246)
FWIW, I tried to lab it up real quick using your configs but minimizing the amount of clutter by taking out the authentication and all:
R1
interface FastEthernet0/0
description Local_Lan
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex half
no keepalive
!
interface Serial1/0
description WAN_Connection to R2
ip address 192.168.3.1 255.255.255.0
ip nat outside
serial restart-delay 0
no fair-queue
!
!
router eigrp 1
network 192.168.1.1 0.0.0.0
network 192.168.3.1 0.0.0.0
no auto-summary
!
ip nat inside source list 1 interface Serial1/0 overload
ip classless
no ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark NAT ACL
!
R2
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
ip nat inside
duplex half
no keepalive
!
interface Serial1/0
description WAN_connection to R1
ip address 192.168.3.2 255.255.255.0
ip nat outside
serial restart-delay 0
no fair-queue
!
router eigrp 1
network 192.168.2.1 0.0.0.0
network 192.168.3.2 0.0.0.0
auto-summary
!
ip nat inside source list 1 interface Serial1/0 overload
ip classless
no ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
Here's what I got:
R1#ping 192.168.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/56/96 ms
R1#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 192.168.3.1:2 192.168.1.1:2 192.168.2.1:2 192.168.2.1:2
icmp 192.168.3.1:3 192.168.1.1:3 192.168.2.1:3 192.168.2.1:3
icmp 192.168.3.1:4 192.168.1.1:4 192.168.2.1:4 192.168.2.1:4
R1#
R1#sh ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
Serial1/0
Inside interfaces:
FastEthernet0/0
Hits: 49 Misses: 11
Expired translations: 10
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Serial1/0 refcount 1
R2#ping 192.168.1.1 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/56/84 ms
R2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.168.3.2:7 192.168.2.1:7 192.168.1.1:7 192.168.1.1:7
icmp 192.168.3.2:8 192.168.2.1:8 192.168.1.1:8 192.168.1.1:8
R2#
R2#sh ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
Serial1/0
Inside interfaces:
FastEthernet0/0
Hits: 24 Misses: 6
Expired translations: 4
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Serial1/0 refcount 2
Don't know if any of it helps. I actually wanted it to fail so I could try to troubleshoot it myself. But (unfortunately this time) it actually works for me. The hits make sense to me because I tried to ping several times on different occasions.
With the misses, it also makes sense because the mappings keep getting reset, and every time I try to ping again it records a miss when the first packet that comes along doesn't find a NAT entry.
Maybe you can try your configuration with only the barest configs and see if it still fails/works. Hopefully someone else can have a better explanation so we can both get some good schooling.
CCIE Wr: In Progress...
Hours CCIE Wr Prep: 309:03:52
Follow my study progress at Route My World!
My CCIE Thread
nel (Member, Posts: 2,859)
aragoen_celtdra wrote: Hopefully someone else can have a better explanation so we can both get some good schooling.
Haha, I know what you mean!
The only thing I would ask is: did you use two hosts on the Ethernet side, and not just use the Ethernet IP as the source? Like I said, I tried pinging on each router and it worked fine with NAT enabled on both, and could ping hosts, interfaces etc., but when I used the hosts to ping it failed.
I've tried it without the authentication etc. and it was still the same result. It just happened that the config I had it on at the time had all that crap on it.
I'm completely baffled by this, as I've definitely had it working before... I was hoping maybe I had missed something easy.
I'm at work till 1am, so I may have another look when I get in.
aragoen_celtdra (Member, Posts: 246)
Yeah, unfortunately, I threw the configs into Dynamips, so I was left with only an extended ping for testing. If I have time tonight I'd like to test it on my home lab when I get home. In the meantime, allow me to think through this with you and follow the flow of the packet. "Be the packet"
nel (Member, Posts: 2,859)
aragoen_celtdra wrote: Yeah, unfortunately, I threw the configs into Dynamips, so I was left with only an extended ping for testing. If I have time tonight I'd like to test it on my home lab when I get home. In the meantime, allow me to think through this with you and follow the flow of the packet. "Be the packet"
At least you didn't tell me to follow the white rabbit and offer me all kinds of pills.
itdaddy (Member, Posts: 2,089)
Aragoen is correct.
I would always get NAT working or ACLs working first before you use EIGRP, OSPF or RIP authentication. Do the bare bones first and get it going, and then do the tests that Aragoen did.
He is great at this stuff. Sick "G", how neat even your output looks. But that is what I always do too. I get the basic function working before I add a bunch of authentication. Do it layer by layer. Simple first...
nel (Member, Posts: 2,859)
Hi guys,
Well, I'm still no further forward. I didn't have the time when I got in after work, but I've tried it again this morning and still no luck.
I've run debug ip nat and I get this on R2:
00:30:34: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [838]
00:30:34: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [838]
00:30:38: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [839]
00:30:38: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [839]
00:30:42: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [840]
00:30:42: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [840]
00:30:46: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [841]
00:30:46: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [841]
00:30:51: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [843]
00:30:51: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [843]
00:30:56: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [844]
00:30:56: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [844]
00:31:01: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [845]
00:31:01: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [845]
00:31:06: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [846]
00:31:06: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [846]
00:31:11: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [847]
00:31:11: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [847]
00:31:16: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [848]
00:31:16: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [848]
00:31:21: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [849]
00:31:21: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [849]
00:31:26: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [850]
00:31:26: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [850]
00:31:31: NAT*: i: icmp (192.168.2.10, 1024) -> (192.168.1.10, 1024) [851]
00:31:31: NAT*: s=192.168.2.10->192.168.3.2, d=192.168.1.10 [851]
From R1:
00:38:02: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.2.10 [9484]
00:38:03: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.3.2 [9485]
00:38:08: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.2.10 [9486]
00:38:08: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.3.2 [9487]
00:38:13: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.2.10 [9490]
00:38:13: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.3.2 [9491]
00:38:18: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.3.2 [9492]
00:38:19: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.2.10 [9493]
00:38:23: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.3.2 [9494]
00:38:24: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.2.10 [9495]
00:38:28: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.3.2 [9498]
00:38:30: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.2.10 [9499]
00:38:33: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.3.2 [9500]
00:38:35: NAT*: s=192.168.1.10->192.168.3.1, d=192.168.2.10 [9501]
To me, from that output it looks like they're translating OK? Unless I'm misinterpreting them?
Also, when I run a tracert on each host it reaches the destination router's serial interface, but then it times out on the destination router:
From host on R1's local LAN:
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     4 ms     4 ms     4 ms  192.168.3.2
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13  ^C
Any ideas? I've done stuff like clear ip nat t *, reloaded the routers, restarted the hosts etc.
aragoen_celtdra (Member, Posts: 246)
Hey Nel,
Good morning to ya! Still working on this. From the debug output it does look like it's translating. But going over our configuration again, and the output of the debug, it appears that you are sending an ICMP packet from the 192.168.1.10 and 192.168.2.10 addresses respectively. If our configurations are still the same, we don't have a route to those addresses, right? Because in EIGRP we advertised 192.168.1.1 and 192.168.2.1 with a 0.0.0.0 mask. So there is no route to the .10 nodes.
Maybe in EIGRP, configure the commands "network 192.168.1.0 0.0.0.255" and "network 192.168.2.0 0.0.0.255" on R1 and R2 respectively. Something tells me that might be it.
I haven't been able to lab that one out, so I'm going by what I think I know about the theory of it.
networker050184 (Mod, Posts: 11,962)
aragoen_celtdra wrote: Hey Nel,
Good morning to ya! Still working on this. From the debug output it does look like it's translating. But going over our configuration again, and the output of the debug, it appears that you are sending an ICMP packet from the 192.168.1.10 and 192.168.2.10 addresses respectively. If our configurations are still the same, we don't have a route to those addresses, right? Because in EIGRP we advertised 192.168.1.1 and 192.168.2.1 with a 0.0.0.0 mask. So there is no route to the .10 nodes.
Maybe in EIGRP, configure the commands "network 192.168.1.0 0.0.0.255" and "network 192.168.2.0 0.0.0.255" on R1 and R2 respectively. Something tells me that might be it.
I haven't been able to lab that one out, so I'm going by what I think I know about the theory of it.
The EIGRP network statement doesn't just advertise the host route with a 0.0.0.0 mask. When you configure the network command, all you are doing is telling the router which interfaces to run EIGRP on, not what mask to advertise with that network.
nel,
Can you ping the other side of the serial link? If not, strip all the extra stuff off and work from there.
An expert is a man who has made all the mistakes which can be made.
aragoen_celtdra (Member, Posts: 246)
networker050184 wrote: The EIGRP network statement doesn't just advertise the host route with a 0.0.0.0 mask. When you configure the network command, all you are doing is telling the router which interfaces to run EIGRP on, not what mask to advertise with that network.
nel,
Can you ping the other side of the serial link? If not, strip all the extra stuff off and work from there.
In my mind I was convinced that it was the network advertisement. A quick inventory of my brain cells and their proper alignment tells me now why that is: it's because all along I kept picturing the nodes in question as separate interfaces on the router (because that's how I would configure it in Dynamips), and thus needing to be defined in a network statement. When in fact there is only one LAN interface per router, and as long as that interface is advertised, the hosts on that interface will be advertised as well. Right?
That is why, my friends, Dynamips can only help you so far. If you have the real hardware, like I do, lab it up and test it yourself, lest you find yourself... confused!!!
nel (Member, Posts: 2,859)
Hey guys,
Sorry for the late reply, I've been partying it up at the Edinburgh festival.
Aragoen, it's like networker said about the network command. In fact, when NAT is enabled (or not enabled) on both routers you can still ping the routes learned via EIGRP, which tells me EIGRP is working fine.
Anyway, I still went ahead and configured the network command like you say, and it hasn't changed anything.
@networker... Yeah, it's like I said, I can ping everything: serial ints, Ethernets, hosts. NAT even works when it's enabled on only ONE of the routers; when I ping the internal node I get a response from the serial IP, so NAT works fine then, but when I enable it on the second router the ping times out when pinging each node on the LAN. Funny thing is, if I try a ping from R1 to the node on R2's LAN then it works fine, even when NAT is enabled on both routers, but the ping times out when pinging from the host PCs.
BTW, if I use static/dynamic NAT on both routers at the same time I have no issues whatsoever.
dtlokee (Member, Posts: 2,378)
The issue lies in how you have NAT configured.
You have (F0/0 nat inside) R1 (S1/0 nat outside) (S1/0 nat outside) R2 (F0/0 nat inside)
So you have NAT outside to NAT outside, yet your NAT rules are going to NAT traffic received on the inside interface. The issue is that the entries in the translation tables are going to be created going from NAT inside to NAT outside based on the rule. When you are pinging from R1's LAN to R2's LAN, R1 will translate it correctly, then R2 will look for an existing translation, will not find an entry and drop the packet. You need to create an outside translation or reverse the NAT inside/outside on R2.
The only easy day was yesterday!
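The translation-table behaviour dtlokee describes above, and the hits/misses that aragoen_celtdra explains earlier in the thread, modelled as an added example (written for this page; it is not code from the thread, from nel's lab or from Cisco): a small Python simulation of overload PAT on the two routers from the posted configs. It assumes the host addresses 192.168.1.10 and 192.168.2.10 seen in nel's debug output and, as a simplification, that a router only reverse-translates a packet that matches the whole extended entry (inside global address and port plus the outside address and port the entry was created with); entry timeouts and pings sourced from the routers themselves are left out. In this model, with overload on one router the far-side hosts get their replies from that router's serial address, and with overload on both routers the reply is re-sourced by the second router, no longer matches the first router's entry, and ends at the serial address instead of the host.

```python
"""Toy model of IOS-style PAT ('ip nat inside source list 1 interface Serial0/0
overload') on a two-router lab.  Added example, not the original poster's config.
Assumption: return traffic is matched against the whole extended entry (inside
global address + port AND the outside address + port the entry was created with)."""

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int   # for ICMP echo this is the identifier, shown by IOS as a "port"
    dst: str
    dport: int


@dataclass
class Router:
    """'ip nat inside' on the LAN side, 'ip nat outside' on the serial; the serial
    address doubles as the inside-global address named in the overload command."""
    name: str
    serial_ip: str
    nat_acl: str                  # access-list 1 permit <net> <wildcard>, as CIDR
    overload: bool = True         # False = overload rule not configured
    # (inside local ip, local port) -> (global port, outside ip, outside port)
    translations: dict = field(default_factory=dict)
    hits: int = 0
    misses: int = 0

    def in_to_out(self, pkt: Packet) -> Packet:
        """Packet entering the inside interface and leaving the outside one."""
        permitted = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.nat_acl)
        if not self.overload or not permitted:
            return pkt                          # routed untranslated
        key = (pkt.src, pkt.sport)
        if key in self.translations:
            self.hits += 1
        else:                                   # first packet of a flow: a "miss"
            self.misses += 1
            used = {gport for gport, _, _ in self.translations.values()}
            gport = pkt.sport
            while gport in used:                # PAT needs a free port on the global address
                gport += 1
            self.translations[key] = (gport, pkt.dst, pkt.dport)
        gport = self.translations[key][0]
        return Packet(self.serial_ip, gport, pkt.dst, pkt.dport)

    def out_to_in(self, pkt: Packet) -> Packet:
        """Packet entering the outside interface.  Only an entry created by earlier
        inside->outside traffic can reverse-translate it; otherwise it is routed as-is."""
        if self.overload:
            for (local_ip, local_port), (gport, out_ip, out_port) in self.translations.items():
                if (pkt.dst, pkt.dport, pkt.src, pkt.sport) == (self.serial_ip, gport, out_ip, out_port):
                    self.hits += 1
                    return Packet(pkt.src, pkt.sport, local_ip, local_port)
        return pkt


A, B = "192.168.1.10", "192.168.2.10"           # hosts from the thread's debug output (assumed)


def build(r1_overload: bool, r2_overload: bool):
    r1 = Router("R1", "192.168.3.1", "192.168.1.0/24", r1_overload)
    r2 = Router("R2", "192.168.3.2", "192.168.2.0/24", r2_overload)
    return r1, r2


def ping(src_host: str, dst_host: str, near: Router, far: Router, ident: int = 1024):
    """One echo from src_host (behind `near`) to dst_host (behind `far`).
    Returns the echo reply as src_host sees it, or None if it never arrives."""
    echo = far.out_to_in(near.in_to_out(Packet(src_host, ident, dst_host, ident)))
    if echo.dst != dst_host:
        return None
    reply = near.out_to_in(far.in_to_out(Packet(dst_host, ident, echo.src, echo.sport)))
    # a reply still addressed to a router's serial address is consumed there, not forwarded
    return reply if reply.dst == src_host else None


def scenario(r1_overload: bool, r2_overload: bool):
    """Source address of the reply for A->B and for B->A (None = ping fails),
    each direction with fresh translation tables."""
    a_to_b = ping(A, B, *build(r1_overload, r2_overload))
    r1, r2 = build(r1_overload, r2_overload)
    b_to_a = ping(B, A, r2, r1)
    return (a_to_b.src if a_to_b else None, b_to_a.src if b_to_a else None)


if __name__ == "__main__":
    for r1_on, r2_on in [(False, False), (True, False), (False, True), (True, True)]:
        ab, ba = scenario(r1_on, r2_on)
        print(f"R1 overload={r1_on}, R2 overload={r2_on}: A->B reply from {ab}, B->A reply from {ba}")
```

scenario(True, False) reproduces nel's observation that hosts on R2's LAN see replies sourced from R1's serial address, and scenario(True, True) reproduces the failure in both directions. The misses counter goes up only on the first packet of each flow, which is where the hits/misses ratio in show ip nat statistics comes from.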
nel (Member, Posts: 2,859)
dtlokee wrote: The issue lies in how you have NAT configured.
You have (F0/0 nat inside) R1 (S1/0 nat outside) (S1/0 nat outside) R2 (F0/0 nat inside)
So you have NAT outside to NAT outside, yet your NAT rules are going to NAT traffic received on the inside interface. The issue is that the entries in the translation tables are going to be created going from NAT inside to NAT outside based on the rule. When you are pinging from R1's LAN to R2's LAN, R1 will translate it correctly, then R2 will look for an existing translation, will not find an entry and drop the packet. You need to create an outside translation or reverse the NAT inside/outside on R2.
Hi DT,
Thanks for the reply. I'll try that out when I get home and post how it goes.
Thanks
caothanh6 (Member, Posts: 1)
dtlokee wrote: The issue lies in how you have NAT configured.
You have (F0/0 nat inside) R1 (S1/0 nat outside) (S1/0 nat outside) R2 (F0/0 nat inside)
So you have NAT outside to NAT outside, yet your NAT rules are going to NAT traffic received on the inside interface. The issue is that the entries in the translation tables are going to be created going from NAT inside to NAT outside based on the rule. When you are pinging from R1's LAN to R2's LAN, R1 will translate it correctly, then R2 will look for an existing translation, will not find an entry and drop the packet. You need to create an outside translation or reverse the NAT inside/outside on R2.
Well, I agree with dtlokee! I think that the problem here is that you used a private IP address to ping another private IP address (R1's LAN to R2's LAN and vice versa). In reality, this can't take place, because the LAN behind each of your routers will use the public IP address of your router to communicate with outside IP addresses. If the outside IP address is private (as you know, anyone can use private IP addresses for their LAN, all over the world), which network will your router send the packet to if I, you and dtlokee all use the same private IP addresses, 192.168.1.0 and 192.168.2.0, for our LANs? So I think that if you want to use a private IP to ping another private IP, you should use something called a "Virtual Private Network (VPN)". It's my personal idea; if there is something wrong, forgive me, please!
Software likes sex, it's better when it's free!