NAT Problem
Silver Bullet
Member Posts: 676
in CCNA & CCENT
I must be missing something here. Just playing around in my lab and this is what I am running into:
PC--- (out) R1 (in) ---- SW1 ---- SW2 ---- R2 ---- R3
R1 is natting for SW1, SW2, R2 and R3.
PC and R1's outside interface are on the same subnet 172.20.1.0/24
SW1, SW2, R2 and R3 are natting through R1 without any problems.
I can ping all routers and switches from PC, but the problem is that if I ping say R2 from PC, then I can't ping R3 until the nat translation has been cleared. Shouldn't I be able to ping all the devices without having to clear the nat translations?
I can ping PC from any router or switch back to back without having to clear nat translations.
I may just be having a mental breakdown... am I just missing something fundamental here?
Here is the config on R1. It is pretty simple right now as I just reconfigured it trying to figure out what is going on here.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface FastEthernet0/0
 ip address 172.20.1.100 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
 no fair-queue
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 10.1.1.1 0.0.0.0 area 0
 default-information originate
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.20.1.1
!
ip nat inside source list NAT_ADDRESSES interface FastEthernet0/0 overload
!
ip access-list standard NAT_ADDRESSES
 permit 10.0.0.0 0.255.255.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end
Comments
-
tech-airman Member Posts: 953
Silver Bullet,
Silver Bullet wrote:
I must be missing something here. Just playing around in my lab and this is what I am running into:
PC--- (out) R1 (in) ---- SW1 ---- SW2 ---- R2 ---- R3
R1 is natting for SW1, SW2, R2 and R3.
PC and R1's outside interface are on the same subnet 172.20.1.0/24
SW1, SW2, R2 and R3 are natting through R1 without any problems.
I can ping all routers and switches from PC, but the problem is that if I ping say R2 from PC, then I can't ping R3 until the nat translation has been cleared. Shouldn't I be able to ping all the devices without having to clear the nat translations?
When you say "I can ping all routers and switches from PC..." are you talking from the terminal emulation program window or from the command prompt window?
Silver Bullet wrote:
I can ping PC from any router or switch back to back without having to clear nat translations.
I may just be having a mental breakdown... am I just missing something fundamental here?
Here is the config on R1. It is pretty simple right now as I just reconfigured it trying to figure out what is going on here.
-
Silver Bullet Member Posts: 676
Command prompt. But, I can only ping one and then not another until the translations table is cleared. Once the nat translations are cleared, I can ping a different router or switch.
-
tech-airman Member Posts: 953
Silver Bullet wrote:
Command prompt. But, I can only ping one and then not another until the translations table is cleared. Once the nat translations are cleared, I can ping a different router or switch.
Silver Bullet,
You do know that you're not supposed to be able to connect from NAT outside to NAT inside, right? That's like expecting anyone from the Internet (NAT outside) to be able to freely connect to any of your networking devices and hosts on your internal network (NAT inside).
-
Silver Bullet Member Posts: 676
Yes.
This is a lab that is protected by a firewall from the internet. I could prevent PC from connecting with an ACL, but, nonetheless, you can connect to a device behind NAT if no such ACL or firewall rule is in place to prevent such. My query is why NAT is only able to handle one translation from an external to an internal connection.
I think I just answered my own question.
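The symptom in this thread (one inside device reachable from the PC, the next one unreachable until the translation table is cleared) matches what PAT produces when it keys ICMP on the identifier field and the PC reuses the same identifier for every ping: the second inside host's echo reply gets its identifier rewritten on the way out, so the PC's stack never matches it to the request it sent. The simulation below is an added example, not code from any poster or from IOS; it takes the inside global address 172.20.1.100 from the posted config, and the PC address 172.20.1.10 and the R2/R3 addresses 10.1.1.2 and 10.1.1.3 are constructed for the example.

```python
# Added example: a minimal model of a PAT (NAT overload) table for ICMP.
# Assumptions: the translation is keyed on the ICMP identifier (the "port"
# for ICMP), the outside host reuses one identifier for every echo request
# (Windows ping does this; Linux ping uses the PID), and addresses other than
# 172.20.1.100 (from the posted R1 config) are constructed.

INSIDE_GLOBAL = "172.20.1.100"   # R1 FastEthernet0/0, from the posted config


class PatTable:
    def __init__(self):
        self.entries = {}   # (inside_local, local_id, outside_host) -> global_id
        self.used = {}      # (outside_host, global_id) -> inside_local

    def inside_to_outside(self, src, icmp_id, dst):
        """Translate an inside->outside ICMP packet; returns (src, id) after PAT."""
        key = (src, icmp_id, dst)
        if key in self.entries:
            return INSIDE_GLOBAL, self.entries[key]
        # Keep the original identifier when it is free; otherwise allocate a new
        # one, because another inside host already owns it towards this outside host.
        gid = icmp_id
        while (dst, gid) in self.used:
            gid += 1
        self.entries[key] = gid
        self.used[(dst, gid)] = src
        return INSIDE_GLOBAL, gid

    def clear(self):
        """Equivalent of 'clear ip nat translation *' on R1."""
        self.entries.clear()
        self.used.clear()


def ping_from_outside(table, pc, target, icmp_id):
    """PC (outside) pings target's real inside address. The request is routed
    untranslated; the reply is PATed on the way out. Returns True if the reply
    still carries the identifier the PC sent (the PC accepts it)."""
    _reply_src, reply_id = table.inside_to_outside(target, icmp_id, pc)
    return reply_id == icmp_id


def run_scenario():
    """Reproduce the thread: ping R2, then R3, clear the table, ping R3 again."""
    table = PatTable()
    pc, r2, r3 = "172.20.1.10", "10.1.1.2", "10.1.1.3"   # constructed addresses
    pc_icmp_id = 1                                        # fixed identifier
    first = ping_from_outside(table, pc, r2, pc_icmp_id)  # works
    second = ping_from_outside(table, pc, r3, pc_icmp_id) # id rewritten, dropped
    table.clear()
    third = ping_from_outside(table, pc, r3, pc_icmp_id)  # works again
    return first, second, third
```

Devices with distinct identifiers (or pinging outward, where the reply's identifier is mapped back to the original) never collide, which is why the routers can ping the PC back to back.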