nat problem

linux44 Member Posts: 38
Hi,
I have some problems with configuring static NAT. This is how my topology is:
I have 2 router and 2 pc
Pc 2 ip address:10.0.0.139/25
Pc1:10.0.0.10 /25
R2
10.0.0.129:fa0/0
172.16.0.9:s0/0/0
R1
10.0.0.1:fa0/0
172.16.0.10:s0/0/0
I have configured a nat on R2 to translate all of the traffic coming from pc2(10.0.0.139) to be translated to 172.16.0.10 using following command
R2#ip nat inside source static 10.0.0.139 172.16.0.10
R2#int s0/0/0 ip nat outside
R2#int fa0/0 then ip nat inside

The reason for that is that I have set an access list on fa0/0 of R1 to block all traffic from 10.0.0.128/25 to 10.0.0.10/25,
so the only way for 10.0.0.139/25 to get through to 10.0.0.10 is by setting up a NAT, which I have done using the above command. But the problem is that the ping command from R2 (172.16.0.10) to 10.0.0.10 is redirected to 10.0.0.139 instead of 172.16.0.10.

What should I do?

Any help is appreciated.

Comments

  • networker050184 Mod Posts: 11,962
    linux44 wrote: »
    ....
    R1
    10.0.0.1:fa0/0
    172.16.0.10:s0/0/0
    ......
    R2#ip nat inside source static 10.0.0.139 172.16.0.10

    ...


    What's up with that? Is that a typo, or are you trying to NAT the inside address from R2 to the outside address of R1?

    Why not use R2's outside interface? Should work how you have it set up though.... Configs?
    An expert is a man who has made all the mistakes which can be made.
  • linux44 Member Posts: 38
    What's up with that? Is that a typo, or are you trying to NAT the inside address from R2 to the outside address of R1?

    Why not use R2's outside interface? Should work how you have it set up though.... Configs?

    Sorry about the confusion.
    R1=172.16.0.9
    R2=172.16.0.10

    When I ping R1 (172.16.0.9) from R2 (172.16.0.10), the echo reply is directed to 10.0.0.139,
    and your command hasn't helped me to sort the problem out.
    Any idea?

    This is the router output:

    R2#sh run
    Building configuration...

    Current configuration : 1379 bytes
    !
    version 12.4
    no service password-encryption
    !
    hostname R2
    !
    !
    enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
    !
    !
    !
    !
    ip ssh version 2
    no ip domain-lookup
    ip domain-name cisco
    !
    !
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    shutdown
    !
    interface FastEthernet0/1
    ip address 10.0.0.129 255.255.255.128
    ip nat inside
    duplex auto
    speed auto
    !
    interface Serial0/0/0
    bandwidth 128
    ip address 172.16.0.10 255.255.255.252
    encapsulation frame-relay
    frame-relay map ip 172.16.0.9 103 broadcast
    frame-relay lmi-type ansi
    ip access-group cisco in
    ip nat outside
    !
    interface Serial0/0/1
    ip address 172.16.0.6 255.255.255.252
    ip access-group cisco in
    !
    interface Serial0/1/0
    no ip address
    !
    interface Serial0/1/1
    no ip address
    !
    interface Vlan1
    no ip address
    shutdown
    !
    router rip
    passive-interface FastEthernet0/1
    network 172.16.0.0
    !
    ip nat inside source static 10.0.0.139 172.16.0.10
    ip classless
    ip route 10.0.0.0 255.255.255.128 172.16.0.9
    !
    !
    ip access-list extended cisco
    permit tcp host 172.16.0.2 any eq telnet
    permit tcp host 172.16.0.5 any eq telnet
    deny tcp any any eq telnet
    permit tcp any any
    permit ip any any
    permit icmp any any
    permit udp any any
    !
    !
    !
    banner motd ^CAuthorised user only^C
    line con 0
    password cisco
    logging synchronous
    login
    line vty 0 4
    password cisco
    login
    line vty 5 15
    password cisco
    login
    !
    !
    end


    R1


    R1#sh run
    Building configuration...

    Current configuration : 1895 bytes
    !
    version 12.4
    no service password-encryption
    !
    hostname R1
    !
    !
    enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
    !
    !
    !
    !

    !
    ip ssh version 1
    no ip domain-lookup
    ip domain-name cisco
    !
    !
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    shutdown
    !
    interface FastEthernet0/1
    ip address 10.0.0.1 255.255.255.128
    ip access-group cisco1 out
    duplex auto
    speed auto
    !
    interface Serial0/0/0
    ip address 172.16.0.1 255.255.255.252
    encapsulation ppp
    ppp authentication chap
    ip access-group cisco in
    clock rate 64000
    !
    interface Serial0/0/1
    bandwidth 128
    ip address 172.16.0.9 255.255.255.252
    encapsulation frame-relay
    frame-relay map ip 172.16.0.10 101 broadcast
    frame-relay lmi-type ansi
    ip access-group cisco in
    !
    interface Serial0/1/0
    no ip address
    shutdown
    !
    interface Serial0/1/1
    no ip address
    shutdown
    !
    interface Vlan1
    no ip address
    shutdown
    !
    router rip
    passive-interface FastEthernet0/1
    network 172.16.0.0
    !
    ip classless
    ip route 10.0.0.128 255.255.255.128 172.16.0.10
    !
    !
    ip access-list extended cisco
    permit tcp host 172.16.0.2 any eq telnet
    permit tcp host 172.16.0.5 any eq telnet
    deny tcp any any eq telnet
    permit ip any any
    permit tcp any any
    permit icmp any any
    permit udp any any
    ip access-list extended cisco1
    deny tcp host 209.165.200.161 host 10.0.0.10 eq telnet
    deny tcp host 209.165.200.161 host 10.0.0.10 eq ftp
    deny tcp host 209.165.200.161 host 10.0.0.10 eq www
    deny icmp 10.0.0.128 0.0.0.127 host 10.0.0.10
    deny udp 10.0.0.128 0.0.0.127 host 10.0.0.10
    deny tcp 10.0.0.128 0.0.0.127 host 10.0.0.10
    deny ip 10.0.0.128 0.0.0.127 host 10.0.0.10
    permit tcp any any
    permit icmp any any
    permit ip any any
    permit udp any any
    !
    !
    !
    banner motd ^CAuthorised user only^C
    line con 0
    password cisco
    logging synchronous
    login
    line vty 0 4
    password cisco
    login
    line vty 5 15
    password cisco
    login
    !
    !
    end
  • tim100 Member Posts: 162
    There are quite a few things wrong with your configurations. Let's try to correct some of them. First, let's start with your NAT problem. You are trying to create a static NAT entry by assigning R2's serial interface IP to PC 2's IP address 10.0.0.139. You can't statically assign that IP for NAT since it is already assigned to R2's serial interface. Try configuring it this way:

    access-list 1 permit 10.0.0.139

    ip nat inside source list 1 interface s0/0/0 overload

    The "passive interface" commands are useless in this scenario since these networks are not included in the RIP process. Also, it is a good idea to use RIP version 2 and include the "no auto-summary" command. If you don't want traffic from 10.0.0.128/25 reaching 10.0.0.0/25 why not just get rid of the static route instead of going through the trouble of the ACL since you are using NAT?
  • linux44 Member Posts: 38
    tim100 wrote: »
    There are quite a few things wrong with your configurations. Let's try to correct some of them. First, let's start with your NAT problem. You are trying to create a static NAT entry by assigning R2's serial interface IP to PC 2's IP address 10.0.0.139. You can't statically assign that IP for NAT since it is already assigned to R2's serial interface. Try configuring it this way:

    access-list 1 permit 10.0.0.139

    ip nat inside source list 1 interface s0/0/0 overload

    The "passive interface" commands are useless in this scenario since these networks are not included in the RIP process. Also, it is a good idea to use RIP version 2 and include the "no auto-summary" command. If you don't want traffic from 10.0.0.128/25 reaching 10.0.0.0/25 why not just get rid of the static route instead of going through the trouble of the ACL since you are using NAT?

    I have been asked to configure a static NAT,
    and that:
    access-list 1 permit 10.0.0.139

    ip nat inside source list 1 interface s0/0/0 overload

    is a dynamic map.
    Any other suggestion, please?
  • billyr Member Posts: 186
    Yes, take good advice when it's offered.
  • rossonieri#1 Member Posts: 799
    Hello linux :)
    The reason for that is that I have set an access list on fa0/0 of R1 to block all traffic from 10.0.0.128/25 to 10.0.0.10/25,
    so the only way for 10.0.0.139/25 to get through to 10.0.0.10 is by setting up a NAT, which I have done using the above command. But the problem is that the ping command from R2 (172.16.0.10) to 10.0.0.10 is redirected to 10.0.0.139 instead of 172.16.0.10.

    Yes, you are heading in the right direction, except you have forgotten the port number for both the outside and inside IP. So the translation will assume you were redirecting the whole outside IP address to one inside IP address, not just its port, hence the ping is also redirected to that internal .139 IP.

    So, take a closer look at that ip nat inside source static command: there are port options for both outside and inside IPs.

    Example:
    ip nat inside source static 1.2.3.4 80 5.6.7.8 80

    HTH.
    the More I know, that is more and More I dont know.
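    To make the difference between the three NAT variants discussed in this thread concrete, here is an added simulation (not IOS code and not from any poster) of how R2 would decide where an outside packet addressed to 172.16.0.10 is delivered: under the whole-IP static entry from the original post, under the port-specific static entry rossonieri#1 describes, and under tim100's PAT overload. The Packet fields, the ICMP identifiers and the PAT translation table are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Addresses are the thread's own; everything else is a constructed model.
R2_OUTSIDE = "172.16.0.10"   # R2 s0/0/0, also used as the NAT outside address
PC2 = "10.0.0.139"           # inside host behind R2
R1 = "172.16.0.9"            # far end of the serial link


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    port: Optional[int]   # TCP/UDP destination port, or the ICMP identifier


def static_whole_ip(pkt: Packet) -> str:
    """ip nat inside source static 10.0.0.139 172.16.0.10
    Every outside packet addressed to 172.16.0.10 is rewritten to 10.0.0.139;
    protocol and port are not consulted, so the router's own replies are taken too."""
    return PC2 if pkt.dst == R2_OUTSIDE else pkt.dst


def static_tcp80(pkt: Packet) -> str:
    """ip nat inside source static tcp 10.0.0.139 80 172.16.0.10 80
    Only the configured protocol/port pair is redirected to the inside host."""
    if pkt.dst == R2_OUTSIDE and pkt.proto == "tcp" and pkt.port == 80:
        return PC2
    return pkt.dst


def pat_overload(table: Dict[Tuple[str, int], str]) -> Callable[[Packet], str]:
    """ip nat inside source list 1 interface s0/0/0 overload
    Inbound packets are translated only when they match a translation an inside
    host created earlier; 'table' maps (proto, outside port/ident) -> inside IP."""
    def translate(pkt: Packet) -> str:
        if pkt.dst != R2_OUTSIDE:
            return pkt.dst
        return table.get((pkt.proto, pkt.port), pkt.dst)
    return translate


def echo_reply_destination(translate: Callable[[Packet], str]) -> str:
    """Where the reply to a ping R2 itself sends to R1 lands (identifier 1 is constructed)."""
    return translate(Packet("icmp", R1, R2_OUTSIDE, 1))


if __name__ == "__main__":
    for name, fn in [("whole-IP static", static_whole_ip), ("tcp/80 static", static_tcp80),
                     ("PAT overload", pat_overload({("icmp", 1025): PC2}))]:
        print(f"{name:16} echo reply from R1 delivered to {echo_reply_destination(fn)}")
```

    Only the whole-IP static entry steals the router's own echo reply, which is the symptom reported in the original post; the port-specific entry and PAT leave it with R2, and PAT additionally exposes nothing on PC2 to unsolicited outside traffic.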