nat problem
linux44
Member Posts: 38 ■■□□□□□□□□
in CCNA & CCENT
Hi,
I have some problem with configuring static NAT. This is how my topology is:
I have 2 routers and 2 PCs
Pc 2 ip address:10.0.0.139/25
Pc1:10.0.0.10 /25
R2
10.0.0.129:fa0/0
172.16.0.9:s0/0/0
R1
10.0.0.1:fa0/0
172.16.0.10:s0/0/0
I have configured NAT on R2 to translate all of the traffic coming from PC2 (10.0.0.139) to 172.16.0.10 using the following commands:
R2(config)#ip nat inside source static 10.0.0.139 172.16.0.10
R2(config)#int s0/0/0
R2(config-if)#ip nat outside
R2(config-if)#int fa0/0
R2(config-if)#ip nat inside
The reason for that is that I have set an access list on fa0/0 of R1 to block all traffic from 10.0.0.128/25 to 10.0.0.10/25,
so the only way for 10.0.0.139/25 to get through to 10.0.0.10 is by setting up NAT, which I have done using the above commands. The problem is that a ping from R2 (172.16.0.10) to 10.0.0.10 is redirected to 10.0.0.139 instead of 172.16.0.10.
What should I do?
Any help is appreciated.
Comments
networker050184 Mod Posts: 11,962 Mod
....
R1
10.0.0.1:fa0/0
172.16.0.10:s0/0/0
......
R2#ip nat inside source static 10.0.0.139 172.16.0.10
...
What's up with that? Is that a typo or are you trying to NAT the inside address from R2 to the outside address of R1?
Why not use R2's outside interface? Should work how you have it set up though.... Configs?
An expert is a man who has made all the mistakes which can be made.
linux44 Member Posts: 38 ■■□□□□□□□□
networker050184 wrote: »
What's up with that? Is that a typo or are you trying to NAT the inside address from R2 to the outside address of R1?
Why not use R2's outside interface? Should work how you have it set up though.... Configs?
Sorry about the confusion.
R1=172.16.0.9
R2=172.16.0.10
When I ping R1 (172.16.0.9) from R2 (172.16.0.10) the echo reply is directed to 10.0.0.139,
and your command hasn't helped me to sort the problem out.
Any idea?
This is the router output:
R2#sh run
Building configuration...
Current configuration : 1379 bytes
!
version 12.4
no service password-encryption
!
hostname R2
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
ip ssh version 2
no ip domain-lookup
ip domain-name cisco
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 10.0.0.129 255.255.255.128
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
bandwidth 128
ip address 172.16.0.10 255.255.255.252
encapsulation frame-relay
frame-relay map ip 172.16.0.9 103 broadcast
frame-relay lmi-type ansi
ip access-group cisco in
ip nat outside
!
interface Serial0/0/1
ip address 172.16.0.6 255.255.255.252
ip access-group cisco in
!
interface Serial0/1/0
no ip address
!
interface Serial0/1/1
no ip address
!
interface Vlan1
no ip address
shutdown
!
router rip
passive-interface FastEthernet0/1
network 172.16.0.0
!
ip nat inside source static 10.0.0.139 172.16.0.10
ip classless
ip route 10.0.0.0 255.255.255.128 172.16.0.9
!
!
ip access-list extended cisco
permit tcp host 172.16.0.2 any eq telnet
permit tcp host 172.16.0.5 any eq telnet
deny tcp any any eq telnet
permit tcp any any
permit ip any any
permit icmp any any
permit udp any any
!
!
!
banner motd ^CAuthorised user only^C
line con 0
password cisco
logging synchronous
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
R1
R1#sh run
Building configuration...
Current configuration : 1895 bytes
!
version 12.4
no service password-encryption
!
hostname R1
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
ip ssh version 1
no ip domain-lookup
ip domain-name cisco
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.128
ip access-group cisco1 out
duplex auto
speed auto
!
interface Serial0/0/0
ip address 172.16.0.1 255.255.255.252
encapsulation ppp
ppp authentication chap
ip access-group cisco in
clock rate 64000
!
interface Serial0/0/1
bandwidth 128
ip address 172.16.0.9 255.255.255.252
encapsulation frame-relay
frame-relay map ip 172.16.0.10 101 broadcast
frame-relay lmi-type ansi
ip access-group cisco in
!
interface Serial0/1/0
no ip address
shutdown
!
interface Serial0/1/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router rip
passive-interface FastEthernet0/1
network 172.16.0.0
!
ip classless
ip route 10.0.0.128 255.255.255.128 172.16.0.10
!
!
ip access-list extended cisco
permit tcp host 172.16.0.2 any eq telnet
permit tcp host 172.16.0.5 any eq telnet
deny tcp any any eq telnet
permit ip any any
permit tcp any any
permit icmp any any
permit udp any any
ip access-list extended cisco1
deny tcp host 209.165.200.161 host 10.0.0.10 eq telnet
deny tcp host 209.165.200.161 host 10.0.0.10 eq ftp
deny tcp host 209.165.200.161 host 10.0.0.10 eq www
deny icmp 10.0.0.128 0.0.0.127 host 10.0.0.10
deny udp 10.0.0.128 0.0.0.127 host 10.0.0.10
deny tcp 10.0.0.128 0.0.0.127 host 10.0.0.10
deny ip 10.0.0.128 0.0.0.127 host 10.0.0.10
permit tcp any any
permit icmp any any
permit ip any any
permit udp any any
!
!
!
banner motd ^CAuthorised user only^C
line con 0
password cisco
logging synchronous
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
tim100 Member Posts: 162
There are quite a few things wrong with your configurations. Let's try to correct some of them. First let's start with your NAT problem. You are trying to create a static NAT entry by assigning R2's serial interface IP to PC 2's IP address 10.0.0.139. You can't statically assign that IP for NAT since it is already assigned to R2's serial interface. Try configuring it this way:
access-list 1 permit 10.0.0.139
ip nat inside source list 1 interface s0/0/0 overload
The "passive interface" commands are useless in this scenario since these networks are not included in the RIP process. Also, it is a good idea to use RIP version 2 and include the "no auto-summary" command. If you don't want traffic from 10.0.0.128/25 reaching 10.0.0.0/25 why not just get rid of the static route instead of going through the trouble of the ACL since you are using NAT?
linux44 Member Posts: 38 ■■□□□□□□□□
I have been asked to configure a static NAT,
and that
access-list 1 permit 10.0.0.139
ip nat inside source list 1 interface s0/0/0 overload
is a dynamic map.
Any other suggestions, please?
rossonieri#1 Member Posts: 799 ■■■□□□□□□□
hello linux
linux44 wrote: »
the reason for that is because I have set an access list on fa0/0 of R1 to block all traffic from 10.0.0.128/25 to 10.0.0.10/25,
so the only way for 10.0.0.139/25 to get through to 10.0.0.10 is by setting up NAT, which I have done using the above commands. The problem is that a ping from R2 (172.16.0.10) to 10.0.0.10 is redirected to 10.0.0.139 instead of 172.16.0.10.
Yes, you are heading in the right direction except you have forgotten the port number for both outside and inside IP - so the translation will assume you were redirecting the whole 1 outside IP address to 1 inside IP address - not its port, hence the ping is also redirected to that internal .139 IP.
So - take a closer look at that ip nat inside source static command - there are port options for both outside and inside IPs.
Example:
ip nat inside source static tcp 1.2.3.4 80 5.6.7.8 80
HTH.
the More I know, that is more and More I dont know.
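The behaviour discussed in this thread, modelled as an added Python example (not from any poster, and not router code): an address-only static entry rewrites everything sent to 172.16.0.10, including the echo reply to R2's own ping, while a protocol/port entry leaves ICMP alone. The class and function names are hypothetical, and only the 10.0.0.128/25 deny rule of R1's "cisco1" ACL is modelled.

```python
import ipaddress

# Simplified model of the thread's lab (constructed; not router code).
BLOCKED_SRC = ipaddress.ip_network("10.0.0.128/25")   # PC2's subnet behind R2
PROTECTED = ipaddress.ip_address("10.0.0.10")         # PC1 behind R1

def r1_acl_permits(src, dst):
    """R1 'cisco1': deny 10.0.0.128/25 -> host 10.0.0.10, permit the rest."""
    return not (ipaddress.ip_address(src) in BLOCKED_SRC
                and ipaddress.ip_address(dst) == PROTECTED)

class StaticNat:
    """One static entry on R2; proto/port None = address-only (matches all)."""
    def __init__(self, local, global_ip, proto=None, port=None):
        self.local, self.global_ip = local, global_ip
        self.proto, self.port = proto, port

    def _applies(self, proto, port):
        return self.proto is None or (self.proto, self.port) == (proto, port)

    def inside_to_outside(self, src, proto, sport=None):
        """Source rewrite for packets leaving through the outside interface."""
        hit = src == self.local and self._applies(proto, sport)
        return self.global_ip if hit else src

    def outside_to_inside(self, dst, proto, dport=None):
        """Destination rewrite for packets arriving on the outside interface."""
        hit = dst == self.global_ip and self._applies(proto, dport)
        return self.local if hit else dst

def demo():
    full = StaticNat("10.0.0.139", "172.16.0.10")
    port80 = StaticNat("10.0.0.139", "172.16.0.10", "tcp", 80)
    return {
        # PC2 -> PC1 ping as R1's ACL sees it, without and with the full entry
        "raw_permitted": r1_acl_permits("10.0.0.139", "10.0.0.10"),
        "full_permitted": r1_acl_permits(
            full.inside_to_outside("10.0.0.139", "icmp"), "10.0.0.10"),
        # Echo reply to R2's own ping, addressed to 172.16.0.10
        "reply_full": full.outside_to_inside("172.16.0.10", "icmp"),
        "reply_port80": port80.outside_to_inside("172.16.0.10", "icmp"),
        # With the port entry, PC2's ping is no longer translated
        "port80_permitted": r1_acl_permits(
            port80.inside_to_outside("10.0.0.139", "icmp"), "10.0.0.10"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result shows the trade-off: the port-limited entry stops the reply to R2's ping from being redirected, but PC2's ICMP then leaves untranslated and is again matched by R1's deny rule.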