NAT Syntax Conundrum

After every ACL there is invisible Deny ip any any, yours sim is just showing that normally invisible statement

I've not checked your wildcard masks but the syntax is correct, I ran into a NAT pool problem in PT5 a few days ago when showing a colleague how to setup a nat pool.

Turns out PT5, is not that good

Best buy yourself a lab

Check out:

http://www.techexams.net/forums/ccna-ccent/42129-prob-pc5.html

All of the syntax are valid, its just different ways of expressing the same thing.
prefix 29 is just shorthand for prefix-length 29. Remember IOS you do not need to write the entire command, just enough to understand the unique command you want, just like int s0/0/0 means interface serial 0/0/0.
netmask is the same as prefix but written in a different notation. Whereas prefix-length means to use X number of bits for the subnetmask, netmask tells you to specify it in the traditional 255.255.255.0 notation. In this case, 255.255.255.0 is a prefix length of 24.
They're all valid and are all correct.
Not only that, but in some places you can use 1.1.1.1/24 instead of 1.1.1.1 255.255.255.0. It is not consistent where you can use one notation or another in IOS and different versions support different notations as well. The netmask in this case is the most supported so you can be more sure that it works.

Also Ninja, I tried your configuration (assumed your config) in PT5 with your NAT problem and it works fine. Post your pkt file and let me see why its not working for you.

ccnacertified2000 wrote: »

Also Ninja, I tried your configuration (assumed your config) in PT5 with your NAT problem and it works fine. Post your pkt file and let me see why its not working for you.

It on a friends laptop at work, if we even saved it. I'll just stick to using my lab for configs.

I was getting translations but the ping wasn't coming back. Went home and exact config work on my lab, strange.

Dont mean to hijack this thread, but Ninja, I assumed, in the config that you might have used a different network for the translation pool, so the router has 192.168.0.0/24 network and 2.2.2.0/24 network attached, but set the translation pool to 1.1.1.1/24. So the router doesn't actually have any interfaces with 1.1.1.1/24 in it but uses it for translations. Thats the config I used, and it didn't work at first because the other router has no route back to 1.1.1.1. In this scenario, I got translations but no replies. I added the static route to the 1.1.1.1 network via 2.2.2.0 network and it works. Assuming this would be your config, maybe you forgot to set a route back to the translation pool network?

ccnacertified2000 wrote: »

Dont mean to hijack this thread, but Ninja, I assumed, in the config that you might have used a different network for the translation pool, so the router has 192.168.0.0/24 network and 2.2.2.0/24 network attached, but set the translation pool to 1.1.1.1/24. So the router doesn't actually have any interfaces with 1.1.1.1/24 in it but uses it for translations. Thats the config I used, and it didn't work at first because the other router has no route back to 1.1.1.1. In this scenario, I got translations but no replies. I added the static route to the 1.1.1.1 network via 2.2.2.0 network and it works. Assuming this would be your config, maybe you forgot to set a route back to the translation pool network?

That what I did, but used 10.0.0.1 - 10.0.0.14 /28

I entered a network 10.0.0.0 in rip, worked at home -ideas?

I tried your config in a real router and it does not advertise the 10 network through RIP. I even added a loopback network of 5.5.5.0 to see if RIP is working, and indeed the 5.5.5.0 network is propagated, but the 10.0.0.0 network is not.
The only thing I can conclude is that in your real lab test, you already had some static default routes that point back to the NAT router. Try your config again but start with a clean config.

A lab at home would be ideal. Unfortunately, I don't have the funds nor time to put one together right now. We have a test lab at the NOC where I work, but I'm studying from home to avoid distractions. If I'm at work, somebody will always have some crisis that they need fix "NOW!!" LOL.

Anyone have any sample problems for practicing all types of NAT setup? It's depressing really, but I completely brain-farted the entirety of NAT and got 0% on NAT when I last took the CCNA. My overall score was 3.5% short of passing.

I'm assuming the last couple of replies have nothing whatsoever to do with my original question -- except they relate to somebody else's NAT troubles.

ccnacertified2000 wrote: »

I tried your config in a real router and it does not advertise the 10 network through RIP. I even added a loopback network of 5.5.5.0 to see if RIP is working, and indeed the 5.5.5.0 network is propagated, but the 10.0.0.0 network is not.
The only thing I can conclude is that in your real lab test, you already had some static default routes that point back to the NAT router. Try your config again but start with a clean config.

You're right and I'm an idiot.

When I tried it a few days ago I just used two unused serial ports from different routers, not thinkin thier config would interfere - dooh

Good lesson learned - many thanks.

godofthunder9010 wrote: »

A lab at home would be ideal. Unfortunately, I don't have the funds nor time to put one together right now. We have a test lab at the NOC where I work, but I'm studying from home to avoid distractions. If I'm at work, somebody will always have some crisis that they need fix "NOW!!" LOL.

Anyone have any sample problems for practicing all types of NAT setup? It's depressing really, but I completely brain-farted the entirety of NAT and got 0% on NAT when I last took the CCNA. My overall score was 3.5% short of passing.

I'm assuming the last couple of replies have nothing whatsoever to do with my original question -- except they relate to somebody else's NAT troubles.

No we just hi-jacked your thread - sorry

As I don't have a real lab to create such problems on hand, it's at least very educational. As stated, NAT was my Achilles heel, so I don't know if you'd want much advice from me on the subject.

Thanks everyone for the help. I'm still not sure that the IP and mask combination for the following line is correct:
RosettaStone(config)#access-list 1 permit 192.168.6.65 0.0.0.63
Shouldn't it be:
RosettaStone(config)#access-list 1 permit 192.168.6.64 0.0.0.63

Thoughts??

Lets examine what your question is:
RosettaStone(config)#access-list 1 permit 192.168.6.65 0.0.0.63
What does this mean? well, lets look at the last octet in binary
65
0100 0001
63
0011 1111

Shouldn't it be:
RosettaStone(config)#access-list 1 permit 192.168.6.64 0.0.0.63
64
0100 0000
63
0011 1111

What does the 1st ACL mean? The wildcard is 63, so all 1s means ignore it and match only the 0s. In this case, 0100 0001 matches. Which equals 64. Notice the bold part is all we care.
What does the 2nd ACL mean? The wildcard is 63, so all 1s means ignore it and match only the 0s. In this case, 0100 0000 matches, which equals 64. Notice the bold part is all we care.

What does two two statements mean? They are equivalent.

Thank you for the help with this. Much appreciated!

nevolved

Why are your pool addresses in a differnet subnet than you outside interface?