NAT Syntax Conundrum

godofthunder9010 Member Posts: 21
Studying away for the CCNA exam and I keep running into NAT issues that are just making NAT more confusing. My network emulator seems to like one syntax, while the practice exam offers a different syntax and adds a “deny any” line to the ACL that I do not understand at all. Books and help sites specify yet another syntax. Yet my up-to-date version of Packet Tracer (my network emulator) won't take that syntax. (“prefix 29” vs “prefix-length 29” vs “netmask 255.255.255.248”) And then there's the line on the practice exam's answer that I can't make sense out of "access-list 1 deny any." Meh, I'll just paste what it all looks like and bold the items that are confusing and giving me grief. If someone can tell me whether the syntax of this is anywhere close to right, I would greatly appreciate it!! Here’s the Lab question:
ISP-provided public IPs: 198.18.32.65-70
Users on Private Network needing Internet Access: 60 (192.168.6.65-125)
Router LAN IP: 192.168.6.126
Router WAN IP: 192.168.2.113
Router1(config)#hostname RosettaStone
RosettaStone(config)#int fa0/0
RosettaStone(config-if)#ip address 192.168.6.126 255.255.255.0
RosettaStone(config-if)#no shut
RosettaStone(config-if)#ip nat inside

RosettaStone(config)#int s0/0
RosettaStone(config-if)#ip address 192.168.2.113 255.255.255.0
RosettaStone(config-if)#clock rate 64000
RosettaStone(config-if)#no shut
RosettaStone(config-if)#ip nat outside

RosettaStone(config)#access-list 1 permit 192.168.6.65 0.0.0.63
RosettaStone(config)#access-list 1 deny any
RosettaStone(config)#ip nat pool MyPool 198.18.32.65 198.18.32.70 netmask 255.255.255.248
RosettaStone(config)#ip nat inside source list 1 pool MyPool overload

Comments

  • blackninja Member Posts: 385
    After every ACL there is an invisible "deny ip any any"; your sim is just showing that normally invisible statement.

    I've not checked your wildcard masks, but the syntax is correct. I ran into a NAT pool problem in PT5 a few days ago when showing a colleague how to set up a NAT pool.

    Turns out PT5 is not that good :)

    Best buy yourself a lab ;)

    Check out:

    http://www.techexams.net/forums/ccna-ccent/42129-prob-pc5.html
    Currently studying:
    CCIE R&S - using INE workbooks & videos

    Currently reading:
    Everything. Twice ;)
  • ccnacertified2000 Member Posts: 27
    All of the syntax is valid; it's just different ways of expressing the same thing.
    "prefix 29" is just shorthand for "prefix-length 29". Remember, in IOS you do not need to write the entire command, just enough to identify the unique command you want, just like "int s0/0/0" means "interface serial 0/0/0".
    netmask is the same as prefix but written in a different notation. Whereas prefix-length means to use X number of bits for the subnet mask, netmask tells you to specify it in the traditional 255.255.255.0 notation. In this case, 255.255.255.0 is a prefix length of 24.
    They're all valid and are all correct.
    Not only that, but in some places you can use 1.1.1.1/24 instead of 1.1.1.1 255.255.255.0. It is not consistent where you can use one notation or another in IOS and different versions support different notations as well. The netmask in this case is the most supported so you can be more sure that it works.

    Also Ninja, I tried your configuration (assumed your config) in PT5 with your NAT problem and it works fine. Post your pkt file and let me see why it's not working for you.
  • blackninja Member Posts: 385
    Also Ninja, I tried your configuration (assumed your config) in PT5 with your NAT problem and it works fine. Post your pkt file and let me see why it's not working for you.

    It's on a friend's laptop at work, if we even saved it. I'll just stick to using my lab for configs.

    I was getting translations but the ping wasn't coming back. Went home and the exact config worked on my lab; strange.
  • ccnacertified2000 Member Posts: 27
    Don't mean to hijack this thread, but Ninja, I assumed, in the config, that you might have used a different network for the translation pool, so the router has the 192.168.0.0/24 network and the 2.2.2.0/24 network attached, but set the translation pool to 1.1.1.1/24. So the router doesn't actually have any interfaces with 1.1.1.1/24 in it but uses it for translations. That's the config I used, and it didn't work at first because the other router has no route back to 1.1.1.1. In this scenario, I got translations but no replies. I added the static route to the 1.1.1.1 network via the 2.2.2.0 network and it works. Assuming this would be your config, maybe you forgot to set a route back to the translation pool network?
  • blackninja Member Posts: 385
    Don't mean to hijack this thread, but Ninja, I assumed, in the config, that you might have used a different network for the translation pool, so the router has the 192.168.0.0/24 network and the 2.2.2.0/24 network attached, but set the translation pool to 1.1.1.1/24. So the router doesn't actually have any interfaces with 1.1.1.1/24 in it but uses it for translations. That's the config I used, and it didn't work at first because the other router has no route back to 1.1.1.1. In this scenario, I got translations but no replies. I added the static route to the 1.1.1.1 network via the 2.2.2.0 network and it works. Assuming this would be your config, maybe you forgot to set a route back to the translation pool network?

    That's what I did, but used 10.0.0.1 - 10.0.0.14 /28

    I entered "network 10.0.0.0" in RIP; it worked at home. Ideas?
  • ccnacertified2000 Member Posts: 27
    I tried your config in a real router and it does not advertise the 10 network through RIP. I even added a loopback network of 5.5.5.0 to see if RIP is working, and indeed the 5.5.5.0 network is propagated, but the 10.0.0.0 network is not.
    The only thing I can conclude is that in your real lab test, you already had some static default routes that point back to the NAT router. Try your config again but start with a clean config.
  • godofthunder9010 Member Posts: 21
    A lab at home would be ideal. Unfortunately, I don't have the funds nor the time to put one together right now. We have a test lab at the NOC where I work, but I'm studying from home to avoid distractions. If I'm at work, somebody will always have some crisis that they need fixed "NOW!!" LOL.

    Anyone have any sample problems for practicing all types of NAT setup? It's depressing really, but I completely brain-farted the entirety of NAT and got 0% on NAT when I last took the CCNA. My overall score was 3.5% short of passing.

    I'm assuming the last couple of replies have nothing whatsoever to do with my original question -- except they relate to somebody else's NAT troubles.
  • blackninja Member Posts: 385
    I tried your config in a real router and it does not advertise the 10 network through RIP. I even added a loopback network of 5.5.5.0 to see if RIP is working, and indeed the 5.5.5.0 network is propagated, but the 10.0.0.0 network is not.
    The only thing I can conclude is that in your real lab test, you already had some static default routes that point back to the NAT router. Try your config again but start with a clean config.

    You're right and I'm an idiot.

    When I tried it a few days ago I just used two unused serial ports from different routers, not thinking their config would interfere - d'oh ;)

    Good lesson learned - many thanks.
  • blackninja Member Posts: 385
    A lab at home would be ideal. Unfortunately, I don't have the funds nor the time to put one together right now. We have a test lab at the NOC where I work, but I'm studying from home to avoid distractions. If I'm at work, somebody will always have some crisis that they need fixed "NOW!!" LOL.

    Anyone have any sample problems for practicing all types of NAT setup? It's depressing really, but I completely brain-farted the entirety of NAT and got 0% on NAT when I last took the CCNA. My overall score was 3.5% short of passing.

    I'm assuming the last couple of replies have nothing whatsoever to do with my original question -- except they relate to somebody else's NAT troubles.

    No, we just hijacked your thread - sorry.
  • godofthunder9010 Member Posts: 21
    As I don't have a real lab to create such problems on hand, it's at least very educational. As stated, NAT was my Achilles heel, so I don't know if you'd want much advice from me on the subject.
  • godofthunder9010 Member Posts: 21
    Thanks everyone for the help. I'm still not sure that the IP and mask combination for the following line is correct:
    RosettaStone(config)#access-list 1 permit 192.168.6.65 0.0.0.63
    Shouldn't it be:
    RosettaStone(config)#access-list 1 permit 192.168.6.64 0.0.0.63

    Thoughts??
  • ccnacertified2000 Member Posts: 27
    Let's examine what your question is:
    RosettaStone(config)#access-list 1 permit 192.168.6.65 0.0.0.63
    What does this mean? Well, let's look at the last octet in binary:
    65 = 0100 0001
    63 = 0011 1111

    Shouldn't it be:
    RosettaStone(config)#access-list 1 permit 192.168.6.64 0.0.0.63
    64 = 0100 0000
    63 = 0011 1111

    What does the 1st ACL mean? The wildcard is 63, so all 1s means ignore it and match only the 0s. In this case, 0100 0001 matches, which equals 64. Notice the bold part is all we care about.
    What does the 2nd ACL mean? The wildcard is 63, so all 1s means ignore it and match only the 0s. In this case, 0100 0000 matches, which equals 64. Notice the bold part is all we care about.

    What do the two statements mean? They are equivalent.
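As an added worked example (not code from the thread or from any of its posters), the following Python script applies the wildcard-mask rule explained in the reply above to the two ACL entries from the original question, reports which addresses the entry actually covers, and also checks the original post's NAT pool against its netmask. All function names are my own; the addresses are the ones from the lab question.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def acl_matches(packet_src: str, acl_addr: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care',
    a 0 bit means 'must equal the corresponding bit of the ACL address'."""
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(packet_src) & care) == (_to_int(acl_addr) & care)


def acl_effective_range(acl_addr: str, wildcard: str) -> tuple[str, str]:
    """First and last address an ACL entry really covers.

    IOS discards the address bits under the wildcard's 1 bits, which is why
    192.168.6.65 and 192.168.6.64 with 0.0.0.63 behave identically."""
    w = _to_int(wildcard)
    base = _to_int(acl_addr) & ~w & MASK32
    return _to_str(base), _to_str(base | w)


def acl_entries_equivalent(addr_a: str, addr_b: str, wildcard: str) -> bool:
    """True when two address/wildcard entries match exactly the same set."""
    return acl_effective_range(addr_a, wildcard) == acl_effective_range(addr_b, wildcard)


def extra_addresses_matched(acl_addr: str, wildcard: str,
                            first_host: str, last_host: str) -> list[str]:
    """Addresses the entry matches that lie OUTSIDE the intended host range.

    A wildcard can only describe a power-of-two aligned block, so a 60-host
    range (.65-.125) is necessarily over-matched by a 64-address block."""
    lo, hi = acl_effective_range(acl_addr, wildcard)
    covered = range(_to_int(lo), _to_int(hi) + 1)
    wanted = range(_to_int(first_host), _to_int(last_host) + 1)
    return [_to_str(n) for n in covered if n not in wanted]


def pool_fits_netmask(pool_start: str, pool_end: str, netmask: str) -> bool:
    """True when both ends of an 'ip nat pool' range lie inside the single
    subnet described by the pool's netmask."""
    net = ipaddress.IPv4Network(f"{pool_start}/{netmask}", strict=False)
    return (ipaddress.IPv4Address(pool_start) in net
            and ipaddress.IPv4Address(pool_end) in net)


if __name__ == "__main__":
    # Values from the lab question in the original post.
    wildcard = "0.0.0.63"
    for entry in ("192.168.6.65", "192.168.6.64"):
        print(entry, wildcard, "covers", acl_effective_range(entry, wildcard))
    print("entries equivalent:",
          acl_entries_equivalent("192.168.6.65", "192.168.6.64", wildcard))
    print("matched but not a user host:",
          extra_addresses_matched("192.168.6.65", wildcard,
                                  "192.168.6.65", "192.168.6.125"))
    print("pool 198.18.32.65-70 fits /29:",
          pool_fits_netmask("198.18.32.65", "198.18.32.70", "255.255.255.248"))
```

Running it shows both entries covering 192.168.6.64 through 192.168.6.127, so the two ACL lines are indeed equivalent. The same output also makes the practical caveat visible: the entry matches four addresses outside the stated 60-user range (.64, .126 and .127), including the router's own LAN address, so if the intent is "only these users may be translated" the ACL is slightly broader than the requirement. The pool check confirms that 198.18.32.65-70 sits entirely inside 198.18.32.64/29, which is what the netmask 255.255.255.248 on the pool line asserts.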
  • godofthunder9010 Member Posts: 21
    Thank you for the help with this. Much appreciated!
  • nevolved Member Posts: 131
    Why are your pool addresses in a different subnet than your outside interface?
  • ccnacertified2000 Member Posts: 27
    It's perfectly OK to do that. Let's say you have a subnet assigned to you, but it's not enough for you, so you do NAT. Using a different subnet allows you to use all of the addresses in the subnet, for one, and the second reason is that you want to use your own subnet's IPs for outside, not just the outside interface IP.