NAT Troubleshooting
Dubuku57
Member Posts: 81
in CCNA & CCENT
Hi everyone,
I was trying out configuring NAT on Packet Tracer - all my steps seem correct (in line with theory) but I'm still unable to get the desired output. Attached is the topo.
I'm trying to only allow PC2 (private add) to be able to ping Web (public add).
Running-config of Router A:
RouterA#sh run
Building configuration...
Current configuration : 743 bytes
!
version 12.4
no service password-encryption
!
hostname RouterA
!
!
!
!
!
ip ssh version 1
!
!
interface FastEthernet0/0
ip address 192.168.100.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 200.152.200.2 255.255.255.252
ip nat outside
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat pool small-pool 200.152.200.65 200.152.200.70 netmask 255.255.255.248
ip nat inside source list 1 pool small-pool
ip classless
ip route 0.0.0.0 0.0.0.0 200.152.200.1
!
!
access-list 1 permit 192.168.100.128 0.0.0.3
!
!
!
line con 0
line vty 0 4
login
!
!
end
Running-config of ISP:
ISP#sh run
Building configuration...
Current configuration : 483 bytes
!
version 12.4
no service password-encryption
!
hostname ISP
!
!
!
!
!
ip ssh version 1
!
!
interface FastEthernet0/0
ip address 25.16.59.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 200.152.200.1 255.255.255.252
!
interface Serial0/0/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
end
Many Thanks in Advance!
P.s: Reference for the topo is Netsim LabManual
Comments
-
blackninja Member Posts: 385
Just had a quick look and you are missing a static route on the ISP router to allow traffic back to the NAT router
Currently studying:
CCIE R&S - using INE workbooks & videos
Currently reading:
Everything. Twice
-
sandman748 Member Posts: 104
blackninja wrote: » Just had a quick look and you are missing a static route on the ISP router to allow traffic back to the NAT router

He shouldn't need a static route back to routerA from ISP as they are directly connected. The problem is that your
ip nat pool small-pool 200.152.200.65 200.152.200.70 netmask 255.255.255.248
command is translating your local addresses to an IP in the range of 200.152.200.65 - 200.152.200.70 and you do not have an interface configured with any of those addresses.
ip nat pool small-pool 200.152.200.2 200.152.200.2 netmask 255.255.255.252 would work. If you're insistent on using that range for whatever reason, that serial interface going to the router needs to be configured with those addresses. I'm sure that could be done with subinterfaces but I've never actually tried using NAT with several global IPs.
Working on CCIE Collaboration:
Written Exam Completed June 2015 ~ 100 hrs of study
Lab Exam Scheduled for Dec 2015
-
networker050184 Mod Posts: 11,962
sandman748 wrote: » He shouldn't need a static route back to routerA from ISP as they are directly connected. The problem is that your
ip nat pool small-pool 200.152.200.65 200.152.200.70 netmask 255.255.255.248
command is translating your local addresses to an IP in the range of 200.152.200.65 - 200.152.200.70 and you do not have an interface configured with any of those addresses.
ip nat pool small-pool 200.152.200.2 200.152.200.2 netmask 255.255.255.252 would work. If you're insistent on using that range for whatever reason, that serial interface going to the router needs to be configured with those addresses. I'm sure that could be done with subinterfaces but I've never actually tried using NAT with several global IPs.

You don't need the pool addresses tied to an interface to ping across. A static route pointing back should do the trick as blackninja pointed out.
An expert is a man who has made all the mistakes which can be made.
-
sandman748 Member Posts: 104
networker050184 wrote: » You don't need the pool addresses tied to an interface to ping across. A static route pointing back should do the trick as blackninja pointed out.

What would that static route be?
edit: nm, I see the static route thing would work. But that's assuming we have control of the routing table of the ISP. What if we couldn't add that route? Is that something that the ISP normally does? i.e. a static route to whatever IP they've assigned us?
-
networker050184 Mod Posts: 11,962
sandman748 wrote: » What would that static route be?
edit: nm, I see the static route thing would work. But that's assuming we have control of the routing table of the ISP. What if we couldn't add that route? Is that something that the ISP normally does? i.e. a static route to whatever IP they've assigned us?

The ISP would use a static route or BGP with the customer depending on the setup.
-
Dubuku57 Member Posts: 81
sandman748 wrote: » He shouldn't need a static route back to routerA from ISP as they are directly connected. The problem is that your
ip nat pool small-pool 200.152.200.65 200.152.200.70 netmask 255.255.255.248
command is translating your local addresses to an IP in the range of 200.152.200.65 - 200.152.200.70 and you do not have an interface configured with any of those addresses.
ip nat pool small-pool 200.152.200.2 200.152.200.2 netmask 255.255.255.252 would work. If you're insistent on using that range for whatever reason, that serial interface going to the router needs to be configured with those addresses. I'm sure that could be done with subinterfaces but I've never actually tried using NAT with several global IPs.
-
Dubuku57 Member Posts: 81
In Dynamic NAT, a pool of addresses is used, right? Anyway, how does one configure the serial interfaces with the addresses? Yes, the static route works.. but just 1 qn: if I have a static route both to and fro the two routers, wouldn't that make my NAT useless? As in, I don't need the NAT there anymore since the static route tells my internal hosts how to get to the ISP?
-
Dubuku57 Member Posts: 81
sandman748 wrote: » He shouldn't need a static route back to routerA from ISP as they are directly connected.

What sandman mentions got me wondering -- if any two routers are directly connected, static routes over them would be redundant?
Why is it that when RouterA pings ISP, or the Web server, it's fine, but when the host attached to RouterA pings, it doesn't work??
-
blucas Member Posts: 25
Dubuku57 wrote: » What sandman mentions got me wondering -- if any two routers are directly connected, static routes over them would be redundant?
Why is it that when RouterA pings ISP, or the Web server, it's fine, but when the host attached to RouterA pings, it doesn't work??

I'm too sleepy, and my head isn't working correctly, sorry if I'm saying something stupid, but does the PC have a gateway configured?
It would be 192.168.100.1
-
Dubuku57 Member Posts: 81
Yep.. configured the gateway correctly... the PC can ping its own router (both interfaces S0/0 and f0/0), just not able to ping the Web host - while Router A is able to do so...
-
networker050184 Mod Posts: 11,962
Dubuku57 wrote: » What sandman mentions got me wondering -- if any two routers are directly connected, static routes over them would be redundant?
Why is it that when RouterA pings ISP, or the Web server, it's fine, but when the host attached to RouterA pings, it doesn't work??

You wouldn't put a static route for the directly connected route. You would use static routes for anything behind that router.
The reason your RouterA can ping is because it will use the exit interface as the source of the ICMP packet (unless specified otherwise). The exit interface is the interface directly connected to the ISP router. So, the ISP router gets the ICMP packet and sends it on to the destination, the webserver. When the webserver gets it, it sends the reply to its default gateway, which is the ISP router, with RouterA's interface IP as the destination. Once the ISP router gets it, it looks at the destination, and since the ISP router has a connected route to the destination it forwards the packet and your ping is successful.
When the ISP router gets the ICMP packet sourced from the host, it will still send it on to the webserver and the webserver will send the reply, with the destination set to the host's IP address, to its default gateway, the ISP router. Once the ISP router gets the reply and looks up the destination, it does not have a route back to the host's address and drops the packet.
So, you need to give the ISP router a route back to the host's address (whether that be a NATed address or actual source address).
-
Dubuku57 Member Posts: 81
Thanks Networker, I understand that portion on static routes!
Few ans about what Sandman mentioned earlier above:
"command is translating your local addresses to an ip in the range of 200.152.200.65 - 200.152.200.70 and do not have an interface configured with any of those addresses."
1. Dynamic NAT uses a range of addies to convert the inside local to, right?
2. Does this pool of adds need to be in the same subnet as the WAN link adds?
3. Why must any interface be configured with the adds from the pool?
-
sandman748 Member Posts: 104
Dubuku57 wrote: » Thanks Networker, I understand that portion on static routes!
Few ans about what Sandman mentioned earlier above:
"command is translating your local addresses to an ip in the range of 200.152.200.65 - 200.152.200.70 and do not have an interface configured with any of those addresses."
1. Dynamic NAT uses a range of addies to convert the inside local to, right?
2. Does this pool of adds need to be in the same subnet as the WAN link adds?
3. Why must any interface be configured with the adds from the pool?

1. That is correct.
For 2 and 3 I'm not sure. I think I may have given the wrong answer above, as networker050184 pointed out. I've never done it before, but apparently you don't have to have those addresses tied to one of your interfaces. The only reason I said it should is so that the source address after NAT matched the directly connected route.
Here's what's happening right now. When RouterA pings ISP it sends out a packet with a source address of 200.152.200.2. The ISP router is able to route back to that address as it has a directly connected route.
When the host pings, the router is converting that inside IP address to one of the addresses in the range 200.152.200.65 - 200.152.200.70/28 which are located on network 200.15.200.64. The ISP does not have a route to that network as it is not directly connected. Therefore you need to put in a static route on the ISP router to that network in order to route back.
-
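The return-path behaviour explained in the replies above, as an added example that is not part of any poster's message: a Python model of the ISP router's route lookup, using the addresses from the posted running-configs. PC2's address (192.168.100.129), the untranslated host, and handing out the first pool address are assumptions made for illustration.

```python
import ipaddress as ipa

# Addresses copied from the RouterA and ISP running-configs in the thread.
ACL1_BASE, ACL1_WILDCARD = "192.168.100.128", "0.0.0.3"
POOL_START, POOL_MASK = "200.152.200.65", "255.255.255.248"
ROUTER_A_SERIAL = "200.152.200.2"
ISP_CONNECTED = ["25.16.59.0/30", "200.152.200.0/30"]


def acl_permits(src):
    """Standard ACL match: bits set in the wildcard mask are ignored."""
    care = ~int(ipa.ip_address(ACL1_WILDCARD)) & 0xFFFFFFFF
    return int(ipa.ip_address(src)) & care == int(ipa.ip_address(ACL1_BASE)) & care


def source_on_wire(src):
    """Source address the ISP sees. src=None models a ping issued on RouterA."""
    if src is None:
        return ROUTER_A_SERIAL   # router-originated: exit interface address
    if acl_permits(src):
        return POOL_START        # assumption: first free pool address is used
    return src                   # no ACL match: forwarded untranslated


def isp_route_for(dst, routes):
    """Longest-prefix match in the ISP table; None means the reply is dropped."""
    nets = [ipa.ip_network(r) for r in routes]
    hits = [n for n in nets if ipa.ip_address(dst) in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)


def reply_returns(src, routes):
    """True when the ISP can route the echo reply back towards RouterA."""
    return isp_route_for(source_on_wire(src), routes) is not None


def pool_network():
    """Network the ISP needs a route for (next hop would be 200.152.200.2)."""
    return ipa.ip_network(f"{POOL_START}/{POOL_MASK}", strict=False)


if __name__ == "__main__":
    pc2 = "192.168.100.129"      # assumed PC2 address inside the ACL range
    fixed = ISP_CONNECTED + [str(pool_network())]
    for label, src in [("RouterA", None), ("PC2", pc2)]:
        print(label, "before:", reply_returns(src, ISP_CONNECTED),
              "after:", reply_returns(src, fixed))
```

A host that ACL 1 does not match leaves RouterA with its private source address, so its replies are still dropped at the ISP even after the pool route is added.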
Dubuku57 Member Posts: 81
Okay, it's clear now.. I shall try that out in the lab - the route to the inside global address group.. Will let you know if any anomalies crop up there... Thanks a lot guyzzz!!