NAT: am I missing something?
bermovick
Member Posts: 1,135 ■■■■□□□□□□
in CCNA & CCENT
Yeah, it's a bit embarrassing asking about something I should know.
I'm brushing up on some of the old commands to refresh my memory on some basic configuration for an upcoming hands-on ... interview thing. NAT was never my strong point, so I'm running a few labs with it, but I can't seem to get it to work.
Simple lab in GNS3. R1 and R2 connected via serial link. R3 and R4 are pretending to be PCs on the other side of R2. The NAT will be done on R2, with R1 pretending to be the internet.
R1 has loopbacks for 10.0.0.1/24 and 10.0.1.1/24.
R1-R2 is 172.16.0.0/30
R2's lan is 192.168.0.0/24
Here's the pertinent running-config from R2:
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 172.16.0.2 255.255.255.0
 ip nat outside
 clock rate 2000000
ip nat inside source list 1 interface Serial0/0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255 log
This is all correct, as far as I can tell, but after pinging 10.0.0.1 from one of my "PCs", no NAT is being performed:
R3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/27/44 ms
R2#sh ip nat translations
R2#
Debugging on R1 confirms both the ping success, and the lack of NAT being performed.
R1#
*Mar 1 00:24:36.455: ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.3
*Mar 1 00:24:36.499: ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.3
*Mar 1 00:24:36.543: ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.3
*Mar 1 00:24:36.575: ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.3
*Mar 1 00:24:36.583: ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.3
R1#
I figured while I investigate further, I'd throw this out here to see if extra eyes might see/figure out what I'm not seeing/figuring out.
Latest Completed: CISSP
Current goal: Dunno
Comments
-
mzinz Member Posts: 328
Configuration looks right to me. Possible GNS3 bug?
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801
-
Forsaken_GA Member Posts: 4,024
Don't advertise the 192.168.0.0/24 network to R1, for starters, otherwise you're defeating the purpose of NAT.
-
Forsaken_GA Member Posts: 4,024
The problem is with your access list, it's not matching, so it's not translating the source IP.
-
Forsaken_GA Member Posts: 4,024
Weird, it may be a GNS bug.
I mocked up your setup real quick, got the same issues as you, and after I changed the access list to permit any for giggles, it worked.
So I put it back the way it was, noted it wasn't matching on that access list. Turned on debugging of NAT on the middle router, and then it started working.
-
bermovick Member Posts: 1,135 ■■■■□□□□□□
Actually after a handful of near-duplicate labs, as far as I can tell, the problem was with my default-route line.
ip route 0.0.0.0 0.0.0.0 s0/0 didn't work
ip route 0.0.0.0 0.0.0.0 172.16.0.1 worked
I'm not sure why and I suppose I should dig back into my books and see if the first command is incorrect somehow.
Although from your experiences... maybe it is just a GNS thing. I may try hooking up my hardware just to check out of curiosity, although I already sat for the technical interview where I knew this would come up and didn't have any issues.
Latest Completed: CISSP
Current goal: Dunno
-
Forsaken_GA Member Posts: 4,024
> Actually after a handful of near-duplicate labs, as far as I can tell, the problem was with my default-route line.
> ip route 0.0.0.0 0.0.0.0 s0/0 didn't work
> ip route 0.0.0.0 0.0.0.0 172.16.0.1 worked
> I'm not sure why and I suppose I should dig back into my books and see if the first command is incorrect somehow.
> Although from your experiences... maybe it is just a GNS thing. I may try hooking up my hardware just to check out of curiosity, although I already sat for the technical interview where I knew this would come up and didn't have any issues.
No, I set the default route to use the IP instead of the interface (that's a habit, there are issues if you use a default route pointing to an interface on Ethernet).
It was incredibly strange: one ping from the right router failed, the left router's debug showed the real IP as the source, turned on NAT debugging on the middle router, sent the ping from the right router again, and it worked fine.
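An added example, not part of any post in this thread: a small static check of the overload NAT prerequisites the thread argues about (inside/outside marking, whether the ACL covers the inside subnet, and the form of the default route). The names `audit_nat` and `R2_CONFIG` are hypothetical, and the input is constructed from the config lines posted above plus the `ip route ... s0/0` line from the later post.

```python
import ipaddress
import re

# Constructed input: R2's config lines as posted in the thread, plus the
# default-route form the original poster reported as not working.
R2_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
interface Serial0/0
 ip address 172.16.0.2 255.255.255.0
 ip nat outside
ip nat inside source list 1 interface Serial0/0 overload
ip route 0.0.0.0 0.0.0.0 s0/0
access-list 1 permit 192.168.0.0 0.0.255.255 log
"""

def audit_nat(config):
    """Return a list of findings for a PAT (overload) configuration."""
    ifaces, acls, rules, findings, current = {}, {}, [], [], None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ifaces.setdefault(m[1], {"net": None, "nat": None})
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            current["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r" ip nat (inside|outside)$", line):
            current["nat"] = m[1]
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)", line):
            rules.append((m[1], m[2]))
        elif m := re.match(r"access-list (\S+) permit (\S+) (\S+)", line):
            # IOS wildcard masks are inverted netmasks; ipaddress accepts them.
            acls.setdefault(m[1], []).append(
                ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            try:
                ipaddress.ip_address(m[1])
            except ValueError:
                findings.append(f"default route points at interface {m[1]}, not a next-hop IP")
    inside = [i["net"] for i in ifaces.values() if i["nat"] == "inside" and i["net"]]
    for acl, out_if in rules:
        if ifaces.get(out_if, {}).get("nat") != "outside":
            findings.append(f"{out_if} is not marked 'ip nat outside'")
        nets = acls.get(acl, [])
        for lan in inside:
            if not any(lan.subnet_of(n) for n in nets):
                findings.append(f"ACL {acl} does not match inside subnet {lan}")
            elif not any(lan == n for n in nets):
                findings.append(f"ACL {acl} is broader than inside subnet {lan}")
    return findings
```

On the posted config the ACL does cover the inside LAN, so the two findings are the interface-based default route and an ACL wildcard (a /16) wider than the /24 it needs to translate.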