NAT problem

solnsusiesolnsusie Member Posts: 128
in CCNA & CCENT
hi
im studying now NAT, and i have a problem which i just cant figure it out, i configured dynamic NAT with an access list and when i pingthe host on which i configured NAT from the router i see that its using the NAT address, but i cant ping other hosts from that host on which i configured NAT, this is my configuration


interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.1.1 255.255.255.248
ip nat inside
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.1.9 255.255.255.248
ip nat inside
!
interface Serial1/0
ip address 10.1.1.1 255.255.255.252
ip nat outside
clock rate 800000


ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240
ip nat inside source list 1 pool natest


access-list 1 permit host 192.168.1.4
access-list 1 permit host 192.168.1.14

please get me on track!!!!

thnaks
· Share on FacebookShare on Twitter

Comments

  • nbeachamnbeacham Users Awaiting Email Confirmation Posts: 23 ■□□□□□□□□□
    I'm not an expert by any means and am still studying myself, but try setting nat to overload.
    so change
    ip nat inside source list 1 pool natest
    to
    ip nat inside source list 1 pool natest overload
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    nbeacham wrote: »
    I'm not an expert by any means and am still studying myself, but try setting nat to overload.
    so change
    ip nat inside source list 1 pool natest
    to
    ip nat inside source list 1 pool natest overload
    thanks for your try! but, no its not working, the interesting part of it is, that I could ping the same host from a different network which is connected through a frame relay network and I’m getting back a reply, so how come I can’t get out with this host? if I can get I reply from this host trough a different host in a different network with the NAT address why in the world cant I get out with this host itself, does it has to do with the ACL????
    · Share on FacebookShare on Twitter
  • nbeachamnbeacham Users Awaiting Email Confirmation Posts: 23 ■□□□□□□□□□
    try setting up the access list differently
    access-list 1 permit host 192.168.1.0 0.0.0.255

    Again, i'm no expert so take these in stride.
    · Share on FacebookShare on Twitter
  • nbeachamnbeacham Users Awaiting Email Confirmation Posts: 23 ■□□□□□□□□□
    Maybe if you can give us a little further detail into your problem.
    · Share on FacebookShare on Twitter
  • MrRyteMrRyte Member Posts: 347 ■■■■□□□□□□
    solnsusie wrote: »
    hi
    im studying now NAT, and i have a problem which i just cant figure it out, i configured dynamic NAT with an access list and when i pingthe host on which i configured NAT from the router i see that its using the NAT address, but i cant ping other hosts from that host on which i configured NAT, this is my configuration


    interface FastEthernet0/0.2
    encapsulation dot1Q 2
    ip address 192.168.1.1 255.255.255.248
    ip nat inside
    !
    interface FastEthernet0/0.3
    encapsulation dot1Q 3
    ip address 192.168.1.9 255.255.255.248
    ip nat inside
    !
    interface Serial1/0
    ip address 10.1.1.1 255.255.255.252
    ip nat outside
    clock rate 800000


    ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240
    ip nat inside source list 1 pool natest


    access-list 1 permit host 192.168.1.4
    access-list 1 permit host 192.168.1.14

    please get me on track!!!!

    thnaks
    Maybe I'm missing something, but I don't see how that comes into play in the network. Shouldn't the addresses being translated be within the subnet of the inside and outside interfaces being translated?

    Also; do a traceroute to see EXACTLY where the hang up is.
    (BTW-I'm no pro at this either; I'm just going by what I gathered from here:
    http://www.routeralley.com/ra/docs/nat.pdf )
    NEXT UP: CompTIA Security+ :study:

    Life is a matter of choice not chance. The path to your destiny will be paved by the decisions that you make every day.
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    MrRyte wrote: »
    Maybe I'm missing something, but I don't see how that comes into play in the network. Shouldn't the addresses being translated be within the subnet of the inside and outside interfaces being translated?

    Also; do a traceroute to see EXACTLY where the hang up is.
    (BTW-I'm no pro at this either; I'm just going by what I gathered from here:
    http://www.routeralley.com/ra/docs/nat.pdf )
    Also; do a traceroute to see EXACTLY where the hang up is. it’s getting stuck on its default gateway on the way out, where the NAT and ACL are configured.
    and regarding the ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240 configuration, that’s what I learned it should be set up, it means that the pool contains the range of this address.
    but my question is, how can it be that a ping from outside is getting a reply, and a ping to the outside cant get out???
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    nbeacham wrote: »
    try setting up the access list differently
    access-list 1 permit host 192.168.1.0 0.0.0.255

    Again, i'm no expert so take these in stride.
    i did so, and with no luck!
    · Share on FacebookShare on Twitter
  • drkatdrkat Banned Posts: 703
    is the 50.2.2.1/28 even assigned to an interface?

    You need to NAT behind an interface so if 50.2.2.1 isn't assigned to an interface you're going no where.
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    drkat wrote: »
    is the 50.2.2.1/28 even assigned to an interface?

    You need to NAT behind an interface so if 50.2.2.1 isn't assigned to an interface you're going no where.
    you mean that the NAT address need to be assigned to a phisical interface??? so how can you make a pool of address's, since you can have only one or a secondery ip address on a interface???? and also how can it be that when i ping this host from the outside im getting back the NAT address??

    but i will try that out!!!
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    any help please on this?
    thanks
    · Share on FacebookShare on Twitter
  • nbeachamnbeacham Users Awaiting Email Confirmation Posts: 23 ■□□□□□□□□□
    drkat wrote: »
    is the 50.2.2.1/28 even assigned to an interface?

    You need to NAT behind an interface so if 50.2.2.1 isn't assigned to an interface you're going no where.

    Did you try this?
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    yes i did! and its still not working, again, ther is no IP problem since im getting a reply from this host, and also when im taking off the NAT gonfiguration averything works great.
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    ok, I just figured out something, maybe this can help me, as I see now, that I can’t ping only to any other host which is configured to use NAT, in other words, 2 host's configured with NAT cant ping one the other, this is the facts, now, what is the cause, and what is the solution???
    · Share on FacebookShare on Twitter
  • drkatdrkat Banned Posts: 703
    Can you please post your pings and traces? also a show ip int br would be nice and a show ip route

    - you may want to debug ip nat or debug ip packet detail on your ACL so that you can see what is happening when you try to ping.
    · Share on FacebookShare on Twitter
  • drkatdrkat Banned Posts: 703
    Also with regard to the pool.

    Currently you're NATing 10x to 192x so your show ip nat translations would so an outside address of 10.x and inside of 192.x


    What addresses are you pinging? your explanation is vague
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    im leaving now for the weekend, will get back sunday, with all this information.
    thanks a lot
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    drkat wrote: »
    Can you please post your pings and traces? also a show ip int br would be nice and a show ip route

    - you may want to debug ip nat or debug ip packet detail on your ACL so that you can see what is happening when you try to ping.
    i am posting now my settings, and i posted by the end also the NAT configuration of the gateway of the host 192.168.2.4

    please let me know if you need something more, and if you need a image of my Packet tracer network please let me know how to post it.
    thanks a lot

    Router1-2#show ip int bri
    Interface IP-Address OK? Method Status Protocol

    FastEthernet0/0 unassigned YES unset up up

    FastEthernet0/0.2 192.168.1.1 YES manual up up

    FastEthernet0/0.3 192.168.1.9 YES manual up up

    Serial1/0 10.1.1.1 YES manual up up

    Serial1/1 unassigned YES unset administratively down down

    Serial1/2 unassigned YES unset administratively down down

    Serial1/3 unassigned YES unset administratively down down

    Router1-2#show ip rout
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route
    Gateway of last resort is not set
    R 11.0.0.0/8 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
    R 12.0.0.0/8 [120/3] via 50.2.2.2, 00:00:13, Serial1/0
    R 13.0.0.0/8 [120/3] via 50.2.2.2, 00:00:13, Serial1/0
    R 14.0.0.0/8 [120/3] via 50.2.2.2, 00:00:13, Serial1/0
    R 15.0.0.0/8 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
    R 16.0.0.0/8 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
    50.0.0.0/30 is subnetted, 1 subnets
    C 50.2.2.0 is directly connected, Serial1/0
    R 172.1.0.0/16 [120/1] via 50.2.2.2, 00:00:13, Serial1/0
    R 172.2.0.0/16 [120/1] via 50.2.2.2, 00:00:13, Serial1/0
    R 172.3.0.0/16 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
    R 172.4.0.0/16 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
    192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
    R 192.168.1.0/24 [120/1] via 50.2.2.2, 00:00:13, Serial1/0
    C 192.168.1.0/29 is directly connected, FastEthernet0/0.2
    C 192.168.1.8/29 is directly connected, FastEthernet0/0.3
    R 192.168.2.0/24 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
    R 192.168.3.0/24 [120/3] via 50.2.2.2, 00:00:13, Serial1/0
    R 192.168.4.0/24 [120/2] via 50.2.2.2, 00:00:13, Serial1/0

    show running-config

    interface FastEthernet0/0.2
    encapsulation dot1Q 2
    ip address 192.168.1.1 255.255.255.248
    ip nat inside

    interface FastEthernet0/0.3
    encapsulation dot1Q 3
    ip address 192.168.1.9 255.255.255.248
    ip nat inside

    interface Serial1/0
    ip address 50.2.2.1 255.255.255.252
    ip nat outside
    clock rate 800000

    router rip
    version 2
    network 50.0.0.0
    network 192.168.1.0

    ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240
    ip nat inside source list 1 pool natest
    ip classless

    access-list 1 permit 192.168.1.4
    access-list 1 permit 192.168.1.14


    PC>tracert 192.168.2.4
    Tracing route to 192.168.2.4 over a maximum of 30 hops:
    1 31 ms 31 ms 46 ms 192.168.1.1
    2 124 ms 109 ms 78 ms 50.2.2.2
    3 80 ms 141 ms 111 ms 172.1.1.2
    4 141 ms 125 ms 187 ms 11.1.1.1
    5 * *
    Control-C
    ^C
    PC>ping 192.168.2.4
    Pinging 192.168.2.4 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 192.168.2.4:
    Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
    Control-C
    ^C
    PC>

    Router1-2#show ip nat s
    Total translations: 0 (0 static, 0 dynamic, 0 extended)
    Outside Interfaces: Serial1/0
    Inside Interfaces: FastEthernet0/0.2 , FastEthernet0/0.3
    Hits: 9 Misses: 137
    Expired translations: 26
    Dynamic mappings:
    -- Inside Source
    access-list 1 pool natest refCount 0
    pool natest: netmask 255.255.255.240
    start 50.2.2.1 end 50.2.2.10
    type generic, total addresses 10 , allocated 0 (0%), misses 0

    Router1-2#show ip nat t
    Pro Inside global Inside local Outside local Outside global
    icmp 50.2.2.1:33 192.168.1.4:33 192.168.2.4:33 192.168.2.4:33
    icmp 50.2.2.1:34 192.168.1.4:34 192.168.2.4:34 192.168.2.4:34
    icmp 50.2.2.1:35 192.168.1.4:35 192.168.2.4:35 192.168.2.4:35
    icmp 50.2.2.1:36 192.168.1.4:36 192.168.2.4:36 192.168.2.4:36



    ********************************************************************************************************

    this is the copy of the NAT configuration on the router to the host of 192.168.2.4

    ip nat inside source static 192.168.2.4 50.1.1.1
    ip nat inside source static 192.168.2.14 50.1.1.2
    · Share on FacebookShare on Twitter
  • deth1kdeth1k Member Posts: 312
    The clue is in the subnet mask of your NAT pool:

    ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240 <<<<<<<<<<<<<<</28

    ip address 50.2.2.1 255.255.255.252 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<</30

    In this instance you should be using overload otherwise it aint going to work.


    ip nat inside source list 1 interface se1/0 overload
    !
    access-list 1 permit 192.168.0.0 0.0.255.255
    !
    int se1/0
    ip nat out
    !
    int fa0/0.2
    ip nat in
    !
    int fa0/0.3
    !
    ip nat in
    · Share on FacebookShare on Twitter
  • hiddenknight821hiddenknight821 Member Posts: 1,209 ■■■■■■□□□□
    deth1k wrote: »
    The clue is in the subnet mask of your NAT pool:

    ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240 <<<<<<<<<<<<<<</28

    ip address 50.2.2.1 255.255.255.252 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<</30

    In this instance you should be using overload otherwise it aint going to work.


    ip nat inside source list 1 interface se1/0 overload
    !
    access-list 1 permit 192.168.0.0 0.0.255.255
    !
    int se1/0
    ip nat out
    !
    int fa0/0.2
    ip nat in
    !
    int fa0/0.3
    !
    ip nat in

    I believe you are incorrect. Those two things doesn't necessarily have the same subnet mask. As long as the number of Inside Local (Individual Hosts) are less than or equal to the number of Inside Global (number of "registered" addresses), Dynamic NAT can work without overloading.

    EDIT: I want to go into more details on this just to be more clear. What I meant is that you can obtain 14 registered addresses from a service provider. Let's say 50.2.2.0 network with subnet mask, 255.255.255.240. You can subnet this network even further using VLSM, and leave the two addresses for serial connection between two routers. However, I do not know how service provider works, so I can be wrong about how their process works, but I hope my point came through.
    · Share on FacebookShare on Twitter
  • hiddenknight821hiddenknight821 Member Posts: 1,209 ■■■■■■□□□□
    Believe it or not, I just finished the NAT stuff today, and I now have a solid understanding. I plan to take the ICND2 next week. Judging by your running-config on your router, Router1-2, I have to say your network is pretty foreign to my knowledge. I plan to do some layer-3 switching and build some labs in GNS3 over the next few days.


    It is hard for me to look at the config here alone and find the underlying root cause. By looking at the "show ip nat statistic" and "show ip nat translation", I can definitely say that your NAT is not working properly as you have many "Misses" shown in the statistic. Also, your router failed to allocate the address from the pool, natest. You can see that the allocation percentage is zero.


    NAT pool, natest, contains the address of the serial1/0 interface on Router1-2. I don't think you should have the interface IP address (50.2.2.1) listed there. You can use one of the 14 extra unused addresses since you have the 255.255.255.240 netmask. What the non-overload dynamic NAT does is that it takes the lowest IP address from the pool, but I am not sure if the router is smart enough to figure out that the address is already allocated and move on to the next available one. Perhaps it was being stubborn, because they expect the IP addresses in the pool to be obtained solely for purpose of NAT translation, and yet it hasn't acknowledged that the lottery has been made.
    · Share on FacebookShare on Twitter
  • drkatdrkat Banned Posts: 703
    the interface ip would be allowed for nat. i havent had a chance to look this over yet been busy will later
    · Share on FacebookShare on Twitter
  • alxxalxx Member Posts: 755
    Pro Inside global Inside local Outside local Outside global
    icmp 50.2.2.1:33 192.168.1.4:33 192.168.2.4:33 192.168.2.4:33
    icmp 50.2.2.1:34 192.168.1.4:34 192.168.2.4:34 192.168.2.4:34
    icmp 50.2.2.1:35 192.168.1.4:35 192.168.2.4:35 192.168.2.4:35
    icmp 50.2.2.1:36 192.168.1.4:36 192.168.2.4:36 192.168.2.4:36

    Will that work with the same ip's and ports for outside local and outside global ?
    Goals CCNA by dec 2013, CCNP by end of 2014
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    deth1k wrote: »
    The clue is in the subnet mask of your NAT pool:

    ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240 <<<<<<<<<<<<<<</28

    ip address 50.2.2.1 255.255.255.252 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<</30

    In this instance you should be using overload otherwise it aint going to work.


    ip nat inside source list 1 interface se1/0 overload
    !
    access-list 1 permit 192.168.0.0 0.0.255.255
    !
    int se1/0
    ip nat out
    !
    int fa0/0.2
    ip nat in
    !
    int fa0/0.3
    !
    ip nat in

    hi
    as I learned in ODOM ICND2 book, you can use I totally different network number and a totally different mask number for the NAT Inside Global address then the original ip address of the other side of the internal network-router, and it will work, and even without the "overload" command, so this is not correct.
    thanks anyways...
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    hiddenknight821 wrote: »
    I believe you are incorrect. Those two things doesn't necessarily have the same subnet mask. As long as the number of Inside Local (Individual Hosts) are less than or equal to the number of Inside Global (number of "registered" addresses), Dynamic NAT can work without overloading.

    EDIT: I want to go into more details on this just to be more clear. What I meant is that you can obtain 14 registered addresses from a service provider. Let's say 50.2.2.0 network with subnet mask, 255.255.255.240. You can subnet this network even further using VLSM, and leave the two addresses for serial connection between two routers. However, I do not know how service provider works, so I can be wrong about how their process works, but I hope my point came through.

    you are right!
    as I learned in ODOM ICND2 book, you can use I totally different network number and a totally different mask number for the NAT Inside Global address then the original ip address of the other side of the internal network-router, and it will work, and even without the "overload" command, so he is not correct.
    · Share on FacebookShare on Twitter
  • solnsusiesolnsusie Member Posts: 128
    hiddenknight821 wrote: »
    Believe it or not, I just finished the NAT stuff today, and I now have a solid understanding. I plan to take the ICND2 next week. Judging by your running-config on your router, Router1-2, I have to say your network is pretty foreign to my knowledge. I plan to do some layer-3 switching and build some labs in GNS3 over the next few days.
    I have to say your network is pretty foreign to my knowledge. What do you mean? It’s not good? Or you don’t understand it? I did this just for studying,

    hiddenknight821 wrote: »
    It is hard for me to look at the config here alone and find the underlying root cause. By looking at the "show ip nat statistic" and "show ip nat translation", I can definitely say that your NAT is not working properly as you have many "Misses" shown in the statistic. Also, your router failed to allocate the address from the pool, natest. You can see that the allocation percentage is zero.

    that’s my question? I fallowed instructions how I learned it and I just can’t see why it’s not working, that’s why I came to this great forum to get this answer, and so far I didn’t got any right answer!!!!!

    hiddenknight821 wrote: »
    NAT pool, natest, contains the address of the serial1/0 interface on Router1-2. I don't think you should have the interface IP address (50.2.2.1) listed there. You can use one of the 14 extra unused addresses since you have the 255.255.255.240 netmask. What the non-overload dynamic NAT does is that it takes the lowest IP address from the pool, but I am not sure if the router is smart enough to figure out that the address is already allocated and move on to the next available one. Perhaps it was being stubborn, because they expect the IP addresses in the pool to be obtained solely for purpose of NAT translation, and yet it hasn't acknowledged that the lottery has been made.
    this address on the SE1/0 on Router 1-2 originally had a different one, a 10.1.1.1/30 address a changed it since they told me here I should try it should be the same address like the one in the pool, even I know that it’s not true,

    so as of now I changed it back to the original ip address and I still don’t have any luck with this, I know definitely that it’s a NAT problem since I can communicate with all other hosts and also when I take off this NAT configuration everything works fine, so what is the problem here, can you [lease help me???

    Thanks a lot
    · Share on FacebookShare on Twitter
Sign In or Register to comment.