NAT Help

alliasneo Posts: 186 Member
Hey Guys,

I've been banging my head against this for over an hour now. I've created two sites connected to an ISP in the middle and I've set up NAT on the two sites. However, when I try to ping from one to the other the pings don't get through: they are translated once, and the other side lets the packets through, but when they come back out of the other site they are translated again and I can't get the packets back. Does that make sense? My set up is below:

So R2 will translate a packet out using, say, 150.150.150.65, and when it gets to the other side R1 lets it through without translation. So it reaches the PC using the 150 address. But now when it comes back R1 translates it using, say, 150.150.150.1, and when R2 receives it, it doesn't have a translation for this address. How is this overcome?

I've also scribbled out the packet process below if it helps...

Thanks

Comments

  • NetworkVeteran Posts: 2,338 Member
    Can you post your actual NAT configurations for both routers?

    So R2 will translate a packet out using say 150.150.150.65 and
    Right:
    S=10.1.1.1 => D=150.150.150.1 becomes
    S=150.150.150.65 => D=150.150.150.1

    when it gets to the other side R1 lets it through without translation.
    That doesn't make sense. You need R1 to translate the destination address sorta like this:
    S=150.150.150.65 => D=10.2.2.2
    Maybe you didn't ensure 150.150.150.1 was already mapped?

    So it reaches the PC using the 150 address.

    It can't reach the PC using the 150.150.150.1 address because the PC has no knowledge of that address.
    But now when it comes back R1 translates
    And certainly if the above happened there'd be no return packet for R1.

    Your explanation doesn't make sense. I will await real configs to make sense of this.

    Also, any output you feel is helpful that led you to your conclusions.
  • Hondabuff Posts: 667 Member
    I would do a traceroute and see where the packets are being dropped. Sounds like you're missing a default route and the router is dropping the packet.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • phoeneous (Go ping yourself...) Posts: 2,332 Member
    Are those typos in the first screenshot?

    R1 is 150.150.1.6/30
    R2 is 150.150.1.2/30

    Yet your pools on either router are 150.150.150.0/25?

    You really only need to do nat on the outside interface pointing to the isp.

    Post the config of all 3 routers.
  • johnifanx98 Posts: 329 Member
    phoeneous wrote: »
    Are those typos in the first screenshot?

    R1 is 150.150.1.6/30
    R2 is 150.150.1.2/30

    Yet your pools on either router are 150.150.150.0/25?

    You really only need to do nat on the outside interface pointing to the isp.

    Post the config of all 3 routers.

    I love these questions...
  • alliasneo Posts: 186 Member
    R1's config:

    interface FastEthernet1/0
    ip address 10.1.254.2 255.255.255.252
    ip nat inside
    duplex full
    speed 100
    !
    interface Serial2/0
    ip address 150.150.1.6 255.255.255.252
    ip nat outside
    !
    ip nat pool NAT_POOL 150.150.150.0 150.150.150.50 netmask 255.255.255.192
    ip nat inside source list NAT pool NAT_POOL overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial2/0
    !
    !
    ip access-list standard NAT
    permit 10.1.64.0 0.0.7.255
    deny any
    !

    R2

    interface FastEthernet0/0
    ip address 172.16.14.1 255.255.255.252
    ip nat inside
    duplex auto
    speed auto
    !
    interface Serial2/0
    ip address 150.150.1.2 255.255.255.252
    ip nat outside
    !
    ip nat pool NAT_POOL 150.150.150.64 150.150.150.90 netmask 255.255.255.192
    ip nat inside source list NAT pool NAT_POOL overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial2/0

    ISP

    ip access-list standard ISP_BLOCKED_PRIVATE
    deny 10.0.0.0 0.255.255.255
    deny 172.0.0.0 0.255.255.255
    deny 192.0.0.0 0.255.255.255
    permit any
    !
  • alliasneo Posts: 186 Member
    phoeneous wrote: »
    Are those typos in the first screenshot?

    R1 is 150.150.1.6/30
    R2 is 150.150.1.2/30

    Yet your pools on either router are 150.150.150.0/25?

    No they're not typos. I've used a different range of addresses for NAT - is this not right? Do I have to use the same subnet range of addresses for NAT that I have configured on the interfaces? so instead of 150.150.1.0/30 I would use 150.150.1.0/25?
  • NetworkVeteran Posts: 2,338 Member
    Also, any output you feel is helpful that led you to your conclusions.
    I haven't reviewed your configuration yet, but I noticed you didn't provide the above yet.
  • alliasneo Posts: 186 Member
    OK so I've grabbed some screen shots as the packets go through the network:

    Ping going from the LAN of R2 to the LAN of R1 (right to left):


    Received at R1:


    The PING has reached the PC and now this is on the way back.

    PING arrives back at R1:


    PING arrives back at R2:


    R2 sends it back to the ISP and the ISP sends it back to R2 over and over.
    Attachments: 1.jpg, 2.jpg, 3.jpg, 4.jpg
  • NetworkVeteran Posts: 2,338 Member
    Thanks. Now the errors are becoming clearer.

    Image #1: You pinged 10.0.0.0/8. Your ISP should drop this.
    Image #2: Your ISP forwarded this, which points to an ISP misconfiguration--
    a. Configure an extended ACL on your ISP to drop all packets destined for private nets. Your current ACL only drops all packets sourced from private nets.
    b. Prevent your router from forwarding out packets with private IP addresses.

    Once your ISP is working, pinging 10.x.x.x from R2 should fail. That's correct behavior.
  • NetworkVeteran Posts: 2,338 Member
    Going a step further, it seems you want devices external to R1's LAN to be able to access R1's LAN PC. The way to accomplish this with NAT is to use static NAT for R1's LAN PC. This way it is always assigned the same public IP address--say 150.150.150.1--and that's the only address that outside devices will know and ping.
  • phoeneous (Go ping yourself...) Posts: 2,332 Member
    alliasneo wrote: »
    No they're not typos. I've used a different range of addresses for NAT - is this not right? Do I have to use the same subnet range of addresses for NAT that I have configured on the interfaces? so instead of 150.150.1.0/30 I would use 150.150.1.0/25?


    Depends, what exactly are you trying to accomplish?
  • NetworkVeteran Posts: 2,338 Member
    phoeneous wrote: »
    Depends, what exactly are you trying to accomplish?
    Per screenshot #1, he's trying to ping a private IP across the Internet. That's going to fail every time. When pinging across the Internet, one must use public IPs.

    Any LAN addresses he wants reachable from the outside should be configured with static NAT. Currently, they are all configured for PAT / NAT Overloading.

    (Some form of VPN might be a solution here in the real world.)
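Added example, not from the original thread or anyone's lab: a small Python model of the topology posted above that walks an echo request and its reply through R2, the ISP and R1, so the three situations discussed in this thread can be compared side by side. It covers NetworkVeteran's two points (the ISP must filter private destinations as well as private sources, and a LAN host reachable from outside needs a static NAT entry) and also shows why the OP's return packet "doesn't have a translation" on R2: an overload (PAT) entry is an extended entry that records the outside host the packet was sent to, so a reply whose source has been rewritten by the far-side router no longer matches. Assumptions, since they are not in the posted configs: R2's NAT access-list is taken as 172.16.0.0/16, R1's overload address is taken as 150.150.150.2 so that .1 is free for the static mapping, the ICMP echo identifier stands in for the port, and the class and function names are mine.

```python
import ipaddress
from dataclasses import dataclass, field

# The three RFC 1918 blocks. 172.0.0.0/8 as a whole is NOT private, so an
# ACL line like "deny 172.0.0.0 0.255.255.255" over-blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int  # ICMP echo identifier; PAT rewrites it like a port


@dataclass
class NatRouter:
    """Model of 'ip nat inside source ... overload' plus static entries
    (assumptions: one overload address, ICMP only, no entry timeouts)."""
    name: str
    inside: ipaddress.IPv4Network  # what the NAT access-list permits
    pat_global: str                # address the overload pool hands out
    static: dict = field(default_factory=dict)  # inside local -> inside global
    table: dict = field(default_factory=dict)   # (local, ident, outside) -> (global, ident)
    next_ident: int = 1024

    def outbound(self, p: Packet) -> Packet:
        """inside -> outside: rewrite the source. Static entries win; a PAT
        entry also records the outside host the packet was sent to."""
        if p.src in self.static:
            return Packet(self.static[p.src], p.dst, p.ident)
        if ipaddress.ip_address(p.src) in self.inside:
            key = (p.src, p.ident, p.dst)
            if key not in self.table:
                self.table[key] = (self.pat_global, self.next_ident)
                self.next_ident += 1
            glob, gi = self.table[key]
            return Packet(glob, p.dst, gi)
        return p  # not permitted by the NAT ACL: forwarded untranslated

    def inbound(self, p: Packet) -> Packet:
        """outside -> inside: rewrite the destination if an entry matches.
        IOS routes an unmatched packet untranslated; it does not drop it."""
        for local, glob in self.static.items():
            if p.dst == glob:
                return Packet(p.src, local, p.ident)
        for (local, li, outside), (glob, gi) in self.table.items():
            if p.dst == glob and p.ident == gi and p.src == outside:
                return Packet(p.src, local, li)
        return p

    def deliver(self, p: Packet):
        """Only a packet whose destination is inside reaches a LAN host;
        anything else follows the default route back to the ISP."""
        return p if ipaddress.ip_address(p.dst) in self.inside else None


def isp_forward(p: Packet, check_dst: bool = True) -> bool:
    """ISP edge filter. The thread's ACL only looked at the source;
    check_dst=True is the corrected behaviour."""
    if is_private(p.src):
        return False
    return not (check_dst and is_private(p.dst))


def build_sites():
    """R1 and R2 from the posted configs (R2's NAT ACL and R1's overload
    address are assumptions, see the lead-in)."""
    r1 = NatRouter("R1", ipaddress.ip_network("10.1.64.0/21"), "150.150.150.2")
    r2 = NatRouter("R2", ipaddress.ip_network("172.16.0.0/16"), "150.150.150.65")
    return r1, r2


def ping(src_rtr, dst_rtr, req: Packet, isp_checks_dst: bool = True):
    """Walk one echo request out through src_rtr and its reply back.
    Returns the reply as the originating host sees it, or None."""
    out = src_rtr.outbound(req)
    if not isp_forward(out, isp_checks_dst):
        return None
    arrived = dst_rtr.deliver(dst_rtr.inbound(out))
    if arrived is None:
        return None
    reply = Packet(arrived.dst, arrived.src, arrived.ident)  # reply keeps ident
    back = dst_rtr.outbound(reply)
    if not isp_forward(back, isp_checks_dst):
        return None
    return src_rtr.deliver(src_rtr.inbound(back))


if __name__ == "__main__":
    pc1 = "172.16.0.2"
    r1, r2 = build_sites()   # 1: private destination, ISP fixed -> dropped at ISP
    print("private dst, ISP fixed :", ping(r2, r1, Packet(pc1, "10.1.66.2", 1)))
    r1, r2 = build_sites()   # 2: thread's ISP -> reply re-translated by R1, bounces
    print("private dst, ISP lax   :", ping(r2, r1, Packet(pc1, "10.1.66.2", 1), False))
    r1, r2 = build_sites()   # 3: static NAT on R1, ping the public address -> works
    r1.static["10.1.66.2"] = "150.150.150.1"
    print("static NAT, public dst :", ping(r2, r1, Packet(pc1, "150.150.150.1", 1)))
```

Case 2 is the thread's own symptom: the request reaches the PC because R1 routes the untranslated 10.1.66.2 destination, but the reply leaves R1 with a new source from R1's pool, so R2's entry (which was keyed on 10.1.66.2 as the outside host) does not match, the destination 150.150.150.65 is never rewritten, and the packet takes R2's default route back to the ISP, which has a static route for 150.150.150.64/26 pointing back at R2. In case 3 the static entry on R1 is matched by address alone in both directions, and R2's PAT entry was created with 150.150.150.1 as the outside host, so the reply matches.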
  • alliasneo Posts: 186 Member
    Thanks. Now the errors are becoming clearer.

    Image #1: You pinged 10.0.0.0/8. Your ISP should drop this.

    Hmmm so even though I have NAT configured on R1 when the packet reaches the ISP it still has a destination of a private address, it's just been NAT'd out with a public address? I see.

    So how is this accomplished in the real world with a real ISP because as you can see from the sh ip route on the ISP I have all of the private addresses from my internal Network due to the EIGRP relationship.

    ISP#sh ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route


    Gateway of last resort is not set


    C 4.0.0.0/8 is directly connected, FastEthernet0/0
    10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
    D 10.1.64.0/23 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
    D 10.1.66.0/23 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
    D 10.1.68.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
    D 10.1.69.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
    D 10.1.70.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
    D 10.1.71.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
    D 10.1.254.0/30 [90/20514560] via 150.150.1.6, 00:00:35, Serial3/0
    150.150.0.0/16 is variably subnetted, 4 subnets, 2 masks
    C 150.150.1.0/30 is directly connected, Serial2/0
    C 150.150.1.4/30 is directly connected, Serial3/0
    S 150.150.150.0/26 is directly connected, Serial3/0
    S 150.150.150.64/26 is directly connected, Serial2/0
    172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
    D 172.16.0.0/23 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
    D 172.16.2.0/23 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
    D 172.16.4.0/24 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
    D 172.16.10.0/24 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
    D 172.16.14.0/30 [90/20514560] via 150.150.1.2, 00:00:32, Serial2/0

    Am I right in thinking that in the real world you would configure a VPN tunnel between the two sites for the EIGRP Neighbour relationships?
  • NetworkVeteran Posts: 2,338 Member
    alliasneo wrote: »
    Am I right in thinking that in the real world you would configure a VPN tunnel between the two sites for the EIGRP Neighbour relationships?
    You could purchase an MPLS VPN service. That's what my last enterprise used. Then your ISP learns your internal routes, but only uses them for forwarding your packets.

    Alternatively, sure, an IPSEC + GRE tunnel would work here!
  • phoeneous (Go ping yourself...) Posts: 2,332 Member
    I love these questions...

    Huh? As in my question or his?
  • johnifanx98 Posts: 329 Member
    phoeneous wrote: »
    Huh? As in my question or his?

    Yours, of course yours! Such a design should not be allowed for an ethernet interface. For a serial interface, it looks OK, but I still suspect potential risks...
  • phoeneous (Go ping yourself...) Posts: 2,332 Member
    Yours, of course yours! Such a design should not be allowed for an ethernet interface. For a serial interface, it looks OK, but I still suspect potential risks...

    Again, huh? What risks?

    Just because the public facing subnet of R1 or R2 is a /30 doesn't mean it isn't part of a bigger subnet like a /29, /28, etc., which is usually how internet facing deployments are provisioned from an ISP.

    If the OP is trying to create a real world scenario in where R1 lan can ping R2 lan then he can do a vpn tunnel, mpls, even frame relay.

    But if the OP is trying to do NAT Overload, or PAT then it looks like the NAT pools are in the wrong subnet (in my opinion). You can't just choose some random subnet for your public facing interface. The ISP has already allocated a range for you. Besides, I don't see anywhere in R1's or R2's interfaces or their routing tables the 150.150.150.X subnets. Where is it coming from?

    Unless I'm looking at this the wrong way, in which case just disregard everything I just said.
  • xXErebuS Posts: 230 Member
    alliasneo wrote: »
    Hmmm so even though I have NAT configured on R1 when the packet reaches the ISP it still has a destination of a private address, it's just been NAT'd out with a public address? I see.

    So how is this accomplished in the real world with a real ISP because as you can see from the sh ip route on the ISP I have all of the private addresses from my internal Network due to the EIGRP relationship.

    Am I right in thinking that in the real world you would configure a VPN tunnel between the two sites for the EIGRP Neighbour relationships?

    You CAN create a site to site VPN with GRE and technically you don't even need to NAT the addresses! (You probably will want to, to prevent overlapping / use of private addresses.) I typically do bidirectional NAT to make it easier for the people that I'm working with; this is where you NAT your source and destination.

    Now what you need to do is create static NAT addresses for those; so instead of pinging 10.x.x.x you ping 150.150.1.x which is mapped to the 10.x.x.x address; this will work in your topology as long as you have a default gateway... but this would represent two separate LANs, i.e. if you were setting up a non-VPN server client connection between two companies.

    As NetworkVeteran stated a MPLS / VPLS / Metro Ethernet will all work as well. I personally like Metro E; its very easy to setup and does QinQ tagging.
  • xXErebuS Posts: 230 Member
    phoeneous wrote: »
    Again, huh? What risks?

    Just because the public facing subnet of R1 or R2 is a /30 doesnt mean it isn't part of a bigger subnet like a /29, /28, etc.. which is usually how internet facing deployments are provisioned from an ISP.

    If the OP is trying to create a real world scenario in where R1 lan can ping R2 lan then he can do a vpn tunnel, mpls, even frame relay.

    But if the OP is trying to do NAT Overload, or PAT then it looks like the NAT pools are in the wrong subnet (in my opinion). You can't just choose some random subnet for your public facing interface. The ISP has already allocated a range for you. Besides, I don't see anywhere in R1's or R2's interfaces or their routing tables the 150.150.150.X subnets. Where is it coming from?

    Unless I'm looking at this the wrong way, in which case just disregard everything I just said.


    I don't think so; I see what you're saying; his NAT pool is outside his ISP link's subnet according to the other side's allocated address. If he is given 150.150.1.5 then he would need to NAT to that... unless he owns 150.150.150.X and is running BGP. Considering this is in the CCNA forum I don't think that's what he is trying to do.
  • alliasneo Posts: 186 Member
    I think I was looking at NAT all wrong in this scenario really. The ISP router I understand now would not have any private routes as, of course, this is on the internet.

    So yeah you can't ping a private address over the net unless it's NAT'd - this was the long and short of what I was trying to achieve. So basically I created a NAT pool on each side to allow 62 addresses to be used for all of my hosts.

    Maybe someone would be able to have a look at these queries I have....

    1) I NAT from one network and this public address hits the ISP. The ISP routes this traffic to the other site but.......When the other side gets it it passes it through without NAT translation (destination address is the private address I pinged). Is this how this would work in the real world? OR would you have to still have a private VPN through the ISP to route the traffic to the other site?

    But this is basically what it looks like:

    Packet leaving PC1:

    Source: 172.16.0.2
    Destination: 10.1.66.2


    R1 NAT:

    Source: 150.150.150.65
    Destination:
    10.1.66.2


    ISP routes this through as the source is a public address....this is correct behavior right?
    -What does the router look at when it gets a packet? The destination address surely so how would it route this private address? - maybe this is where I have my NAT set up incorrectly?


    R2 process this packet without NAT translation, checks the destination and routes it to the LAN - again is this correct?


    PC2 Echo Reply

    Source: 10.1.66.2
    Destination: 150.150.150.65

    R2 NAT's again:

    Source: 150.150.150.1
    Destination: 150.150.150.65


    -So now it's just a mess...
  • phoeneous (Go ping yourself...) Posts: 2,332 Member
    alliasneo wrote: »
    So yeah you can't ping a private address over the net unless it's NAT'd

    No, not really. NAT doesn't specifically allow you to ping private addresses across the public internet.

    For the scope of what you're trying to learn, just understand that NAT will translate private addresses that aren't routable across the internet into public addresses that are routable across the internet.

    There are many services that you can use to allow the private lan in one network to have reachability into another private lan in another network. Services like: vpn tunnels, frame relay, mpls, vpls, dmvpn, etc.. can accomplish this. And those services don't necessarily need nat to work.


    Here is a snippet from RFC 1918.


    3. Private Address Space

    The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

        10.0.0.0 - 10.255.255.255 (10/8 prefix)
        172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
        192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

    An enterprise that decides to use IP addresses out of the address space defined in this document can do so without any coordination with IANA or an Internet registry. The address space can thus be used by many enterprises. Addresses within this private address space will only be unique within the enterprise, or the set of enterprises which choose to cooperate over this space so they may communicate with each other in their own private internet. As before, any enterprise that needs globally unique address space is required to obtain such addresses from an Internet registry. An enterprise that requests IP addresses for its external connectivity will never be assigned addresses from the blocks defined above.
    Think about it: if you want to ping a private address across the internet, then every ISP router that the packet hits will need to know how to get to the destination IP in your private address range. Well, if multiple enterprises use the same private IP range then how will the packet know which way to be routed? It won't, unless you've established some sort of link between the two sites like I mentioned earlier.
  • xXErebuS Posts: 230 Member
    alliasneo wrote: »
    I think I was looking at NAT all wrong in this scenario really. The ISP router I understand now would not have any private routes as, of course, this is on the internet.

    So yeah you can't ping a private address over the net unless it's NAT'd - this was the long and short of what I was trying to achieve. So basically I created a NAT pool on each side to allow 62 addresses to be used for all of my hosts.

    Maybe someone would be able to have a look at these queries I have....

    1) I NAT from one network and this public address hits the ISP. The ISP routes this traffic to the other site but.......When the other side gets it it passes it through without NAT translation (destination address is the private address I pinged). Is this how this would work in the real world? OR would you have to still have a private VPN through the ISP to route the traffic to the other site?

    But this is basically what it looks like:

    Packet leaving PC1:

    Source: 172.16.0.2
    Destination: 10.1.66.2


    R1 NAT:

    Source: 150.150.150.65
    Destination:
    10.1.66.2


    ISP routes this through as the source is a public address....this is correct behavior right?
    -What does the router look at when it gets a packet? The destination address surely so how would it route this private address? - maybe this is where I have my NAT set up incorrectly?


    R2 process this packet without NAT translation, checks the destination and routes it to the LAN - again is this correct?


    PC2 Echo Reply

    Source: 10.1.66.2
    Destination: 150.150.150.65

    R2 NAT's again:

    Source: 150.150.150.1
    Destination: 150.150.150.65


    -So now it's just a mess...

    From PC1 you should be pinging 150.150.150.1 since that's what 10.1.66.2's public facing IP is.... Like I said before, you have several issues in this scenario. If you'd like, PM me and I'll set you up a quick scenario that is what you're essentially attempting to do.