NAT Help

Hey Guys,

I've been banging my head against this for over an hour now. I've created two sites connected to an ISP in the middle and I've set up NAT on the two sites. HJowever when I try to ping from one to the other the pings don't get through because they are being translated once and the other side is letting the packets through but when they come back out of the other site they are translated again and I can't get the packets back? Does that make sense? My set up is below:

[FONT=Arial, verdana, sans-serif][/FONT]

[FONT=Arial, verdana, sans-serif]So R2 will translate a packet out using say 150.150.150.65 and when it gets to the other side R1 lets it through without translation. So it reaches the PC using the 150 address. But now when it comes back R1 translates it using say 150.150.150.1 and when R2 receives it, it doesn't have a translation for this address. How is this overcome?

I've also scribbled out the packet process below if it helps...

[/FONT][FONT=Arial, verdana, sans-serif]

[/FONT]

Thanks

temp.jpg

2.jpg

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

NetworkVeteran

Can you post your actual NAT configurations for both routers?

So R2 will translate a packet out using say 150.150.150.65 and

Right:
S=10.1.1.1 => D=150.150.150.1 becomes
S=150.150.150.65 => D=150.150.150.1

when it gets to the other side R1 lets it through without translation.

That doesn't make sense. You need R1 to translate the destination address sorta like this:
S=150.150.150.65 => D=10.2.2.2
Maybe you didn't ensure 150.150.150.1 was already mapped?

[So it reaches the PC using the 150 address.

It can't reach the PC using the 150.150.150.1 address because the PC has no knowledge of that address.

But now when it comes back R1 translates

And certainly if the above happened there'd be no return packet for R1.

Your explanation doesn't make sense. I will await real configs to make sense of this.

Also, any output you feel is helpful that led you to your conclusions.

Hondabuff

I would do a trace route and see where the packets are being dropped. Sounds like your missing a default route and the router is dropping the packet.

johnifanx98

phoeneous wrote: »

Are those typos in the first screenshot?

R1 is 150.150.1.6/30
R2 is 150.150.1.2/30

Yet your pools on either router are 150.150.150.0/25?

You really only need to do nat on the outside interface pointing to the isp.

Post the config of all 3 routers.

I love these questions...

alliasneo

R1's config:

interface FastEthernet1/0
ip address 10.1.254.2 255.255.255.252
ip nat inside
duplex full
speed 100
!
interface Serial2/0
ip address 150.150.1.6 255.255.255.252
ip nat outside
!
ip nat pool NAT_POOL 150.150.150.0 150.150.150.50 netmask 255.255.255.192
ip nat inside source list NAT pool NAT_POOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial2/0
!
!
ip access-list standard NAT
permit 10.1.64.0 0.0.7.255
deny any
!

R2

interface FastEthernet0/0
ip address 172.16.14.1 255.255.255.252
ip nat inside
duplex auto
speed auto
!
interface Serial2/0
ip address 150.150.1.2 255.255.255.252
ip nat outside
!
ip nat pool NAT_POOL 150.150.150.64 150.150.150.90 netmask 255.255.255.192
ip nat inside source list NAT pool NAT_POOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial2/0

ISP

ip access-list standard ISP_BLOCKED_PRIVATE
deny 10.0.0.0 0.255.255.255
deny 172.0.0.0 0.255.255.255
deny 192.0.0.0 0.255.255.255
permit any
!

alliasneo

phoeneous wrote: »

Are those typos in the first screenshot?

R1 is 150.150.1.6/30
R2 is 150.150.1.2/30

Yet your pools on either router are 150.150.150.0/25?

No they're not typos. I've used a different range of addresses for NAT - is this not right? Do I have to use the same subnet range of addresses for NAT that I have configured on the interfaces? so instead of 150.150.1.0/30 I would use 150.150.1.0/25?

NetworkVeteran

NetworkVeteran wrote:

Also, any output you feel is helpful that led you to your conclusions.

I haven't reviewed your configuration yet, but I noticed you didn't provide the above yet.

alliasneo

OK so I've grabbed some screen shots as the packets go through the network:

Ping going from the LAN of R2 to the LAN of R1 (right to left):

Received at R1:

The PING has reached the PC and now this is on the way back.

PING arrives back at R1:

PING arrives back at R2:

R2 sends it back to the ISP and the ISP sends it back to R2 over and over.

1.jpg

2.jpg

3.jpg

4.jpg

5.jpg

NetworkVeteran

Thanks. Now the errors are becoming clearer.

Image #1: You pinged 10.0.0.0/8. Your ISP should drop this.
Image #2: Your ISP forwarded this, which points to an ISP misconfiguration--
a. Configure an extended ACL on your ISP to drop all packets destined for private nets. Your current ACL only drops all packets sourced from private nets.
b. Prevent your router from forwarding out packets with private IP addresses.

Once your ISP is working, pinging 10.x.x.x from R2 should fail. That's correct behavior.

NetworkVeteran

Going a step further, it seems you want devices external to R1's LAN to be able to access R1's LAN PC. The way to accomplish this with NAT is to use static NAT for R1's LAN PC. This way it is always assigned the same public IP address--say 150.150.150.1--and that's the only address that outside devices will know and ping.

NetworkVeteran

phoeneous wrote: »

Depends, what exactly are you trying to accomplish?

Per screenshot #1, he's trying to ping a private IP across the Internet. That's going to fail every time. When pinging across the Internet, one must use public IPs.

Any LAN addresses he wants reachable from the outside should be configured with static NAT. Currently, they are all configured for PAT / NAT Overloading.

(Some form of VPN might be a solution here in the real world.)

alliasneo

NetworkVeteran wrote: »

Thanks. Now the errors are becoming clearer.

Image #1: You pinged 10.0.0.0/8. Your ISP should drop this.

Hmmm so even though I have NAT configured on R1 when the packet reaches the ISP it still has a destination of a private address, it's just been NAT'd out with a public address? I see.

So how is this accomplished in the real world with a real ISP because as you can see from the sh ip route on the ISP I have all of the private addresses from my internal Network due to the EIGRP relationship.

ISP#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

C 4.0.0.0/8 is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
D 10.1.64.0/23 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.66.0/23 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.68.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.69.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.70.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.71.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.254.0/30 [90/20514560] via 150.150.1.6, 00:00:35, Serial3/0
150.150.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 150.150.1.0/30 is directly connected, Serial2/0
C 150.150.1.4/30 is directly connected, Serial3/0
S 150.150.150.0/26 is directly connected, Serial3/0
S 150.150.150.64/26 is directly connected, Serial2/0
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D 172.16.0.0/23 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.2.0/23 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.4.0/24 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.10.0/24 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
[FONT=Arial, verdana, sans-serif]D 172.16.14.0/30 [90/20514560] via 150.150.1.2, 00:00:32, Serial2/0[/FONT]

[FONT=Arial, verdana, sans-serif]Am I right in thinking that in the real world you would configure a VPN tunnel between the two sites for the EIGRP Neighbour relationships?[/FONT]

NetworkVeteran

alliasneo wrote: »

Am I right in thinking that in the real world you would configure a VPN tunnel between the two sites for the EIGRP Neighbour relationships?

You could purchase an MPLS VPN service. That's what my last enterprise used. Then your ISP learns your internal routes, but only uses them for forwarding your packets.

Alternatively, sure, an IPSEC + GRE tunnel would work here!

johnifanx98

phoeneous wrote: »

Huh? As in my question or his?

Yours,of course yours! Such a design should not be allowed for an ethernet interface. For a serial interface, it looks OK, but I still suspect potential risks...

xXErebuS

alliasneo wrote: »

Hmmm so even though I have NAT configured on R1 when the packet reaches the ISP it still has a destination of a private address, it's just been NAT'd out with a public address? I see.

So how is this accomplished in the real world with a real ISP because as you can see from the sh ip route on the ISP I have all of the private addresses from my internal Network due to the EIGRP relationship.

ISP#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

C 4.0.0.0/8 is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
D 10.1.64.0/23 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.66.0/23 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.68.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.69.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.70.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.71.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.254.0/30 [90/20514560] via 150.150.1.6, 00:00:35, Serial3/0
150.150.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 150.150.1.0/30 is directly connected, Serial2/0
C 150.150.1.4/30 is directly connected, Serial3/0
S 150.150.150.0/26 is directly connected, Serial3/0
S 150.150.150.64/26 is directly connected, Serial2/0
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D 172.16.0.0/23 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.2.0/23 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.4.0/24 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.10.0/24 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.14.0/30 [90/20514560] via 150.150.1.2, 00:00:32, Serial2/0

Am I right in thinking that in the real world you would configure a VPN tunnel between the two sites for the EIGRP Neighbour relationships?

You CAN create a site to site VPN with GRE and technically you don't even need to NAT the addresses!(you probably will want to to prevent overlapping / use of private addresses). I typically do bidirectional NAT to make it easier for the people that I'm working with; this is where you NAT your Source and Destination.

Now what you need to do is create static NAT addresses for those; so instead of pinging 10.x.x.x you ping 150.150.1.x which is mapped to the 10.x.x.x address; this will work in your topology as long as you have a default gateway... but this would represent two seperate LANs i.e. if you were setting up a non VPN server client connection between two companies.

As NetworkVeteran stated a MPLS / VPLS / Metro Ethernet will all work as well. I personally like Metro E; its very easy to setup and does QinQ tagging.

xXErebuS

phoeneous wrote: »

Again, huh? What risks?

Just because the public facing subnet of R1 or R2 is a /30 doesnt mean it isn't part of a bigger subnet like a /29, /28, etc.. which is usually how internet facing deployments are provisioned from an ISP.

If the OP is trying to create a real world scenario in where R1 lan can ping R2 lan then he can do a vpn tunnel, mpls, even frame relay.

But if the OP is trying to do NAT Overload, or PAT then it looks like the NAT pools are in the wrong subnet (in my opinion). You can't just choose some random subnet for your public facing interface. The ISP has already allocated a range for you. Besides, I don't see anywhere in R1's or R2's interfaces or their routing tables the 150.150.150.X subnets. Where is it coming from?

Unless I'm looking at this the wrong way, in which case just disregard everything I just said.

I don't think so; I see what your saying; his NAT pool is outside his ISP link's subnet according to the other side's allocated address. If he is given 150.150.1.5 then he would need to nat to that... unless he owns 150.150.150.X and is running BGP. Considering this is in CCNA forum I don't think thats what he is trying to do.

alliasneo

I think I was looking at NAT all wrong in this scenario really. The ISP router I understand now would not have any private routes as, of course, this is on the internet.

So yeah you can't ping a private address over the net unless it's NAT'd - this was the long and short of what I was trying to achieve. So basically I created a NAT pool on each side to allow 62 address to be used for all of my hosts.

Maybe someone would be able to have a look at these queries I have....

1) I NAT from one network and this public address hits the ISP. The ISP routes this traffic to the other site but.......When the other side gets it it passes it through without NAT translation (destination address is the private address I pinged). Is this how this would work in the real world? OR would you have to still have a private VPN through the ISP to route the traffic to the other site?

But this is basically what it looks like:

Packet leaving PC1:

Source: 172.16.0.2
Destination: 10.1.66.2

R1 NAT:

Source: 150.150.150.65
Destination: 10.1.66.2

ISP routes this through as the source is a public address....this is correct behavior right?
-What does the router look at when it gets a packet? The destination address surely so how would it route this private address? - maybe this is where I have my NAT set up incorrectly?

R2 process this packet without NAT translation, checks the destination and routes it to the LAN - again is this correct?

PC2 Echo Reply

Source: 10.1.66.2
Destination: 150.150.150.65

R2 NAT's again:

Source: 150.150.150.1
Destination: 150.150.150.65

-So now it's just a mess...

xXErebuS

alliasneo wrote: »

I think I was looking at NAT all wrong in this scenario really. The ISP router I understand now would not have any private routes as, of course, this is on the internet.

So yeah you can't ping a private address over the net unless it's NAT'd - this was the long and short of what I was trying to achieve. So basically I created a NAT pool on each side to allow 62 address to be used for all of my hosts.

Maybe someone would be able to have a look at these queries I have....

1) I NAT from one network and this public address hits the ISP. The ISP routes this traffic to the other site but.......When the other side gets it it passes it through without NAT translation (destination address is the private address I pinged). Is this how this would work in the real world? OR would you have to still have a private VPN through the ISP to route the traffic to the other site?

But this is basically what it looks like:

Packet leaving PC1:

Source: 172.16.0.2
Destination: 10.1.66.2

R1 NAT:

Source: 150.150.150.65
Destination: 10.1.66.2

ISP routes this through as the source is a public address....this is correct behavior right?
-What does the router look at when it gets a packet? The destination address surely so how would it route this private address? - maybe this is where I have my NAT set up incorrectly?

R2 process this packet without NAT translation, checks the destination and routes it to the LAN - again is this correct?

PC2 Echo Reply

Source: 10.1.66.2
Destination: 150.150.150.65

R2 NAT's again:

Source: 150.150.150.1
Destination: 150.150.150.65

-So now it's just a mess...

From PC1 you should be pinging 150.150.150.1 since thats what 10.1.66.2's public facing IP is.... Like I said before; you have several issues in this scenario. If you'd like PM me and I'll set you up a quick scenario that is what your essentially attempting to do.