NAT Help
alliasneo
Member Posts: 186
in CCNA & CCENT
Hey Guys,
I've been banging my head against this for over an hour now. I've created two sites connected to an ISP in the middle and I've set up NAT on the two sites. However, when I try to ping from one to the other the pings don't get through because they are being translated once and the other side is letting the packets through, but when they come back out of the other site they are translated again and I can't get the packets back? Does that make sense? My setup is below:
So R2 will translate a packet out using say 150.150.150.65 and when it gets to the other side R1 lets it through without translation. So it reaches the PC using the 150 address. But now when it comes back R1 translates it using say 150.150.150.1 and when R2 receives it, it doesn't have a translation for this address. How is this overcome?
I've also scribbled out the packet process below if it helps...
Thanks
Comments
-
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
Can you post your actual NAT configurations for both routers?
So R2 will translate a packet out using say 150.150.150.65 and
S=10.1.1.1 => D=150.150.150.1 becomes
S=150.150.150.65 => D=150.150.150.1
when it gets to the other side R1 lets it through without translation.
S=150.150.150.65 => D=10.2.2.2
Maybe you didn't ensure 150.150.150.1 was already mapped?
So it reaches the PC using the 150 address.
It can't reach the PC using the 150.150.150.1 address because the PC has no knowledge of that address.
But now when it comes back R1 translates
Your explanation doesn't make sense. I will await real configs to make sense of this.
Also, any output you feel is helpful that led you to your conclusions. -
Hondabuff Member Posts: 667 ■■■□□□□□□□
I would do a trace route and see where the packets are being dropped. Sounds like you're missing a default route and the router is dropping the packet.
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
-
phoeneous Member Posts: 2,333 ■■■■■■■□□□
Are those typos in the first screenshot?
R1 is 150.150.1.6/30
R2 is 150.150.1.2/30
Yet your pools on either router are 150.150.150.0/25?
You really only need to do nat on the outside interface pointing to the isp.
Post the config of all 3 routers. -
johnifanx98 Member Posts: 329
Are those typos in the first screenshot?
R1 is 150.150.1.6/30
R2 is 150.150.1.2/30
Yet your pools on either router are 150.150.150.0/25?
You really only need to do nat on the outside interface pointing to the isp.
Post the config of all 3 routers.
I love these questions... -
alliasneo Member Posts: 186
R1's config:
interface FastEthernet1/0
ip address 10.1.254.2 255.255.255.252
ip nat inside
duplex full
speed 100
!
interface Serial2/0
ip address 150.150.1.6 255.255.255.252
ip nat outside
!
ip nat pool NAT_POOL 150.150.150.0 150.150.150.50 netmask 255.255.255.192
ip nat inside source list NAT pool NAT_POOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial2/0
!
!
ip access-list standard NAT
permit 10.1.64.0 0.0.7.255
deny any
!
R2
interface FastEthernet0/0
ip address 172.16.14.1 255.255.255.252
ip nat inside
duplex auto
speed auto
!
interface Serial2/0
ip address 150.150.1.2 255.255.255.252
ip nat outside
!
ip nat pool NAT_POOL 150.150.150.64 150.150.150.90 netmask 255.255.255.192
ip nat inside source list NAT pool NAT_POOL overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial2/0
ISP
ip access-list standard ISP_BLOCKED_PRIVATE
deny 10.0.0.0 0.255.255.255
deny 172.0.0.0 0.255.255.255
deny 192.0.0.0 0.255.255.255
permit any
! -
alliasneo Member Posts: 186
Are those typos in the first screenshot?
R1 is 150.150.1.6/30
R2 is 150.150.1.2/30
Yet your pools on either router are 150.150.150.0/25?
No they're not typos. I've used a different range of addresses for NAT - is this not right? Do I have to use the same subnet range of addresses for NAT that I have configured on the interfaces? So instead of 150.150.1.0/30 I would use 150.150.1.0/25? -
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
NetworkVeteran wrote: Also, any output you feel is helpful that led you to your conclusions.
-
alliasneo Member Posts: 186
OK so I've grabbed some screen shots as the packets go through the network:
Ping going from the LAN of R2 to the LAN of R1 (right to left):
Received at R1:
The PING has reached the PC and now this is on the way back.
PING arrives back at R1:
PING arrives back at R2:
R2 sends it back to the ISP and the ISP sends it back to R2 over and over.
-
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
Thanks. Now the errors are becoming clearer.
Image #1: You pinged 10.0.0.0/8. Your ISP should drop this.
Image #2: Your ISP forwarded this, which points to an ISP misconfiguration--
a. Configure an extended ACL on your ISP to drop all packets destined for private nets. Your current ACL only drops all packets sourced from private nets.
b. Prevent your router from forwarding out packets with private IP addresses.
Once your ISP is working, pinging 10.x.x.x from R2 should fail. That's correct behavior. -
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
Going a step further, it seems you want devices external to R1's LAN to be able to access R1's LAN PC. The way to accomplish this with NAT is to use static NAT for R1's LAN PC. This way it is always assigned the same public IP address--say 150.150.150.1--and that's the only address that outside devices will know and ping.
-
phoeneous Member Posts: 2,333 ■■■■■■■□□□
No they're not typos. I've used a different range of addresses for NAT - is this not right? Do I have to use the same subnet range of addresses for NAT that I have configured on the interfaces? So instead of 150.150.1.0/30 I would use 150.150.1.0/25?
Depends, what exactly are you trying to accomplish? -
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
Depends, what exactly are you trying to accomplish?
Any LAN addresses he wants reachable from the outside should be configured with static NAT. Currently, they are all configured for PAT / NAT Overloading.
(Some form of VPN might be a solution here in the real world.) -
alliasneo Member Posts: 186
NetworkVeteran wrote: »Thanks. Now the errors are becoming clearer.
Image #1: You pinged 10.0.0.0/8. Your ISP should drop this.
Hmmm so even though I have NAT configured on R1 when the packet reaches the ISP it still has a destination of a private address, it's just been NAT'd out with a public address? I see.
So how is this accomplished in the real world with a real ISP because as you can see from the sh ip route on the ISP I have all of the private addresses from my internal Network due to the EIGRP relationship.
ISP#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 4.0.0.0/8 is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
D 10.1.64.0/23 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.66.0/23 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.68.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.69.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.70.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.71.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.254.0/30 [90/20514560] via 150.150.1.6, 00:00:35, Serial3/0
150.150.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 150.150.1.0/30 is directly connected, Serial2/0
C 150.150.1.4/30 is directly connected, Serial3/0
S 150.150.150.0/26 is directly connected, Serial3/0
S 150.150.150.64/26 is directly connected, Serial2/0
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D 172.16.0.0/23 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.2.0/23 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.4.0/24 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.10.0/24 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.14.0/30 [90/20514560] via 150.150.1.2, 00:00:32, Serial2/0
Am I right in thinking that in the real world you would configure a VPN tunnel between the two sites for the EIGRP Neighbour relationships? -
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
Am I right in thinking that in the real world you would configure a VPN tunnel between the two sites for the EIGRP Neighbour relationships?
Alternatively, sure, an IPSEC + GRE tunnel would work here! -
phoeneous Member Posts: 2,333 ■■■■■■■□□□
johnifanx98 wrote: »I love these questions...
Huh? As in my question or his? -
johnifanx98 Member Posts: 329
Huh? As in my question or his?
Yours, of course yours! Such a design should not be allowed for an ethernet interface. For a serial interface, it looks OK, but I still suspect potential risks... -
phoeneous Member Posts: 2,333 ■■■■■■■□□□
johnifanx98 wrote: »Yours, of course yours! Such a design should not be allowed for an ethernet interface. For a serial interface, it looks OK, but I still suspect potential risks...
Again, huh? What risks?
Just because the public facing subnet of R1 or R2 is a /30 doesn't mean it isn't part of a bigger subnet like a /29, /28, etc., which is usually how internet facing deployments are provisioned from an ISP.
If the OP is trying to create a real world scenario in where R1 lan can ping R2 lan then he can do a vpn tunnel, mpls, even frame relay.
But if the OP is trying to do NAT Overload, or PAT then it looks like the NAT pools are in the wrong subnet (in my opinion). You can't just choose some random subnet for your public facing interface. The ISP has already allocated a range for you. Besides, I don't see anywhere in R1's or R2's interfaces or their routing tables the 150.150.150.X subnets. Where is it coming from?
Unless I'm looking at this the wrong way, in which case just disregard everything I just said. -
xXErebuS Member Posts: 230
Hmmm so even though I have NAT configured on R1 when the packet reaches the ISP it still has a destination of a private address, it's just been NAT'd out with a public address? I see.
So how is this accomplished in the real world with a real ISP because as you can see from the sh ip route on the ISP I have all of the private addresses from my internal Network due to the EIGRP relationship.
ISP#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 4.0.0.0/8 is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
D 10.1.64.0/23 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.66.0/23 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.68.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.69.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.70.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.71.0/24 [90/46114560] via 150.150.1.6, 00:00:35, Serial3/0
D 10.1.254.0/30 [90/20514560] via 150.150.1.6, 00:00:35, Serial3/0
150.150.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 150.150.1.0/30 is directly connected, Serial2/0
C 150.150.1.4/30 is directly connected, Serial3/0
S 150.150.150.0/26 is directly connected, Serial3/0
S 150.150.150.64/26 is directly connected, Serial2/0
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D 172.16.0.0/23 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.2.0/23 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.4.0/24 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.10.0/24 [90/46114560] via 150.150.1.2, 00:00:32, Serial2/0
D 172.16.14.0/30 [90/20514560] via 150.150.1.2, 00:00:32, Serial2/0
Am I right in thinking that in the real world you would configure a VPN tunnel between the two sites for the EIGRP Neighbour relationships?
You CAN create a site to site VPN with GRE and technically you don't even need to NAT the addresses! (You probably will want to, to prevent overlapping / use of private addresses.) I typically do bidirectional NAT to make it easier for the people that I'm working with; this is where you NAT your source and destination.
Now what you need to do is create static NAT addresses for those; so instead of pinging 10.x.x.x you ping 150.150.1.x which is mapped to the 10.x.x.x address; this will work in your topology as long as you have a default gateway... but this would represent two separate LANs, i.e. if you were setting up a non-VPN server/client connection between two companies.
As NetworkVeteran stated, MPLS / VPLS / Metro Ethernet will all work as well. I personally like Metro E; it's very easy to set up and does QinQ tagging. -
xXErebuS Member Posts: 230
Again, huh? What risks?
Just because the public facing subnet of R1 or R2 is a /30 doesn't mean it isn't part of a bigger subnet like a /29, /28, etc., which is usually how internet facing deployments are provisioned from an ISP.
If the OP is trying to create a real world scenario in where R1 lan can ping R2 lan then he can do a vpn tunnel, mpls, even frame relay.
But if the OP is trying to do NAT Overload, or PAT then it looks like the NAT pools are in the wrong subnet (in my opinion). You can't just choose some random subnet for your public facing interface. The ISP has already allocated a range for you. Besides, I don't see anywhere in R1's or R2's interfaces or their routing tables the 150.150.150.X subnets. Where is it coming from?
Unless I'm looking at this the wrong way, in which case just disregard everything I just said.
I don't think so; I see what you're saying; his NAT pool is outside his ISP link's subnet according to the other side's allocated address. If he is given 150.150.1.5 then he would need to NAT to that... unless he owns 150.150.150.X and is running BGP. Considering this is in the CCNA forum I don't think that's what he is trying to do. -
alliasneo Member Posts: 186
I think I was looking at NAT all wrong in this scenario really. The ISP router, I understand now, would not have any private routes as, of course, this is on the internet.
So yeah you can't ping a private address over the net unless it's NAT'd - this was the long and short of what I was trying to achieve. So basically I created a NAT pool on each side to allow 62 addresses to be used for all of my hosts.
Maybe someone would be able to have a look at these queries I have....
1) I NAT from one network and this public address hits the ISP. The ISP routes this traffic to the other site but.......When the other side gets it it passes it through without NAT translation (destination address is the private address I pinged). Is this how this would work in the real world? OR would you have to still have a private VPN through the ISP to route the traffic to the other site?
But this is basically what it looks like:
Packet leaving PC1:
Source: 172.16.0.2
Destination: 10.1.66.2
R1 NAT:
Source: 150.150.150.65
Destination: 10.1.66.2
ISP routes this through as the source is a public address....this is correct behavior right?
-What does the router look at when it gets a packet? The destination address surely so how would it route this private address? - maybe this is where I have my NAT set up incorrectly?
R2 processes this packet without NAT translation, checks the destination and routes it to the LAN - again is this correct?
PC2 Echo Reply
Source: 10.1.66.2
Destination: 150.150.150.65
R2 NAT's again:
Source: 150.150.150.1
Destination: 150.150.150.65
-So now it's just a mess... -
phoeneous Member Posts: 2,333 ■■■■■■■□□□
So yeah you can't ping a private address over the net unless it's NAT'd
No, not really. NAT doesn't specifically allow you to ping private addresses across the public internet.
For the scope of what you're trying to learn, just understand that NAT will translate private addresses that aren't routable across the internet into public addresses that are routable across the internet.
There are many services that you can use to allow the private lan in one network to have reachability into another private lan in another network. Services like: vpn tunnels, frame relay, mpls, vpls, dmvpn, etc.. can accomplish this. And those services don't necessarily need nat to work.
Here is a snippet from RFC 1918.
3. Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
An enterprise that decides to use IP addresses out of the address space defined in this document can do so without any coordination with IANA or an Internet registry. The address space can thus be used by many enterprises. Addresses within this private address space will only be unique within the enterprise, or the set of enterprises which choose to cooperate over this space so they may communicate with each other in their own private internet. As before, any enterprise that needs globally unique address space is required to obtain such addresses from an Internet registry. An enterprise that requests IP addresses for its external connectivity will never be assigned addresses from the blocks defined above. -
xXErebuS Member Posts: 230
I think I was looking at NAT all wrong in this scenario really. The ISP router, I understand now, would not have any private routes as, of course, this is on the internet.
So yeah you can't ping a private address over the net unless it's NAT'd - this was the long and short of what I was trying to achieve. So basically I created a NAT pool on each side to allow 62 addresses to be used for all of my hosts.
Maybe someone would be able to have a look at these queries I have....
1) I NAT from one network and this public address hits the ISP. The ISP routes this traffic to the other site but.......When the other side gets it it passes it through without NAT translation (destination address is the private address I pinged). Is this how this would work in the real world? OR would you have to still have a private VPN through the ISP to route the traffic to the other site?
But this is basically what it looks like:
Packet leaving PC1:
Source: 172.16.0.2
Destination: 10.1.66.2
R1 NAT:
Source: 150.150.150.65
Destination: 10.1.66.2
ISP routes this through as the source is a public address....this is correct behavior right?
-What does the router look at when it gets a packet? The destination address surely so how would it route this private address? - maybe this is where I have my NAT set up incorrectly?
R2 processes this packet without NAT translation, checks the destination and routes it to the LAN - again is this correct?
PC2 Echo Reply
Source: 10.1.66.2
Destination: 150.150.150.65
R2 NAT's again:
Source: 150.150.150.1
Destination: 150.150.150.65
-So now it's just a mess...
From PC1 you should be pinging 150.150.150.1 since that's what 10.1.66.2's public facing IP is.... Like I said before, you have several issues in this scenario. If you'd like, PM me and I'll set you up a quick scenario that is what you're essentially attempting to do.
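To make the two outcomes in this thread concrete (the reply getting a second, unrelated overload translation at the far router that the near router has no entry for, versus the static NAT fix NetworkVeteran describes, with the ISP dropping private destinations), here is an added Python model of the lab; it is not part of the thread or anyone's posted config. It follows the router naming in alliasneo's configs (R1 fronts the 10.1.64.0/21 LAN), assumes R2's inside network is 172.16.0.0/20 (R2's ACL was not posted), drops the lowest address of each pool so the first allocations land on .65 and .1 as observed, and models the lab ISP as holding the EIGRP-learned private routes until it is made strict.

```python
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst")          # IP header only, ports omitted
N = ipaddress.ip_network
PRIVATE = [N("10.0.0.0/8"), N("172.16.0.0/12"), N("192.168.0.0/16")]   # RFC 1918


class NatRouter:
    """Edge router: dynamic PAT from a pool plus optional static maps. An overload
    entry is keyed on (inside local, outside host); a returning packet must match it."""
    def __init__(self, inside, pool, static=None):
        self.inside, self.pool = N(inside), list(pool)
        self.static = dict(static or {})  # inside local -> inside global
        self.table = {}                   # (inside local, outside host) -> inside global

    def outbound(self, p):
        """Inside -> outside: rewrite a private source, pass anything else unchanged."""
        if ipaddress.ip_address(p.src) not in self.inside:
            return p
        if p.src not in self.static and (p.src, p.dst) not in self.table:
            self.table[p.src, p.dst] = self.pool.pop(0)  # new overload entry
        return Pkt(self.static.get(p.src) or self.table[p.src, p.dst], p.dst)

    def inbound(self, p):
        """Outside -> inside: untranslate via a static map or a matching entry. A packet
        for an inside private address passes untouched (the lab ISP leaked those routes).
        None means no entry: the router follows its default route back to the ISP."""
        for local, glob in self.static.items():
            if glob == p.dst:
                return Pkt(p.src, local)
        for (local, outside), glob in self.table.items():
            if glob == p.dst and outside == p.src:
                return Pkt(p.src, local)
        return p if ipaddress.ip_address(p.dst) in self.inside else None


def isp_next_hop(routes, strict, p):
    """Destination routing; strict=True drops RFC 1918 destinations (NetworkVeteran's fix a)."""
    dst = ipaddress.ip_address(p.dst)
    if strict and any(dst in n for n in PRIVATE):
        return None
    return next((r for n, r in routes if dst in n), None)


def ping(routes, strict, near, pc, target):
    """Echo round trip from pc behind `near`; returns the reply source pc sees, or None."""
    req = near.outbound(Pkt(pc, target))
    far = isp_next_hop(routes, strict, req)
    delivered = far.inbound(req) if far else None
    if delivered is None:
        return None
    reply = far.outbound(Pkt(delivered.dst, delivered.src))  # the responder echoes back
    if isp_next_hop(routes, strict, reply) is not near:
        return None
    home = near.inbound(reply)
    return home.src if home and home.dst == pc else None


def lab(static_r1=None, strict_isp=False):
    """R1 fronts 10.1.64.0/21 (pool .1-.50), R2 fronts 172.16.0.0/20 (pool .65-.90)."""
    r1 = NatRouter("10.1.64.0/21", [f"150.150.150.{i}" for i in range(1, 51)], static_r1)
    r2 = NatRouter("172.16.0.0/20", [f"150.150.150.{i}" for i in range(65, 91)])
    routes = [(N("150.150.150.0/26"), r1), (N("150.150.150.64/26"), r2)]
    if not strict_isp:  # the lab ISP learned both private LANs over EIGRP
        routes += [(N("10.0.0.0/8"), r1), (N("172.16.0.0/12"), r2)]
    return routes, r1, r2
```

With the lab as posted, `ping(*lab()[:1], False, r2, "172.16.0.2", "10.1.66.2")` comes back None and R1's table shows the extra entry mapping 10.1.66.2 to 150.150.150.1 for the reply; with `lab(static_r1={"10.1.66.2": "150.150.150.1"}, strict_isp=True)`, pinging 150.150.150.1 from PC1 succeeds and pinging 10.1.66.2 is dropped at the ISP.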