NAT problem

I'm not an expert by any means and am still studying myself, but try setting nat to overload.
so change
ip nat inside source list 1 pool natest
to
ip nat inside source list 1 pool natest overload

nbeacham wrote: »

I'm not an expert by any means and am still studying myself, but try setting nat to overload.
so change
ip nat inside source list 1 pool natest
to
ip nat inside source list 1 pool natest overload

thanks for your try! but, no its not working, the interesting part of it is, that I could ping the same host from a different network which is connected through a frame relay network and I’m getting back a reply, so how come I can’t get out with this host? if I can get I reply from this host trough a different host in a different network with the NAT address why in the world cant I get out with this host itself, does it has to do with the ACL????

try setting up the access list differently
access-list 1 permit host 192.168.1.0 0.0.0.255

Again, i'm no expert so take these in stride.

Maybe if you can give us a little further detail into your problem.

MrRyte

solnsusie wrote: »

hi
im studying now NAT, and i have a problem which i just cant figure it out, i configured dynamic NAT with an access list and when i pingthe host on which i configured NAT from the router i see that its using the NAT address, but i cant ping other hosts from that host on which i configured NAT, this is my configuration

interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.1.1 255.255.255.248
ip nat inside
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.1.9 255.255.255.248
ip nat inside
!
interface Serial1/0
ip address 10.1.1.1 255.255.255.252
ip nat outside
clock rate 800000

ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240
ip nat inside source list 1 pool natest

access-list 1 permit host 192.168.1.4
access-list 1 permit host 192.168.1.14

please get me on track!!!!

thnaks

Maybe I'm missing something, but I don't see how that comes into play in the network. Shouldn't the addresses being translated be within the subnet of the inside and outside interfaces being translated?

Also; do a traceroute to see EXACTLY where the hang up is.
(BTW-I'm no pro at this either; I'm just going by what I gathered from here:
http://www.routeralley.com/ra/docs/nat.pdf )

MrRyte wrote: »

Maybe I'm missing something, but I don't see how that comes into play in the network. Shouldn't the addresses being translated be within the subnet of the inside and outside interfaces being translated?

Also; do a traceroute to see EXACTLY where the hang up is.
(BTW-I'm no pro at this either; I'm just going by what I gathered from here:
http://www.routeralley.com/ra/docs/nat.pdf )

Also; do a traceroute to see EXACTLY where the hang up is. it’s getting stuck on its default gateway on the way out, where the NAT and ACL are configured.
and regarding the ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240 configuration, that’s what I learned it should be set up, it means that the pool contains the range of this address.
but my question is, how can it be that a ping from outside is getting a reply, and a ping to the outside cant get out???

nbeacham wrote: »

try setting up the access list differently
access-list 1 permit host 192.168.1.0 0.0.0.255

Again, i'm no expert so take these in stride.

i did so, and with no luck!

is the 50.2.2.1/28 even assigned to an interface?

You need to NAT behind an interface so if 50.2.2.1 isn't assigned to an interface you're going no where.

drkat wrote: »

is the 50.2.2.1/28 even assigned to an interface?

You need to NAT behind an interface so if 50.2.2.1 isn't assigned to an interface you're going no where.

you mean that the NAT address need to be assigned to a phisical interface??? so how can you make a pool of address's, since you can have only one or a secondery ip address on a interface???? and also how can it be that when i ping this host from the outside im getting back the NAT address??

but i will try that out!!!

any help please on this?
thanks

drkat wrote: »

is the 50.2.2.1/28 even assigned to an interface?

You need to NAT behind an interface so if 50.2.2.1 isn't assigned to an interface you're going no where.

Did you try this?

yes i did! and its still not working, again, ther is no IP problem since im getting a reply from this host, and also when im taking off the NAT gonfiguration averything works great.

ok, I just figured out something, maybe this can help me, as I see now, that I can’t ping only to any other host which is configured to use NAT, in other words, 2 host's configured with NAT cant ping one the other, this is the facts, now, what is the cause, and what is the solution???

Can you please post your pings and traces? also a show ip int br would be nice and a show ip route

- you may want to debug ip nat or debug ip packet detail on your ACL so that you can see what is happening when you try to ping.

Also with regard to the pool.

Currently you're NATing 10x to 192x so your show ip nat translations would so an outside address of 10.x and inside of 192.x

What addresses are you pinging? your explanation is vague

im leaving now for the weekend, will get back sunday, with all this information.
thanks a lot

drkat wrote: »

Can you please post your pings and traces? also a show ip int br would be nice and a show ip route

- you may want to debug ip nat or debug ip packet detail on your ACL so that you can see what is happening when you try to ping.

i am posting now my settings, and i posted by the end also the NAT configuration of the gateway of the host 192.168.2.4

please let me know if you need something more, and if you need a image of my Packet tracer network please let me know how to post it.
thanks a lot

Router1-2#show ip int bri
Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 unassigned YES unset up up

FastEthernet0/0.2 192.168.1.1 YES manual up up

FastEthernet0/0.3 192.168.1.9 YES manual up up

Serial1/0 10.1.1.1 YES manual up up

Serial1/1 unassigned YES unset administratively down down

Serial1/2 unassigned YES unset administratively down down

Serial1/3 unassigned YES unset administratively down down

Router1-2#show ip rout
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
R 11.0.0.0/8 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
R 12.0.0.0/8 [120/3] via 50.2.2.2, 00:00:13, Serial1/0
R 13.0.0.0/8 [120/3] via 50.2.2.2, 00:00:13, Serial1/0
R 14.0.0.0/8 [120/3] via 50.2.2.2, 00:00:13, Serial1/0
R 15.0.0.0/8 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
R 16.0.0.0/8 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
50.0.0.0/30 is subnetted, 1 subnets
C 50.2.2.0 is directly connected, Serial1/0
R 172.1.0.0/16 [120/1] via 50.2.2.2, 00:00:13, Serial1/0
R 172.2.0.0/16 [120/1] via 50.2.2.2, 00:00:13, Serial1/0
R 172.3.0.0/16 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
R 172.4.0.0/16 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
R 192.168.1.0/24 [120/1] via 50.2.2.2, 00:00:13, Serial1/0
C 192.168.1.0/29 is directly connected, FastEthernet0/0.2
C 192.168.1.8/29 is directly connected, FastEthernet0/0.3
R 192.168.2.0/24 [120/2] via 50.2.2.2, 00:00:13, Serial1/0
R 192.168.3.0/24 [120/3] via 50.2.2.2, 00:00:13, Serial1/0
R 192.168.4.0/24 [120/2] via 50.2.2.2, 00:00:13, Serial1/0

show running-config

interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.1.1 255.255.255.248
ip nat inside

interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.1.9 255.255.255.248
ip nat inside

interface Serial1/0
ip address 50.2.2.1 255.255.255.252
ip nat outside
clock rate 800000

router rip
version 2
network 50.0.0.0
network 192.168.1.0

ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240
ip nat inside source list 1 pool natest
ip classless

access-list 1 permit 192.168.1.4
access-list 1 permit 192.168.1.14

PC>tracert 192.168.2.4
Tracing route to 192.168.2.4 over a maximum of 30 hops:
1 31 ms 31 ms 46 ms 192.168.1.1
2 124 ms 109 ms 78 ms 50.2.2.2
3 80 ms 141 ms 111 ms 172.1.1.2
4 141 ms 125 ms 187 ms 11.1.1.1
5 * *
Control-C
^C
PC>ping 192.168.2.4
Pinging 192.168.2.4 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.2.4:
Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Control-C
^C
PC>

Router1-2#show ip nat s
Total translations: 0 (0 static, 0 dynamic, 0 extended)
Outside Interfaces: Serial1/0
Inside Interfaces: FastEthernet0/0.2 , FastEthernet0/0.3
Hits: 9 Misses: 137
Expired translations: 26
Dynamic mappings:
-- Inside Source
access-list 1 pool natest refCount 0
pool natest: netmask 255.255.255.240
start 50.2.2.1 end 50.2.2.10
type generic, total addresses 10 , allocated 0 (0%), misses 0

Router1-2#show ip nat t
Pro Inside global Inside local Outside local Outside global
icmp 50.2.2.1:33 192.168.1.4:33 192.168.2.4:33 192.168.2.4:33
icmp 50.2.2.1:34 192.168.1.4:34 192.168.2.4:34 192.168.2.4:34
icmp 50.2.2.1:35 192.168.1.4:35 192.168.2.4:35 192.168.2.4:35
icmp 50.2.2.1:36 192.168.1.4:36 192.168.2.4:36 192.168.2.4:36

********************************************************************************************************

this is the copy of the NAT configuration on the router to the host of 192.168.2.4

ip nat inside source static 192.168.2.4 50.1.1.1
ip nat inside source static 192.168.2.14 50.1.1.2

deth1k

The clue is in the subnet mask of your NAT pool:

ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240 <<<<<<<<<<<<<<</28

ip address 50.2.2.1 255.255.255.252 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<</30

In this instance you should be using overload otherwise it aint going to work.

ip nat inside source list 1 interface se1/0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
int se1/0
ip nat out
!
int fa0/0.2
ip nat in
!
int fa0/0.3
!
ip nat in

hiddenknight821

deth1k wrote: »

The clue is in the subnet mask of your NAT pool:

ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240 <<<<<<<<<<<<<<</28

ip address 50.2.2.1 255.255.255.252 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<</30

In this instance you should be using overload otherwise it aint going to work.

ip nat inside source list 1 interface se1/0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
int se1/0
ip nat out
!
int fa0/0.2
ip nat in
!
int fa0/0.3
!
ip nat in

I believe you are incorrect. Those two things doesn't necessarily have the same subnet mask. As long as the number of Inside Local (Individual Hosts) are less than or equal to the number of Inside Global (number of "registered" addresses), Dynamic NAT can work without overloading.

EDIT: I want to go into more details on this just to be more clear. What I meant is that you can obtain 14 registered addresses from a service provider. Let's say 50.2.2.0 network with subnet mask, 255.255.255.240. You can subnet this network even further using VLSM, and leave the two addresses for serial connection between two routers. However, I do not know how service provider works, so I can be wrong about how their process works, but I hope my point came through.

hiddenknight821

Believe it or not, I just finished the NAT stuff today, and I now have a solid understanding. I plan to take the ICND2 next week. Judging by your running-config on your router, Router1-2, I have to say your network is pretty foreign to my knowledge. I plan to do some layer-3 switching and build some labs in GNS3 over the next few days.

It is hard for me to look at the config here alone and find the underlying root cause. By looking at the "show ip nat statistic" and "show ip nat translation", I can definitely say that your NAT is not working properly as you have many "Misses" shown in the statistic. Also, your router failed to allocate the address from the pool, natest. You can see that the allocation percentage is zero.

NAT pool, natest, contains the address of the serial1/0 interface on Router1-2. I don't think you should have the interface IP address (50.2.2.1) listed there. You can use one of the 14 extra unused addresses since you have the 255.255.255.240 netmask. What the non-overload dynamic NAT does is that it takes the lowest IP address from the pool, but I am not sure if the router is smart enough to figure out that the address is already allocated and move on to the next available one. Perhaps it was being stubborn, because they expect the IP addresses in the pool to be obtained solely for purpose of NAT translation, and yet it hasn't acknowledged that the lottery has been made.

the interface ip would be allowed for nat. i havent had a chance to look this over yet been busy will later

alxx

Pro Inside global Inside local Outside local Outside global
icmp 50.2.2.1:33 192.168.1.4:33 192.168.2.4:33 192.168.2.4:33
icmp 50.2.2.1:34 192.168.1.4:34 192.168.2.4:34 192.168.2.4:34
icmp 50.2.2.1:35 192.168.1.4:35 192.168.2.4:35 192.168.2.4:35
icmp 50.2.2.1:36 192.168.1.4:36 192.168.2.4:36 192.168.2.4:36

Will that work with the same ip's and ports for outside local and outside global ?

deth1k wrote: »

The clue is in the subnet mask of your NAT pool:

ip nat pool natest 50.2.2.1 50.2.2.10 netmask 255.255.255.240 <<<<<<<<<<<<<<</28

ip address 50.2.2.1 255.255.255.252 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<</30

In this instance you should be using overload otherwise it aint going to work.

ip nat inside source list 1 interface se1/0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
int se1/0
ip nat out
!
int fa0/0.2
ip nat in
!
int fa0/0.3
!
ip nat in

hi
as I learned in ODOM ICND2 book, you can use I totally different network number and a totally different mask number for the NAT Inside Global address then the original ip address of the other side of the internal network-router, and it will work, and even without the "overload" command, so this is not correct.
thanks anyways...

hiddenknight821 wrote: »

I believe you are incorrect. Those two things doesn't necessarily have the same subnet mask. As long as the number of Inside Local (Individual Hosts) are less than or equal to the number of Inside Global (number of "registered" addresses), Dynamic NAT can work without overloading.

EDIT: I want to go into more details on this just to be more clear. What I meant is that you can obtain 14 registered addresses from a service provider. Let's say 50.2.2.0 network with subnet mask, 255.255.255.240. You can subnet this network even further using VLSM, and leave the two addresses for serial connection between two routers. However, I do not know how service provider works, so I can be wrong about how their process works, but I hope my point came through.

you are right!
as I learned in ODOM ICND2 book, you can use I totally different network number and a totally different mask number for the NAT Inside Global address then the original ip address of the other side of the internal network-router, and it will work, and even without the "overload" command, so he is not correct.