PAT on a PPP Link

ednardednard Member Posts: 75 ■■□□□□□□□□
I’m having trouble getting this to work and it’s infuriating me. I’ve set up a PPP link between the two branches, and I’ve enabled NAT overload (PAT) on them with what I believe to be the correct setup. I've used the following to enable it; can anyone identify where I'm going wrong?

Dundee(config)#int fa0/0
Dundee(config-if)#ip nat inside
Dundee(config-if)#int s0/0/0
Dundee(config-if)#ip nat outside
Glasgow(config)#int fa0/0
Glasgow(config-if)#ip nat inside
Glasgow(config-if)#int s0/0/0
Glasgow(config-if)#ip nat outside

Dundee(config)#access-list 1 permit 192.168.0.0 0.0.255.255
Dundee(config)#ip nat inside source list 1 int s0/0/0 overload

Glasgow(config)#access-list 1 permit 192.168.0.0 0.0.255.255
Glasgow(config)#ip nat inside source list 1 int s0/0/0 overload



I can't even ping from Glasgow PC to the Glasgow inside global address (200.100.50.2), or Dundee (200.100.50.2)

Any ideas?

Comments

  • tomtom1tomtom1 Member Posts: 375
    That should work. Is the default gateway set up correctly on the PC? Quick troubleshooting:

    1. Can the Glasgow PC ping the Glasgow default gateway?
    2. Can the Glasgow router ping the Dundee router?
  • ednardednard Member Posts: 75 ■■□□□□□□□□
    Both PCs are set up with Default Gateways of 192.168.1.1

    Glasgow PC can ping the inside local address (obviously), but it can't ping the outside local address of Glasgow, or the outside global of Dundee, I get "Destination Host Unreachable" for both.
  • ednardednard Member Posts: 75 ■■□□□□□□□□
    The problem doesn't seem to be that actually, I can't actually ping Router to Router, which is weird.
  • Jon_CiscoJon_Cisco Member Posts: 1,772 ■■■■■■■■□□
    I'm not sure what's wrong but are you sure everything else is configured correctly?
    Are the routers communicating but the NAT failing?
    Does it show anything in the "#show ip nat translations"?
  • ednardednard Member Posts: 75 ■■□□□□□□□□
    Jon_Cisco wrote: »
    I'm not sure what's wrong but are you sure everything else is configured correctly?
    Are the routers communicating but the NAT failing?
    Does it show anything in the "#show ip nat translations"?

    I've configured PPP and CHAP on both serial interfaces, and set the clock rate on the Glasgow Router.

    Here's my "show int s0/0/0" for the Glasgow Router:

    show int s0/0/0
    Serial0/0/0 is up, line protocol is down (disabled)
    Hardware is HD64570
    Internet address is 200.100.50.2/24
    MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation PPP, loopback not set, keepalive set (10 sec)
    LCP Closed
    Closed: LEXCP, BRIDGECP, IPCP, CCP, CDPCP, LLC2, BACP
    Last input never, output never, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0 (size/max/drops); Total output drops: 0
    Queueing strategy: weighted fair
    Output queue: 0/1000/64/0 (size/max total/threshold/drops)
    Conversations 0/0/256 (active/max active/max total)
    Reserved Conversations 0/0 (allocated/max allocated)
    Available Bandwidth 1158 kilobits/sec
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 1 interface resets
    0 output buffer failures, 0 output buffers swapped out
    0 carrier transitions
    DCD=up DSR=up DTR=up RTS=up CTS=up

    Here's the "show int s0/0/0" for the Dundee Router:

    Dundee#show int s0/0/0
    Serial0/0/0 is up, line protocol is down (disabled)
    Hardware is HD64570
    Internet address is 200.100.50.1/24
    MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation PPP, loopback not set, keepalive set (10 sec)
    LCP Closed
    Closed: LEXCP, BRIDGECP, IPCP, CCP, CDPCP, LLC2, BACP
    Last input never, output never, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0 (size/max/drops); Total output drops: 0
    Queueing strategy: weighted fair
    Output queue: 0/1000/64/0 (size/max total/threshold/drops)
    Conversations 0/0/256 (active/max active/max total)
    Reserved Conversations 0/0 (allocated/max allocated)
    Available Bandwidth 1158 kilobits/sec
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 1 interface resets
    0 output buffer failures, 0 output buffers swapped out
    0 carrier transitions
    DCD=up DSR=up DTR=up RTS=up CTS=up
  • ednardednard Member Posts: 75 ■■□□□□□□□□
    Also, when I use "show ip nat translations", I get the following blank...

    Dundee#show ip nat translations
    Dundee#

    Nothing comes up?
  • tomtom1tomtom1 Member Posts: 375
    Could you post the relevant s0/0/0 configuration for both routers?
  • Jon_CiscoJon_Cisco Member Posts: 1,772 ■■■■■■■■□□
    I think we can ignore NAT until the protocol is up. You might get some info if you debug ppp.
  • ednardednard Member Posts: 75 ■■□□□□□□□□
    This is the output from debugging the Glasgow branch PPP. I've never used debugging on PPP so I'm unsure of these outputs to be honest.

    Glasgow#debug ppp neg
    PPP protocol negotiation debugging is on
    Glasgow#
    *Mar 01, 01:42:48.4242: Serial0/0/0 IPCP: I CONFREQ [Closed] id 1 len 10
    *Mar 01, 01:42:48.4242: Serial0/0/0 IPCP: O CONFACK [Closed] id 1 len 10
    *Mar 01, 01:42:49.4242: Serial0/0/0 LCP: State is Open
    *Mar 01, 01:42:49.4242: Serial0/0/0 PPP: Phase is AUTHENTICATING
    *Mar 01, 01:42:49.4242: Serial0/0/0 IPCP: O CONFREQ [Closed] id 1 len 10
    *Mar 01, 01:42:49.4242: Serial0/0/0 IPCP: I CONFACK [Closed] id 1 len 10
    *Mar 01, 01:42:51.4242: Serial0/0/0 IPCP: I CONFREQ [Closed] id 1 len 10
    *Mar 01, 01:42:51.4242: Serial0/0/0 IPCP: O CONFACK [Closed] id 1 len 10
    *Mar 01, 01:42:54.4242: Serial0/0/0 IPCP: I CONFREQ [Closed] id 1 len 10
    *Mar 01, 01:42:54.4242: Serial0/0/0 IPCP: O CONFACK [Closed] id 1 len 10
    *Mar 01, 01:42:55.4242: Serial0/0/0 LCP: State is Open
    *Mar 01, 01:42:55.4242: Serial0/0/0 PPP: Phase is AUTHENTICATING
    *Mar 01, 01:42:55.4242: Serial0/0/0 IPCP: O CONFREQ [Closed] id 1 len 10
    *Mar 01, 01:42:55.4242: Serial0/0/0 IPCP: I CONFACK [Closed] id 1 len 10
    *Mar 01, 01:42:56.4242: Serial0/0/0 IPCP: I CONFREQ [Closed] id 1 len 10
    *Mar 01, 01:42:56.4242: Serial0/0/0 IPCP: O CONFACK [Closed] id 1 len 10
    *Mar 01, 01:42:59.4242: Serial0/0/0 IPCP: I CONFREQ [Closed] id 1 len 10
    *Mar 01, 01:42:59.4242: Serial0/0/0 IPCP: O CONFACK [Closed] id 1 len 10
    *Mar 01, 01:43:00.4343: Serial0/0/0 LCP: State is Open
    *Mar 01, 01:43:00.4343: Serial0/0/0 PPP: Phase is AUTHENTICATING
  • tomtom1tomtom1 Member Posts: 375
    Jon_Cisco wrote: »
    I think we can ignore NAT until the protocol is up. You might get some info if you debug ppp.

    Correct. I've labbed this out in GNS3 using 4 routers, no problem.

    R1
    R1#sh run | i username
    username R2 password 7 0822455D0A16
    R1#sh run | i access-list
    access-list 10 permit 192.168.1.0 0.0.0.255
    R1#sh run | i ip nat
    ip nat inside source list 10 interface Serial0/0 overload
    
    R1#sh run int s0/0
    Building configuration...
    
    
    Current configuration : 180 bytes
    !
    interface Serial0/0
     ip address 200.100.50.1 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ppp authentication chap
     clock rate 2000000
     ppp chap password 7 071B2E415A0614
    end
    
    R1#sh run int fa0/0
    Building configuration...
    
    
    Current configuration : 149 bytes
    !
    interface FastEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
     no cdp enable
    end
    
    
    
    
    

    R2

    R2#sh run | i username
    username R1 password 7 0822455D0A16
    R2#sh run | i access-list
    access-list 10 permit 192.168.2.0 0.0.0.255
    R2#sh run | i ip nat inside source
    ip nat inside source list 10 interface Serial0/0 overload
    
    
    R2#sh run int s0/0
    Building configuration...
    
    
    Current configuration : 180 bytes
    !
    interface Serial0/0
     ip address 200.100.50.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ppp authentication chap
     clock rate 2000000
     ppp chap password 7 0310540612002C
    end
    
    
    
    

    From a client (router) with default gateway pointing to R1:
    R3#ping 200.100.50.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 200.100.50.2, timeout is 2 seconds:
    !!!!!
    

    And during that ping, on R1:
    R1#sh ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    icmp 200.100.50.1:3    192.168.1.2:3      200.100.50.2:3     200.100.50.2:3
    
  • tomtom1tomtom1 Member Posts: 375
    ednard wrote: »
    This is the output from debugging the Glasgow branch PPP. I've never used debugging on PPP so I'm unsure of these outputs to be honest.

    Could you show interface (s0/0/0) configuration + the username you've configured.
  • ednardednard Member Posts: 75 ■■□□□□□□□□
    Dundee
    Dundee#show run
    !
    username Glasgow password 7 0806404F1A1E0A00
    username elliott password 7 082A494B071C
    username judy password 7 082C4D57
    !
    !
    interface Serial0/0/0
     ip address 200.100.50.1 255.255.255.0
     encapsulation ppp
     ppp authentication chap
     ip nat outside
    !
    

    Glasgow
    Glasgow#show run
    !
    username Dundee password 7 080559400D1C00
    username elliott password 7 082A494B071C
    username judy password 7 082C4D57
    !
    !
    interface Serial0/0/0
     ip address 200.100.50.2 255.255.255.0
     encapsulation ppp
     ppp authentication chap
     ip nat outside
     clock rate 128000
    !
    

    It appears that the password isn't set?
  • tomtom1tomtom1 Member Posts: 375
    Try the following commands

    Dundee:
    username Glasgow password 0 techexams
    int s0/0/0
    ppp chap password 0 techexams
    

    Glasgow
    username Dundee password 0 techexams
    int s0/0/0
    ppp chap password 0 techexams
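
Why the `username` entries on the two routers have to hold the same secret, as an added example that is not code from the thread: a minimal model of the RFC 1994 CHAP-MD5 exchange. The `Router` class and function names are hypothetical; the hostnames and the `techexams` password are the ones used in the post above, and the mismatched secret is constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: hash over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Router:
    """Hypothetical model of one PPP endpoint running 'ppp authentication chap'."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname
        self.usernames = usernames  # models 'username <peer> password <secret>'

    def respond(self, identifier, challenge, challenger):
        # The responder hashes with the secret stored under the challenger's name.
        secret = self.usernames.get(challenger)
        return None if secret is None else chap_response(identifier, secret, challenge)

    def verify(self, identifier, challenge, peer, response):
        # The authenticator recomputes the hash with its own entry for the peer.
        secret = self.usernames.get(peer)
        if secret is None or response is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def authenticate(authenticator, peer, identifier=1):
    challenge = os.urandom(16)  # fresh random challenge per attempt
    response = peer.respond(identifier, challenge, authenticator.hostname)
    return authenticator.verify(identifier, challenge, peer.hostname, response)


def link_authenticates(a, b):
    # CHAP is enabled on both serial interfaces, so each side challenges the other.
    return authenticate(a, b) and authenticate(b, a)


def demo():
    dundee = Router("Dundee", {"Glasgow": "techexams"})
    matching = Router("Glasgow", {"Dundee": "techexams"})
    mismatched = Router("Glasgow", {"Dundee": "constructed-other-secret"})
    no_entry = Router("Glasgow", {})
    return [link_authenticates(dundee, g) for g in (matching, mismatched, no_entry)]
```
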
    
  • ednardednard Member Posts: 75 ■■□□□□□□□□
    Dundee(config-if)#username Glasgow password 0 techexams
    Dundee(config)#int s0/0/0
    Dundee(config-if)#ppp chap password 0 techexams
                          ^
    % Invalid input detected at '^' marker.
    

    I don't think PacketTracer supports this? But I'm about to test the whole thing on actual equipment, so I will try this on the real lab equipment and let you know. You're a hero if this works, it's been bugging me all day.
  • tomtom1tomtom1 Member Posts: 375
    Why don't you try GNS3? Works like a charm and a lot better than PT if you ask me. You only need to configure routers as clients, since it doesn't have the PC capability PT does.
  • mikeybinecmikeybinec Member Posts: 484 ■■■□□□□□□□
    Your debug output shows your problems at the authentication area. Since you are using CHAP you should be seeing terms like CHALLENGE, RESPONSE, etc., as in the output below

    *Aug 23 18:19:55.063: Se0/0/1 CHAP: O CHALLENGE id 48 len 23 from "R2"
    *Aug 23 18:19:55.067: Se0/0/1 CHAP: I CHALLENGE id 2 len 23 from "R3"
    *Aug 23 18:19:55.067: Se0/0/1 CHAP: Using hostname from unknown source
    *Aug 23 18:19:55.067: Se0/0/1 CHAP: Using password from AAA
    *Aug 23 18:19:55.067: Se0/0/1 CHAP: O RESPONSE id 2 len 23 from "R2"
    *Aug 23 18:19:55.071: Se0/0/1 CHAP: I RESPONSE id 48 len 23 from "R3"
    *Aug 23 18:19:55.071: Se0/0/1 PPP: Sent CHAP LOGIN Request
    *Aug 23 18:19:55.071: Se0/0/1 PPP: Received LOGIN Response PASS
    *Aug 23 18:19:55.071: Se0/0/1 PPP: Sent LCP AUTHOR Request
    *Aug 23 18:19:55.075: Se0/0/1 PPP: Sent IPCP AUTHOR Request
    *Aug 23 18:19:55.075: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
    *Aug 23 18:19:55.075: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
    *Aug 23 18:19:55.075: Se0/0/1 CHAP: O SUCCESS id 48 len 4
    *Aug 23 18:19:55.075: Se0/0/1 CHAP: I SUCCESS id 2 len 4
    *Aug 23 18:19:55.075: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
    *Aug 23 18:19:55.075: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
    *Aug 23 18:19:55.079: Se0/0/1 PPP: Sent IPCP AUTHOR Request
    *Aug 23 18:19:56.075: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
    R2(config-if)#
    *Aug 23 18:20:05.135: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.30.1 on
    Cisco NetAcad Cuyamaca College
    A.S. LAN Management 2010 Grossmont College
    B.S. I.T. Management 2013 National University
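
The check described in the post above, as an added example that is not part of the thread: a small classifier for `debug ppp negotiation` captures that flags an interface which keeps re-entering the AUTHENTICATING phase without any CHAP message being logged. The function name and verdict labels are hypothetical; both samples are excerpts of the debug output posted in this thread.

```python
import re
from collections import defaultdict

# Matches "<timestamp>: <interface> <PROTO>: <message>" in the debug output.
EVENT = re.compile(r": (\S+) (LCP|PPP|CHAP|IPCP): (.*)$")

STALLED_SAMPLE = '''
*Mar 01, 01:42:49.4242: Serial0/0/0 LCP: State is Open
*Mar 01, 01:42:49.4242: Serial0/0/0 PPP: Phase is AUTHENTICATING
*Mar 01, 01:42:51.4242: Serial0/0/0 IPCP: I CONFREQ [Closed] id 1 len 10
*Mar 01, 01:42:55.4242: Serial0/0/0 LCP: State is Open
*Mar 01, 01:42:55.4242: Serial0/0/0 PPP: Phase is AUTHENTICATING
'''

WORKING_SAMPLE = '''
*Aug 23 18:19:55.063: Se0/0/1 CHAP: O CHALLENGE id 48 len 23 from "R2"
*Aug 23 18:19:55.067: Se0/0/1 CHAP: Using password from AAA
*Aug 23 18:19:55.071: Se0/0/1 CHAP: I RESPONSE id 48 len 23 from "R3"
*Aug 23 18:19:55.075: Se0/0/1 CHAP: O SUCCESS id 48 len 4
'''


def classify_ppp_debug(log_text):
    """Return {interface: verdict} for a 'debug ppp negotiation' capture."""
    stats = defaultdict(lambda: {"auth_phases": 0, "chap": set()})
    for line in log_text.splitlines():
        m = EVENT.search(line.strip())
        if not m:
            continue  # blank lines, prompts, syslog messages
        iface, proto, msg = m.groups()
        if proto == "PPP" and "Phase is AUTHENTICATING" in msg:
            stats[iface]["auth_phases"] += 1
        elif proto == "CHAP":
            parts = msg.split()  # "O CHALLENGE id 48 ..." -> direction, type
            if len(parts) >= 2 and parts[0] in ("I", "O"):
                stats[iface]["chap"].add(parts[1])
    verdicts = {}
    for iface, s in stats.items():
        if "SUCCESS" in s["chap"]:
            verdicts[iface] = "chap-success"
        elif "FAILURE" in s["chap"]:
            verdicts[iface] = "chap-failure"
        elif s["auth_phases"] >= 2 and not s["chap"]:
            verdicts[iface] = "auth-stalled"  # loops in AUTHENTICATING, no CHAP seen
        else:
            verdicts[iface] = "inconclusive"
    return verdicts
```
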
  • mikeybinecmikeybinec Member Posts: 484 ■■■□□□□□□□
    Also, I didn't see a clock on the Glasgow serial interface (DCE)
  • ednardednard Member Posts: 75 ■■□□□□□□□□
    tomtom1 wrote: »
    Why don't you try GNS3? Works like a charm and a lot better than PT if you ask me. You only need to configure routers as clients, since it doesn't have the PC capability PT does.

    Thank you so much for your help, tomtom1. It was the password that I hadn't set to authenticate the connection between the links. It all worked perfectly. I was testing the topology on PT before implementing in an actual lab and sure enough, it worked in the lab but I couldn't set the password in PT.

    I'll give GNS a download and have a play around to get used to it, thanks again.
  • Jon_CiscoJon_Cisco Member Posts: 1,772 ■■■■■■■■□□
    Packet Tracer is a great tool to start with. I especially like the simulation mode for seeing where something fails.

    Once you get into your study a little further GNS3 will allow you to see all of the options available. You can use a lot more debugging with GNS3 where Packet Tracer has almost none.

    I'm glad you figured it out!
  • tomtom1tomtom1 Member Posts: 375
    Sure, have fun :)
  • ednardednard Member Posts: 75 ■■□□□□□□□□
    Jon_Cisco wrote: »
    Packet Tracer is a great tool to start with. I especially like the simulation mode for seeing where something fails.

    Once you get into your study a little further GNS3 will allow you to see all of the options available. You can use a lot more debugging with GNS3 where Packet Tracer has almost none.

    I'm glad you figured it out!

    Thanks for the help too, Jon. Appreciated.