NAT config question

Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
Hi, i have a simple NAT setup that isnt working at the moment, i have

1 PC 10.10.11.2
2 routers 192.5.5.1 and 192.5.5.2 both with a 255.255.255.248 mask

PC is connected to the router and can ping 192.5.5.1 and NAT inside is configured on the Ethernet interface connecting the PC and NAT outside is on connecting the serial interface to the other router of 192.5.5.2.

my NAT config is:

ip nat pool test 196.10.10.100 196.10.10.105 netmask 255.255.255.248
ip nat inside source list 1 pool test overload

Access list is:

access-list 1 permit 10.10.11.0 0.0.0.2


I have OSPF configured on both routers advertising their serial wan connections as well. Not sure what's wrong here?

Comments

  • theodoxatheodoxa Member Posts: 1,340 ■■■■□□□□□□
    1) At first glance, 0.0.0.2 is not a valid wildcard mask. You could use 0.0.0.3.

    BTW, what "isn't working". Are you not able to ping the 2nd router?

    Is this the topology you are using?

    PC (10.10.11.2)--> (ip nat inside) R1 (192.5.5.1/255.255.255.252, ip nat outside) --> (192.5.5.2/255.255.255.252) R2

    2) Do you have a route to 196.10.10.96 255.255.255.248 on R2?

    3) Your NAT Pool covers 2 subnets -- 196.10.10.96/29 and 196.10.10.104/29.

    196.10.10.96/29 -- 196.10.10.97 - 196.10.10.102
    196.10.10.104/29 -- 196.10.10.105 - 196.10.10.110
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    Hi, i changed the wildcard mask to 0.0.0.3 instead but still no luck on that, i changed the pool addresses to ip nat pool test 196.10.10.1 196.10.10.5 netmask 255.255.255.248, for simplicity for now, still no luck.

    An yes i am able to ping 192.5.5.2 which is the second router from the NAT router but the PC cannot ping 192.5.5.2, that router has no other interfaces configured on it, just that one address over a serial link to the NAT router which is 192.5.5.1.

    I dont have any routes pointing to 196.10.10.1-5 on any router. I have ospf enabled on both routers though and they're both neighbours.
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    This is so strange but I'm getting Request Time Out messages on the PC in packet tracer BUT it's actually showing the NAT translations going through on the router:

    Inside global Inside local Outside local Outside global
    icmp 196.10.10.1:155 10.10.11.2:155 192.5.5.2:155 192.5.5.2:155
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    figured it out but its a bit confusing still haha, basically i needed to put a static route on router 2 0.0.0.0 0.0.0.0 s2/0 to force the packets back out because i'm assuming that they didn't know what to do with them when they received them.

    Because 196.10.10.1 wasn't in either routing table it didn't know what to do with them, however! When the NAT router received them back how did it know what to do with them? Was it because the source IP address remained them same 10.10.11.2 and from their the routing table on the NAT router knew to bounce them back to that MAC and IP address haha?
  • james43026james43026 Member Posts: 303 ■■□□□□□□□□
    You are correct, the return traffic (echo reply) was unable to traverse it's way back, as R2 didn't have a return path in it's routing table before. NAT traffic is kept in a stateful table so that return traffic can have the NAT translation reversed.
Sign In or Register to comment.