NAT Troubleshooting

Dubuku57, 07-05-2009, 12:08 PM, #1

Hi everyone,

I was trying out configuring NAT on Packet Tracer - all my steps seem correct (in line with theory) but I'm still unable to get the desired output. Attached is the topo.

I'm trying to only allow PC2 (private address) to be able to ping Web (public address).

Running-config of Router A:

RouterA#sh run
Building configuration...
Current configuration : 743 bytes
!
version 12.4
no service password-encryption
!
hostname RouterA
!
!
!
!
!
ip ssh version 1
!
!
interface FastEthernet0/0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 200.152.200.2 255.255.255.252
 ip nat outside
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool small-pool 200.152.200.65 200.152.200.70 netmask 255.255.255.248
ip nat inside source list 1 pool small-pool
ip classless
ip route 0.0.0.0 0.0.0.0 200.152.200.1
!
!
access-list 1 permit 192.168.100.128 0.0.0.3
!
!
!
line con 0
line vty 0 4
 login
!
!
end

Running-config of ISP:

ISP#sh run
Building configuration...
Current configuration : 483 bytes
!
version 12.4
no service password-encryption
!
hostname ISP
!
!
!
!
!
ip ssh version 1
!
!
interface FastEthernet0/0
 ip address 25.16.59.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 200.152.200.1 255.255.255.252
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
end

Many Thanks in Advance!
P.S.: Reference for the topo is Netsim LabManual
Attached image: NAT_Topo.jpg

blackninja, 07-05-2009, 04:38 PM, #2

Just had a quick look and you are missing a static route on the ISP router to allow traffic back to the NAT router



__________________
One Life: Live It!!

Currently studying:

C# in Monodevelop (Just for fun)
CCNA Security

sandman748, 07-06-2009, 02:31 PM, #3

Quote (originally posted by blackninja):
> Just had a quick look and you are missing a static route on the ISP router to allow traffic back to the NAT router

He shouldn't need a static route back to RouterA from ISP as they are directly connected. The problem is that your

ip nat pool small-pool 200.152.200.65 200.152.200.70 netmask 255.255.255.248

command is translating your local addresses to an IP in the range of 200.152.200.65 - 200.152.200.70 and you do not have an interface configured with any of those addresses.

ip nat pool small-pool 200.152.200.2 200.152.200.2 netmask 255.255.255.252 would work. If you're insistent on using that range for whatever reason, that serial interface going to the router needs to be configured with those addresses. I'm sure that could be done with subinterfaces but I've never actually tried using NAT with several global IPs.
networker050184, 07-06-2009, 02:57 PM, #4

Quote (originally posted by sandman748):
> He shouldn't need a static route back to RouterA from ISP as they are directly connected. The problem is that your
>
> ip nat pool small-pool 200.152.200.65 200.152.200.70 netmask 255.255.255.248
>
> command is translating your local addresses to an IP in the range of 200.152.200.65 - 200.152.200.70 and you do not have an interface configured with any of those addresses.
>
> ip nat pool small-pool 200.152.200.2 200.152.200.2 netmask 255.255.255.252 would work. If you're insistent on using that range for whatever reason, that serial interface going to the router needs to be configured with those addresses. I'm sure that could be done with subinterfaces but I've never actually tried using NAT with several global IPs.

You don't need the pool addresses tied to an interface to ping across. A static route pointing back should do the trick as blackninja pointed out.



__________________
An expert is a man who has made all the mistakes which can be made.

sandman748, 07-06-2009, 03:53 PM, #5

Quote (originally posted by networker050184):
> You don't need the pool addresses tied to an interface to ping across. A static route pointing back should do the trick as blackninja pointed out.

What would that static route be?

Edit: nm, I see the static route thing would work. But that's assuming we have control of the routing table of the ISP. What if we couldn't add that route? Is that something that the ISP normally does, i.e. a static route to whatever IP they've assigned us?
networker050184, 07-06-2009, 04:10 PM, #6

Quote (originally posted by sandman748):
> What would that static route be?
>
> Edit: nm, I see the static route thing would work. But that's assuming we have control of the routing table of the ISP. What if we couldn't add that route? Is that something that the ISP normally does, i.e. a static route to whatever IP they've assigned us?

The ISP would use a static route or BGP with the customer depending on the setup.

Dubuku57, 07-07-2009, 11:29 PM, #7

Quote (originally posted by sandman748):
> He shouldn't need a static route back to RouterA from ISP as they are directly connected. The problem is that your
>
> ip nat pool small-pool 200.152.200.65 200.152.200.70 netmask 255.255.255.248
>
> command is translating your local addresses to an IP in the range of 200.152.200.65 - 200.152.200.70 and you do not have an interface configured with any of those addresses.
>
> ip nat pool small-pool 200.152.200.2 200.152.200.2 netmask 255.255.255.252 would work. If you're insistent on using that range for whatever reason, that serial interface going to the router needs to be configured with those addresses. I'm sure that could be done with subinterfaces but I've never actually tried using NAT with several global IPs.

In dynamic NAT, a pool of addresses is used, right? Anyway, how does one configure the serial interfaces with the addresses? Yes, the static route works, but just one question: if I have a static route both to and fro the two routers, wouldn't that make my NAT useless? As in, I don't need the NAT there anymore since the static route tells my internal hosts how to get to the ISP?

Dubuku57, 07-07-2009, 11:33 PM, #8

Quote (originally posted by Dubuku57):
> In dynamic NAT, a pool of addresses is used, right? Anyway, how does one configure the serial interfaces with the addresses? Yes, the static route works, but just one question: if I have a static route both to and fro the two routers, wouldn't that make my NAT useless? As in, I don't need the NAT there anymore since the static route tells my internal hosts how to get to the ISP?

Also, the static route would be to the LAN side or the WAN side of Router A from the ISP?

Dubuku57, 07-07-2009, 11:56 PM, #9

Quote (originally posted by sandman748):
> He shouldn't need a static route back to RouterA from ISP as they are directly connected.

What sandman mentions got me wondering - if any two routers are directly connected, static routes over them would be redundant?

Why is it that when RouterA pings ISP, or the Web server, it's fine, but when the host attached to RouterA pings, it doesn't work?

blucas, 07-08-2009, 12:11 AM, #10

Quote (originally posted by Dubuku57):
> What sandman mentions got me wondering - if any two routers are directly connected, static routes over them would be redundant?
>
> Why is it that when RouterA pings ISP, or the Web server, it's fine, but when the host attached to RouterA pings, it doesn't work?

I'm too sleepy, and my head isn't working correctly, sorry if I'm saying something stupid, but does the PC have a gateway configured?
It would be 192.168.100.1

Dubuku57, 07-08-2009, 01:54 AM, #11

Yep, configured the gateway correctly. The PC can ping its own router (both interfaces S0/0 and F0/0), just not able to ping the Web host - while Router A is able to do so...

networker050184, 07-08-2009, 02:59 AM, #12

Quote (originally posted by Dubuku57):
> What sandman mentions got me wondering - if any two routers are directly connected, static routes over them would be redundant?
>
> Why is it that when RouterA pings ISP, or the Web server, it's fine, but when the host attached to RouterA pings, it doesn't work?

You wouldn't put a static route for the directly connected route. You would use static routes for anything behind that router.

The reason your RouterA can ping is because it will use the exit interface as the source of the ICMP packet (unless specified otherwise). The exit interface is the interface directly connected to the ISP router. So, the ISP router gets the ICMP packet and sends it on to the destination, the webserver. When the webserver gets it, it sends the reply to its default gateway, which is the ISP router, with RouterA's interface IP as the destination. Once the ISP router gets it, it looks at the destination, and since the ISP router has a connected route to the destination, it forwards the packet and your ping is successful.

When the ISP router gets the ICMP packet sourced from the host, it will still send it on to the webserver and the webserver will send the reply, with the destination set to the host's IP address, to its default gateway, the ISP router. Once the ISP router gets the reply and looks up the destination, it does not have a route back to the host's address and drops the packet.

So, you need to give the ISP router a route back to the host's address (whether that be a NATed address or actual source address).

Dubuku57, 07-08-2009, 03:11 AM, #13

Thanks Networker, I understand that portion on static routes!

Few ans about what Sandman mentioned earlier above:

"command is translating your local addresses to an IP in the range of 200.152.200.65 - 200.152.200.70 and you do not have an interface configured with any of those addresses."

1. Dynamic NAT uses a range of addresses to convert the inside local to, right?
2. Does this pool of addresses need to be in the same subnet as the WAN link addresses?
3. Why must any interface be configured with the addresses from the pool?

sandman748, 07-08-2009, 02:12 PM, #14

Quote (originally posted by Dubuku57):
> Thanks Networker, I understand that portion on static routes!
>
> Few ans about what Sandman mentioned earlier above:
>
> "command is translating your local addresses to an IP in the range of 200.152.200.65 - 200.152.200.70 and you do not have an interface configured with any of those addresses."
>
> 1. Dynamic NAT uses a range of addresses to convert the inside local to, right?
> 2. Does this pool of addresses need to be in the same subnet as the WAN link addresses?
> 3. Why must any interface be configured with the addresses from the pool?

1. That is correct.

For 2 and 3 I'm not sure. I think I may have given the wrong answer above, as networker050184 pointed out. I've never done it before, but apparently you don't have to have those addresses tied to one of your interfaces. The only reason I said it should is so that the source address after NAT matched the directly connected route.

Here's what's happening right now. When RouterA pings ISP it sends out a packet with source address of 200.152.200.2. The ISP router is able to route back to that address as it has a directly connected route.

When the host pings, the router is converting that inside IP address to one of the addresses in the range 200.152.200.65 - 200.152.200.70/28 which are located on network 200.15.200.64. The ISP does not have a route to that network as it is not directly connected. Therefore you need to put in a static route on the ISP router to that network in order to route back.

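Added example, not part of any poster's message: the return-path lookup that networker050184 (#12) and sandman748 (#14) describe, modelled against the ISP routing table from the posted config. The static route (200.152.200.64/29, taken from the pool's netmask 255.255.255.248, next hop RouterA's serial address) and the inside host address are assumptions, not values from the thread.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match; returns the route label, or None (packet dropped)."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, via) for net, via in table if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def acl_permits(src, base, wildcard):
    """Standard ACL match: bits set in the wildcard mask are ignored."""
    s, b, w = (int(ipaddress.ip_address(x)) for x in (src, base, wildcard))
    return (s & ~w) == (b & ~w)

def pool_addresses(first, last):
    """All addresses of a NAT pool, given its first and last address."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

def dropped(table, sources):
    """Sources whose echo replies find no route in `table`."""
    return [s for s in sources if lookup(table, s) is None]

# ISP routing table as posted: connected networks only, no static routes.
ISP_TABLE = [
    (ipaddress.ip_network("25.16.59.0/30"), "connected Fa0/0"),
    (ipaddress.ip_network("200.152.200.0/30"), "connected S0/0/0"),
]
# Assumed fix, not in the posted config. On ISP:
#   ip route 200.152.200.64 255.255.255.248 200.152.200.2
FIXED_TABLE = ISP_TABLE + [
    (ipaddress.ip_network("200.152.200.64/29"), "static via 200.152.200.2"),
]
POOL = pool_addresses("200.152.200.65", "200.152.200.70")  # small-pool
ROUTER_A_WAN = "200.152.200.2"                              # RouterA Serial0/0/0
INSIDE_HOST = "192.168.100.130"   # constructed; PC2's address is not on the page

if __name__ == "__main__":
    # access-list 1 permit 192.168.100.128 0.0.0.3 decides who gets translated.
    print("host translated:", acl_permits(INSIDE_HOST, "192.168.100.128", "0.0.0.3"))
    print("RouterA's own ping returns via:", lookup(ISP_TABLE, ROUTER_A_WAN))
    print("replies dropped, posted config:", dropped(ISP_TABLE, POOL))
    print("replies dropped, with route:   ", dropped(FIXED_TABLE, POOL))
```

With the posted table every pool address is dropped on the way back, while RouterA's own serial address matches the connected /30; an untranslated 192.168.100.x source has no return route in either table.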

Dubuku57, 07-09-2009, 01:54 AM, #15

Okay, it's clear now. I shall try that out in the lab - the route to the inside global address group. Will let you know if any anomalies crop up there. Thanks a lot guys!!
