642-831 question has me stumped!

So I passed the 642-831 on my second try. Two questions:

1) Are the BCRAN and BSCI easier or tougher than the troubleshooting exam?

2) There was the same damn simulation on both exams: a router has three interfaces, two of which are "ip nat inside" and one of which is "ip nat outside". Currently, NAT appears to be translating one inside local to an inside global. Nothing is working, and the NAT config looks roughly like this:

interface Loopback1
 ip address 192.168.1.0 255.255.255.0

interface FastEthernet0/0
 description internal
 ip address 10.0.0.1 255.255.255.0
 ip nat inside

interface FastEthernet0/1
 description dmz
 ip address 10.10.0.1 255.255.0.0
 ip nat inside

interface Serial1
 ip address 172.1.1.1 255.255.255.252
 ip nat outside

ip nat inside source static 10.10.10.10 192.168.1.32
ip nat inside source list 1 interface Loopback1 overload

access-list 1 permit 10.0.0.0 0.255.255.255

All interfaces are up, no debug is allowed, and "show ip nat statistics" and "show ip nat translations" are OK.

"show ip nat translations" shows the one static translation, yet nobody can cross the serial link or access the web server. Is this configuration just completely illegal, or is there something that should be obvious to me?

Thanks, Owen

Owen Roth

Yes, that was some number; let's say .1.

Is it possible the second NAT command is somehow pointing out the loopback, and should point out the serial?

-Owen

Owen Roth

Has me stumped as well.

What is the address on the loopback?

"ip address 192.168.1.0 255.255.255.0" is a base address and will not be allowed. Is this a typing error?

Beez

Beezneez

I hate NAT!!!

I am thinking it's something to do with the loopback also, but I think it should work. I need to try it out on a test router. I will let you know if I find anything.

Beez

Beezneez

Hi, I could be wrong, but it looks to me like part of the configuration has a dynamic translation set up between 10.x.x.x and the loopback interface, but the outside interface is designated as the serial port. In other words, there appears to be a configuration mismatch.

Normally you want the interface named in INSIDE SOURCE ... INTERFACE _________ to match the interface that you put the IP NAT OUTSIDE command on.

That is:

ip nat inside source list 1 interface SER1 overload

Does that make sense in this situation?

Robert

Bob by the Bay

Hmmm...

Were there routing protocols configured that included network 192.168.1.0?

Was the loopback interface used for anything else?

I'll assume "yes" and "no", and hazard a guess:

MOST of the time, folks use NAT with a private network inside, and want to present inside servers to the outside with acceptable global addresses, and/or make inside clients' requests to the outside appear with routable source addresses. Usually, this is done by using one or more of the addresses on your outside interface for the NAT pool. (Would have been 172.1.1.1.) In this case, it would appear that they wanted to use a different pool of addresses (192.168.1.0/24) instead.

The trouble with using a totally different network number is that routers on the outside wouldn't know to return stuff to you unless you tell them you have a route to that network. By using that number on a loopback interface and including it in your routing protocol, you advertise that network, so they'll send you packets for it. Once they come in, they get translated back and go out the correct inside/DMZ interface.

What I THINK happened here (ICBW) is that once they had a loopback defined, they tried to take a shortcut and used the interface form of the NAT syntax instead of the pool form to define the global source addresses. Since the interface named is NOT the outside interface, it doesn't work. The fix would be to re-code the addresses as an explicit pool, rather than using "list 1 interface loopback1".

Mike Dorn

Hi Mike

Looks like you are correct!!!

I tried it out on a test router, first using the interface form in the NAT command:

ip nat inside source list 1 int lo1 overload

When I ran "debug ip nat detailed" I got the message "NAT: Translation Failed dropping packet", BUT when I create a pool:

ip nat inside source list 1 pool NATPOOL overload

it works!!!!!

Well I learned something today!!!!!!!!

Beez

Beezneez
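To turn the thread's conclusion into something you can check mechanically, here is an added example (my own code, not from any poster, from the exam, or from Cisco): a small Python linter that parses an IOS-style NAT configuration and flags an "ip nat inside source list ... interface X overload" rule whose X is not the interface carrying "ip nat outside", which is the mismatch Robert and Mike identified and Beez confirmed on a test router. It also flags the base-address problem Beez asked about. The configuration strings are reconstructed from Owen's description, with the loopback at .1 as he later said; the pool name NATPOOL and the range 192.168.1.2 to 192.168.1.31 are assumptions, chosen so the pool sits beside the static .32 mapping without overlapping it or the loopback address.

```python
"""Added example (not from the thread or from Cisco): lint an IOS-style NAT config
for the fault the thread converges on, an interface-form dynamic NAT rule that
names an interface other than the 'ip nat outside' one, plus the base-address
check Beez raised. Sample configs below are reconstructed from Owen's post."""
import ipaddress
import re

# Canonical IOS interface type names; abbreviations (lo, f, ser, s) are prefixes of these.
_CANON = ("loopback", "fastethernet", "gigabitethernet", "ethernet", "serial")


def normalize(name: str) -> str:
    """Fold abbreviations such as lo1, f0/0 or ser1 onto one canonical spelling."""
    if m := re.match(r"([a-z]+)(.*)", name.lower()):
        prefix, rest = m.groups()
        for canon in _CANON:
            if canon.startswith(prefix):
                return canon + rest
    return name.lower()


def parse_config(text: str):
    """Return ({iface: {addr, mask, nat}}, global 'ip nat inside source' rules, pool names)."""
    ifaces, rules, pools, cur = {}, [], set(), None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):  # top-level command: ends any interface block
            cur = None
            if m := re.match(r"interface\s+(\S+)", line):
                cur = ifaces.setdefault(normalize(m.group(1)), {"addr": None, "mask": None, "nat": None})
            elif m := re.match(r"ip nat pool\s+(\S+)", line):
                pools.add(m.group(1))
            elif line.startswith("ip nat inside source"):
                rules.append(line)
        elif cur is not None:
            sub = line.strip()
            if m := re.match(r"ip address\s+(\S+)\s+(\S+)", sub):
                cur["addr"], cur["mask"] = m.groups()
            elif sub in ("ip nat inside", "ip nat outside"):
                cur["nat"] = sub.split()[-1]
    return ifaces, rules, pools


def lint_nat(text: str) -> list:
    """Return human-readable findings; an empty list means the NAT wiring is consistent."""
    ifaces, rules, pools = parse_config(text)
    findings = []
    outside = {n for n, i in ifaces.items() if i["nat"] == "outside"}
    if not outside:
        findings.append("no interface carries 'ip nat outside'")
    for name, i in ifaces.items():  # Beez's point: a host address equal to the network address is rejected
        if i["addr"] and i["mask"]:
            net = ipaddress.ip_network(f"{i['addr']}/{i['mask']}", strict=False)
            if net.prefixlen < 31 and ipaddress.ip_address(i["addr"]) == net.network_address:
                findings.append(f"{name}: {i['addr']} {i['mask']} is the network address, not a host address")
    for rule in rules:
        if m := re.search(r"\binterface\s+(\S+)", rule):  # interface form must name the outside interface
            target = normalize(m.group(1))
            if target not in ifaces:
                findings.append(f"{rule}: {m.group(1)} is not a configured interface")
            elif target not in outside:
                findings.append(f"{rule}: {m.group(1)} is not the 'ip nat outside' interface; "
                                "use 'ip nat pool' to translate to addresses that are not on it")
        if (m := re.search(r"\bpool\s+(\S+)", rule)) and m.group(1) not in pools:
            findings.append(f"{rule}: pool {m.group(1)} is not defined")
    return findings


# Constructed from Owen's description, with the loopback at .1 as he later clarified.
BASE = """\
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
interface Serial1
 ip address 172.1.1.1 255.255.255.252
 ip nat outside
ip nat inside source static 10.10.10.10 192.168.1.32
access-list 1 permit 10.0.0.0 0.255.255.255
"""
BROKEN = BASE + "ip nat inside source list 1 interface Loopback1 overload\n"
# Pool name and range are assumptions; the range avoids the static .32 and the loopback .1.
FIXED = BASE + ("ip nat pool NATPOOL 192.168.1.2 192.168.1.31 netmask 255.255.255.0\n"
                "ip nat inside source list 1 pool NATPOOL overload\n")
BAD_LOOPBACK = BROKEN.replace("192.168.1.1 255.255.255.0", "192.168.1.0 255.255.255.0")

if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN), ("pool form", FIXED), ("loopback at .0", BAD_LOOPBACK)):
        print(f"{label}: {lint_nat(cfg) or ['no findings']}")
```

Run it as-is and the "as posted" config produces one finding against the Loopback1 rule, the pool form produces none, and the .0 loopback adds Beez's base-address finding. The linter only checks the wiring between the NAT statements and the interface roles; it does not know whether 192.168.1.0/24 is actually advertised to the outside, which Mike's post explains is the other half of making a non-interface global range reachable.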

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.