NAT Troubles

I have an issue with NAT. I'm trying to test the NAT config in the Cisco doc

I have set up my CCNA network simulator lab as follows:

NAT Router: S0 172.16.10.64/24, Fa0/0 10.10.10.1

WWW Router: S0 172.16.10.65/24, Fa0/0 172.16.11.1/24

I also have two PC clients off each router via a switch. The two NAT clients are 10.10.10.3 and 10.10.10.4. The two WWW clients are 172.16.11.3 and 172.16.11.4.

I configured the NAT router as follows:

interface S0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside

interface Fa0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

First I tried to configure it as per the Cisco doc:

ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
ip nat inside source list 7 pool no-overload
access-list 7 permit 10.10.10.0 0.0.0.31

When this didn't work, I got rid of the dynamic stuff and just put in:

ip nat inside source static 10.10.10.3 172.16.10.70

On both occasions I can't ping any of the WWW clients from my NAT client; I can't ping any further than 172.16.10.64 from the NAT client. What gives? If I implement routing between NAT and WWW it all works. Is routing still required in this situation? I would have thought the WWW router could relay traffic from hosts on the 172.16.10.0 network to the 172.16.11.0 network, since the networks are directly connected to the router. All the examples I've seen state to NAT the inside local (in this case my NAT client IP) to the inside global (which is supposed to be an IP address on the other side, the serial interface, of the NAT router).

Any help greatly appreciated!

RB

rb33339

I also plugged all your values into Boson's NetSim and ran it, and I ended up with the same as yourself. I could ping from the hosts all the way to the S0 interface of the router (from both sides). Once I enabled routing (RIP, and only advertised 172.16.10.0 on each side), I could reach the other end of the serial line each way.

I still could not ping from NAT hosts to WWW hosts, but Show IP NAT TRANS on my NAT router says one-way translations are occurring. Then I advertised the 10.10.10.0 network from the NAT router. Now I am able to ping all the way across each way. However, I realized this defeats the purpose of "hiding" those 10.10.10.x host machines with NAT translations.

I shouldn't have to advertise the 10.10.10.0 network from the NAT router in order for this to work. NAT should translate 10.10.10.1-10.10.10.31 to the inside global range of 172.16.10.1-172.16.10.63, so the WWW router and its hosts communicate with the NAT hosts via the 172.16.10.x addresses and not the 10.10.10.x addresses. However, when I remove the RIP network 10.10.10.0 from the NAT router, and WWW drops that route from its routing table, I can no longer ping the hosts.

I then realized I need a simple default route on the NAT router to fix this issue:

ip route 0.0.0.0 0.0.0.0 172.16.10.65 (gateway of last resort)

Now do a few pings from NAT hosts to 172.16.11.x hosts and some from the WWW hosts back to the inside global addresses translated by NAT for the 10.10.10.0 hosts, and you can really watch the SHOW IP NAT TRANSLATIONS screen fill with entries.

Chad

How does the NAT router know about the 172.16.11.1/24 network on the WWW router? When you ping from the NAT hosts to the WWW hosts, the packet arrives at the NAT router, but the router does not know how to get to the 172.16.11.1/24 network.

You need to set a static route or default gateway pointing to 172.16.10.65, and then the packets will return OK, since the destination address is the NATed 172.16.10.70, which the WWW router knows about because it's directly connected.

If you have problems with NATing, run a few debug commands like "debug ip nat detailed" on the NAT router to get a better idea what the router is doing. On the WWW router you can try debug icmp to see if the IP is being translated.

Beez

Beezneez
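A small model of what Beez describes, added here as an example and not taken from the thread: a Python sketch of the NAT router's inside-to-outside decision (route lookup first, then inside-source translation) using the addresses, static mapping, pool and access-list 7 posted above. The route table, the function names and the dictionary standing in for the translation table are my assumptions.

```python
import ipaddress

# Constructed model of the thread's NAT router (added example, not from the
# posts). Inside-to-outside, IOS does the route lookup before inside-source
# translation, so with no route to 172.16.11.x the packet is dropped before NAT.
CONNECTED = {                      # routes the NAT router has without RIP
    ipaddress.ip_network("10.10.10.0/24"): "Fa0/0",
    ipaddress.ip_network("172.16.10.0/24"): "S0",
}
# ip nat inside source static 10.10.10.3 172.16.10.70
STATIC = {"10.10.10.3": "172.16.10.70"}
# ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
POOL = [str(ipaddress.ip_address("172.16.10.1") + i) for i in range(63)]
# access-list 7 permit 10.10.10.0 0.0.0.31
ACL7 = (ipaddress.ip_address("10.10.10.0"), ipaddress.ip_address("0.0.0.31"))

def acl_permits(src, network, wildcard):
    # Cisco wildcard mask: a set bit means "don't care" for that bit.
    mask = 0xFFFFFFFF ^ int(wildcard)
    return (int(src) & mask) == (int(network) & mask)

def lookup_route(dst, have_default):
    # Longest match over connected routes; the posted
    # "ip route 0.0.0.0 0.0.0.0 172.16.10.65" sends everything else out S0.
    for net in sorted(CONNECTED, key=lambda n: n.prefixlen, reverse=True):
        if dst in net:
            return CONNECTED[net]
    return "S0" if have_default else None

def forward_inside_to_outside(src, dst, have_default, translations):
    # Returns (source address on the wire, egress interface), or None if the
    # NAT router drops the packet. translations is the live NAT table (dict).
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if lookup_route(dst_ip, have_default) != "S0":
        return None                      # no route, or not leaving via the outside
    if src in STATIC:
        global_ip = STATIC[src]
    elif acl_permits(src_ip, *ACL7):
        free = [a for a in POOL if a not in translations.values()]
        if src not in translations and not free:
            return None                  # pool exhausted: no overload configured
        global_ip = translations.get(src) or free[0]
    else:
        return src, "S0"                 # not matched by ACL 7: sent untranslated
    translations[src] = global_ip
    return global_ip, "S0"

def translate_returning(dst, translations):
    # Outside-to-inside: map the inside global address back to the inside local.
    return next((loc for loc, glob in translations.items() if glob == dst), None)
```

Running it without the default route reproduces the symptom in the thread (pings to 172.16.10.65 work, pings to 172.16.11.x are dropped); adding it lets the static and pool translations populate the table that the returning traffic is matched against.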

I added default routes to both the NAT and WWW routers and it works. Strange, though, that with the default routes you can ping from PC to PC using the unNATed address, but I imagine this would not be the case in reality as opposed to a lab environment. More importantly, the WWW PC can ping the NATed address, which proves that NAT is in fact working.

Thanks for that. RB

R. Baker

Hi RB

You only need to set a default route on the NAT router. When you have a default route on the WWW router, everything is sent to the NAT router no matter its destination. This explains why both the NATed and unNATed addresses are pingable. When the default is taken out of the WWW router, only the NATed address will work, since it's directly connected between the NAT and WWW routers.

Beez

Beezneez

Cool. I'll try that tonight and make sure it works. RB

rb33339

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.