PAT ISSUE

Answered Question
May 7th, 2007

Hi

I have two routers connected through a public-carrier-provided MPLS network.

Both can ping on their serial interfaces along with the service provider end IPs, but fail to ping each other's local Fast Ethernet.

The configuration of Router 'A' is here:

interface FastEthernet0/1

description ## KHI Gateway to MPLS ###

ip address 192.168.15.250 255.255.255.0

ip nat inside

duplex auto

speed auto

interface Serial0/0/1

description #link to MPLS#$FW_INSIDE$

ip address 221.x.x.34 255.255.255.252

ip nat outside

router eigrp 1

network 192.168.0.0

network 192.168.2.0

network 192.168.9.0

network 192.168.10.0

network 192.168.13.0

network 192.168.14.0

network 192.168.15.0

network 192.168.16.0

ip route 0.0.0.0 255.255.255.252 221.120.192.33

ip route 202.x.x.96 255.255.255.252 221.120.192.33

ip http server

ip http access-class 71

ip http authentication local

ip nat pool outer 192.168.16.0 192.168.16.254 netmask 255.255.255.0

ip nat inside source list 7 interface Serial0/0/1 overload

ip nat outside source list 8 pool outer add-route

!

!

access-list 7 permit 192.168.15.0 0.0.0.255

access-list 8 permit 192.168.16.0 0.0.0.255

Router 'B'

interface Serial0/1/0

description ITI SERIAL

ip address 202.x.x.98 255.255.255.252

ip nat outside

interface FastEthernet0/0

description CONNECTION TO MY NETWORK

ip address 192.168.16.250 255.255.255.0

ip nat inside

speed auto

full-duplex

no mop enabled

router eigrp 1

network 192.168.0.0

network 192.168.2.0

network 202.x.x.0 0.0.0.7

network 221.x.x.0 0.0.0.3

ip classless

ip route 0.0.0.0 0.0.x.x.125.147.97

ip route 0.0.0.0 255.x.x.252 202.125.147.97

!

ip http server

ip nat inside source list 8 interface Serial0/1/0 overload

!

access-list 8 permit 192.168.16.0 0.0.0.255

access-list 8 permit 192.168.15.0 0.0.0.255

Any help is highly appreciated.

mrmozaffari Mon, 05/07/2007 - 02:11

Hi

Let's forget about dynamic routing for now, I mean EIGRP, and use static routing to test the connectivity. Now take a look at this line in your configuration:

ip route 0.0.0.0 255.255.255.252 221.120.192.33

What does it mean?

It should be like this:

ip route 0.0.0.0 0.0.0.0 221.120.192.33

I hope this will solve your problem.

Please rate helpful posts.

Best Regards B.Mozaffari

vijayasankar Mon, 05/07/2007 - 02:19

Hi,

At Router A, you don't need the ip nat outside.

Remove that "ip nat outside" and the corresponding statements on Router A.

At Router B, I don't see that the local network 192.168.16.0 is included in EIGRP.

Also, the ACL 8 on Router B should not include the network 192.168.15.0. Remove that.

To summarise,

On Router A, perform the following.

no ip nat outside source list 8 pool outer add-route

no access-list 8

On Router B, perform the following

router eigrp 1

network 192.168.16.0 0.0.0.255

no access-list 8

access-list 8 permit 192.168.16.0 0.0.0.255

Also, I could see some strange static routes on both the routers.

Router A:

ip route 0.0.0.0 255.255.255.252 221.120.192.33

Router B:

ip route 0.0.0.0 0.0.0.0 202.125.147.97

ip route 0.0.0.0 255.255.255.252 202.125.147.97

Please correct the same.

-VJ

shahzadrana Mon, 05/07/2007 - 02:43

Hi VJ

I am sending again the updated output of the sh run command:

Router 'A'

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname OLPHO3

!

boot-start-marker

boot-end-marker

!

no aaa new-model

ip subnet-zero

!

!

ip cef

!

!

no ftp-server write-enable

interface FastEthernet0/0

description # Fast Ethernet Connection 1 #

ip address 192.168.0.248 255.255.255.0

duplex auto

speed auto

no cdp enable

!

interface FastEthernet0/1

description ## KHI Gateway to MPLS ###

ip address 192.168.15.250 255.255.255.0

ip nat inside

duplex auto

speed auto

!

!

interface Serial0/0/1

description #link to MPLS#$FW_INSIDE$

ip address 221.120.192.34 255.255.255.252

ip nat outside

!

!

router eigrp 1

network 192.168.0.0

network 192.168.2.0

network 192.168.9.0

network 192.168.10.0

network 192.168.13.0

network 192.168.14.0

network 192.168.15.0

network 192.168.16.0

network 192.168.19.0

network 192.168.100.0

network 202.125.147.0 0.0.0.7

network 221.120.192.0 0.0.0.3

no auto-summary

no eigrp log-neighbor-changes

!

ip classless

ip route 0.0.0.0 255.255.255.252 221.120.192.33 (this is the ISP end edge router IP)

ip route 192.168.16.0 255.255.255.0 221.120.192.33

ip route 192.168.16.0 255.255.255.0 202.125.147.97

ip route 202.125.147.96 255.255.255.252 221.120.192.33

ip http server

ip http access-class 71

ip http authentication local

ip nat pool outer 192.168.16.0 192.168.16.254 netmask 255.255.255.0

ip nat inside source list 7 interface Serial0/0/1 overload

!

!

access-list 7 permit 192.168.15.0 0.0.0.255

access-list 71 permit 192.168.0.5

access-list 99 permit 192.168.0.62

access-list 99 permit 192.168.0.5

access-list 99 deny any

access-list 101 permit ip any any

access-list 108 remark 8

access-list 108 remark SDM_ACL Category=2

access-list 108 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255

access-list 169 permit icmp any any echo

access-list 169 permit icmp any any echo-reply

access-list 169 permit udp any any eq echo

access-list 169 permit udp any eq echo any

access-list 169 permit tcp any any established

access-list 169 permit tcp any any

access-list 169 permit ip any any

dialer-list 1 protocol ip list 101

!

control-plane

!

banner login ^C ^C

banner motd ^C Welcome To OLPHO ISDN Router ^C

!

line con 0

login local

transport output telnet

line aux 0

login local

transport output telnet

Router 'B'

Current configuration : 1713 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ORIX-MPLS

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$D54Q$j6R5yWaLSGH7XzPcsA5iW.

!

no aaa new-model

!

resource policy

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

ip cef

no ip dhcp use vrf connected

ip name-server 202.125.148.204

isdn switch-type basic-net3

interface FastEthernet0/0

description CONNECTION TO MY NETWORK

ip address 192.168.16.250 255.255.255.0

ip nat inside

speed auto

full-duplex

no mop enabled

!

interface Serial0/1/0

description ITI SERIAL

ip address 202.125.147.98 255.255.255.252

ip nat outside

!

interface Serial0/1/1

no ip address

shutdown

clockrate 2000000

!

router eigrp 1

network 192.168.15.0

network 192.168.16.0

network 202.125.147.0 0.0.0.7

network 221.120.192.0 0.0.0.3

auto-summary

!

ip classless

ip route 0.0.0.0 0.0.0.0 202.125.147.97 (the 202.125.147.97 is the ISP edge router address)

ip route 0.0.0.0 255.255.255.252 202.125.147.97

!

ip http server

ip nat inside source list 8 interface Serial0/1/0 overload

!

end

vijayasankar Mon, 05/07/2007 - 02:46

Hi,

ACL 8 is missing in Router B.

Include these lines on Router B.

access-list 8 permit 192.168.16.0 0.0.0.255

-VJ
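
An added example, not part of the original thread or any poster's code: a small Python check for the two configuration mistakes raised above, a static route with prefix 0.0.0.0 but mask 255.255.255.252 (which is not a default route) and a NAT statement that references an access list that is never defined. The function names and the `ROUTER_B` excerpt are constructed here from lines posted in the thread.

```python
import ipaddress
import re

# Constructed excerpt: lines copied from the Router 'B' configuration posted
# in this thread, where ACL 8 is referenced but not defined.
ROUTER_B = """\
ip route 0.0.0.0 0.0.0.0 202.125.147.97
ip route 0.0.0.0 255.255.255.252 202.125.147.97
ip http server
ip nat inside source list 8 interface Serial0/1/0 overload
"""

def static_routes(config):
    """Yield (network, next_hop) for each 'ip route <prefix> <mask> <next-hop>'."""
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)", config, re.M):
        prefix, mask, next_hop = m.groups()
        yield ipaddress.ip_network(f"{prefix}/{mask}"), next_hop

def lookup(config, destination):
    """Longest-prefix match of destination against the static routes only."""
    dest = ipaddress.ip_address(destination)
    hits = [(net, nh) for net, nh in static_routes(config) if dest in net]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def audit(config):
    """Return findings for the two mistakes discussed in the thread."""
    findings = []
    for net, nh in static_routes(config):
        # Prefix 0.0.0.0 with a non-zero mask only covers the first few addresses.
        if int(net.network_address) == 0 and net.prefixlen != 0:
            findings.append(f"route {net} via {nh} is not a default route "
                            f"(covers only {net.num_addresses} addresses)")
    defined = set(re.findall(r"^access-list (\d+) ", config, re.M))
    used = set(re.findall(r"^ip nat .*? list (\d+)\b", config, re.M))
    used |= set(re.findall(r"^ip http access-class (\d+)", config, re.M))
    for acl in sorted(used - defined, key=int):
        findings.append(f"ACL {acl} is referenced but never defined")
    return findings

if __name__ == "__main__":
    for finding in audit(ROUTER_B):
        print(finding)
    print(lookup(ROUTER_B, "192.168.15.250"))
```

The lookup models static routes only; connected and EIGRP-learned routes are outside this sketch.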

mrmozaffari Mon, 05/07/2007 - 02:47

Hi again

Please change this line

ip route 0.0.0.0 255.255.255.252 221.120.192.33

to this and examine what will happen.

ip route 0.0.0.0 255.255.255.252 221.120.192.33

Thanks.

vijayasankar Mon, 05/07/2007 - 02:49

Hi,

As pointed out by the fellow Netpro, please remove the incorrect static route on Router B.

no ip route 0.0.0.0 255.255.255.252 202.125.147.97

It should have only one default route.

ip route 0.0.0.0 0.0.0.0 202.125.147.97

-VJ

shahzadrana Mon, 05/07/2007 - 02:56

hi VJ

Removed the incorrect address, but still failed to ping the remote LAN.

Thank you

vijayasankar Mon, 05/07/2007 - 03:07

Hi,

As you have the MPLS links connecting both sites, do you really need NAT to access the remote LAN segments?

I just had a look at the configuration and your initial requirement.

You want LAN-to-LAN access; in this case PAT is not going to help.

If you receive the LAN routes via EIGRP properly, then you don't need to do NAT at all.

Did your service provider instruct you to turn on EIGRP to advertise your subnets?

If this is the case, which it usually is, you don't need to do NAT/PAT at both ends; you should be able to access the LAN segments mutually at both locations.

Kindly clarify your setup so that I can help you better.

-Vj

shahzadrana Mon, 05/07/2007 - 03:15

Hi

Yes, you are right. This is an MPLS link connecting both sites; usually NAT and PAT are not required to access remote LAN segments.

I am using a leased line on the other router with the EIGRP protocol, and it works fine with LAN routes. My service provider has not asked me to turn on EIGRP. But what else should we use instead of EIGRP?

Thanks again

Correct Answer
vijayasankar Mon, 05/07/2007 - 03:21

Hi,

You should inform your service provider that you have the 192.168.15.0/24 network at Location A and the 192.168.16.0/24 network at Location B, so that the service provider will add the necessary routes on his MPLS PE router.

If your service provider adds the necessary routes in his end devices, you will be able to have LAN communication between both sites.

Only if your service provider also configures EIGRP at the PE router and supports it for you will you be able to advertise your networks dynamically through EIGRP.

Please discuss with your service provider to proceed further.

-VJ

shahzadrana Mon, 05/07/2007 - 03:42

Thank you VJ.

I forwarded your suggested guidelines to our service provider.

Best Regards

Shahzad
