NAT in Transition

Unanswered Question
Jun 24th, 2008

3640 router version 12.3

We have most of our machines on a class C network. We have a DMZ setup with static NAT addresses. We are running low on the class C network IP addresses so would like to transition to NAT overload (PAT).


The commands I am using are:

ip nat pool ptinat 198.17.220.118 198.17.220.118 netmask 255.255.255.0
ip nat inside source list 20 pool ptinat overload
access-list 20 permit 172.28.0.0 0.0.255.255

I also put the following on the interface FastEthernet0/0:

ip address 198.17.220.118 255.255.255.0 secondary


Once I have done this the 198.17.220.0 and the 172.28.0.0 networks cannot talk to each other.


Any ideas?

a.alekseev Tue, 06/24/2008 - 11:27

the 198.17.220.0 and the 172.28.0.0 networks cannot talk to each other because you did PAT.

Only hosts from 172.28.0.0 can have an access to hosts in 198.17.220.0.

lnatschke Tue, 06/24/2008 - 11:47

I am logged into the 172.28.0.0 host.

If I ping 198.17.220.0 host it is successful

If I traceroute 198.17.220.0 host it is successful

If I ssh to 198.17.220.0 host, it comes back with:

debug1: Connecting to 198.17.220.131 [198.17.220.131] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: read: Connection reset by peer


If I turn NAT off, this same ssh will be successful.


I am grateful for any help you can give me.

Thank you.


a.alekseev Tue, 06/24/2008 - 12:28

Could you show all parts of your config related to NAT/PAT?

lnatschke Tue, 06/24/2008 - 13:02

I am a bit nervous about putting too much of the config out on the network. Does this help at all?


interface FastEthernet0/0
 ip address 198.17.220.118 255.255.255.0 secondary
 ip address 198.17.x.x 255.255.255.0
 ip broadcast-address 198.17.220.255
 ip nat outside
!
interface FastEthernet3/1
 description PTI TESTING NAT
 ip address 172.28.0.100 255.255.0.0
 ip broadcast-address 172.28.0.255
 ip nat inside
!
ip nat pool ptinat 198.17.220.118 198.17.220.118 netmask 255.255.255.0
ip nat inside source list 20 pool ptinat overload
access-list 20 permit 172.28.0.0 0.0.255.255
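To make the translation state this config asks for concrete, here is a small Python model of NAT overload (PAT), added as an illustration and not taken from the thread or from IOS: the pool address and access-list 20 come from the posted config, while the inside host addresses, port numbers and the `PatTable` class are constructed. It models only the translation table, not the interface or secondary-address interaction being discussed, so it is a way to reason about what `show ip nat translations` should contain, not a diagnosis of the ssh reset.

```python
import ipaddress

# Constructed model of the NAT-overload (PAT) config quoted in the thread:
#   ip nat pool ptinat 198.17.220.118 198.17.220.118 netmask 255.255.255.0
#   ip nat inside source list 20 pool ptinat overload
#   access-list 20 permit 172.28.0.0 0.0.255.255
POOL_ADDR = "198.17.220.118"
ACL_20 = ("172.28.0.0", "0.0.255.255")   # (network, Cisco wildcard mask)

def acl_permits(addr, network, wildcard):
    """Cisco wildcard match: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

class PatTable:
    """Minimal PAT state: many inside (ip, port) sockets share one global address."""

    def __init__(self, pool_addr, acl, first_port=1024):
        self.pool_addr, self.acl, self.next_port = pool_addr, acl, first_port
        self.inside_to_global = {}   # (inside_ip, inside_port, proto) -> global_port
        self.global_to_inside = {}   # (global_port, proto) -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, proto):
        """Inside->outside packet. Returns (global_ip, global_port), or None when
        access-list 20 does not match and the packet would leave untranslated."""
        if not acl_permits(src_ip, *self.acl):
            return None
        key = (src_ip, src_port, proto)
        if key not in self.inside_to_global:
            self.inside_to_global[key] = self.next_port
            self.global_to_inside[(self.next_port, proto)] = (src_ip, src_port)
            self.next_port += 1
        return (self.pool_addr, self.inside_to_global[key])

    def inbound(self, dst_ip, dst_port, proto):
        """Outside->inside reply. None means no translation exists for that port."""
        if dst_ip != self.pool_addr:
            return None
        return self.global_to_inside.get((dst_port, proto))

def demo():
    """Two constructed inside hosts using the same source port share the pool address."""
    pat = PatTable(POOL_ADDR, ACL_20)
    a = pat.outbound("172.28.0.10", 40000, "tcp")
    b = pat.outbound("172.28.5.7", 40000, "tcp")
    reply = pat.inbound(POOL_ADDR, a[1], "tcp")   # e.g. SYN-ACK from 198.17.220.131
    return a, b, reply, pat.outbound("10.9.9.9", 40000, "tcp")
```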


a.alekseev Tue, 06/24/2008 - 13:20

remove this line from the config

ip address 198.17.220.118 255.255.255.0 secondary

and try again

lnatschke Wed, 06/25/2008 - 06:11

Sorry to say it did not make any difference to have the secondary interface removed.
