Need help on ACL_NAT process...

Unanswered Question
Dec 22nd, 2009



Can anyone please inform me why I am not getting expected result from the NAT process? I have included a Packet Tracer file which contains the Network and its configuration. I am also posting some pictures of the diagram and configuration.


Please view the configuration of two routers to know the details of the diagram.


The following activities are currently working properly in the network diagram.

  1. There are 5 VLANs; each of them has a DHCP server attached to Switch1.
  2. Switch 2 and 3 contain hosts from different VLANs.
  3. Every computer can “PING” each other.
  4. DHCP servers are providing IP addresses to the hosts in the different VLANs.
  5. Router “Gateway” translates some private IP addresses to registered public IP addresses based on the access list.
  6. “Show IP access-list” shows the counters of matching packets on the “Gateway” router.
  7. “IP nat translation” shows the translation of private addresses based on the ACL.


As I have implemented an ACL on serial 0/0 in the inbound direction, I want Router “ISP” to block any private IP address coming from the “Gateway” router.

On the router “Gateway” I have intentionally denied some private IP addresses in the access list, so that they cannot take part in the IP NAT translation process.


Problem:

When I am using “tracert 100.100.100.102” from any host computer, it shows the time to reach that IP address, but it can't ping that address.


When I am using “tracert 100.100.100.102” from any server, it shows “destination host unreachable”.


When I am using the Simulation mode of Packet Tracer, the simulation shows packets being generated from host computers, reaching the destination and coming back to the same host, but the result shows “Failed”.


The “Show access-list” command on the “ISP” router shows increasing counters only against “permit ip any any”. But the counters are not increasing when I am sending packets from any server (those packets which I don't want to translate through the NAT process). In that case, when I am sending packets from any server, the counters against “deny ip 172.16.0.0 0.0.15.255 any” should increase on the “ISP” router.


Can anyone please help?

Marwan ALshawi Tue, 12/22/2009 - 22:22

Enable debugging of the NAT using the following command on the gateway router


debug ip nat detail



then generate traffic from a host that is supposed to be NATed to the outside


and post the result of the debug here as a text file

abhijit379 Tue, 12/22/2009 - 23:57

Here is the output


Gateway#debug ip nat
IP NAT debugging is on
Gateway#
NAT: s=192.168.1.8->100.100.100.101, d=100.100.100.102 [7]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [233]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.1.8 [233]
NAT: s=192.168.2.11->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [239]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.2.11 [239]
NAT: s=192.168.3.11->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [242]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.3.11 [242]
NAT: s=192.168.4.11->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [246]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.4.11 [246]
NAT: s=192.168.5.11->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [249]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.5.11 [249]
NAT: s=192.168.2.10->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [252]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.2.10 [252]
NAT: s=192.168.3.10->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [256]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.3.10 [256]
NAT: s=192.168.4.10->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [259]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.4.10 [259]
NAT: s=192.168.5.10->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [263]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.5.10 [263]
NAT: expiring 100.100.100.101 (192.168.1.8) icmp 1 (1)
NAT: expiring 100.100.100.101 (192.168.2.11) icmp 1024 (1)
NAT: expiring 100.100.100.101 (192.168.3.11) icmp 1025 (1)

NAT: expiring 100.100.100.101 (192.168.5.11) icmp 1027 (1)
NAT: expiring 100.100.100.101 (192.168.2.10) icmp 1028 (1)
NAT: expiring 100.100.100.101 (192.168.3.10) icmp 1029 (1)
NAT: expiring 100.100.100.101 (192.168.4.10) icmp 1030 (1)

NAT: expiring 100.100.100.101 (192.168.5.10) icmp 1031 (1)


I have generated traffic from each and every host and server
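The debug lines above can be reduced to the NAT mapping they imply and then checked against the ISP's inbound ACL. This is an added Python example, not code from the thread; it works on a constructed excerpt of the posted output and assumes the ISP ACL contains only the two entries the poster names (deny 172.16.0.0 0.0.15.255, permit ip any any). Note that `debug ip nat` only reports packets NAT actually touched, so sources the Gateway access list denies never appear here; the ACL check below is what shows which untranslated private sources the ISP filter would still let through.

```python
import ipaddress
import re

# Constructed `debug ip nat` lines modelled on the capture posted in this thread (not the original).
SAMPLE_DEBUG = """\
NAT: s=192.168.1.8->100.100.100.101, d=100.100.100.102 [7]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.1.8 [233]
NAT: s=192.168.2.11->100.100.100.101, d=100.100.100.102 [9]
NAT: expiring 100.100.100.101 (192.168.1.8) icmp 1 (1)
"""
# Assumed content of the inbound ACL on ISP serial 0/0: only the two entries named in the thread.
ISP_ACL = [("deny", "172.16.0.0", "0.0.15.255"), ("permit", "any", None)]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^NAT\*?: s=(?P<src>[^,]+), d=(?P<dst>\S+) \[\d+\]$")

def split_rewrite(field):
    """'a->b' means NAT rewrote a to b; a bare address was left untouched."""
    return tuple(field.split("->", 1)) if "->" in field else (field, field)

def parse_debug(text):
    """(src_before, src_after, dst_before, dst_after) per packet line; 'expiring' lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [split_rewrite(m.group("src")) + split_rewrite(m.group("dst")) for m in matches if m]

def inside_global_map(packets):
    """Inside local -> inside global, from outbound packets whose source was rewritten."""
    return {s0: s1 for s0, s1, _, _ in packets if s0 != s1}

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network; wildcard bits must be contiguous."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    mask = ipaddress.IPv4Address(~w & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)

def acl_action(acl, src):
    """First-match evaluation of a source-only ACL; IOS drops anything no entry matches."""
    ip = ipaddress.IPv4Address(src)
    for action, addr, wildcard in acl:
        if addr == "any" or ip in wildcard_to_network(addr, wildcard):
            return action
    return "deny"

def permitted_private(acl, sources):
    """Addresses from RFC 1918 space that the ACL would still let into the ISP router."""
    return sorted(s for s in sources
                  if any(ipaddress.IPv4Address(s) in n for n in RFC1918)
                  and acl_action(acl, s) == "permit")
```

Running `permitted_private(ISP_ACL, ["192.168.1.8", "172.16.1.10"])` returns `['192.168.1.8']`: with only those two entries, a 192.168.x host that the Gateway does not translate would be accepted by the ISP filter, which is worth checking before relying on the counters.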

Marwan ALshawi Wed, 12/23/2009 - 04:10

thanks for doing that

but I asked you to do


debug ip nat detail
