Question regarding NAT Overload (PAT)

Answered Question
May 22nd, 2010

Hello everyone -

I'm a bit confused as to why my NAT overload seems to be working correctly from my router when sourcing from the router LAN interface 192.168.253.254, but the servers connected to my private VLAN 3 are all unable to telnet to the specified destination target 64.29.104.73 port 12222.

I am trying to implement NAT overload because we have many local IPs and very few outside addresses. Prior to installing the 3825 NAT router, my servers connected perfectly via a Cisco 3560G switch (EMI), but since the 3560 does not do NAT I was asked to place a router in front of the switch out to our client.

Current setup:

The servers have two NICs: one NIC for the private LAN 192.168.253.0 /24 and one NIC for the public network 64.29.104.64 /27. The 3560G switch has only two VLANs set up (VLAN 3 192.168.253.1 and VLAN 5 IP 64.29.104.94). Port G0/27 is where the SFP is located, and the circuit is directly connected into the switch. There are no static routes configured on the switch at all! Nothing saying in order to get to the 64.29.104.64 /27 network go out of 64.29.104.94... the servers just connect perfectly. I would say because the circuit is directly connected and of course my switch is learning that as a directly connected network.

Next step: on the 3560 switch I shut down VLAN 5 with IP 64.229.104.94, so the servers cannot go out that path anymore. Then I unplugged the circuit from port 27 and reconfigured it like this:

interface G0/27
description UPLINK TO 3825-NAT-ROUTER
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3
switchport mode trunk
speed 1000
duplex full
spanning-tree portfast trunk
!
!
interface Vlan3
ip address 192.168.253.2 255.255.255.0
!
!
ip classless

!
ip route 0.0.0.0 0.0.0.0 192.168.253.254
(I added a default route to send any traffic to the router gateway interface.)
!
ip route 64.29.104.64 255.255.255.224 64.29.104.94
(Then I added a route saying in order to get to the 64.29.104.64 network, go to the router's .94 NATted outside interface. Should this be changed because the target address for my servers will always be 64.29.104.73?)

My servers have a route saying in order to get to 64.29.104.64 255.255.255.224, use 64.29.104.94; or should it be the NATted inside interface 192.168.253.254? I'm so confused at this point.

My machines always target the 64.29.104.73 destination host and port 12222.

*********************************************************************************************************************************************************

Next step I configured my NAT router:

3825-NAT-ROUTER#sh run
Building configuration...

Current configuration : 1214 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3825-NAT-ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
!
!
interface GigabitEthernet0/0
description directly connected to Cisco 3560G switch - LAN SEGMENT
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.253.254 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
!
interface GigabitEthernet0/0/0
ip address 64.29.104.94 255.255.255.224
ip nat outside
ip virtual-reassembly
negotiation auto
!
ip http server
no ip http secure-server
ip nat pool DBS 64.29.104.94 64.29.104.94 prefix-length 27
ip nat inside source list 1 pool DBS overload
!
access-list 1 permit 192.168.253.0 0.0.0.255 log
!
!

end

3825-NAT-ROUTER#telnet 64.29.104.73 12222 /source-interface g0/0.3
Trying 64.29.104.73, 10200 ... Open
TTServerIPs172.30.14.202, 172.30.84.123compression_level3compression_resettruecompression_typedeflatehwc_ssc1PuTTY
[Connection to 64.29.104.73 closed by foreign host]
MQP-NAT-ROUTER#
*May 21 21:25:37.179: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62476]
*May 21 21:25:37.179: NAT*: s=64.29.104.73, d=64.29.104.94->192.168.253.254 [44937]
*May 21 21:25:37.179: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62477]
*May 21 21:25:37.179: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62478]
*May 21 21:25:37.183: NAT*: s=64.29.104.73, d=64.29.104.94->192.168.253.254 [44941]
*May 21 21:25:37.251: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62479]
*May 21 21:25:37.255: NAT*: s=64.29.104.73, d=64.29.104.94->192.168.253.254 [45022]
*May 21 21:25:37.255: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62480]
*May 21 21:25:37.255: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62481]
*May 21 21:25:37.255: NAT*: s=64.29.104.73, d=64.29.104.94->192.168.253.254 [45023]

ANY IDEAS OR HELP WOULD BE GREATLY APPRECIATED. SHOULD I ADD A STATIC ROUTE SOMEWHERE?

Thanks

Maria Esturao
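In the debug output above, the only inside-local address ever translated is the router's own 192.168.253.254. The following parser (an added example, not part of the post) summarises which inside hosts actually reach the NAT inside interface, so a routing fault (packets never arrive at the router) can be told apart from a NAT fault (packets arrive but are not translated). The sample lines are a constructed copy of the post's debug format, and 192.168.253.10 is a hypothetical server address on the private VLAN.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "debug ip nat" lines quoted in the post.
SAMPLE_DEBUG = """\
*May 21 21:25:37.179: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62476]
*May 21 21:25:37.179: NAT*: s=64.29.104.73, d=64.29.104.94->192.168.253.254 [44937]
*May 21 21:25:37.251: NAT: s=192.168.253.254->64.29.104.94, d=64.29.104.73 [62479]
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# inside->outside: source rewritten from inside-local to inside-global
OUT_RE = re.compile(rf"NAT\*?: s={IP}->{IP}, d={IP} \[(\d+)\]")
# outside->inside: destination rewritten from inside-global back to inside-local
IN_RE = re.compile(rf"NAT\*?: s={IP}, d={IP}->{IP} \[(\d+)\]")

def summarize_nat_debug(text):
    """Per inside-local host: packets translated out, replies translated back,
    and the inside-global address used for that host."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "global": None})
    for line in text.splitlines():
        m = OUT_RE.search(line)
        if m:
            inside, glob = m.group(1), m.group(2)
            stats[inside]["out"] += 1
        else:
            m = IN_RE.search(line)
            if not m:
                continue  # not a NAT translation line
            glob, inside = m.group(2), m.group(3)
            stats[inside]["in"] += 1
        stats[inside]["global"] = glob
    return dict(stats)

def untranslated_hosts(text, expected_inside_hosts):
    """Inside hosts that never appear in the debug: their packets are not
    reaching the NAT inside interface at all (a routing problem, not NAT)."""
    return sorted(set(expected_inside_hosts) - set(summarize_nat_debug(text)))

if __name__ == "__main__":
    print(summarize_nat_debug(SAMPLE_DEBUG))
    # 192.168.253.10 is a hypothetical server address on the private VLAN
    print(untranslated_hosts(SAMPLE_DEBUG, ["192.168.253.10", "192.168.253.254"]))
```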

Correct Answer
Jennifer Halim Sat, 05/22/2010 - 21:13

On the server, when you disabled the public NIC interface, you should have a default gateway pointing towards the VLAN 3 interface (192.168.253.2), or you can even point the default gateway directly to the router interface (192.168.253.254), as the server is in the same subnet as the router.

Then I would suggest that you clear the ARP table on the server itself, since it had the public NIC on the same interface prior to it being shut down.

Also do not add specific route "64.29.104.64 255.255.255.224 64.29.104.94" on the server as you are trying to force the traffic towards 192.168.253.254, not the public interface.

On the switch, you can't configure the following route:

ip route 64.29.104.64 255.255.255.224 64.29.104.94

because you already have a default gateway, and if you need to NAT, the traffic needs to go through the router's GigabitEthernet0/0.3 interface.

Hence, please remove the above route on the switch. Then, go ahead and "clear arp" as well on this switch after removing the route.

On the router, after all the above changes, clear the translation table as well as clear arp.

Hope that helps.

esturao Sat, 05/22/2010 - 21:34

Hello Halijen - Thank you for the response; now I have a better understanding. I will try this on Monday. How did my configuration look on the 3825? Looks correct, right? I do not need any static routes, right?

esturao Sat, 05/22/2010 - 21:55

On the server:

The route should be 64.29.104.64 255.255.255.224 192.168.253.254?

The servers will be on a private network, but the target will always be 64.29.104.73 port 12222.

Just making sure my routes are right :-))

Jennifer Halim Sat, 05/22/2010 - 22:04

Yes, you are absolutely correct.

On the server, the route should say: 64.29.104.64 255.255.255.224 192.168.253.254

The router configuration looks correct too.

esturao Sat, 05/22/2010 - 22:26

Ok got it, but one last check. So the static routes will be as follows:

SERVER

64.29.104.64 255.255.255.224 192.168.253.254

SWITCH

Only a default route

0.0.0.0 0.0.0.0 192.168.253.254

This switch is only used for that private VLAN 3.

ROUTER

No static routes, correct? The circuit and switch connect directly to the router.

Just making sure ;-))
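The route summary above comes down to longest-prefix matching: a /27 route is more specific than the default, so it wins for 64.29.104.73, and its next hop must be reachable over a NIC that is up. This added example (not code from the thread) models the server's two NICs and both route tables to show why the original /27 route via 64.29.104.94 dropped traffic once the public NIC was shut down. Interface names and the "up" flags are constructed assumptions.

```python
import ipaddress

# Constructed model of the server described in the thread: private NIC up on
# 192.168.253.0/24, public NIC on 64.29.104.64/27 shut down. Names are placeholders.
SERVER_NICS = {
    "private": ("192.168.253.0/24", True),
    "public": ("64.29.104.64/27", False),
}

# Routes as (prefix, next hop): the asker's original table and the agreed one.
WRONG_ROUTES = [("0.0.0.0/0", "192.168.253.254"), ("64.29.104.64/27", "64.29.104.94")]
FIXED_ROUTES = [("0.0.0.0/0", "192.168.253.254"), ("64.29.104.64/27", "192.168.253.254")]

def next_hop_for(routes, dest):
    """Longest-prefix match: the most specific prefix containing dest wins."""
    dest = ipaddress.ip_address(dest)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def egress(routes, nics, dest):
    """Return (next_hop, interface). interface is None when the next hop is not
    on the connected subnet of an interface that is up, i.e. the packet is dropped."""
    nh = next_hop_for(routes, dest)
    if nh is None:
        return None, None
    nh_addr = ipaddress.ip_address(nh)
    for name, (subnet, up) in nics.items():
        if up and nh_addr in ipaddress.ip_network(subnet):
            return nh, name
    return nh, None

if __name__ == "__main__":
    for label, table in (("asker's routes", WRONG_ROUTES), ("agreed routes", FIXED_ROUTES)):
        print(label, "->", egress(table, SERVER_NICS, "64.29.104.73"))
```

With only the default route (the switch's case) the lookup also resolves to 192.168.253.254 over the private side, which is why the /27 route on the switch was redundant.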
