
Static NAT from cisco 878, but not ping for cisco!

Daniel Castro
Level 1

Hello,

I configured a static NAT from the WAN to a private IP (192.168.2.5) on the LAN. I have used a dynamic WAN IP.

interface Vlan1
   ip nat inside
   ip tcp adjust-mss 1398
!
interface Dialer0
   ip nat outside

!

ip nat inside source static 192.168.2.5 interface Dialer0

The problem is that when I do a ping from the router, for example to 8.8.8.8, I don't get an answer.
The Cisco logs show:

ping 8.8.8.8
000232: Nov  4 09:21:59.260 UTC: NAT*: o: icmp (8.8.8.8, 41) -> (IP WAN ROUTER, 41) [49129]   
000233: Nov  4 09:21:59.260 UTC: NAT*: o: icmp (8.8.8.8, 41) -> (IP WAN ROUTER, 41) [49129]
000234: Nov  4 09:21:59.260 UTC: NAT*: s=8.8.8.8, d=IP WAN ROUTER->192.168.2.5 [49129]
000235: Nov  4 09:22:01.256 UTC: NAT*: o: icmp (8.8.8.8, 41) -> (IP WAN ROUTER, 41) [49130]
000236: Nov  4 09:22:01.256 UTC: NAT*: s=8.8.8.8, d=IP WAN ROUTER->192.168.2.5 [49130]
...

And from the 192.168.2.5 machine I did a tcpdump:

13:01:18.334255 IP 8.8.8.8 > 192.168.2.5: ICMP echo reply, id 84, seq 0, length 72
13:01:20.330983 IP 8.8.8.8 > 192.168.2.5: ICMP echo reply, id 84, seq 1, length 72
13:01:22.331766 IP 8.8.8.8 > 192.168.2.5: ICMP echo reply, id 84, seq 2, length 72
13:01:24.330629 IP 8.8.8.8 > 192.168.2.5: ICMP echo reply, id 84, seq 3, length 72
13:01:26.332398 IP 8.8.8.8 > 192.168.2.5: ICMP echo reply, id 84, seq 4, length 72


Any ideas?
Sorry for my English.
Thank you!


andtoth
Level 4

Hi,

This is expected behavior. Because you are configuring static NAT for a single external IP address, that address will be mapped (translated) to the internal address you configured, and all traffic coming from the outside (internet) will be sent to the internal address.

In order to have internet connectivity on your router as well, you will need to use dynamic overloaded NAT (PAT), which assigns a port for each connection and does not make a 1:1 translation as static NAT does. However, in that case you will need to forward ports to your server if you would like them to be accessible from the internet.

Here's an example for overloaded NAT:

access-list 1 permit 192.168.2.0 0.0.0.255

!

ip nat inside source list 1 interface Dialer0 overload

For more information about NAT, visit the following links:

How NAT Works

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml

Configuring Network Address Translation: Getting Started

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

Andras
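
The port forwarding mentioned in the answer above, shown next to the original 1:1 mapping. This is an added example, not part of the original posts; TCP port 443 is an assumed placeholder, since the thread does not say which services on 192.168.2.5 must be reachable.

```cisco
! Before (from the original post): 1:1 static NAT of the Dialer0 address.
! Every inbound packet, including the echo replies to the router's own
! pings, is translated to 192.168.2.5 and never reaches the router.
!   ip nat inside source static 192.168.2.5 interface Dialer0
!
! After: remove the 1:1 mapping so the router keeps its own WAN address.
no ip nat inside source static 192.168.2.5 interface Dialer0
!
! PAT (overload) for outbound traffic from the LAN, as in the answer.
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Forward only the services that must be reachable from the internet,
! one line per service. Port 443 is an assumed example value.
ip nat inside source static tcp 192.168.2.5 443 interface Dialer0 443
```

After the change, a ping from the router should be answered, and `show ip nat translations` should list only the forwarded port and the dynamic PAT entries rather than a blanket mapping to 192.168.2.5.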

Hello,

First, thanks for answering my question.

I can't understand how a ZyXEL can do a static NAT to a firewall and at the same time answer DynDNS requests.

And yet the Cisco cannot perform a ping. The problem is that the machine with IP 192.168.2.5 is a firewall, and all traffic must be redirected to the firewall.

This whole thing is because, with a dynamic IP, I have configured DynDNS on the Cisco. But of course, all traffic is going to 192.168.2.5.

I have also tried other DynDNS clients for Debian, such as ddclient and IPCheck. But the firewall has two gateways, and it only updates the IP that has the default gateway.

Thanks.

Regards.
