Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Double NAT broke: config is the same

Hi all,

I configured a router to do double nat (overlapping ip addresses) a while back. Now, suddenly, my users report that they cannot access the server by it's nat'd address. when they traceroute to the nat'd address, it traces to the router doing the natting, when i ping/tracert to the router, from the server, it works. I cannot ping/tracerouter through the natting router.

I'm looking at the config, and it should be working. The only changte that has been made in the past couple of months, is that I removed a router from the path, implementing vlans, but I've modified the routes on the devices between the server and the natting router, adn the tracert works! Arrgh.

Here's the current running-config of the natting router.

rtr-PDCity#sh ru

Building configuration...

Current configuration : 1378 bytes

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname rtr-PDCity

!

logging buffered 4096 debugging

no logging console

enable secret xxx

enable password xxx

!

ip subnet-zero

!

!

!

!

!

interface Loopback0

no ip address

!

interface Ethernet0

description connected to County Network

ip address 10.90.204.12 255.255.255.128

ip nat outside

full-duplex

!

interface FastEthernet0

description connected to City Network

ip address 10.20.14.100 255.255.0.0

ip nat inside

speed auto

half-duplex

!

ip nat pool city 192.168.69.17 192.168.69.22 netmask 255.255.255.248

ip nat inside source list 1 pool city

ip nat outside source static 192.168.5.11 192.168.69.2

ip classless

ip route 0.0.0.0 0.0.0.0 10.90.204.1

ip route 10.10.0.0 255.255.0.0 10.20.14.31

ip route 10.70.0.0 255.255.0.0 10.20.14.31

ip route 192.168.20.50 255.255.255.255 10.90.204.1

ip route 192.168.69.2 255.255.255.255 Ethernet0

ip route 192.168.69.16 255.255.255.248 FastEthernet0

no ip http server

!

!

access-list 1 permit 10.70.0.0 0.0.255.255

access-list 1 permit 10.20.0.0 0.0.255.255

access-list 1 permit 10.10.0.0 0.0.255.255

snmp-server community public RO

!

line con 0

password xxx

login

line aux 0

password xxx

login

line vty 0 4

password xxx

login

!

end

rtr-PDCity#

Server 192.168.5.11

|

|

ASA

|

|

Router

|

|

L3Switch

|

|vlan 16

|

natting router

|

|

router

|

|

clients

Thanks for any help!

-Jeff

1 REPLY
Silver

Re: Double NAT broke: config is the same

in such situation i prefer you use a sniffer (etherreal) in inside and outside the nating router to see what hapens exactly, then you can follow the packet till the destination and find who is the wrong point!

etherreal is freeware, think to use filters when capturing

123
Views
0
Helpful
1
Replies
CreatePlease to create content