5878 Views, 0 Helpful, 10 Replies

Dynamic NAT not working

Accepted Solution

Something told me to ask if you were running NAT on R1. I am glad you posted the config and command outputs.

There are two problems. First, when pinging from 2.6 you should ping the NAT address of 5.6. Same goes for when you ping from 2.6. The problem is you don't know what the NAT address is because you are using a pool.

And this leads to the second problem. Dynamic NAT, without additional configuration, does not support connections initiated from outside to inside. This is because a NAT translation has not been established yet. It is only established when the connection is initiated from the outside. In your current configuration, two routers connected to each other both performing dynamic NAT, you will not be able to establish communication between 192.168.2.0 and 10.1.5.0. One router will always see the connection as being established from outside.

If this is for learning purposes I suggest removing the NAT configuration from R1. Then ping from 10.1.5.6 to 192.168.2.6. After success I THINK you should be able to ping from 192.168.2.6 to whatever the inside global address R0 reports for 10.1.5.6. The entry will timeout eventually and you will lose the ability to ping from out to in. There is a workaround though. You would need to configure NAT routemaps for outside-to-inside support.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnato2n.html

Regards,

Ryan

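To make the accepted answer's point concrete, here is an added Python model of the two-router lab (example code written for this page, not Cisco, IOS or Packet Tracer code). Each router keeps per-flow translation entries that only inside-to-outside traffic can create, and an inbound packet is rewritten only when its destination is an inside global address and its source is the outside address that entry was opened toward. That matching rule is a simplifying assumption, not a statement about every IOS release. The LAN subnets, pool ranges and PC addresses are taken from the configs posted in the thread; the two lab PCs, the `Lab` class and the trace strings are constructed for the example.

```python
"""Added example for this thread: a small model of two routers doing dynamic
(non-overload) inside-source NAT toward each other.  Not Cisco/IOS code; the
entry-matching rule is a simplifying assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class NatEntry:
    inside_local: str
    inside_global: str
    outside: str  # outside address the flow was opened toward (the outside global)


class DynamicNatRouter:
    """Models 'ip nat inside source list <acl> pool <pool>' without overload.
    inside_net stands in for the ACL; pool is the 'ip nat pool' range."""

    def __init__(self, name: str, inside_net: str, pool: List[str], nat_enabled: bool = True):
        self.name = name
        self.inside_net = ip_network(inside_net)
        self.pool_free = list(pool)
        self.nat_enabled = nat_enabled
        self.table: List[NatEntry] = []

    def inside_global_for(self, inside_local: str) -> Optional[str]:
        """The address 'sh ip nat translations' would report for this host."""
        for e in self.table:
            if e.inside_local == inside_local:
                return e.inside_global
        return None

    def show_translations(self) -> List[Tuple[str, str, str, str]]:
        # Only inside-source NAT is configured, so outside local == outside global.
        return [(e.inside_global, e.inside_local, e.outside, e.outside) for e in self.table]

    def clear_translations(self) -> None:
        """'clear ip nat translation *', or every entry timing out."""
        used = list(dict.fromkeys(e.inside_global for e in self.table))
        self.pool_free = used + self.pool_free
        self.table.clear()

    def inside_to_outside(self, pkt: Packet, trace: List[str]) -> Optional[Packet]:
        """Packet leaving an 'ip nat inside' interface for an 'ip nat outside' one."""
        if not self.nat_enabled or ip_address(pkt.src) not in self.inside_net:
            return pkt  # not permitted by the ACL: routed untranslated
        ig = self.inside_global_for(pkt.src)
        if ig is None:
            if not self.pool_free:
                trace.append(f"{self.name}: pool exhausted, dropped")
                return None
            ig = self.pool_free.pop(0)
        if not any(e.inside_local == pkt.src and e.outside == pkt.dst for e in self.table):
            self.table.append(NatEntry(pkt.src, ig, pkt.dst))  # entry created here only
        trace.append(f"{self.name}: NAT s={pkt.src}->{ig}, d={pkt.dst}")
        return Packet(ig, pkt.dst)

    def outside_to_inside(self, pkt: Packet, trace: List[str]) -> Optional[Packet]:
        """Packet arriving on an 'ip nat outside' interface."""
        if not self.nat_enabled:
            return pkt
        matches = [e for e in self.table if e.inside_global == pkt.dst]
        if not matches:
            return pkt  # destination is not an inside global: plain routing decides
        for e in matches:
            if e.outside == pkt.src:
                trace.append(f"{self.name}: NAT* s={pkt.src}, d={pkt.dst}->{e.inside_local}")
                return Packet(pkt.src, e.inside_local)
        trace.append(f"{self.name}: entry for {pkt.dst} was opened toward "
                     f"{matches[0].outside}, not {pkt.src}: dropped")
        return None


class Lab:
    """Constructed topology from the thread: R0 (10.1.5.0/24) -- 172.16.5.0/24 -- R1 (192.168.2.0/24)."""

    def __init__(self, r1_nat: bool = True):
        self.r0 = DynamicNatRouter("R0", "10.1.5.0/24", [f"172.16.5.{i}" for i in range(5, 11)])
        self.r1 = DynamicNatRouter("R1", "192.168.2.0/24", [f"172.16.2.{i}" for i in range(11, 17)], r1_nat)
        self.hosts = {"10.1.5.6": self.r0, "192.168.2.6": self.r1}  # constructed lab PCs

    def _side(self, addr: str) -> DynamicNatRouter:
        return self.r0 if ip_address(addr) in self.r0.inside_net else self.r1

    def deliver(self, pkt: Packet, trace: List[str]) -> Optional[Packet]:
        egress = self._side(pkt.src)
        ingress = self.r1 if egress is self.r0 else self.r0
        pkt = egress.inside_to_outside(pkt, trace)
        pkt = ingress.outside_to_inside(pkt, trace) if pkt else None
        if pkt and self.hosts.get(pkt.dst) is ingress:
            return pkt
        trace.append(f"nothing answers to {pkt.dst}" if pkt else "dropped in transit")
        return None

    def ping(self, src: str, dst: str) -> Tuple[bool, List[str]]:
        """Echo request plus reply; like a real ping client, the reply must come from dst."""
        trace: List[str] = []
        seen = self.deliver(Packet(src, dst), trace)
        got = self.deliver(Packet(seen.dst, seen.src), trace) if seen else None
        ok = got is not None and got.dst == src and got.src == dst
        trace.append("ping ok" if ok else "ping failed")
        return ok, trace


def run_scenarios() -> dict:
    """The cases discussed in the thread, each on a fresh lab."""
    r = {}
    r["both_nat_in_to_out"] = Lab(True).ping("10.1.5.6", "192.168.2.6")[0]
    r["both_nat_out_to_in"] = Lab(True).ping("192.168.2.6", "10.1.5.6")[0]
    lab = Lab(False)  # NAT removed from R1, as the accepted answer suggests
    r["r0_only_in_to_out"] = lab.ping("10.1.5.6", "192.168.2.6")[0]
    ig = lab.r0.inside_global_for("10.1.5.6")  # the inside global R0 reports
    r["r0_only_reply_to_global"] = lab.ping("192.168.2.6", ig)[0]
    lab.r0.clear_translations()  # the entry has timed out
    r["r0_only_after_timeout"] = lab.ping("192.168.2.6", ig)[0]
    return r
```

`run_scenarios()` reproduces the thread: with both routers translating, a ping in either direction has its reply re-translated by the second router, so the first router's entry no longer matches and the reply is dropped. With NAT removed from R1, 10.1.5.6 reaches 192.168.2.6, and 192.168.2.6 can reach the inside global address R0 reports (172.16.5.5 here) only while that entry exists; once it is cleared or times out, the outside-initiated ping fails again, which is why the answer points at static NAT or route-map based outside-to-inside support. `show_translations()` also shows why the outside local and outside global columns are identical: only inside-source NAT is configured, so the outside address is never rewritten.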

10 Replies

cadet alain
VIP Alumni

Hi,

Is there a reason not to do NAT overload? If not, then do this:

- clear ip nat translation *

- no ip nat pool NAT 172.16.5.5 172.16.5.10 netmask 255.255.255.0

- ip nat pool NAT 172.16.5.5 172.16.5.10 netmask 255.255.255.0 overload

Regards.

Alain

Don't forget to rate helpful posts.

Alain: at this point I am building this in testing my knowledge of what I am reading and know. In preps for my test. PAT is next.

I am afraid that if I don't fix this and it is something wrong, then I could be in error in the future and on the test

Ryan: yes, that is in the very last line of my initial posting. From the routers I can ping either side all the way to the remote nodes(pc). This is why I think I have done something wrong in my NAT config.

I think Neeraj has provided some good test points but I still have a few questions. R0 would need to respond to ARP requests for any icmp replies to 172.16.5.5 - 10. If you don't mind please ping from 10.1.5.6 to 172.16.5.2. This should invoke NAT. Hopefully this works. If this does not work, check the ARP table in R1 for 172.16.5.5. If there is no ARP entry please apply a static ARP entry. Your configuration appears to be okay. I am still concerned with a layer 2 or 3 issue.

I am still trying to figure out how you ping 10.1.5.6 from R1 without NAT functioning properly.

Regards,
Ryan

Ryan Newell
Cisco Employee

Hello,

Are you certain the IP routing is okay? From R0 you can ping 192.168.2.6? Can you ping 10.1.5.6 from the remote router attached to interface f0/0? What does the configuration look like on the other router?

I'm curious... are your hosts receiving a DHCP address or a static configuration?

Regards,
Ryan

Neeraj Arora
Level 3

Harold,

As Alain mentioned, instead of using a pool of 6 ip addresses, you should use NAT overload (ip nat inside source list 1 interface fa0/0 overload) to a single ip address, because with your configuration every NAT translation will create a static-like entry in the NAT table, and for that inside host translation can happen in both directions, i.e. from inside to outside (which is desirable) and from outside to inside as well (which is not really required).

You can actually see this in "sh ip nat translation" output after you have initiated a ping from 10.1.5.6 to 192.168.2.6

Moreover sitting on R0 router, try and ping 192.168.2.6 with source ip as fa0/1 and check that works and also do you see any translation created to 10.1.5.1.

I am tempted to ask you to add a reverse route on the other router for 10.1.5.0/24 subnet but it should not be required as NATing should translate all traffic from this subnet to 172.16.5.x pool ip, so you can try and either debugging ip traffic on the remote traffic (only if this is in a lab environment and no other traffic is being routed apart from the one mentioned in this problem). That can give you a little more idea if NAT is actually happening on R0 or not.

Following outputs from both the routers should help us in giving better answers:

- sh run

- sh ip nat translation

- ping 192.168.2.6        --- from R0

- ping 192.168.2.6 source fa0/1        --- from R0

- ping 10.1.5.6        --- from R1

Hope it helps.

Neeraj

PC>ipconfig

IP Address......................: 10.1.5.6
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 172.16.5.1

PC>ping 172.16.5.2

Pinging 172.16.5.2 with 32 bytes of data:

Reply from 172.16.5.2: bytes=32 time=26ms TTL=254
Reply from 172.16.5.2: bytes=32 time=15ms TTL=254
Reply from 172.16.5.2: bytes=32 time=9ms TTL=254
Reply from 172.16.5.2: bytes=32 time=9ms TTL=254

Ping statistics for 172.16.5.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 26ms, Average = 14ms

R0#
NAT: s=10.1.5.6->172.16.5.5, d=192.168.2.1 [11]
NAT: s=10.1.5.6->172.16.5.5, d=192.168.2.1 [12]
NAT: s=10.1.5.6->172.16.5.5, d=192.168.2.1 [13]
NAT: s=10.1.5.6->172.16.5.5, d=192.168.2.1 [14]
NAT: s=10.1.5.6->172.16.5.5, d=172.16.5.2 [15]
NAT*: s=172.16.5.2, d=172.16.5.5->10.1.5.6 [19]
NAT: s=10.1.5.6->172.16.5.5, d=172.16.5.2 [16]
NAT*: s=172.16.5.2, d=172.16.5.5->10.1.5.6 [20]
NAT: s=10.1.5.6->172.16.5.5, d=172.16.5.2 [17]
NAT*: s=172.16.5.2, d=172.16.5.5->10.1.5.6 [21]
NAT: s=10.1.5.6->172.16.5.5, d=172.16.5.2 [18]
NAT*: s=172.16.5.2, d=172.16.5.5->10.1.5.6 [22]

R1#ping 10.1.5.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.5.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/11 ms

R1#ping
Protocol [ip]:
Target IP address: 10.1.5.6
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.5.6, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1

NAT: s=192.168.2.1->172.16.2.11, d=10.1.5.6 [28]
.
NAT: s=192.168.2.1->172.16.2.11, d=10.1.5.6 [29]
.
NAT: s=192.168.2.1->172.16.2.11, d=10.1.5.6 [30]
.
NAT: s=192.168.2.1->172.16.2.11, d=10.1.5.6 [31]
.
NAT: s=192.168.2.1->172.16.2.11, d=10.1.5.6 [32]
.
Success rate is 0 percent (0/5)

R0#ping 192.168.2.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/13 ms

R0#ping
Protocol [ip]:
Target IP address: 192.168.2.6
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.5.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.6, timeout is 2 seconds:
Packet sent with a source address of 10.1.5.1

NAT: s=10.1.5.1->172.16.5.5, d=192.168.2.6 [37]
.
NAT: s=10.1.5.1->172.16.5.5, d=192.168.2.6 [38]
.
NAT: s=10.1.5.1->172.16.5.5, d=192.168.2.6 [39]
.
NAT: s=10.1.5.1->172.16.5.5, d=192.168.2.6 [40]
.
NAT: s=10.1.5.1->172.16.5.5, d=192.168.2.6 [41]
.
Success rate is 0 percent (0/5)

This is pinging from 10.1.5.6 to 192.168.2.6 - Why is the Inside local and Outside Global the same? Shouldn't Outside Global be 172.16.5.2?

R0#sh ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
icmp 172.16.5.5:17     10.1.5.6:17        192.168.2.6:17     192.168.2.6:17
icmp 172.16.5.5:18     10.1.5.6:18        192.168.2.6:18     192.168.2.6:18
icmp 172.16.5.5:19     10.1.5.6:19        192.168.2.6:19     192.168.2.6:19
icmp 172.16.5.5:20     10.1.5.6:20        192.168.2.6:20     192.168.2.6:20


R1#sh run
Building configuration...

Current configuration : 1089 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.5
!
ip dhcp pool pool
network 192.168.2.0 255.255.255.0
default-router 172.16.5.2
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.5.2 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet1/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial1/1/0
no ip address
shutdown
!
interface Serial1/1/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat pool LAN 172.16.2.11 172.16.2.16 netmask 255.255.255.0
ip nat inside source list 1 pool LAN
ip classless
ip route 10.1.5.0 255.255.255.0 172.16.5.1
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!
!
line con 0
exec-timeout 0 0
line vty 0 4
login
!
!
!
end

R0#sh run
Building configuration...

Current configuration : 1068 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R0
!
!
!
!
ip dhcp excluded-address 10.1.5.1 10.1.5.5
!
ip dhcp pool pool
network 10.1.5.0 255.255.255.0
default-router 172.16.5.1
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.5.1 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.5.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Ethernet1/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial1/1/0
no ip address
shutdown
!
interface Serial1/1/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat pool NAT 172.16.5.5 172.16.5.10 netmask 255.255.255.0
ip nat inside source list 1 pool NAT
ip classless
ip route 192.168.2.0 255.255.255.0 172.16.5.2
!
!
access-list 1 permit 10.1.5.0 0.0.0.255
!
!
!
!
!
line con 0
exec-timeout 0 0
line vty 0 4
login
!
!
!
end

Ping from 192.168.2.6 to 10.1.5.6

R1#sh ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
icmp 172.16.2.11:10    192.168.2.7:10     10.1.5.6:10        10.1.5.6:10
icmp 172.16.2.11:11    192.168.2.7:11     10.1.5.6:11        10.1.5.6:11
icmp 172.16.2.11:12    192.168.2.7:12     10.1.5.6:12        10.1.5.6:12
icmp 172.16.2.11:9     192.168.2.7:9      10.1.5.6:9         10.1.5.6:9

I think this is all. 


First OMG! I have fought this thing for 4 days, posted questions in other locations and still no resolution until now. THANK YOU ALL FOR LOOKING AT THIS.

Ryan: I did remove the configuration from R1 and it works, along with your explaining what I did wrong helps. Can I ask, in the real world you would only setup NAT in a one way direction? If by directional most likely using PAT, something like an enterprise configuration?

Again thank you all!

Harold,

Your configuration was a first for me. I would also say my exposure to NAT outside of textbook and lab has been limited. The customers I have supported always use public addresses. Any NAT configuration has been simple static or dynamic configuration. It is possible to have two enterprises communicate who both leverage NAT. But I would imagine any servers or resources where communication is initiated from the outside would require a static NAT configuration mapping inside local to inside global.

PAT allows NAT to overload one address. Essentially many inside local addresses can be NAT'd to one inside global. The NAT route-maps for outside-to-inside do not work with PAT. As far as I know you would definitely need static NAT for communication initiated outside to inside.

Regards,
Ryan
