
nat translation

fran19422
Level 1

Hello, I am having trouble getting NAT working.

I am setting up NAT on Hamilton router.

There are 2 inside routers - Waihi and Huntly. There is one outside interface (web server).

When I use "show ip nat translations" or "debug ip nat" and generate traffic, nothing shows up.

I have attached an image of my configuration.

Can anyone see what I am doing wrong? Thank you kindly for any help.

This is my relevant running-config for the NAT server (Hamilton):

interface FastEthernet0/0

ip address 10.20.0.1 255.0.0.0

ip nat outside

duplex auto

speed auto

interface Serial0/0/0

ip address 172.26.252.1 255.255.255.252

encapsulation ppp

ppp authentication chap

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 c1scoccna

ip nat inside

!

interface Serial0/0/1

ip address 172.26.252.5 255.255.255.252

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 c1scoccna

ip nat inside

clock rate 64000

ip nat pool NAT-POOL1 192.168.2.7 192.168.2.7 netmask 255.255.255.252

ip nat inside source list 1 pool NAT-POOL1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

!

!

access-list 1 permit 172.28.0.0 0.0.255.255

Here is my "show NAT statistics":

Hamilton#show ip nat statistics

Total translations: 0 (0 static, 0 dynamic, 0 extended)

Outside Interfaces: FastEthernet0/0

Inside Interfaces: Serial0/0/0 , Serial0/0/1

Hits: 0  Misses: 198

Expired translations: 0

Dynamic mappings:

-- Inside Source

access-list 1 pool NAT-POOL1 refCount 0

pool NAT-POOL1: netmask 255.255.255.252

       start 192.168.2.7 end 192.168.2.7

       type generic, total addresses 1 , allocated 0 (0%), misses 0


cadet alain
VIP Alumni

Hi,

You must have connectivity to the NAT pool address from the server: use a static route on the server pointing to the router.

Change this ACL too:

access-list 1 permit 172.28.0.0 0.0.255.255

like this : access-list 1 permit 172.26.0.0 0.0.255.255

Regards.

Alain

Don't forget to rate helpful posts.

Jan Hrnko
Level 4

Hi Philip,

Can you post the output from show ip route?

I am thinking about two things. The first one, shouldn't this:

ip nat pool NAT-POOL1 192.168.2.7 192.168.2.7 netmask 255.255.255.252

have the netmask of 32? But I think this would not cause the problem you are dealing with and the mask will be ignored in this case.

You can't ping it from the other routers just because of the NAT. You are NATing the whole traffic that comes to Hamilton router - but you don't have corresponding ACLs configured. You would need to make some for the 172.26. networks of the router interfaces.

The other thing is problem with routing. Maybe not just one. Does the traffic from networks

172.28.0.0 0.0.255.255 reach the Hamilton router? Please...confirm this by showing us the output from the command show ip route on all routers. Thank you!

Best regards,

Jan

Thank you for your excellent responses:

Jan, here is the show ip route output from:

Hamilton

C    10.0.0.0/8 is directly connected, FastEthernet0/0

     172.26.0.0/16 is variably subnetted, 8 subnets, 5 masks

O E2    172.26.0.0/22 [110/50] via 172.26.252.6, 02:48:17, Serial0/0/1

O       172.26.4.0/24 [110/65] via 172.26.252.2, 04:32:11, Serial0/0/0

O       172.26.15.0/25 [110/65] via 172.26.252.6, 04:32:21, Serial0/0/1

O       172.26.25.0/25 [110/65] via 172.26.252.6, 04:32:21, Serial0/0/1

O       172.26.86.0/28 [110/65] via 172.26.252.6, 04:32:21, Serial0/0/1

C       172.26.252.0/30 is directly connected, Serial0/0/0

C       172.26.252.4/30 is directly connected, Serial0/0/1

O E2    172.26.252.8/30 [110/50] via 172.26.252.6, 02:48:17, Serial0/0/1

S*   0.0.0.0/0 is directly connected, FastEthernet0/0

from Waihi:

O    10.0.0.0/8 [110/65] via 172.26.252.1, 04:32:47, Serial0/0/0

     172.26.0.0/16 is variably subnetted, 8 subnets, 5 masks

O E2    172.26.0.0/22 [110/50] via 172.26.252.1, 02:48:54, Serial0/0/0

C       172.26.4.0/24 is directly connected, FastEthernet0/0

O       172.26.15.0/25 [110/129] via 172.26.252.1, 04:32:47, Serial0/0/0

O       172.26.25.0/25 [110/129] via 172.26.252.1, 04:32:47, Serial0/0/0

O       172.26.86.0/28 [110/129] via 172.26.252.1, 04:32:47, Serial0/0/0

C       172.26.252.0/30 is directly connected, Serial0/0/0

O       172.26.252.4/30 [110/128] via 172.26.252.1, 04:32:47, Serial0/0/0

O E2    172.26.252.8/30 [110/50] via 172.26.252.1, 02:48:54, Serial0/0/0

O*E2 0.0.0.0/0 [110/1] via 172.26.252.1, 04:32:47, Serial0/0/0

from Huntly:

O    10.0.0.0/8 [110/65] via 172.26.252.5, 04:33:19, Serial0/0/1

     172.26.0.0/16 is variably subnetted, 8 subnets, 5 masks

R       172.26.0.0/22 [120/1] via 172.26.252.10, 00:00:08, Serial0/0/0.101

O       172.26.4.0/24 [110/129] via 172.26.252.5, 04:33:09, Serial0/0/1

C       172.26.15.0/25 is directly connected, FastEthernet0/0.15

C       172.26.25.0/25 is directly connected, FastEthernet0/0.25

C       172.26.86.0/28 is directly connected, FastEthernet0/0.86

O       172.26.252.0/30 [110/128] via 172.26.252.5, 04:33:19, Serial0/0/1

C       172.26.252.4/30 is directly connected, Serial0/0/1

C       172.26.252.8/30 is directly connected, Serial0/0/0.101

O*E2 0.0.0.0/0 [110/1] via 172.26.252.5, 04:33:19, Serial0/0/1

Hi Philip,

Thank you!

So it seems to me that you made a mistake in the ACL configuration. You don't use the 172.28.0.0 network but 172.26.0.0. So as Alain said, you need to change it like this:

access-list 1 permit 172.26.0.0 0.0.255.255

Best regards,

Jan

Thank you guys. I have done that. However, Alain told me to set up a static route from the web server to the NAT pool address from the server. I am unsure how to do that with the web server in Packet Tracer.

Is it using a different method than a Packet Tracer router? The web server only has simple IP configuration options like a PC.

Thank you for your help.

Hi Philip,

I am not sure how Alain meant that... but I think that you don't have to set up a static route from the server. It will communicate through its default gateway and that's it! End devices don't know anything about routing.

Best regards,

Jan

OK, I understand. However, after changing the ACL as you recommended, I now cannot access the web server from any of my PCs inside the LAN apart from the Hamilton router. It is strange how I could gain web server access when the ACL was 172.28.0.0, but now, having changed it to 172.26.0.0, I have no outside access. Do you have any ideas?

Thank you for your persistence!

HAMILTON running config:

interface FastEthernet0/0

ip address 10.20.0.1 255.0.0.0

ip nat outside

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface Serial0/0/0

ip address 172.26.252.1 255.255.255.252

encapsulation ppp

ppp authentication chap

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 c1scoccna

ip nat inside

!

interface Serial0/0/1

ip address 172.26.252.5 255.255.255.252

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 c1scoccna

ip nat inside

clock rate 64000

!

interface Vlan1

no ip address

shutdown

!

router ospf 43

log-adjacency-changes

area 0 authentication message-digest

network 172.26.252.0 0.0.0.3 area 0

network 10.0.0.0 0.255.255.255 area 0

network 172.26.252.4 0.0.0.3 area 0

network 172.26.252.0 0.0.3.255 area 0

default-information originate

!

ip nat pool NAT-POOL1 192.168.2.7 192.168.2.7 netmask 255.255.255.252

ip nat inside source list 1 pool NAT-POOL1

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

!

!

access-list 1 permit 172.26.0.0 0.0.255.255

Hi Philip,

You are welcome! So is the NAT running now? Verify with show ip nat translations. It is not that strange - maybe the NAT has just started to work but there is a problem somewhere else. We will get to the root of the problem...

Best regards,

Jan

Thanks!!

Entering "show ip nat translations" on Hamilton router and then pinging the outside web server from different devices reveals nothing.

Hi Philip,

OK, so try to use the extended ping with a source IP address of 172.26.252.1 on the router Hamilton and ping the server. See if it works. And see if there are some NAT translations going on.

We must ensure that routing is OK (it seems so), links are OK (it seems so as well, as there are networks distributed through OSPF) and NAT also. And we have to separate the problem.

When you try to ping from Hamilton to Waihi does it work? And from what hosts (what addresses) are you trying to ping the server?

Just keep on and have patience!

Best regards,

Jan

Jan, extended ping did not work and no NAT translations are occurring.

Yes, ping to Hamilton from Waihi works.

I am trying to ping the server from all hosts in the network.

Phil

Hi,

All network devices have a routing table, even hosts like the server, but if the server has a default route, yes indeed, it should work for the return traffic of the server.

Can you try this for your NAT:

no ip nat pool NAT-POOL1 192.168.2.7 192.168.2.7 netmask 255.255.255.252

no ip nat inside source list 1 pool NAT-POOL1

ip nat inside source list 1 interface fastethernet0/0

Tell us if it works, and also what is the IP of the server?

Regards.

Alain

Don't forget to rate helpful posts.

Yes, that does all work now.

The thing is I do need to assign the pool as 192.168.2.7. Can that still be done?

The ip of the server is 10.20.0.2

Hi,

I wonder if the fact that 192.168.2.7 /30 is the broadcast address could be the problem.

Can you try with this pool: 192.168.2.6 255.255.255.252

Regards.

Alain

Don't forget to rate helpful posts.
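
An added example, not part of any post in this thread: a Python check for the two configuration points the replies raise, namely whether the NAT access list covers the inside networks seen in Hamilton's routing table, and whether a pool address is the network or broadcast address under the pool's netmask. The function names are hypothetical, and the broadcast-address flag reflects the hypothesis in the last reply, which the thread does not confirm as the cause.

```python
import ipaddress

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_covers(acl_base, wildcard, cidr):
    """True if a standard ACL entry (base + wildcard) permits every address in cidr."""
    care = ~_int(wildcard) & 0xFFFFFFFF          # bits the ACL actually compares
    net = ipaddress.IPv4Network(cidr)
    if care & int(net.hostmask):                 # ACL compares host bits: partial match only
        return False
    return (int(net.network_address) & care) == (_int(acl_base) & care)

def pool_address_issues(start, end, netmask):
    """Flag pool addresses that are the network or broadcast address under netmask."""
    issues = []
    for value in range(_int(start), _int(end) + 1):
        ip = ipaddress.IPv4Address(value)
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
        if net.prefixlen >= 31:                  # /31 and /32 have no reserved addresses
            continue
        if ip == net.network_address:
            issues.append((str(ip), f"network address of {net}"))
        elif ip == net.broadcast_address:
            issues.append((str(ip), f"broadcast address of {net}"))
    return issues

def audit(acl, pool, inside_networks):
    """Summarise inside networks the NAT ACL misses and pool addresses worth a second look."""
    return {
        "uncovered": [n for n in inside_networks if not acl_covers(acl[0], acl[1], n)],
        "pool_issues": pool_address_issues(*pool),
    }

# Inside networks copied from Hamilton's "show ip route" output in the thread.
INSIDE = ["172.26.4.0/24", "172.26.15.0/25", "172.26.25.0/25", "172.26.86.0/28",
          "172.26.252.0/30", "172.26.252.4/30"]
POOL = ("192.168.2.7", "192.168.2.7", "255.255.255.252")   # pool as first posted

if __name__ == "__main__":
    for label, acl in [("original ACL", ("172.28.0.0", "0.0.255.255")),
                       ("corrected ACL", ("172.26.0.0", "0.0.255.255"))]:
        print(label, audit(acl, POOL, INSIDE))
    print("suggested pool",
          pool_address_issues("192.168.2.6", "192.168.2.6", "255.255.255.252"))
```
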