Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Need help on ACL_NAT process...

Can anyone please inform me why I am not getting expected result from the NAT process? I have included a Packet Tracer file which contains the Network and its configuration. I am also posting some pictures of the diagram and configuration.

Please view the configuration of two routers to know the details of the diagram.

Following activities are currently working properly in the Network diagram.

  1. There are 5 VLANS, Each of them has a HDCP server attached to Switch1.
  2. Switch 2 and 3 contains hosts from different VLAN.
  3. Every computer can “PING” each other.
  4. DHCP servers are providing IP address to the hosts in different VLAN.
  5. Router “Gateway” translates some private ip address to registered public ip address based on the Access list
  6. “Show IP access-list” showing the counters of matching packets, on “Gateway” router.
  7. “IP nat translation” showing Translation of Private Addresses based on ACL

As I have implemented an ACL on serial 0/0 inbound direction, I want Router “ISP” should block any private IP address coming from the “Gateway” Router.

On the router “Gateway” I have intentionally denied some private IP addresses in the access list, so that they can not take part in IP NAT translation process.

Problem:

When I am using “tracert 100.100.100.102” from any Host computers it is showing the time to reach that IP address, but it cant ping that address

When I am using “tracert 100.100.100.102” from any servers, its showing “destination host unreachable”.

When I am using the Simulation mode of Packet tracer, simulation shows packets are generating from host computers, can reach and come back to the same host, but result is showing “Failed”.

“Show access-list” command on “ISP” router showing increasing counters only against “permit ip any any”. But counter are not increasing when I am sending packets from any servers (for those packets, which I don’t want to translate through the NAT process). In that case, when I am sending packets from any servers, counters against “deny ip 172.16.0.0 0.0.15.255 any” should increase in the “ISP router.

Can anyone please help?

Everyone's tags (1)
3 REPLIES

Re: Need help on ACL_NAT process...

enablethedebuaging of the nat using the folowing command in gateway router

debug ip nat detail

then generate traffic from a host supposed to be nated to outside

and post the result of the debug here as text file

New Member

Re: Need help on ACL_NAT process...

Here is the output

Gateway#debug ip nat
IP NAT debugging is on
Gateway#
NAT: s=192.168.1.8->100.100.100.101, d=100.100.100.102 [7]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [233]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.1.8 [233]
NAT: s=192.168.2.11->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [239]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.2.11 [239]
NAT: s=192.168.3.11->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [242]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.3.11 [242]
NAT: s=192.168.4.11->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [246]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.4.11 [246]
NAT: s=192.168.5.11->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [249]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.5.11 [249]
NAT: s=192.168.2.10->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [252]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.2.10 [252]
NAT: s=192.168.3.10->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [256]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.3.10 [256]
NAT: s=192.168.4.10->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [259]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.4.10 [259]
NAT: s=192.168.5.10->100.100.100.101, d=100.100.100.102 [9]
NAT: s=100.100.100.101, d=100.100.100.102->100.100.100.102 [9]
NAT*: s=100.100.100.101->100.100.100.102, d=100.100.100.101 [263]
NAT*: s=100.100.100.102, d=100.100.100.101->192.168.5.10 [263]
NAT: expiring 100.100.100.101 (192.168.1.8) icmp 1 (1)
NAT: expiring 100.100.100.101 (192.168.2.11) icmp 1024 (1)
NAT: expiring 100.100.100.101 (192.168.3.11) icmp 1025 (1)

NAT: expiring 100.100.100.101 (192.168.5.11) icmp 1027 (1)
NAT: expiring 100.100.100.101 (192.168.2.10) icmp 1028 (1)100.100.
NAT: expiring 100.100.100.101 (192.168.3.10) icmp 1029 (1)100.10
NAT: expiring 100.100.100.101 (192.168.4.10) icmp 1030 (1)2

NAT: expiring 100.100.100.101 (192.168.5.10) icmp 1031 (1)

I have generated trafic from each & every host and servers

Re: Need help on ACL_NAT process...

thanks for doing that

but i asked to do

debug ip nat detail

827
Views
0
Helpful
3
Replies