topic Re: weird nat problem ???!!!! in Network Security

weird nat problem ???!!!!

baraa272 — Fri, 21 Feb 2020 14:17:45 GMT

hi everyone of the community

today i stumbled upon such a weird and annoying nat problem

simply i have two networks and theres eigrp applied

and i can ping any computer within the 2 networks

the problem appeared when i started applying NAT

first when i applied the PAT on "ppp" the nat works and i still can ping

then when i applied PAT on "mikrotik"

then i lost the ability to ping any computer within the 2 networks

heres config 'MIKROTIK"

Building configuration...

Current configuration : 1401 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname mikrotik
!
!
!
!
ip dhcp excluded-address 192.168.88.1 192.168.88.10
!
ip dhcp pool pp.ps
network 192.168.88.0 255.255.255.0
default-router 192.168.88.1
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX15241P58
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.88.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 85.64.25.11 255.255.0.0
ip nat outside
!
interface Serial0/0/1
no ip address
clock rate 2000000
!
interface Serial0/1/0
no ip address
clock rate 2000000
!
interface Serial0/1/1
no ip address
clock rate 2000000
!
interface Serial0/2/0
no ip address
clock rate 2000000
!
interface Serial0/2/1
no ip address
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 85.64.0.0 0.0.255.255
network 192.168.88.0

!
ip nat inside source list 1 interface Serial0/0/0 overload
ip classless
!
ip flow-export version 9
!
!
access-list 1 permit 192.168.88.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

config "ppp"

Building configuration...

Current configuration : 1218 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ppp
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX152468BI
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 85.64.25.15 255.255.0.0
ip nat outside
clock rate 64000
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Serial0/1/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/1/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 85.64.0.0 0.0.255.255
network 192.168.1.0

!
ip nat inside source list 1 interface Serial0/0/0 overload
ip classless
!
ip flow-export version 9
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip access-list standard nat
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

PS.ROUTERS can ping any client but clients cant ping

Re: weird nat problem ???!!!!

Pawan Raut — Tue, 12 Sep 2017 09:13:07 GMT

This is beacuse of asymetric NAT issue.
Kindly note that PAT is use to NAT the source for outbound connection.
Here in this case you are intiating connection from mikrotik loaction to ppplocation for ppp its inbound connection and that PAT on ppp router create asyemtric nat issue.

Lets consider PC1 behind mikrotik has IP address 192.168.88.10 and PC4 behind PPP has IP 192.168.1.10

So PC1 ping to PC2 that is Source: 192.168.88.10 destination: 192.168.1.10

on router mikrotik beacuse of PAT rule source getting NAT for outbound connection so now Source: 85.64.25.11 destination: 192.168.1.10

But on router PPP the connection is inbound so it will ignore the PAT and Source: 85.64.25.11 destination: 192.168.1.10.

So packet reaches to PC4 and it send ICMP reply back to PC1 now here source is Source: 192.168.1.10 destination: 85.64.25.11.

on router PPP baecause of PAT rule source getting NAT for outbound connection so now Source:85.64.25.15 destination: 85.64.25.11.

But the router mikrotik expecting icmp reply from source IP 192.168.1.10 and not from 85.64.25.15

192.168.88.x -->85.64.25.11

ppp
192.168.1.y -->85.64.25.15

Regards,

Pawan (CCIE#52104)

Kindly Rate for helpful post

Re: weird nat problem ???!!!!

baraa272 — Tue, 12 Sep 2017 09:17:47 GMT

what can i do to fix this problem?????

Re: weird nat problem ???!!!!

Pawan Raut — Tue, 12 Sep 2017 09:44:14 GMT

Also I noticed you used same subnet 85.64.0.0/16 on outside interface on both router you can split the subnet into two and use 85.64.0.0/17 on mikrotik router outside interface and 85.64.128.0/17 on ppp router outside interface.

For NAT you can use static host to host nat instead on PAT.

on router mikrotik

ip nat inside source static <PC1 IP address> 85.64.0.10

on router PPP

ip nat inside source static <PC4 IP address> 85.64.128.10

Hope this will help you

Re: weird nat problem ???!!!!

baraa272 — Tue, 12 Sep 2017 09:53:05 GMT

using static not a solution!

i want the 2 networks to be behind NAT with 1 address

192.168.1.0 >>>> ppp router ip address

192.168.88.0 >>>> mikrotik ip address

and i want a real solution for this problem!

does cisco routers cant do that????? like cheap home/office routers!!!???

Re: weird nat problem ???!!!!

Pawan Raut — Tue, 12 Sep 2017 10:09:12 GMT

What you really want to achive.Cisco router can do that and home router dont allow any inbound connections.

Re: weird nat problem ???!!!!

baraa272 — Tue, 12 Sep 2017 10:51:18 GMT

if you own tp link router with RIP you can easily apply nat

so can you tell me how i can fix this problem in packet tracer or at least how i can do that ????!!!

Re: weird nat problem ???!!!!

Pawan Raut — Wed, 13 Sep 2017 01:49:00 GMT

You can do the PAT as you alreday did but you will not able to ping the end to end IP address.