06-06-2020 02:17 AM
In the attachments you find my whole network in Packet Tracer. Can somebody tell me if my NAT is working correctly?
It should be very simple, as it is simply about 5 lines of code. The dynamic NAT is working on the R7-Router.
Here is the running-config of R7:
R7(config-router)#do show run
Building configuration...
Current configuration : 1030 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R7
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/1/0
ip address 171.16.0.1 255.255.0.0
ip nat inside
!
interface Serial0/1/1
ip address 100.0.0.2 255.0.0.0
ip nat outside
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
network 171.16.0.0 0.0.255.255 area 0
network 100.0.0.0 0.255.255.255 area 0
!
ip nat pool NAT-POOL 100.0.0.3 100.0.0.40 netmask 255.0.0.0
ip nat inside source list 1 pool NAT-POOL
ip classless
!
ip flow-export version 9
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Here is the running-config of R8:
R8(config-router)#do show run
Building configuration...
Current configuration : 918 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R8
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/1/0
ip address 171.16.0.2 255.255.0.0
clock rate 2000000
!
interface Serial0/1/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
router-id 5.5.5.5
log-adjacency-changes
passive-interface GigabitEthernet0/0/0
network 192.168.2.0 0.0.0.255 area 0
network 171.16.0.0 0.0.255.255 area 0
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
06-06-2020 02:40 AM
Hello,
the configuration of R7 does not look right. What are you trying to accomplish?
interface Serial0/1/0
ip address 171.16.0.1 255.255.0.0
ip nat inside
!
ip nat pool NAT-POOL 100.0.0.3 100.0.0.40 netmask 255.0.0.0
!
ip nat inside source list 1 pool NAT-POOL
!
access-list 1 permit 192.168.2.0 0.0.0.255
If you want NAT to work, the access list (1) needs to match the IP address space of the 'ip nat inside', 171.16.0.1/16 in this case.
So if you change access list 1 to:
access-list 1 permit 171.16.0.1 0.0.255.255
the NAT should work.
06-06-2020 02:51 AM
First I wanna say thanks to you Georg! :-)
I appreciate your help.
I'm simply trying to accomplish NAT the way it should always work. You have an inside network and an outside network. The inside network addresses should be translated into the outside network addresses (as far as I understand!).
Georg, you mean 172.16.0.0 for the ip access-list, or? Not 172.16.0.1, or do I misunderstand something?
Thx,
Raffael
06-06-2020 02:58 AM
Hello,
the access list needs to match the subnet of the inside interface. 172.16.0.0 is not configured on your router, make sure you did not accidentally use 171 instead of 172. The below access list should work:
interface Serial0/1/0
ip address 171.16.0.1 255.255.0.0
ip nat inside
!
access-list 1 permit 171.16.0.0 0.0.0.255
06-06-2020 03:11 AM
06-06-2020 03:15 AM
Hello,
can you post the (zipped) Packet Tracer project (.pkt) file here?
06-06-2020 03:24 AM - edited 06-06-2020 03:26 AM
06-06-2020 03:32 AM
Hello,
the access list is still wrong.
You have:
access-list 1 permit 171.16.0.0 0.0.0.255
You need:
access-list 1 permit 171.16.0.0 0.0.255.255
I have changed the access list in the attached file. Now if you send a ping from R8 to 192.168.1.66, the translation on R7 is visible:
R7#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 100.0.0.3:1 171.16.0.2:1 192.168.1.66:1 192.168.1.66:1
icmp 100.0.0.3:2 171.16.0.2:2 192.168.1.66:2 192.168.1.66:2
icmp 100.0.0.3:3 171.16.0.2:3 192.168.1.66:3 192.168.1.66:3
icmp 100.0.0.3:4 171.16.0.2:4 192.168.1.66:4 192.168.1.66:4
icmp 100.0.0.3:5 171.16.0.2:5 192.168.1.66:5
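Added example, not part of any poster's reply: a small Python check of which source addresses each `access-list 1` variant quoted in this thread would permit, and therefore hand to `ip nat inside source list 1 pool NAT-POOL` for translation. The interface addresses come from the posted configs; the two extra hosts and all function names are constructed for illustration.

```python
import ipaddress

def acl_permits(src, base, wildcard):
    """Standard-ACL match: bits set in the wildcard mask are 'don't care'."""
    s = int(ipaddress.IPv4Address(src))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (s & care) == (b & care)

# access-list 1 variants that appear in the thread: (base, wildcard)
ACLS = [
    ("192.168.2.0", "0.0.0.255"),
    ("171.16.0.1", "0.0.255.255"),
    ("171.16.0.0", "0.0.0.255"),
    ("171.16.0.0", "0.0.255.255"),
]

# The first two sources are interface addresses from the posted R8 config;
# the last two are constructed hosts used only for this illustration.
SOURCES = {
    "R8 Serial0/1/0": "171.16.0.2",
    "R8 Gi0/0/0": "192.168.2.1",
    "constructed LAN host": "192.168.2.10",
    "constructed serial-net host": "171.16.5.9",
}

def nat_candidates(base, wildcard):
    """Names of the sample sources that the ACL entry would permit."""
    return sorted(n for n, ip in SOURCES.items()
                  if acl_permits(ip, base, wildcard))

def pool_size(first, last):
    """Number of addresses in a NAT pool given as first/last address."""
    return (int(ipaddress.IPv4Address(last))
            - int(ipaddress.IPv4Address(first)) + 1)

if __name__ == "__main__":
    for base, wc in ACLS:
        print(f"access-list 1 permit {base} {wc}")
        for name in nat_candidates(base, wc):
            print(f"    translates: {name} ({SOURCES[name]})")
    # Without 'overload', each translated inside host takes one pool address.
    print("NAT-POOL addresses:", pool_size("100.0.0.3", "100.0.0.40"))
```

The ACL is matched against the packet's source IP address, so a ping sourced from R8's serial interface and a ping from a PC on 192.168.2.0/24 are selected by different entries.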
06-06-2020 04:02 AM
06-06-2020 04:42 AM
Hello,
access list 1 permit 192.168.2.0 0.0.0.255
should certainly work.
If you want to migrate from IPv4 to IPv6, I would do it in parallel, meaning, run both at the same time, so you can verify reachability.
06-06-2020 05:08 AM
06-06-2020 05:53 AM
Hello,
I think I misread your original post. Not sure why you did not see any NAT translations with access-list 1 permit 192.168.2.0 0.0.0.255. Packet Tracer can be a bit slow or quirky sometimes.
Regarding the IPv6 stuff, let us know if you run into any problems/questions, it should be quite straightforward.
06-06-2020 06:30 AM
My question is the one below - I repeat it here:
Ok, I have one last question: At the moment I am not able to ping from one IPv6-PC to another IPv6-PC. The packet dies in simulation mode instantly at the PC and does not go further. Does anyone have any suggestion why that is the case and how I can get the PING problem solved?
In the attachment you see my most current state of my project!
06-06-2020 07:17 AM
06-06-2020 10:35 AM