
Can somebody tell me if something with my NAT isn't working correctly?!

iPhoneFreak
Level 1

In the attachments you find my whole network in Packet Tracer. Can somebody tell me if my NAT is working correctly?

It should be very simple, as it is simply about 5 lines of code. The dynamic NAT is working on the R7-Router.

Here is the running-config of R7:

R7(config-router)#do show run
Building configuration...

Current configuration : 1030 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R7
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/1/0
ip address 171.16.0.1 255.255.0.0
ip nat inside
!
interface Serial0/1/1
ip address 100.0.0.2 255.0.0.0
ip nat outside
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
network 171.16.0.0 0.0.255.255 area 0
network 100.0.0.0 0.255.255.255 area 0
!
ip nat pool NAT-POOL 100.0.0.3 100.0.0.40 netmask 255.0.0.0
ip nat inside source list 1 pool NAT-POOL
ip classless
!
ip flow-export version 9
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

Here is the running-config of R8:

R8(config-router)#do show run
Building configuration...

Current configuration : 918 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R8
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/1/0
ip address 171.16.0.2 255.255.0.0
clock rate 2000000
!
interface Serial0/1/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
router-id 5.5.5.5
log-adjacency-changes
passive-interface GigabitEthernet0/0/0
network 192.168.2.0 0.0.0.255 area 0
network 171.16.0.0 0.0.255.255 area 0
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

16 Replies

Hello,

the configuration of R7 does not look right. What are you trying to accomplish?

interface Serial0/1/0
ip address 171.16.0.1 255.255.0.0
ip nat inside
!
ip nat pool NAT-POOL 100.0.0.3 100.0.0.40 netmask 255.0.0.0
!
ip nat inside source list 1 pool NAT-POOL
!
access-list 1 permit 192.168.2.0 0.0.0.255

If you want NAT to work, the access list (1) needs to match the IP address space of the 'ip nat inside', 171.16.0.1/16 in this case.

So if you change access list 1 to:

access-list 1 permit 171.16.0.1 0.0.255.255

the NAT should work.

First I wanna say thanks to you Georg! :-)

I appreciate your help.

I'm simply trying to accomplish NAT the way it should always work. You have an inside network and an outside network. The inside network addresses should be translated into the outside network addresses (as far as I understand!).

Georg, you mean 172.16.0.0 for the ip access-list, or? Not 172.16.0.1, or do I misunderstand something?

Thx,
Raffael

Hello,

the access list needs to match the subnet of the inside interface. 172.16.0.0 is not configured on your router, make sure you did not accidentally use 171 instead of 172. The below access list should work:

interface Serial0/1/0
ip address 171.16.0.1 255.255.0.0
ip nat inside
!
access-list 1 permit 171.16.0.0 0.0.0.255

I did what you said, Georg, but I simply do not get any information output, when I write: do show ip nat translations into the console. Do you have any suggestions, why this does not work?

Hello,

can you post the (zipped) Packet Tracer project (.pkt) file here?

Here we go! ;-)

Thx Georg!

Hello,

the access list is still wrong.

You have:

access-list 1 permit 171.16.0.0 0.0.0.255

You need:

access-list 1 permit 171.16.0.0 0.0.255.255

I have changed the access list in the attached file. Now if you send a ping from R8 to 192.168.1.66, the translation on R7 is visible:

R7#sh ip nat translations
Pro   Inside global   Inside local    Outside local    Outside global
icmp  100.0.0.3:1     171.16.0.2:1    192.168.1.66:1   192.168.1.66:1
icmp  100.0.0.3:2     171.16.0.2:2    192.168.1.66:2   192.168.1.66:2
icmp  100.0.0.3:3     171.16.0.2:3    192.168.1.66:3   192.168.1.66:3
icmp  100.0.0.3:4     171.16.0.2:4    192.168.1.66:4   192.168.1.66:4
icmp  100.0.0.3:5     171.16.0.2:5    192.168.1.66:5

But isn't it also possible to use the access-list 1 like this:
access-list 1 permit 192.168.2.0 0.0.0.255

Because then the result of show ip nat translations looks like this:
R7#show ip nat translations
Pro   Inside global   Inside local    Outside local     Outside global
icmp  100.0.0.3:1     192.168.2.2:1   192.168.1.195:1   192.168.1.195:1
icmp  100.0.0.3:2     192.168.2.2:2   192.168.1.3:2     192.168.1.3:2
icmp  100.0.0.3:3     192.168.2.2:3   192.168.1.66:3    192.168.1.66:3
icmp  100.0.0.4:1     192.168.2.3:1   172.16.0.3:1      172.16.0.3:1
icmp  100.0.0.4:2     192.168.2.3:2   192.168.1.131:2   192.168.1.131:2

The reason for this question is that I actually want the translations to happen between PC6 & 7 and the other PCs in my topology.

Hello,

access list 1 permit 192.168.2.0 0.0.0.255

should certainly work.

If you want to migrate from IPv4 to IPv6, I would do it in parallel, meaning, run both at the same time, so you can verify reachability.
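
An added example, not part of the original thread: a Python model of how a standard IOS access list with a wildcard mask selects source addresses, run over the access-list 1 variants and the inside-local addresses quoted in the posts above. The function names are this example's own and model only the ACL match used by `ip nat inside source list 1`.

```python
import ipaddress


def acl_permits(source, base, wildcard):
    """Standard ACL match: wildcard bits set to 1 are ignored,
    all other bits of the source must equal the ACL base address."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    src = int(ipaddress.IPv4Address(source))
    ref = int(ipaddress.IPv4Address(base))
    return (src & care) == (ref & care)


# The access-list 1 variants that appear in the thread: (base, wildcard).
ACLS = [
    ("192.168.2.0", "0.0.0.255"),
    ("171.16.0.1", "0.0.255.255"),
    ("171.16.0.0", "0.0.0.255"),
    ("171.16.0.0", "0.0.255.255"),
]

# Inside-local source addresses taken from the two translation tables.
SOURCES = ["171.16.0.2", "192.168.2.2", "192.168.2.3"]


def nat_candidates(base, wildcard, sources=SOURCES):
    """Sources that the NAT rule's access list would select for translation."""
    return [s for s in sources if acl_permits(s, base, wildcard)]


def report():
    """Map each ACL variant to the sources it permits."""
    return {f"{b} {w}": nat_candidates(b, w) for b, w in ACLS}


if __name__ == "__main__":
    for acl, matched in report().items():
        print(f"access-list 1 permit {acl:<24} -> {matched or 'no match'}")
```

A packet is translated only if it also travels from the `ip nat inside` interface to the `ip nat outside` interface; the code covers the source-match step alone.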

Thx Georg! :-)

Hello,

I think I misread your original post. Not sure why you did not see any NAT translations with access-list 1 permit 192.168.2.0 0.0.0.255. Packet Tracer can be a bit slow or quirky sometimes.

Regarding the IPv6 stuff, let us know if you run into any problems/questions, it should be quite straightforward.

My question is the one below - I repeat it here:

Ok, I have one last question: At the moment I am not able to ping from one IPv6-PC to another IPv6-PC. The packet dies in simulation mode instantly at the PC and does not go further. Does anyone have any suggestion why that is the case and how I can get the PING problem solved?

In the attachment you see my most current state of my project!

Hello,

on both R9 and R10, add a static default route:

ipv6 route ::/0 serial 0/1/0

Attached the adapted file...

Thx, that was it!