02-07-2021 05:16 AM - edited 02-07-2021 05:57 AM
I am trying to ping an end device from another network through the Internet (ISP layer 3 switch) using NAT overload on both routers. Is it possible, or is it normal to not be able to ping because of the single public IP? I am able to ping the loopback address and other devices but not hosts.
Labels: Other Routing
Accepted Solutions
02-07-2021 06:25 AM
Hello,
There were a few things missing in your config. The right router had no 'ip nat inside source list' configured, so no NAT at all was taking place on that side. An access list that uses 'permit any' is usually not a good idea; I changed that to include the actual networks. The revised file is attached. Either way, you will always get a ping response from the outside public address, never from the original, private IP. Think about it this way: most NAT translations use private networks such as 192.168.1.0/24, and these addresses are not routed over the Internet. You cannot get a response from these private space addresses, since everybody is using the same address space.
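A minimal version of the corrected setup described above, written here as an added example rather than taken from the revised .pkt file attached in the thread. The interface names, the 10.1.1.0/24 LAN and the 203.0.113.10 public address are assumptions (documentation ranges, constructed); the second router gets the same block with its own LAN and public address.

```cisco
! Added example, not the attached project. Assumed: LAN 10.1.1.0/24 on Gi0/1,
! ISP-facing Gi0/0 holding the single public address 203.0.113.10.
!
! --- Weak: translates whatever arrives on an inside interface ---
access-list 1 permit any
!
! --- Corrected: only the LAN that is meant to be translated ---
no access-list 1
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any          ! implicit anyway, written out for clarity
!
interface GigabitEthernet0/1
 description LAN (inside)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description ISP (outside)
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
! The statement the right-hand router was missing: PAT (overload) on the one
! public address. Without it, packets leave with a private source address and
! the reply has no route back.
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! Check after a host behind this router pings the far side: each ICMP flow
! appears as inside private address:id mapped to public address:id. A ping
! aimed at a private address on the far side creates no such entry and is
! dropped there, which is the behaviour the question describes.
! show ip nat translations
! show ip nat statistics
```

If the two sites are later joined with a VPN tunnel, as the last reply suggests, traffic between the two private LANs must be excluded from this access list so it is carried untranslated through the tunnel.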

02-07-2021 05:26 AM
Hello,
If this is a Packet Tracer project, post the zipped project (.pkt) file.
02-07-2021 05:45 AM
The .pkt file in a zip has been posted. Thanks.
02-07-2021 05:37 AM - edited 02-07-2021 05:48 AM
Hello
NAT can be used to hide networks, so basically all your 10.x.x.x subnets are hidden from the other building.
To ping an internal host from either building would require you to ping the NATted "public" IP address, not the internal address. Using just the one public address for NAT at each building then means you are using dynamic port address translation (PAT), which means you would only be able to reach a specific internal host by its single NATted public IP AND its port address.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
02-07-2021 06:07 AM
I'm sorry for not understanding. You mean I should not use dynamic PAT (one public IP with dynamic port numbers) for pinging end-to-end devices, but rather use static NAT?
02-08-2021 07:22 AM
Ideally if you need to communicate with devices behind a public IP you would be setting up a VPN tunnel between the two routers. This eliminates the need for NAT completely as long as the private subnets at each end are different.
