Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3846
Views
20
Helpful
6
Replies

Can't ping other network using nat(pat)

Go to solution
lmnlis
Level 1
Level 1

‎02-07-2021 05:16 AM - edited ‎02-07-2021 05:57 AM

I am trying to ping an end device from another network through Internet(ISP layer3 switch) using NAT overload on both routers. is it possible or it really is normal to not be able to ping because of single public IP? I am able to ping loopback address and other devices but not hosts.

Labels:
practice lab (pat).zip
46 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Georg Pauwen
VIP
VIP
In response to lmnlis

‎02-07-2021 06:25 AM

Hello,

 

there were a few things missing in your config. The right router had no 'ip nat inside source list' configured, so no NAT at all was taking place on that side. An access list that uses 'permit any' is usually not a good idea, I changed that to include the actual networks. The revised file is attached. Either way, you will always get a ping response from the outside public address, never from the original, private IP. Think about it this way: most NAT translations use private networks such as 192.168.1.0/24, these addresses are not routed over the Internet. You cannot get a response from these private space addresses, since everybody is using the same address space.

View solution in original post

praktis (pat)_REV.zip
6 Replies 6

Go to solution
Georg Pauwen
VIP
VIP

‎02-07-2021 05:26 AM

Hello,

 

if this is a Packet Tracer project, post the zipped project (.pkt) file.

0 Helpful

Go to solution
lmnlis
Level 1
Level 1
In response to Georg Pauwen

‎02-07-2021 05:45 AM

pkt file in zip has been posted. thanks

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to lmnlis

‎02-07-2021 06:25 AM

Hello,

 

there were a few things missing in your config. The right router had no 'ip nat inside source list' configured, so no NAT at all was taking place on that side. An access list that uses 'permit any' is usually not a good idea, I changed that to include the actual networks. The revised file is attached. Either way, you will always get a ping response from the outside public address, never from the original, private IP. Think about it this way: most NAT translations use private networks such as 192.168.1.0/24, these addresses are not routed over the Internet. You cannot get a response from these private space addresses, since everybody is using the same address space.

praktis (pat)_REV.zip

Go to solution
paul driver
VIP
VIP

‎02-07-2021 05:37 AM - edited ‎02-07-2021 05:48 AM

Hello
Nat can be used to hide networks - so basically all your 10.x.x.x subnets are hidden from each other building 

To ping an internal host from either building would require you to ping the natted “public” ip address not the internal address and using just the one public address for nat at each building then means you are using dynamic port address translation (PAT) which means you would only be able to each a specific internal host by its single natted public ip AND it’s port address 

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Go to solution
lmnlis
Level 1
Level 1
In response to paul driver

‎02-07-2021 06:07 AM

 im sorry for not understanding. you mean i should not use dynamic pat(one public ip with dynamic port numbers) for pinging end to end devices but rather use static nat?

 

0 Helpful

Go to solution
Squozen_EU
Level 1
Level 1
In response to lmnlis

‎02-08-2021 07:22 AM

Ideally if you need to communicate with devices behind a public IP you would be setting up a VPN tunnel between the two routers. This eliminates the need for NAT completely as long as the private subnets at each end are different. 

Customers Also Viewed These Support Documents