02-07-2021 05:16 AM - edited 02-07-2021 05:57 AM
I am trying to ping an end device from another network through the Internet (ISP layer 3 switch) using NAT overload on both routers. Is it possible, or is it normal to not be able to ping because of the single public IP? I am able to ping the loopback address and other devices, but not the hosts.
02-07-2021 06:25 AM
Hello,
There were a few things missing in your config. The right router had no 'ip nat inside source list' configured, so no NAT at all was taking place on that side. An access list that uses 'permit any' is usually not a good idea; I changed that to include the actual networks. The revised file is attached. Either way, you will always get a ping response from the outside public address, never from the original, private IP. Think about it this way: most NAT translations use private networks such as 192.168.1.0/24, and these addresses are not routed over the Internet. You cannot get a response from these private-space addresses, since everybody is using the same address space.
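A minimal pair of IOS NAT-overload configurations that matches the fix described in this answer, added here as an example and not the poster's attached Packet Tracer file; the interface names, addresses and ACL number are assumptions:

```cisco
! Added example, not the thread's attached .pkt file. Addresses, interface
! names and the ACL number are assumptions: two sites, each with one public
! IP, each doing NAT overload (PAT) toward the ISP.
!
! --- Left router --- assumed LAN 10.1.1.0/24, assumed public 203.0.113.1
interface GigabitEthernet0/0
 description LAN (inside)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description ISP (outside)
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
! Weak form from the thread: 'permit any' makes every source eligible for
! translation, not just the LAN this router is responsible for.
!   access-list 1 permit any
! Corrected form: match only the real inside network.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! The line that was missing on the right router. Without it no translation
! happens at all; 'overload' selects PAT, so many inside hosts share the one
! public address, distinguished by port (ICMP echo identifier for ping).
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
! --- Right router --- assumed LAN 10.2.2.0/24, assumed public 198.51.100.1
interface GigabitEthernet0/0
 ip address 10.2.2.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
!
access-list 1 permit 10.2.2.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
! Check: while a host at 10.1.1.10 pings 198.51.100.1, the left router shows
! an ICMP entry mapping 10.1.1.10 to 203.0.113.1. A ping aimed at 10.2.2.10
! itself never arrives, because nothing outside carries a route to 10.0.0.0/8.
!   show ip nat translations
!   show ip nat statistics
```

The reply to a ping from either LAN therefore always appears to come from the far router's outside address, which is exactly the behaviour the answer above describes.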
02-07-2021 05:26 AM
Hello,
if this is a Packet Tracer project, post the zipped project (.pkt) file.
02-07-2021 05:45 AM
The .pkt file in a zip has been posted. Thanks.
02-07-2021 05:37 AM - edited 02-07-2021 05:48 AM
Hello
NAT can be used to hide networks, so basically all your 10.x.x.x subnets are hidden from the other building.
To ping an internal host from either building would require you to ping the NATed "public" IP address, not the internal address, and using just the one public address for NAT at each building then means you are using dynamic port address translation (PAT), which means you would only be able to reach a specific internal host by its single NATed public IP AND its port address.
02-07-2021 06:07 AM
I'm sorry for not understanding. You mean I should not use dynamic PAT (one public IP with dynamic port numbers) for pinging end-to-end devices, but rather use static NAT?
02-08-2021 07:22 AM
Ideally if you need to communicate with devices behind a public IP you would be setting up a VPN tunnel between the two routers. This eliminates the need for NAT completely as long as the private subnets at each end are different.