Can't ping other network using nat(pat)

lmnlis
Level 1

I am trying to ping an end device on another network through the Internet (ISP layer 3 switch) using NAT overload on both routers. Is it possible, or is it normal to not be able to ping because of the single public IP? I am able to ping the loopback address and other devices, but not hosts.

Accepted Solution

Hello,


there were a few things missing in your config. The right router had no 'ip nat inside source list' configured, so no NAT at all was taking place on that side. An access list that uses 'permit any' is usually not a good idea; I changed that to include the actual networks. The revised file is attached. Either way, you will always get a ping response from the outside public address, never from the original, private IP. Think about it this way: most NAT translations use private networks such as 192.168.1.0/24, and these addresses are not routed over the Internet. You cannot get a response from these private-space addresses, since everybody is using the same address space.
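As an added illustration, not the attached revised file and not the poster's own config, here is the NAT overload (PAT) configuration the reply describes for the router that had no translation rule; interface names, the inside subnet and the public address are assumed:

```cisco
! Added example, not the attached Packet Tracer config. Interface names and
! addresses are assumed: the inside network is one of the 10.x.x.x subnets the
! thread mentions, the public address is from the 203.0.113.0/24 documentation range.
interface GigabitEthernet0/0
 description LAN (inside)
 ip address 10.2.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Link to ISP (outside)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Match only the real inside network instead of "permit any", so that only
! traffic from that subnet is translated.
ip access-list standard NAT-INSIDE
 permit 10.2.0.0 0.0.0.255
!
! This is the line that was absent on the right router. Without it nothing is
! translated, packets leave with a private source address and no reply can return.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! Default route towards the ISP so translated packets are forwarded.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

After pinging from an inside host, `show ip nat translations` on this router lists the private source rewritten to 203.0.113.2; any reply seen at the far end carries that public address, which is the behaviour the reply describes.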


6 Replies

Hello,


if this is a Packet Tracer project, post the zipped project (.pkt) file.

The .pkt file (zipped) has been posted. Thanks.


Hello,
NAT can be used to hide networks, so basically all your 10.x.x.x subnets are hidden from the other building.

To ping an internal host from either building would require you to ping the NATed "public" IP address, not the internal address. Using just the one public address for NAT at each building then means you are using dynamic port address translation (PAT), which means you would only be able to reach a specific internal host by its single NATed public IP AND its port address.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I'm sorry for not understanding. You mean I should not use dynamic PAT (one public IP with dynamic port numbers) for pinging end devices end to end, but rather use static NAT?


Ideally if you need to communicate with devices behind a public IP you would be setting up a VPN tunnel between the two routers. This eliminates the need for NAT completely as long as the private subnets at each end are different. 
