Solved: Re: Cannot ping Inside Global ip from inside network

friendly12345 · ‎01-10-2018

Hi,

I'm new to CCNA

currently I learning about ip nat inside source static

I have configure a router R1 have

LAN interface g0/1 which has ip 192.168.1.1/24

a Serial S0/0/0 interface which has ip 1.1.1.1/30

The LAN connect to a PC and a Internal Server

I config the NAT for R1 as below

ip nat inside source list Internet interface Serial0/0/0 overload

ip nat inside source static 192.168.1.100 2.2.2.2

ip route 0.0.0.0 0.0.0.0 Serial0/0/0

There is a Router R2 connect to R1 at interface s0/0/0 which ip 1.1.1.2/30

and a External Server connect to R2

at R2 I have configure a static route

ip route 2.2.2.2 255.255.255.255 Serial0/0/0

The External Server can ping the address 2.2.2.2

but the inside PC0 cannot ping the address 2.2.2.2

I have test with simulation. The packet is travel from

PC0 > R1(source IP: 192.168.1.10, Dest IP: 2.2.2.2)

R1 NAT source IP to 1.1.1.1

R1 > R2 (source IP: 1.1.1.1, Dest IP: 2.2.2.2)

R2 send back to R1 (source IP: 1.1.1.1, Dest IP: 2.2.2.2)

R1 NAT Dest IP to 192.168.1.100

R1 > Internal Server (source IP: 1.1.1.1, Dest IP: 192.168.1.100)

Internal Server Reply to R1 with (source IP: 192.168.1.100, Dest IP: 1.1.1.1)

R1 receive the packet Dest IP to it interface IP and discard it.

So PC0 never receive the reply from Internal Server

So what is the solution for this? So PC0 can ping 2.2.2.2

check my Packet Tracer file at here

https://drive.google.com/open?id=1fBbKTU2Qja_RxSEaIjsbGZJZ08hZjtV9

Please give me advice on how to get this fix.

Thanks

paul driver · ‎01-11-2018

Hello

Okay then for that to happen I suggest as stated bef ore using NVI NAT.

R1
int fa0/0
no ip nat inside
ip nat enable

int ser0/0
no ip nat outside
ip nat enable
no ip redirects

no ip nat inside source list Internet interface Serial0/0/0 overload
no ip nat inside source static 192.168.1.100 1.1.1.3

ip nat source list Internet interface Serial0/0/0 overload
ip nat source static 192.168.1.100 1.1.1.3

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

paul driver · ‎01-10-2018

Hello

@friendly12345 wrote:

Hi,

I'm new to CCNA

currently I learning about ip nat inside source static

I have configure a router R1 have

LAN interface g0/1 which has ip 192.168.1.1/24

a Serial S0/0/0 interface which has ip 1.1.1.1/30

The LAN connect to a PC and a Internal Server

I config the NAT for R1 as below

ip nat inside source list Internet interface Serial0/0/0 overload

ip nat inside source static 192.168.1.100 2.2.2.2

ip route 0.0.0.0 0.0.0.0 Serial0/0/0

There is a Router R2 connect to R1 at interface s0/0/0 which ip 1.1.1.2/30

and a External Server connect to R2

at R2 I have configure a static route

ip route 2.2.2.2 255.255.255.255 Serial0/0/0

The External Server can ping the address 2.2.2.2

but the inside PC0 cannot ping the address 2.2.2.2

I have test with simulation. The packet is travel from

PC0 > R1(source IP: 192.168.1.10, Dest IP: 2.2.2.2)

R1 NAT source IP to 1.1.1.1

R1 > R2 (source IP: 1.1.1.1, Dest IP: 2.2.2.2)

R2 send back to R1 (source IP: 1.1.1.1, Dest IP: 2.2.2.2)

R1 NAT Dest IP to 192.168.1.100

R1 > Internal Server (source IP: 1.1.1.1, Dest IP: 192.168.1.100)

Internal Server Reply to R1 with (source IP: 192.168.1.100, Dest IP: 1.1.1.1)

R1 receive the packet Dest IP to it interface IP and discard it.

So PC0 never receive the reply from Internal Server

So what is the solution for this? So PC0 can ping 2.2.2.2

check my Packet Tracer file at here

https://drive.google.com/open?id=1fBbKTU2Qja_RxSEaIjsbGZJZ08hZjtV9

Please give me advice on how to get this fix.

Thanks

hello

you need to nat in your own public ip address not that of R2

no ip nat inside source static 192.168.1.100 2.2.2.2

no ip route 0.0.0.0 0.0.0.0 Serial0/0/0

ip nat inside source static 192.168.1.100 1.1.1.50

ip route 0.0.0.0 0.0.0.0 Serial0/0/0 1.1.1.2

res

paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

friendly12345 · ‎01-10-2018

Hi,

I have try with your recommend but it doesn't work

The problem still persist

when PC0 ping the address 1.1.1.50

PC0 > R1 (NAT Source IP) > R2 > R1 (Translate Dest IP to 192.168.1.100) > Internal Server > R1 (Source IP: 192.168.1.100, Dest IP: 1.1.1.50)

R1 still discard the reply packet from Internal Server.

paul driver · ‎01-10-2018

Hello

Can you post your configuration please of the two rtrs

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

friendly12345 · ‎01-10-2018

Hi,

R1 Configuration

Current configuration : 967 bytes

!

version 15.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname R1

!

ip cef

no ipv6 cef

!

license udi pid CISCO1941/K9 sn FTX1524DAKV

!

spanning-tree mode pvst

!

interface GigabitEthernet0/0

no ip address

duplex auto

speed auto

shutdown

!

interface GigabitEthernet0/1

ip address 192.168.1.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface Serial0/0/0

ip address 1.1.1.1 255.255.255.252

ip nat outside

!

interface Serial0/0/1

no ip address

clock rate 2000000

!

interface Vlan1

no ip address

shutdown

!

ip nat inside source list Internet interface Serial0/0/0 overload

ip nat inside source static 192.168.1.100 1.1.1.50

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/0/0

!

ip flow-export version 9

!

ip access-list standard Internet

permit any

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

end

R2 Configuration

Current configuration : 840 bytes

!

version 15.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname R2

!

ip cef

no ipv6 cef

!

license udi pid CISCO1941/K9 sn FTX15242ULC

!

spanning-tree mode pvst

!

interface GigabitEthernet0/0

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/1

ip address 100.100.100.1 255.255.255.0

duplex auto

speed auto

!

interface Serial0/0/0

ip address 1.1.1.2 255.255.255.252

clock rate 2000000

!

interface Serial0/0/1

no ip address

clock rate 2000000

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 2.2.2.2 255.255.255.255 Serial0/0/0

ip route 1.1.1.50 255.255.255.255 Serial0/0/0

!

ip flow-export version 9

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

end

PC0 IP: 192.168.1.10/24

Internal Server: 192.168.1.100/24

External Server: 100.100.100.100/24

Check the attached image for the topology

paul driver · ‎01-11-2018

Hello

So you want to ping the external server from the internal server and vice versa - I assume this a a lab?

The easiest way would be to change the addressing on the serial interface to accommodate additional public ip addresses

R1
conf t
no ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 1.1.1.2

no ip access-list standard Internet
ip access-list standard Internet
permit ip 192.169.1.0 0.0.0.255

int ser0/0
ip address 1.1.1.1 255.255.255.248

no ip nat inside source static 192.168.1.100 1.1.1.50
ip nat inside source static 192.168.1.100 1.1.1.3

R2
int ser0/0
ip address 1.1.1.2 255.255.255.248

no ip route 2.2.2.2 255.255.255.255 Serial0/0/0
no ip route 1.1.1.50 255.255.255.255 Serial0/0/0

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

friendly12345 · ‎01-11-2018

Hi,

with your configuration. When R2 ping 1.1.1.3 it send to R1, since 1.1.1.3 is not R1 interface IP, R1 look into it routing table and found

C 1.1.1.0/29 is directly connected, Serial0/0/0

So it send back the packet to R2, and then R2 discard the packet.

Do you use Packet Tracer?

Can you check out my Packet Tracer file here

https://drive.google.com/open?id=1fBbKTU2Qja_RxSEaIjsbGZJZ08hZjtV9

Really thanks for your help.

Nguyen

friendly12345 · ‎01-11-2018

Hi,

R2 cannot ping 1.1.1.3 because after change the R1 s0/0/0 interface IP

it has remove the line

ip nat outside

So I have added back

R1

inter s0/0/0

ip nat outside

Now R2 and external server can ping 1.1.1.3 from the outside.

But PC0 still not be able to ping 1.1.1.3

The same problem occur like the above

when PC0 ping the address 1.1.1.3

PC0 > R1 (NAT Source IP 1.1.1.1, Dest: 1.1.1.3) > R2 > R1 (Translate Dest IP to 192.168.1.100, Source IP is 1.1.1.1) > Internal Server (source IP: 1.1.1.1, Dest: 192.168.1.100)

Internal Server Reply (source: 192.168.1.100, Dest: 1.1.1.1) > R1 (Source IP: 192.168.1.100, Dest IP: 1.1.1.1) R1 receive the packet and find the Dest IP to it interface s0/0/0 IP address and discard it.

paul driver · ‎01-11-2018

Hello

Okay then for that to happen I suggest as stated bef ore using NVI NAT.

R1
int fa0/0
no ip nat inside
ip nat enable

int ser0/0
no ip nat outside
ip nat enable
no ip redirects

no ip nat inside source list Internet interface Serial0/0/0 overload
no ip nat inside source static 192.168.1.100 1.1.1.3

ip nat source list Internet interface Serial0/0/0 overload
ip nat source static 192.168.1.100 1.1.1.3

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

friendly12345 · ‎01-11-2018

Hi,

I think this is the solution for this

It is call Hairpin NAT

I've just look in to this https://supportforums.cisco.com/t5/wan-routing-and-switching/nat-hairpinning/td-p/2475807

Really thanks

paul driver · ‎01-11-2018

Hello

Correct yes it is called hairpining.

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul