Beginner

Can't get Dynamic NAT / PAT to work on this simple setup in GNS3

Hi guys,

 

Just need help on this config that I can't seem to get to work in GNS3.

So I'm shrinking down the topology that I'm currently working on just to isolate the issue.

I have two routers R1 and R2 connected by an ethernet link, and a VPCS connected to R2:

 

VPCS (e0)------10.1.1.0-------(f1/0)-R2-(f0/1)------96.2.11.0----- (f0/1)-R1

 

I'm trying to translate the VPCS's traffic via NAT in R2 to communicate with R1.

 

So basically, when I do a static NAT in R2, it works fine:

ip nat inside source static 10.1.1.2 96.2.11.2

Then, pinging the f0/1 of R1 from the VPCS, I can see the translation take place in R2 with 'show ip nat trans', 'debug nat', and 'show ip nat stat'.

 

However, when I create a dynamic NAT or even PAT, it doesn't seem to work: when I ping R1 again from the VPCS, the translation does not occur and the ACLs don't even get a hit, BUT my pings go through to 96.2.11.1.

 

I have attached the running configs of R1 and R2 for reference. Am I missing something? Thanks a lot!

Accepted Solution
VIP Expert

Hello,

 

The 'log' keywords in your access list kill your NAT. They cause traffic to get process switched, and that won't work with NAT. Use the config below:

 

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip tcp synwait-time 5
!
! Outside (global) side of the NAT boundary, facing R1
interface FastEthernet0/1
ip address 96.2.11.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
! Inside (local) side of the NAT boundary, facing the VPCS
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router rip
version 2
network 96.0.0.0
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
! Pool of a single inside-global address (dynamic NAT; adding 'overload' to the rule below would make it PAT)
ip nat pool OVERLOAD 96.2.11.4 96.2.11.4 prefix-length 24
ip nat inside source list 20 pool OVERLOAD
!
! Standard ACL selecting the inside-local sources to translate; no 'log' keyword on any entry
access-list 20 permit 10.1.1.2
access-list 20 permit 172.16.1.36
access-list 20 permit 172.16.1.3
access-list 20 permit 172.16.1.66
access-list 20 permit 172.16.0.0 0.0.255.255
!
no cdp log mismatch duplex
!
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

 


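As an added illustration (not code from this thread or from Cisco), here is a small Python audit that flags the failure mode the accepted answer points to: an ACL referenced by an `ip nat inside source list` rule whose entries carry the 'log' keyword, plus the two other usual suspects (an undefined ACL, and a missing inside or outside NAT interface). The sample configs are constructed to mirror R2, not the attached running-configs.

```python
import re

# Constructed sample configs, not the thread's attached running-configs. BROKEN_CFG carries
# the 'log' keyword the accepted answer blames; FIXED_CFG is the same with 'log' removed.
BROKEN_CFG = """\
interface FastEthernet0/1
 ip address 96.2.11.2 255.255.255.0
 ip nat outside
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
ip nat pool OVERLOAD 96.2.11.4 96.2.11.4 prefix-length 24
ip nat inside source list 20 pool OVERLOAD overload
access-list 20 permit 10.1.1.2 log
access-list 20 permit 172.16.0.0 0.0.255.255 log
"""
FIXED_CFG = BROKEN_CFG.replace(" log\n", "\n")

NAT_RULE_RE = re.compile(r"^ip nat inside source list (\S+) ")
ACL_RE = re.compile(r"^access-list (\S+) (?:permit|deny) (.+)$")


def audit_nat_acls(config: str) -> list[str]:
    """Return findings for the usual reasons dynamic NAT/PAT silently fails: a NAT rule
    whose ACL is undefined, an ACL entry carrying 'log' (the accepted answer's point:
    logged entries are process switched, so NAT never translates them), or a config
    that lacks an 'ip nat inside' or 'ip nat outside' interface."""
    findings = []
    nat_acls = set()
    acl_entries = {}
    sides = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RULE_RE.match(line):
            nat_acls.add(m.group(1))
        elif m := ACL_RE.match(line):
            acl_entries.setdefault(m.group(1), []).append(m.group(2))
        elif line in ("ip nat inside", "ip nat outside"):
            sides.add(line)
    for acl in sorted(nat_acls):
        if acl not in acl_entries:
            findings.append(f"NAT rule references ACL {acl}, which is not defined")
            continue
        for entry in acl_entries[acl]:
            if "log" in entry.split() or "log-input" in entry.split():
                findings.append(f"ACL {acl} entry '{entry}' has 'log': NAT will not translate it")
    if len(sides) < 2:
        findings.append("NAT needs one 'ip nat inside' and one 'ip nat outside' interface")
    return findings
```

Run it against both constructed configs: the broken one yields one finding per logged ACL entry, the fixed one yields none.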
VIP Engager

 

Looks good. One concern is the range of /24, but the numbers do not reflect it: starting and ending on 96.2.11.4?

ip nat pool OVERLOAD 96.2.11.4 96.2.11.4 prefix-length 24

 

Regards, ML


Yep, based on the Cisco documentation, if you want to use just a single address for your inside global, you can configure it that way. :)


Aweesommee!
Thanks Georg, worked this time:

R2#debug ip nat
IP NAT debugging is on
R2#
*Mar 1 00:14:41.291: NAT*: s=10.1.1.2->96.2.11.4, d=96.2.11.1 [28920]
R2#
*Mar 1 00:14:43.295: NAT*: s=10.1.1.2->96.2.11.4, d=96.2.11.1 [28921]
*Mar 1 00:14:43.303: NAT*: s=96.2.11.1, d=96.2.11.4->10.1.1.2 [28921]
R2#
*Mar 1 00:14:44.311: NAT*: s=10.1.1.2->96.2.11.4, d=96.2.11.1 [28922]
*Mar 1 00:14:44.331: NAT*: s=96.2.11.1, d=96.2.11.4->10.1.1.2 [28922]
R2#
*Mar 1 00:14:45.343: NAT*: s=10.1.1.2->96.2.11.4, d=96.2.11.1 [28923]
*Mar 1 00:14:45.355: NAT*: s=96.2.11.1, d=96.2.11.4->10.1.1.2 [28923]
R2#
*Mar 1 00:14:46.367: NAT*: s=10.1.1.2->96.2.11.4, d=96.2.11.1 [28924]
*Mar 1 00:14:46.383: NAT*: s=96.2.11.1, d=96.2.11.4->10.1.1.2 [28924]
R2#

I didn't know that, or at least I may have forgotten that rule of thumb. Thank you so much.