Solved: Re: Cant get Dynamic NAT / PAT to work on this simple setup in GNS3

Kobra09 · ‎07-10-2020

Hi guys,

Just need help on this config that I cant seem to get to work in GNS3.

So Im shrinking down the topology that Im currently working on just to isolate the issue.

I have two routers R1 and R2 connected by an ethernet link, and a VPCS connected to R2:

VPCS (e0)------10.1.1.0-------(f1/0)-R2-(f0/1)------96.2.11.0----- (f0/1)-R1

Im trying to translate VPCS's traffic via NAT in R2 to communicate to R1.

So basically, when I do a static NAT in R2, it works fine:

ip nat inside source list static 10.1.1.2 96.2.11.2

Then pinging the f0/1 of R1 from the VPCS, i can see the translation take place in R2 with 'show ip nat trans', debug nat, and 'show ip nat stat'.

However, when I create a dynamic NAT or even PAT, it doesnt seem to work when i ping R1 again from the VPCS, the translation does not occur, the ACLs dont even get a hit, BUT my pings go thru to the 96.2.11.1.

I have attached running config of R1 and R2 for reference. Am I missing something? Thanks a lot!

Georg Pauwen · ‎07-10-2020

Hello,

the 'log' keywords in your access list kill your NAT. They cause traffic to get process switches and won't work with NAT. Use the config below:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
ip address 96.2.11.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router rip
version 2
network 96.0.0.0
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat pool OVERLOAD 96.2.11.4 96.2.11.4 prefix-length 24
ip nat inside source list 20 pool OVERLOAD
!
access-list 20 permit 10.1.1.2
access-list 20 permit 172.16.1.36
access-list 20 permit 172.16.1.3
access-list 20 permit 172.16.1.66
access-list 20 permit 172.16.0.0 0.0.255.255

!
no cdp log mismatch duplex
!
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

View solution in original post

Martin L · ‎07-10-2020

looks good, one concern is the range of /24 but numbers do not reflect it: starting and ending on 96.2.11.4 ?

ip nat pool OVERLOAD 96.2.11.4 96.2.11.4 prefix-length 24

Regards, ML
**Please Rate All Helpful Responses **

Kobra09 · ‎07-11-2020

Yep, based on Cisco documentations, if you want to use just a single address for your inside global, you can config it that way. :)

Georg Pauwen · ‎07-10-2020

Hello,

the 'log' keywords in your access list kill your NAT. They cause traffic to get process switches and won't work with NAT. Use the config below:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
ip address 96.2.11.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router rip
version 2
network 96.0.0.0
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat pool OVERLOAD 96.2.11.4 96.2.11.4 prefix-length 24
ip nat inside source list 20 pool OVERLOAD
!
access-list 20 permit 10.1.1.2
access-list 20 permit 172.16.1.36
access-list 20 permit 172.16.1.3
access-list 20 permit 172.16.1.66
access-list 20 permit 172.16.0.0 0.0.255.255

!
no cdp log mismatch duplex
!
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

Kobra09 · ‎07-11-2020

Aweesommee!
Thanks Georg, worked this time:

R2#debug ip nat
IP NAT debugging is on
R2#
*Mar 1 00:14:41.291: NAT*: s=10.1.1.2->96.2.11.4, d=96.2.11.1 [28920]
R2#
*Mar 1 00:14:43.295: NAT*: s=10.1.1.2->96.2.11.4, d=96.2.11.1 [28921]
*Mar 1 00:14:43.303: NAT*: s=96.2.11.1, d=96.2.11.4->10.1.1.2 [28921]
R2#
*Mar 1 00:14:44.311: NAT*: s=10.1.1.2->96.2.11.4, d=96.2.11.1 [28922]
*Mar 1 00:14:44.331: NAT*: s=96.2.11.1, d=96.2.11.4->10.1.1.2 [28922]
R2#
*Mar 1 00:14:45.343: NAT*: s=10.1.1.2->96.2.11.4, d=96.2.11.1 [28923]
*Mar 1 00:14:45.355: NAT*: s=96.2.11.1, d=96.2.11.4->10.1.1.2 [28923]
R2#
*Mar 1 00:14:46.367: NAT*: s=10.1.1.2->96.2.11.4, d=96.2.11.1 [28924]
*Mar 1 00:14:46.383: NAT*: s=96.2.11.1, d=96.2.11.4->10.1.1.2 [28924]
R2#

I didn't know that, or at least I may have forgotten that rule of thumb. Thank you so much.