06-27-2023 06:48 AM - last edited on 08-07-2023 11:26 PM by Translator
Hi, Rules:
------------
1- All routers will be hostnamed, their console/enable security configured (let me know the passwords of course)
2- Internet Router and ALL end-devices will acquire IP addresses via DHCP
3- PC0, PC1, PC2 and PC3 will use dynamic addressing scheme when reaching the Internet (NAT/PAT both OK)
4- Internet Network will be connected through static routing (No Dynamic Routing will be accepted)
5- VPN Tunnel is to be established between Router1 and Router3 for 10.10.10.10.0/24 and 30.30.30.0/24 networks.
In my project, I began by manually assigning IP addresses to all devices except the switches. Next, I configured EIGRP routing and tested the connectivity by pinging PC2 from PC0, which was successful. Since Router1 and Router3 are located at the edge of the internet, I implemented NAT (Network Address Translation) on both routers to convert private IP addresses to public ones.
However, I encountered an issue where I could ping Router3 from PC0 but not PC2. Upon simulating the packet flow, I observed that the returned packet was being lost at Router1. Further investigation revealed that in the NAT translations on Router1, the destination address appeared as the local IP address 30.30.30.4. However, when the packet returned from PC2, Router3 translated the destination address to a public IP, causing Router1 to be unable to match the translation and resolve the given IP address to PC0. As a result, Router1 attempted to broadcast the packet in an attempt to find the IP address.
Based on the situation described, deleting the NAT configuration from Router3 seems to be a potential solution. By removing the NAT configuration on Router3, the returned packet's destination address will remain as the local IP address, allowing Router1 to successfully match the translation and resolve the IP address to PC0.
Any other solutions? (NAT and EIGRP are both working well; I don't think that I did something wrong.)
06-27-2023 07:04 AM
Hi
Share your project; it is easier for troubleshooting. Just zip the file first.
06-27-2023 07:09 AM
Sure I shared it.
06-27-2023 10:19 AM - edited 06-27-2023 10:38 AM
Hi
On the file attached you can see the EIGRP and VPN working.
Can you share the exact requirements you have? Let's see what is missing.
And the router had to be changed. The model you installed does not support IPsec.
06-27-2023 07:23 AM
What you are trying to achieve here is impossible:
ping from LAN to other LAN when there is dynamic NAT...
Sorry.
What you can do is use static NAT on one side and ping the mapped IP. This works.
06-27-2023 07:55 AM - last edited on 08-07-2023 11:28 PM by Translator
Thanks, but the project needs dynamic NAT or PAT, and I did EIGRP routing, which is dynamic, so I need to do it with static routes since the project wants a static routing protocol. Also, having dynamic NAT on one side (Router1 if PC0 pings) works too.
06-27-2023 08:00 AM
Dynamic NAT works, but what does not work is dynamic NAT with connections from side to side; this does not work.
Dynamic NAT is unidirectional.
Static NAT is bidirectional.
Maybe if you talk with your instructor and explain this point to him, maybe he wants something else.
thanks
MHM
06-27-2023 08:26 AM
How about PAT?
06-27-2023 08:31 AM - last edited on 08-07-2023 11:29 PM by Translator
Same, friend.
LAN1-R1-----R2-LAN2
When you ping from LAN1 to LAN2 using its real IP, not the mapped IP, the traffic flows.
The return traffic will be NAT/PATed, and here LAN1 will see a different IP from the one it sent to.
With static NAT:
LAN1-R1-----R2-LAN2
LAN1 pings the mapped IP of LAN2 on R2, and R2 NAT/PATs it to the real IP of LAN2.
LAN2 will reply and R2 will NAT/PAT it to the mapped IP.
LAN1 sees the reply from the mapped IP, so the traffic is not dropped.
06-27-2023 09:01 AM - last edited on 08-07-2023 11:30 PM by Translator
Okay, so I can make an IPsec tunnel and deny translation from 10.10.10.0 to 30.30.30.0 or vice versa. How about that? Thank you so much, btw.
06-27-2023 10:22 AM - last edited on 08-07-2023 11:31 PM by Translator
Sure, you can use IPsec, or for simplicity you can use a GRE tunnel. This makes your traffic bypass NAT/PAT.
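The arrangement agreed on in the two posts above (an IPsec tunnel between the LANs, with LAN-to-LAN traffic denied in the NAT ACL), shown as an added example that is not part of the thread. On IOS the inside-to-outside NAT step runs before the crypto map check, so the deny entry must come first in the NAT ACL. Interface names, outside addresses (documentation ranges), ACL and map names, and the pre-shared key are constructed assumptions; Router3 mirrors this with the networks and peer swapped.

```cisco
! Router1 (constructed lab example; names, addresses and key are assumptions)
!
! Phase 1: how the two routers authenticate each other
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key LAB-KEY-PLACEHOLDER address 203.0.113.1
!
! Phase 2: how the LAN-to-LAN payload is protected
crypto ipsec transform-set LAN2LAN-TS esp-aes 256 esp-sha-hmac
!
! Interesting traffic: only LAN1 <-> LAN3 enters the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255
!
crypto map LAN2LAN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set LAN2LAN-TS
 match address VPN-TRAFFIC
!
! NAT exemption: the deny line keeps tunnel traffic untranslated,
! everything else from the LAN is still PATed to the outside address
ip access-list extended NAT-TRAFFIC
 deny ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/0
 description LAN 10.10.10.0/24 (assumed inside interface)
 ip nat inside
!
interface GigabitEthernet0/1
 description Internet side (assumed outside interface, 198.51.100.1)
 ip nat outside
 crypto map LAN2LAN-MAP
```

After a ping from PC0 to PC2, `show ip nat translations` should list no entry for the 30.30.30.0 destination, and `show crypto ipsec sa` should show the encaps/decaps counters increasing.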
06-27-2023 10:33 AM - last edited on 08-07-2023 11:32 PM by Translator
How about this one? PC0 can't ping PC3, right? PC0 can ping PC2 thanks to IPsec (with deny list of PAT).
VPN is between 10.10.10.0 and 20.20.20.0.
This is also my assignment, but I couldn't figure it out.
06-27-2023 10:39 AM - last edited on 08-07-2023 11:32 PM by Translator
Add 40.40.40.0 to the ACL on both routers. This makes traffic between 10.10.10.0 and 40.40.40.0 hit the IPsec ACL and flow through the tunnel.
06-29-2023 08:41 AM - last edited on 08-07-2023 11:33 PM by Translator
10.10.10.0 and 40.40.40.0 need to use the Internet for communication, not the tunnel. The VPN tunnel is only between 10.10.10.0 and 20.20.20.0. When I simulate the packet, I see that it can't pass through the middle router.
06-29-2023 08:57 AM - last edited on 08-07-2023 11:35 PM by Translator
So the traffic between 10.10.10.0 and 40.40.40.0 is:
NOT NATing
NOT passing through the VPN
If yes to the above, then only check the router in the middle:
show ip route, do you see 10.10.10.0 and 40.40.40.0?