Solved: IP NAT POOL ISSUE

dmissai · ‎02-21-2024

Hello Team,

I have tried to create NAT POOL for user to be able to browsers internet using our own public ip and not ISP.

interface GigabitEthernet0/0/0
description ===WAN======
ip address 41.200.150.2 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description ==LAN-WIFI==
ip address 192.168.100.1 255.255.255.0
ip helper-address 2.2.2.2
ip nat inside
negotiation auto
!

ip nat pool Vodafone 102.212.200.10 102.212.200.10 prefix-length 30
ip nat inside source list 10 pool Vodafone overload

!

access-list 10 permit 192.168.100.0 0.0.0.255
!

From the router I am able to ping 8.8.8.8 and www.google.com

But user workstation are able to ping 8.8.8.8 but not able to browsers internet like open google.com

paul driver · ‎02-27-2024

Hello
You failed to mention that you were using bgp. as based on your OP it was all static routing, Now you show the full run cfg,
It looks like presently with those static routes being applied and what’s showing in route table suggests:

Ingress = you are supposed to be receiving a default from BGP but the applied static default is overriding this?
Egress = traffic you are advertising 102.210.54.0/23 le 32 and that is it - which make no sense tbh?

I would say remove all those statics, soft clear the bgp process and check your route table thereafter.
Lastly post a topology diagram of your network as I do not see where your dedicated internet access is (DIA) as you show ONLY a single Wan interface at this time, which raises the question- How are you expecting to route direct to the internet?

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 41.207.242.133
no ip route 102.210.54.0 255.255.254.0 41.207.242.133 210
no ip route 102.210.54.0 255.255.254.0 Null0 250
no ip route 102.210.54.10 255.255.255.255 GigabitEthernet0/0/0
no ip nat inside source list 10 pool HUB_INTERNET overload

clear bgp ipv4 unicast * soft

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

liviu.gheorghe · ‎02-21-2024

Hello @dmissai ,

I assume that the IP address 102.212.200.10 is part of a subnet of PI addresses.

Your NAT config looks ok.

Does the ISP route traffic to 102.212.200.10 to your WAN address 41.200.150.2 ?

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***

dmissai · ‎02-23-2024

Yes ISP route the traffic to 102.212.200.10.

Thanks

Dani

MHM Cisco World · ‎02-21-2024

""But user workstation are able to ping 8.8.8.8 but not able to browsers internet like open google.com""

this not relate to NAT it DNS issue
you need to push DNS Server to cleint it can your router or external DNS server
MHM

dmissai · ‎02-23-2024

Hi MHM,

DNS for ISP is already set.

ip dhcp pool KAHAWA
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 41.221.41.100 196.45.42.100
domain-name ngea.com

Dani

MHM Cisco World · ‎02-23-2024

That correct

Try

nslookup -debug google.com

Let see if user send to ISP DNS name resolve request or not

MHM

dmissai · ‎02-27-2024

Hi MHM,

See below output. are not

dmissai

MHM Cisco World · ‎02-27-2024

127.0.0.3:53 ?

Are you sure the PC get correct IP and DNS from router ?

Share

IPConfig from pc

MHM

dmissai · ‎02-28-2024

Here is the output MHM.

lp0s20f3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.103 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::cfab:b682:db63:5789 prefixlen 64 scopeid 0x20<link>
ether a0:59:50:2e:46:db txqueuelen 1000 (Ethernet)
RX packets 2885079 bytes 1980618280 (1.9 GB)
RX errors 0 dropped 357 overruns 0 frame 0
TX packets 2309309 bytes 1470405916 (1.4 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Kind Regards,

DI

paul driver · ‎02-22-2024

Hello
The rtr will forward any dns query's from the clients via the defined default static route on the rtr as such you can set the clients dns to point to the rtr or even to vodaphones own public dns (90.255.255.90, 90.255.255.255) or both

So in the client dhcp scope settings or on the client manually, set the dns.

192.168.100.1
90.255.255.90
90.255.255.255

Lastly remove the ip helper from the lan interface and any default static route then reapply a definitive default static route
Plus as you are using a inside global address that is not actually applied to the wan interface the assumption here is that 102.212.200.10 is reachable from the internet and your ISP is advertising on your behalf?

interface GigabitEthernet0/0/1
no ip helper-address 2.2.2.2
exit
ip route 0.0.0.0 0.0.0.0 gig0/0/0 41.200.150.1

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

dissai · ‎02-26-2024

Hello Paul,

Today I tried your solution it failed to work.

paul driver · ‎02-26-2024

Hello

@dmissai wrote:
Today I tried your solution it failed to work

Can you elaborate,
Please confirm -

1) The nat pool address is reachable from the internet AND is allocated you
2) share the run cfg of the router (in a txt file include the below commands )
sh ip int brief
sh ip nat statistics
sh ip nat translations
sh ip route
sh run

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

dmissai · ‎02-27-2024

Hello Paul,

Find attached txt config.

I saw the show ip nat translation. Is translating our public ip with lan ip which is not supposed to be case. Kindly assist to provide the best way to nat so that our public can be reach even on icmp.

C:\Users\admin>ping 102.210.54.10

Pinging 102.210.54.10 with 32 bytes of data:
General failure.
Reply from 172.16.4.213: Destination host unreachable.
Request timed out.
Request timed out.

Ping statistics for 102.210.54.10:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

C:\Users\admin>

paul driver · ‎02-27-2024

Hello
You failed to mention that you were using bgp. as based on your OP it was all static routing, Now you show the full run cfg,
It looks like presently with those static routes being applied and what’s showing in route table suggests:

Ingress = you are supposed to be receiving a default from BGP but the applied static default is overriding this?
Egress = traffic you are advertising 102.210.54.0/23 le 32 and that is it - which make no sense tbh?

I would say remove all those statics, soft clear the bgp process and check your route table thereafter.
Lastly post a topology diagram of your network as I do not see where your dedicated internet access is (DIA) as you show ONLY a single Wan interface at this time, which raises the question- How are you expecting to route direct to the internet?

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 41.207.242.133
no ip route 102.210.54.0 255.255.254.0 41.207.242.133 210
no ip route 102.210.54.0 255.255.254.0 Null0 250
no ip route 102.210.54.10 255.255.255.255 GigabitEthernet0/0/0
no ip nat inside source list 10 pool HUB_INTERNET overload

clear bgp ipv4 unicast * soft

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

dissai · ‎02-27-2024

Hello Paul,
Below is the topology. ISP Public is 41.207.242.134 second ISP soon is going to connect.