
Issue with NAT I think

brophy.n
Level 1

Hi Everyone,

 

Trying to pick up some networking from the past and I'm running into an issue.

I have a router that can successfully ping the outside world and behind the router I have a PC that can ping the internal and external interfaces of the router but not the next hop or the outside world.

I'm guessing it's an issue with NAT but if someone could point me in the right direction I would appreciate it.

Inside host: 192.168.1.50

Router:

Inside Interface 192.168.1.10

Outside Interface 192.168.137.10

Next Hop: 192.168.137.1

 

Config below if it helps.

-----------------------------------------------------------------------------------------------------------------

 

*Mar  1 00:36:38.735: %SYS-5-CONFIG_I: Configured from console by console
R1#show run
Building configuration...

Current configuration : 1262 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Ethernet0
 ip address 192.168.137.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 half-duplex
!
interface FastEthernet0
 ip address 192.168.1.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
!
interface Serial0
 no ip address
 shutdown
!
ip forward-protocol nd
ip forward-protocol spanning-tree
ip route 0.0.0.0 0.0.0.0 192.168.137.1
!
!
no ip http server
no ip http secure-server
ip nat pool RTR 192.168.137.10 192.168.137.10 netmask 255.255.255.252
ip nat inside source list 1 pool RTR overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 7 permit any
no cdp log mismatch duplex
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

R1#

 

 

11 Replies

Rejohn Cuares
Level 4

1. Run a continuous ping from 192.168.1.50 to 4.2.2.2.

2. Issue this command "sh ip nat translation" and post the output here.

 

NAT examples for bed time reading:

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

Please rate replies and mark question as "answered" if applicable.

Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.137.10:23277 192.168.1.50:23277 4.2.2.2:23277   4.2.2.2:23277
icmp 192.168.137.10:23789 192.168.1.50:23789 4.2.2.2:23789   4.2.2.2:23789
icmp 192.168.137.10:24301 192.168.1.50:24301 4.2.2.2:24301   4.2.2.2:24301
icmp 192.168.137.10:24813 192.168.1.50:24813 4.2.2.2:24813   4.2.2.2:24813
icmp 192.168.137.10:25325 192.168.1.50:25325 4.2.2.2:25325   4.2.2.2:25325
icmp 192.168.137.10:25837 192.168.1.50:25837 4.2.2.2:25837   4.2.2.2:25837
icmp 192.168.137.10:26349 192.168.1.50:26349 4.2.2.2:26349   4.2.2.2:26349
icmp 192.168.137.10:26861 192.168.1.50:26861 4.2.2.2:26861   4.2.2.2:26861
icmp 192.168.137.10:27373 192.168.1.50:27373 4.2.2.2:27373   4.2.2.2:27373
icmp 192.168.137.10:27885 192.168.1.50:27885 4.2.2.2:27885   4.2.2.2:27885
icmp 192.168.137.10:28397 192.168.1.50:28397 4.2.2.2:28397   4.2.2.2:28397
icmp 192.168.137.10:28909 192.168.1.50:28909 4.2.2.2:28909   4.2.2.2:28909
icmp 192.168.137.10:29421 192.168.1.50:29421 4.2.2.2:29421   4.2.2.2:29421
icmp 192.168.137.10:29933 192.168.1.50:29933 4.2.2.2:29933   4.2.2.2:29933
icmp 192.168.137.10:30445 192.168.1.50:30445 4.2.2.2:30445   4.2.2.2:30445
icmp 192.168.137.10:30957 192.168.1.50:30957 4.2.2.2:30957   4.2.2.2:30957
icmp 192.168.137.10:31469 192.168.1.50:31469 4.2.2.2:31469   4.2.2.2:31469
icmp 192.168.137.10:31981 192.168.1.50:31981 4.2.2.2:31981   4.2.2.2:31981
icmp 192.168.137.10:32493 192.168.1.50:32493 4.2.2.2:32493   4.2.2.2:32493

 

Your NAT config looks fine. What is the result if you run this command on the router - "ping 4.2.2.2 source FastEthernet0"

 

Do you have access to 192.168.137.1? Could you please tell me why you hardcoded half-duplex on interface Ethernet0?


 

Please rate replies and mark question as "answered" if applicable.
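
The check made by eye on the translation table above can be scripted. This is an added example, not code from anyone in the thread: it parses "sh ip nat translation" output and flags rows whose inside local address is not matched by access-list 1 or whose inside global address is not the pool RTR address. The sample rows, the function names and the two failing rows are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: two rows in the shape of the thread's output, plus two
# constructed rows that should be flagged (wrong global address, source outside ACL 1).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.137.10:23277 192.168.1.50:23277 4.2.2.2:23277   4.2.2.2:23277
icmp 192.168.137.10:23789 192.168.1.50:23789 4.2.2.2:23789   4.2.2.2:23789
icmp 192.168.137.99:24301 192.168.1.50:24301 4.2.2.2:24301   4.2.2.2:24301
icmp 192.168.137.10:24813 10.0.0.5:24813 4.2.2.2:24813   4.2.2.2:24813
"""

# Protocol, then four addr:port pairs: inside global, inside local,
# outside local, outside global.
ROW = re.compile(r"^(\w+)\s+" + r"\s+".join([r"(\d+\.\d+\.\d+\.\d+):(\d+)"] * 4) + r"\s*$")

def acl_to_network(addr, wildcard):
    """Convert a standard-ACL address/wildcard pair (contiguous wildcard) to a network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_translations(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, blank line, or a port-less static entry
        proto, ig, _igp, il, ilp, _ol, _olp, og, _ogp = m.groups()
        rows.append({"proto": proto, "id": int(ilp),
                     "inside_global": ipaddress.ip_address(ig),
                     "inside_local": ipaddress.ip_address(il),
                     "outside_global": ipaddress.ip_address(og)})
    return rows

def audit(text, pool_addr, acl_net):
    """Return (rows, problems); problems is a list of (id, reason) tuples."""
    pool_addr = ipaddress.ip_address(pool_addr)
    rows, problems = parse_translations(text), []
    for r in rows:
        if r["inside_local"] not in acl_net:
            problems.append((r["id"], "inside local is not matched by access-list 1"))
        elif r["inside_global"] != pool_addr:
            problems.append((r["id"], "inside global is not the pool RTR address"))
    return rows, problems

if __name__ == "__main__":
    rows, problems = audit(SAMPLE, "192.168.137.10", acl_to_network("192.168.1.0", "0.0.0.255"))
    print(f"{len(rows)} translations parsed, {len(problems)} flagged")
    for ident, why in problems:
        print(f"  id {ident}: {why}")
```
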

I'm starting to suspect it might be an issue with access lists

 

I also tested static NAT and that works just fine

 

R1(config)#do ping 4.2.2.2 source FastEthernet0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.10
.!!!.
Success rate is 60 percent (3/5), round-trip min/avg/max = 52/58/72 ms
R1(config)#do ping 4.2.2.2 source FastEthernet0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.10
!.!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 48/53/56 ms
R1(config)#do ping 4.2.2.2 source FastEthernet0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.10
!!.!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 48/76/124 ms
R1(config)#

Based on your ICMP tests, you experienced packet drops. This is due to collisions (half duplex on your end, and the other end could be set to full duplex). Kindly check the interface stats to confirm this - "show int Ethernet0"

 

 

Please rate replies and mark question as "answered" if applicable.

This is just a test environment so I'm fine with dropped packets.

I just want to get NAT working.

Did you read the document I posted?

Here it is again. Go to section "Configuring NAT to Allow Internal Users to Access the Internet Using Overloading"

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

Please rate replies and mark question as "answered" if applicable.

Yes, I read through it and I thought I had everything correct.

I'll give it another go though

 

I have verified your config in GNS3 and it is all good, no issues found.

 

Topology:

R1  <<>> R2 <<>> R3

 

R1:

interface Loopback1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/0
 ip address 192.168.137.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

!

ip nat pool RTR 192.168.137.10 192.168.137.10 netmask 255.255.255.252
ip nat inside source list 1 pool RTR overload
ip route 0.0.0.0 0.0.0.0 192.168.137.1

!
access-list 1 permit 192.168.1.0 0.0.0.255

 

R2:

interface FastEthernet0/0
 ip address 192.168.137.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.10.2

 

R3:

interface Loopback1
 ip address 4.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.10.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 192.168.137.0 255.255.255.0 192.168.10.1

 


Verification:

R1#ping 4.2.2.2 source loo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/38/64 ms


R1#
R1#sh ip nat trans               
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.137.10:8  192.168.1.1:8      4.2.2.2:8          4.2.2.2:8

 

 

 

 

 

Please rate replies and mark question as "answered" if applicable.

Everything looks good as far as I can tell.

Not sure where I'm going wrong

Will half-duplex have anything to do with it?