06-01-2022 11:43 AM - edited 06-01-2022 11:43 AM
Hi all,
I'm currently practicing some NAT/PAT as I'm not completely understanding it yet.
I've made this setup, which is based off of my home network + ISP (IPs not correct though):
I've set up PAT on R1 (100.100.252.49 to 227.21.26.44) and R2 (100.100.252.49 to 227.21.26.44) to mimic the "Public IP address" I'm getting from my ISP (as far as I'm aware it's just a direct forward of all packets hitting 227.21.26.44).
I have attached the config-files of R1, R2 and R3.
Am I missing a specific step, or am I completely misunderstanding how NAT/PAT works? I can ping 220.220.200.4 from PC0 to R3 and I get a response, but the translation does not seem to work on R2 (only NAT misses).
06-01-2022 11:52 AM
Hi
Your configuration seems OK but I did not understand why you are doing double NAT. R1 will deliver the NATted IP address to R2 already.
06-01-2022 11:56 AM
Hi Flavio,
My apologies, I should've made myself clearer.
To understand NAT/PAT better, I based the topology on my current network where I am behind CGNAT. From the information I could gather, my first NATing is on my router (R1 in the topology). Then it happens again at the ISP gateway (R2 in the topology). There is no specific end goal to this assignment besides my own clarification and understanding NAT/PAT at a more realistic level.
Best,
Jacob
06-01-2022 12:10 PM
Got it.
If you can share your Packet Tracer project it would be easier to look. Need to zip it first.
I suspect that the problem can be on the ACL on R2. It should match the addressing coming from R1 and not R2's interface.
06-01-2022 12:35 PM
06-01-2022 12:56 PM - edited 06-02-2022 04:01 AM
Working now.
A few things I changed. For the default route, I prefer to use 0.0.0.0 0.0.0.0 "ip next hop". I don't like to use the interface. But, not the most important thing.
The routing in R2 needs to be specific, I mean, I can't just have one default route as it is in the middle of the row.
The IP address 220.220.200.4 actually did not exist so I had to create it as a loopback on R3.
The ACL also needs to be changed to match the NATed traffic from the previous router and not the interface of the current router.
R1:
Router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 100.100.252.58:83 192.168.1.11:83 220.220.200.4:83 220.220.200.4:83
icmp 100.100.252.58:84 192.168.1.11:84 220.220.200.4:84 220.220.200.4:84
icmp 100.100.252.58:85 192.168.1.11:85 220.220.200.4:85 220.220.200.4:85
R2:
Router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 217.21.26.44:86 100.100.252.58:86 220.220.200.4:86 220.220.200.4:86
icmp 217.21.26.44:87 100.100.252.58:87 220.220.200.4:87 220.220.200.4:87
icmp 217.21.26.44:88 100.100.252.58:88 220.220.200.4:88 220.220.200.4:88
icmp 217.21.26.44:89 100.100.252.58:89 220.220.200.4:89 220.220.200.4:89
06-01-2022 12:36 PM
On R2 change this -
access-list 1 permit host 100.100.252.49
to
access-list 1 permit host 100.100.252.58
Jon
06-01-2022 12:51 PM
That was a very simple solution, thank you very much Jon!
Can you explain to me why the 100.100.252.58 host is used, and not the 100.100.252.49 as that is the incoming interface's IP-address? Would the packet not have a source IP of 100.100.252.49 as it leaves R2?
06-01-2022 12:59 PM
You have translated the 192.168.1.x IP to 100.100.252.58 on R1 so when the packet arrives at R2 that is the source IP of the packet and so that is what you need to match in your NAT acl on R2.
As it leaves R2 to R3 it would then have a source IP of 227.21.26.44 which I believe is what you wanted.
Jon
06-01-2022 02:56 PM
Hi Jon,
Thank you very much for taking your time to explain this.
I took some time to think about what you wrote, and look at the packets as they traversed the networks. I think I understand the NAT-process on the routers now.
I just have one last question I hope you can/will answer (I have tried my best to make it precise and short):
How does the IP address of gig0/0/1 on R2 (100.100.252.49) factor in when I use the "ip nat inside" command on that interface?
I might be mixing some things together, but it's like a thorn in my eye that the ip address on that interface isn't used in the NAT-translation, when that specific command is set on that interface. I hope it makes sense.
Best,
Jacob
06-01-2022 03:11 PM - edited 06-01-2022 03:16 PM
The "ip nat inside" on the router interface doesn't mean it has to use the IP address that is assigned to that interface which I think is where you are getting confused.
Those NAT statements, both "ip nat inside" and "ip nat outside" are telling the router that packets arriving on those interfaces may need to be translated depending of course on the rest of the configuration in terms of acl etc. but it doesn't mean the IPs assigned to those interfaces have to be used in the translation.
In your configuration you are using the IP address of the interface with "ip nat outside" configured but you don't have to, i.e. you could create a pool of IPs that are used for translation, none of which are assigned to any physical interfaces on the router.
But you would still need the "ip nat inside" and "ip nat outside" statements under the interfaces for the router to know it has to translate the source (or destination) IPs in the packets.
Hope that makes sense, if not feel free to ask further.
Jon
06-02-2022 07:49 AM
Hi Jon,
You've helped me a bunch of times, and I can't express how much I appreciate it.
Your explanation is on point and very precise. I hadn't thought about using a pool of available, translatable addresses on a router which doesn't correspond to the outgoing interface of that router. But how would that work on a packet level? Would the SRC IP of that packet be one of the addresses in the pool or be that of the interface? I guess it would be one of the pooled addresses (I hope so).
06-03-2022 01:59 PM
Yes, the source IP would be one of the addresses in the pool.
The pool of IPs can either belong to the same subnet as the IP on the outside interface, in which case the router will respond to proxy ARP requests for IPs from the pool, or they can be different as long as that subnet is routed to the outside interface of your router.
Jon
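To make the two points in this thread concrete (the R2 access-list has to match the source address R1 already translated to, not R2's own inside interface address, and the translated source can come from a pool instead of the outside interface), here is a small Python model of the lab's double PAT. It is an added example written for this page, not Packet Tracer or IOS code; the addresses are the lab values from the posted "show ip nat translations" output, while the pool address 217.21.26.50, the port handling and the miss counter are assumptions of the example.

```python
"""Two-hop PAT (NAT overload) model of the lab in this thread (added example).

PC0 192.168.1.11 -> R1 -> R2 -> R3 (loopback 220.220.200.4).  Each router has
an 'ip nat inside' and an 'ip nat outside' interface, an access-list that picks
which sources are translated, and translates to either the outside interface's
address or a pool address.  Lab addresses come from the thread; the pool
address, port handling and miss counter are simplifications of this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int   # for ICMP this is the echo identifier, shown as a port by IOS
    dport: int


@dataclass
class PatRouter:
    name: str
    acl: frozenset          # hosts from 'access-list 1 permit host ...'
    outside_ip: str         # address configured on the 'ip nat outside' interface
    pool: tuple = ()        # 'ip nat pool' addresses; empty = use outside_ip
    # rows like 'show ip nat translations': (inside global, inside local, outside)
    translations: list = field(default_factory=list)
    misses: int = 0         # counted like the Misses line of 'show ip nat statistics'

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Packet arrives on the 'ip nat inside' interface and leaves via the
        'ip nat outside' interface.  Only the ACL decides whether it is
        translated; the inside interface's own address plays no part."""
        if pkt.src not in self.acl:
            self.misses += 1            # no translation: packet leaves unchanged
            return pkt
        for inside_global, inside_local, _ in self.translations:
            if inside_local == (pkt.src, pkt.sport):    # reuse existing entry
                return Packet(inside_global[0], pkt.dst, inside_global[1], pkt.dport)
        global_ip = self.pool[0] if self.pool else self.outside_ip
        used = {ig for ig, _, _ in self.translations}
        global_port = pkt.sport         # keep the port unless another host has it
        while (global_ip, global_port) in used:
            global_port += 1            # the "P" in PAT: disambiguate by port
        self.translations.append(((global_ip, global_port), (pkt.src, pkt.sport),
                                  (pkt.dst, pkt.dport)))
        return Packet(global_ip, pkt.dst, global_port, pkt.dport)

    def outside_to_inside(self, pkt: Packet) -> Packet:
        """Reply arriving on the outside interface: look up the inside global
        (address, port) pair and restore the inside local address."""
        for inside_global, inside_local, _ in self.translations:
            if inside_global == (pkt.dst, pkt.dport):
                return Packet(pkt.src, inside_local[0], pkt.sport, inside_local[1])
        self.misses += 1
        return pkt


def build(r2_acl_host: str, r2_pool: tuple = ()):
    """R1 and R2 as in the thread; r2_acl_host is the host in R2's access-list 1."""
    r1 = PatRouter("R1", frozenset({"192.168.1.11"}), "100.100.252.58")
    r2 = PatRouter("R2", frozenset({r2_acl_host}), "217.21.26.44", r2_pool)
    return r1, r2


def ping(r1: PatRouter, r2: PatRouter, src="192.168.1.11",
         dst="220.220.200.4", ident=83):
    """One echo request from PC0 through R1 and R2, and R3's reply back.
    Returns (source address R3 sees, address the reply is finally delivered to)."""
    req = r2.inside_to_outside(r1.inside_to_outside(Packet(src, dst, ident, ident)))
    rep = Packet(req.dst, req.src, req.dport, req.sport)     # R3 answers the echo
    rep = r1.outside_to_inside(r2.outside_to_inside(rep))
    return req.src, rep.dst


if __name__ == "__main__":
    for acl_host, pool in (("100.100.252.49", ()),        # original, broken config
                           ("100.100.252.58", ()),        # Jon's fix
                           ("100.100.252.58", ("217.21.26.50",))):  # assumed pool
        r1, r2 = build(acl_host, pool)
        seen, delivered = ping(r1, r2)
        print(f"R2 acl host {acl_host} pool {pool or '-'}: R3 sees {seen}, "
              f"reply delivered to {delivered}, R2 misses {r2.misses}, "
              f"R2 table {r2.translations}")
```

With the original access-list (host 100.100.252.49) the ping still succeeds, exactly as the first post reports, but R2 records only misses and R3 sees R1's translated address 100.100.252.58; with host 100.100.252.58 R2 builds the entry 217.21.26.44:83 <-> 100.100.252.58:83 shown in the posted output, and with a pool the source R3 sees is the pool address rather than the outside interface's own.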