Trouble getting 3825 to NAT/PAT with L2/L3 Switch

Superfrog
Level 1

Ok folks, been beating my head on the wall for a bit on this, I'm referring to brain trust.  A bit of a background, I recently graduated from school and I focused on Cisco.  After a break to finish the rest of my studies, take a break from studies, and spend time with the fam; I recently fired up the home network to start going back over what I learned and begin prepping for the CCNA.  I also work as a tech writer, so anything I can learn to better understand the systems I work with helps as well.  My home lab is 3x 3825 Routers, 2x 3750-48TS L3 switches and a 3590 L2 switch.  All have the latest IOS.

 

My ultimate goal is to create a fairly complex architecture for testing and observing how changes I make in ACL's, QoS, trunking, and so on affect the network and the hosts.  The issue I've run into is getting a simple ROS setup to NAT to my home network (to simulate the ISP and allow hosts access to the Internet).  I've been up and down the internet looking for solutions and am at a brick wall.  I've attached my current very simple config for a single switch and router, with a single VLAN and trunk.

 

What I'm seeing is that when I initiate a ping from any interface from the router to the WAN, I get a return like I expect.  I've put a deny in my access-list to check that as well.  I can also ping to the switch (VLAN 25 192.168.25.101) and the host (192.168.25.10).  From the switch, in L2 config, I can ping each router interface.  It's when I ping the WAN (I use 8.8.8.8 and my home router 220.100.15.1 - no not my public address) I get nothing.  

 

I set up debug ip icmp on both devices and see the syslog pop when going device to device or router to WAN.  I get nothing when going switch to WAN. 

  • I've tried default-route on the switch to trunk interface, loopback, and to the WAN. 
  • I've tried static routes.  I've tried putting IP NAT INSIDE on the trunk interface. 
  • I've tried a static IP address on the IP NAT OUTSIDE. 
  • I've tried using IP NAT ENABLE on both interfaces.
  • I've tried a pool of addresses and a single address
  • In the IP NAT INSIDE SOURCE, I've used the interface and the port address.
  • And a few other things that I've done but am going in circles now...

I also cabled up one of my second routers to act as the WAN and used it to at least to see if I was getting traffic.  I set it up using my home network address and set up a loopback with 8.8.8.8 (not connected of course).  Like if I was connected, the router interfaces could ping both sides of the NAT and I had syslogs from the debug on both devices.  Here's where I get really confused... when I pinged from the switch, I can see the ICMP packets at the second router, but not the return at the switch.

 

I've copied and pasted the configuration to my other switch and other router and got the same results, just to rule out hardware.

 

I've also tried, briefly, going L3 on the switch with identical results.  (Want to get the L2 down first since I do see this at work.)  

 

Lastly, I decided to put one of the routers in between the switch and the NAT router and BAM... I could ping the WAN from the switch.  The IP NAT config is very similar to what I have in the attached files as well.

 

I know at one point I had ROS working and I have saved configs from school practice that worked.  Those are part of what I'm using ATM.

 

So, any help will be greatly appreciated.  I have a good understanding of networks, just not a lot of experience yet... so any gems will also be greatly appreciated.  Need any more info, I'll be glad to provide.  

 

Thanks in advance!


Deepak Kumar
VIP Alumni

Your question is a little bit confusing for me. Actually, I am not sure what you want to achieve. If I am not wrong, you are trying to ping 8.8.8.8 or another WAN public IP from your switch with no luck.  First, please make some changes in your router:

1. Add a default route toward your WAN gateway or exit interface, as

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

Please verify the following things:

1. show ip nat translations

2. show ip route

3. The routing table on your WAN router (if this is your lab then you definitely have access).

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Well, in short, this issue was just trying to get a simple NAT going for a ROS configuration.  I should have added that the show ip route did show the gateway of last resort was set on the router for my home router.  However, in my searching I didn't see that you could use the interface, and really should have looked in the command at the console.  However, when I added your suggested route, the gateway then showed as:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

One of the responses below added dhcp at the end of that command and that also helped.

 

Thanks for responding, more info for the note book.

Hello

have you attached any configuration files?

 

if not, can you please share, and maybe a small topology diagram also

on a side note:

 

Res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

 

the 'log' keyword at the end of your access list 10 disables NAT, remove that and try again. I have edited the router configuration (changes in bold):

 

Building configuration...


Current configuration : 1866 bytes
!
! Last configuration change at 02:33:17 UTC Fri Jan 26 2018
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3825_Router1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
memory-size iomem 5
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name Froglabs.com
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid CISCO3825 sn FTX1241A3J5
!
redundancy
!
interface Loopback10
ip address 172.16.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
media-type sfp
negotiation auto
!
interface GigabitEthernet0/0.25
encapsulation dot1Q 25 native
ip address 192.168.25.1 255.255.255.0
ip nat inside
!
interface Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/1/0
no ip address
shutdown
!
router rip
version 2
network 172.16.0.0
network 192.168.25.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit 172.16.0.0 0.0.255.255
!
control-plane
!
mgcp profile default
!
line con 0
logging synchronous
line aux 0
line 194
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
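As an added illustration (not from this thread, and not Cisco code), a small Python audit that checks a saved running-config for the three points the replies above turn on: a `log` keyword on the ACL referenced by `ip nat inside source list`, interfaces marked `ip nat inside` / `ip nat outside`, and a default route. The sample config is constructed to reproduce the broken state, and the second function returns a copy with `log` stripped from the NAT ACL only.

```python
import re

# Constructed sample: a trimmed IOS config reproducing the pitfall in the thread
# (the NAT ACL carries the 'log' keyword), not the poster's full configuration.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0.25
 ip address 192.168.25.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp
access-list 10 permit 192.168.0.0 0.0.255.255 log
access-list 10 permit 172.16.0.0 0.0.255.255
"""

def nat_acl_numbers(config: str) -> set:
    """ACL identifiers referenced by 'ip nat inside source list <acl> ...'."""
    return set(re.findall(r"^ip nat inside source list (\S+) ", config, re.M))

def audit_nat(config: str) -> list:
    """Return findings for the PAT misconfigurations discussed in the thread."""
    findings = []
    acls = nat_acl_numbers(config)
    if not acls:
        findings.append("no 'ip nat inside source list' statement")
    for acl in acls:
        for line in re.findall(rf"^access-list {re.escape(acl)} .*$", config, re.M):
            # 'log' / 'log-input' on a NAT ACL entry stops translation for that ACL
            if re.search(r"\blog(-input)?\b", line):
                findings.append(f"ACL {acl} entry carries 'log', which disables NAT: {line}")
    for side in ("inside", "outside"):
        # interface sub-commands are indented in a running-config
        if not re.search(rf"^\s+ip nat {side}\s*$", config, re.M):
            findings.append(f"no interface marked 'ip nat {side}'")
    if not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append("no default route toward the NAT outside interface")
    return findings

def strip_log_from_nat_acls(config: str) -> str:
    """Return the config with 'log'/'log-input' removed from NAT ACL entries only."""
    acls = nat_acl_numbers(config)
    out = []
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) ", line)
        if m and m.group(1) in acls:
            line = re.sub(r"\s+\blog(-input)?\b", "", line)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for finding in audit_nat(BROKEN_CONFIG):
        print("FINDING:", finding)
    print("after fix:", audit_nat(strip_log_from_nat_acls(BROKEN_CONFIG)))
```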

 

Georg, you're the man!  I've definitely got a couple of take-aways and questions but it does appear that the log statement in my ACL was causing problems.

 

As I replied in an above statement, I wasn't aware that the ip route statement could take an interface which is good to know!  After I got my ROS to work, I configured the 3750 as L3 and used that same statement with the interface to the router.  Good stuff.

 

I was also setting up the Loopback to act as an intermediary for the trunk interfaces (was planning on setting up several for testing) but it looks like the NAT INSIDE has to be on the physical or virtual interface it originates on the device?  That's the way I read it.  Set up a couple other VLANs and trunked.  Only added the nat statement to one... yep only the subinterface with the nat statement connected.  I know I did try this, but I also started using the ACL with logging early on, which probably broke things more.

 

So, the question is why?  If I set up a router in between the NAT router and the switch, everything works with NAT, just when I'm going switch to router?  In my searching for a solution, I do think I remember all the examples didn't use log, and I understand the impact of using ACL logs (and debug) in a production environment, but seems to be a good tool in a testing environment.  Any other instances where ACL logs would have such a negative impact?

 

Anyway, I'm off and running.  Thanks for the assist!

Hello,

 

other than NAT, I am not aware of access list logging disabling entire features. In the case of NAT, if you don't know that it does disable NAT, it can be very frustrating, because everything else is configured correctly and you have no idea why it doesn't work...

 

As for the NAT inside statement, this simply determines which interface is supposed to be the source of the NAT. There are scenarios where you can use NAT on Loopback interfaces, such as the one below...

 

Network Address Translation on a Stick

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6505-nat-on-stick.html