basic Nat not working

Max-kinpin (Level 1)

[attached image: nat.JPG]

Good day. I am having an issue with NATting from local devices to devices on the other side of the internet. In the NAT table it shows that the address is being translated, but locally all it says is that the destination host is unreachable.

The configuration is as follows:

hostname R1
!
ip cef
no ipv6 cef
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0/0
 ip address 80.80.80.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list NAT-TRANS101 interface GigabitEthernet0/0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 80.80.80.1
!
ip flow-export version 9
!
ip access-list standard NAT-TRANS101
 permit 192.168.10.0 0.0.0.255
 permit host 0.0.0.0
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

--------------------------------------------------------------------------------

hostname ISP
!
ip cef
no ipv6 cef
!
license udi pid CISCO2911/K9 sn FTX1524QRW0
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 80.80.80.1 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 40.40.40.1 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 5
 log-adjacency-changes
 network 80.80.80.0 0.0.0.3 area 0
 network 40.40.40.0 0.0.0.3 area 0
!
ip classless
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

--------------------------------------------------------------------------------

hostname R2
!
ip cef
no ipv6 cef
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0/0
 ip address 40.40.40.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list R2-NAT interface GigabitEthernet0/0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 40.40.40.1
!
ip flow-export version 9
!
ip access-list standard R2-NAT
 permit 192.168.20.0 0.0.0.255
 permit host 0.0.0.0
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


7 Replies

Jon Marshall (Hall of Fame)

You are only doing NAT on the source IPs and the ISP router does not have routes for either 192.168.10.x or 192.168.20.x.

So when the packet arrives at the ISP router it cannot forward it because it does not know where to send it.

Jon

@Jon Marshall wrote:

You are only doing NAT on the source IPs and the ISP router does not have routes for either 192.168.10.x or 192.168.20.x.

So when the packet arrives at the ISP router it cannot forward it because it does not know where to send it.

Jon
Is it a must that I put routes for the 192.168.20.x and 192.168.10.x?

I just want them to get to the internet via default routes.

My objective is just to use default routes to get to the internet without the ISP "knowing" about 192.168.10.x and 192.168.20.x. To me though it seems as if it can ping but something is wrong, something else. [attached images: sample 2.JPG, sample 1.JPG]

Jon's point is still valid. You are now doing source NAT to hide your 192.168.10.x addresses, so far so good, but you are still trying to connect to the un-NATed 192.168.20.x on the far end, so your internet router in the middle has no routes to that.

You need to NAT the destination as well; your outside global IP addresses can't be private IP addresses.

cheers



@Dennis Mink wrote:

Johns point is still valid, you are now doing source NAT to hide your 192.168.10.x addresses, so far so good, but you are still trying to connect to the unnated 192.168.20.x on the far end, so your :internet router in the middle has not routes to that. 

 

you need to NAT destination as well, your outside global IP addresses cant be private IP addresses

 

cheers


I don't really understand what you are saying. Could you explain a bit more? You stated that I need to NAT the destination; I don't really understand what you mean by that. I do, however, understand when you say that my outside global IP addresses can't be private, but I don't know of a way to change that.

Here is a slightly different way of understanding this issue. You are doing dynamic NAT. This translates your private source address. This allows your devices with private addresses to initiate traffic to the outside networks. It enables outbound traffic. But it does not enable traffic from the Internet to initiate traffic to your device with a private address. To do that you need a static NAT.

Your current config with a static default route is sufficient to allow your traffic to get to devices on the outside. But it is not sufficient to allow it to receive traffic initiated from outside.

HTH

Rick

Thanks a lot. One question though: is there a scenario in which it would work with dynamic NAT while maintaining the default route?

Whether it would work with dynamic NAT and with only a default route depends on what you want it to do. If you want devices in your network to be able to access Internet resources then dynamic NAT with a default route works ok. Your PC should be able to ping, or browse the web, or whatever you want. If you want something on the outside to be able to initiate traffic to your PC then dynamic NAT is a challenge.

To understand this we need to think about how dynamic NAT works. Initially the translation table is empty. When your PC sends a web browser packet to something outside, the router makes an entry in the translation table. The entry has your PC's private address, the public address it translated to, and the source and destination port numbers. Then the router sends the web packet out. The web server sends a response. The response gets to the router, which looks at the public address and the port numbers and checks the translation table. When it finds a match it gets the private address from the table entry, puts that into the web packet and sends it to your PC.

That works and I hope is easy to understand. Now think about what happens if some device outside attempts to send something to your PC. It cannot send to your private address, so it must send the packet to the public address. The packet gets to your router, which looks into the translation table hoping to find a match. But there is not any entry in the translation table that matches the address and port numbers.

So if you want devices in the outside networks to be able to initiate traffic to your PC (or your web server or whatever you want to be accessible from the Internet) then you need a static NAT entry, which will always have an entry in the translation table.

You have asked if there is any scenario in which dynamic NAT and a default route would work. And I can think of one scenario in which it could work. If your PC has initiated traffic to the Internet and there is a dynamic entry in the translation table for your private address, then it could be possible that some other device on the Internet could send a packet to the router that could match the dynamic entry and get to your PC. While this could work it is certainly not a very practical way to operate a network.

HTH

Rick
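The translation-table walk-through above, as an added Python model (example code, not from the thread and not IOS behaviour): R1's outside address 80.80.80.2 and the 192.168.10.0/24 inside network come from the posted config; the hosts 192.168.10.10 and 192.168.10.50, the ports, the static entry and the class names PatRouter, Packet and scenario are constructed for the example. The model matches inbound packets on the global port only; real overload entries also record the remote address and port, so whether the third-party case actually matches depends on the platform, which is why it is a risk to be aware of rather than something to rely on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    """Inside-source NAT with overload (PAT) as described in the thread (model)."""

    def __init__(self, outside_ip, static=None):
        self.outside_ip = outside_ip
        self.next_port = 1024
        # dynamic entries: global port -> (inside local address, inside local port)
        self.dynamic = {}
        # static entries exist from configuration, not from traffic (constructed)
        self.static = dict(static or {})

    def outbound(self, pkt):
        """Inside -> outside: translate the source and record the entry."""
        inside = (pkt.src, pkt.sport)
        for gport, entry in self.dynamic.items():
            if entry == inside:
                break
        else:
            gport, self.next_port = self.next_port, self.next_port + 1
            self.dynamic[gport] = inside
        return Packet(self.outside_ip, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside: untranslate if an entry matches, else drop (None)."""
        if pkt.dst != self.outside_ip:
            return None
        entry = self.static.get(pkt.dport) or self.dynamic.get(pkt.dport)
        if entry is None:
            return None
        return Packet(pkt.src, pkt.sport, entry[0], entry[1])


def scenario():
    """R1 with constructed hosts/ports; returns the four cases from the thread."""
    r1 = PatRouter("80.80.80.2", static={8080: ("192.168.10.50", 80)})
    out = r1.outbound(Packet("192.168.10.10", 51000, "40.40.40.2", 80))
    return {
        "reply": r1.inbound(Packet("40.40.40.2", 80, "80.80.80.2", out.sport)),
        "unsolicited": r1.inbound(Packet("40.40.40.2", 80, "80.80.80.2", 2000)),
        "static": r1.inbound(Packet("40.40.40.2", 40000, "80.80.80.2", 8080)),
        "third_party": r1.inbound(Packet("40.40.40.99", 7, "80.80.80.2", out.sport)),
    }
```

The reply to the PC's own connection and the static entry are delivered, the unsolicited packet is dropped for lack of a table entry, and the third-party packet only gets through because a dynamic entry happens to exist.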