Can't ping between 2 networks with NAT overload

neww
Level 1

[Attached image: image_2022-03-28_232243.png]

Hi! So I have this network and I need to apply NAT overload on router 1 and router 2. Whenever I apply it (NAT overload) on 1 of them, everything is fine, I can ping every device on the whole network. But when I apply it on the second router, I can no longer ping between LAN1 and LAN2 (ping from/to WAN is still working).

The routing protocol is OSPF (just in case it matters).

Commands used on Router 1:

int eth0/0/0
ip nat inside
int fa0/1
ip nat inside
int fa0/0
ip nat outside
exit

ip access-list standard LIST1
permit 192.168.3.0 0.0.0.255
exit
ip nat inside source list LIST1 int fa0/0 overload

 

Commands used on Router 2:

int eth0/0/0
ip nat inside
int fa0/1
ip nat inside
int fa0/0
ip nat outside
exit

ip access-list standard LIST2
permit 192.168.5.0 0.0.0.255
exit
ip nat inside source list LIST2 int fa0/0 overload

 

Could you please help me? I've been struggling with it for a couple of hours and tried multiple things, but couldn't figure it out.

Thank you! 

 

 

Accepted Solutions

Hello,

 

it is a flaw in Packet Tracer, NAT on opposite routers does not work. In the real world it obviously would, as all routers are using NAT.

 

Either way, what they want you to do is use NAT for accessing the Internet, and the VPN for accessing the LANs. The configs are below (I have also attached the revised Packet Tracer project file, saved in version 8.1.1).

 

Router1#sh run
Building configuration...

Current configuration : 1661 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router1
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key cisco123 address 150.217.59.22
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-CM 100 ipsec-isakmp
set peer 150.217.59.22
set pfs group5
set security-association lifetime seconds 86400
set transform-set TS
match address 100
!
spanning-tree mode pvst
!
interface FastEthernet0/0
ip address 150.217.59.18 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map IPSEC-CM
!
interface FastEthernet0/1
ip address 192.168.3.9 255.255.255.248
ip helper-address 172.16.3.2
ip helper-address 192.168.3.10
ip helper-address 192.168.3.3
ip nat inside
duplex auto
speed auto
!
interface Ethernet0/0/0
ip address 192.168.3.1 255.255.255.248
ip helper-address 192.168.3.2
ip helper-address 192.168.3.3
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.3.0 0.0.0.7 area 0
network 192.168.3.8 0.0.0.7 area 0
network 150.217.59.16 0.0.0.3 area 0
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
access-list 100 permit ip 192.168.3.0 0.0.0.15 192.168.5.0 0.0.0.15
ip access-list extended NAT
deny ip 192.168.3.0 0.0.0.15 192.168.5.0 0.0.0.15
permit ip 192.168.3.0 0.0.0.15 any
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end


Router2#sh run
Building configuration...

Current configuration : 1628 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router2
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key cisco123 address 150.217.59.18
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-CM 100 ipsec-isakmp
set peer 150.217.59.18
set pfs group5
set security-association lifetime seconds 86400
set transform-set TS
match address 100
!
spanning-tree mode pvst
!
interface FastEthernet0/0
ip address 150.217.59.22 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map IPSEC-CM
!
interface FastEthernet0/1
ip address 192.168.5.9 255.255.255.248
ip helper-address 192.168.5.2
ip nat inside
duplex auto
speed auto
!
interface Ethernet0/0/0
ip address 192.168.5.1 255.255.255.248
ip helper-address 192.168.5.2
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.5.0 0.0.0.7 area 0
network 192.168.5.8 0.0.0.7 area 0
network 150.217.59.20 0.0.0.3 area 0
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list standard LIST2
permit 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.15 192.168.3.0 0.0.0.15
ip access-list extended NAT
deny ip 192.168.5.0 0.0.0.15 192.168.3.0 0.0.0.15
permit ip 192.168.5.0 0.0.0.15 any
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
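
The interaction the accepted solution relies on, as an added example (not part of the original post or the attached project file): on IOS, inside-to-outside NAT is applied before the crypto map is checked, so LAN-to-LAN traffic must be denied in the NAT ACL or its translated source no longer matches ACL 100. The function names, the `LIST1_ACL` model of the question's standard ACL, and the sample flows are constructed for illustration.

```python
import ipaddress

OUTSIDE_IP = "150.217.59.18"  # Router1 Fa0/0, the overload (PAT) address

# Entries are (action, src, src_wildcard, dst, dst_wildcard); dst None = "any".
LIST1_ACL = [("permit", "192.168.3.0", "0.0.0.255", None, None)]  # question
NAT_ACL = [  # accepted solution: exempt LAN-to-LAN traffic, translate the rest
    ("deny", "192.168.3.0", "0.0.0.15", "192.168.5.0", "0.0.0.15"),
    ("permit", "192.168.3.0", "0.0.0.15", None, None),
]
CRYPTO_ACL = [("permit", "192.168.3.0", "0.0.0.15", "192.168.5.0", "0.0.0.15")]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    if base is None:
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def acl_permits(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


def classify(nat_acl, src, dst):
    """Model one packet leaving Router1 Fa0/0: NAT first, then the crypto map."""
    translated = acl_permits(nat_acl, src, dst)
    post_nat_src = OUTSIDE_IP if translated else src
    encrypted = acl_permits(CRYPTO_ACL, post_nat_src, dst)
    return ("nat" if translated else "no-nat", "ipsec" if encrypted else "clear")


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("192.168.3.2", "192.168.5.10"),   # LAN1 host to LAN2 host
        ("192.168.3.10", "203.0.113.10"),  # LAN1 host to an Internet address
        ("192.168.3.20", "192.168.5.10"),  # source outside the 0.0.0.15 range
    ]
    for src, dst in flows:
        print(src, dst, "LIST1:", classify(LIST1_ACL, src, dst),
              "NAT:", classify(NAT_ACL, src, dst))
```

With the question's source-only `LIST1`, LAN-to-LAN packets are translated and leave in the clear; a source such as 192.168.3.20 falls outside the `0.0.0.15` wildcard and is neither translated nor encrypted.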


balaji.bandi
Hall of Fame

Yes, that is normal.

You have 2 options in general:

1. Create a tunnel between Router 1 and Router 2 to make LAN-to-LAN communication

2. Allow incoming connections from the Router 1 NAT IP on Router 2 (and the same the other way around) to reach the LAN IP addresses

If this is the Internet (most deployments in the real world are VPNs between sites)

 

BB


Hello,

 

post your zipped Packet Tracer project (.pkt) file...

I will also need to implement a VPN tunnel (just saying in case it makes a difference)

Thank you so much! 
