03-28-2022 02:36 PM
Hi! So I have this network and I need to apply NAT overload on router 1 and router 2. Whenever I apply it (NAT overload) on 1 of them, everything is fine, I can ping every device on the whole network. But when I apply it on the second router, I can no longer ping between LAN1 and LAN2 (ping from/to WAN is still working).
The routing protocol is OSPF (just in case it matters).
Commands used on Router 1:
int eth0/0/0
ip nat inside
int fa0/1
ip nat inside
int fa0/0
ip nat outside
exit
ip access-list standard LIST1
permit 192.168.3.0 0.0.0.255
exit
ip nat inside source list LIST1 int fa0/0 overload
Commands used on Router 2:
int eth0/0/0
ip nat inside
int fa0/1
ip nat inside
int fa0/0
ip nat outside
exit
ip access-list standard LIST2
permit 192.168.5.0 0.0.0.255
exit
ip nat inside source list LIST2 int fa0/0 overload
Could you please help me? I've been struggling with it for a couple of hours, tried multiple things, but couldn't figure it out.
Thank you!
03-29-2022 08:48 AM
Hello,
It is a flaw in Packet Tracer; NAT on opposite routers does not work. In the real world it obviously would, as all routers are using NAT.
Either way, what they want you to do is use NAT for accessing the Internet, and the VPN for accessing the LANs. The configs are below (I have also attached the revised Packet Tracer project file, saved in version 8.1.1).
Router1#sh run
Building configuration...
Current configuration : 1661 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router1
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key cisco123 address 150.217.59.22
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-CM 100 ipsec-isakmp
set peer 150.217.59.22
set pfs group5
set security-association lifetime seconds 86400
set transform-set TS
match address 100
!
spanning-tree mode pvst
!
interface FastEthernet0/0
ip address 150.217.59.18 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map IPSEC-CM
!
interface FastEthernet0/1
ip address 192.168.3.9 255.255.255.248
ip helper-address 172.16.3.2
ip helper-address 192.168.3.10
ip helper-address 192.168.3.3
ip nat inside
duplex auto
speed auto
!
interface Ethernet0/0/0
ip address 192.168.3.1 255.255.255.248
ip helper-address 192.168.3.2
ip helper-address 192.168.3.3
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.3.0 0.0.0.7 area 0
network 192.168.3.8 0.0.0.7 area 0
network 150.217.59.16 0.0.0.3 area 0
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
access-list 100 permit ip 192.168.3.0 0.0.0.15 192.168.5.0 0.0.0.15
ip access-list extended NAT
deny ip 192.168.3.0 0.0.0.15 192.168.5.0 0.0.0.15
permit ip 192.168.3.0 0.0.0.15 any
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
Router2#sh run
Building configuration...
Current configuration : 1628 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router2
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key cisco123 address 150.217.59.18
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-CM 100 ipsec-isakmp
set peer 150.217.59.18
set pfs group5
set security-association lifetime seconds 86400
set transform-set TS
match address 100
!
spanning-tree mode pvst
!
interface FastEthernet0/0
ip address 150.217.59.22 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map IPSEC-CM
!
interface FastEthernet0/1
ip address 192.168.5.9 255.255.255.248
ip helper-address 192.168.5.2
ip nat inside
duplex auto
speed auto
!
interface Ethernet0/0/0
ip address 192.168.5.1 255.255.255.248
ip helper-address 192.168.5.2
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.5.0 0.0.0.7 area 0
network 192.168.5.8 0.0.0.7 area 0
network 150.217.59.20 0.0.0.3 area 0
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list standard LIST2
permit 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.15 192.168.3.0 0.0.0.15
ip access-list extended NAT
deny ip 192.168.5.0 0.0.0.15 192.168.3.0 0.0.0.15
permit ip 192.168.5.0 0.0.0.15 any
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end
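The pairing this reply relies on can be checked mechanically: on IOS, inside-to-outside NAT is applied before the crypto map is consulted, so LAN-to-LAN traffic has to be denied in the NAT ACL ahead of the permit, and crypto ACL 100 has to mirror the peer's. The following Python check is an added example, not part of the original post; `acl_lines`, `parse_acl` and `audit` are hypothetical names, the sample text is constructed from the ACL lines in the two configs above, and only contiguous wildcard masks are handled.

```python
import ipaddress

def acl_lines(lan, peer):  # constructed sample, mirroring the ACLs in the configs above
    return (f"access-list 100 permit ip {lan} 0.0.0.15 {peer} 0.0.0.15\n"
            "ip access-list extended NAT\n"
            f" deny ip {lan} 0.0.0.15 {peer} 0.0.0.15\n"
            f" permit ip {lan} 0.0.0.15 any\n")
R1, R2 = acl_lines("192.168.3.0", "192.168.5.0"), acl_lines("192.168.5.0", "192.168.3.0")

def _net(tokens):
    """Consume 'any' or '<address> <wildcard>' from the front of the token list."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = tokens.pop(0), tokens.pop(0)
    return ipaddress.ip_network(f"{addr}/{wildcard}")  # assumes a contiguous wildcard

def parse_acl(config, name):
    """Return [(action, src, dst)] for the 'ip' entries of a numbered or named ACL."""
    entries, current = [], None
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "access-list"]:
            current = t[-1]  # header of a named ACL; its entries follow
            continue
        acl, t = (t[1], t[2:]) if t[:1] == ["access-list"] else (current, t)
        if acl == name and t[:2] in (["permit", "ip"], ["deny", "ip"]):
            rest = t[2:]
            entries.append((t[0], _net(rest), _net(rest)))
    return entries

def audit(local, remote, crypto_acl="100", nat_acl="NAT"):
    """Check one router against its peer; an empty list means no findings."""
    findings = []
    flows = {(s, d) for a, s, d in parse_acl(local, crypto_acl) if a == "permit"}
    peer = {(d, s) for a, s, d in parse_acl(remote, crypto_acl) if a == "permit"}
    if flows != peer:
        findings.append("crypto ACLs are not mirror images")
    for src, dst in sorted(flows):
        for action, s, d in parse_acl(local, nat_acl):
            if action == "deny" and src.subnet_of(s) and dst.subnet_of(d):
                break  # exempted from NAT before any permit matches
            if action == "permit" and src.overlaps(s) and dst.overlaps(d):
                findings.append(f"{src} -> {dst} is translated before encryption")
                break
    return findings
```

Run against a NAT ACL that lacks the leading `deny`, `audit` reports the tunnel flow as translated before encryption; traffic in that state no longer matches ACL 100 and leaves the router outside the tunnel.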
03-28-2022 02:43 PM
Yes, that is normal.
You have 2 options in general:
1. Create a tunnel between Router 1 and Router 2, make LAN-to-LAN communication
2. Allow incoming connections from the Router 1 NAT IP on Router 2 (same the other way around) to reach the LAN IP address
If this is the Internet (most deployments in the real world are VPN between sites)
03-28-2022 03:05 PM
Hello,
post your zipped Packet Tracer project (.pkt) file...
03-29-2022 07:38 AM
03-29-2022 09:24 AM
Thank you so much!