Can't ping from outside to inside NAT

Asemmoqbel
Level 1

I'm doing a lab about NAT and I came to a point where I need an explanation, because I really don't know whether there is an issue or not.

My lab is shown in the photo. My router is connected to the ISP router and to a switch for the LAN users.

I am using PAT to NAT all LAN users to the internet with one single IP. When I did the lab and configured NAT, I could see the translations working, and I can ping from the inside LAN (192.168.1.0/24) to the outside address (50.3.3.3) with the NATed IP of the WAN interface (1.2.2.2). But when I go to the server (50.3.3.3) and try to ping the inside LAN (192.168.1.0/24), I can only ping one IP out of the subnet and the rest are dropped.

Now I'm wondering: is it OK in PAT (NAT overload) to only be able to ping from inside to outside and not vice versa, or is something wrong with my lab and it should be pingable? And please, could someone explain how the traffic flow is done in NAT so I know how to troubleshoot?

Note: I am using VMware stations as hosts to confirm ping reachability.

Thank you

[image: test nat.jpg]

Accepted Solution

Hi,

When you do PAT, you are using, most of the time, a single public IP address to translate private IP addresses so that devices with private IP addresses can reach the outside world. However, there is no one-to-one mapping/translation of IP addresses. Instead, the translation will be many-to-one using different port numbers (Layer 4 protocols).

Ping does not use any Layer 4 protocol (TCP/UDP). ICMP packets run on top of IP (Layer 3). As a result, with PAT configured, you cannot ping several devices on the inside network (192.168.1.0/24) from the outside world.

In your case, you should not be able to ping devices in the 192.168.1.0/24 network because they are not Internet-routable IP addresses. If you want to reach any device in your internal network from the Internet (e.g. from 50.3.3.3), you will need to do "destination NAT" on your router and ping the routable address (1.2.2.2).

HTH,
Meheretab
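To make the traffic flow the question asks about concrete, here is a small Python model of the translation table a PAT router builds. It is an added example, not code from this thread or from Cisco. The addresses are the ones from the question (inside LAN 192.168.1.0/24, WAN interface 1.2.2.2, outside server 50.3.3.3); the inside host addresses 192.168.1.10, .11 and .20, the port numbers and the ICMP echo identifiers are constructed for the example. It shows why an outbound ping works and its reply gets back in, why an outside-initiated ping to 1.2.2.2 (or straight to a private address) has no entry to match and is dropped, and how a static destination-NAT entry gives one inside host a reachable mapping.

```python
"""Toy model of PAT (NAT overload) state, added to illustrate the thread.

Real addresses from the question; ports, ICMP identifiers and the
individual inside hosts are constructed for the example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

INSIDE_NET = ip_network("192.168.1.0/24")
WAN_IP = "1.2.2.2"
OUTSIDE_SERVER = "50.3.3.3"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    # TCP/UDP: source and destination port.
    # ICMP echo: both fields carry the echo identifier, which is what PAT
    # uses in place of a port to tell echo flows apart.
    sport: int
    dport: int


class PatRouter:
    """Holds the translation table a PAT router learns from outbound traffic."""

    def __init__(self, wan_ip: str, first_port: int = 1024):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.by_inside: Dict[tuple, int] = {}   # (proto, inside ip, inside port/id) -> public port/id
        self.by_public: Dict[tuple, tuple] = {}  # (proto, public port/id) -> (inside ip, inside port/id)
        self.static: Dict[tuple, tuple] = {}     # destination NAT: (proto, public port or None) -> (inside ip, port or None)

    def add_static(self, proto: str, public_port: Optional[int],
                   inside_ip: str, inside_port: Optional[int]) -> None:
        """Static (destination) NAT: an entry that exists before any traffic,
        so outside-initiated packets to the public address have a target."""
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allocate a public port/identifier for the flow,
        remember it, and rewrite the source to the WAN address."""
        assert ip_address(pkt.src) in INSIDE_NET, "only inside hosts are translated"
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_public[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        pub = self.by_inside[key]
        new_dport = pub if pkt.proto == "icmp" else pkt.dport
        return replace(pkt, src=self.wan_ip, sport=pub, dport=new_dport)

    def inbound(self, pkt: Packet) -> Tuple[Optional[Packet], str]:
        """Outside -> inside: only packets addressed to the public IP that match
        an existing dynamic or static entry are rewritten and forwarded."""
        if pkt.dst != self.wan_ip:
            return None, "dropped: destination is not the NAT public address"
        entry = self.by_public.get((pkt.proto, pkt.dport))  # dport = port or ICMP id
        if entry is None:
            entry = self.static.get((pkt.proto, pkt.dport)) or self.static.get((pkt.proto, None))
        if entry is None:
            return None, "dropped: no translation entry for this flow"
        inside_ip, inside_port = entry
        if inside_port is None:  # whole-address static mapping: keep ports/ids as they are
            return replace(pkt, dst=inside_ip), "translated (static)"
        new_sport = inside_port if pkt.proto == "icmp" else pkt.sport
        return replace(pkt, dst=inside_ip, sport=new_sport, dport=inside_port), "translated"


def demo() -> dict:
    """Walk through the flows discussed in the thread and return each outcome."""
    r = PatRouter(WAN_IP)
    results = {}
    # Two inside hosts reuse the same source port: PAT keeps them apart by public port.
    a = r.outbound(Packet("192.168.1.10", OUTSIDE_SERVER, "tcp", 40000, 80))
    b = r.outbound(Packet("192.168.1.11", OUTSIDE_SERVER, "tcp", 40000, 80))
    results["tcp_public_ports"] = (a.sport, b.sport)
    # Inside host pings the server: the echo identifier is translated and recorded.
    out = r.outbound(Packet("192.168.1.10", OUTSIDE_SERVER, "icmp", 500, 500))
    results["outbound_ping"] = out
    # The server's echo reply to 1.2.2.2 matches that entry and is sent back inside.
    results["reply_to_inside"] = r.inbound(Packet(OUTSIDE_SERVER, WAN_IP, "icmp", out.sport, out.sport))
    # The server starts its own ping to 1.2.2.2: no entry was ever created, so it is dropped.
    results["outside_initiated_ping"] = r.inbound(Packet(OUTSIDE_SERVER, WAN_IP, "icmp", 7, 7))
    # The server pings a private address directly: it never reaches a translation.
    results["ping_private_directly"] = r.inbound(Packet(OUTSIDE_SERVER, "192.168.1.20", "icmp", 8, 8))
    # Destination NAT: map ICMP to the public address onto one chosen inside host.
    r.add_static("icmp", None, "192.168.1.20", None)
    results["after_static_nat"] = r.inbound(Packet(OUTSIDE_SERVER, WAN_IP, "icmp", 9, 9))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model's `add_static` corresponds to what the answer calls destination NAT; on Cisco IOS that is an `ip nat inside source static` entry, and the dynamic table the model builds in `outbound` is what `show ip nat translations` displays, which is the first place to look when troubleshooting: if a flow has no line there, the router has no state to match a returning or inbound packet against.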
