766 Views | 0 Helpful | 3 Replies

NAT Example Not Working

fisnik-jashari1
Level 1

Greetings to everyone.

I am learning NAT and I am having a problem. The problem is that when I use NAT in network A (Router 1) I am able to ping every device. However, when I add NAT in network B (Router 2), NAT stops working on Router 1 (network A) and Router 2 (network B). It works to ping 172.16.10.0 and 172.16.20.0, but I can't ping 10.10.10.0 or 10.10.20.0.

I will include the running-config.

Router0

interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.10.1 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.20.1 255.255.255.240
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 passive-interface Loopback1
 network 172.16.10.0 0.0.0.15 area 0
 network 172.16.20.0 0.0.0.15 area 0
!

Router 1

ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool r1
 network 10.10.10.0 255.255.255.240
 default-router 10.10.10.1
!
ip cef
no ipv6 cef
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 172.16.10.2 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.240
 ip nat inside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 router-id 192.168.2.1
 log-adjacency-changes
 network 172.16.10.0 0.0.0.15 area 0
 network 10.10.10.0 0.0.0.15 area 0
!
ip nat pool r1 172.16.10.3 172.16.10.14 netmask 255.255.255.240
ip nat inside source list 1 pool r1
ip classless
!
ip flow-export version 9
!
access-list 1 permit 10.10.10.0 0.0.0.15

Router 2

ip dhcp excluded-address 10.10.20.1
!
ip dhcp pool r2
 network 10.10.20.0 255.255.255.240
 default-router 10.10.20.1
!
ip cef
no ipv6 cef
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface Loopback1
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.20.2 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.20.1 255.255.255.240
 ip nat inside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 passive-interface Loopback1
 network 172.16.20.0 0.0.0.15 area 0
 network 10.10.20.0 0.0.0.15 area 0
!
ip nat pool r2 172.16.20.3 172.16.20.14 netmask 255.255.255.240
ip nat inside source list 1 pool r2
ip classless
!
ip flow-export version 9
!
access-list 1 permit 10.10.20.0 0.0.0.15
!

Thank you for your help.

1 Accepted Solution

Accepted Solutions

Peter Paluch
Cisco Employee
Cisco Employee

Hi,

The problem with two NATs in your network is this: When you ping 10.10.20.2 from 10.10.10.2, your packets arrive at the 10.10.10.2. However, when 10.10.10.2 responds, its address in the response will be translated by Router2 into 172.16.20.3. Because 10.10.10.2 expects to receive a response from 10.10.20.2 and not from 172.16.20.3, it is unable to associate this response with its original request, and will cause the packet to be dropped.

Getting this configuration to work may not be that simple, as - first and foremost - you did not give us a realistic scenario to be replicated in your lab. What you have configured here is not something that would be used in a real world because if two networks are behind NAT, they do not communicate using their private addresses. At least one of these networks would use some public address space that could be reached from the other network. In your case, you would set up a static NAT between, say, 172.16.20.5 and 10.10.20.2. Then, 10.10.10.2 would be instructed to talk to 172.16.20.5, no 10.10.20.2. Because all communication going to 172.16.20.5 would be translated to 10.10.20.2, packets would get to the intended destination. Afterwards, 10.10.20.2 would respond, its response would be translated back to 172.16.20.5 and it would be delivered back to 10.10.10.2, exactly as 10.10.10.2 expects it to be received. I have omitted the fact that 10.10.10.2 would itself be NATted to some public address to not confuse things too much but I believe you should now be able to connect the dots.

Please feel welcome to ask further!

Best regards,
Peter

View solution in original post

3 Replies

Peter Paluch
Cisco Employee

Hi,

The problem with two NATs in your network is this: When you ping 10.10.20.2 from 10.10.10.2, your packets arrive at 10.10.10.2. However, when 10.10.10.2 responds, its address in the response will be translated by Router2 into 172.16.20.3. Because 10.10.10.2 expects to receive a response from 10.10.20.2 and not from 172.16.20.3, it is unable to associate this response with its original request, and the packet is dropped.

Getting this configuration to work may not be that simple, as - first and foremost - you did not give us a realistic scenario to be replicated in your lab. What you have configured here is not something that would be used in the real world, because if two networks are behind NAT, they do not communicate using their private addresses. At least one of these networks would use some public address space that could be reached from the other network. In your case, you would set up a static NAT between, say, 172.16.20.5 and 10.10.20.2. Then, 10.10.10.2 would be instructed to talk to 172.16.20.5, not 10.10.20.2. Because all communication going to 172.16.20.5 would be translated to 10.10.20.2, packets would get to the intended destination. Afterwards, 10.10.20.2 would respond, its response would be translated back to 172.16.20.5, and it would be delivered back to 10.10.10.2, exactly as 10.10.10.2 expects it to be received. I have omitted the fact that 10.10.10.2 would itself be NATted to some public address so as not to confuse things too much, but I believe you should now be able to connect the dots.

Please feel welcome to ask further!

Best regards,
Peter
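To make the reply-address mismatch in the answer above concrete, here is an added Python model of the two routers' NAT tables (written for this page; it is not code from the thread or from IOS). It assumes the addresses of the posted configs, uses a prefix check in place of `access-list 1`, uses the static entry 172.16.20.5 <-> 10.10.20.2 suggested in the answer, and simplifies "did the host recognise the reply" to "did the reply come from the address the host pinged".

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Nat:
    """Model of IOS 'ip nat inside source': the source of inside->outside packets
    is rewritten (dynamic pool or static entry); the destination of
    outside->inside packets is rewritten only when a matching entry exists."""

    def __init__(self, inside_prefix, pool, static=None):
        self.inside_prefix = inside_prefix  # stands in for 'access-list 1'
        self.pool = list(pool)              # free addresses of 'ip nat pool'
        self.table = dict(static or {})     # inside local -> inside global

    def outbound(self, p):
        if not p.src.startswith(self.inside_prefix):
            return p                        # ACL miss: forwarded untranslated
        if p.src not in self.table:
            self.table[p.src] = self.pool.pop(0)  # dynamic entry on first use
        return replace(p, src=self.table[p.src])

    def inbound(self, p):
        inv = {g: l for l, g in self.table.items()}
        return replace(p, dst=inv[p.dst]) if p.dst in inv else p


def ping(sender, target, r1, r2):
    """Echo request from a host behind r1 to 'target' behind r2, and the reply
    back. Returns (reply as the sender sees it, matched?) where matched means
    the reply's source is the address the sender actually pinged."""
    req = r2.inbound(r1.outbound(Packet(sender, target)))
    reply = r1.inbound(r2.outbound(Packet(req.dst, req.src)))  # host answers whoever asked
    return reply, reply.dst == sender and reply.src == target


def double_nat_as_posted():
    """Both routers dynamic NAT; sender uses the far side's private address."""
    r1 = Nat("10.10.10.", ["172.16.10.3"])   # Router 1, pool r1
    r2 = Nat("10.10.20.", ["172.16.20.3"])   # Router 2, pool r2
    return ping("10.10.10.2", "10.10.20.2", r1, r2)


def static_nat_fix():
    """Router 2 also maps 10.10.20.2 <-> 172.16.20.5 statically (constructed, as
    in the answer); the sender targets the global address instead."""
    r1 = Nat("10.10.10.", ["172.16.10.3"])
    r2 = Nat("10.10.20.", ["172.16.20.3"], static={"10.10.20.2": "172.16.20.5"})
    return ping("10.10.10.2", "172.16.20.5", r1, r2)
```

Running `double_nat_as_posted()` shows the reply reaching 10.10.10.2 from 172.16.20.3, which the host never pinged, while `static_nat_fix()` returns the reply from 172.16.20.5 as expected.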

fisnik-jashari1
Level 1

Thank you so much for your answer. I am just preparing for the CCENT exam and I was trying to build a more advanced NAT scenario. Your answer was so helpful, and thank you one more time.


Hi,

You are quite brave doing these more complex labs for your CCENT :) That's good! Keep up the good work, and good luck with your certifications!

Best regards,
Peter