05-25-2015 03:30 AM - edited 03-08-2019 12:09 AM
Greetings to everyone.
I am learning NAT and I am having a problem. The problem is that when I use NAT in network A (Router 1) I am able to ping every device. However, when I add NAT in network B (Router 2), NAT stops working on Router 1 (network A) and Router 2 (network B). It works to ping 172.16.10.0 and 172.16.20.0 but I can't ping 10.10.10.0 or 10.10.20.0.
I will include the running-conf.
Router0
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.10.1 255.255.255.240
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.20.1 255.255.255.240
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
passive-interface Loopback1
network 172.16.10.0 0.0.0.15 area 0
network 172.16.20.0 0.0.0.15 area 0
!
Router 1
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool r1
network 10.10.10.0 255.255.255.240
default-router 10.10.10.1
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.10.2 255.255.255.240
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.240
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
router-id 192.168.2.1
log-adjacency-changes
network 172.16.10.0 0.0.0.15 area 0
network 10.10.10.0 0.0.0.15 area 0
!
ip nat pool r1 172.16.10.3 172.16.10.14 netmask 255.255.255.240
ip nat inside source list 1 pool r1
ip classless
!
ip flow-export version 9
!
!
access-list 1 permit 10.10.10.0 0.0.0.15
Router 2
ip dhcp excluded-address 10.10.20.1
!
ip dhcp pool r2
network 10.10.20.0 255.255.255.240
default-router 10.10.20.1
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Loopback1
ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.20.2 255.255.255.240
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.20.1 255.255.255.240
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
passive-interface Loopback1
network 172.16.20.0 0.0.0.15 area 0
network 10.10.20.0 0.0.0.15 area 0
!
ip nat pool r2 172.16.20.3 172.16.20.14 netmask 255.255.255.240
ip nat inside source list 1 pool r2
ip classless
!
ip flow-export version 9
!
!
access-list 1 permit 10.10.20.0 0.0.0.15
!
Thank you for your help.
05-25-2015 06:56 AM
Hi,
The problem with two NATs in your network is this: When you ping 10.10.20.2 from 10.10.10.2, your packets arrive at 10.10.10.2. However, when 10.10.10.2 responds, its address in the response will be translated by Router2 into 172.16.20.3. Because 10.10.10.2 expects to receive a response from 10.10.20.2 and not from 172.16.20.3, it is unable to associate this response with its original request, and will cause the packet to be dropped.
Getting this configuration to work may not be that simple, as - first and foremost - you did not give us a realistic scenario to be replicated in your lab. What you have configured here is not something that would be used in the real world because if two networks are behind NAT, they do not communicate using their private addresses. At least one of these networks would use some public address space that could be reached from the other network. In your case, you would set up a static NAT between, say, 172.16.20.5 and 10.10.20.2. Then, 10.10.10.2 would be instructed to talk to 172.16.20.5, not 10.10.20.2. Because all communication going to 172.16.20.5 would be translated to 10.10.20.2, packets would get to the intended destination. Afterwards, 10.10.20.2 would respond, its response would be translated back to 172.16.20.5 and it would be delivered back to 10.10.10.2, exactly as 10.10.10.2 expects it to be received. I have omitted the fact that 10.10.10.2 would itself be NATted to some public address to not confuse things too much but I believe you should now be able to connect the dots.
Please feel welcome to ask further!
Best regards,
Peter
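The two cases from the answer above, traced packet by packet in an added example (not part of the original thread). The class and function names are hypothetical, and each router is reduced to an inside-source translation table using the addresses from the posted configs.

```python
# Added illustration: minimal model of inside source NAT on Router 1 and Router 2.
# Names are hypothetical; addresses are taken from the thread.

class NatRouter:
    def __init__(self, pool, static=None):
        self.pool = list(pool)            # free inside-global addresses
        self.xlate = dict(static or {})   # inside local -> inside global

    def inside_to_outside(self, src, dst):
        """Packet leaving the inside network: rewrite the source address."""
        if src not in self.xlate:
            self.xlate[src] = self.pool.pop(0)   # dynamic entry on first use
        return self.xlate[src], dst

    def outside_to_inside(self, src, dst):
        """Packet entering from outside: rewrite the destination if mapped."""
        for local, glob in self.xlate.items():
            if glob == dst:
                return src, local
        return src, dst                          # no entry: routed unchanged


def ping(r1, r2, host, target):
    """Echo from `host` (behind r1) to `target`. Returns the source address
    seen on the reply and whether the host can match it to its request."""
    src, dst = r1.inside_to_outside(host, target)   # request leaves network A
    src, dst = r2.outside_to_inside(src, dst)       # request enters network B
    src, dst = r2.inside_to_outside(dst, src)       # reply leaves network B
    src, dst = r1.outside_to_inside(src, dst)       # reply enters network A
    return src, (src == target and dst == host)


def dynamic_both_sides():
    # Posted configs: both routers use only a dynamic pool.
    r1 = NatRouter(["172.16.10.3"])
    r2 = NatRouter(["172.16.20.3"])
    return ping(r1, r2, "10.10.10.2", "10.10.20.2")


def static_on_router2():
    # Suggested fix: static mapping 10.10.20.2 <-> 172.16.20.5 on Router 2
    # (IOS: ip nat inside source static 10.10.20.2 172.16.20.5).
    r1 = NatRouter(["172.16.10.3"])
    r2 = NatRouter(["172.16.20.3"], static={"10.10.20.2": "172.16.20.5"})
    return ping(r1, r2, "10.10.10.2", "172.16.20.5")


if __name__ == "__main__":
    print("dynamic NAT on both routers:", dynamic_both_sides())
    print("static NAT on Router 2:     ", static_on_router2())
```

On the real routers, `show ip nat translations` on each side shows the same entries the model keeps in `xlate`.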
05-25-2015 07:11 AM
Thank you so much for your answer. I am just preparing for the CCENT exam and I was trying to build a more advanced NAT scenario. Your answer was so helpful and thank you one more time.
05-25-2015 07:21 AM
Hi,
You are quite brave doing these more complex labs for your CCENT :) That's good! Keep up the good work, and good luck with your certifications!
Best regards,
Peter