NAT PROBLEM

rui123aiia
Level 1

Hello, I'm kinda new to networking and am trying to do a project in Packet Tracer.

I have a problem when configuring Static NAT / PAT on both Google's router and the ASBR at the same time.

When configuring only one of the routers to use NAT the ping seems to be working fine but when configuring both of the routers to use NAT the ping seems to fail or it says "destination unreachable".

 

I added a screenshot of the topology and the different kinds of messages between the successful and the unsuccessful ping. PING COMAPE.png TOPOLGY.png

NAT configuration on ASBR:

! Inside source addresses eligible for translation
ip access-list standard NAT
 permit 10.0.10.0 0.0.0.31
 permit 10.0.20.0 0.0.0.31
 permit 10.0.30.0 0.0.0.31
 permit 10.0.40.0 0.0.0.15
 permit 10.0.50.0 0.0.0.15
 permit 192.168.80.0 0.0.0.255
 permit host 200.200.200.226
 permit host 200.200.200.227
 deny any
!
interface GigabitEthernet0/0/0.10
 ip address 172.16.10.6 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
! PAT: overload the address of the outside interface
ip nat inside source list NAT interface GigabitEthernet0/1/0 overload

NAT CONFIGURATION ON GOOGLE'S ROUTER:

! Server addresses eligible for translation
ip access-list standard NAT_IN
 permit host 8.8.8.8
 permit host 172.217.6.1
 permit host 142.250.75.6
 deny any
!
interface FastEthernet0/0
 ip address 8.8.8.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 172.217.6.254 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 ip address 142.250.75.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1/0
 ip address 203.1.113.1 255.255.255.252
 ip nat outside
!
! PAT: overload the address of the outside interface
ip nat inside source list NAT_IN interface GigabitEthernet0/1/0 overload

Thanks again in advance to anyone who notices.

 

Accepted Solutions

Jens Albrecht
Level 1

The best way to tackle this kind of problem is to follow the packets and see what's happening if NAT is enabled on just the ASBR or on both routers:

Let us start with NAT enabled on the ASBR only.
You send a ping from the Manager PC at Office B to the server GOOGLE.COM so the packet has
Src IP: 10.0.50.2 - Dst IP: 142.250.75.6
The packet arrives at the ASBR and NAT will translate the source IP so the packet now looks like this
Src IP: 203.0.113.1 - Dst IP: 142.250.75.6

Hence the ASBR now has an entry in its translation table accordingly with an Inside Local IP 10.0.50.2, Inside Global IP 230.0.113.1 and the Outside Local and Global IP 142.250.75.6

As you should know, any return traffic has to match exactly this entry in order to reach the Manager PC.

Let's follow the packet further on its way to Google.com and check what is happening if NAT is not enabled on Google's router.

Since there is no NAT at this point, the packet will simply be routed and successfully arrives at the server GOOGLE.COM.
The server will send a reply packet where source and destination IPs are switched:
Src IP: 142.250.75.6 - Dst IP: 203.0.113.1
Without NAT this packet will once again be simply routed by Google's router and arrives at the ASBR.
Now the question is whether or not the ASBR has a perfect match for this packet in its NAT translation table and the answer is YES, of course.
So NAT will kick in and translate the destination address this time:
Src IP: 142.250.75.6 - Dst IP: 10.0.50.2
Hence the packet arrives at the Manager PC and the ping is successful.

Now let's check what is happening if NAT is also enabled at Google's router.
Interface Gi0/1/0 on this router is configured with "ip nat outside" so that the router must check its NAT translation table for an entry.
So what is in the table right now? Nothing!

Hence the packet is dropped and will never reach the server GOOGLE.COM

Generally speaking the cause of the problem is that you can only enter a network behind a NAT enabled router if this router has a perfect match for the packet in its NAT translation table. So you cannot send traffic from the outside to a host that is hidden behind a NAT router unless it is return traffic for a session that was initiated by an inside host/server. Google's servers use public IP addresses so there is no need for NAT at Google's router and as you have seen yourself implementing NAT on this router makes the servers behind it unreachable for the outside.

HTH
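
The packet walk from the answer above, as an added example that is not part of the original post: a small Python model in which each router keeps a translation table and, as the answer describes, an "ip nat outside" interface forwards a packet only when an entry matches. The names PatRouter, ping and run are made up for this illustration; the addresses are the ones from the thread.

```python
from collections import namedtuple

# ICMP echo packet; PAT tracks it by its query identifier.
Packet = namedtuple("Packet", "src dst icmp_id")

class PatRouter:
    """Hypothetical model of 'ip nat inside source list ... overload'."""
    def __init__(self, name, global_ip, inside_hosts, nat_enabled=True):
        self.name, self.global_ip = name, global_ip
        self.inside_hosts, self.nat_enabled = set(inside_hosts), nat_enabled
        self.table = {}  # (inside_global, icmp_id, outside_ip) -> inside_local

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source and record the translation."""
        if not self.nat_enabled or pkt.src not in self.inside_hosts:
            return pkt
        self.table[(self.global_ip, pkt.icmp_id, pkt.dst)] = pkt.src
        return pkt._replace(src=self.global_ip)

    def inbound(self, pkt):
        """Outside -> inside: forward only on a table match (None = dropped).
        The drop-on-no-match rule is the behaviour the answer describes."""
        if not self.nat_enabled:
            return pkt
        inside_local = self.table.get((pkt.dst, pkt.icmp_id, pkt.src))
        return pkt._replace(dst=inside_local) if inside_local else None

def ping(asbr, google, src="10.0.50.2", dst="142.250.75.6"):
    """Return (success, name of the router where the packet was lost)."""
    request = google.inbound(asbr.outbound(Packet(src, dst, icmp_id=1)))
    if request is None:
        return False, google.name
    reply = google.outbound(Packet(request.dst, request.src, request.icmp_id))
    reply = asbr.inbound(reply)
    if reply is None or reply.dst != src:
        return False, asbr.name
    return True, None

def run(google_nat):
    """Build both routers from the thread's addresses and send one ping."""
    asbr = PatRouter("ASBR", "203.0.113.1", {"10.0.50.2"})
    servers = {"8.8.8.8", "172.217.6.1", "142.250.75.6"}
    google = PatRouter("Google", "203.1.113.1", servers, nat_enabled=google_nat)
    return ping(asbr, google), asbr.table

if __name__ == "__main__":
    print("NAT on ASBR only:   ", run(google_nat=False)[0])
    print("NAT on both routers:", run(google_nat=True)[0])
```
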

3 Replies

Martin L
VIP

You can attach your PT file here, but in zip format.

Regards, ML
**Have fun labbing!!!***
***Please Rate All Helpful Responses ***

Thanks for the reply, the username and password are the same for all routers and switches:

* username: netcom

* password: 12netcom
