Solved: Re: PAT Config issue

jlajuarez · ‎12-09-2010

I have several issues with my PAT config. On the attached image of the topology:

1. Only hosts on network 10.0.1.0 / 25 can ping interface 128.10.10.2 / 24 (PAT is successful for this network)

2. Network 10.0.10.0 / 25 (VLAN) can ping 128.10.10.1 / 24, but cannot ping 128.10.10.2 / 24

3. The rest of the networks, whenever i ping 128.10.10.1 / 24 , it says destination host unreachable.

Here are the configurations i used in this topology.

R1(config)#int fa1/0

R1(config-if)ip nat inside

R1(config)#int s0/0/0

R1(config-if)#ip nat outside

R1(config-if)#exit

R1(config)#ip nat pool PATPOOL 128.10.10.1 128.10.10.1 netmask 255.255.255.0

R1(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0

R1(config)#ACCESS-LIST 1 PERMIT 10.0.1.0 0.0.0.127

R1(config)#ACCESS-LIST 1 PERMIT 10.0.10.0 0.0.0.127

R1(config)#ACCESS-LIST 1 PERMIT 10.0.2.0 0.0.0.127

R1(config)#ACCESS-LIST 1 PERMIT 10.0.3.0 0.0.0.127

R1(config)#ACCESS-LIST 1 PERMIT 172.16.1.0 0.0.0.3 * in my first config, i did not include this, but result is still the same. this is my current config.

R1(config)#ACCESS-LIST 1 PERMIT 172.16.2.0 0.0.0.3

R1(config)#ACCESS-LIST 1 PERMIT 172.16.3.0 0.0.0.3

R1(config)#ip nat inside source list 1 pool PATPOOL overload

Show IP Nat Trans on Router0

Pro Inside global Inside local Outside local Outside global

icmp 128.10.10.1:29 10.0.1.6:29 128.10.10.2:29 128.10.10.2:29

icmp 128.10.10.1:30 10.0.1.6:30 128.10.10.2:30 128.10.10.2:30

icmp 128.10.10.1:31 10.0.1.6:31 128.10.10.2:31 128.10.10.2:31

icmp 128.10.10.1:32 10.0.1.6:32 128.10.10.2:32 128.10.10.2:32

Show IP route on Router0

10.0.0.0/25 is subnetted, 4 subnets

C 10.0.1.0 is directly connected, FastEthernet1/0

O 10.0.2.0 [110/2] via 172.16.1.2, 00:55:33, FastEthernet0/0

O 10.0.3.0 [110/2] via 172.16.3.2, 00:55:33, FastEthernet0/1

C 10.0.10.0 is directly connected, FastEthernet1/0.10

128.10.0.0/24 is subnetted, 1 subnets

C 128.10.10.0 is directly connected, Serial0/0/0

172.16.0.0/30 is subnetted, 3 subnets

C 172.16.1.0 is directly connected, FastEthernet0/0

O 172.16.2.0 [110/2] via 172.16.1.2, 00:55:33, FastEthernet0/0

[110/2] via 172.16.3.2, 00:55:33, FastEthernet0/1

C 172.16.3.0 is directly connected, FastEthernet0/1

S* 0.0.0.0/0 is directly connected, Serial0/0/0

I also tried configuring the other interfaces in the router as IP NAT INSIDE but still the same result (this is just me experimenting).

What have I done wrong?

lgijssel · ‎12-13-2010

There is a default route on this router but ospf does not announce it to the rest of the neigbors, it's only known locally.

The best solution woukd be to add the following line to your ospf config:

router ospf 1

default-information originate

If you want some additional reading on the subject, please check the link below:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a74.shtml#typesofospfareas

regards,

Leo

View solution in original post

cadet alain · ‎12-10-2010

Hi,

1. Only hosts on network 10.0.1.0 / 25 can ping interface 128.10.10.2 / 24 (PAT is successful for this network)

As you are natting to 128.10.10.1 then the src ip add for POP router is 128.10.10.1 which is directly connected so he can reply.

If you want 10.0.2.0,10.0.3.0,10.0.20.0 and 10.0.30.0 to get natted you must put ip nat inside on f0/0 and f0/1

2. Network 10.0.10.0 / 25 (VLAN) can ping 128.10.10.1 / 24, but cannot ping 128.10.10.2 / 24

if the other networks are not NAT overloaded then their src ip add is not natted and if POP router hasn't got a default route via its serial interface

he won't be able to reply back.

can you post: sh run int f1/0

3. The rest of the networks, whenever i ping 128.10.10.1 / 24 , it says destination host unreachable.

In your routing table you have no route for them via ospf and your default route is pointing to s0/0/0 where they are not located

whether you put your network commands in ospf on the other routers or you put static routes to them pointing to next-hop on this router.

Regards.

Alain.

Don't forget to rate helpful posts.

jlajuarez · ‎12-10-2010

Hi,

1. Nat inside was already configured on fa0/0 (172.16.1.1) and fa0/1 (172.16.3.1) and fa1/0 (10.0.1.1)

2. I think i have placed all other networks on overload, haven't i?

3. All routers have ospf configured in them.

Here is the show run on Router 0

interface FastEthernet0/0

ip address 172.16.1.1 255.255.255.252

ip nat inside

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 172.16.3.1 255.255.255.252

ip nat inside

duplex auto

speed auto

!

interface Serial0/0/0

ip address 128.10.10.1 255.255.255.0

ip nat outside

clock rate 64000

!

interface FastEthernet1/0

ip address 10.0.1.1 255.255.255.128

ip nat inside

duplex auto

speed auto

!

interface FastEthernet1/0.10

encapsulation dot1Q 10

ip address 10.0.10.1 255.255.255.128

!

router ospf 1

log-adjacency-changes

network 172.16.1.0 0.0.0.3 area 0

network 172.16.3.0 0.0.0.3 area 0

network 10.0.1.0 0.0.0.127 area 0

network 10.0.10.0 0.0.0.127 area 0

!

ip nat pool PATPOOL 128.10.10.1 128.10.10.1 netmask 255.255.255.0

ip nat inside source list 1 pool PATPOOL overload

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/0/0

cadet alain · ‎12-10-2010

3. All routers have ospf configured in them.

in the output of show ip route you gave there was no OSPF routes for 10.0.20.0, 10.0.30.0

2. I think i have placed all other networks on overload, haven't i?

I didn't say they weren't, I said they were not natted.

You are on packet tracer? can you do some debugs?

first clear nat table: clear ip nat translation *

then ping from 10.0.10.0/25 network -PC3 avec debug ip nat puis show ip nat trans

then do the same with ip nat inside configured on f1/0.10 it should solve 10.0.10.0/25 network problem

in your ACL remove all lines with 172.16.x.x then do the same test from these subnets to see if they still not natted

and in that case(no natted) if you want your pings to succeed you must advertise these subnets to your NAT router otherwise how can he reply

Regards.

Don't forget to rate helpful posts.

jlajuarez · ‎12-10-2010

Oh yeah!!! There is no 10.0.20.0 or 10.0.30.0.. Haha...

Ok I will try to do what you just told me....

Bugger!!! I left the packet tracer file in office computer. Lol. Darn it... I'll do these things you told me as soon as i get my hands on the file.. Thank you so much for your time.. I'll reply again in this thread once i have done what you told me.. Till then...

Thanks..

Regards

jlajuarez · ‎12-13-2010

Hey man..

Sorry this took a while.... I apologize...

After i have done what you have said...

so far 10.0.1.0 and 10.0.10.0 can now ping 128.10.10.2

Show IP Nat Trans result

R1#show ip nat trans

Pro Inside global Inside local Outside local Outside global

icmp 128.10.10.1:1 10.0.1.6:1 128.10.10.2:1 128.10.10.2:1

icmp 128.10.10.1:2 10.0.1.6:2 128.10.10.2:2 128.10.10.2:2

icmp 128.10.10.1:3 10.0.1.6:3 128.10.10.2:3 128.10.10.2:3

icmp 128.10.10.1:4 10.0.1.6:4 128.10.10.2:4 128.10.10.2:4

icmp 128.10.10.1:29 10.0.10.6:29 128.10.10.2:29 128.10.10.2:29

icmp 128.10.10.1:30 10.0.10.6:30 128.10.10.2:30 128.10.10.2:30

icmp 128.10.10.1:31 10.0.10.6:31 128.10.10.2:31 128.10.10.2:31

icmp 128.10.10.1:32 10.0.10.6:32 128.10.10.2:32 128.10.10.2:32

However, the rest of the networks on the other routers cannot ping the 128.10.10.1 interface on the router R1 (NAT router).

Pinging 128.10.10.1 with 32 bytes of data:

Reply from 10.0.3.1: Destination host unreachable.

Pinging 128.10.10.1 with 32 bytes of data:

Reply from 10.0.2.1: Destination host unreachable.

Ping statistics for 128.10.10.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Here is the new show run config on R1

interface FastEthernet0/0

ip address 172.16.1.1 255.255.255.252

ip nat inside

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 172.16.3.1 255.255.255.252

ip nat inside

duplex auto

speed auto

!

interface Serial0/0/0

ip address 128.10.10.1 255.255.255.0

ip nat outside

clock rate 64000

!

interface FastEthernet1/0

ip address 10.0.1.1 255.255.255.128

ip nat inside

duplex auto

speed auto

!

interface FastEthernet1/0.10

encapsulation dot1Q 10

ip address 10.0.10.1 255.255.255.128

ip nat inside

!

router ospf 1

log-adjacency-changes

network 172.16.1.0 0.0.0.3 area 0

network 172.16.3.0 0.0.0.3 area 0

network 10.0.1.0 0.0.0.127 area 0

network 10.0.10.0 0.0.0.127 area 0

network 10.0.20.0 0.0.0.127 area 0

network 10.0.30.0 0.0.0.127 area 0

network 10.0.2.0 0.0.0.127 area 0

network 10.0.3.0 0.0.0.127 area 0

!

ip nat pool PATPOOL 128.10.10.1 128.10.10.1 netmask 255.255.255.0

ip nat inside source list 1 pool PATPOOL overload

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/0/0

access-list 1 permit 10.0.1.0 0.0.0.127

access-list 1 permit 10.0.2.0 0.0.0.127

access-list 1 permit 10.0.3.0 0.0.0.127

access-list 1 permit 10.0.10.0 0.0.0.127

access-list 1 permit 10.0.20.0 0.0.0.127

access-list 1 permit 10.0.30.0 0.0.0.127

lgijssel · ‎12-13-2010

You also have a problem with your routing.

Both hosts which report destination unreachable are not on this router and the message implies they have no route for the destination networks.

You'd better give Alain a good rating for his help so far, this is another issue.

regards,

Leo

jlajuarez · ‎12-13-2010

Both hosts which report destination unreachable are not on this router and the message implies they have no route for the destination networks.

Uhh.... yes they are not on the NAT router but they are routed via ospf.

I always give high ratings. Lol.

lgijssel · ‎12-13-2010

Uhh.... yes they are not on the NAT router but they are routed via ospf.

This may very well be the case but you are not advertizing the 128-network.

regards,

Leo

jlajuarez · ‎12-13-2010

Hi,

This is what Alain has pointed out too and also you...

What do you mean by "advertising"? You mean like configure something that would enable them to advertise?

You mean like include the 128 network on my ospf configuration?

Regards,

J

lgijssel · ‎12-13-2010

Your ospf process should include the following:

router ospf 1

network 128.10.10.0 0 0.0.0.255 area 0

regards,

Leo

jlajuarez · ‎12-13-2010

Hi,

thanks for taking your time in answering my question.

But the scenario that im trying to bring up here is that the 128.10.10.0 network is a public ip address and is not part of lets say my company's network system.

Or maybe the scenario that im trying to bring up is wrong.

regards

lgijssel · ‎12-13-2010

In that case, you need to have a default route to enable it's reachability.

This route must be redistributed by ospf.

regards,

Leo

jlajuarez · ‎12-13-2010

Hi Leo,

Is this what you mean?

router ospf 1

log-adjacency-changes

network 172.16.1.0 0.0.0.3 area 0

network 172.16.3.0 0.0.0.3 area 0

network 10.0.1.0 0.0.0.127 area 0

network 10.0.10.0 0.0.0.127 area 0

network 10.0.20.0 0.0.0.127 area 0

network 10.0.30.0 0.0.0.127 area 0

network 10.0.2.0 0.0.0.127 area 0

network 10.0.3.0 0.0.0.127 area 0

ip nat pool PATPOOL 128.10.10.1 128.10.10.1 netmask 255.255.255.0

ip nat inside source list 1 pool PATPOOL overload

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/0/0

If not, then what configuration would you suggest?

And doesn't OSPF redistribute only classfull by default? How do you redistribute subnetted addresses?

Regards

lgijssel · ‎12-13-2010

There is a default route on this router but ospf does not announce it to the rest of the neigbors, it's only known locally.

The best solution woukd be to add the following line to your ospf config:

router ospf 1

default-information originate

If you want some additional reading on the subject, please check the link below:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a74.shtml#typesofospfareas

regards,

Leo