| Author |
Question about NAT
|
|
| networxing 2005-10-15, 9:33 am |
| Hi all,
Just have a quick question. To set up NAT will I require a "registered" global IP address? Like I have been trying to set up NAT on my 2503 router--well I do set it up but it won't work, in that I can't ping the "global IP address" from my other router or from another PC, which are both connected to this 2503 router.
What I am doing is on the 2503 I am giving the local IP as 192.168.1.1 (the IP of the PC the router is connected to) and global IP as 203.x.x.x. The ip nat translation/stat commands show the configuration to be saved.
When I ping the local IP from another PC or router it's working (like the way it works when I don't have any NAT at all) but the global IP doesn't. It says "dest not reachable". I have configured both IPs as inside IPs, as in inside local and inside global, isn't that correct? And also when do we use outside local and outside global, under what circumstances?
What am I missing here? Can someone help pls? | |
| chitownsvt 2005-10-15, 9:52 am |
| Try putting in 'ip nat outside' on the WAN interface, and 'ip nat inside' on the LAN interface. It would also help if you could post your config, I don't know what you've configured already... | |
| networxing 2005-10-15, 10:10 am |
| Thanks for your reply.
OK, after I set up a static route b/w 2503 and 2513 and got both the routers and the PCs that are connected to them to ping each other...this is what I put in one of the routers, which is connected to a PC with IP address 192.168.1.1
ip nat inside source static 192.168.1.1 200.200.200.1
interface ethernet 0
ip nat inside
exit
interface serial 0
ip nat outside
exit
Also tried this
ip nat inside source list 1 pool nat-pool
access-list 1 permit 192.168.1.1 0.0.0.0
ip nat pool nat-pool 200.200.200.1 200.200.200.1 netmask 255.255.255.0
interface ethernet 0
ip nat inside
exit
interface serial 0
ip nat outside
exit
Both times same result--can't ping global IP. | |
| JPaper007 2005-10-15, 1:09 pm |
| Try this...
interface ethernet 0
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface serial 0
ip address 200.200.200.1 255.255.255.0
ip nat outside
ip nat inside source list 1 interface serial 0
access-list 1 permit 192.168.1.0 0.0.0.255
If you only have 1 global IP address there is no need to create a NAT pool. Just point to the NAT outside interface. Also your access list was set up to only allow 192.168.1.1 out because of how you had your wildcard subnet mask set up. This is why you could not ping the outside from any internal IP address unless you did an extended ping and originated the ping from that address.
Good luck and let us know if this worked. | |
| johnaspen 2005-10-15, 5:04 pm |
| Looks like JPaper did all the work so that the rest of us can sit back and relax on this one. I didn't delve into it, but his config looks solid. He knows his stuff.
Only question I saw unanswered was about needing a registered global IP address. Inside your test network you can assign any address you want, so you don't have to worry about using that 200 public address. Typically most people do stick with private ranges though (10, 172.16/12, 192.168/24); that's what they're there for. | |
| JPaper007 2005-10-16, 2:50 am |
| Yea after I failed my first attempt at the 640-801 exam because of a NAT sim, I spent a lot of time reading and practicing NAT with my routers.
Here is a very useful link from Cisco on NAT
http://www.cisco.com/en/US/products.../>
091cb9.shtml
After your configuration is set you can use
Show ip nat statistics
and/or
Show ip nat translations
These commands will help you see what is going on with your NAT config.
You do not need a registered global IP address if you are doing offline/lab environment testing. So if your routers are not connected to the internet in any way then you can use private IP addresses for both inside and outside NAT interfaces. | |
| networxing 2005-10-17, 1:00 pm |
| Tried many things---still no luck..same thing, can't ping the global IP from my other router and PC.
However I noticed one thing new--when I am pinging the local interface, it goes
reply from 200.x.x.x(which is the global IP I am setting)
but when I ping 200.x.x.x itself
result = dest not reachable
Even from the PC the router is connected to directly it's the same.
jpaper007--is your config instructions step by step?--it can't be 'cause that would actually set up the router interface's IPs. Although I tried figuring out the steps you were directing me to, I didn't get much out of it.
Any more suggestions pls, anyone? | |
| JPaper007 2005-10-17, 1:15 pm |
| Can you paste your entire running configuration here? I would like to look at exactly what you have running. Also what IOS version are you running?
Thanks | |
| johnaspen 2005-10-17, 9:38 pm |
| Above link got fudged up by the examnotes forum software.
Link check in aisle 9!! | |
| chitownsvt 2005-10-17, 10:17 pm |
| Put these two statements in
ip nat inside source list 1 interface serial 0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
Don't forget the 'overload' because that's what maps all your local addresses to your one global address | |
| networxing 2005-10-18, 11:44 am |
| OK, I managed to somehow make it work, however it would only work if I have the same subnet for both local and global IPs. I am pasting my running config--this config works 'cause I have 192.168.2.115 as local and 192.168.2.250 as global, but if I change my global to say 10.x.x.x or 200.x.x.x, it won't work. I tried with and without access-list as well.
If you guys can find out where the problem is...?
Building configuration...
Current configuration : 901 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 2513
!
enable secret 5 $1$A5/v$iTbIvh8DL/lyQ5KIgsJUi/
enable password 7 020E0D590A0E
!
ip subnet-zero
!
!
!
!
interface Ethernet0
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface Serial0
ip address 192.168.3.2 255.255.255.0
ip nat outside
!
interface Serial1
no ip address
shutdown
!
interface TokenRing0
no ip address
shutdown
!
router eigrp 200
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
auto-summary
!
ip nat inside source static 192.168.2.115 192.168.2.250
ip classless
ip http server
!
line con 0
exec-timeout 30000 0
password 7 1046001B041F
logging synchronous
login
line aux 0
password 7 1046001B041F
login
line vty 0 4
password 7 1046001B041F
login
!
end | |
| JPaper007 2005-10-18, 12:32 pm |
| Try this config. I changed your Serial 0 interface IP address but you can configure it to whatever you want. I set your access list to only allow 192.168.0.0 through 192.168.8.255 thru, if you have more than that subnet allowed out you will need to adjust your ACL.
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 2513
!
enable secret 5 $1$A5/v$iTbIvh8DL/lyQ5KIgsJUi/
enable password 7 020E0D590A0E
!
ip subnet-zero
!
!
!
!
interface Ethernet0
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface Serial0
ip address 200.200.200.1 255.255.255.0
ip nat outside
!
interface Serial1
no ip address
shutdown
!
interface TokenRing0
no ip address
shutdown
!
router eigrp 200
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
auto-summary
!
ip nat inside source list 1 interface serial 0 overload
!
ip classless
ip http server
ip route 0.0.0.0 0.0.0.0 serial0
!
access-list 1 permit 192.168.0.0 0.0.7.255
!
line con 0
exec-timeout 30000 0
password 7 1046001B041F
logging synchronous
login
line aux 0
password 7 1046001B041F
login
line vty 0 4
password 7 1046001B041F
login
!
end
Let us know if this works. If it does and you have questions on why it works we will be glad to answer them. | |
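Added example (not part of any post in this thread): how IOS evaluates the standard-ACL wildcard masks in the configs above, i.e. which inside source addresses each posted `access-list 1 permit` entry makes eligible for translation. The host list is constructed and the function names are hypothetical.

```python
import ipaddress

def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def acl_matches(host: str, base: str, wildcard: str) -> bool:
    """Standard-ACL test: wildcard bits set to 1 are ignored, 0 bits must match."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(host) & care) == (_u32(base) & care)

def acl_range(base: str, wildcard: str) -> tuple[str, str]:
    """First and last address matched (only defined for contiguous wildcards)."""
    w = _u32(wildcard)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard does not describe one range")
    first = _u32(base) & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))

# The three "access-list 1 permit ..." entries posted in the thread.
THREAD_ACLS = [
    ("192.168.1.1", "0.0.0.0"),
    ("192.168.1.0", "0.0.0.255"),
    ("192.168.0.0", "0.0.7.255"),
]

# Constructed inside hosts, used only to illustrate the matching.
INSIDE_HOSTS = ["192.168.1.1", "192.168.1.20", "192.168.2.115", "192.168.8.10"]

def nat_eligible(hosts, base, wildcard):
    """Hosts whose source address the ACL permits, i.e. candidates for translation."""
    return [h for h in hosts if acl_matches(h, base, wildcard)]

if __name__ == "__main__":
    for base, wc in THREAD_ACLS:
        lo, hi = acl_range(base, wc)
        print(f"permit {base} {wc}: {lo} - {hi} -> {nat_eligible(INSIDE_HOSTS, base, wc)}")
```
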
| YesI'mBack 2005-10-18, 2:16 pm |
| quote: Originally posted by networxing
if you guys can find out where the problem is...?
thanks for including your passwords in your config.
your enable password is: hibah
your console password is: hibah
your aux password is: hibah
your vty password is: hibah
it's a good practice not to include your passwords in your config. easy to crack, you see. your enable secret password can be cracked, too. just takes a little more time | |
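Added example (not part of any post in this thread): a small scrubber that strips credential material from an IOS-style running-config before it is pasted somewhere public, which is the practice the post above recommends. It goes slightly beyond the thread by also covering `username` and `snmp-server community` lines; the sample config and all values in it are constructed, and the function and rule names are hypothetical.

```python
import re

# Constructed sample shaped like an IOS running-config; every value is made up.
SAMPLE = """\
hostname lab-router
enable secret 5 $1$EXAMPLE$notARealHashValue000000
enable password 7 0000EXAMPLE
username admin password 7 0000EXAMPLE
snmp-server community labstring RO
line vty 0 4
 password 7 0000EXAMPLE
 login
"""

# (pattern, replacement, finding label); first matching rule wins per line.
RULES = [
    (re.compile(r"^(\s*enable secret)\s+.+$"), r"\1 <removed>", "enable secret"),
    (re.compile(r"^(\s*enable password)\s+.+$"), r"\1 <removed>", "enable password"),
    (re.compile(r"^(\s*username \S+ (?:password|secret))\s+.+$"),
     r"\1 <removed>", "user credential"),
    (re.compile(r"^(\s*password)\s+.+$"), r"\1 <removed>", "line password"),
    (re.compile(r"^(\s*snmp-server community)\s+\S+(.*)$"),
     r"\1 <removed>\2", "SNMP community"),
]

def sanitize(config: str):
    """Return (scrubbed_config, findings) where findings are (line_no, label)."""
    out, findings = [], []
    for lineno, line in enumerate(config.splitlines(), 1):
        for pattern, repl, label in RULES:
            scrubbed, hits = pattern.subn(repl, line)
            if hits:
                findings.append((lineno, label))
                line = scrubbed
                break
        out.append(line)
    return "\n".join(out) + "\n", findings

if __name__ == "__main__":
    clean, found = sanitize(SAMPLE)
    print(clean)
    for lineno, label in found:
        print(f"line {lineno}: removed {label}")
```
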
| johnaspen 2005-10-18, 9:02 pm |
| Amazing how much a guy thinks he knows, and then something like http://makeashorterlink.com comes along and ruins your day.
Thanks Darth, I'm definitely bookmarking that one. Could have used this numerous times over the years. | |
| JPaper007 2005-10-19, 10:44 am |
| Nothing to say, just wanted to bring this valid post back to the front because some idiot spammed the forum. | |
| networxing 2005-10-20, 10:31 am |
| jpaper007--Thanks for your help so far dude--I have tried your config and guess what, it worked. From the changes you made I stripped everything except for the default route you set up and it still works. So what made it work, may I ask?
However my outbound NAT doesn't work..well I can ping both the global and local outside IP from my PC and router on the inside, but can't ping from the router that is actually configured as the outside network itself--if that makes any sense??
Here is my connection
pc1-----router2503-----router2513-----pc2
I configured outside and inside NAT on 2513, the outside local address being that of router2503 serial int and a "made up" global IP. I can ping both the local and global IP from router 2513 and pc2 but can't ping either of them from pc1 and router2503..do I need to do anything on router2503? | |
| JPaper007 2005-10-20, 11:20 am |
| What made it work was the access list and the default static route. You need the access list there to allow your networks out. Without them NAT will not allow the translation. The static route just said to get to everything go to serial0.
Now from PC2 you should be able to ping every interface except for your 2503 Ethernet interface and PC1. Those IPs are private and not advertised. You can create a NAT map for them and map global to private, then advertise the global network between your 2503 and 2513 routers with OSPF, RIP, IGRP, or EIGRP. Since you already have an EIGRP set up I would use another routing protocol just to give you practice. Since OSPF is on the CCNA exam I recommend that one.
This is what it could look like
pc1
IP 192.168.XXX.XXX
SM 255.255.255.0
GW 192.168.XXX.XXX
router2503
Eth0 192.168.XXX.XXX/24
Ser0 200.200.200.XXX/24
EIGRP XXX Network 192.168.XXX.0
OSPF XXX Network 200.200.200.0 0.0.0.255 area 0
router2513
Ser0 200.200.200.XXX/24
Eth0 10.10.10.XXX/24
EIGRP XXX Network 10.10.10.0
OSPF XXX network 200.200.200.0 0.0.0.255 area 0
pc2
IP 10.10.10.XXX
SM 255.255.255.0
GW 10.10.10.XXX
You can create NAT maps on your 2503 pointing a 200.200.200.XXX IP to your PC1 address. Then do the same for the 2513 router. Remember your access lists on both routers. You may not need the static default route if you advertise the network between your routers.
Good luck! | |
| donaldmc 2005-11-07, 11:02 am |
| I had a problem like this and it frustrated me for hours until I realized I forgot to enable a routing protocol like rip or eigrp on the networks. |