NAT Dynamic Troubleshooting

so we ping from John to Dave... and it gets translated in Jamaica? hmm so far not working...i set ip nat inside on the fast0/0 int, and ip nat outside on serial1/0 int on Jamaica...

grrrr i cant do it :'( seems so simple...

Well there are a number of steps to make NAT work:

- Specify the inside and outside interfaces.
- Specify what the source and destination for the translation will be.
- Make sure that routers know where to send traffic...so check your routing tables.

If you have difficulty with solving this lab it's a good idea to draw the topology on a piece of paper and "follow the packet". Just draw what is supposed to happen and what could possibly go wrong.

ok so this is what i did.

ip nat inside = int fast0/0
ip nat outside = int serial 1/0

since we need to translate 192.168.12.0 network to 172.16.1.0/24 network

configured a ip nat pool specifying the 172.16.1.1 to 172.16.1.10

configuring an access list to permit the 192.168.12.0 network

Am i supposed to do anything else? cuz as far as i know this is all it takes to translate inside local address 192.168.12.0 to the 172.16.1.0 network.

i also confiugued an ip default-gateway to the 192.168.23.3 (Florida) router but still didnt work grrrrrr.

hmmmm

Ok so this is what you did?

1) Configure the inside and outside interfaces.
2) Configure an access-list to match the inside hosts.
3) Configure a pool to translate into.
4) Use the 'ip nat inside source' command to bring 2+3 together.

Once you have done that...follow the packet in your mind and try to think about the decisions the router(s) have to make and why it isn't working.

oh ok solved was a silly mistake ...the problem was witht he access list grrrrrrrrrrr...its funny how i did the complicated mpls lab succesfully buy got stuck on this simple one ;D

No worries i know how that feels...i get caught by small mistakes all the time, especially after labbing all day long

I am able to get NAT working, but I have to make a change on the Florida router to route the 172.16.1.X traffic back to the Jamaica router.

In the instructions you are only suppose to make changes on the Jamaica router, how can I dynamically update the Florida router with the 172.16.1.X network from Jamaica?

Hello Alexander,

The answer is in your own question ;D ...dynamically update....

How can we dynamically update another router? *cough* routing protocol *RIP* good luck!

Okay, I solved this after using a loopback interface. Would there be another way to do this without a lookback interface?

Yes there is another method. With routing protocols you can advertise something when you have it on an interface. If you don't want it on an interface then it's possible to create a static route pointing to the null0 interface. So in short, it needs to be in your routing table before you can advertise it.

One last question? I got it working using the null0 interface, but is there a reason that you would use a null interface over a loopback interface, or is this purely a personal preference?

Thank you for your help.

Hi Alexander,

Using a loopback interface is the best way i'd say...if you advertise it than at least it's reachable. Creating a static route pointing to null0 will 'blackhole' it. Only reason i can think of is you would do a CCIE exam and they state that you have to advertise a prefix but are not allowed to use a loopback or physical interface.

Rene

I have added static route pointing to fa0/0 as per design but it's working with Null0 as well

Jamaica#show ip nat translations

Jamaica#

Dave#traceroute 192.168.12.1

Type escape sequence to abort.
Tracing the route to 192.168.12.1

1 192.168.34.3 56 msec 92 msec 8 msec
2 192.168.23.2 64 msec 32 msec 0 msec
3 172.16.1.1 76 msec * 100 msec

Jamaica#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 172.16.1.1:33437 192.168.12.1:33437 192.168.34.4:49207 192.168.34.4:49207
udp 172.16.1.1:33438 192.168.12.1:33438 192.168.34.4:49208 192.168.34.4:49208
udp 172.16.1.1:33439 192.168.12.1:33439 192.168.34.4:49209 192.168.34.4:49209
udp 172.16.1.1:33440 192.168.12.1:33440 192.168.34.4:49210 192.168.34.4:49210
udp 172.16.1.1:33442 192.168.12.1:33442 192.168.34.4:49212 192.168.34.4:49212
--- 172.16.1.1 192.168.12.1 --- ---
Jamaica#

Good job. If it's in the routing table it's ok...null0 will do the job as well.

This is embarrasing... I have forgot about the details about NAT.

I have configured the lab and I can not see the translations when I ping, even though the ping is successfull, the NAT translation isn't:
From John to Dave
From Dave to John

But if I do a traceroute from Dave to John, I get the following NAT translation:
-----------------------------------------------
Jamaica#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 172.16.1.1:33437 192.168.12.1:33437 192.168.34.4:49167 192.168.34.4:49167
udp 172.16.1.1:33438 192.168.12.1:33438 192.168.34.4:49168 192.168.34.4:49168
udp 172.16.1.1:33439 192.168.12.1:33439 192.168.34.4:49169 192.168.34.4:49169
udp 172.16.1.1:33440 192.168.12.1:33440 192.168.34.4:49170 192.168.34.4:49170
udp 172.16.1.1:33442 192.168.12.1:33442 192.168.34.4:49172 192.168.34.4:49172
icmp 172.16.1.1:4194368 192.168.12.1:4194368 192.168.34.4:1702719456 192.168.34.4:1702719456
icmp 172.16.1.1:1612683140 192.168.12.1:1612683140 192.168.34.4:7 192.168.34.4:7
--- 172.16.1.1 192.168.12.1 --- ---

Can someone please tell me why the ping is not translated? Or at lease tell me where to look further?

By the way, as maybe you have guessed from my output; Router Florida can see the route to 172.16.1.0/16 network

Best regards,
Waschman

Hmm, I have problems posting a comment. I am registered to this website and when I try to post a comment I have to put in the name. But when I enter the name it says that I am already registered. Therefore I changed the name to waschman2

I tried to configure PAT instead and that works perfectly! But not with a standard access-list. I changed my ACL to an extended ACL and then it worked.

First I tried with an ACL with number 101 (extended) but it didn't work. Then I tried to use a named extended ACL with name=NAT and then it worked. Strange!

I am using IOS:
Cisco IOS Software, 3600 Software (C3640-IK9O3S-M), Version 12.4(3), RELEASE SOFTWARE (fc2)

Good lab!

Keep up the good work

hahaha this was an awesome lab!! I wouldn't even think about doing something like this. I was clueless until I read the comments

keep up the good work man!! btw I'm @matthewsface on twitter

Glad you guys like it!

great lab. I admit I read some of the comments until I solved it. I'm preparing for tshoot and your labs are really helping. Maybe you can create more tshoot labs.
Thanks.

P.S. The video you recorded is for another lab.

Hi Alex,

Thanks for letting me know about the video, the correct one is here now. Last friday I uploaded the TSHOOT topology (preconfigured). I'll be using it to build TSHOOT labs that represent the exam asap

thank u for ur lab it's really fan i solved it without using any change on the routing process.
the mistakes founded :
1- inside , outside used on the wrong way
2- mistake on wilcard mask
3-disable the old translation with the new one.
but i want to know how could the router update dynam another router using the routing process.i wanna to explain me how could florida router knows 172.168.1.0/24 without informing on it routing table and without using any static link.
plz answer soon as possible

Hi Zazee,

Maybe you have seen my solution by now but I'll still answer it. It's impossible to advertise something you "don't have" so you'll have to put it on an interface in order to advertise it. A loopback works well for this purpose.

Hi Rene,

I'd like to thank you very much about ur strong effort.

I solved this problem by using ip default gateway between Jamaica and Florida
Jamaica : ip route 0.0.0.0 0.0.0.0 192.168.23.3

Florida : ip route 0.0.0.0 0.0.0.0 192.168.23.2

But I liked ur solution it's innovated..

Thank you Mohammad!

Static routes can solve about any problem but sometimes it's better to use a more "dynamic" solution. Routing protocols can recover by themselves when you have a link failure or some other issues