NAT Dynamic Troubleshooting

Scenario:

Working for a company based in the Caribbean isn’t such a bad life. The sun is always shining, and when there is no work you can relax at the beach. Today, however, you get a stress call from a junior network engineer who tried to replace a failed router. He claims to have configured NAT (network address translation) correctly, but it’s not working. Time for you to fix the problem!

Goal:

  • All IP addresses have been preconfigured for you as follows:
    192.168.XY.X /24 where X = router1 and Y = router2.
    for example: 192.168.58.5 between router5 and router8.
  • You are only allowed to make changes on router Jamaica.
  • Your ISP has given you the 172.16.1.0/24 subnet to use for the NAT translation.
  • Do not use show run! (This will spoil the fun 🙂) Use the appropriate ‘show’ and ‘debug’ commands. This will teach you the skills needed to become a true troubleshooting master.
  • You need to make sure the 192.168.12.0 /24 subnet is translated into the IP addresses the ISP gave you when router John communicates with router Dave.

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

NAT Dynamic Troubleshooting

Written by René Molenaar - CCIE #41726

About the Author: Rene Molenaar

René - CCIE #41726 is the creator of GNS3Vault.com where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on http://networklessons.com

30 Comments

  1. so we ping from John to Dave… and it gets translated in Jamaica? hmm so far not working…i set ip nat inside on the fast0/0 int, and ip nat outside on serial1/0 int on Jamaica…

  2. Well there are a number of steps to make NAT work:

    – Specify the inside and outside interfaces.
    – Specify what the source and destination for the translation will be.
    – Make sure that routers know where to send traffic…so check your routing tables.

    If you have difficulty with solving this lab it’s a good idea to draw the topology on a piece of paper and “follow the packet”. Just draw what is supposed to happen and what could possibly go wrong.

  3. ok so this is what i did.

    ip nat inside = int fast0/0
    ip nat outside = int serial 1/0

    since we need to translate 192.168.12.0 network to 172.16.1.0/24 network

    configured a ip nat pool specifying the 172.16.1.1 to 172.16.1.10

    configuring an access list to permit the 192.168.12.0 network

    Am i supposed to do anything else? cuz as far as i know this is all it takes to translate inside local address 192.168.12.0 to the 172.16.1.0 network.

    i also configured an ip default-gateway to the 192.168.23.3 (Florida) router but still didn’t work grrrrrr.

    hmmmm:(

  4. Ok so this is what you did?

    1) Configure the inside and outside interfaces.
    2) Configure an access-list to match the inside hosts.
    3) Configure a pool to translate into.
    4) Use the ‘ip nat inside source’ command to bring 2+3 together.

    Once you have done that…follow the packet in your mind and try to think about the decisions the router(s) have to make and why it isn’t working.

  5. oh ok solved was a silly mistake :P…the problem was with the access list grrrrrrrrrrr…its funny how i did the complicated mpls lab successfully but got stuck on this simple one ;D

  6. I am able to get NAT working, but I have to make a change on the Florida router to route the 172.16.1.X traffic back to the Jamaica router.

    In the instructions you are only supposed to make changes on the Jamaica router, how can I dynamically update the Florida router with the 172.16.1.X network from Jamaica?

  7. Hello Alexander,

    The answer is in your own question ;D …dynamically update….

    How can we dynamically update another router? *cough* routing protocol *RIP* good luck! 😉

  8. Okay, I solved this after using a loopback interface. Would there be another way to do this without a loopback interface?

  9. Yes there is another method. With routing protocols you can advertise something when you have it on an interface. If you don’t want it on an interface then it’s possible to create a static route pointing to the null0 interface. So in short, it needs to be in your routing table before you can advertise it.

  10. One last question? I got it working using the null0 interface, but is there a reason that you would use a null interface over a loopback interface, or is this purely a personal preference?

    Thank you for your help.

  11. Hi Alexander,

    Using a loopback interface is the best way i’d say…if you advertise it then at least it’s reachable. Creating a static route pointing to null0 will ‘blackhole’ it. Only reason i can think of is you would do a CCIE exam and they state that you have to advertise a prefix but are not allowed to use a loopback or physical interface.

    Rene

  12. I have added static route pointing to fa0/0 as per design but it’s working with Null0 as well 😉

    Jamaica#show ip nat translations

    Jamaica#

    Dave#traceroute 192.168.12.1

    Type escape sequence to abort.
    Tracing the route to 192.168.12.1

    1 192.168.34.3 56 msec 92 msec 8 msec
    2 192.168.23.2 64 msec 32 msec 0 msec
    3 172.16.1.1 76 msec * 100 msec

    Jamaica#show ip nat translations
    Pro Inside global         Inside local       Outside local      Outside global
    udp 172.16.1.1:33437      192.168.12.1:33437 192.168.34.4:49207 192.168.34.4:49207
    udp 172.16.1.1:33438      192.168.12.1:33438 192.168.34.4:49208 192.168.34.4:49208
    udp 172.16.1.1:33439      192.168.12.1:33439 192.168.34.4:49209 192.168.34.4:49209
    udp 172.16.1.1:33440      192.168.12.1:33440 192.168.34.4:49210 192.168.34.4:49210
    udp 172.16.1.1:33442      192.168.12.1:33442 192.168.34.4:49212 192.168.34.4:49212
    --- 172.16.1.1            192.168.12.1       ---                ---
    Jamaica#

    🙂

  13. This is embarrassing… I have forgotten about the details about NAT.

    I have configured the lab and I cannot see the translations when I ping, even though the ping is successful, the NAT translation isn’t:
    From John to Dave
    From Dave to John

    But if I do a traceroute from Dave to John, I get the following NAT translation:
    -----------------------------------------------
    Jamaica#show ip nat translations
    Pro  Inside global         Inside local            Outside local           Outside global
    udp  172.16.1.1:33437      192.168.12.1:33437      192.168.34.4:49167      192.168.34.4:49167
    udp  172.16.1.1:33438      192.168.12.1:33438      192.168.34.4:49168      192.168.34.4:49168
    udp  172.16.1.1:33439      192.168.12.1:33439      192.168.34.4:49169      192.168.34.4:49169
    udp  172.16.1.1:33440      192.168.12.1:33440      192.168.34.4:49170      192.168.34.4:49170
    udp  172.16.1.1:33442      192.168.12.1:33442      192.168.34.4:49172      192.168.34.4:49172
    icmp 172.16.1.1:4194368    192.168.12.1:4194368    192.168.34.4:1702719456 192.168.34.4:1702719456
    icmp 172.16.1.1:1612683140 192.168.12.1:1612683140 192.168.34.4:7          192.168.34.4:7
    ---  172.16.1.1            192.168.12.1            ---                     ---

    Can someone please tell me why the ping is not translated? Or at least tell me where to look further?

    By the way, as maybe you have guessed from my output; Router Florida can see the route to 172.16.1.0/16 network

    Best regards,
    Waschman

    Hmm, I have problems posting a comment. I am registered to this website and when I try to post a comment I have to put in the name. But when I enter the name it says that I am already registered. Therefore I changed the name to waschman2

  14. I tried to configure PAT instead and that works perfectly! But not with a standard access-list. I changed my ACL to an extended ACL and then it worked.

    First I tried with an ACL with number 101 (extended) but it didn’t work. Then I tried to use a named extended ACL with name=NAT and then it worked. Strange!

    I am using IOS:
    Cisco IOS Software, 3600 Software (C3640-IK9O3S-M), Version 12.4(3), RELEASE SOFTWARE (fc2)

    Good lab!

    Keep up the good work 😀

  15. hahaha this was an awesome lab!! I wouldn’t even think about doing something like this. I was clueless until I read the comments :):)

    keep up the good work man!! btw I’m @matthewsface on twitter 🙂

  16. great lab. I admit I read some of the comments until I solved it. I’m preparing for tshoot and your labs are really helping. Maybe you can create more tshoot labs.
    Thanks.

  17. Hi Alex,

    Thanks for letting me know about the video, the correct one is here now. Last Friday I uploaded the TSHOOT topology (preconfigured). I’ll be using it to build TSHOOT labs that represent the exam asap 8)

  18. thank u for ur lab it’s really fun i solved it without using any change on the routing process.
    the mistakes found :
    1- inside , outside used on the wrong way
    2- mistake on wildcard mask
    3- disable the old translation with the new one.
    but i want to know how could the router update dynamically another router using the routing process. i wanna to explain me how could florida router knows 172.168.1.0/24 without informing on it routing table and without using any static link.
    plz answer soon as possible

    1. Hi Zazee,

      Maybe you have seen my solution by now but I’ll still answer it. It’s impossible to advertise something you "don’t have" so you’ll have to put it on an interface in order to advertise it. A loopback works well for this purpose.
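
The four NAT steps from comment 4 together with the loopback approach Rene describes in comments 7 to 11 and in the reply above, written out for router Jamaica as an added example; it is not the lab's solution file or the author's configuration. Interface roles follow comment 1, the pool range follows comment 3 and RIP follows comment 7; the ACL number, the pool name ISP and the Loopback0 address are assumptions.

```cisco
! Added example for router Jamaica, not the lab's own configuration.
! Assumed: Fa0/0 faces John (inside), Se1/0 faces Florida (outside),
! RIP is already running. ACL 1, pool name ISP and the Loopback0
! address are constructed for illustration.
configure terminal
!
! 1) Inside faces the hosts being translated, outside faces the ISP side.
interface FastEthernet0/0
 ip nat inside
interface Serial1/0
 ip nat outside
!
! 2) Standard ACL matching the inside hosts. The second field is a
!    wildcard mask (0.0.0.255), not a subnet mask (255.255.255.0).
access-list 1 permit 192.168.12.0 0.0.0.255
!
! 3) Pool carved out of the range the ISP assigned.
ip nat pool ISP 172.16.1.1 172.16.1.10 netmask 255.255.255.0
!
! 4) Bind ACL and pool together.
ip nat inside source list 1 pool ISP
!
! 5) A prefix must be in the routing table before RIP can advertise it.
!    The loopback address sits outside the pool range on purpose.
interface Loopback0
 ip address 172.16.1.254 255.255.255.0
router rip
 network 172.16.0.0
end
!
! Flush entries created by the earlier configuration, then verify
! without show run.
clear ip nat translation *
show ip nat statistics
show access-lists 1
debug ip nat
show ip nat translations
```

`show ip nat statistics` lists the inside and outside interfaces and the ACL-to-pool binding with hit and miss counters, which is enough to spot swapped interfaces or an ACL that never matches. On Florida, `show ip route` should then show the 172.16 network learned through RIP via 192.168.23.2.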

  19. Hi Rene,

    I’d like to thank you very much about ur strong effort.

    I solved this problem by using ip default gateway between Jamaica and Florida
    Jamaica : ip route 0.0.0.0 0.0.0.0 192.168.23.3

    Florida : ip route 0.0.0.0 0.0.0.0 192.168.23.2

    But I liked ur solution it’s innovated..:)

    1. Thank you Mohammad!

      Static routes can solve about any problem but sometimes it’s better to use a more "dynamic" solution. Routing protocols can recover by themselves when you have a link failure or some other issues 🙂

  20. Hello,

    I can not download the topology files for some reason, every time i am trying i am facing this message:

    "You need to register to be able to download the GNS3 Topology File. (Registration is Free!)"

    P.S. This happens for all labs now, when I was studying for the routing, couple of months ago, I didn’t have any problem.

    Could you please help me with this issue.

    Thank you

  21. i am from India. these days i am reading your book. your book is so good for learning bcoz you r use very simple language and it quite helpful to understand technical thing very easily..

  22. Hi guys. I am trying this lab and i have a question. Let me see if i get it right.

    The one way to advertise the network to Florida is with static ip route – 0.0.0.0 0.0.0.0 null and after i created it I put it in the rip – network 0.0.0.0?

    Thanks

Comments are closed.