network

The HQ network is using PAT to gain access to the internet; the internal webserver needs to be accessed from the internet using static NAT.

Configs:

S_HQ

!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport access vlan 30
!
interface GigabitEthernet0/1
 switchport mode trunk
!

R_HQ

!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 145.89.181.192 255.255.255.0
 ip nat outside
 clock rate 2000000
!
ip nat pool PAT 145.89.181.192 145.89.181.192 netmask 255.255.255.0
ip nat inside source list PAT pool PAT overload
ip nat inside source static tcp 192.168.30.10 80 145.89.181.192 80
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 
!
ip access-list standard PAT
 permit 192.168.0.0 0.0.255.255
!

R_ISP

!
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 145.89.181.193 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 
!

All PCs are configured correctly, yet pinging from any VLAN inside the HQ network to the customer leads to a timeout; no translations are being made, according to the show ip nat translations command.

However, static NAT seems to be working fine when visiting 145.89.181.192 in the browser on the customer PC.

By removing and reapplying static NAT the problem seems to be gone, but after reopening Packet Tracer the problem is back again; it makes no sense to me...

Am I overlooking something, or could this be a bug in Packet Tracer?

Much appreciated!

Thom
  • Fix your NAT Pool! – Shinomoto Asakura Sep 28 '15 at 21:14
  • What address at the customer's network were you pinging? You should be able to ping from inside HQ to the outside Serial0/0/0 interface of the customer network with your config. – Brian Duke Feb 25 '16 at 22:25
  • Show the output of debug ip nat before and after you add the static entry. – Daniel Mar 26 '16 at 14:30
  • The NAT pool is gratuitous. It is a single address, which is the address of your outside interface, that will be used anyway. Try something like: `ip nat inside source list PAT interface Serial0/0/0 overload`. – Ron Maupin May 25 '16 at 14:21
  • I don't see anything glaringly obvious in your configs. If the same exact configuration given the same exact connections work at times and doesn't work at other times, I would suspect misbehavior on PT's end. I would try it in GNS3 or on real hardware. (It wouldn't be surprising if PT was the culprit here.) – user19273 Sep 27 '15 at 17:33
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer. – Ron Maupin Nov 19 '22 at 21:35

5 Answers


Is there a specific reason to have your NAT pool with a mask of /24 and not /32 if your public address is always the same (145.89.181.192)?

Have you tried modifying your PAT pool like this:

ip nat pool PAT 145.89.181.192 145.89.181.192 netmask 255.255.255.255

Sorcha
  • True, I made a little mistake there... But modifying the pool doesn't seem to change the situation; it's probably Packet Tracer acting weird. – Thom Sep 29 '15 at 15:49
  • Yes, it's possible. Sometimes PT doesn't want to connect my wifi devices with a RADIUS scheme when I run PT on Linux. I must do my config on Windows and re-open my finished file in Linux and... it works... – Sorcha Sep 29 '15 at 19:12

Create a standard access list to identify the internal traffic being translated.

access-list 1 permit 192.168.0.0 0.0.255.255

In the NAT statement, reflect the access list:

ip nat inside source list 1 interface serial 0/0/0 overload

This will work in NAPT.

Ron Maupin
Gngogh

I would recommend that you remove the pool, since you have just one IP address from the ISP.

Do something like what was already suggested, but you can use your existing ACL:

ip access-list standard PAT
 permit 192.168.0.0 0.0.255.255

Remove the pool; you probably need to remove "ip nat outside" on the interface first, then run "clear ip nat trans *":

no ip nat pool PAT 145.89.181.192 145.89.181.192 netmask 255.255.255.0

ip nat inside source list PAT int Serial0/0/0 overload

You need to re-add ip nat outside if you removed it from s0/0/0.

All the rest can remain the same.

Ron Maupin
Percy

I would like to share my thoughts and suggestions about this situation. First, I agree with everyone's suggestion about configuring the pool:

ip nat inside source list PAT interface s0/0/0 overload

PT does not like some kind of overloading stuff.

Second, it's not clear which IP address on the ISP end you were pinging, because on R_ISP I don't see any IP address assignments (private to public).

J. Doe

Basically, PAT is port address translation. This kind of translation is used for internet access: users in the internal LAN can access the internet by translating multiple private addresses to the single public IP configured on the respective interface.

In the mentioned scenario:

PAT configuration:

RouterH_Q(config)#access-list 10 permit 192.168.0.0 0.0.255.255

RouterH_Q(config)#ip nat inside source list 10 interface serial 0/0/0 overload

Static NAT:

Static NAT is used for accessing internally hosted webserver resources from the internet.

RouterH_Q(config)#ip nat inside source static 192.168.30.10 145.89.181.192

Ron Maupin
Sagar Uragonda
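As an added example (not code from the question or from any of the answers), here is a small Python lint that parses the NAT-relevant part of an IOS configuration such as R_HQ above and reports the points raised across the answers and comments: a dynamic-NAT pool that consists only of the outside interface's own address (Ron Maupin's comment, Percy's and J. Doe's answers), a single-address pool with a netmask wider than /32 (Sorcha's answer), a referenced access list that is never defined, a missing `ip nat outside` interface (Percy's note about re-adding it), and a static entry whose inside host sits behind no `ip nat inside` interface. The embedded sample is the question's R_HQ configuration; the finding codes and the `parse`, `lint` and `recommended_commands` names are my own and not IOS commands.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the R_HQ config from the question.
R_HQ_CONFIG = """\
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 145.89.181.192 255.255.255.0
 ip nat outside
!
ip nat pool PAT 145.89.181.192 145.89.181.192 netmask 255.255.255.0
ip nat inside source list PAT pool PAT overload
ip nat inside source static tcp 192.168.30.10 80 145.89.181.192 80
!
ip access-list standard PAT
 permit 192.168.0.0 0.0.255.255
!
"""


def parse(text):
    """Collect interfaces, pools, dynamic and static NAT rules, and ACL names."""
    cfg = {"interfaces": {}, "pools": {}, "dynamic": [], "static": [], "acls": set()}
    block = None  # interface dict currently receiving indented sub-commands
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" ") and block is not None:
            body = line.strip()
            if m := re.match(r"ip address (\S+) (\S+)", body):
                block["ip"], block["mask"] = m.groups()
            elif body in ("ip nat inside", "ip nat outside"):
                block["nat"] = body.split()[-1]
            continue
        block = None  # any top-level line ends the current interface block
        if m := re.match(r"interface (\S+)", line):
            block = cfg["interfaces"].setdefault(m.group(1), {"ip": None, "mask": None, "nat": None})
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)|access-list (\d+) ", line):
            cfg["acls"].add(m.group(1) or m.group(2))
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)", line):
            cfg["pools"][m.group(1)] = m.groups()[1:]  # (start, end, netmask)
        elif m := re.match(r"ip nat inside source list (\S+) (pool|interface) (\S+)( overload)?", line):
            cfg["dynamic"].append({"acl": m.group(1), "kind": m.group(2),
                                   "target": m.group(3), "overload": bool(m.group(4))})
        elif m := re.match(r"ip nat inside source static(?: (?:tcp|udp))? (\S+)(?: \d+)? (\S+)(?: \d+)?$", line):
            cfg["static"].append({"inside": m.group(1), "outside": m.group(2)})
    return cfg


def lint(text):
    """Return (code, message) findings for the pitfalls raised in the answers; [] means clean."""
    cfg = parse(text)
    found = []
    outside = {i["ip"]: n for n, i in cfg["interfaces"].items() if i["nat"] == "outside"}
    inside = [ipaddress.ip_network(f"{i['ip']}/{i['mask']}", strict=False)
              for i in cfg["interfaces"].values() if i["nat"] == "inside" and i["ip"]]
    if not outside:
        found.append(("NO_OUTSIDE", "no interface is marked 'ip nat outside'"))
    for rule in cfg["dynamic"]:
        if rule["acl"] not in cfg["acls"]:
            found.append(("ACL_MISSING", f"access list {rule['acl']} is referenced but not defined"))
        pool = cfg["pools"].get(rule["target"]) if rule["kind"] == "pool" else None
        if pool is None:
            continue
        start, end, mask = pool
        if start == end and start in outside:  # the pool is just the outside interface address
            found.append(("POOL_IS_OUTSIDE_INTERFACE", f"use 'ip nat inside source list {rule['acl']} "
                          f"interface {outside[start]} overload' instead of pool {rule['target']}"))
        if start == end and mask != "255.255.255.255":  # one address should carry a /32 netmask
            found.append(("POOL_SINGLE_ADDR_WIDE_MASK", f"pool {rule['target']} netmask {mask} is not /32"))
    for st in cfg["static"]:  # the translated inside host must sit behind an 'ip nat inside' interface
        host = ipaddress.ip_address(st["inside"])
        if inside and not any(host in net for net in inside):
            found.append(("STATIC_INSIDE_NOT_LOCAL", f"{host} is on no 'ip nat inside' subnet"))
    return found


def recommended_commands(text):
    """IOS commands replacing a single-address pool with interface overload, as the answers suggest."""
    cfg = parse(text)
    outside = {i["ip"]: n for n, i in cfg["interfaces"].items() if i["nat"] == "outside"}
    cmds = []
    for rule in cfg["dynamic"]:
        pool = cfg["pools"].get(rule["target"]) if rule["kind"] == "pool" else None
        if pool and pool[0] == pool[1] and pool[0] in outside:
            suffix = " overload" if rule["overload"] else ""
            cmds.append(f"no ip nat inside source list {rule['acl']} pool {rule['target']}{suffix}")
            cmds.append(f"no ip nat pool {rule['target']} {pool[0]} {pool[1]} netmask {pool[2]}")
            cmds.append(f"ip nat inside source list {rule['acl']} interface {outside[pool[0]]} overload")
    return cmds


if __name__ == "__main__":
    for code, msg in lint(R_HQ_CONFIG):
        print(f"{code}: {msg}")
    print("\n".join(recommended_commands(R_HQ_CONFIG)))
```

Run against the R_HQ configuration, `lint` reports the two pool findings and `recommended_commands` emits the three commands the answers converge on (remove the dynamic rule, remove the pool, add the `interface Serial0/0/0 overload` form); run against the corrected configuration it returns no findings. Percy's operational note still stands: existing translations may need clearing with `clear ip nat trans *` for the rule change to take effect.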