NAT Troubleshooting

Troubleshooting 1: PAT

Initial Configuration

Basic IP configuration of the Virtual-Internet is done.

  • R1
conf t
hostname R1
!
int gig0/0
ip addr 100.1.1.1 255.255.255.0
no shut
exit
int gig0/1
ip addr 172.16.0.254 255.255.255.0
no shut
exit
int gig0/2
ip addr 192.168.0.254 255.255.255.0
no shut
exit
!
ip route 0.0.0.0 0.0.0.0 100.1.1.2
!
end
  • ISP
conf t
hostname ISP
!
int gig0/1
ip addr 100.1.1.2 255.255.255.0
no shut
exit
int gig0/2
ip addr 100.2.1.2 255.255.255.0
no shut
exit
!
! static routing to R2 behind terminal
ip route 100.3.1.0 255.255.255.0 100.2.1.1
!
end
  • R2
conf t
hostname R2
!
int gig0/0
ip addr 100.2.1.1 255.255.255.0
no shut
exit
int gig0/1
ip addr 100.3.1.254 255.255.255.0
no shut
exit
!
ip route 0.0.0.0 0.0.0.0 100.2.1.2
!
end
  • PC-1
ip 172.16.0.1 255.255.255.0 172.16.0.254
save
  • PC-2
ip 172.16.0.2 255.255.255.0 172.16.0.254
save
  • PC-3
ip 192.168.0.1 255.255.255.0 192.168.0.254
save
  • PC-4
ip 100.3.1.1 255.255.255.0 100.3.1.254
save

Wrong Configuration

conf t
!
ip nat inside source list 1 int gig0/0 overload
!
int gig0/0
ip nat outside
exit
!
int gig0/1
ip nat inside
exit
!
int gig0/2
ip nat outside
exit
!
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
!
end

Verification

R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 100.1.1.1:542     172.16.0.1:542     100.3.1.1:542      100.3.1.1:542
icmp 100.1.1.1:1054    172.16.0.1:1054    100.3.1.1:1054     100.3.1.1:1054
icmp 100.1.1.1:1566    172.16.0.1:1566    100.3.1.1:1566     100.3.1.1:1566
icmp 100.1.1.1:1822    172.16.0.1:1822    100.3.1.1:1822     100.3.1.1:1822
icmp 100.1.1.1:2078    172.16.0.1:2078    100.3.1.1:2078     100.3.1.1:2078
icmp 100.1.1.1:2590    172.16.0.1:2590    100.3.1.1:2590     100.3.1.1:2590
icmp 100.1.1.1:2846    172.16.0.1:2846    100.3.1.1:2846     100.3.1.1:2846
icmp 100.1.1.1:3102    172.16.0.1:3102    100.3.1.1:3102     100.3.1.1:3102
icmp 100.1.1.1:3358    172.16.0.1:3358    100.3.1.1:3358     100.3.1.1:3358
icmp 100.1.1.1:3614    172.16.0.1:3614    100.3.1.1:3614     100.3.1.1:3614
icmp 100.1.1.1:9246    172.16.0.2:9246    100.3.1.1:9246     100.3.1.1:9246
icmp 100.1.1.1:9758    172.16.0.2:9758    100.3.1.1:9758     100.3.1.1:9758
icmp 100.1.1.1:10014   172.16.0.2:10014   100.3.1.1:10014    100.3.1.1:10014
icmp 100.1.1.1:10270   172.16.0.2:10270   100.3.1.1:10270    100.3.1.1:10270
icmp 100.1.1.1:10526   172.16.0.2:10526   100.3.1.1:10526    100.3.1.1:10526
PC-1> ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=11.701 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=7.385 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=10.100 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=6.714 ms
PC-2> ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=6.185 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=6.810 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=6.266 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=7.801 ms
PC-3> ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
100.3.1.1 icmp_seq=2 timeout
100.3.1.1 icmp_seq=3 timeout
100.3.1.1 icmp_seq=4 timeout
100.3.1.1 icmp_seq=5 timeout

Identify Problem

Interface gig0/2 must be a NAT inside interface, not outside.

Fixing issue and Verify

conf t
!
int gig0/2
no ip nat outside
ip nat inside
exit
!
end
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#!
R1(config)#int gig0/2
R1(config-if)#ip nat inside
% Interface is outside enabled.
R1(config-if)#exit
R1(config)#!
R1(config)#end
R1#
*Apr 15 09:49:27.943: %SYS-5-CONFIG_I: Configured from console by console

The ping still failed…

interface GigabitEthernet0/2
 ip address 192.168.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no cdp enable

I found that the ip nat outside command still exists.

Re-enter the commands.

R1(config)#int gig0/2
R1(config-if)#int gig0/2
R1(config-if)#ip nat inside
% Interface is outside enabled.

Command rejected!

The correct method is:

no ip nat outside
ip nat inside
R1(config-if)#^Z
R1#
*Apr 15 09:59:48.032: %SYS-5-CONFIG_I: Configured from console by console
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#!
R1(config)#int gig0/2
R1(config-if)#no ip nat inside
%Interface is outside enabled, try <no ip nat outside>
R1(config-if)#ip nat inside
% Interface is outside enabled.
R1(config-if)#exit
R1(config)#!
R1(config)#end
R1#
*Apr 15 09:59:54.212: %SYS-5-CONFIG_I: Configured from console by console

Mistake!

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#!
R1(config)#int gig0/2
R1(config-if)#no ip nat outside
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#!
R1(config)#end
R1#
*Apr 15 10:01:02.025: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 100.1.1.1:1571    172.16.0.1:1571    100.3.1.1:1571     100.3.1.1:1571
icmp 100.1.1.1:1027    172.16.0.1:1827    100.3.1.1:1827     100.3.1.1:1027
icmp 100.1.1.1:1028    172.16.0.1:2083    100.3.1.1:2083     100.3.1.1:1028
icmp 100.1.1.1:1029    172.16.0.1:2339    100.3.1.1:2339     100.3.1.1:1029
icmp 100.1.1.1:2595    172.16.0.1:2595    100.3.1.1:2595     100.3.1.1:2595
icmp 100.1.1.1:803     172.16.0.2:803     100.3.1.1:803      100.3.1.1:803
icmp 100.1.1.1:1315    172.16.0.2:1315    100.3.1.1:1315     100.3.1.1:1315
icmp 100.1.1.1:1827    172.16.0.2:1827    100.3.1.1:1827     100.3.1.1:1827
icmp 100.1.1.1:2083    172.16.0.2:2083    100.3.1.1:2083     100.3.1.1:2083
icmp 100.1.1.1:2339    172.16.0.2:2339    100.3.1.1:2339     100.3.1.1:2339
icmp 100.1.1.1:57122   192.168.0.254:57122 192.168.0.1:57122 192.168.0.1:57122
icmp 100.1.1.1:57634   192.168.0.254:57634 192.168.0.1:57634 192.168.0.1:57634
icmp 100.1.1.1:58146   192.168.0.254:58146 192.168.0.1:58146 192.168.0.1:58146
icmp 100.1.1.1:58658   192.168.0.254:58658 192.168.0.1:58658 192.168.0.1:58658
icmp 100.1.1.1:59170   192.168.0.254:59170 192.168.0.1:59170 192.168.0.1:59170
icmp 100.1.1.1:59682   192.168.0.254:59682 192.168.0.1:59682 192.168.0.1:59682
icmp 100.1.1.1:60194   192.168.0.254:60194 192.168.0.1:60194 192.168.0.1:60194
icmp 100.1.1.1:60706   192.168.0.254:60706 192.168.0.1:60706 192.168.0.1:60706
icmp 100.1.1.1:61218   192.168.0.254:61218 192.168.0.1:61218 192.168.0.1:61218
icmp 100.1.1.1:61730   192.168.0.254:61730 192.168.0.1:61730 192.168.0.1:61730
icmp 100.1.1.1:62242   192.168.0.254:62242 192.168.0.1:62242 192.168.0.1:62242
PC-1> ping 100.3.1.1
84 bytes from 100.3.1.1 icmp_seq=1 ttl=61 time=829.092 ms
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=9.510 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=10.085 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=7.312 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=5.643 ms
PC-2> ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
100.3.1.1 icmp_seq=2 timeout
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=7.004 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=7.526 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=5.417 ms
PC-3> ping 192.168.0.254
84 bytes from 192.168.0.254 icmp_seq=1 ttl=255 time=5.139 ms
84 bytes from 192.168.0.254 icmp_seq=2 ttl=255 time=2.873 ms
84 bytes from 192.168.0.254 icmp_seq=3 ttl=255 time=3.412 ms
84 bytes from 192.168.0.254 icmp_seq=4 ttl=255 time=4.796 ms
84 bytes from 192.168.0.254 icmp_seq=5 ttl=255 time=2.895 ms

Troubleshooting 2: Dynamic NAT

Initial Configuration

Basic IP configuration of the Virtual-Internet is done.

  • R1
conf t
hostname R1
!
int gig0/0
ip addr 100.1.1.1 255.255.255.0
no shut
exit
int gig0/1
ip addr 172.16.0.254 255.255.255.0
no shut
exit
int gig0/2
ip addr 192.168.0.254 255.255.255.0
no shut
exit
!
ip route 0.0.0.0 0.0.0.0 100.1.1.2
!
end
  • ISP
conf t
hostname ISP
!
int gig0/1
ip addr 100.1.1.2 255.255.255.0
no shut
exit
int gig0/2
ip addr 100.2.1.2 255.255.255.0
no shut
exit
!
! static routing to R2 behind terminal
ip route 100.3.1.0 255.255.255.0 100.2.1.1
! NAT Pool route
ip route 150.1.1.0 255.255.255.248 100.1.1.1
!
end
  • R2
conf t
hostname R2
!
int gig0/0
ip addr 100.2.1.1 255.255.255.0
no shut
exit
int gig0/1
ip addr 100.3.1.254 255.255.255.0
no shut
exit
!
ip route 0.0.0.0 0.0.0.0 100.2.1.2
!
end
  • PC-1
ip 172.16.0.1 255.255.255.0 172.16.0.254
save
  • PC-2
ip 172.16.0.2 255.255.255.0 172.16.0.254
save
  • PC-3
ip 192.168.0.1 255.255.255.0 192.168.0.254
save
  • PC-4
ip 100.3.1.1 255.255.255.0 100.3.1.254
save

Wrong Configuration

  • R1
conf t
!
ip nat pool PG1X-POOL 150.1.1.1 150.1.1.2 netmask 255.255.255.248
ip nat inside source list 10 pool PG1X-POOL
!
int gig0/0
ip nat outside
exit
int gig0/1
ip nat inside
exit
int gig0/2
ip nat inside
exit
!
access-list 10 permit 172.16.0.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
!
end
  • ISP
conf t
!
! NAT Pool route
ip route 150.1.1.0 255.255.255.248 100.1.1.1
!
end

Verification

  • R1
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#!
R1(config)#ip nat pool PG1X-POOL 150.1.1.1 150.1.2 netmask 255.255.255.248
                                                  ^
% Invalid input detected at '^' marker.

R1(config)#ip nat inside source list 10 pool PG1X-POOL
R1(config)#!
R1(config)#int gig0/0
R1(config-if)#ip nat outside

-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CCC6EAz 3CCC62Cz 3CCC5CBz 3A36694z 233EB23z 233E910z 2341812z 2358E3Cz - Process "Exec", CPU hog, PC 0x00153D85

-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CCC6EAz 3CCC62Cz 3CCC5CBz 38CF640z 38C1EBCz 38C21F0z 38C9416z 38CE1D0z - Process "Exec", CPU hog, PC 0x00153D6B

-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CCC6EAz 3CCC62Cz 3CCC5CBz 38CF640z 38C1EBCz 38C21F0z 38C9416z 38CE1D0z - Process "Exec", CPU hog, PC 0x00153D6B
R1(config-if)#exit
R1(config)#int gig0/1
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#int gig0/2
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#!
R1(config)#access-list 10 permit 172.16.0.0 0.0.0.255
R1(config)#access-list 10 permit 192.168.0.0 0.0.0.255
R1(config)#!
R1(config)#end
R1#
*Apr 15 10:53:44.427: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (0/0),process = Exec.
*Apr 15 10:53:46.169: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Apr 15 10:53:48.191: %SYS-3-CPUHOG: Task is running for (1998)msecs, more than (2000)msecs (0/0),process = Exec.
*Apr 15 10:53:50.191: %SYS-3-CPUHOG: Task is running for (3998)msecs, more than (2000)msecs (0/0),process = Exec.
R1#
*Apr 15 10:53:51.457: %SYS-5-CONFIG_I: Configured from console by console
R1#
-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CE4A6Az 3CD3F2Ez 3CD724Fz 50D46D1z 380B750z 388A09Cz 388A1E2z 388A349z - Process "STILE PERIODIC TASK", CPU hog, PC 0x00153D7D

*Apr 15 10:53:56.735: %SYS-3-CPUHOG: Task is running for (1999)msecs, more than (2000)msecs (0/0),process = STILE PERIODIC TASK.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#!
R1(config)#ip nat pool PG1X-POOL 150.1.1.1 150.1.1.2 netmask 255.255.255.248
R1(config)#^Z
R1#
*Apr 15 10:56:57.323: %SYS-5-CONFIG_I: Configured from console by console
  • ISP
ISP#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ISP(config)#! NAT Pool route
ISP(config)#ip route 150.1.1.0 255.255.255.248 100.1.1.1
ISP(config)#^Z
ISP#
*Apr 15 10:41:32.620: %SYS-5-CONFIG_I: Configured from console by console
ISP#sh ip ro 150.1.1.1
Routing entry for 150.1.1.0/29
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 100.1.1.1
      Route metric is 0, traffic share count is 1
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 150.1.1.1:4400    172.16.0.1:4400    100.3.1.1:4400     100.3.1.1:4400
icmp 150.1.1.1:4912    172.16.0.1:4912    100.3.1.1:4912     100.3.1.1:4912
icmp 150.1.1.1:5168    172.16.0.1:5168    100.3.1.1:5168     100.3.1.1:5168
icmp 150.1.1.1:5424    172.16.0.1:5424    100.3.1.1:5424     100.3.1.1:5424
icmp 150.1.1.1:5680    172.16.0.1:5680    100.3.1.1:5680     100.3.1.1:5680
--- 150.1.1.1          172.16.0.1         ---                ---
icmp 150.1.1.2:4912    192.168.0.1:4912   100.3.1.1:4912     100.3.1.1:4912
icmp 150.1.1.2:5424    192.168.0.1:5424   100.3.1.1:5424     100.3.1.1:5424
icmp 150.1.1.2:5680    192.168.0.1:5680   100.3.1.1:5680     100.3.1.1:5680
icmp 150.1.1.2:5936    192.168.0.1:5936   100.3.1.1:5936     100.3.1.1:5936
icmp 150.1.1.2:6192    192.168.0.1:6192   100.3.1.1:6192     100.3.1.1:6192
--- 150.1.1.2          192.168.0.1        ---                ---
PC-1> ping 100.3.1.1
84 bytes from 100.3.1.1 icmp_seq=1 ttl=61 time=23.942 ms
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=4.963 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=12.755 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=6.441 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=4.496 ms
PC-2> ping 100.3.1.1
*172.16.0.254 icmp_seq=1 ttl=255 time=4.331 ms (ICMP type:3, code:1, Destination host unreachable)
*172.16.0.254 icmp_seq=2 ttl=255 time=3.210 ms (ICMP type:3, code:1, Destination host unreachable)
*172.16.0.254 icmp_seq=3 ttl=255 time=4.584 ms (ICMP type:3, code:1, Destination host unreachable)
*172.16.0.254 icmp_seq=4 ttl=255 time=4.076 ms (ICMP type:3, code:1, Destination host unreachable)
*172.16.0.254 icmp_seq=5 ttl=255 time=5.643 ms (ICMP type:3, code:1, Destination host unreachable)
PC-3>  ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=4.818 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=6.679 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=6.163 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=6.883 ms
R1#clear ip nat translation *
R1#sh ip nat translations
R1#
PC-2> ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
100.3.1.1 icmp_seq=2 timeout
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=7.967 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=4.661 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=5.487 ms
PC-3>  ping 100.3.1.1
84 bytes from 100.3.1.1 icmp_seq=1 ttl=61 time=6.819 ms
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=6.297 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=6.441 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=20.522 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=6.384 ms
PC-1> ping 100.3.1.1
*172.16.0.254 icmp_seq=1 ttl=255 time=3.360 ms (ICMP type:3, code:1, Destination host unreachable)
*172.16.0.254 icmp_seq=2 ttl=255 time=3.193 ms (ICMP type:3, code:1, Destination host unreachable)
*172.16.0.254 icmp_seq=3 ttl=255 time=2.720 ms (ICMP type:3, code:1, Destination host unreachable)
*172.16.0.254 icmp_seq=4 ttl=255 time=4.215 ms (ICMP type:3, code:1, Destination host unreachable)
*172.16.0.254 icmp_seq=5 ttl=255 time=3.172 ms (ICMP type:3, code:1, Destination host unreachable)

Identify Problem

The failure is caused by address pool exhaustion.

R1#sh ip nat statistics
Total active translations: 12 (0 static, 12 dynamic; 10 extended)
Peak translations: 12, occurred 00:02:50 ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1, GigabitEthernet0/2
Hits: 40  Misses: 0
CEF Translated packets: 40, CEF Punted packets: 20
Expired translations: 10
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 pool PG1X-POOL refcount 12
 pool PG1X-POOL: netmask 255.255.255.248
        start 150.1.1.1 end 150.1.1.2
        type generic, total addresses 2, allocated 2 (100%), misses 30

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
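
The same diagnosis can be read mechanically from the two captures. This is an added example, not part of the original page: it parses the pool counters from sh ip nat statistics and, from sh ip nat translations, lists which inside hosts hold the pool addresses. The function names are illustrative, and the sample text is copied from the outputs above.

```python
import ipaddress
import re

# Pool section copied from the "sh ip nat statistics" capture above.
STATS = """\
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 pool PG1X-POOL refcount 12
 pool PG1X-POOL: netmask 255.255.255.248
        start 150.1.1.1 end 150.1.1.2
        type generic, total addresses 2, allocated 2 (100%), misses 30
"""
# Excerpt of the "sh ip nat translations" capture above.
TRANS = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 150.1.1.1:4400    172.16.0.1:4400    100.3.1.1:4400     100.3.1.1:4400
--- 150.1.1.1          172.16.0.1         ---                ---
icmp 150.1.1.2:4912    192.168.0.1:4912   100.3.1.1:4912     100.3.1.1:4912
--- 150.1.1.2          192.168.0.1        ---                ---
"""

# One match per pool: name, address range and usage counters.
STATS_RE = re.compile(
    r"pool (?P<name>\S+): netmask \S+\s+"
    r"start (?P<start>\S+) end (?P<end>\S+)\s+"
    r"type \w+, total addresses (?P<total>\d+), allocated (?P<alloc>\d+) "
    r"\(\d+%\), misses (?P<misses>\d+)")


def simple_entries(translations):
    """Map inside global -> inside local for one-to-one ('---') entries."""
    entries = {}
    for line in translations.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "---" and f[3] == f[4] == "---":
            entries[f[1]] = f[2]
    return entries


def exhausted_pools(stats, translations):
    """Report pools that are fully allocated and have already missed."""
    report = []
    for m in STATS_RE.finditer(stats):
        total, alloc, misses = int(m["total"]), int(m["alloc"]), int(m["misses"])
        if alloc < total or misses == 0:
            continue
        lo, hi = ipaddress.ip_address(m["start"]), ipaddress.ip_address(m["end"])
        # Static NAT entries look the same in this table, so keep only
        # globals that fall inside the pool's start..end range.
        held = {g: l for g, l in simple_entries(translations).items()
                if lo <= ipaddress.ip_address(g) <= hi}
        report.append({"pool": m["name"], "total": total,
                       "misses": misses, "held_by": held})
    return report


if __name__ == "__main__":
    for pool in exhausted_pools(STATS, TRANS):
        print(pool)
```
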

Fixing issue and Verify

Method 1: PAT using Address Pool

  • R1
conf t
!
ip nat inside source list 10 pool PG1X-POOL overload
!
end
PC-1> ping 100.3.1.1
84 bytes from 100.3.1.1 icmp_seq=1 ttl=61 time=25.984 ms
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=7.670 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=8.482 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=4.832 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=5.939 ms
PC-2> ping 100.3.1.1
84 bytes from 100.3.1.1 icmp_seq=1 ttl=61 time=6.676 ms
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=5.828 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=5.087 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=6.462 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=6.261 ms
PC-3> ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=4.695 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=5.198 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=7.083 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=7.652 ms
R1#sh ip nat t
Pro Inside global      Inside local       Outside local      Outside global
icmp 150.1.1.2:1026    172.16.0.1:19765   100.3.1.1:19765    100.3.1.1:1026
icmp 150.1.1.2:1028    172.16.0.1:20021   100.3.1.1:20021    100.3.1.1:1028
icmp 150.1.1.2:20533   172.16.0.1:20533   100.3.1.1:20533    100.3.1.1:20533
icmp 150.1.1.2:20789   172.16.0.1:20789   100.3.1.1:20789    100.3.1.1:20789
icmp 150.1.1.2:21045   172.16.0.1:21045   100.3.1.1:21045    100.3.1.1:21045
icmp 150.1.1.2:19509   172.16.0.2:19509   100.3.1.1:19509    100.3.1.1:19509
icmp 150.1.1.2:19765   172.16.0.2:19765   100.3.1.1:19765    100.3.1.1:19765
icmp 150.1.1.2:20021   172.16.0.2:20021   100.3.1.1:20021    100.3.1.1:20021
icmp 150.1.1.2:20277   172.16.0.2:20277   100.3.1.1:20277    100.3.1.1:20277
icmp 150.1.1.2:1030    172.16.0.2:20533   100.3.1.1:20533    100.3.1.1:1030
icmp 150.1.1.2:1032    172.16.0.2:20789   100.3.1.1:20789    100.3.1.1:1032
icmp 150.1.1.2:1024    192.168.0.1:19509  100.3.1.1:19509    100.3.1.1:1024
icmp 150.1.1.2:1025    192.168.0.1:19765  100.3.1.1:19765    100.3.1.1:1025
icmp 150.1.1.2:1027    192.168.0.1:20021  100.3.1.1:20021    100.3.1.1:1027
icmp 150.1.1.2:1029    192.168.0.1:20277  100.3.1.1:20277    100.3.1.1:1029
icmp 150.1.1.2:1031    192.168.0.1:20533  100.3.1.1:20533    100.3.1.1:1031
icmp 150.1.1.2:1033    192.168.0.1:20789  100.3.1.1:20789    100.3.1.1:1033

Method 2: PAT using Interface Address

  • R1
conf t
!
no ip nat pool PG1X-POOL 150.1.1.1 150.1.1.2 netmask 255.255.255.248
no ip nat inside source list 10 pool PG1X-POOL
!
ip nat inside source list 10 int gig0/0 overload
!
end
PC-1> ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
100.3.1.1 icmp_seq=2 timeout
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=4.980 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=5.542 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=5.209 ms
PC-2> ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=446.751 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=5.416 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=4.239 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=6.147 ms
PC-3> ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=5.016 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=6.839 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=5.679 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=6.503 ms
R1#sh ip nat t
Pro Inside global      Inside local       Outside local      Outside global
icmp 100.1.1.1:55347   172.16.0.1:55347   100.3.1.1:55347    100.3.1.1:55347
icmp 100.1.1.1:1024    172.16.0.1:55859   100.3.1.1:55859    100.3.1.1:1024
icmp 100.1.1.1:1025    172.16.0.1:56371   100.3.1.1:56371    100.3.1.1:1025
icmp 100.1.1.1:1027    172.16.0.1:56627   100.3.1.1:56627    100.3.1.1:1027
icmp 100.1.1.1:1029    172.16.0.1:56883   100.3.1.1:56883    100.3.1.1:1029
icmp 100.1.1.1:55603   172.16.0.2:55603   100.3.1.1:55603    100.3.1.1:55603
icmp 100.1.1.1:56115   172.16.0.2:56115   100.3.1.1:56115    100.3.1.1:56115
icmp 100.1.1.1:1026    172.16.0.2:56371   100.3.1.1:56371    100.3.1.1:1026
icmp 100.1.1.1:1028    172.16.0.2:56627   100.3.1.1:56627    100.3.1.1:1028
icmp 100.1.1.1:1030    172.16.0.2:56883   100.3.1.1:56883    100.3.1.1:1030
icmp 100.1.1.1:55859   192.168.0.1:55859  100.3.1.1:55859    100.3.1.1:55859
icmp 100.1.1.1:56371   192.168.0.1:56371  100.3.1.1:56371    100.3.1.1:56371
icmp 100.1.1.1:56627   192.168.0.1:56627  100.3.1.1:56627    100.3.1.1:56627
icmp 100.1.1.1:56883   192.168.0.1:56883  100.3.1.1:56883    100.3.1.1:56883
icmp 100.1.1.1:57139   192.168.0.1:57139  100.3.1.1:57139    100.3.1.1:57139

Troubleshooting 3: Mixing PAT, Static NAT

Initial Configuration

Basic IP configuration of the Virtual-Internet is done.

  • R1
conf t
hostname R1
!
int gig0/0
ip addr 100.1.1.1 255.255.255.0
no shut
exit
int gig0/1
ip addr 172.16.0.254 255.255.255.0
no shut
exit
int gig0/2
ip addr 192.168.0.254 255.255.255.0
no shut
exit
int gig0/3
ip addr 10.1.1.254 255.255.255.0
no shut
exit
!
ip route 0.0.0.0 0.0.0.0 100.1.1.2
!
end
  • ISP
conf t
hostname ISP
!
int gig0/1
ip addr 100.1.1.2 255.255.255.0
no shut
exit
int gig0/2
ip addr 100.2.1.2 255.255.255.0
no shut
exit
!
! static routing to R2 behind terminal
ip route 100.3.1.0 255.255.255.0 100.2.1.1
!
end
  • R2
conf t
hostname R2
!
int gig0/0
ip addr 100.2.1.1 255.255.255.0
no shut
exit
int gig0/1
ip addr 100.3.1.254 255.255.255.0
no shut
exit
!
ip route 0.0.0.0 0.0.0.0 100.2.1.2
!
end
  • PC-1
ip 172.16.0.1 255.255.255.0 172.16.0.254
save
  • PC-2
ip 172.16.0.2 255.255.255.0 172.16.0.254
save
  • PC-3
ip 192.168.0.1 255.255.255.0 192.168.0.254
save
  • PC-4
ip 100.3.1.1 255.255.255.0 100.3.1.254
save
  • PC-5
ip 10.1.1.1 255.255.255.0 10.1.1.254
save

Wrong Configuration

  • R1
conf t
!
ip nat inside source list 10 interface gig0/0 overload
ip nat inside source static 10.1.1.1 150.1.1.1
!
int gig0/0
ip nat outside
exit
int gig0/1
ip nat inside
exit
int gig0/2
ip nat inside
exit
int gig0/3
ip nat inside
exit
!
access-list 10 permit 172.16.0.0 0.0.0.255
!
end
  • ISP
conf t
!
! Add specific route to R1 static NAT address
ip route 150.1.1.1 255.255.255.255 100.1.1.1
!
end

Verification

#sh ip nat t
Pro Inside global      Inside local       Outside local      Outside global
--- 150.1.1.1          10.1.1.1           ---                ---
ISP#sh ip ro 150.1.1.1
Routing entry for 150.1.1.1/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 100.1.1.1
      Route metric is 0, traffic share count is 1
PC-1> ping 100.3.1.1
84 bytes from 100.3.1.1 icmp_seq=1 ttl=61 time=22.042 ms
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=6.053 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=7.574 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=6.466 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=6.696 ms
PC-2> ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=9.830 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=7.270 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=7.079 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=8.319 ms
PC-3> ping 100.3.1.1
100.3.1.1 icmp_seq=1 timeout
100.3.1.1 icmp_seq=2 timeout
100.3.1.1 icmp_seq=3 timeout
100.3.1.1 icmp_seq=4 timeout
100.3.1.1 icmp_seq=5 timeout
PC-5> ping 100.3.1.1
84 bytes from 100.3.1.1 icmp_seq=1 ttl=61 time=4.892 ms
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=6.049 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=6.084 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=6.502 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=7.303 ms
R1#sh ip nat t
Pro Inside global      Inside local       Outside local      Outside global
icmp 150.1.1.1:38463   10.1.1.1:38463     100.3.1.1:38463    100.3.1.1:38463
icmp 150.1.1.1:38719   10.1.1.1:38719     100.3.1.1:38719    100.3.1.1:38719
icmp 150.1.1.1:38975   10.1.1.1:38975     100.3.1.1:38975    100.3.1.1:38975
icmp 150.1.1.1:39231   10.1.1.1:39231     100.3.1.1:39231    100.3.1.1:39231
icmp 150.1.1.1:39487   10.1.1.1:39487     100.3.1.1:39487    100.3.1.1:39487
--- 150.1.1.1          10.1.1.1           ---                ---
icmp 100.1.1.1:37695   172.16.0.1:37695   100.3.1.1:37695    100.3.1.1:37695
icmp 100.1.1.1:1024    172.16.0.1:37951   100.3.1.1:37951    100.3.1.1:1024
icmp 100.1.1.1:38207   172.16.0.1:38207   100.3.1.1:38207    100.3.1.1:38207
icmp 100.1.1.1:1025    172.16.0.1:38463   100.3.1.1:38463    100.3.1.1:1025
icmp 100.1.1.1:1026    172.16.0.1:38719   100.3.1.1:38719    100.3.1.1:1026
icmp 100.1.1.1:37951   172.16.0.2:37951   100.3.1.1:37951    100.3.1.1:37951
icmp 100.1.1.1:38463   172.16.0.2:38463   100.3.1.1:38463    100.3.1.1:38463
icmp 100.1.1.1:38719   172.16.0.2:38719   100.3.1.1:38719    100.3.1.1:38719
icmp 100.1.1.1:38975   172.16.0.2:38975   100.3.1.1:38975    100.3.1.1:38975
icmp 100.1.1.1:39231   172.16.0.2:39231   100.3.1.1:39231    100.3.1.1:39231

Identify Problem

It is caused by the lack of an ACL statement for 192.168.0.0/24.
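
Both this mistake and the one in Troubleshooting 1 are visible in the configuration before any ping is sent. This is an added example, not part of the original page: a small audit that cross-checks each interface's subnet and NAT role against the NAT source list and static entries. The function names and finding labels are illustrative, and only numbered standard ACL lines are parsed.

```python
import ipaddress
import re

# Address lines copied from the page's R1 "Initial Configuration".
ADDRS = """\
int gig0/0
 ip addr 100.1.1.1 255.255.255.0
int gig0/1
 ip addr 172.16.0.254 255.255.255.0
int gig0/2
 ip addr 192.168.0.254 255.255.255.0
"""
# NAT lines copied from the two "Wrong Configuration" blocks (exit/! dropped).
T1_WRONG = ADDRS + """\
ip nat inside source list 1 int gig0/0 overload
int gig0/0
 ip nat outside
int gig0/1
 ip nat inside
int gig0/2
 ip nat outside
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
"""
T3_WRONG = ADDRS + """\
int gig0/3
 ip addr 10.1.1.254 255.255.255.0
ip nat inside source list 10 interface gig0/0 overload
ip nat inside source static 10.1.1.1 150.1.1.1
int gig0/0
 ip nat outside
int gig0/1
 ip nat inside
int gig0/2
 ip nat inside
int gig0/3
 ip nat inside
access-list 10 permit 172.16.0.0 0.0.0.255
"""


def parse(config):
    """Collect interface subnets and NAT roles, ACLs, NAT source lists, statics."""
    ifaces, acls, nat_lists, statics, cur = {}, {}, set(), [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"int\S*\s+(\S+)$", line):
            cur = ifaces.setdefault(m[1], {"net": None, "role": None})
        elif cur is not None and (m := re.match(r"ip addr\S*\s+(\S+)\s+(\S+)$", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur is not None and (m := re.match(r"ip nat (inside|outside)$", line)):
            cur["role"] = m[1]
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)$", line):
            # Wildcard masks are read as host masks; non-contiguous ones raise.
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            acls.setdefault(m[1], []).append(net)
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            nat_lists.add(m[1])
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            statics.append(ipaddress.ip_address(m[1]))
    return ifaces, acls, nat_lists, statics


def audit(config):
    """Return (interface, finding) pairs for the two mistakes shown on this page."""
    ifaces, acls, nat_lists, statics = parse(config)
    nat_nets = [n for num in nat_lists for n in acls.get(num, [])]
    findings = []
    for name, i in ifaces.items():
        if i["net"] is None:
            continue
        in_acl = any(i["net"].overlaps(n) for n in nat_nets)
        has_static = any(a in i["net"] for a in statics)
        if in_acl and i["role"] != "inside":
            findings.append((name, "source-list-net-not-inside"))
        elif i["role"] == "inside" and not (in_acl or has_static):
            findings.append((name, "inside-net-not-translated"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("T1", T1_WRONG), ("T3", T3_WRONG)):
        print(label, audit(cfg))
```
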

Fixing issue and Verify

  • R1
conf t
!
ip access-list standard 10
permit 192.168.0.0 0.0.0.255
exit
!
end
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#!
R1(config)#ip access-list standard 10
R1(config-std-nacl)#permit 192.168.0.0 0.0.0.255
R1(config-std-nacl)#exit
R1(config)#!
R1(config)#end
R1#
*Apr 15 12:09:23.269: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | i access-list
access-list 10 permit 172.16.0.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
R1#sh ip ac
R1#sh ip acce
R1#sh ip access-lists 10
Standard IP access list 10
    10 permit 172.16.0.0, wildcard bits 0.0.0.255 (5 matches)
    20 permit 192.168.0.0, wildcard bits 0.0.0.255
PC-1> ping 100.3.1.1
84 bytes from 100.3.1.1 icmp_seq=1 ttl=61 time=16.877 ms
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=11.930 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=5.650 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=5.067 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=6.053 ms
PC-2> ping 100.3.1.1
84 bytes from 100.3.1.1 icmp_seq=1 ttl=61 time=5.499 ms
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=6.187 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=8.033 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=16.159 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=9.206 ms
PC-3> ping 100.3.1.1
84 bytes from 100.3.1.1 icmp_seq=1 ttl=61 time=20.143 ms
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=6.401 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=7.235 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=5.770 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=6.910 ms
PC-5> ping 100.3.1.1
84 bytes from 100.3.1.1 icmp_seq=1 ttl=61 time=6.329 ms
84 bytes from 100.3.1.1 icmp_seq=2 ttl=61 time=6.419 ms
84 bytes from 100.3.1.1 icmp_seq=3 ttl=61 time=6.163 ms
84 bytes from 100.3.1.1 icmp_seq=4 ttl=61 time=7.821 ms
84 bytes from 100.3.1.1 icmp_seq=5 ttl=61 time=5.231 ms
R1#sh ip nat t
Pro Inside global      Inside local       Outside local      Outside global
icmp 150.1.1.1:12865   10.1.1.1:12865     100.3.1.1:12865    100.3.1.1:12865
icmp 150.1.1.1:13121   10.1.1.1:13121     100.3.1.1:13121    100.3.1.1:13121
icmp 150.1.1.1:13377   10.1.1.1:13377     100.3.1.1:13377    100.3.1.1:13377
icmp 150.1.1.1:13633   10.1.1.1:13633     100.3.1.1:13633    100.3.1.1:13633
icmp 150.1.1.1:13889   10.1.1.1:13889     100.3.1.1:13889    100.3.1.1:13889
--- 150.1.1.1          10.1.1.1           ---                ---
icmp 100.1.1.1:1027    172.16.0.1:13121   100.3.1.1:13121    100.3.1.1:1027
icmp 100.1.1.1:1029    172.16.0.1:13377   100.3.1.1:13377    100.3.1.1:1029
icmp 100.1.1.1:1030    172.16.0.1:13633   100.3.1.1:13633    100.3.1.1:1030
icmp 100.1.1.1:13889   172.16.0.1:13889   100.3.1.1:13889    100.3.1.1:13889
icmp 100.1.1.1:14145   172.16.0.1:14145   100.3.1.1:14145    100.3.1.1:14145
icmp 100.1.1.1:1024    172.16.0.2:12609   100.3.1.1:12609    100.3.1.1:1024
icmp 100.1.1.1:1025    172.16.0.2:12865   100.3.1.1:12865    100.3.1.1:1025
icmp 100.1.1.1:1026    172.16.0.2:13121   100.3.1.1:13121    100.3.1.1:1026
icmp 100.1.1.1:1028    172.16.0.2:13377   100.3.1.1:13377    100.3.1.1:1028
icmp 100.1.1.1:13633   172.16.0.2:13633   100.3.1.1:13633    100.3.1.1:13633
icmp 100.1.1.1:12353   192.168.0.1:12353  100.3.1.1:12353    100.3.1.1:12353
icmp 100.1.1.1:12609   192.168.0.1:12609  100.3.1.1:12609    100.3.1.1:12609
icmp 100.1.1.1:12865   192.168.0.1:12865  100.3.1.1:12865    100.3.1.1:12865
icmp 100.1.1.1:13121   192.168.0.1:13121  100.3.1.1:13121    100.3.1.1:13121
icmp 100.1.1.1:13377   192.168.0.1:13377  100.3.1.1:13377    100.3.1.1:13377

All done!

tech/network/cisco/nat-pat-trouble-shooting/nat-pat-trouble-shooting.txt · Last modified: 2018/04/15 21:12 by wnoguchi