Solved

One to One NAT setup, ping works but any other traffic doesn't

Posted on 2005-03-29
Last Modified: 2010-04-17
I am trying to set up a one-to-one NAT for various IPs on other private networks that connect to our company network via point-to-point links. I have a test setup that I'm using to get things working, and below are the Cisco router configs for the test lab scenario. There are 3 routers and two PCs connected to this test network. One PC is on R1's E0 interface with IP 192.168.1.1 and the other PC is connected to R3's E0 interface with an IP of 10.210.102.1.

R1

interface Ethernet0/0
 ip address 192.168.1.254 255.255.255.0
 half-duplex
!
interface Serial0/0
 ip address 172.16.2.2 255.255.255.252
!
router eigrp 10
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.1.0
 auto-summary

---------------------------------------------------------

R2

interface Ethernet0/0
 ip address 10.210.101.254 255.255.255.0
 ip nat inside
 half-duplex
!
interface Serial0/0
 ip address 172.16.1.1 255.255.255.252
!
interface Serial0/1
 ip address 172.16.2.1 255.255.255.252
 ip nat outside
!
router eigrp 10
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.1.0
 auto-summary
 eigrp log-neighbor-changes
!
ip nat inside source static 192.168.1.1 10.210.101.50
ip classless
ip route 10.210.102.0 255.255.255.0 Serial0/0

-------------------------------------------------------

R3

interface Ethernet0/0
 ip address 10.210.102.254 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 ip address 172.16.1.2 255.255.255.252
 no ip directed-broadcast
!
router eigrp 10
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.1.0
!

-------------------------------------------------------

With the above setup I can ping 10.210.101.50 from the PC at 10.210.102.1 without a problem and the PC at 192.168.1.1 can ping 10.210.102.1 as well. The issue now is that other than ping, I can't do anything else. I want to remote desktop for example and when I try remote desktop from 10.210.102.1 to the NAT address of 10.210.101.50 (which points to 192.168.1.1) nothing happens. Of course I can remote using 192.168.1.1, but the point is to do this using the NAT address.

So, what am I doing wrong? What do I need to add in order for ALL ports to work to the NAT address of 10.210.101.50 throughout the entire network?
0
Question by:acave
9 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 13655803
Add "ip nat inside" to the Serial0/0 interface on R2.

interface Serial0/0
 ip address 172.16.1.1 255.255.255.252
 ip nat inside

0
 
LVL 28

Accepted Solution

by:mikebernhardt earned 1000 total points
ID: 13655936
On R2: Try

interface Serial0/0
 ip address 172.16.1.1 255.255.255.252
 ip nat outside
!
interface Serial0/1
 ip address 172.16.2.1 255.255.255.252
 ip nat inside

Also in EIGRP on all routers, you need to add the command
no auto-summary

This is because EIGRP automatically summarizes classfully on network boundaries, and your serial links are classful network boundaries. Fix this and you can remove the static route. (Also in EIGRP, FYI you don't need to add network statements for every network, only the ones that are actually on local interfaces.)

Ping sometimes works because the router may be answering for the NAT address, not the actual host.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 13655945
Oh- and take out ip nat inside on the Ethernet interface on R2.
0
 

Author Comment

by:acave
ID: 13656479
Thanks for the replies so far.

I added "ip nat inside" on R2 serial 0/0 and removed "ip nat inside" on the E 0/0 interface of R2, but that hasn't fixed the problem yet.

I also added "no auto-summary" to each router and removed the static routes, and now EIGRP is showing all the routes in the routing table correctly, thanks for that. However, that still didn't fix the NAT issue.

I can ping the 192.168.1.1 address from the 10.210.102.1 PC, so even if the router is responding to my ping from 10.210.102.1 to the NAT IP of 10.210.101.50, at least I know the connectivity is actually there for communication to work.

There must be something else I have to do, but I'm stuck.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 13656868
I think you need "ip nat outside" on serial 0/0, not "ip nat inside". Was your reply a typo?
0
 

Author Comment

by:acave
ID: 13657286
Actually, I used "ip nat inside" on s 0/0 because JFrederick29 said to do so above, but maybe his answer was a typo.

I switched the interfaces so R2 s 0/0 is "ip nat outside" and R2 s 0/1 is "ip nat inside" and now I can ping AND remote desktop so it appears to be working, but with a new problem though. I shared resources (the c: drive) on the PC at 192.168.1.1 (nat address 10.210.101.50) but I can't see the shares from the PC at 10.210.102.1 when I run the command \\10.210.101.50. This seems very strange since I can ping and remote desktop to the 192.168.1.1 machine using the NAT address 10.210.101.50.

I really appreciate the responses and I will surely give Mike the points for the correct answer to my original question, but I'm now at a loss on this new dilemma. Anyone know what's causing this?
0
 

Author Comment

by:acave
ID: 13657303
Umm, hold the phones, I think I know why. The PC at 10.210.102.1 ain't on the same subnet, so duuhhh, it should not see the local shares I guess. That's right isn't it?
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 13657333
I'm only a middling Windows guy, so I'm not going to venture a guess on that one. You might want to post your question to one of the Windows boards here at EE. Maybe it's some issue with NAT and Windows file sharing? Maybe just some sharing permissions issue? Dunno.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 13657351
Crossed posts...

If they're in the same workgroup or domain and you access it by ip address I don't think it should be an issue. But like I said I'm not a Windows expert.
0
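The interface roles this thread converged on, checked in code. This is an added example, not part of any post above: it audits each `ip nat inside source static` rule against the `ip nat inside` / `ip nat outside` markings, flagging the posted R2 configuration and passing the corrected one. The function names, the trimmed configs (NAT-relevant lines only) and the `R2_ROUTES` egress table are assumptions made for the illustration.

```python
import ipaddress
import re

# NAT-relevant lines of R2 only: as posted in the question, then as fixed in the thread.
R2_POSTED = """\
interface Ethernet0/0
 ip nat inside
interface Serial0/0
interface Serial0/1
 ip nat outside
ip nat inside source static 192.168.1.1 10.210.101.50
"""
R2_FIXED = """\
interface Ethernet0/0
interface Serial0/0
 ip nat outside
interface Serial0/1
 ip nat inside
ip nat inside source static 192.168.1.1 10.210.101.50
"""
# Assumption: R2's egress interface per prefix in the lab topology.
R2_ROUTES = {"192.168.1.0/24": "Serial0/1", "10.210.102.0/24": "Serial0/0"}

def nat_roles(config):
    """Map each interface name to 'inside', 'outside' or None (unmarked)."""
    roles, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            roles[current] = None
        elif current and (m := re.match(r"\s+ip nat (inside|outside)\s*$", line)):
            roles[current] = m.group(1)
    return roles

def egress(ip, routes):
    """Longest-prefix match of ip against the assumed route table."""
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in routes.items()
            if ipaddress.ip_address(ip) in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def audit_static_nat(config, routes, client):
    """List interfaces whose NAT role contradicts a static inside-source rule."""
    roles, findings = nat_roles(config), []
    for local, _ in re.findall(r"^ip nat inside source static (\S+) (\S+)", config, re.M):
        # The path to the real host must be 'inside'; the path to clients 'outside'.
        for addr, want in ((local, "inside"), (client, "outside")):
            ifc = egress(addr, routes)
            if roles.get(ifc) != want:
                findings.append(f"{ifc} (path to {addr}) is {roles.get(ifc)}, expected {want}")
    return findings
```

Calling `audit_static_nat(R2_POSTED, R2_ROUTES, "10.210.102.1")` reports both serial interfaces, while the same call on `R2_FIXED` returns an empty list.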
