Messing around with Packet Tracer (DNS/NAT-PAT)

Hi, I'm messing around in Packet Tracer a bit; I've attached the .pkt file. Basically what I'm trying to do is to ping from PC0 to PC1 with NAT in place on the routers. This is after a lot of messing around in the routing tables of Router0 and Router4 and a DNS experiment in place between Server0 and Server4, so don't take everything you find in there too seriously ;). My initial goal was to somehow use DNS in order to ping outside addresses, but then I thought hey, let's throw in NAT too...

Any help, pointers will be greatly appreciated,

Tech

p.s. EE doesn't accept .pkt so I renamed it to .doc; tried zipping, but to no avail. picDNS.doc
it_techieAsked:
Soulja53 6F 75 6C 6A 61 Commented:
Are you trying to ping by IP or by host name between the PCs? Before DNS will work, all IP connectivity needs to be in place first.
0
it_techieAuthor Commented:
Either would be progress from where I am now
0
it_techieAuthor Commented:
Abandoned by the 'experts', yes
0
Soulja53 6F 75 6C 6A 61 Commented:
Not abandoned. You didn't provide any additional info. Providing a Packet Tracer file assumed people have the Packet Tracer application. Could you kindly attach the configs of the two routers and switches that you are having the communication issue with? Thanks.

Soulja
0
it_techieAuthor Commented:
The Packet Tracer application can be downloaded from:

http://www.packettracerdownload.com/
http://www.ccna4u.org/2010/05/packet-tracer-version-53-software.html
http://www.packettracernetwork.com/

For your convenience I'll post the configs of the first 2 routers, please don't ask me for every show command in the IOS, that's why I posted the packet tracer file in the first place.

The switches have default configs, all VLAN1, trunks not even hardcoded (dynamic)

And yes, as the title of this question is 'Messing with Packet Tracer', I was indeed assuming people responding would have prior experience using this app; I would expect the same if the title was 'Messing with Photoshop'.

Kind regards,

Techie
ROUTER 0

no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.5
!
ip dhcp pool bas
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.2
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 34.84.208.1 255.255.255.252
 ip nat outside
!
interface Serial0/0/1
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 0.1 interface Serial0/0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 34.84.208.2 
ip route 2.2.2.0 255.255.255.0 34.84.208.2 
ip route 192.168.1.0 255.255.255.0 34.84.208.2 
!
!
ip access-list standard 0.1
 permit 192.168.0.0 0.0.0.255
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end



ROUTER 4

Current configuration : 1073 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
ip dhcp excluded-address 192.168.1.2 192.168.1.5
!
ip dhcp pool 1.1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.2
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 2.2.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/3/0
 ip address 34.84.208.2 255.255.255.252
 ip nat outside
 clock rate 64000
!
interface Serial0/3/1
 ip address 34.84.208.5 255.255.255.252
 ip nat outside
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 1.1 interface Serial0/3/0 overload
ip classless
ip route 34.84.208.8 255.255.255.252 34.84.208.6 
ip route 0.0.0.0 0.0.0.0 Serial0/3/0 
ip route 192.168.0.0 255.255.255.0 34.84.208.1 
!
!
ip access-list standard 1.1
 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end


0
Soulja53 6F 75 6C 6A 61 Commented:
Okay, thanks for the links. I will download and check it out. My first notion from looking at the configs is removing from router 0:

no ip route 2.2.2.0 255.255.255.0 34.84.208.2
no ip route 192.168.1.0 255.255.255.0 34.84.208.2

from Router 4 remove:

no ip route 192.168.0.0 255.255.255.0 34.84.208.1

0
Soulja53 6F 75 6C 6A 61 Commented:
I tried opening the dns.pkt file in versions 5.3 and 5.2 and it states it is incompatible with this version. What version of Packet Tracer are you using?
0
it_techieAuthor Commented:
ah darn yeah that can be a hassle, I'm using 5.3.1.0044. Looks like they just released a new one.
0
Soulja53 6F 75 6C 6A 61 Commented:
Ah, okay.
0
it_techieAuthor Commented:
It's bed time here, maybe I'll set it up in 5.3.2 tomorrow

Gnight
0
it_techieAuthor Commented:
Just downloaded 5.3.2.0027, file I attached works here.....

 screenshot.pdf
0
it_techieAuthor Commented:
now really gnight
0
Soulja53 6F 75 6C 6A 61 Commented:
After much testing to confirm my presumptions (I wanted to make sure first): I don't think you will be able to accomplish computer-to-computer communication with your topology if NAT overload is enabled. You could incorporate some type of 1-to-1 NATing, but since we are dealing with one WAN address on the routers, you are left with overloading. Your other option is to set up an IPsec tunnel between the two routers and allow the 192 subnets through it.

As with most things. I could be wrong and another Expert can chime in.
0
it_techieAuthor Commented:
The obvious question is, why isn't NAT overload possible? Not sure what added value an IPSEC tunnel would have since those packets will have the same source/destination+port as non encrypted packets.

In my youthful innocence ahum, this appears to be a common scenario where you have 2 private networks both behind a NAT router communicating to each other over a WAN link. Should be possible....one would think.  

I definitely can and will be wrong again ;)

0
it_techieAuthor Commented:
Ok, let's simplify this a bit... let's try anyway. What I'm trying to do is to have NAT on both routers, but to make this work DNS has to play a role. Have a look at the attached example .pkt file (renamed to .doc again). NAT/PAT on one side works. Now how do I introduce DNS on both sides, or somewhere in the middle, to make NAT work on both sides?

Google took me here:

https://learningnetwork.cisco.com/thread/26925


p.s. latest packettracer version

SimpleNAToverload.doc
0
Soulja53 6F 75 6C 6A 61 Commented:
To your statement regarding the IPSEC tunnel. The source destination info would not be the same. If you want the two private networks to talk to each other since they are behind NAT, an ipsec tunnel would allow you to specify 192.168.0.0/24 traffic to traverse the tunnel to the 192.168.1.0/24 network. You could then allow all other destinations to go out NAT, such as internet traffic.

One of the CCIE's in the link stated what I stated above:

"Thanks Paul-

I didn't even see that NAT was being attempted on the outside router as well.

With NAT on both sides The PCs won't be able to ping the remote PCs, because both are hiding behind PAT.

Thanks again Paul.

Keith"


From the looks of it, the solution in the link was to disable NAT on one of the routers, which would make sense to me.
0
it_techieAuthor Commented:
First of all, I read the link I posted, the comment you posted is why I posted the link in the first place.

Ok, moving on. I think we can both agree that having NAT on both sides of a given private network is not impossible to overcome. Chances are good that you and I are both using NAT; let's say you wanted to telnet into my computer, we'd be faced with the same problem. I think that's where DNS comes into play, but let's see where you were going with your IPsec tunneling scenario first.

I've made an IPSEC tunnel from R1 to R2 (attachment), show me what you had in mind cause the way I have it set up now I can still not enable NAT on both sides (addressing doesn't change either)

End goal here is to have NAT enabled on both private networks and to have them talking...just like in the real world ;)


SimpleNAToverload-IPSEC-TUNNEL.doc
0
Soulja53 6F 75 6C 6A 61 Commented:
Okay, I made corrections to your Packet Tracer file. Your tunnels weren't up at all; no ISAKMP SA sessions were live. I now have end-to-end pingability (if that's a word) between the two computers by host name. You did not have NAT enabled on both sides: your R2 didn't have a NAT OVERLOAD command. Additionally, you didn't create an ACL to tell the routers not to NAT traffic between the two private networks. Thus the traffic was still not being encrypted and sent across the tunnel.

I have attached my Packet Tracer file. Please compare yours with mine.
SimpleNAToverload-IPSEC-TUNNEL.doc
0
it_techieAuthor Commented:
First off, I know NAT wasn't turned on on R2; every time I add the statement (the ACL was already there) I lose connectivity, and I thought it would be a bad starting point for someone else to work with. I'm no tunnel expert; I did a show crypto map and thought I was tunneling away, missed that group statement apparently.

So now we have encryption turned on and NAT turned off, you say here:

'Soulja:
To your statement regarding the IPSEC tunnel. The source destination info would not be the same'

I don't see the source and destination changing just because encryption is turned on, if we were to create a tunnel interface however...

This is the point where we started (plus encryption). You don't need the DNS server, you can ping by IP too. The router isn't doing any translation because of your added deny statement in the ACL, effectively turning off NAT(ing), thus reverting back to where we started off: a static route and 2 routers pinging, plus NAT in the config as decoration.

End goal here is to have NAT ENABLED on both private networks and to have them talking...just like in the real world ;)

0
it_techieAuthor Commented:
"Okay, I made corrections to your packet tracer. Your tunnels weren't up at all. No Isakmp SA session were live"

Had a closer look at my posted config: the tunnels were in place, they just will not work with NAT up. As soon as I took out the ' ip nat inside source list 10 interface Serial0/3/0 overload ' line, ' show crypto isakmp sa ' shows an active session. Basically what you did by disabling the NAT via the deny line in the ACL....

But getting it to run with NAT (on both sides) was the whole point, getting connectivity without NAT is not a problem, static route does that.
0
it_techieAuthor Commented:
Check this attachment out. With a GRE tunnel the NAT statement can stay in place on both routers but it seems it's completely ignored/bypassed.
SimpleNAT---GRE-TUNNEL.doc
0
it_techieAuthor Commented:
How do I request attention again? The last expert has stopped responding?

p.s. is there only one Cisco Expert?
0
Soulja53 6F 75 6C 6A 61 Commented:
I didn't disable NAT. I chose what traffic would be NATed and what traffic wouldn't. When you say "real" world: please give me a scenario where two locations are NATed over the internet and talk to each other without a VPN tunnel? The only way is if they stand up a DMZ or port forward into their private network.
0
Soulja53 6F 75 6C 6A 61 Commented:
I looked at your config. The reason that NAT is ignored is because you have a static route to go through the tunnel. NAT order of operation does routing before natting.
0
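The two points argued over in this thread (Soulja's claim that two networks both hidden behind PAT cannot open a connection to each other unless one side port-forwards, and his later explanation that a deny line in the NAT ACL, or a static route into a tunnel interface, keeps LAN-to-LAN traffic from being translated because routing happens before NAT on the inside-to-outside path) can be checked with a small model. The following is an added example, not code from the thread and not Cisco IOS; it mimics a router shaped like Router 4 above. The host addresses 192.168.1.10 and 192.168.0.10, the Tunnel0 interface, the port numbers and the Python class names are constructed for the demonstration. One caveat it encodes: a destination-based deny needs an extended ACL, since the standard ACLs posted above match on source only.

```python
"""Model of Cisco-style NAT overload (PAT) decisions for a router like Router 4.
Added example, not from the thread. Inside->outside: route first, then translate
only if the egress is the 'ip nat outside' interface and the NAT ACL permits.
Outside->inside: look up a translation entry first; no entry means drop."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class PatRouter:
    outside_if: str     # interface configured with 'ip nat outside'
    outside_addr: str   # its address, shared by every inside host (overload)
    routes: list        # (prefix, egress interface); longest prefix wins
    nat_acl: list       # (action, src prefix, dst prefix or None); first match wins
    statics: dict = field(default_factory=dict)  # global port -> (inside addr, inside port)
    dynamic: dict = field(default_factory=dict)  # (in addr, in port, remote addr, remote port) -> global port
    next_port: int = 1024

    def egress(self, dst):
        hits = [(n.prefixlen, ifc) for n, ifc in self.routes if ip_address(dst) in n]
        return max(hits)[1] if hits else None

    def acl_permits(self, pkt):
        for action, src, dst in self.nat_acl:
            if ip_address(pkt.src) in src and (dst is None or ip_address(pkt.dst) in dst):
                return action == "permit"
        return False  # implicit deny at the end of every IOS ACL

    def inside_to_outside(self, pkt):
        ifc = self.egress(pkt.dst)  # the routing decision comes first
        if ifc is None:
            return None, "no route"
        if ifc != self.outside_if or not self.acl_permits(pkt):
            return pkt, f"routed out {ifc} untranslated"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.dynamic:  # allocate a global port for a new flow
            self.dynamic[key] = self.next_port
            self.next_port += 1
        gport = self.dynamic[key]
        return Packet(self.outside_addr, gport, pkt.dst, pkt.dport), f"PAT to {self.outside_addr}:{gport}"

    def outside_to_inside(self, pkt):
        if pkt.dst != self.outside_addr:
            return None, "not addressed to the NAT address"
        # extended entry: the reply must come from the remote the inside host talked to
        for (in_addr, in_port, r_addr, r_port), gport in self.dynamic.items():
            if gport == pkt.dport and (r_addr, r_port) == (pkt.src, pkt.sport):
                return Packet(pkt.src, pkt.sport, in_addr, in_port), "dynamic entry"
        if pkt.dport in self.statics:  # 'ip nat inside source static ...' (port forward)
            in_addr, in_port = self.statics[pkt.dport]
            return Packet(pkt.src, pkt.sport, in_addr, in_port), "static entry"
        return None, "dropped: no translation"


def router4():
    """Router 4 as posted: default route out the overloaded serial, ACL 1.1 permits the LAN."""
    return PatRouter(
        outside_if="Serial0/3/0",
        outside_addr="34.84.208.2",
        routes=[(ip_network("0.0.0.0/0"), "Serial0/3/0"),
                (ip_network("192.168.1.0/24"), "FastEthernet0/0")],
        nat_acl=[("permit", ip_network("192.168.1.0/24"), None)],
    )


def reply_to_inside_initiated_flow():
    """Normal PAT: the inside host starts the flow, so the reply finds an entry."""
    r4 = router4()
    out, _ = r4.inside_to_outside(Packet("192.168.1.10", 51000, "8.8.8.8", 53))
    back, why = r4.outside_to_inside(Packet("8.8.8.8", 53, out.src, out.sport))
    return back.dst, back.dport, why


def unsolicited_inbound_is_dropped():
    """PC0 is PAT'd too, so all it can aim at is R4's WAN address; R4 has no entry for it."""
    r4 = router4()
    return r4.outside_to_inside(Packet("34.84.208.1", 40000, "34.84.208.2", 80))[1]


def port_forward_lets_it_in():
    """The 'port forward into their private network' fix: a static PAT entry, in IOS
    'ip nat inside source static tcp 192.168.1.10 80 interface Serial0/3/0 80'."""
    r4 = router4()
    r4.statics[80] = ("192.168.1.10", 80)
    back, why = r4.outside_to_inside(Packet("34.84.208.1", 40000, "34.84.208.2", 80))
    return back.dst, why


def nat_exemption_and_tunnel():
    """Two ways LAN-to-LAN traffic escapes translation: a deny line ahead of the permit
    (needs an extended ACL), or a route into a Tunnel interface that is not 'ip nat outside'."""
    exempt = router4()
    exempt.nat_acl = [("deny", ip_network("192.168.1.0/24"), ip_network("192.168.0.0/24")),
                      ("permit", ip_network("192.168.1.0/24"), None)]
    gre = router4()
    gre.routes.append((ip_network("192.168.0.0/24"), "Tunnel0"))
    lan_to_lan = Packet("192.168.1.10", 5000, "192.168.0.10", 5000)
    return exempt.inside_to_outside(lan_to_lan)[1], gre.inside_to_outside(lan_to_lan)[1]
```

Run the four scenario functions in turn: the inside-initiated flow gets its reply back, the unsolicited packet from R0's PAT address is dropped, the static entry admits it, and in both the exempted and the tunnelled case the LAN-to-LAN packet leaves untranslated, which is why the crypto map or the GRE tunnel then sees the original private addresses.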

it_techieAuthor Commented:
I said 'effectively disabled NAT', and since there are only 2 routers, if you choose to not use NAT for this connection (the only one) then you've disabled NAT. Since half the world is NAT/PAT'ed, don't you think there's a scenario where 2 computers want to talk to each other?

There must be a way, I've been looking at scenarios with overlapping address spaces where you can ping a host (using hostname) on the same address space when in reality it re-directs it to another location using DNS, the router catches the DNS reply or something. Hey I've got plenty of questions myself, I was looking for answers.

'Soulja: I looked at your config. The reason that NAT is ignored is because you have a static route to go through the tunnel. NAT order of operation does routing before natting.'

Ok show me how it works without a static route.
0
it_techieAuthor Commented:
I give up. I'll leave you with a nice link from this Polish dude. Thanks for the replies.

http://samy.pl/pwnat/

0