it_techie asked:
Messing around with packettracer (DNS/NAT-PAT)

Hi, I'm messing around in Packet Tracer a bit; I've attached the .pkt file. Basically what I'm trying to do is to ping from PC0 to PC1 with NAT in place on the routers. This is after a lot of messing around in the routing tables of Router0 and Router4 and a DNS experiment in place between Server0 and Server4, so don't take everything you find in there too seriously ;). My initial goal was to somehow use DNS in order to ping outside addresses, but then I thought hey, let's throw in NAT too...

Any help, pointers will be greatly appreciated,

Tech

p.s. EE doesn't accept .pkt so I renamed it to .doc, tried zipping but to no avail.

DNS.doc

Soulja:

Are you trying to ping by IP or host name between the PCs? Before DNS will work, all IP connectivity needs to be in place first.

it_techie (asker):

Either would be progress from where I am now
Abandoned by the 'experts', yes
Not abandoned. You didn't provide any additional info. Providing a Packet Tracer file assumes people have the Packet Tracer application. Could you kindly attach the configs of the two routers and switches that you are having the communication issue with. Thanks.

Soulja
The packettracer application can be downloaded from:

http://www.packettracerdownload.com/
http://www.ccna4u.org/2010/05/packet-tracer-version-53-software.html
http://www.packettracernetwork.com/

For your convenience I'll post the configs of the first 2 routers, please don't ask me for every show command in the IOS, that's why I posted the packet tracer file in the first place.

The switches have default configs, all VLAN1, trunks not even hardcoded (dynamic)

And yes, as the title of this question is 'Messing with Packettracer', I was indeed assuming people responding would have prior experience using this app; I would expect the same if the title was 'Messing with Photoshop'.

Kind regards,

Techie
ROUTER 0

no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.5
!
ip dhcp pool bas
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.2
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 34.84.208.1 255.255.255.252
 ip nat outside
!
interface Serial0/0/1
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 0.1 interface Serial0/0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 34.84.208.2 
ip route 2.2.2.0 255.255.255.0 34.84.208.2 
ip route 192.168.1.0 255.255.255.0 34.84.208.2 
!
!
ip access-list standard 0.1
 permit 192.168.0.0 0.0.0.255
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end



ROUTER 4

Current configuration : 1073 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
ip dhcp excluded-address 192.168.1.2 192.168.1.5
!
ip dhcp pool 1.1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.2
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 2.2.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/3/0
 ip address 34.84.208.2 255.255.255.252
 ip nat outside
 clock rate 64000
!
interface Serial0/3/1
 ip address 34.84.208.5 255.255.255.252
 ip nat outside
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 1.1 interface Serial0/3/0 overload
ip classless
ip route 34.84.208.8 255.255.255.252 34.84.208.6 
ip route 0.0.0.0 0.0.0.0 Serial0/3/0 
ip route 192.168.0.0 255.255.255.0 34.84.208.1 
!
!
ip access-list standard 1.1
 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end


Okay, thanks for the links. I will download and check it out. My first notion from looking at the configs is removing from router 0:

no ip route 2.2.2.0 255.255.255.0 34.84.208.2
no ip route 192.168.1.0 255.255.255.0 34.84.208.2

from Router 4 remove:

no ip route 192.168.0.0 255.255.255.0 34.84.208.1

I tried opening the dns.pkt file in vers 5.3 and 5.2 and it states incompatible with this version. What version of Packet Tracer are you using?
ah darn yeah that can be a hassle, I'm using 5.3.1.0044. Looks like they just released a new one.
Ah, okay.
It's bed time here, maybe I'll set it up in 5.3.2 tomorrow

Gnight
Just downloaded 5.3.2.0027, file I attached works here.....

 screenshot.pdf
now really gnight
After much testing to confirm my presumptions (I wanted to make sure first), I don't think you will be able to accomplish computer to computer communication with your topology if NAT Overload is enabled. You could incorporate some type of 1 to 1 NATing, but since we are dealing with 1 WAN address on the routers, you are left with overloading. Your other option is to set up an IPSEC tunnel between the two routers and allow the 192 subnets through it.

As with most things. I could be wrong and another Expert can chime in.
The obvious question is, why isn't NAT overload possible? Not sure what added value an IPSEC tunnel would have since those packets will have the same source/destination+port as non encrypted packets.

In my youthful innocence ahum, this appears to be a common scenario where you have 2 private networks both behind a NAT router communicating to each other over a WAN link. Should be possible....one would think.  

I definitely can and will be wrong again ;)

Ok, let's simplify this a bit..let's try anyway. What I'm trying to do is to have NAT on both routers, but to make this work DNS has to play a role. Have a look at the attached example .pkt file (renamed to .doc again). NAT/PAT on one side works. Now how do I introduce DNS on both sides or somewhere in the middle to make NAT work on both sides?

Google took me here:

https://learningnetwork.cisco.com/thread/26925


p.s. latest packettracer version

SimpleNAToverload.doc
To your statement regarding the IPSEC tunnel. The source destination info would not be the same. If you want the two private networks to talk to each other since they are behind NAT, an ipsec tunnel would allow you to specify 192.168.0.0/24 traffic to traverse the tunnel to the 192.168.1.0/24 network. You could then allow all other destinations to go out NAT, such as internet traffic.

One of the CCIE's in the link stated what I stated above:

"Thanks Paul-

 
I didn't even see that NAT was being attempted on the outside router as well.

 
With NAT on both sides The PCs won't be able to ping the remote PCs, because both are hiding behind PAT.

 
Thanks again Paul.

 
Keith"


From the looks of it. The solution in the link was to disable nat on one of the routers, which would make sense to me.
First of all, I read the link I posted, the comment you posted is why I posted the link in the first place.

Ok, moving on, I think we can both agree that having NAT on both sides of a given private network is not impossible to overcome. Chances are good that you and me are both using NAT; let's say you wanted to telnet into my computer, we'd be faced with the same problem. I think that's where DNS comes into play, but let's see where you were going with your IPSEC tunneling scenario first.

I've made an IPSEC tunnel from R1 to R2 (attachment); show me what you had in mind, cause the way I have it set up now I still cannot enable NAT on both sides (addressing doesn't change either).

End goal here is to have NAT enabled on both private networks and to have them talking...just like in the real world ;)


SimpleNAToverload-IPSEC-TUNNEL.doc
Okay, I made corrections to your Packet Tracer file. Your tunnels weren't up at all; no ISAKMP SA sessions were live. I now have end to end pingability (if that's a word) between the two computers by host name. You did not have NAT enabled on both sides; your R2 didn't have a NAT OVERLOAD command. Additionally, you didn't create an ACL to tell the routers not to NAT traffic between the two private networks, thus the traffic was still not being encrypted and sent across the tunnel.

I have attached my Packet Tracer file. Please compare yours with mine.
SimpleNAToverload-IPSEC-TUNNEL.doc
First off, I know NAT wasn't turned on on R2; every time I add the statement (the ACL was already there) I lose connectivity, and I thought it'd be a bad starting point for someone else to work with. I'm no tunnel expert; I did a show crypto map and thought I was tunneling away, missed that group statement apparently.

So now we have encryption turned on and NAT turned off, you say here:

'Soulja:
To your statement regarding the IPSEC tunnel. The source destination info would not be the same'

I don't see the source and destination changing just because encryption is turned on, if we were to create a tunnel interface however...

This is the point where we started (plus encryption): you don't need the DNS server, you can ping by IP too. The router isn't doing any translation because of your added deny statement in the ACL, effectively turning off NAT(ing), thus reverting back to where we started off: a static route and 2 routers pinging, plus NAT in the config as decoration.

End goal here is to have NAT ENABLED on both private networks and to have them talking...just like in the real world ;)

"Okay, I made corrections to your packet tracer. Your tunnels weren't up at all. No Isakmp SA session were live"

Had a closer look at my posted config: tunnels were in place, they just will not work with NAT up. As soon as I took out the ' ip nat inside source list 10 interface Serial0/3/0 overload ' line, ' show crypto isakmp sa ' shows an active session. Basically what you did by disabling the NAT via the deny line in the ACL....

But getting it to run with NAT (on both sides) was the whole point, getting connectivity without NAT is not a problem, static route does that.
Check this attachment out. With a GRE tunnel the NAT statement can stay in place on both routers but it seems it's completely ignored/bypassed.
SimpleNAT---GRE-TUNNEL.doc
How do I request attention again? The last expert has stopped responding?

p.s. is there only one Cisco Expert?
I didn't disable NAT. I chose what traffic would be NATed and what traffic wouldn't. When you say "real" world, please give me a scenario where two locations are NATed over the internet and talk to each other without a VPN tunnel? The only way is if they stand up a DMZ or port forward into their private network.
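Added example (not from the thread or the attached .pkt files): a small Python model of the two PAT routers using the LAN and WAN addresses from the configs posted above, with hosts 192.168.0.10 and 192.168.1.10 assumed. It shows why a ping between the PCs dies when both routers overload their single WAN address (the far router re-PATs the reply, so it no longer matches the entry the near router created), and why a 'deny' line in the NAT ACL for the remote private subnet, as Soulja added, makes the same exchange work.

```python
# Constructed model of two IOS-style PAT routers using the LAN/WAN addresses from
# the configs posted above. Overload entries are extended: a packet arriving at the
# WAN address is mapped back only if it comes from the peer the flow was opened to.
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

Packet = namedtuple("Packet", "src dst sport dport")

@dataclass
class PatRouter:
    inside_net: str                   # the 'ip nat inside' LAN
    wan_ip: str                       # the single 'ip nat outside' address (overload)
    exempt_dst: Optional[str] = None  # subnet hit by a 'deny' line in the NAT ACL
    table: dict = field(default_factory=dict)
    next_port: int = 1024

    def _nat_applies(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.inside_net):
            return False
        # An ACL deny means the packet is routed untranslated (e.g. into the VPN).
        return not (self.exempt_dst and ip_address(p.dst) in ip_network(self.exempt_dst))

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: rewrite the source to wan_ip:port and record the flow."""
        if not self._nat_applies(p):
            return p
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(self.wan_ip, port)] = (p.src, p.sport, p.dst, p.dport)
        return Packet(self.wan_ip, p.dst, port, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside: deliver only on matching state, or if it is untranslated LAN traffic."""
        if p.dst == self.wan_ip:
            entry = self.table.get((p.dst, p.dport))
            if entry is None or (p.src, p.sport) != entry[2:]:
                return None           # unsolicited or from the wrong peer: dropped
            return Packet(p.src, entry[0], p.sport, entry[1])
        return p if ip_address(p.dst) in ip_network(self.inside_net) else None

def round_trip(exempt: bool) -> bool:
    """PC0 (192.168.0.10) pings PC1 (192.168.1.10); True if PC0 sees PC1's reply."""
    r0 = PatRouter("192.168.0.0/24", "34.84.208.1", "192.168.1.0/24" if exempt else None)
    r4 = PatRouter("192.168.1.0/24", "34.84.208.2", "192.168.0.0/24" if exempt else None)
    at_pc1 = r4.inbound(r0.outbound(Packet("192.168.0.10", "192.168.1.10", 40000, 7)))
    if at_pc1 is None:
        return False
    reply = Packet(at_pc1.dst, at_pc1.src, at_pc1.dport, at_pc1.sport)  # PC1 answers what it saw
    at_pc0 = r0.inbound(r4.outbound(reply))  # R4 re-PATs the reply unless the deny line exempts it
    return at_pc0 is not None and (at_pc0.src, at_pc0.dst) == ("192.168.1.10", "192.168.0.10")
```

`round_trip(False)` reproduces the thread's failure and `round_trip(True)` the working case; an unsolicited packet sent straight to a router's WAN address is dropped either way because no translation entry exists for it.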
ASKER CERTIFIED SOLUTION
Soulja
This solution is only available to members.
I said 'effectively disabled NAT', and since there's only 2 routers, if you choose to not use NAT for this connection (the only one) then you've disabled NAT. Since half the world is NAT/PAT'ed, don't you think there's a scenario where 2 computers want to talk to each other?

There must be a way. I've been looking at scenarios with overlapping address spaces where you can ping a host (using hostname) on the same address space when in reality it re-directs it to another location using DNS; the router catches the DNS reply or something. Hey, I've got plenty of questions myself, I was looking for answers.

Looked at your config. The reason that NAT is ignored is because you have a static route to go through the tunnel. NAT order of operation does routing before NATing.

Ok show me how it works without a static route.
I give up, I'll leave you with a nice link from this Polish dude. Thanks for the replies.

http://samy.pl/pwnat/