
NAT/PAT unable to config correctly

252 Views
Last Modified: 2017-03-23
Hello everyone.

So I created a simple network with 3 routers, each with DHCP, VLANs, trunks etc.
Here is the config for R0NWGS
Current configuration : 2097 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R0NWGS
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUgwuB/
!
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.4.1 192.168.4.10
!
ip dhcp pool HR
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.2.5
ip dhcp pool ACC
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 192.168.2.5
ip dhcp pool CEO
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
 dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUgwuB/
!
license udi pid CISCO2911/K9 sn FTX1524F7W6
!
ip domain-name nwgs.local
!
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 50.73.7.209 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.4
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 ip address 70.73.7.209 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 100
 network 50.0.0.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip any any
!
line con 0
 password 7 082949420516
 login
!
line aux 0
 password 7 082949420516
 login
!
line vty 0 3
 login local
line vty 4
 password 7 082949420516
 login local
!
end

I have NAT/PAT enabled and I can ping across to the other 2 networks without any problem.

When I do the same on R0MDG, which has the same setup as R0NWGS, I can no longer ping to the 192.168.2.0 network, but can still ping to the 192.168.7.0 and 192.168.8.0 networks, on which NAT/PAT has not been configured.

Current configuration : 1803 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R)MDG
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUgwuB/
!
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp excluded-address 192.168.6.1 192.168.6.10
!
ip dhcp pool SHP
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 192.168.2.5
ip dhcp pool MARKET
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.1
 dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUgwuB/
!
license udi pid CISCO2911/K9 sn FTX15246198
!
ip domain-name MDG.local
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 60.73.7.210 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 70.73.7.210 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/2.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2.6
 encapsulation dot1Q 6
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 100
 network 70.0.0.0
 network 60.0.0.0
 network 192.168.5.0
 network 192.168.6.0
!
ip nat inside source list NAT1 interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
!
ip access-list extended NAT1
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip any any
!
no cdp run
!
line con 0
 password 7 082949420516
 login
!
line aux 0
 password 7 082949420516
 login
!
line vty 0 4
 password 7 082949420516
 login local
!
end

Then if I remove PAT I can ping the 2.0 network again.

What am I doing wrong? Can't figure it out.

Respectfully
J.Pieniro
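The NAT ACLs posted above end in "permit ip any any", so every inside-to-outside packet is selected for translation, including traffic addressed to another site's 192.168.x.0 network. The following Python model is an added example, not code from the post or from Cisco; it evaluates an extended ACL the way "ip nat inside source list" does (top-down, first match wins, permit = translate, implicit deny at the end) against the NAT1 list exactly as posted for R0MDG, and against a constructed variant in which deny lines for the 192.168.0.0/16 destinations are placed first and the catch-all permit is removed. The 192.168.0.0 0.0.255.255 exemption and the 203.0.113.10 test destination are my assumptions, not values from the thread.

```python
import ipaddress

# Added example (not from the original post): a small model of how a Cisco router
# consults the ACL named by "ip nat inside source list <name> ... overload".
# Entries are evaluated top-down; the first match wins; "permit" means the packet
# is translated, "deny" (or the implicit deny at the end) means it leaves untouched.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text: str):
    """Parse '<permit|deny> ip <src> <dst>' lines as they appear under 'ip access-list extended'."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "ip"):  # skip separators / the list header
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {raw!r}")
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        entries.append((action, src, dst))
    return entries

def is_translated(acl, src: str, dst: str) -> bool:
    """True if an inside->outside packet would be selected for NAT by this ACL."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False  # implicit deny: packet leaves with its original source

def outbound_source(acl, src: str, dst: str, outside_addr: str) -> str:
    """Source address the next hop sees for an inside->outside packet."""
    return outside_addr if is_translated(acl, src, dst) else src

# ACL NAT1 exactly as posted for R0MDG.
NAT1_AS_POSTED = parse_acl("""
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip any any
""")

# Constructed variant (assumption, not from the post): deny lines placed first exempt
# traffic bound for the other sites' 192.168.x.0 prefixes, and the catch-all permit is
# dropped so only the two inside subnets are ever translated.
NAT1_WITH_EXEMPTION = parse_acl("""
 deny   ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.6.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
""")

if __name__ == "__main__":
    gi00 = "60.73.7.210"  # R0MDG GigabitEthernet0/0, the overload address from the post
    for name, acl in (("as posted", NAT1_AS_POSTED), ("with exemption", NAT1_WITH_EXEMPTION)):
        for dst in ("203.0.113.10", "192.168.2.5"):  # constructed destinations
            seen = outbound_source(acl, "192.168.5.20", dst, gi00)
            print(f"{name:15} 192.168.5.20 -> {dst:13} arrives with source {seen}")
```

With the list as posted, a ping from 192.168.5.20 to 192.168.2.5 leaves R0MDG sourced from 60.73.7.210, so the far side answers the router's outside address rather than the host; with the exemption in front, the same packet leaves untranslated while Internet-bound traffic is still overloaded. The trailing "permit ip any any" also makes the two specific permits redundant and translates packets from any source that happens to be routed inside-to-outside, which is why the variant drops it. Exempting site-to-site prefixes from the NAT list is the same pattern used when the inter-site traffic is carried in a tunnel, so it complements rather than replaces the tunnel approach suggested below.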

CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
As soon as you configure NAT you can't ping since you need to configure port forward or static NAT to be able to reach devices between NAT.
So, you are not doing anything wrong, that's how technology works.

Author

Commented:
Sorry, a bit confused.

I have EIGRP config on all the routers.
So you are saying that I still need a static NAT even if I have EIGRP?

So to fix this I need to create a one-to-one static NAT from router to router?
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
You can use tunnels (typically this is used to get around the problem).

Author

Commented:
So if I'm just going out from the network to the internet I would just do a normal NAT/PAT.

In this setup it's the router-to-router traffic that is causing the problem, correct?

I'll try doing the one-to-one static NAT on each interface.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
The problem is that NAT allows exit out of the network, but not easy entrance into the network.
Tunnels are a much better solution for what you are trying to achieve. For more than 2 routers, DMVPN is the recommended solution for Cisco devices.

Author

Commented:
Thank you for your help