asked on NAT/PAT unable to config correctly
Hello everyone.
So I created a simple network with 3 router, each with DHCP, VLAN, trunks ect...
Here is the config for R0NWGS
Current configuration : 2097 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R0NWGS
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.4.1 192.168.4.10
!
ip dhcp pool HR
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.5
ip dhcp pool ACC
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.2.5
ip dhcp pool CEO
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
license udi pid CISCO2911/K9 sn FTX1524F7W6
!
ip domain-name nwgs.local
!
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 50.73.7.209 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1.4
encapsulation dot1Q 4
ip address 192.168.4.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2
ip address 70.73.7.209 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 50.0.0.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list extended NAT
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip any any
!
line con 0
password 7 082949420516
login
!
line aux 0
password 7 082949420516
login
!
line vty 0 3
login local
line vty 4
password 7 082949420516
login local
!
end
I have NAT/PAT enable and I can ping across to the other 2 network without any problem
When I do the same to R0MDG which has same setup as R0NWGS I can no longer ping to the 192.168.2.0 network, but can still ping to the 192.168.7.0 and 192.168.8.0 network.. Which NAT/PAT has not be config
Current configuration : 1803 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R)MDG
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp excluded-address 192.168.6.1 192.168.6.10
!
ip dhcp pool SHP
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
dns-server 192.168.2.5
ip dhcp pool MARKET
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
license udi pid CISCO2911/K9 sn FTX15246198
!
ip domain-name MDG.local
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 60.73.7.210 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 70.73.7.210 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.5
encapsulation dot1Q 5
ip address 192.168.5.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2.6
encapsulation dot1Q 6
ip address 192.168.6.1 255.255.255.0
ip nat inside
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 70.0.0.0
network 60.0.0.0
network 192.168.5.0
network 192.168.6.0
!
ip nat inside source list NAT1 interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
!
ip access-list extended NAT1
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.6.0 0.0.0.255 any
permit ip any any
!
no cdp run
!
line con 0
password 7 082949420516
login
!
line aux 0
password 7 082949420516
login
!
line vty 0 4
password 7 082949420516
login local
!
end
Then if I remove PAT I can ping the 2.0 network again.
What I'm I doing wrong, cant figure it out.
Respectfully
J.Pieniro
So I created a simple network with 3 router, each with DHCP, VLAN, trunks ect...
Here is the config for R0NWGS
Current configuration : 2097 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R0NWGS
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.4.1 192.168.4.10
!
ip dhcp pool HR
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.5
ip dhcp pool ACC
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.2.5
ip dhcp pool CEO
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
license udi pid CISCO2911/K9 sn FTX1524F7W6
!
ip domain-name nwgs.local
!
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 50.73.7.209 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1.4
encapsulation dot1Q 4
ip address 192.168.4.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2
ip address 70.73.7.209 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 50.0.0.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list extended NAT
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip any any
!
line con 0
password 7 082949420516
login
!
line aux 0
password 7 082949420516
login
!
line vty 0 3
login local
line vty 4
password 7 082949420516
login local
!
end
I have NAT/PAT enable and I can ping across to the other 2 network without any problem
When I do the same to R0MDG which has same setup as R0NWGS I can no longer ping to the 192.168.2.0 network, but can still ping to the 192.168.7.0 and 192.168.8.0 network.. Which NAT/PAT has not be config
Current configuration : 1803 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R)MDG
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp excluded-address 192.168.6.1 192.168.6.10
!
ip dhcp pool SHP
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
dns-server 192.168.2.5
ip dhcp pool MARKET
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
license udi pid CISCO2911/K9 sn FTX15246198
!
ip domain-name MDG.local
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 60.73.7.210 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 70.73.7.210 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.5
encapsulation dot1Q 5
ip address 192.168.5.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2.6
encapsulation dot1Q 6
ip address 192.168.6.1 255.255.255.0
ip nat inside
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 70.0.0.0
network 60.0.0.0
network 192.168.5.0
network 192.168.6.0
!
ip nat inside source list NAT1 interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
!
ip access-list extended NAT1
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.6.0 0.0.0.255 any
permit ip any any
!
no cdp run
!
line con 0
password 7 082949420516
login
!
line aux 0
password 7 082949420516
login
!
line vty 0 4
password 7 082949420516
login local
!
end
Then if I remove PAT I can ping the 2.0 network again.
What I'm I doing wrong, cant figure it out.
Respectfully
J.Pieniro
CiscoNetwork OperationsRouters
Last Comment
Predrag Jovic
ASKER
Sorry a bit confused,
I have EIGRP config on all the routers.
So you are saying that I still need a static NAT even if I have EIGRP?
So to fix this i need to create a one to one Static NAT from router to router?
I have EIGRP config on all the routers.
So you are saying that I still need a static NAT even if I have EIGRP?
So to fix this i need to create a one to one Static NAT from router to router?
You can use tunnels (typically this is used to go around your the problem).
ASKER
So if I'm just going out from network out to internet I would just do a normal nat/pat.
In this setup it's the router to router that is causing the problem, correct.
I'll try doing the one to one static Nat on each interface.
In this setup it's the router to router that is causing the problem, correct.
I'll try doing the one to one static Nat on each interface.
Problem is that NAT is allowing exit out of the network, but not easy entrance into network.
Tunnels are way much more better solution for what you are trying to achieve. For more that 2 routers DMVPN is recommended solution for Cisco devices.
Tunnels are way much more better solution for what you are trying to achieve. For more that 2 routers DMVPN is recommended solution for Cisco devices.
ASKER
Thank you for your help
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
So, you are not doing anything wrong, that's how technology works.