Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.
NAT/PAT unable to config correctly
Hello everyone.
So I created a simple network with 3 router, each with DHCP, VLAN, trunks ect...
Here is the config for R0NWGS
Current configuration : 2097 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R0NWGS
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.4.1 192.168.4.10
!
ip dhcp pool HR
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.5
ip dhcp pool ACC
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.2.5
ip dhcp pool CEO
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
license udi pid CISCO2911/K9 sn FTX1524F7W6
!
ip domain-name nwgs.local
!
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 50.73.7.209 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1.4
encapsulation dot1Q 4
ip address 192.168.4.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2
ip address 70.73.7.209 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 50.0.0.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list extended NAT
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip any any
!
line con 0
password 7 082949420516
login
!
line aux 0
password 7 082949420516
login
!
line vty 0 3
login local
line vty 4
password 7 082949420516
login local
!
end
I have NAT/PAT enable and I can ping across to the other 2 network without any problem
When I do the same to R0MDG which has same setup as R0NWGS I can no longer ping to the 192.168.2.0 network, but can still ping to the 192.168.7.0 and 192.168.8.0 network.. Which NAT/PAT has not be config
Current configuration : 1803 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R)MDG
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp excluded-address 192.168.6.1 192.168.6.10
!
ip dhcp pool SHP
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
dns-server 192.168.2.5
ip dhcp pool MARKET
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
license udi pid CISCO2911/K9 sn FTX15246198
!
ip domain-name MDG.local
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 60.73.7.210 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 70.73.7.210 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.5
encapsulation dot1Q 5
ip address 192.168.5.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2.6
encapsulation dot1Q 6
ip address 192.168.6.1 255.255.255.0
ip nat inside
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 70.0.0.0
network 60.0.0.0
network 192.168.5.0
network 192.168.6.0
!
ip nat inside source list NAT1 interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
!
ip access-list extended NAT1
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.6.0 0.0.0.255 any
permit ip any any
!
no cdp run
!
line con 0
password 7 082949420516
login
!
line aux 0
password 7 082949420516
login
!
line vty 0 4
password 7 082949420516
login local
!
end
Then if I remove PAT I can ping the 2.0 network again.
What I'm I doing wrong, cant figure it out.
Respectfully
J.Pieniro
So I created a simple network with 3 router, each with DHCP, VLAN, trunks ect...
Here is the config for R0NWGS
Current configuration : 2097 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R0NWGS
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.4.1 192.168.4.10
!
ip dhcp pool HR
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.5
ip dhcp pool ACC
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.2.5
ip dhcp pool CEO
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
license udi pid CISCO2911/K9 sn FTX1524F7W6
!
ip domain-name nwgs.local
!
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 50.73.7.209 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1.4
encapsulation dot1Q 4
ip address 192.168.4.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2
ip address 70.73.7.209 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 50.0.0.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list extended NAT
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip any any
!
line con 0
password 7 082949420516
login
!
line aux 0
password 7 082949420516
login
!
line vty 0 3
login local
line vty 4
password 7 082949420516
login local
!
end
I have NAT/PAT enable and I can ping across to the other 2 network without any problem
When I do the same to R0MDG which has same setup as R0NWGS I can no longer ping to the 192.168.2.0 network, but can still ping to the 192.168.7.0 and 192.168.8.0 network.. Which NAT/PAT has not be config
Current configuration : 1803 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R)MDG
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp excluded-address 192.168.6.1 192.168.6.10
!
ip dhcp pool SHP
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
dns-server 192.168.2.5
ip dhcp pool MARKET
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUg
!
license udi pid CISCO2911/K9 sn FTX15246198
!
ip domain-name MDG.local
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 60.73.7.210 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 70.73.7.210 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.5
encapsulation dot1Q 5
ip address 192.168.5.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2.6
encapsulation dot1Q 6
ip address 192.168.6.1 255.255.255.0
ip nat inside
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 70.0.0.0
network 60.0.0.0
network 192.168.5.0
network 192.168.6.0
!
ip nat inside source list NAT1 interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
!
ip access-list extended NAT1
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.6.0 0.0.0.255 any
permit ip any any
!
no cdp run
!
line con 0
password 7 082949420516
login
!
line aux 0
password 7 082949420516
login
!
line vty 0 4
password 7 082949420516
login local
!
end
Then if I remove PAT I can ping the 2.0 network again.
What I'm I doing wrong, cant figure it out.
Respectfully
J.Pieniro
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Sorry a bit confused,
I have EIGRP config on all the routers.
So you are saying that I still need a static NAT even if I have EIGRP?
So to fix this i need to create a one to one Static NAT from router to router?
I have EIGRP config on all the routers.
So you are saying that I still need a static NAT even if I have EIGRP?
So to fix this i need to create a one to one Static NAT from router to router?
So if I'm just going out from network out to internet I would just do a normal nat/pat.
In this setup it's the router to router that is causing the problem, correct.
I'll try doing the one to one static Nat on each interface.
In this setup it's the router to router that is causing the problem, correct.
I'll try doing the one to one static Nat on each interface.
Problem is that NAT is allowing exit out of the network, but not easy entrance into network.
Tunnels are way much more better solution for what you are trying to achieve. For more that 2 routers DMVPN is recommended solution for Cisco devices.
Tunnels are way much more better solution for what you are trying to achieve. For more that 2 routers DMVPN is recommended solution for Cisco devices.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
So, you are not doing anything wrong, that's how technology works.