Cisco – PAT and Static NAT not working together


The HQ network is using PAT to gain access to the internet; the internal web server needs to be accessed from the internet using static NAT.

Configs:

S_HQ

!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport access vlan 30
!
interface GigabitEthernet0/1
 switchport mode trunk
!

R_HQ

!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 145.89.181.192 255.255.255.0
 ip nat outside
 clock rate 2000000
!
ip nat pool PAT 145.89.181.192 145.89.181.192 netmask 255.255.255.0
ip nat inside source list PAT pool PAT overload
ip nat inside source static tcp 192.168.30.10 80 145.89.181.192 80
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 
!
ip access-list standard PAT
 permit 192.168.0.0 0.0.255.255
!

R_ISP

!
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 145.89.181.193 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 
!

All PCs are configured correctly, yet pinging from any VLAN inside the HQ network to the customer leads to a timeout; no translations are being made according to the show ip nat translations command.

However, static NAT seems to be working fine when visiting 145.89.181.192 in the browser on the customer PC.

By removing and reapplying static NAT the problem seems to be gone, but after reopening Packet Tracer the problem is back again. It makes no sense to me…

Am I overlooking something or could this be a bug in Packet Tracer?

Much appreciated!

Best Answer

I would like to share my thoughts and suggestions about this situation. First, I agree with everyone's suggestion about configuring the pool.

ip nat inside source list PAT interface s0/0/0 overload

PT does not like some kinds of overloading.

Second, it's not clear which IP address on the ISP end you were pinging, because on R_ISP I don't see IP address assignments (private to public).
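
The answer's suggested change applied to the R_HQ configuration from the question, as an added example that is not part of the original posts. It assumes the commands are entered in global configuration mode on R_HQ and that the ACL named PAT and the static port forward stay as posted.

```cisco
! R_HQ, global configuration mode (configure terminal)
!
! Remove the pool-based overload rule first, then the pool it references.
no ip nat inside source list PAT pool PAT overload
no ip nat pool PAT
!
! Overload on the outside interface address instead of a one-address pool.
ip nat inside source list PAT interface Serial0/0/0 overload
!
! Static port forward for the internal web server, unchanged from the question.
ip nat inside source static tcp 192.168.30.10 80 145.89.181.192 80
end
!
! Privileged EXEC: clear dynamic entries, generate traffic from a VLAN host,
! then check that dynamic translations appear next to the static one.
clear ip nat translation *
show ip nat translations
show ip nat statistics
```

Saving the running configuration to the startup configuration before closing Packet Tracer lets you check whether the behaviour survives a reopen.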
