Cisco – Static NAT – Cisco Packet Tracer

ciscopacket-tracer

I have configured what I think is Static Nat on my "NAT Router". I have attached an image of my network topology.

However when I test the connection between the server on the inside network and the agent PC on the outside network it seems something regarding the NAT seems to be wrong as it won't access with the nat address?

I do need to set a NAT router statement to accept and rout any IP from the internet with any subnet mask to (FA0/1) which im struggling with, because this isn't set up could this be why? Does anyone know how I would implement this?

This is the coding which I have added for nat

Ronald(config)#ip nat inside source static 172.31.0.100 74.125.20.100 Ronald(config)#inter Ronald(config)#interface fas Ronald(config)#interface fastEthernet 0/1 Ronald(config-if)#ip nat inside Ronald(config-if)#exit Ronald(config)#inter Ronald(config)#interface fa Ronald(config)#interface fastEthernet 0/0 Ronald(config-if)#ip nat outside Ronald(config-if)#exit

Ronald#show ip nat translation Pro Inside global Inside local Outside local Outside global --- 74.125.20.100 172.31.0.100 --- ---

Router Configurations

Router#config t Router(config)hostname Ronald Ronald(config)#interface FastEthernet0/0 Ronald(config-if)#ip address 74.125.15.2 255.255.255.0 Ronald(config-if)#ip address 74.125.15.2 255.255.255.0 Ronald(config-if)# Ronald(config-if)#exit Ronald(config)#interface FastEthernet0/1 Ronald(config-if)#ip address 74.125.20.1 255.255.255.0 Ronald(config)#ip nat inside source static 172.31.0.100 74.125.20.100 Ronald(config)#inter Ronald(config)#interface fas Ronald(config)#interface fastEthernet 0/1 Ronald(config-if)#ip nat inside Ronald(config-if)#exit Ronald(config)#inter Ronald(config)#interface fa Ronald(config)#interface fastEthernet 0/0 Ronald(config-if)#ip nat outside Ronald(config-if)#exit

Best Answer

You need to configure Static Route. Ip route 172.31.0.0 255.255.255.0 74.125.15.1 In NAT router. Otherwise Router does not know how to reach to your 172.31.0.0 network

internal router: ip route 0.0.0.0 0.0.0.0 74.125.15.2

Related Solutions

Cisco – About the inside local and outside local and inside global and outside global

Usually NAT will be used to translate between private to public IP address but this is not the only use case. You can also translate between any addresses you want such as private to private.

The terms local and global most often refer to the inside and outside of your network but this doesn't mean that it MUST be LAN and WAN although it often is.

So say that we have a webserver on our LAN with the IP 10.0.0.1. We want the webserver to be accessible from a public IP of 130.130.130.130.

ip nat inside source static 10.0.0.1 130.130.130.130

What this does is to translate all packets from 10.0.0.1 (Source IP) to a source of 130.130.130.130 when exiting on the outside interface. This command is bidirectional so all packets entering the outside interface with a destination IP of 130.130.130.130 will also get translated to 10.0.0.1.

The ip nat inside destination command translates from inside global to one or several inside locals. This is primarily used to do primitive load sharing.

ip nat inside destination list 1 pool real-hosts
ip nat pool real-hosts 10.0.0.1 10.0.0.3 prefix-length 24 type rotary
access-list 1 permit 130.130.130.130

What this does is to translate from 130.130.130.130 to 10.0.0.1, 10.0.0.2 and 10.0.0.3 in a rotary fashion. So for every incoming request to the inside global IP of 130.130.130.130 it will be translated to a different inside local address in a round robin fashion.

IP nat outside source static translates between outside global and outside local IP. One common use case would be if you have overlapping subnets. Like if you are doing a merger and both companies use the same IP subnets. So say that both company A and company B are using 10.0.0.0/24 for something. So you are working for company A and you want to translate all 10.0.0.0/24 on the outside to 192.168.0.0/24.

ip nat outside source static network 10.0.0.0 192.168.0.0 /24

Then you would have to do the same for traffic going from the inside to the outside of course.

Regarding your last question it only really makes sense to either translate the source or the destination of the packet. What you are suggesting sounds like some kind of policy routing. You can use inside and outside NAT to do everything you need.

Cisco ASA Routing Issue

Best practice wise - should I let the router or the ASA handle NAT (Overloading)?

In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).

In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.

I can ping the 172.16.2.2 interface but not 172.16.2.1 from a pc connected to one of the layer 2 switches (proves intervlan routing is working -- i have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?

The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.

And most of all -- Why can't I get out to the Internet from the Layer 3 switch?

Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10