Troubleshooting NAT / PAT

In this lesson we’ll take a look at some common NAT (Network Address Translation / PAT (Port Address Translation) issues. The configuration of NAT / PAT on Cisco IOS routers is pretty straight-forward but there are some issues. Let’s look at some scenarios…

NAT Inside / Outside

Here’s the topology I will use:

NAT Host NAT Webserver

In this scenario we have 3 devices. The router on the left side is called “Host” and this is supposed to be a computer on our LAN.   The device on the right side is supposed to be some webserver, something that we are trying to reach on the Internet. In the middle we’ll find our router that is configured for NAT and/or PAT.

Users from our LAN are complaining that they are unable to reach anything on the Internet. They have confirmed that their IP address and default gateway is OK. Let’s take a look at the NAT router:

NAT#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

It’s not a bad idea to check if the NAT router can reach the webserver by trying a simple ping. If it doesn’t work you at least know that you have routing issues or that the webserver is down (or maybe just blocking ICMP traffic). Let’see if we can connect to TCP port 80:

NAT#telnet 192.168.23.3 80
Trying 192.168.23.3, 80 ... Open

You can see that this is working so routing between the NAT router and the webserver and connecting to the TCP port is no problem. Let’s focus on the NAT configuration:

NAT#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.23.2:1    192.168.12.2:1     192.168.12.1:1     192.168.12.1:1

We can use the show ip nat translations to see if anything is going on. We see that the NAT router is translating something but it doesn’t look quite right if you look closely. The outside local and global IP addresses refer to the IP address on the inside. Let’s take a closer look:

NAT#show ip nat statistics 
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces: 
  FastEthernet1/0
Hits: 5  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface FastEthernet1/0 refcount 0
Queued Packets: 0

Show ip nat statistics is a nice command to verify your configuration. You can see that the inside and outside interfaces have been swapped. FastEthernet 0/0 should be the inside and FastEthernet 1/0 should be the outside. Let’s fix this:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 803 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
494 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags: ,


Forum Replies

  1. Hi Rene,
    Interesting scenarios and explained by you clearly.

    Thanks,
    Srini

  2. I’m confused about the 172.16.1.0 subnet.
    I guess the address 172.16.1.1 does somehow configure automatically in the HOST.

    Two questions :

    1 - Why the static rule is simply not something like ip route 172.16.1.0 255.255.255.0 192.168.12.1 ?

    2 - How come a private (inside) network (172.16.1.0) be advertised for outside of the NAT ?

  3. Hello Maodo

    The 172.16.1.0 subnet is a range of addresses that are given to us by the ISP that will be used to translate the INSIDE addresses to the OUTSIDE. In other words, when the Host communicates to the outside world, the 192.168.12.1 address will be translated to 172.16.1.X when it traverses the NAT router. So from the NAT router outwards, all communication occurs with the IP address 172.16.1.X. Note that this subnet essentially “exists” on the F1/0 interface of the NAT router. In a sense, it coexists with the 192.168.23.2 IP address on that interface

    ... Continue reading in our forum

  4. Hi @kayoutoure,

    The inside global address is indeed the IP address on the outside interface of the NAT router, it’s the address that you translate to. This can be a bit confusing, if you see the word “inside” you might start looking at the green inside box but you won’t find it there…:smile:.

    Rene

1 more reply! Ask a question or join the discussion by visiting our Community Forum