Troubleshooting NAT / PAT

In this lesson we’ll take a look at some common NAT (Network Address Translation / PAT (Port Address Translation) issues. The configuration of NAT / PAT on Cisco IOS routers is pretty straight-forward but there are some issues. Let’s look at some scenarios…

NAT Inside / Outside

Here’s the topology I will use:

NAT Host NAT Webserver

In this scenario we have 3 devices. The router on the left side is called “Host” and this is supposed to be a computer on our LAN.   The device on the right side is supposed to be some webserver, something that we are trying to reach on the Internet. In the middle we’ll find our router that is configured for NAT and/or PAT.

Users from our LAN are complaining that they are unable to reach anything on the Internet. They have confirmed that their IP address and default gateway is OK. Let’s take a look at the NAT router:

NAT#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

It’s not a bad idea to check if the NAT router can reach the webserver by trying a simple ping. If it doesn’t work you at least know that you have routing issues or that the webserver is down (or maybe just blocking ICMP traffic). Let’see if we can connect to TCP port 80:

NAT#telnet 192.168.23.3 80
Trying 192.168.23.3, 80 ... Open

You can see that this is working so routing between the NAT router and the webserver and connecting to the TCP port is no problem. Let’s focus on the NAT configuration:

NAT#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.23.2:1    192.168.12.2:1     192.168.12.1:1     192.168.12.1:1

We can use the show ip nat translations to see if anything is going on. We see that the NAT router is translating something but it doesn’t look quite right if you look closely. The outside local and global IP addresses refer to the IP address on the inside. Let’s take a closer look:

NAT#show ip nat statistics 
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces: 
  FastEthernet1/0
Hits: 5  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface FastEthernet1/0 refcount 0
Queued Packets: 0

Show ip nat statistics is a nice command to verify your configuration. You can see that the inside and outside interfaces have been swapped. FastEthernet 0/0 should be the inside and FastEthernet 1/0 should be the outside. Let’s fix this:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 654 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

535 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,


Forum Replies

  1. Hi Rene,
    Interesting scenarios and explained by you clearly.

    Thanks,
    Srini

  2. I’m confused about the 172.16.1.0 subnet.
    I guess the address 172.16.1.1 does somehow configure automatically in the HOST.

    Two questions :

    1 - Why the static rule is simply not something like ip route 172.16.1.0 255.255.255.0 192.168.12.1 ?

    2 - How come a private (inside) network (172.16.1.0) be advertised for outside of the NAT ?

  3. Hello Maodo

    The 172.16.1.0 subnet is a range of addresses that are given to us by the ISP that will be used to translate the INSIDE addresses to the OUTSIDE. In other words, when the Host communicates to the outside world, the 192.168.12.1 address will be translated to 172.16.1.X when it traverses the NAT router. So from the NAT router outwards, all communication occurs with the IP address 172.16.1.X. Note that this subnet essentially “exists” on the F1/0 interface of the NAT router. In a sense, it coexists with the 192.168.23.2 IP address on that interface

    ... Continue reading in our forum

  4. Ok ! Ok ! I see. It’s “Dynamic NAT”, as it is explained by the following lesson.

    There’s, unfortunately, something

    ... Continue reading in our forum

  5. Working on the ISP side at Level 3 Communication and Zayo I always found it interesting because on the academic side they always say BGP is not really needed unless you need to do load balancing across multiple ISP.

    However, when your actual out there in the real world that doe not seem to be how the majority do it. Basically I would say the majority use BGP even for single connections. Laz Hypothesis sounds as reasonable as any that its easier for the ISP so they just go with BGP. I never really asked that question and most of the guys and girls around me

    ... Continue reading in our forum

1 more reply! Ask a question or join the discussion by visiting our Community Forum