Cisco IOS IP NAT Trouble Ticket 2

Continuing from my last post, Trouble Ticket 1, here is another trouble ticket related to NAT. Please find the details below:

Task: In this example we have configured NAT on the SITE1 router to translate hosts going out from the inside network. This is the simplest form of NAT, but for some reason the end-to-end ping is not working. The network diagram and configurations follow:

[Figure: IP NAT network diagram]

 

SITE 1:

interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 ip address 30.30.30.1 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
ip nat inside source static 10.10.10.2 100.100.100.1

 

Site 2:
interface FastEthernet0/0
 ip address 30.30.30.2 255.255.255.0
!
interface FastEthernet1/0
 ip address 20.20.20.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0

Following is the configuration on the hosts:

HOST 1:

interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.0
!
ip default-gateway 10.10.10.1
!
no ip routing

HOST 2:

interface FastEthernet0/0
 ip address 20.20.20.2 255.255.255.0
!
ip default-gateway 20.20.20.1
!
no ip routing

 

Now let's check the connectivity. We will try to ping host 2 from host 1. The configuration is very simple and it should work…

HOST1#ping 20.20.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

Unfortunately it did not work. Now we need to find out what is wrong. The following are a few things we must check.

1- Is NAT working fine? Let's check this…

There is just one router responsible for NAT, the SITE 1 router. We will check on the SITE 1 router whether NAT is working fine or not.

SITE1#show ip nat translations
Pro    Inside global     Inside local     Outside local    Outside global
icmp  100.100.100.1:47   10.10.10.2:47    20.20.20.2:47     20.20.20.2:47
---     100.100.100.1     10.10.10.2        ---                 ---

SITE1#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Peak translations: 18, occurred 00:15:14 ago
Outside interfaces:
 FastEthernet1/0
Inside interfaces:
 FastEthernet0/0
Hits: 385 Misses: 0
CEF Translated packets: 380, CEF Punted packets: 5
Expired translations: 17
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0

 

2- If NAT is working, there is just one more feature implemented in this network, which is routing. So if all the physical infrastructure (interface issues etc.) is fine, then the issue could be with forwarding. Let's check routing, and to do that we will use the most useful and traditional tool, "traceroute". Let's trace the HOST 2 IP from HOST 1.

HOST1#traceroute 20.20.20.2
Type escape sequence to abort.
Tracing the route to 20.20.20.2
1 10.10.10.1 48 msec 32 msec 92 msec
2 * * *
3 *
HOST1#

Alright, so we have an observation here: the packet is not going out of the SITE1 router. This is another level of isolation; we have isolated the issue to the SITE1 router. Let's see if the forwarding tables in the router are fine. The output below shows that the CEF entry for 20.20.20.2 is present…

SITE1#sh ip cef 20.20.20.2
20.20.20.2/32
 attached to FastEthernet1/0

 

We can further run debugs on the router to check what exactly is happening with the ICMP echo request, but debugs can be cryptic at times, so I prefer taking a simple packet capture between the SITE 1 and SITE 2 routers to see if we get some clue.

[Figure: Wireshark capture between SITE 1 and SITE 2, NAT inside to outside]

Wow!!! That is the reason I prefer to take a packet capture whenever I am stuck while troubleshooting. The best thing about a packet capture is that even if you do not find anything relevant to the issue you are troubleshooting, you get to know the network activity very well, which in turn adds to your knowledge and also helps you conclude the issue sooner. But our case is fortunately simpler, because we clearly see what is happening here. The SITE 1 router is sending ICMP packets out and we do not see any response coming from the other end. What we do see coming in is an ARP request for 100.100.100.1, which is the translated IP address here. Below is how the packet is translated with our configuration:

 

[Figure: NAT packet flow]

 

We see the SITE 2 router sending ARP requests for 100.100.100.1, but there is no response because no host in the network has this IP address. 100.100.100.1 is only defined in the NAT statement; there is no actual host in the network which holds it, so nobody responds to the ARP request. But why is the SITE 2 router sending ARP requests for 100.100.100.1? The reason is the route statement that we have configured.

SITE1(Config)#ip route 0.0.0.0 0.0.0.0 FastEthernet1/0

Keep in mind that whenever we define a static route with the exit interface, the router has to ARP for every destination IP address. This also adds extra overhead on the router in terms of CPU cycles. Let's see whether our issue improves if we replace the exit interface with the next-hop IP address.

SITE1(Config)#ip route 0.0.0.0 0.0.0.0 30.30.30.2

SITE2 (Config)#ip route 0.0.0.0 0.0.0.0 30.30.30.1

HOST1#ping 20.20.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/47/64 ms
Router#

Neat!!! As soon as we changed the route to the next-hop IP address, the ping started working. See the packet capture below; there is no ARP now.

[Figure: Wireshark capture of working ICMP traffic after the route change]
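
An added example (not part of the original post): a Python audit of an IOS configuration for the two conditions this ticket turned on, a static route that names only an Ethernet exit interface, and a static NAT inside global address that lies outside every "ip nat outside" subnet, so no device on the segment will answer ARP for it. The function name and the set of interface types treated as multi-access are assumptions; the sample input is the SITE 1 configuration shown above.

```python
import ipaddress
import re

# Ethernet-style (multi-access) interfaces: a route that names only such an
# exit interface makes the router ARP for each destination address.
# The list of interface name prefixes is an assumption of this example.
MULTI_ACCESS = re.compile(r"^(Fast|Gigabit|TenGigabit)?Ethernet", re.I)

def audit_ios_config(text):
    """Return (exit_interface_routes, off_subnet_nat_globals)."""
    ifaces, routes, nat_globals, cur = {}, [], [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok == ["!"]:
            cur = None  # end of the current interface block
        elif tok[0] == "interface" and len(tok) == 2:
            cur = ifaces.setdefault(tok[1], {"net": None, "outside": False})
        elif cur is not None and tok[:2] == ["ip", "address"] and len(tok) >= 4:
            cur["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif cur is not None and tok == ["ip", "nat", "outside"]:
            cur["outside"] = True
        elif tok[:2] == ["ip", "route"] and len(tok) == 5:
            if MULTI_ACCESS.match(tok[4]):  # exit interface, no next hop
                routes.append(" ".join(tok))
        elif tok[:5] == ["ip", "nat", "inside", "source", "static"] and len(tok) == 7:
            # Plain one-to-one static NAT only: <inside local> <inside global>
            nat_globals.append(ipaddress.ip_address(tok[6]))
    outside = [i["net"] for i in ifaces.values() if i["outside"] and i["net"]]
    off_subnet = [str(g) for g in nat_globals if not any(g in n for n in outside)]
    return routes, off_subnet

# SITE 1 configuration from the post, before and after the route change.
SITE1_BEFORE = """\
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 ip address 30.30.30.1 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
ip nat inside source static 10.10.10.2 100.100.100.1
"""
SITE1_AFTER = SITE1_BEFORE.replace("0.0.0.0 FastEthernet1/0", "0.0.0.0 30.30.30.2")

if __name__ == "__main__":
    for name, cfg in (("before", SITE1_BEFORE), ("after", SITE1_AFTER)):
        print(name, audit_ios_config(cfg))
```

The translated address stays off-subnet in both runs; what changes is that the exit-interface route is gone, which matches the fix applied in this ticket.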

 

That is all for this trouble ticket; I hope you have learnt something. Please leave your suggestions or questions in the comment section, I would love to hear from you.

Thanks, stay tuned for more.
