Monday, December 13, 2010

Resolving Issues with Using the Correct Translation Entry CCNP Coaching Institute in Delhi India

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

You know from the configuration that the source address (10.10.10.4) should be statically
translated to 172.16.6.14. You can use the show ip nat translation command to verify that
the translation does exist in the translation table, as demonstrated here:
RouterX# show ip nat translation
Pro Inside global Inside local Outside local Outside global
--- 172.16.6.14 10.10.10.4 --- ---
Table 7-4 show ip nat statistics Field Descriptions

Field                  Description
Total translations     Number of translations that are active in the system. This number is
                       incremented each time a translation is created and is decremented each
                       time a translation is cleared or times out.
Outside interfaces     List of interfaces that are marked as outside with the ip nat outside command.
Inside interfaces      List of interfaces that are marked as inside with the ip nat inside command.
Hits                   Number of times the software looks up an entry in the translation table
                       and finds an entry.
Misses                 Number of times the software looks up the translation table, fails to find
                       an entry, and must try to create one.
Expired translations   Cumulative count of translations that have expired since the router was
                       booted.
Dynamic mappings       Indicates that the information that follows is about dynamic mappings.
Inside source          Indicates that the information that follows is about an inside source
                       translation.
access-list            ACL number that is being used for the translation.
pool                   Name of the pool (in this case, test).
refcount               Number of translations that are using this pool.
netmask                IPv4 network mask that is used in the pool.
start                  Starting IPv4 address in the pool range.
end                    Ending IPv4 address in the pool range.
type                   Type of pool. Possible types are generic or rotary.
total addresses        Number of addresses in the pool that are available for translation.
allocated              Number of addresses that are being used.
misses                 Number of failed allocations from the pool.
Scaling the Network with NAT and PAT 265
Next, ensure that the translation is occurring. You can confirm this in two ways: by running
a NAT debug command or by monitoring NAT statistics with the show ip nat statistics
command. Because debug commands should always be used as a last resort, start with the
show ip nat statistics command.
To determine whether the translation is taking place, monitor the hits counter to see if it
increases as traffic is sent through the router. The hits counter increments every time a
translation in the translation table is used to translate an address. First, clear the statistics
and then display them. Next, try to execute a ping through the router and then display the
statistics again, as demonstrated in Example 7-3.
After the ping, the NAT statistics look as shown in Example 7-4.
Example 7-3 Verifying That Address Translation Is Occurring
RouterX# clear ip nat statistics
RouterX#
RouterX# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
Ethernet0, Serial2
Inside interfaces:
Ethernet1
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 7 pool test refcount 0
pool test: netmask 255.255.255.0
start 172.16.11.70 end 172.16.11.71
type generic, total addresses 2, allocated 0 (0%), misses 0
Example 7-4 show ip nat statistics to Verify Translation
RouterX# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
Ethernet0, Serial2
Inside interfaces:
Ethernet1
Hits: 5 Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 7 pool test refcount 0
pool test: netmask 255.255.255.0
start 172.16.11.70 end 172.16.11.71
type generic, total addresses 2, allocated 0 (0%), misses 0
266 Chapter 7: Managing Address Spaces with NAT and IPv6
You can see from the output of the show command that the number of hits incremented by
five after the NAT statistics were cleared. In a successful ping, the number of hits should
increase by 10. The five ICMP echoes that were sent by the source should be translated, and
the five echo reply packets from the destination should be translated, for a total of 10 hits.
The five missing hits are most likely due to the echo replies not being translated or not being
sent from the destination router.
To determine why the echo replies are not returned, check the routing table of the
destination's default gateway router (Router Y in Example 7-5) for a route back to the
translated address.
The routing table in Example 7-5 has no route for 172.16.6.14, the translated (inside global)
address, so Router Y cannot forward the echo replies and the ping fails. Once you add a
return route for the translated address, the ping works.
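As an added check that is not part of the original text: the following Python script turns the procedure above into something repeatable. It parses two captures of show ip nat statistics, one taken right after clear ip nat statistics and one after the ping, and reads the change in the hits counter the way the text does: twice the echo count means both directions are translated, exactly the echo count means the replies never came back through the translator (look for the missing return route on the far side), and zero means nothing is being translated. The captures are constructed to match Examples 7-3 and 7-4 and were not taken from a live router; the function names are this example's own.

```python
"""Interpret the hits counter of 'show ip nat statistics' across a ping.

Every packet translated in either direction counts one hit, so a ping of N
echoes through a working NAT adds 2*N hits: N requests out, N replies back.
Only N means the replies never reached the translator (usually a missing
return route on the far side); 0 means nothing was translated at all.
"""
import re

# Constructed captures modelled on Examples 7-3 and 7-4 (not from a live
# router).  BEFORE_PING is what you see right after 'clear ip nat statistics'.
BEFORE_PING = """\
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  Ethernet0, Serial2
Inside interfaces:
  Ethernet1
Hits: 0  Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 7 pool test refcount 0
 pool test: netmask 255.255.255.0
        start 172.16.11.70 end 172.16.11.71
        type generic, total addresses 2, allocated 0 (0%), misses 0
"""
AFTER_PING = BEFORE_PING.replace("Hits: 0", "Hits: 5")      # as in Example 7-4

_TOTALS = re.compile(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)")
_COUNTER = re.compile(r"(Hits|Misses|Expired translations):\s*(\d+)")
_IFACES = re.compile(r"^(Outside|Inside) interfaces:\n[ \t]*(.*)$", re.M)
_POOL = re.compile(r"total addresses (\d+), allocated (\d+) \(\d+%\), misses (\d+)")


def parse_nat_statistics(text):
    """Pull the counters, interface lists and pool usage out of the output."""
    stats = {}
    m = _TOTALS.search(text)
    if m:
        stats.update(zip(("total", "static", "dynamic", "extended"), map(int, m.groups())))
    for name, value in _COUNTER.findall(text):
        stats[name.lower().replace(" ", "_")] = int(value)
    for role, names in _IFACES.findall(text):
        stats[role.lower() + "_interfaces"] = [n.strip() for n in names.split(",") if n.strip()]
    m = _POOL.search(text)
    if m:
        stats.update(zip(("pool_total", "pool_allocated", "pool_misses"), map(int, m.groups())))
    return stats


def diagnose_ping(before, after, echo_count=5):
    """Compare hits before/after a ping of echo_count packets and explain the delta."""
    delta = parse_nat_statistics(after)["hits"] - parse_nat_statistics(before)["hits"]
    if delta == 2 * echo_count:
        verdict = "ok: echo requests and replies were both translated"
    elif delta == echo_count:
        verdict = ("replies not translated: check the far-side router for a "
                   "route back to the inside global address")
    elif delta == 0:
        verdict = ("no translation: check ip nat inside/outside roles and the "
                   "ACL that selects inside local addresses")
    else:
        verdict = "partial: some packets were lost or not translated"
    return delta, verdict


if __name__ == "__main__":
    print(parse_nat_statistics(AFTER_PING))
    print(diagnose_ping(BEFORE_PING, AFTER_PING))
```

Run against the two constructed captures, diagnose_ping() reports a delta of 5 and the "replies not translated" verdict, which is exactly the state the text goes on to resolve by adding the return route on the far-side router.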
In Figure 7-7, the network administrator is experiencing the following symptom: Host A
(192.168.1.2) cannot ping host B (192.168.2.2).
The next several examples show how to troubleshoot this issue.
To troubleshoot the problem, use the show ip nat translation command to see if any
translations are currently in the table:
RouterA# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- --- ---
Example 7-5 Verifying the Default Gateway
RouterY# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 4 subnets
C 172.16.12.0 is directly connected, Serial0.8
C 172.16.9.0 is directly connected, Serial0.5
C 172.16.11.0 is directly connected, Serial0.6
C 172.16.5.0 is directly connected, Ethernet0
Figure 7-7 NAT Problem Cannot Ping Remote Host
You find that no translations are in the table. This could indicate a problem, or it could mean
that no traffic is currently being translated.
Next, verify whether any translations have ever taken place and identify the interfaces
between which translation should be occurring. Use the show ip nat statistics command to
determine this information, as demonstrated in Example 7-6.
Example 7-6 Identifying Translations and Interfaces
RouterA# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Ethernet0
Inside interfaces:
Serial0
Hits: 0 Misses: 0

[Figure 7-7 content, reconstructed from the extracted figure text]

Topology:
Host A 192.168.1.2 -- E0 192.168.1.1/24 [Router A] S0 10.1.1.1/24 -- S0 10.1.1.2/24 [Router B] E0 192.168.2.1 -- Host B 192.168.2.2

Router A configuration (as drawn, before the fixes):
ip nat pool test 172.16.17.20 172.16.17.30
ip nat inside source list 1 pool test
!
int s0
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
int e0
ip address 192.168.1.1 255.255.255.0
ip nat outside
!
router rip
network 10.0.0.0
network 192.168.1.0
!
access-list 1 permit 192.168.1.0 255.255.255.0

Router B configuration:
int e0
ip address 192.168.2.1 255.255.255.0
!
int s0
ip address 10.1.1.2 255.255.255.0
!
router rip
network 10.0.0.0
network 192.168.2.0
From the results in Example 7-6, you determine that the NAT counters are at 0, confirming
that no translation has occurred. You also find that the router interfaces are defined
backwards: S0, which faces Router B, is marked NAT inside, and E0, which faces Host A, is
marked NAT outside.
After you correctly define the NAT inside and outside interfaces, generate another ping
from host A to host B. In the example, the ping still fails. Issue the show ip nat translations
and show ip nat statistics commands again to troubleshoot the problem. In the example,
you find that translations are still not occurring.
Next, you should use the show access-list command to verify whether the ACL that is
referenced by the NAT command is permitting all the necessary networks:
RouterA# show access-list
Standard IP access list 1
10 permit 192.168.1.1, wildcard bits 255.255.255.0
From this output, you determine that an incorrect wildcard mask has been used in the ACL
that defines the addresses to be translated. 255.255.255.0 is a subnet mask, not a wildcard
mask: as a wildcard it makes the first three octets "don't care" and requires the last octet
to match, so Host A (192.168.1.2) is never selected for translation. The intended wildcard
for the whole 192.168.1.0/24 network is 0.0.0.255.
After correcting the ACL wildcard bit mask, you generate another ping from host A to
host B. The ping still fails. However, when you reissue the show ip nat translations and
show ip nat statistics commands, you find that translations are now occurring:
RouterA# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 172.16.17.20 192.168.1.2 --- ---
Next, you use the show ip route command on Router B to verify the existence of a return
route to the translated address.
From the results in Example 7-7, you discover that Router B has no route to the translated
address 172.16.17.20 or to its network, 172.16.0.0, so its echo replies have nowhere to go.
Example 7-7 Verifying a Return Route to the Translated Address
RouterB# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0/24 is directly connected, Serial0
192.168.2.0/24 is subnetted, 1 subnets
C 192.168.2.0/24 is directly connected, Ethernet0
192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
R 192.168.1.0/24 [120/1] via 10.1.1.1, 2d19h, Serial0
You return to Router A and enter the show ip protocol command to determine if Router A
is advertising the translated address of 172.16.0.0, as demonstrated in Example 7-8.
You find that Router A is advertising 192.168.1.0, which is the network that is being
translated, instead of advertising network 172.16.0.0, which is the network to which the
addresses are being translated.
So, to fix the original problem where host A (192.168.1.2) could not ping host B
(192.168.2.2), you changed the following configurations on Router A:
■ Interface S0 is now the outside interface, rather than the inside interface.
■ Interface E0 is now the inside interface, rather than the outside interface.
■ The wildcard mask now matches any host on the 192.168.1.0 network. Previously, the
access-list 1 command did not match the inside local IPv4 addresses.
■ Router A is now configured to advertise network 172.16.0.0. Previously, Router B did
not know how to reach the 172.16.17.0/24 subnet. The configuration is done by
creating a loopback interface and modifying the Routing Information Protocol (RIP)
network statements.
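Every fault in the list above can be found by reading the configuration before a single ping is sent. The following Python script is an added example, not code from the original page or from the book it reproduces: it parses the Router A configuration from Figure 7-7 and checks (1) that the NAT ACL uses a wildcard mask rather than a subnet mask, (2) that the interface holding the inside local network is the one marked ip nat inside and the other one is ip nat outside, and (3) that the inside global (pool) network both has an interface address on the router and appears in a RIP network statement, which is why the fix needed a loopback. The corrected configuration is assumed from the fix list: the Loopback0 address 172.16.17.1/24 is this example's choice (the text gives none), and a pool netmask is added because IOS requires one even though the figure omits it. All function names are the example's own.

```python
import ipaddress

# Router A as drawn in Figure 7-7, before the fixes (pool netmask assumed; IOS requires it).
BROKEN_CONFIG = """\
ip nat pool test 172.16.17.20 172.16.17.30 netmask 255.255.255.0
ip nat inside source list 1 pool test
interface Serial0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
router rip
 network 10.0.0.0
 network 192.168.1.0
access-list 1 permit 192.168.1.0 255.255.255.0
"""
# Assumed fix: roles swapped, wildcard corrected, a loopback (address chosen here, the
# text gives none) and a RIP statement so 172.16.0.0 is advertised to Router B.
FIXED_CONFIG = """\
ip nat pool test 172.16.17.20 172.16.17.30 netmask 255.255.255.0
ip nat inside source list 1 pool test
interface Loopback0
 ip address 172.16.17.1 255.255.255.0
interface Serial0
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
router rip
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.1.0
access-list 1 permit 192.168.1.0 0.0.0.255
"""


def classful(addr):
    """Classful network of an address, which is what a RIPv1 'network' statement means."""
    first = int(str(addr).split(".")[0])
    return ipaddress.ip_network(f"{addr}/{8 if first < 128 else 16 if first < 192 else 24}", strict=False)


def parse_config(text):
    """Minimal parser for just the statements the checks need."""
    cfg, section = {"interfaces": {}, "rip": set(), "acls": {}, "pools": {}, "mappings": []}, None
    for line in filter(str.strip, text.splitlines()):
        parts = line.split()
        if line.startswith(" "):                  # body of an interface or router block
            iface = cfg["interfaces"].get(section)
            if iface and parts[:2] == ["ip", "address"]:
                iface["addr"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
            elif iface and parts[:2] == ["ip", "nat"]:
                iface["nat"] = parts[2]
            elif section == "rip" and parts[0] == "network":
                cfg["rip"].add(classful(parts[1]))
            continue
        section = parts[1] if parts[0] == "interface" else "rip" if parts[:2] == ["router", "rip"] else None
        if parts[0] == "interface":
            cfg["interfaces"][section] = {"addr": None, "nat": None}
        elif parts[:3] == ["ip", "nat", "pool"]:
            cfg["pools"][parts[3]] = ipaddress.ip_address(parts[4])
        elif parts[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["mappings"].append((parts[5], parts[7]))
        elif parts[0] == "access-list" and parts[2] == "permit":
            cfg["acls"].setdefault(parts[1], []).append((parts[3], parts[4] if len(parts) > 4 else "0.0.0.0"))
    return cfg


def acl_selection(cfg, acl_id):
    """Networks the ACL selects, plus a message for each wildcard that is not a wildcard."""
    nets, problems = [], []
    for addr, wildcard in cfg["acls"].get(acl_id, []):
        w = int(ipaddress.ip_address(wildcard))
        proper = w & (w + 1) == 0                 # a real wildcard is a run of ones from the right
        host_bits = w if proper else ~w & 0xFFFFFFFF   # otherwise read it as the intended subnet mask
        if not proper:
            problems.append(f"wildcard {wildcard} is a subnet mask, not a wildcard; use {ipaddress.ip_address(host_bits)}")
        nets.append(ipaddress.ip_network(f"{addr}/{32 - host_bits.bit_length()}", strict=False))
    return nets, problems


def audit(text):
    """Return a list of findings; an empty list means the config passes all three checks."""
    cfg, findings = parse_config(text), []
    for acl_id, pool in cfg["mappings"]:
        local_nets, problems = acl_selection(cfg, acl_id)
        findings += [f"access-list {acl_id}: {p}" for p in problems]
        for name, iface in cfg["interfaces"].items():
            if iface["nat"] and iface["addr"] and any(iface["addr"].ip in n for n in local_nets) != (iface["nat"] == "inside"):
                findings.append(f"{name} is 'ip nat {iface['nat']}' yet its address {iface['addr'].ip} is {'' if iface['nat'] == 'outside' else 'not '}in an inside local network")
        global_net = classful(cfg["pools"][pool])
        if global_net not in cfg["rip"]:
            findings.append(f"{global_net} (inside global) has no RIP network statement: Router B gets no return route")
        if not any(i["addr"] and i["addr"].ip in global_net for i in cfg["interfaces"].values()):
            findings.append(f"no interface address in {global_net}, so RIP has nothing to advertise")
    return findings
```

audit(BROKEN_CONFIG) returns five findings (the wildcard, both interface roles, the missing RIP statement and the missing loopback); audit(FIXED_CONFIG) returns an empty list. The classful() helper matters because RIPv1 network statements and IOS automatic summarization work on classful boundaries, which is also why the text speaks of advertising "network 172.16.0.0" rather than 172.16.17.0/24.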
Summary of Scaling the Network with NAT and PAT
The following summarizes the key points that were discussed in this section.
■ There are three types of NAT: static, dynamic, and overloading (PAT).
Example 7-8 Verifying Advertisement of a Translated Address
RouterA# show ip protocol
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 0 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 1, receive any version
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
192.168.0.0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
■ Static NAT is one-to-one address mapping. Dynamic NAT addresses are picked from
a pool.
■ NAT overloading (PAT) allows you to map many inside addresses to one outside
address.
■ Use the show ip nat translation command to display the translation table and verify
that translation has occurred.
■ To determine whether a current translation entry is being used, use the show ip nat
statistics or clear ip nat statistics commands to check and clear the hits counter.
■ Use the debug ip nat command to verify translation of packets.
