How to configure PAT on Cisco IOS Router

Has this been tested? How is host 1, which is on the 192.168.12.0/24 network, going to reach the 192.168.23.0/24 network since it has no routes there? I can see it being able to reach 192.168.23.2 as it's on the NAT router.

However, it will not reach 192.168.23.3, which is the IP address of Web1.

Host1#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:

Success rate is 0 percent (0/5)

Nor can you telnet to it, which makes sense as you cannot ping it.

Host1#telnet 192.168.23.3 80
Trying 192.168.23.3, 80 …
% Connection timed out; remote host not responding

Host1#

So I think there is something missing from the configs for this to know how to get there, be it static routing or dynamic. I could not get it to work. I will double check my GNS3 routers to make sure they do not have something turned off, but this lab does not seem to work :x

Here is my base host configuration; some of the stuff is added every time I use that model router.

Host1#show run
Building configuration…

Current configuration : 988 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Host1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
ip address 192.168.123.1 255.255.255.0
no ip route-cache
duplex half
!
ip default-gateway 192.168.123.3
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end

Host1#

I had gone back to Static NAT and, after finding an issue with a typo there, was able to get the lab up and running, so I am about to come back here to test some things.

Ok, so my guess was correct. To be able to ping the webserver here we have to do “no ip routing” on this device as well, same as the host. Then we also have to set up a default gateway. Once you do that you can then ping from hosts to the webserver… which makes sense, as the default-gateway is a form of static routing; it's basically creating a default route to NAT. I could do basically the same thing by adding default routes to host1 and web1 and not remove routing. Saying that off the top of my head without a great deal of thought, but it sounds logical.

Anyway, in order for this lab to work you need to add the following to the web server:

no ip routing
ip default-gateway 192.168.23.2

Now I will test the PAT portion.

==========================================================

Ok good news the Lab does indeed work after those changes.

show command now works:

NAT#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.168.23.2:6 192.168.123.1:6 192.168.23.3:6 192.168.23.3:6
NAT#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.123.3 YES NVRAM up up
FastEthernet0/1 192.168.23.2 YES NVRAM up up
NVI0 192.168.123.3 YES unset up up
NAT#

debug:

Sep 26 21:11:33.415: IP: s=192.168.23.2
Web1# (FastEthernet0/0), d=192.168.23.3, len 100, rcvd 1
*Sep 26 21:11:33.419: IP: tableid=0, s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), routed via RIB
*Sep 26 21:11:33.419: IP: s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), len 100, sending
*Sep 26 21:11:33.423: IP: s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), len 100, sending full packet
*Sep 26 21:11:33.435: IP: s=192.168.23.2 (FastEthernet0/0), d=192.168.23.3, len 100, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 26 21:11:33.435: IP: s=192.168.23.2 (FastEthernet0/0), d=192.168.23.3, len 100, rcvd 1
*Sep 26 21:11:33.439: IP: tableid=0, s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), routed via RIB
*Sep 26 21:11:33.439: IP: s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), len 100, sending
*Sep 26 21:11:33.443: IP: s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), len 100, sending full packet
Web1#

telnet worked (but only after NAT was correctly set up… before NAT you could only ping)

Host1#telnet 192.168.23.3
Trying 192.168.23.3 … Open

Password required, but none set

[Connection to 192.168.23.3 closed by foreign host]
Host1#

--------------------------Be careful on your NAT command!------------------------------------------
I accidentally messed up on the NAT command the first time. I did the following:

NAT(config)#ip nat source list 1 interface fastEthernet 0/1 overload

It took my command but nothing worked… lol… I had to go back and remove that and add the “inside”

After that everything worked…

NAT(config)#ip nat inside source list 1 interface fastEthernet 0/1 overload

===================================
===================================

Btw I went ahead and removed the following items from the web server which is what was needed to get the lab to work:

no ip routing
ip default-gateway 192.168.23.2

I then added the following to the web server:

Web1(config)#no ip default-gateway
Web1(config)#ip routing
Web1(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2

Web1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.23.2 to network 0.0.0.0

C 192.168.23.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.23.2
Web1#

I retested and everything still worked… So my original guess was right. It had to do with routing. So in order for this to work the following must be done, though there are a few choices on how to do it.

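The two things this thread ended up changing, a default path on Web1 and the `inside` keyword in the NAT rule, can be checked offline against saved running-configs. The following is an added example, not part of the original post; the function names and sample configs are constructed for illustration, and it only understands the `interface ... overload` form of the rule used in this lab.

```python
import ipaddress
import re

def default_next_hop(cfg):
    """Next hop an IOS device uses for off-subnet traffic, or None if it has none."""
    nets = [ipaddress.ip_interface(f"{a}/{m}").network
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)", cfg, re.M)]
    routing = not re.search(r"^no ip routing", cfg, re.M)
    # With routing on, "ip default-gateway" is ignored and a default route is needed.
    pat = (r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\d\S*)" if routing
           else r"^ip default-gateway (\S+)")
    m = re.search(pat, cfg, re.M)
    hop = ipaddress.ip_address(m.group(1)) if m else None
    # The next hop is only usable if it sits on a directly connected subnet.
    return str(hop) if hop and any(hop in n for n in nets) else None

def pat_problems(cfg):
    """List reasons the PAT rule in a NAT router running-config will not translate."""
    roles, current = {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            current = s.split()[1]
        elif s in ("ip nat inside", "ip nat outside"):
            roles[current] = s.split()[-1]
    rule = re.search(r"^ip nat (inside )?source list \S+ interface (\S+) overload",
                     cfg, re.M)
    if not rule:
        return ["no 'overload' rule found"]
    problems = []
    if not rule.group(1):
        problems.append("rule is missing the 'inside' keyword")
    if roles.get(rule.group(2)) != "outside":
        problems.append(f"{rule.group(2)} is not marked 'ip nat outside'")
    if "inside" not in roles.values():
        problems.append("no interface is marked 'ip nat inside'")
    return problems

# Constructed configs modelled on the lab in this thread (not captured output).
WEB1_BROKEN = "interface FastEthernet0/0\n ip address 192.168.23.3 255.255.255.0\n"
WEB1_FIXED = WEB1_BROKEN + "ip route 0.0.0.0 0.0.0.0 192.168.23.2\n"
NAT_BAD = """interface FastEthernet0/0
 ip address 192.168.123.3 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
 ip nat outside
ip nat source list 1 interface FastEthernet0/1 overload
"""
NAT_GOOD = NAT_BAD.replace("ip nat source", "ip nat inside source")
```
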