This post represents the solution and explanation for quiz-11.
Have a look at the quiz to understand the problem.
A very important topic when configuring Network Address Translation (NAT) is the order of operation. The most asked question is ip nat commands).
- if the packet arrives
on the inside interface , the order is:ROUTING (1st) --> NAT (local to global) - if the packet arrives
on the outside interface , the order is:NAT (global to local) --> ROUTING (2nd)
Most of the times, NAT is used to hide or translate the source of the packet and you leave the destination unchanged, so you don't have to deal with the order of operations as long as routing is configured correctly.
But sometimes, you may want to translate also the destination of the packet, as it was demonstrated (or required) in the scenario described in the quiz. The NAT configuration was correct, but still end-to-end connectivity between 192.168.11.1 and partner 192.168.44.4 was not achieved.
Let's review the quiz:
- your company’s server
192.168.11.1will be seen as172.16.23.1on the partner side - partner server
192.168.44.4will be seen as192.168.1.4inside your company’s network
As shown in the diagram below, packets received on the outside interface from partner 192.168.44.4 are correctly translated and routed (because translation occurs before routing).
But packets received on the inside interface from 192.168.11.1 are not translated because the destination 192.168.1.4 (to be translated to 192.168.44.4) has a routing entry on Fa0/1 (connected subnet):
R2#sh ip route 192.168.1.4 Routing entry for 192.168.1.0/24 Known via "connected", distance 0, metric 0 (connected, via interface) Routing Descriptor Blocks: * directly connected,via FastEthernet0/0 Route metric is 0, traffic share count is 1 [...] R4#ping 172.16.23.1 source lo0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.23.1, timeout is 2 seconds: Packet sent with a source address of 192.168.44.4..... Success rate is 0 percent (0/5)
In order to solve the quiz we need to adjust the routing for the address 192.168.1.4 to be routed onto the outside partner:
R2(config)#ip route 192.168.1.4 255.255.255.255 172.16.23.3 R2(config)#end R2#sh ip route 192.168.1.4 Routing entry for 192.168.1.4/32 Known via "static", distance 1, metric 0 Routing Descriptor Blocks: * 172.16.23.3 Route metric is 0, traffic share count is 1 [...] R4#ping 172.16.23.1 source lo0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.23.1, timeout is 2 seconds: Packet sent with a source address of 192.168.44.4!!!!! Success rate is 100 percent (5/5) , round-trip min/avg/max = 48/79/100 ms
Of course, this situation is triggered by the fact that I used the connected subnets for NAT, but even when using different subnets, you need to know the order of operation to make it work.
Thank you for your comments and interest in the quiz!
Costi is a network and security engineer with over 10 years of experience in multi-vendor environments. He holds a CCIE Routing and Switching certification and is currently pursuing same expert-level certifications in other areas. He believes that the best way to learn and understand networking topics is to challenge yourself to fix different problems, production-wise or lab-type exams. He also enjoys teaching networking and security technologies, whevever there is an opportunity for it.
Comments
comments powered by Disqus