Debugging NAT Overload

It turns out I was asked to get the CCNA certification at work. It’s being quite difficult to find time to prepare it, besides I’m traveling quite often, what makes it even more complicated. I was tinkering with Packet Tracer, reviewing some concepts about NAT and I wond up with an interesting case I did not expect, basically because I did not understand NAT at all, now I’m starting.

A router implementing NAT overload keeps a table with a private IP address (RFC1918) and source port mapped to one external routable IP address and its destination port. Below is the image of the lab I prepared today:

Here is the configuration for R1

interface GigabitEthernet0/0
 ip address 191.1.1.1 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 172.16.1.0 255.255.255.0 GigabitEthernet0/0 
!
access-list 1 permit host 192.168.1.2

The configuration for R2 was exactly the same, but using a different network.

interface GigabitEthernet0/0
 ip address 191.1.1.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0 
!
access-list 1 permit host 172.16.1.2

The first test was a simple ping form R2 towards R1, it did not work, requests timeout. Taking a look to the translation table on both routers show me the error.

R2# show ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
icmp 191.1.1.2:21      172.16.1.2:21      192.168.1.2:21     192.168.1.2:21

On R1 we found:

R1# show ip nat translations
Pro  Inside global     Inside local       Outside local      Outside global
icmp 191.1.1.1:21      192.168.1.2:21     191.1.1.2:21       191.1.1.2:21

The problem, R1 was performing NAT, modifying the source IP address from 192.168.1.2 to 191.1.1.1. When the packet arrived to R2, this looked up 192.168.1.2 (outside global ), trying to know the Inside local and proceed to forward the packet, however there is not a translation for this packet. Verifying the statistics, I see the misses (increasing during the ping)

R2# show ip nat statistics 
Total translations: 4 (0 static, 4 dynamic, 3 extended)
Outside Interfaces: GigabitEthernet0/0
Inside Interfaces: GigabitEthernet0/1
Hits: 1  Misses: 3
Expired translations: 0
Dynamic mappings:

R2# show ip nat statistics 
Total translations: 5 (0 static, 5 dynamic, 4 extended)
Outside Interfaces: GigabitEthernet0/0
Inside Interfaces: GigabitEthernet0/1
Hits: 1  Misses: 5
Expired translations: 0

One of the solutions was to disable NAT on either R1 or R2. However, defining a static map for that miss would do the ping work. The only drawback, this mapping only works for the IP address 192.168.1.2, any other host would fail answering.

R2(config)# ip nat outside source static 191.1.1.1 192.168.1.2 

The conclusion is that the best approach before debugging is to understand how things work.

Comments