1

This is my network:

http://i.imgur.com/ObkYYnM.png

I have done my best to try to solve the problem, but with no success. Whenever packets come from LAN 1 or LAN 3, the local IP addresses are translated into one of the 3 public addresses each router has available, but packets from LAN 2 or 4 are immediately dropped by the router that says "The device cannot allocate an available IP address for translation. It drops the packet."

So, while packets do get routed out of LAN 1 and 3, they never come back. The router can't translate the public IP address set as destination in the packet to the correct private IP of the machine which sent the packet. For example, a ping from LAN 1 to LAN 3 (LAN 2 and 4, as I have previously mentioned, immediately drop the packets) correctly travels back and forth from Router0, but then the same Router0, seeing that the response destination is one of its interface addresses, drops the packet saying that it has never sent a ping and as such was not waiting for any echo reply. I may be missing something and I admit that I still can't completely understand how NAT and PAT actually work (and my teacher is not helpful at all, unfortunately), but I don't know where to start from to make everything work.

I'll now post the 4 routers startup configurations.

Router0

!  
version 12.2  
no service timestamps log datetime msec  
no service timestamps debug datetime msec  
no service password-encryption  
!  
hostname Router   
!    
!    
!    
!    
!    
!    
!    
!    
ip cef  
no ipv6 cef  
!  
!  
!  
!  
!  
!  
!  
!  
!  
!  
!  
!  
!  
!  
!  
!  
!  
!  
interface FastEthernet0/0  
 no ip address  
 duplex auto  
 speed auto  
 shutdown  
!  
interface FastEthernet1/0  
 ip address 192.168.1.1 255.255.255.0  
 ip nat inside  
 duplex auto  
 speed auto  
!  
interface Serial2/0  
 ip address 200.200.0.1 255.255.255.252  
 ip nat outside  
 clock rate 64000  
!  
interface Serial3/0  
 ip address 200.200.3.2 255.255.255.252  
 ip nat outside  
!  
interface FastEthernet4/0  
 ip address 200.200.4.1 255.255.255.252  
 ip nat outside  
!  
interface FastEthernet5/0  
 no ip address  
 shutdown  
!  
router ospf 1  
 log-adjacency-changes  
 network 200.200.0.0 0.0.0.3 area 0  
 network 200.200.4.0 0.0.0.3 area 0  
 network 200.200.3.0 0.0.0.3 area 0  
!  
ip nat inside source list 101 interface FastEthernet4/0 overload  
ip classless  
!  
ip flow-export version 9  
!  
!  
access-list 101 permit ip any any  
!  
!  
!  
!  
!  
line con 0  
!  
line aux 0  
!  
line vty 0 4  
 login  
!  
!  
!  
end  

Router1

!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 200.200.3.1 255.255.255.252
 ip nat outside
 clock rate 64000
!
interface Serial3/0
 ip address 200.200.2.2 255.255.255.252
 ip nat outside
!
interface FastEthernet4/0
 ip address 200.200.5.2 255.255.255.252
 ip nat outside
!
interface FastEthernet5/0
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 200.200.3.0 0.0.0.3 area 0
 network 200.200.5.0 0.0.0.3 area 0
 network 200.200.2.0 0.0.0.3 area 0
!
ip nat inside source list 101 interface FastEthernet4/0 overload
ip classless
!
ip flow-export version 9
!
!
access-list 101 permit ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Router2

!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 200.200.1.1 255.255.255.252
 ip nat outside
 clock rate 64000
!
interface Serial3/0
 ip address 200.200.0.2 255.255.255.252
 ip nat outside
!
interface FastEthernet4/0
 no ip address
 shutdown
!
interface FastEthernet5/0
 ip address 200.200.5.1 255.255.255.252
 ip nat outside
!
router ospf 1
 log-adjacency-changes
 network 200.200.1.0 0.0.0.3 area 0
 network 200.200.5.0 0.0.0.3 area 0
 network 200.200.0.0 0.0.0.3 area 0
!
ip nat inside source list 101 interface FastEthernet4/0 overload
ip classless
!
ip flow-export version 9
!
!
access-list 101 permit ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Router3

!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 200.200.2.1 255.255.255.252
 ip nat outside
 clock rate 64000
!
interface Serial3/0
 ip address 200.200.1.2 255.255.255.252
 ip nat outside
!
interface FastEthernet4/0
 no ip address
 shutdown
!
interface FastEthernet5/0
 ip address 200.200.4.2 255.255.255.252
 ip nat outside
!
router ospf 1
 log-adjacency-changes
 network 200.200.2.0 0.0.0.3 area 0
 network 200.200.4.0 0.0.0.3 area 0
 network 200.200.1.0 0.0.0.3 area 0
!
ip nat inside source list 101 interface FastEthernet4/0 overload
ip classless
!
ip flow-export version 9
!
!
access-list 101 permit ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Thanks in advance.

9
  • When you are pinging from LAN1 to LAN3, what are the source and destinations - what address are you pinging and where from?
    – Paul
    Commented Apr 17, 2016 at 14:06
  • Pinging from PC1 in LAN1 (192.168.1.3) to one of the Router1 interfaces (for example, 200.200.3.1).
    – Davide
    Commented Apr 17, 2016 at 14:08
  • If you ping 200.200.3.1, your egress interface on R0 will be Serial3/0 - but you don't have a NAT defined for this interface, you only have one for Fa0/4. Is that intended?
    – Paul
    Commented Apr 18, 2016 at 3:41
  • That's not intended. You mean that I might be missing two ip nat inside source list for the two serial interfaces?
    – Davide
    Commented Apr 18, 2016 at 13:13
  • Yes, you are. But I am not sure if it will pick the right one, just because you overload to the interface IP. You might need a different access list per nat that is specific about the destination.
    – Paul
    Commented Apr 18, 2016 at 13:21

1 Answer

0

Your NAT commands in Router2 and Router3 are wrong:

ip nat inside source list 101 interface FastEthernet4/0 overload

You have given this command to both routers. But the actual WAN interfaces are FastEthernet5/0. Your NAT command in both routers should be:

ip nat inside source list 101 interface FastEthernet5/0 overload

Secondly,

Although you have configured ip nat outside for all your WAN interfaces (serial), you only have one interface specified in the NATing commands per router.

So in case of a reroute (packets routed through another outside interface), the source address of the packet won't be NATted.

To solve this, you'll require one NAT command per WAN interface. So you first need to create separate ACLs (for the same source LAN), and apply one ACL to each NAT command.

For example:

On Router3

!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial2/0
 ip address 200.200.2.1 255.255.255.252
 ip nat outside
!
interface Serial3/0
 ip address 200.200.1.2 255.255.255.252
 ip nat outside
!
!
interface FastEthernet5/0
 ip address 200.200.4.2 255.255.255.252
 ip nat outside
!    
ip nat inside source list 101 interface FastEthernet5/0 overload
ip nat inside source list 102 interface Serial2/0 overload
ip nat inside source list 103 interface Serial3/0 overload
!
access-list 101 permit ip any any
access-list 102 permit ip any any
access-list 103 permit ip any any
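
As an added example (not part of the answer above and not the poster's code), here is a small static check over an IOS-style config that flags the two problems the answer describes: a PAT rule pointing at an interface that is shut down, unaddressed or not marked `ip nat outside`, and outside interfaces with no PAT rule at all. The sample input is constructed from Router2's configuration in the question; the function names are hypothetical.

```python
import re

# Constructed sample: the NAT-relevant lines of Router2 as posted in the question.
ROUTER2 = """\
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Serial2/0
 ip address 200.200.1.1 255.255.255.252
 ip nat outside
interface Serial3/0
 ip address 200.200.0.2 255.255.255.252
 ip nat outside
interface FastEthernet4/0
 no ip address
 shutdown
interface FastEthernet5/0
 ip address 200.200.5.1 255.255.255.252
 ip nat outside
ip nat inside source list 101 interface FastEthernet4/0 overload
"""

def parse_interfaces(config):
    # Map each interface name to the set of sub-commands indented under it.
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None  # any other top-level line ends the interface block
    return interfaces

def audit_nat(config):
    # Compare the interfaces named in PAT rules with the actual interface state.
    ifs = parse_interfaces(config)
    rule = r"^ip nat inside source list \S+ interface (\S+) overload"
    targets = re.findall(rule, config, re.M)
    findings = []
    for name in targets:
        cmds = ifs.get(name, set())
        if {"shutdown", "no ip address"} & cmds or "ip nat outside" not in cmds:
            findings.append(f"{name}: PAT target is down, unaddressed or not outside")
    for name, cmds in ifs.items():
        if "ip nat outside" in cmds and name not in targets:
            findings.append(f"{name}: outside interface has no PAT rule")
    return findings
```

Calling `audit_nat(ROUTER2)` reports the rule bound to FastEthernet4/0 and the three outside interfaces left without a rule; a config with one overload rule per outside interface, as in the answer's Router3 example, produces no findings.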
