This trouble ticket focuses on the previously discussed IP service of NAT. You are presented
with a trouble ticket detailing an issue that needs resolution. You are given sample
show and debug command output and are then challenged to identify a resolution for the
issue described.
Trouble Ticket #8
You receive the following trouble ticket:
Company A is dual-homed out to the Internet (that is, routers BB1 and BB2, where
each router represents a different ISP). Inside IP addresses in the 192.168.0.0/24 subnet
should be translated into the IP address of interface Serial 1/0.1 on router R2,
whereas inside IP addresses in the 192.168.1.0/24 subnet should be translated into the
IP address of interface Serial 1/0.2 on router R2. Router R2’s NAT translation table
shows two active translations. The configuration, therefore, seems to be partially
working. However, no additional NAT translations can be set up.
This trouble ticket references the topology shown in Figure 10-6.
Because router R2 is the one configured to perform NAT, the following show and debug
command output collects information about the NAT configuration of router R2. Initially,
notice the output of the show ip nat translations command issued on router R2, as shown
in Example 10-12.
Example 10-12 show ip nat translations Command Output on Router R2
R2#show ip nat translations
Pro  Inside global       Inside local        Outside local     Outside global
icmp 172.16.1.2:7        192.168.0.11:7      10.4.4.4:7        10.4.4.4:7
icmp 172.16.2.1:512      192.168.1.50:512    10.1.3.2:512      10.1.3.2:512
The debug ip nat command is issued next. The output provided in Example 10-13 shows
NAT translations as they occur.
Example 10-13 debug ip nat Command Output on Router R2
R2#debug ip nat
IP NAT debugging is on
*Mar 1 00:34:16.651: NAT*: s=10.4.4.4, d=172.16.1.2->192.168.0.11 [4092]
*Mar 1 00:34:16.711: NAT*: s=192.168.0.11->172.16.1.2, d=10.4.4.4 [4093]
*Mar 1 00:34:16.843: NAT*: s=10.4.4.4, d=172.16.1.2->192.168.0.11 [4093]
318 CCNP TSHOOT 642-832 Official Certification Guide
Figure 10-6 Trouble Ticket #8 Topology (network diagram showing R1, R2, BB1, BB2, FRSW, SW1, and SW2)
*Mar 1 00:34:16.939: NAT*: s=192.168.0.11->172.16.1.2, d=10.4.4.4 [4094]
*Mar 1 00:34:16.963: NAT*: s=192.168.1.50->172.16.2.1, d=10.1.3.2 [13977]
*Mar 1 00:34:17.115: NAT*: s=10.4.4.4, d=172.16.1.2->192.168.0.11 [4094]
*Mar 1 00:34:17.163: NAT*: s=192.168.0.11->172.16.1.2, d=10.4.4.4 [4095]
*Mar 1 00:34:17.187: NAT*: s=10.1.3.2, d=172.16.2.1->192.168.1.50 [13977]
*Mar 1 00:34:17.315: NAT*: s=10.4.4.4, d=172.16.1.2->192.168.0.11 [4095]
The trouble ticket indicated that no more than two active translations can be supported at
any time. To verify that symptom, Example 10-14 shows an attempt to send a ping from
router R1. Notice that the ping response indicates that 10.4.4.4 is unreachable.
Example 10-14 Attempting to Ping 10.4.4.4 from Router R1
R1#ping 10.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Chapter 10: IP Services Troubleshooting 319
To determine whether the inability to ping 10.4.4.4 is a result of NAT or some other issue,
the NAT translation table on router R2 is cleared with the clear ip nat translation * command.
Then, with the NAT translation table of router R2 cleared, Example 10-15 shows
the result of another ping from router R1 to 10.4.4.4. This time, the ping is successful.
Example 10-15 Reattempting to Ping 10.4.4.4 from Router R1
R1#ping 10.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/137/240 ms
Example 10-16 shows the NAT translation table of router R2 after R1 performs a ping to
10.4.4.4.
Example 10-16 NAT Translation Table of Router R2
R2#show ip nat translations
Pro  Inside global       Inside local        Outside local     Outside global
icmp 172.16.1.2:10       192.168.0.11:10     10.4.4.4:10       10.4.4.4:10
The output from the previous commands confirms that router R2 is capable of supporting
only two simultaneous NAT translations. This symptom often indicates that a router’s
NAT pool (or pools in this case) is depleted, perhaps because the NAT configuration did
not use the overload option in the ip nat inside source command. Recall that the
overload option enables PAT, which allows multiple inside local IP addresses to share a
common inside global IP address.
Example 10-17 shows the running configuration of router R2. Interestingly, both the ip
nat inside source commands have the overload option, thus eliminating that as a potential
cause for the reported issue.
Example 10-17 Running Configuration of Router R2
R2# show run
...OUTPUT OMITTED...
hostname R2
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.0.22 255.255.255.0
 ip nat inside
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
 ip address 172.16.1.2 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 181
!
interface Serial1/0.2 point-to-point
 ip address 172.16.2.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci 182
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat translation max-entries 2
ip nat inside source list 1 interface Serial1/0.2 overload
ip nat inside source list 2 interface Serial1/0.1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
!
...OUTPUT OMITTED...
Based on the output of the previous show and debug commands, on a separate sheet of
paper, write out what you believe to be the underlying issue and how you would resolve it.
Suggested Solution
In the running configuration of router R2, you might have noticed the ip nat translation
max-entries 2 command. This command limits the maximum number of NAT translations
on router R2 to only two.
To resolve this issue, this configuration command is removed, as shown in Example 10-18.
Example 10-18 Removing the ip nat translation max-entries 2 Command of Router R2
R2#conf term
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no ip nat translation max-entries 2
R2(config)#end
To demonstrate that the removal of the ip nat translation max-entries 2 command did indeed
resolve the reported issue, three NAT translations were established across router R2,
as confirmed in Example 10-19.
Example 10-19 Confirming That Router R2 Supports Multiple NAT Translations
R2#show ip nat translations
Pro  Inside global       Inside local        Outside local     Outside global
icmp 172.16.1.2:12       192.168.0.11:12     10.4.4.4:12       10.4.4.4:12
icmp 172.16.2.1:13       192.168.1.11:13     10.3.3.3:13       10.3.3.3:13
icmp 172.16.2.1:512      192.168.1.50:512    10.1.3.2:512      10.1.3.2:512
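An added example (not from the original text): the Python function below applies the two checks this ticket walks through, a missing overload keyword and a translation table that has reached ip nat translation max-entries, to text pasted from show run and show ip nat translations. The name audit_nat and the finding strings are assumptions made for the example; the sample input is constructed from Examples 10-12 and 10-17.

```python
import re

# Constructed sample input, taken from Examples 10-12 and 10-17 on this page.
RUNNING_CONFIG = """\
ip nat translation max-entries 2
ip nat inside source list 1 interface Serial1/0.2 overload
ip nat inside source list 2 interface Serial1/0.1 overload
"""
TRANSLATIONS = """\
Pro  Inside global       Inside local        Outside local     Outside global
icmp 172.16.1.2:7        192.168.0.11:7      10.4.4.4:7        10.4.4.4:7
icmp 172.16.2.1:512      192.168.1.50:512    10.1.3.2:512      10.1.3.2:512
"""

# Only the global numeric form of max-entries (the one shown on the page) is parsed.
MAX_ENTRIES = re.compile(r"^[ \t]*ip nat translation max-entries (\d+)[ \t]*$", re.M)
SOURCE_RULE = re.compile(r"^[ \t]*ip nat inside source list (\S+) (.+)$", re.M)
# A table row starts with a protocol name, or --- for a static entry.
ENTRY = re.compile(r"^[ \t]*(icmp|tcp|udp|---)[ \t]+\S+", re.M)


def audit_nat(config, translations):
    """Hypothetical helper: report why new translations would be refused."""
    findings = []
    active = len(ENTRY.findall(translations))
    match = MAX_ENTRIES.search(config)
    limit = int(match.group(1)) if match else None
    # Check 1: the table has reached the configured ceiling.
    if limit is not None and active >= limit:
        findings.append(f"table full: {active} active, max-entries {limit}")
    # Check 2: a source rule without overload cannot share its address (no PAT).
    for acl, rest in SOURCE_RULE.findall(config):
        if "overload" not in rest.split():
            findings.append(f"list {acl}: no overload (PAT disabled)")
    return {"active": active, "limit": limit, "findings": findings}


if __name__ == "__main__":
    print(audit_nat(RUNNING_CONFIG, TRANSLATIONS))
```

The max-entries command exists to cap NAT table growth, so on a production router a limit sized to normal load is an alternative to having no limit at all; the check above flags only a table that has reached the configured value.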