johnessbbk
Joined: 10 Jul 2005 Posts: 1
Posted: Fri Jul 15, 2005 4:45 pm Post subject: ip nat overload expert-pls have a look
Dear all,
I would appreciate it if a Cisco expert could identify and give a clue on my NAT problem. Two sites are connected via a satellite link. Site A has networks 10.254.0.0/16 and 192.168.150.0/24 (inside NAT) with 1 public IP for Internet access, using IP NAT overload on interface f0/0 with source list 10. Site B has network 211.25.132.0/255.255.255.192 and s0 172.168.150.1/24, connected to Site C, which has the network 192.168.55.0/24 and S0/1 172.168.150.2/24.
Site B and C need to communicate with Site A and connect to the IP NAT outside network. Please see the router configs for the respective sites below.
SITE A-NAT ROUTER
interface FastEthernet0/0
description Connectivity to Customer Network
ip address 211.25.132.102 255.255.255.192
ip nat outside
ip policy route-map pbr00
load-interval 30
speed 100
full-duplex
!
interface FastEthernet0/1
description Connectivity to TCP Acceleration hme0
ip address 192.168.141.3 255.255.255.0
ip nat inside
ip policy route-map pbr01
load-interval 30
speed 100
full-duplex
!
interface FastEthernet1/0
description Connectivity to TCP Acceleration hme1
ip address 192.168.142.3 255.255.255.0
ip nat inside
ip policy route-map pbr10
load-interval 30
speed 100
full-duplex
!
interface FastEthernet1/1
description Connectivity to HUB LAN
ip address 192.168.150.51 255.255.255.0
ip nat inside
ip policy route-map pbr11
speed 100
full-duplex
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 211.25.132.129
ip route 10.251.6.0 255.255.255.0 211.25.132.160
ip route 10.254.0.0 255.255.0.0 192.168.150.8
ip route 172.21.10.0 255.255.255.0 192.168.139.1
ip route 172.168.0.0 255.255.255.0 192.168.150.8
ip route 172.168.150.0 255.255.255.0 211.25.132.160
ip route 192.168.0.0 255.255.0.0 192.168.150.8
ip route 192.168.1.0 255.255.255.0 192.168.139.1
ip route 192.168.1.0 255.255.255.0 192.168.150.8
ip route 192.168.2.0 255.255.255.0 192.168.150.8
ip route 192.168.3.0 255.255.255.0 192.168.150.8
ip route 192.168.17.0 255.255.255.0 192.168.150.8
ip route 192.168.22.0 255.255.255.0 192.168.150.8
ip route 192.168.138.0 255.255.255.0 211.25.132.155
ip route 192.168.139.0 255.255.255.252 211.25.132.155
no ip http server
!
access-list 10 deny 192.168.150.43
access-list 10 deny 192.168.150.8
access-list 10 deny 192.168.150.7
access-list 10 deny 192.168.150.1
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit 10.254.0.0 0.0.255.255
access-list 101 permit tcp any any
access-list 103 permit tcp any 192.168.150.0 0.0.0.255
access-list 104 permit tcp 192.168.150.0 0.0.0.255 any
access-list 105 permit tcp 192.168.150.0 0.0.0.255 192.168.0.0 0.0.0.255
route-map pbr00 permit 10
match ip address 103
set interface FastEthernet1/1
!
route-map pbr00 permit 20
match ip address 101
set ip next-hop 192.168.141.1
!
route-map pbr11 permit 10
match ip address 105
set interface FastEthernet1/1
!
route-map pbr11 permit 20
match ip address 104
set interface FastEthernet0/0
!
route-map pbr11 permit 30
match ip address 101
set ip next-hop 192.168.142.1
!
route-map pbr01 permit 10
match ip address 101
set interface FastEthernet0/0
!
route-map pbr01 permit 20
set default interface Null0
!
route-map pbr10 permit 10
match ip address 101
set interface FastEthernet1/1
!
route-map pbr10 permit 20
set default interface Null0
SITE B:
Router config
Cyber-kkip-cisco1700
Current configuration : 720 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cyber
!
!
memory-size iomem 25
ip subnet-zero
!
interface Serial0
ip address 172.168.150.1 255.255.255.0
no fair-queue
!
interface FastEthernet0
ip address 211.25.132.160 255.255.255.192
speed auto
half-duplex
!
ip classless
ip route 192.168.55.0 255.255.255.0 172.168.150.2
ip route 10.254.0.0 255.255.0.0 211.25.132.102
ip route 192.168.150.0 255.255.255.0 211.25.132.102
no ip http server
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
no scheduler allocate
end
SITE C
Router config
KKIP-CYBER-CISCO2600
Current configuration : 899 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname kkipc
!
!
voice-card 0
dspfarm
!
ip subnet-zero
!
!
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
controller E1 0/0
shutdown
!
!
!
!
interface FastEthernet0/0
ip address 192.168.55.1 255.255.255.0
speed auto
half-duplex
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
ip address 172.168.150.2 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.168.150.1
no ip http server
!
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Nature of problem:
From the inside NAT network I have no problem pinging the outside NAT network at Site B. When I go to the Site B router and console in locally, from the router itself I can get through to all of the inside NAT network; pings get replies. But when I connect a crossover cable to one PC, I have difficulty pinging the inside NAT network. I can only ping up to the IP NAT outside interface f0/0 IP address, 211.25.132.102; beyond that I get timeouts. It really gives me a headache. I did a traceroute from that PC to any IP inside the NAT network at Site A. It was stuck at the F0/0 IP NAT outside interface, 211.25.132.102. But from the router, the ping was successful to any host inside the NAT network.
Please advise me.
Thanks
Johness
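
Added example, not part of the original post: a Python evaluation of access-list 10 exactly as posted for Site A, using standard-ACL first-match and wildcard-mask semantics, to show which source addresses the "ip nat inside source list 10 ... overload" rule selects for translation. The function names and the sample source addresses are constructed for illustration.

```python
import ipaddress

# access-list 10 exactly as posted in the Site A config
ACL_10 = """\
access-list 10 deny 192.168.150.43
access-list 10 deny 192.168.150.8
access-list 10 deny 192.168.150.7
access-list 10 deny 192.168.150.1
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit 10.254.0.0 0.0.255.255
"""

def parse_standard_acl(text):
    """Return [(action, base, wildcard)] as integers, in configured order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "access-list":
            continue
        action, base = fields[2], int(ipaddress.IPv4Address(fields[3]))
        # A standard ACL entry without a wildcard matches a single host.
        wildcard = int(ipaddress.IPv4Address(fields[4])) if len(fields) > 4 else 0
        entries.append((action, base, wildcard))
    return entries

def acl_action(entries, source):
    """First matching entry wins; no match falls through to the implicit deny."""
    addr = int(ipaddress.IPv4Address(source))
    for action, base, wildcard in entries:
        # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
        if ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0:
            return action
    return "deny"

def nat_eligible(source):
    """True if list 10 permits this source address.

    Translation itself only happens when such a packet is routed from an
    'ip nat inside' interface to the 'ip nat outside' interface.
    """
    return acl_action(parse_standard_acl(ACL_10), source) == "permit"

if __name__ == "__main__":
    # Constructed sample sources, picked from the address ranges in the post.
    for src in ["192.168.150.43", "192.168.150.20", "10.254.1.1",
                "192.168.55.10", "172.168.150.2", "211.25.132.160"]:
        print(f"{src:16} permitted by list 10: {nat_eligible(src)}")
```
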