NAT doesn't work. Packets go directly to the interface

MaximBudyonny
Level 1

Hi!

Very simple configuration, but it doesn't work.

I've configured router 2811 to NAT packets from different hosts that arrive from interface fa 0/0.200 (subinterface for VLAN200) via static NAT.

Packets arrive from fa 0/0.200 but NAT doesn't create entries for some of them.

These packets go directly by routing. I can see these packets in the OUT access-list bound to the outbound interface.

I think that the root of the issue is a misconfiguration, but I couldn't find it.

Here is part of my config

---------------Static NAT---------------

ip nat inside source static tcp 10.0.32.93 3000 10.251.1.29 3000 extendable

ip nat inside source static tcp 10.0.32.94 3000 10.251.1.30 3000 extendable

ip nat inside source static tcp 10.0.32.125 3000 10.251.1.31 3000 extendable

------------------INBOUND INTERFACE-----------------

interface FastEthernet0/0.200

description TO-LOT-OF-INTERNAL-HOSTS-THAT-MUST-BE-NATED

encapsulation dot1Q 200

ip address 172.22.0.101 255.255.255.252

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1200

ip ospf message-digest-key 200 md5 7 XXX

ip ospf network non-broadcast

no snmp trap link-status

no cdp enable

end

---------------OUTBOUND INTERFACE---------------

interface Vlan3

description OUTSIDE-NATED-PACKETS-MUST-ENCRYPT-AND-GO-TO-REMOTE DESTINATION

ip address X.X.X.Z 255.255.255.252

ip nat outside

ip virtual-reassembly

crypto map TO-REMOTE

end

---------------ROUTING---------------

ip route 10.1.15.0 255.255.255.0 IPADDR 240 tag 333 name REMOTE-DEST

2 Replies

stephen.stack
Level 4

Hi,

Is it possible for you to show the rest of your config? If the config you have given is your complete NAT config, then you are missing a fundamental component.

The commands 'ip nat inside source static tcp ...' only allow static NATs for external hosts getting access to servers 'inside' the NAT boundary.

You will need to specify the subnet range or ranges that need to be natted.

Try:

ip nat inside source list 1 interface vlan 3 overload

!

access-list 1 permit 172.16.0.0 0.0.0.255

If this does not work, again provide a complete config, expected subnet to be natted and destination/outbound port.

Thanks

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

dbellaze
Level 4

This type of configuration is typically for an outside to inside communication. For example a server internally on your network that you would like accessible by an outside network.

You'll only see your NAT work in the following two scenarios.

1) A packet arrives on the interface marked nat outside with an IP packet destined to 10.251.1.29 on TCP port 3000. The router will translate the destination IP header to 10.0.32.93 and destination TCP port 3000.

2) A packet arrives on the interface marked nat inside with an IP packet sourced by 10.0.32.93 and source TCP port 3000. The router will translate the source IP to 10.251.1.29 and source TCP port to 3000.

This same behavior applies to your other two statements as well.

What are you trying to accomplish?

Daniel
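
The matching rule Daniel describes can be checked with a small Python model. This is an added example, not part of the thread and not IOS's own logic; it covers only the three static TCP entries from the question, and the 10.1.15.10 peer and the high port numbers are constructed sample values.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Static entries from the question: (inside local IP, port) -> (inside global IP, port)
STATIC_TCP = {
    ("10.0.32.93", 3000): ("10.251.1.29", 3000),
    ("10.0.32.94", 3000): ("10.251.1.30", 3000),
    ("10.0.32.125", 3000): ("10.251.1.31", 3000),
}
REVERSE = {glob: local for local, glob in STATIC_TCP.items()}

def translate(pkt: Packet, arrival: str):
    """Model a packet arriving on an 'inside' or 'outside' NAT interface.

    Returns (packet, translated). Simplified: static TCP port entries only.
    """
    if pkt.proto == "tcp" and arrival == "inside":
        hit = STATIC_TCP.get((pkt.src_ip, pkt.src_port))
        if hit:
            return pkt._replace(src_ip=hit[0], src_port=hit[1]), True
    elif pkt.proto == "tcp" and arrival == "outside":
        hit = REVERSE.get((pkt.dst_ip, pkt.dst_port))
        if hit:
            return pkt._replace(dst_ip=hit[0], dst_port=hit[1]), True
    # No entry matched: the packet is routed with its addresses unchanged.
    return pkt, False

# Constructed sample traffic; 10.1.15.10 and the high ports are made-up values.
SAMPLES = [
    ("inside", Packet("tcp", "10.0.32.93", 3000, "10.1.15.10", 51000)),    # server reply
    ("inside", Packet("tcp", "10.0.32.93", 49152, "10.1.15.10", 3000)),    # host as client
    ("inside", Packet("udp", "10.0.32.93", 3000, "10.1.15.10", 3000)),     # wrong protocol
    ("outside", Packet("tcp", "10.1.15.10", 51000, "10.251.1.29", 3000)),  # inbound to server
]

if __name__ == "__main__":
    for arrival, pkt in SAMPLES:
        out, hit = translate(pkt, arrival)
        print(f"{arrival:7} {'NAT ' if hit else 'none'} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}  =>  {out.src_ip}:{out.src_port} -> "
              f"{out.dst_ip}:{out.dst_port}")
```

Packets like the second and third samples match no static entry, so in this model they leave by routing with their original source address.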
