NAT doesn't work. Packets go directly to the interface

Unanswered Question
Apr 13th, 2007

Hi!

Very simple configuration, but it doesn't work.

I've configured router 2811 to NAT packets from different hosts that arrive from interface fa 0/0.200 (subinterface for VLAN200) via static NAT


Packets arrive from fa 0/0.200 but NAT doesn't create entries for some of them.

These packets go directly by routing. I can see these packets in the OUT access-list bound to the outbound interface.


I think that the root of the issue is a misconfiguration, but I couldn't find it.


Here is part of my config

---------------Static NAT---------------

ip nat inside source static tcp 10.0.32.93 3000 10.251.1.29 3000 extendable
ip nat inside source static tcp 10.0.32.94 3000 10.251.1.30 3000 extendable
ip nat inside source static tcp 10.0.32.125 3000 10.251.1.31 3000 extendable

------------------INBOUND INTERFACE-----------------

interface FastEthernet0/0.200
 description TO-LOT-OF-INTERNAL-HOSTS-THAT-MUST-BE-NATED
 encapsulation dot1Q 200
 ip address 172.22.0.101 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 ip ospf message-digest-key 200 md5 7 XXX
 ip ospf network non-broadcast
 no snmp trap link-status
 no cdp enable
end

---------------OUTBOUND INTERFACE---------------

interface Vlan3
 description OUTSIDE-NATED-PACKETS-MUST-ENCRYPT-AND-GO-TO-REMOTE DESTINATION
 ip address X.X.X.Z 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map TO-REMOTE
end

---------------ROUTING---------------

ip route 10.1.15.0 255.255.255.0 IPADDR 240 tag 333 name REMOTE-DEST

stephen.stack Sat, 04/14/2007 - 10:21

Hi,

Is it possible for you to show the rest of your config? If the config you have given is your complete NAT config, then you are missing a fundamental component.


The commands 'ip nat inside source static tcp ...' only allow static NATs for external hosts getting access to servers 'inside' the NAT boundary.


You will need to specify the subnet range or ranges that need to be natted.


Try:

ip nat inside source list 1 interface vlan 3 overload
!
access-list 1 permit 172.16.0.0 0.0.0.255


If this does not work, again provide a complete config, expected subnet to be natted and destination/outbound port.


Thanks


Stephen

dbellaze Sat, 04/14/2007 - 19:26

This type of configuration is typically for outside-to-inside communication. For example, a server internally on your network that you would like accessible by an outside network.


You'll only see your NAT work in the following two scenarios.


1) A packet arrives on the interface marked nat outside with an IP packet destined to 10.251.1.29 on TCP port 3000. The router will translate the destination IP header to 10.0.32.93 and destination TCP port 3000.


2) A packet arrives on the interface marked nat inside with an IP packet sourced by 10.0.32.93 and source TCP port 3000. The router will translate the source IP to 10.251.1.29 and source TCP port to 3000.


This same behavior applies to your other two statements as well.


What are you trying to accomplish?


Daniel
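
The matching behaviour described in the reply above, as an added example that is not part of the original thread and not Cisco code: a simplified Python model of the three static port entries from the question, showing which packets arriving on the inside interface get translated and which are routed with their original source address. The sample packets and the destination host 10.1.15.10 are constructed for illustration.

```python
# Added illustration: simplified model of static port NAT matching.
# Real IOS NAT keeps more state than this; only the match rule is modelled.
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# (proto, inside local IP, local port, inside global IP, global port),
# copied from the "ip nat inside source static" lines in the question.
STATIC_NAT = [
    ("tcp", "10.0.32.93", 3000, "10.251.1.29", 3000),
    ("tcp", "10.0.32.94", 3000, "10.251.1.30", 3000),
    ("tcp", "10.0.32.125", 3000, "10.251.1.31", 3000),
]

def translate(pkt, arrived_on):
    """Return (packet, translated?) for a packet arriving on 'inside' or 'outside'."""
    for proto, l_ip, l_port, g_ip, g_port in STATIC_NAT:
        if pkt.proto != proto:
            continue
        # Inside -> outside: source must equal the inside local IP AND port.
        if arrived_on == "inside" and (pkt.src, pkt.sport) == (l_ip, l_port):
            return pkt._replace(src=g_ip, sport=g_port), True
        # Outside -> inside: destination must equal the inside global IP AND port.
        if arrived_on == "outside" and (pkt.dst, pkt.dport) == (g_ip, g_port):
            return pkt._replace(dst=l_ip, dport=l_port), True
    # No entry matched: the packet is routed with its original addresses.
    return pkt, False

def audit(packets):
    """List inside-arriving packets that would leave untranslated."""
    return [p for p in packets if not translate(p, "inside")[1]]

# Constructed sample traffic toward a made-up host in the routed 10.1.15.0/24.
SAMPLE = [
    Packet("tcp", "10.0.32.93", 3000, "10.1.15.10", 40000),  # sourced from port 3000: matches
    Packet("tcp", "10.0.32.93", 51515, "10.1.15.10", 3000),  # ephemeral source port: no match
    Packet("tcp", "10.0.32.50", 3000, "10.1.15.10", 40000),  # host with no static entry
    Packet("udp", "10.0.32.94", 3000, "10.1.15.10", 3000),   # wrong protocol
]

if __name__ == "__main__":
    for p in audit(SAMPLE):
        print("untranslated:", p)
```

Only the first sample packet is translated; the other three leave with their internal source addresses, which is the kind of traffic the original poster reports seeing in the outbound access-list.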


