question about NAT.

Jul 16th, 2007

I tried to have a NAT enabled on my LAN. IP address of my PC is Outside interface is 66.x.x.18/30, which is connected to my Internet router with IP address ending with .17/30. The configuration is like the following. However, I cannot go out to the rest of the world. I checked on the NAT router, and the NAT seems OK.

LAN_2801#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- ---

I was wondering whether the Internet router might not know the route to 66.x.x.0, which is why I even added the secondary IP address 66.x.x.1/24 to the NAT router's outside interface. However, still no luck.

Does anyone have an idea about that? Many thanks.

interface FastEthernet0/0
 ip address 66.x.x.1 secondary
 ip address 66.x.x.18
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no snmp trap link-status
 crypto map rtptrans
 service-policy output Shaper

interface FastEthernet0/1
 ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

interface FastEthernet0/1.1
 encapsulation dot1Q 2
 ip address
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status

ip local pool DIAL-IN
ip route
ip route 208.x.x.0

ip nat pool sss 66.x.x.3 prefix-length 24
ip nat inside source route-map SSS pool sss reversible
ip nat inside source route-map nonat interface FastEthernet0/0 overload

access-list 125 deny ip
access-list 125 permit ip any
access-list 135 permit ip host host
access-list 145 permit ip host any

route-map SSS permit 5
 match ip address 145

route-map nonat permit 10
 match ip address 125

Edison Ortiz Mon, 07/16/2007 - 05:13

Looks good. Did you configure DNS on the workstations trying to access the Internet?

Try pinging an Internet location by using an IP address instead of the name and see if it works.

I also noticed you have a crypto (IPSec) map on the outgoing interface, but I didn't see any IPSec configuration in the router. Was that left behind by mistake?

philipsyao Mon, 07/16/2007 - 05:52

Yes, I did have the DNS configured and tried using an IP address instead of a name, but it's not working.

The IPSec is for something else; it just works fine, and did long before I tried this NAT. I didn't post the crypto configuration since it's totally unrelated.

As you can see, we also have another NAT with a subnet, but it uses overloading mode, and that works. What I want is the 1-to-1 static mapping with a subnet.

What's the standard configuration for the 1-to-1 mapping? I used the route-map and NAT pool method, but I'm not sure if it's the right way. I thought there should be an easier way to do it.

Edison Ortiz Mon, 07/16/2007 - 14:48

With the 'overload' option, you turn on PAT, which means many workstations can share the same IP address since it's using port-address translation.

On a 1-to-1 like you stated, it's static NAT, the first workstation will grab that IP and that's the only one able to browse the internet.

Currently, is the only device able to browse the net.
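
Added illustration, not part of the thread and not Cisco code: a small Python model of the behaviour described in the reply above, where a one-address pool without overload serves only the first inside host, while overload (PAT) lets several hosts share that address by port. The class name, the addresses (10.0.0.x inside, 192.0.2.3 outside) and the port-selection rule are assumptions made for the example.

```python
# Toy model of an inside-source NAT table. Added illustration, not Cisco IOS code.
# Addresses are constructed (RFC 1918 inside, RFC 5737 documentation range outside).

class NatTable:
    def __init__(self, pool, overload):
        self.pool = list(pool)      # inside global addresses
        self.overload = overload    # True models the 'overload' keyword (PAT)
        self.bound = {}             # inside local IP -> inside global IP (no overload)
        self.out = {}               # (proto, local_ip, local_port) -> (global_ip, global_port)
        self.back = {}              # (proto, global_ip, global_port) -> (local_ip, local_port)

    def translate(self, proto, local_ip, local_port):
        """Outbound: return (global_ip, global_port), or None if no address is free."""
        key = (proto, local_ip, local_port)
        if key in self.out:
            return self.out[key]
        if self.overload:
            # PAT: every host shares pool[0]; a clashing source port is rewritten.
            g_ip, g_port = self.pool[0], local_port
            while (proto, g_ip, g_port) in self.back:
                g_port += 1         # simplification: real devices pick from port ranges
        else:
            # No overload: one global address is bound to one inside host.
            g_ip = self.bound.get(local_ip)
            if g_ip is None:
                free = [a for a in self.pool if a not in self.bound.values()]
                if not free:
                    return None     # pool exhausted, this host is not translated
                g_ip = self.bound[local_ip] = free[0]
            g_port = local_port     # port is left unchanged
        self.out[key] = (g_ip, g_port)
        self.back[(proto, g_ip, g_port)] = (local_ip, local_port)
        return (g_ip, g_port)

    def untranslate(self, proto, global_ip, global_port):
        """Inbound reply: map the global address/port back to the inside host."""
        return self.back.get((proto, global_ip, global_port))


def demo():
    # Two constructed inside hosts opening a TCP flow from the same source port.
    flows = [("tcp", "10.0.0.10", 50000), ("tcp", "10.0.0.11", 50000)]
    single = NatTable(["192.0.2.3"], overload=False)
    pat = NatTable(["192.0.2.3"], overload=True)
    return [single.translate(*f) for f in flows], [pat.translate(*f) for f in flows]


if __name__ == "__main__":
    no_overload, with_overload = demo()
    print("pool without overload:", no_overload)
    print("pool with overload:   ", with_overload)
```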

philipsyao Tue, 07/17/2007 - 04:51

Even though it's shown that my PC got NATed, I cannot browse the Internet, I cannot visit any website, no ping, no traceroute. It stopped right at the NAT router. I can ping the outside interface address, but no further than that.

What could be the reason? That must be a routing problem.

Edison Ortiz Tue, 07/17/2007 - 18:40

... and you are allowed to use by your ISP?

Can you try this way?

ip nat inside source static local-ip global-ip

philipsyao Thu, 07/19/2007 - 06:05

Actually, I'm the ISP itself.

I tried that command at the very first step because it's the most straightforward way you can come up with, but it didn't work.

Is there any conflict if I use both overloading and static NAT on the same interface?

