NAT problem - no NATing reverse traffic

Unanswered Question
Oct 9th, 2007


I have a problem with NAT configuration. It is somewhat similar to a 'NAT-on-a-stick' situation, with NATing on a loopback interface.

I have a simple network with 2 hosts connected to 2 FastEthernet ports of a router, and one loopback interface on that router. NAT has to be done inside the router, before exiting to the 'public' network.

I send a ping from the 'private' to the 'public' host; the traffic goes into the router, is forwarded to the loopback by policy routing, then NATed, and routed to the 'public' network. Just fine.

The problem is that the reply from the 'public' host (and any other traffic as well) comes into the router but is never NATed back to the private address, so my 'private' host never gets an answer.

I attached an image, the config of the router, and the outputs of some show and debug commands.

Thank you in advance.

Jon Marshall Tue, 10/09/2007 - 02:06
Can I ask why you are policy routing through the loopback interface?

If you modify the config as follows

1) Move the "ip nat outside" statement from the loopback interface to the fa0/1 interface.

2) Remove the "ip policy route-map .. " config from fa0/0

then it should work.

If I have misinterpreted your requirements please let me know.



ekrdzevic Tue, 10/09/2007 - 05:13

Yes, it should work in the simple case, but I have a situation where my traffic must be NATed before going out the fa0/1 interface, and 'ip nat outside' is not an option for other reasons (the real network is not this simple; there are other issues why 'ip nat outside' cannot be on fa0/1).

Phillip Hichens Wed, 10/10/2007 - 04:07


Very interesting, something I haven't come across before. It's a pity you don't divulge more on the real network.

I would like to lab this but can't at the moment. Looking at the debugs, the next thing I'd attempt would be policy routing in the reverse direction.

Something like:

    access-list 2 deny
    access-list 2 permit any
    !
    route-map Nat-fast permit 10
     match ip address 2
     set interface FastEthernet0/0
    !
    interface Loopback1
     ip policy route-map Nat-fast



ekrdzevic Wed, 10/10/2007 - 05:25

I have just seen your post. Thank you for the suggestion. I thought of this one too, but haven't tried it yet.

I hope you will see my other post. I attached the configuration I tried on a 2600 router, and this one worked fine, but the problem is still not solved, because it doesn't work on the 6500, where it should be.

By the way, I will try this reverse policy routing and let you know the results.

In the meantime, I hope you will have some comment about this working config, why it doesn't work on the 6500, and whether there is a way to make it work.



ekrdzevic Wed, 10/10/2007 - 05:16

I have tried a slightly different config on a test platform with a 2600 router, and this one worked perfectly.

But when I put the configuration on the 6500, where it should be, nothing worked again.

I know a 2600 isn't exactly a nice test platform for something that should work on a 6500, but it was all I've got :(

Does anyone know why?

Could this be caused by CEF, or something similar, or could this be some strange issue with the 6500 IOS...

Any suggestion would be appreciated.



luqmankondeth Wed, 10/10/2007 - 07:01

If you don't mind, what is it that is stopping you from applying "ip nat outside" on the fa0/1 interface? If you give reasons, we can suggest alternatives.

ekrdzevic Wed, 10/10/2007 - 21:44

As I said, the real situation is not this simple. On that device there are many, many interfaces, VLAN interfaces, and much, much traffic.

The traffic from Fa0/0 in the image is, let's say, tiny compared to the traffic on other interfaces, and putting 'ip nat outside' caused the device to process every packet leaving the fa0/1 interface against the NAT ACL, no matter whether it is coming from fa0/0 or some other interface, causing the CPU to rise by an amount that is not acceptable.

That is why I am trying to solve the problem with this slightly more complicated config.



ekrdzevic Wed, 10/10/2007 - 22:01

One update to this info.

On the 6500, with this config, at one point I accidentally put an ACL on fa0/1 that denied all traffic except traffic from the NAT pool IP, and at that moment NAT worked. When I removed it, or put permit any at the end, it stopped working again.

Maybe this info could help someone find out why it doesn't work, and how to make it work.


luqmankondeth Wed, 10/10/2007 - 22:05

Can you furnish some debugs like

    debug ip nat
    debug ip packet ACL
    sh ip nat translations

both during the working condition and the failure?

ekrdzevic Thu, 10/11/2007 - 05:52

Unfortunately, I can't get this info for the working condition on the 6500, because I can't put the same ACL on the same interface again (it was put there accidentally).

From the 2600 I can get working info, but I don't know how relevant it is.

And the non-working info from the 6500 I will get as soon as I can.


AD VISSER Tue, 10/16/2007 - 01:44

Leave the config as it is, but put ip nat outside on the interface FastEthernet 0/1.

Traffic that hits access-list 1 will be NATed on loopback1.

Return traffic goes directly to, without going to the loopback1.
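
The change suggested in the reply above, written out as a complete IOS configuration for the two-host lab described in the first post. This is an added example, not the poster's attached config (which is not reproduced on this page); every address, the pool name NATPOOL and the route-map name TO-LOOP are constructed for illustration.

```cisco
! Constructed lab values: private LAN 192.168.10.0/24 on Fa0/0,
! public side 203.0.113.0/24 on Fa0/1, one pool address 203.0.113.10.
!
access-list 1 permit 192.168.10.0 0.0.0.255
!
ip nat pool NATPOOL 203.0.113.10 203.0.113.10 prefix-length 24
ip nat inside source list 1 pool NATPOOL overload
!
! Policy routing sends traffic matching access-list 1 to the loopback,
! as in the design described in the first post.
route-map TO-LOOP permit 10
 match ip address 1
 set interface Loopback1
!
interface Loopback1
 ip address 10.255.255.1 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 description private host side
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map TO-LOOP
!
interface FastEthernet0/1
 description public host side
 ip address 203.0.113.1 255.255.255.0
 ! The one line the reply adds. Replies arriving here are addressed
 ! to 203.0.113.10; marking the interface as outside lets the router
 ! match them against the translation table before routing.
 ip nat outside
!
! Checks named earlier in the thread, run from exec mode while pinging:
!   show ip nat translations
!   debug ip nat
```

With this in place the translation table entry created on the way out should show 203.0.113.10 as the inside global address, and `debug ip nat` should log a translation in both directions. The original poster's objection earlier in the thread still applies: marking Fa0/1 as outside brings all traffic on that interface into NAT processing.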


