NAT Configuration Issue 7613 - Sup720

Unanswered Question
Apr 18th, 2008

Hello,


I am trying to get NAT to work on a 7613 w/sup720 and am having some unexpected results.


IOS Version 12.2(18)SXF7

MSFC3 Sup720


Here is the config:

interface GigabitEthernet9/44
 ip address X.X.100.1 255.255.255.0
 ip nat outside
 spanning-tree portfast
!
interface GigabitEthernet9/45
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 spanning-tree portfast
!
ip nat inside source list 105 interface GigabitEthernet9/44 overload
!
access-list 105 permit ip 192.168.100.0 0.0.0.255 any


The unexpected results are that the access list is not getting any hits when I try to ping through to a public address. I debug NAT and do not see any log entries, so then I tried adding the public network to the access list and started to see hits on the access list and NAT log entries???


Any suggestions?


Thanks,


Andrew


smahbub Thu, 04/24/2008 - 08:14

"ip nat inside source list" command performs the following tasks:

1) Translates the source of the IP packets that travel outside to inside.

2) Translates the destination of the IP packets that travel inside to outside.

The access list should contain the public IP address for the NAT to work properly and to be able to ping the public IP address.


For details on Inside NAT refer:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftnatis.html#wp1027195

Justin Brenton Thu, 04/24/2008 - 08:20

Don't see your pool for NAT overload... I'm not a NAT expert but shouldn't you have


ip nat pool pool30 66.192.112.230 66.192.112.230 netmask 255.255.255.192


HTH, Please rate if so


Regards,

Justin

andrewdillon Thu, 04/24/2008 - 09:37

You can choose an interface (with an ip address assigned to it) or a pool. I have tried both ways...no luck.



andrewdillon Thu, 04/24/2008 - 09:34

Thanks for the reply.


All of the documentation, including the link you provided (bottom of the page Example), shows an access list permitting only the inside networks. My understanding is that the first part of the "ip nat inside source list" command is to identify the inside ip addresses and the second part identifying the outside interface (or pool). I think I should see the access list be hit when I ping from an inside address to an outside address??

lamav Thu, 04/24/2008 - 09:55

Andrew, are you saying that you cannot reach any external addresses from the inside network -- as you have configured it to do?


Or are you saying that you do have connectivity to external addresses, but that you don't see the ACL hitting up?


VL

andrewdillon Thu, 04/24/2008 - 11:19

That's correct, I cannot hit any external addresses from the inside network.

lamav Thu, 04/24/2008 - 11:30

OK, it doesn't work.


Is your routing correct? Do you have a route to the destination networks in your routing table? If not, the router will drop the packet before even trying to do any NATing (order of operations).


Victor
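The order-of-operations point above (inside-to-outside traffic is routed before it is translated, outside-to-inside traffic is translated before it is routed) and the semantics of the original post's "ip nat inside source list 105 interface ... overload" line are easier to see in a small simulation. The following Python model is an added illustration written for this page; it is not code from the thread, from Cisco, or from any IOS component. The addresses are constructed: the public side uses a TEST-NET-3 documentation address in place of X.X.100.1, and 198.51.100.7 plays the public ping target. The model keeps an ACL hit counter so you can see why a packet with no route never increments it, and a PAT table so the return path can be traced back to the inside host.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the thread's addresses (assumptions, not the real ones):
# X.X.100.1 becomes a TEST-NET-3 address; 198.51.100.7 plays the public ping target.
OUTSIDE_IF = "Gi9/44"            # ip nat outside
INSIDE_IF = "Gi9/45"             # ip nat inside
OUTSIDE_IP = ipaddress.ip_address("203.0.113.1")
INSIDE_NET = ipaddress.ip_network("192.168.100.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: int = 0                # what "show access-list" would count


def acl_105():
    # access-list 105 permit ip 192.168.100.0 0.0.0.255 any
    return [AclEntry("permit", INSIDE_NET, ANY)]


@dataclass
class Router:
    routes: dict                                    # prefix -> egress interface
    acl: list
    nat_table: dict = field(default_factory=dict)   # (inside ip, port) -> outside port
    next_port: int = 1024
    drops: list = field(default_factory=list)

    def lookup(self, dst):
        """Longest-prefix match; None means no route (packet dropped)."""
        best = None
        for prefix, iface in self.routes.items():
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface)
        return best[1] if best else None

    def acl_permits(self, src, dst):
        for e in self.acl:
            if src in e.src and dst in e.dst:
                e.hits += 1                         # only an evaluated packet counts
                return e.action == "permit"
        return False                                # implicit deny, not counted

    def inside_to_outside(self, src, sport, dst):
        """Inside -> outside: route first, then NAT (IOS order of operations)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        iface = self.lookup(dst)
        if iface is None:
            self.drops.append((str(src), str(dst), "no route"))
            return None                             # ACL never consulted
        if iface != OUTSIDE_IF or not self.acl_permits(src, dst):
            return (str(src), sport, str(dst), iface)   # forwarded untranslated
        key = (src, sport)
        if key not in self.nat_table:               # allocate a PAT port (overload)
            self.nat_table[key] = self.next_port
            self.next_port += 1
        return (str(OUTSIDE_IP), self.nat_table[key], str(dst), iface)

    def outside_to_inside(self, src, dst, dport):
        """Outside -> inside: NAT first (undo the translation), then route."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst != OUTSIDE_IP:
            return None
        for (inside_ip, inside_port), outside_port in self.nat_table.items():
            if outside_port == dport:
                return (str(src), str(inside_ip), inside_port, self.lookup(inside_ip))
        return None                                 # no translation entry: dropped


def build_router(with_default_route):
    routes = {INSIDE_NET: INSIDE_IF,
              ipaddress.ip_network("203.0.113.0/24"): OUTSIDE_IF}
    if with_default_route:                          # stands in for the BGP table
        routes[ANY] = OUTSIDE_IF
    return Router(routes, acl_105())


if __name__ == "__main__":
    r = build_router(with_default_route=True)
    print(r.inside_to_outside("192.168.100.10", 40000, "198.51.100.7"))
    print(r.outside_to_inside("198.51.100.7", "203.0.113.1", 1024))
    print("ACL 105 hits:", r.acl[0].hits)
    r2 = build_router(with_default_route=False)
    print(r2.inside_to_outside("192.168.100.10", 40000, "198.51.100.7"), r2.drops)
    print("ACL 105 hits without a route:", r2.acl[0].hits)
```

Run as-is, the router with a route to the destination translates the inside host to 203.0.113.1 and bumps the ACL counter once; the router without that route drops the packet before the ACL is ever evaluated, which is the symptom described in the thread (no ACL hits, nothing from debug). Note that in this model the ACL is matched on the inside source address only, which is what the "ip nat inside source list" syntax in the original post expresses.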

andrewdillon Thu, 04/24/2008 - 11:44

I do not have a static route but there is a local route (directly connected).


1#sho ip route 192.168.100.0
Routing entry for 192.168.100.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via GigabitEthernet9/45
      Route metric is 0, traffic share count is 1

lamav Thu, 04/24/2008 - 11:50

Of course you have a directly connected route to a network that your interface belongs to.


I was asking about a route in the routing table for the destination network.


A router routes a packet based on the destination IP address in the IP datagram header it receives on its interface, unless PBR is being used, which is another story.


Do you have a route to the destination network?


Victor

andrewdillon Thu, 04/24/2008 - 11:55

Yes, this router has a full BGP route table. The destination network is definitely known. I can ping the address from the router.

lamav Thu, 04/24/2008 - 12:10

OK.

How about you post the entire config and let's take a closer look at everything?


I meant to ask you about the 'portfast' configs on the L3 interfaces? Why do you have them? Portfast is an STP feature that is applied to L2 interfaces that connect end-users.


Curious, are both those interfaces in an 'up, up' state?


I'm also trying to remember if you have to configure the 'no switchport' command to make it an L3 interface on the 7613.


VL

andrewdillon Thu, 04/24/2008 - 12:21

The portfast was leftover from a previous role this interface had. I removed it on both and still no luck.


You do have to execute the no switchport command before you assign an IP address to an interface. Both of the interfaces are up and can be reached via ping.


I will post the entire config tomorrow.


Thanks for your help.

