NAT Configuration Issue 7613 - Sup720

andrewdillon · ‎04-18-2008

Hello,

I am trying to get NAT to work on a 7613 w/sup720 and am having some unexpected results.

IOS Version 12.2(18)SXF7

MSFC3 Sup720

Here is the config:

interface GigabitEthernet9/44

ip address X.X.100.1 255.255.255.0

ip nat outside

spanning-tree portfast

!

interface GigabitEthernet9/45

ip address 192.168.100.1 255.255.255.0

ip nat inside

spanning-tree portfast

!

ip nat inside source list 105 interface GigabitEthernet9/44 overload

access-list 105 permit ip 192.168.100.0 0.0.0.255 any

The unexpected results are that the access list is not get any hits when I try to ping through to a public address. I debug NAT and do not see any log entries, so then I tried adding the public network to the access list and started to see hits on the access list and nat log entries???

Any suggestions?

Thanks,

Andrew

smahbub · ‎04-24-2008

"ip nat inside source list" command performs the following tasks:

1)Translates the source of the IP packets that travel outside to inside.

2)Translates the destination of the IP packets that travel inside to outside

The access list should containg the public ip address for the NAT to work properly and to be able to ping the public ip address.

For details on Inside NAT refer:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftnatis.html#wp1027195

Justin Brenton · ‎04-24-2008

Don't see your pool for Nat overload... Im not a nat expert but shouldn't you have

ip nat pool pool30 66.192.112.230 66.192.112.230 netmask 255.255.255.192

HTH, Please rate if so

Regards,

Justin

andrewdillon · ‎04-24-2008

You can choose an interface (with an ip address assigned to it) or a pool. I have tried both ways...no luck.

andrewdillon · ‎04-24-2008

Thanks for the reply.

All of the documentation, including the link you provided (bottom of the page Example), shows an access list permitting only the inside networks. My understanding is that the first part of the "ip nat inside source list" command is to identify the inside ip addresses and the second part identifying the outside interface (or pool). I think I should see the access list be hit when I ping from an inside address to an outside address??

lamav · ‎04-24-2008

Andrew, are you saying that you cannot reach any external addresses from the inside network -- as you have configured it to do?

Or are you saying that you do have connectivity to external addresses, but that you don't see the ACL hitting up?

VL

andrewdillon · ‎04-24-2008

That's correct, I cannot hit any external addresses from the inside network.

lamav · ‎04-24-2008

OK, it doesn't work.

Is your routing correct? Do you have a route to the destination networks in your routing table? If not, the router will drop the packet before even trying to do any NATing (order of operations).

Victor

andrewdillon · ‎04-24-2008

I do not have a static route but there is a local route (directly connected).

1#sho ip route 192.168.100.0

Routing entry for 192.168.100.0/24

Known via "connected", distance 0, metric 0 (connected, via interface)

Routing Descriptor Blocks:

* directly connected, via GigabitEthernet9/45

Route metric is 0, traffic share count is 1

lamav · ‎04-24-2008

Of course you have a directly connected route to a network that your interface belongs to.

I was asking about a route in the routing table for the destination network.

A router routes a packet based on the destination IP address in the IP datagram header it receives on its interface, unless PBR is being used, which is another story.

Do you have a route to the destination network?

Victor

andrewdillon · ‎04-24-2008

Yes, this router has a full BGP route table. The destination network is definately known. I can ping the address from the router.

lamav · ‎04-24-2008

OK.

How about you post the entire config and lets take a closer look at everything?

I meant to ask you about the 'portfast' configs on the L3 interfaces? Why do you have them? Portfast is an STP feature that is applied to L2 interfaces that connect end-users.

Curious, are both those interfaces in an 'up, up' state?

Im also trying to remember if you have to configure the 'no switchport' command to make it an L3 interface on the 7613.

VL

andrewdillon · ‎04-24-2008

The portfast was leftover from a previous role this interface had. I removed it on both and still no luck.

You do have to execute the no switchport command before you assign an IP address to an interface. Both of the interfaces are up and can be reached via ping.

I will post the entire config tomorrow.

Thanks for your help.