IP Nat not working - please help

Unanswered Question
Sep 26th, 2008

Hi


I've got NAT translation configured on my router, but it doesn't seem to be working. If I run "show ip nat statistics" I can see that there are "0" active dynamic translations.


Here's my config:


Vlan100
 ip nat outside

Vlan200
 ip nat inside

ip nat pool nat-pool 10.28.20.100 10.28.20.110 prefix-length 26

ip nat inside source list nat-list pool nat-pool overload

ip access-list extended nat-list
 permit ip 10.5.70.0 0.0.0.255 host 10.28.20.200


That's it. I've got another dynamic NAT configured and a static one, but I can't see how they can interfere with this NAT not being active.


sh ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  Vlan100, Vlan150
Inside interfaces:
  Vlan200
Hits: 43379  Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list l-nat pool l-nat refcount 0
 pool l-nat: netmask 255.255.255.0
        start 10.40.56.17 end 10.40.56.31
        type generic, total addresses 15, allocated 0 (0%), misses 0
access-list nat-list pool nat-pool refcount 0
 pool nat-pool: netmask 255.255.255.192
        start 10.28.20.100 end 10.28.20.110
        type generic, total addresses 11, allocated 0 (0%), misses 0


Any thoughts?


Thanks

Dan

Jon Marshall Fri, 09/26/2008 - 03:47

Dan


Could you just confirm that to get to 10.28.20.200 the L3 switch would route traffic out of vlan 100 ?


If so then are you sure that the source IP addresses are definitely falling in the 10.5.70.x range.


What is the output of a "sh ip nat translations"


Jon


dan_track Fri, 09/26/2008 - 05:20

Hi Jon,


Here's the output

sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.44.156.16       10.45.170.23       ---                ---


As you can see it's not showing up.


How can I test the source from the router running the nat translation?


I'm quite sure no other NAT translation is occurring within the network.


Regarding the routing, I've added the following:


ip route 10.28.20.192 255.255.255.224 10.28.20.130 tag 44


10.28.20.130 is a router not owned by us, but it will route to that address, i.e. 10.28.20.200.


I hope this helps.


Thanks

Dan

Jon Marshall Fri, 09/26/2008 - 05:28

Dan


Firstly are you getting any hits on your access-list "nat-list"


Secondly to get to 10.28.20.130 does the switch use vlan 100 interface. What is the IP address on vlan 100 ?


Jon

dan_track Fri, 09/26/2008 - 06:01

Hi,


I'm not getting any hits on the access list - is this indicative of anything?


The ip address is:


10.28.20.190 255.255.255.192


Dan.

Jon Marshall Fri, 09/26/2008 - 06:04

Dan


No hits means your switch is not seeing any traffic from source addresses 10.5.70.x going to host 10.28.20.200.


Are you sure that traffic coming from 10.5.70.x would enter the switch on vlan 200 ?


Jon

dan_track Fri, 09/26/2008 - 06:36

Thanks for the tip. I'm having a look now and initially it looks like you may be right.


I'll let you know.


Thanks

Dan

dan_track Fri, 09/26/2008 - 08:09

Hi


OK, I've just verified and you were right. We had some strange routing occurring where this route was being routed into the router via another VLAN. I've added the "ip nat inside" rule to that VLAN interface.


I'm now getting hits on the access list - which is great, but the nat is still listed as inactive.


Any thoughts on this please?


Thanks

Dan

Jon Marshall Fri, 09/26/2008 - 08:17

Dan


Can you post the output of "sh ip route 10.28.20.200" from your switch.


Jon

dan_track Fri, 09/26/2008 - 08:23

# sh ip route 10.28.20.200
Routing entry for 10.28.20.192/27
  Known via "static", distance 1, metric 0
  Tag 44
  Redistributing via eigrp 100
  Advertised by eigrp 100 metric 10 10 255 1 1500 route-map static-2-eigrp
  Routing Descriptor Blocks:
  * 10.28.20.130
      Route metric is 0, traffic share count is 1

Jon Marshall Fri, 09/26/2008 - 08:31

Dan


Could you try just NATting the source IP addresses to the vlan 100 interface and see if that gets any hits, i.e. replace


ip nat inside source list nat-list pool nat-pool overload


with


ip nat inside source list nat-list interface vlan100 overload


Jon

dan_track Fri, 09/26/2008 - 08:36

Hey,


I just tried it, but it didn't make any difference. It's still not listed as active nor does it appear in the translations output.


Any thoughts?


Thanks

Dan

Jon Marshall Fri, 09/26/2008 - 09:23

Dan


Are you absolutely sure that traffic is exiting vlan 100 to get to the 3rd party router. Could you perhaps do a quick topology layout ?


Jon

dan_track Mon, 09/29/2008 - 02:34

Hi Jon,


I realised what it was, it was an access list on the vlan interface which I forgot to mention to you, my fault.


Thanks for your help though.


Dan
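The thread tracked down three separate reasons for "0 dynamic translations" in turn: the traffic was entering the switch on a VLAN interface that had no "ip nat inside", the NAT access-list therefore showed no hits, and finally an interface access-list was dropping the packets before NAT ever saw them. Those are checks in a fixed order in IOS (inbound interface ACL, then routing, then inside-source NAT only for an inside-to-outside path whose flow the NAT list permits). The following is an added example written for this page, not code or configuration from the thread, that models that order of operations so each failure can be reproduced on the posted addresses. "Vlan300" and the access-list "vlan300-in" are assumed stand-ins for the unnamed VLAN and interface ACL Dan found; the pool, routes and nat-list come from the posts.

```python
"""Walk a packet through the IOS inside-source NAT order of operations.

Constructed model (not from the thread): inbound interface ACL first, then the
route lookup, then NAT only if ingress is 'ip nat inside', egress is
'ip nat outside' and the NAT access-list permits the flow.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (action, src_net, src_wildcard, dst_net, dst_wildcard); "host X" is wildcard 0.0.0.0
AclEntry = Tuple[str, str, str, str, str]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in entries:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


@dataclass
class Interface:
    name: str
    nat_role: Optional[str] = None   # "inside", "outside" or None
    acl_in: Optional[str] = None     # ACL applied with "ip access-group <name> in"


@dataclass
class Router:
    interfaces: Dict[str, Interface]
    acls: Dict[str, List[AclEntry]]
    nat_acl: str                     # list named in "ip nat inside source list ..."
    pool: List[str]                  # inside global addresses
    routes: List[Tuple[str, str]]    # (prefix, egress interface); longest match wins

    def egress_for(self, dst: str) -> Optional[str]:
        addr = ipaddress.IPv4Address(dst)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for prefix, ifname in self.routes:
            net = ipaddress.IPv4Network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best[1] if best else None


def trace(r: Router, src: str, dst: str, ingress: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, inside-global address or None) for one inside->outside packet."""
    in_if = r.interfaces[ingress]
    # 1. The inbound interface ACL is checked before routing and before NAT.
    if in_if.acl_in and not acl_permits(r.acls[in_if.acl_in], src, dst):
        return (f"dropped by access-list {in_if.acl_in} inbound on {ingress}", None)
    # 2. Routing picks the egress interface.
    egress = r.egress_for(dst)
    if egress is None:
        return ("no route", None)
    # 3. Inside-source NAT only fires for an inside -> outside path.
    if in_if.nat_role != "inside":
        return (f"not translated: {ingress} is not 'ip nat inside'", None)
    if r.interfaces[egress].nat_role != "outside":
        return (f"not translated: {egress} is not 'ip nat outside'", None)
    # 4. The NAT access-list must permit the flow (the hit counter asked about above).
    if not acl_permits(r.acls[r.nat_acl], src, dst):
        return (f"not translated: access-list {r.nat_acl} does not match", None)
    # 5. With "overload", flows share the first pool address and differ by port.
    return (f"translated out {egress}", r.pool[0])


def build_router(vlan300_inside: bool, vlan300_acl: bool) -> Router:
    """Topology modelled on the thread. Vlan300 and the ACL 'vlan300-in' are assumed
    stand-ins for the unnamed VLAN and interface ACL found in the thread."""
    ifs = {
        "Vlan100": Interface("Vlan100", "outside"),
        "Vlan150": Interface("Vlan150", "outside"),
        "Vlan200": Interface("Vlan200", "inside"),
        "Vlan300": Interface("Vlan300", "inside" if vlan300_inside else None,
                             "vlan300-in" if vlan300_acl else None),
    }
    any_ = ("0.0.0.0", "255.255.255.255")
    acls = {
        "nat-list": [("permit", "10.5.70.0", "0.0.0.255", "10.28.20.200", "0.0.0.0")],
        "vlan300-in": [("deny", "10.5.70.0", "0.0.0.255", "10.28.20.192", "0.0.0.31"),
                       ("permit", *any_, *any_)],
    }
    pool = [str(ipaddress.IPv4Address("10.28.20.100") + i) for i in range(11)]
    routes = [("10.28.20.192/27", "Vlan100"), ("10.28.20.128/26", "Vlan100")]
    return Router(ifs, acls, "nat-list", pool, routes)


if __name__ == "__main__":
    for inside, acl in ((False, False), (True, True), (True, False)):
        print(inside, acl, trace(build_router(inside, acl), "10.5.70.10", "10.28.20.200", "Vlan300"))
```

Running it walks the same packet (10.5.70.10 to 10.28.20.200, arriving on the assumed Vlan300) through the three states the thread went through: no "ip nat inside" on the ingress VLAN, then the inbound interface ACL dropping it, then a successful translation to the first pool address once both are fixed. A source outside 10.5.70.0/24 arriving on Vlan200 shows the remaining case, a NAT access-list miss with zero hits.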
