IP Nat not working - please help

Sep 26th, 2008


I've got NAT translation configured on my router, but it doesn't seem to be working. If I run "show ip nat statistics" I can see that there are "0" active dynamic translations.

Here's my config:


ip nat outside


ip nat inside

ip nat pool nat-pool prefix-length 26

ip nat inside source list nat-list pool nat-pool overload

ip access-list extended nat-list

permit ip host

That's it, I've got another dynamic nat configured and a static but I can't see how they can interfere with this nat not being active.

sh ip nat statistics

Total active translations: 1 (1 static, 0 dynamic; 0 extended)

Outside interfaces:

Vlan100, Vlan150

Inside interfaces:


Hits: 43379 Misses: 0

Expired translations: 0

Dynamic mappings:

-- Inside Source

access-list l-nat pool l-nat refcount 0

pool l-nat: netmask

start end

type generic, total addresses 15, allocated 0 (0%), misses 0

access-list nat-list pool nat-pool refcount 0

pool nat-pool: netmask

start end

type generic, total addresses 11, allocated 0 (0%), misses 0

Any thoughts?



Jon Marshall Fri, 09/26/2008 - 03:47


Could you just confirm that to get to the L3 switch would route traffic out of vlan 100?

If so then are you sure that the source IP addresses are definitely falling in the 10.5.70.x range.

What is the output of a "sh ip nat translations"


dan_track Fri, 09/26/2008 - 05:20

Hi Jon,

Here's the output

sh ip nat translations

Pro Inside global Inside local Outside local Outside global

--- --- ---

As you can see it's not showing up.

How can I test the source from the router running the nat translation?

I'm quite sure no other NAT translation is occurring within the network.

Regarding the routing, I've added the following:

ip route tag 44 is a router not owned by us, but will route to that address i.e

I hope this helps.



Jon Marshall Fri, 09/26/2008 - 05:28


Firstly are you getting any hits on your access-list "nat-list"

Secondly, to get to does the switch use the vlan 100 interface? What is the IP address on vlan 100?


dan_track Fri, 09/26/2008 - 06:01


I'm not getting any hits on the access list - is this indicative of anything?

The ip address is:


Jon Marshall Fri, 09/26/2008 - 06:04


No hits means your switch is not seeing any traffic from source addresses 10.5.70.x going to host

Are you sure that traffic coming from 10.5.70.x would enter the switch on vlan 200?


dan_track Fri, 09/26/2008 - 06:36

Thanks for the tip. I'm having a look now and initially it looks like you may be right.

I'll let you know.



dan_track Fri, 09/26/2008 - 08:09


Ok I've just verified and you were right. we had some strange routing occurring where this route was being routed into the router via another vlan. I've added the "ip nat inside" rule to that vlan interface.

I'm now getting hits on the access list - which is great, but the nat is still listed as inactive.

Any thoughts on this please?



Jon Marshall Fri, 09/26/2008 - 08:17


Can you post the output of "sh ip route" from your switch.


dan_track Fri, 09/26/2008 - 08:23

# sh ip route

Routing entry for

Known via "static", distance 1, metric 0

Tag 44

Redistributing via eigrp 100

Advertised by eigrp 100 metric 10 10 255 1 1500 route-map static-2-eigrp

Routing Descriptor Blocks:


Route metric is 0, traffic share count is 1

Jon Marshall Fri, 09/26/2008 - 08:31


Could you try just natting the source IP addresses to the vlan 100 interface and see if that gets any hits, i.e. replace

ip nat inside source list nat-list pool nat-pool overload

with

ip nat inside source list nat-list interface vlan100 overload


dan_track Fri, 09/26/2008 - 08:36


I just tried it, but it didn't make any difference. It's still not listed as active nor does it appear in the translations output.

Any thoughts?



Jon Marshall Fri, 09/26/2008 - 09:23


Are you absolutely sure that traffic is exiting vlan 100 to get to the 3rd party router. Could you perhaps do a quick topology layout ?


dan_track Mon, 09/29/2008 - 02:34

Hi Jon,

I realised what it was, it was an access list on the vlan interface which I forgot to mention to you, my fault.

Thanks for your help though.
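The thread's two symptoms (first no hits on the NAT access-list at all, then hits but still no translation) both come down to where in the IOS inside-to-outside order of operations the packet is stopped: inbound interface ACL, then routing, then the inside/outside interface check and the NAT ACL, then the outbound interface ACL. The following is an added example, not code from the thread or from Cisco: a small Python model of that decision path. The topology, interface roles, the 192.0.2.0/24 destination and the sample ACLs are constructed for illustration; only the 10.5.70.x source range and the Vlan100/150/200 names are taken from the discussion.

```python
"""Decision model for Cisco IOS inside-source dynamic NAT (added example).

Illustrative code, not from the thread or from Cisco. It walks the documented
inside-to-outside processing order (inbound interface ACL, routing, NAT,
outbound interface ACL) so that each "no translation" symptom maps to a
specific reason. Addresses, interface roles and ACLs are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPNet = ipaddress.IPv4Network
IP = ipaddress.IPv4Address


@dataclass
class Interface:
    name: str
    nat_role: Optional[str] = None      # "inside", "outside" or None
    acl_in: Optional[list] = None       # inbound ACL: [(action, src_net, dst_net)]
    acl_out: Optional[list] = None      # outbound ACL, same shape


@dataclass
class Router:
    interfaces: dict                    # name -> Interface
    routes: list                        # [(prefix, egress interface)], longest match wins
    nat_acl: list                       # the "ip nat inside source list" ACL
    nat_acl_hits: int = 0               # what "show access-lists" would count

    def route(self, dst: IP) -> Optional[str]:
        matches = [(net.prefixlen, iface) for net, iface in self.routes if dst in net]
        return max(matches)[1] if matches else None


def acl_permits(acl, src: IP, dst: IP) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    if acl is None:                     # no ACL applied: everything passes
        return True
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def nat_decision(r: Router, ingress: str, src: IP, dst: IP) -> str:
    """Return why a packet is or is not translated, in IOS processing order."""
    ing = r.interfaces[ingress]
    if not acl_permits(ing.acl_in, src, dst):
        return f"dropped by inbound ACL on {ingress} before NAT"
    egress = r.route(dst)
    if egress is None:
        return "no route to destination"
    if ing.nat_role != "inside":
        return f"ingress {ingress} is not 'ip nat inside'; NAT ACL not consulted"
    egr = r.interfaces[egress]
    if egr.nat_role != "outside":
        return f"egress {egress} is not 'ip nat outside'; NAT ACL not consulted"
    if not acl_permits(r.nat_acl, src, dst):
        return "NAT ACL did not match; no translation"
    r.nat_acl_hits += 1                 # only now does the NAT ACL record a hit
    if not acl_permits(egr.acl_out, src, dst):
        return f"translated, then dropped by outbound ACL on {egress}"
    return f"translated on {egress}"


def build_sample_router(vlan200_inside: bool, vlan200_acl_in=None) -> Router:
    """Constructed topology: 10.5.70.0/24 arrives on Vlan200 and should leave via Vlan100."""
    inside_net = IPNet("10.5.70.0/24")
    target = IPNet("192.0.2.0/24")      # TEST-NET-1 stands in for the third-party router
    ifaces = {
        "Vlan100": Interface("Vlan100", nat_role="outside"),
        "Vlan150": Interface("Vlan150", nat_role="outside"),
        "Vlan200": Interface("Vlan200",
                             nat_role="inside" if vlan200_inside else None,
                             acl_in=vlan200_acl_in),
    }
    routes = [(IPNet("0.0.0.0/0"), "Vlan150"), (target, "Vlan100")]
    nat_acl = [("permit", inside_net, target)]
    return Router(ifaces, routes, nat_acl)


if __name__ == "__main__":
    src, dst = IP("10.5.70.10"), IP("192.0.2.10")
    print(nat_decision(build_sample_router(False), "Vlan200", src, dst))
    print(nat_decision(build_sample_router(True), "Vlan200", src, dst))
    blocking = [("deny", IPNet("10.5.70.0/24"), IPNet("192.0.2.0/24")),
                ("permit", IPNet("0.0.0.0/0"), IPNet("0.0.0.0/0"))]
    print(nat_decision(build_sample_router(True, blocking), "Vlan200", src, dst))
```

Running the three scenarios reproduces the thread's progression: with Vlan200 not marked "ip nat inside" the NAT ACL is never consulted, so it shows zero hits; marking it inside produces a translation; and an inbound ACL on the ingress VLAN that denies the flow stops the packet before NAT, so no translation appears even though the NAT configuration is correct.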


