NATTING issue with 877

Unanswered Question
Dec 31st, 2008

HI all,

im using Cisco 877 (c870-advipservicesk9-mz.124-2.T2) at a location

this location has a (last mile) radio bridge based internet connection (ethernet port)

i made 2 vlans on the 877

Step 1 : Vlan database

vlan 2

vlan 3


Step 2 : int vlan 2

ip nat inside

int vlan 3


ip nat outside

Step 3 : Int Fastethernet 0

switchport access vlan 2

Int fastethernet 3

switchport access vlan 3

vlan 2 connects the LAN users via Fastethernet0

vlan 3 connects to the internet device via Fastethernet 3

Then made NAT rule

ip nat inside source list 100 interface vlan3 overload

ACL 100

access-list 100 permit ip any

Default Route

ip route 125.29.12x.1

now this config works on an old 2611 with 2 real etehrnet ports

my workstation can connect to the internet just fine with 2611

but i cant seem to have it work with the new 877

any idea where im going wrong ..

i know its gota be a vlan config problem or vlan limitation .. cause the nat works fine with the other router..

plz help

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rluyster Wed, 12/31/2008 - 09:15

Is the default route you entered here a typo? it is not a part of the network you have defined on VLAN 3

zaidumer Thu, 01/01/2009 - 05:04

it was a typo..

the funny thing is that i installed a 837 (which has 2 etherrnets eth2 mapped on fastethernet4 and ethernet1 mapped on fastethernet 1,2,3)

and it seems to work fine...

877 is giving problems with natting with 2 vlans defined as per my first post..

any resolution ?????????

cisco i need help..

sridsdale Thu, 01/01/2009 - 07:41

I had a similar issue a while back with overloading to virtual interfaces but I forget the exact details now.

I found that instead of overloading to the interface if I created a NAT pool with the one external address in and overloaded to the NAT pool then it worked.

Worth a shot.

Richard Burts Thu, 01/01/2009 - 11:13


I have a suggestion to change your NAT configuration. Since your NAT rule is only checking the source address you do not really need an extended access list in the NAT. I suggest changing the access list from extended to standard.

So the config would look something like this:

ip nat inside source list 10 interface vlan3 overload

access-list 10 permit ip

Give it a try and let us know if it helps.



zaidumer Fri, 01/02/2009 - 00:10

Hi Rick,

did that as well but doesnt seem to work ..

could it be an ISP issue ??

really gotten me confised now..

Richard Burts Fri, 01/02/2009 - 05:09


One way to check on possible issues is to attempt to ping some Internet resources from the router itself. Can you ping from the router?



John Blakley Fri, 01/02/2009 - 07:28

I would try to change your nat statement to a physical interface (Fa3) instead of the vlan.




This Discussion