NAT Problems (877W)

Unanswered Question
Apr 21st, 2009

Hi

I have 2 routers (877W and 3825) connected back to back. I am trying to configure NAT, but when I configure my access-list to match the network that must be translated I can't hop from one router to the other. But the traffic sent is received on the other side.

Attached are both routers' configs. Another problem here is that on router 877, when I configure IP NAT INSIDE on int vlan2, traffic drops from the 877.

All pings are successful on both directions.

Router 877

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip virtual-reassembly
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan1
 description Connection to Router 3825
 ip address 192.1.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface Vlan2
 description Home LAN
 ip address 192.4.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Vlan1
!
ip access-list extended Mpho
 permit ip any any
 deny ip host 10.0.0.1 any
!
ip nat inside source list Mpho interface Vlan1 overload

Router 3825

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip address 20.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 192.2.1.1 255.255.255.0
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 ip address 192.1.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
!
ip nat inside source list Mpho interface GigabitEthernet0/1 overload
!
ip access-list extended Mpho
 permit ip 192.2.1.0 0.0.0.255 any
 permit ip host 2.2.2.2 any
!

Giuseppe Larosa Tue, 04/21/2009 - 04:52

Hello Lawrence,

It would be better to define the ACL in a more specific way.

Also, specific deny statements need to be configured first, or they will never match:

ip access-list extended Mpho
 permit ip any any
 deny ip host 10.0.0.1 any

Another suggestion is to use a standard ACL at first for NAT, like

access-list 11 permit 192.4.1.0 0.0.0.255

I would use a route-map to use an extended ACL, like

access-list 114 deny ip any host 10.0.0.1
access-list 114 permit ip 192.4.1.0 0.0.0.255 any

route-map selected-NAT permit 10
 match ip address 114

and the line becomes

ip nat inside source route-map selected-NAT interface Vlan1 overload

And also

int vlan 2
 ip nat inside

Hope to help

Giuseppe

thotsaphon Tue, 04/21/2009 - 04:55

Lawrence,

Actually, when doing NAT you still need a route to tell it which interface to route packets out of, because the routing process is performed first (inside to outside).

On an Ethernet segment I would reference the next hop to reach the other networks; you will get problems when proxy-ARP is disabled at the far end.

I wouldn't use "permit ip any any" in the NAT statement, because you will get problems when connecting to the router itself.

Router 877

!
ip access-list extended Mpho
 permit ip 192.4.1.0 0.0.0.255 any
 deny ip host 10.0.0.1 any
!
ip route 0.0.0.0 0.0.0.0 192.1.1.2
!
interface Vlan2
 ip nat inside
!

Router 3825

!
interface GigabitEthernet0/0
 ip nat inside
!

When you initiate traffic from here, you need a route.

!
ip route 0.0.0.0 0.0.0.0 192.1.1.1
!

HTH,

Toshi
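Both replies rest on the same IOS fact: an access list is evaluated top down, the first matching entry wins, and anything left over hits the implicit deny at the end. So a "deny" placed behind "permit ip any any" can never fire, and "permit ip any any" sweeps in traffic the NAT rule was never meant to see. The script below is an added example, not part of the original thread and not Cisco code; it is a small first-match evaluator for "permit|deny ip <src> <dst>" entries (any, host and wildcard-mask forms only) that replays the ACL as posted on the 877 against Giuseppe's ACL 114, and flags entries that an earlier entry fully covers. The names ACL_AS_POSTED, ACL_114, parse_acl, evaluate and shadowed_entries are ours; the ACL lines themselves are copied from the thread.

```python
"""First-match evaluator for Cisco-style extended IP ACLs (added example).

Models only 'permit|deny ip <src> <dst>' entries with any / host /
wildcard-mask address forms, first match wins, implicit deny at the end.
Only full shadowing (an earlier entry covering the whole later entry) is
reported; partial overlaps are not.
"""
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

# ACL as posted on the 877 in the question: the deny sits behind permit any any.
ACL_AS_POSTED = [
    "ip access-list extended Mpho",
    " permit ip any any",
    " deny ip host 10.0.0.1 any",
]

# Giuseppe's ACL 114: deny first, then only the home LAN 192.4.1.0/24.
ACL_114 = [
    "access-list 114 deny ip any host 10.0.0.1",
    "access-list 114 permit ip 192.4.1.0 0.0.0.255 any",
]


@dataclass(frozen=True)
class Entry:
    action: str
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    text: str


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return (net, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, MASK32, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(lines):
    """Accept both the named ('permit ip ...') and numbered ('access-list N permit ip ...') forms."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]                     # drop 'access-list <number>'
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                # header, '!' or remark lines
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src_net, src_wild, i = _parse_addr(tokens, 2)
        dst_net, dst_wild, _ = _parse_addr(tokens, i)
        entries.append(Entry(tokens[0], src_net, src_wild, dst_net, dst_wild, line.strip()))
    return entries


def _hit(net, wild, addr):
    fixed = ~wild & MASK32                          # wildcard 0-bits must match exactly
    return (addr & fixed) == (net & fixed)


def evaluate(entries, src, dst):
    """Return (action, index) of the first matching entry, or ('deny', None) for the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for idx, e in enumerate(entries):
        if _hit(e.src_net, e.src_wild, s) and _hit(e.dst_net, e.dst_wild, d):
            return e.action, idx
    return "deny", None


def _contains(net_a, wild_a, net_b, wild_b):
    """True if every address matched by (net_b, wild_b) is also matched by (net_a, wild_a)."""
    fixed_a = ~wild_a & MASK32
    return (wild_b & fixed_a) == 0 and ((net_a ^ net_b) & fixed_a) == 0


def shadowed_entries(entries):
    """Indices of entries that can never match because an earlier entry covers them completely."""
    out = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            if (_contains(earlier.src_net, earlier.src_wild, later.src_net, later.src_wild)
                    and _contains(earlier.dst_net, earlier.dst_wild, later.dst_net, later.dst_wild)):
                out.append(j)
                break
    return out


if __name__ == "__main__":
    for name, lines in (("as posted", ACL_AS_POSTED), ("ACL 114", ACL_114)):
        acl = parse_acl(lines)
        print(name, "- shadowed:", [acl[i].text for i in shadowed_entries(acl)])
        print("  10.0.0.1 -> 20.0.0.1   :", evaluate(acl, "10.0.0.1", "20.0.0.1"))
        print("  192.4.1.10 -> 10.0.0.1 :", evaluate(acl, "192.4.1.10", "10.0.0.1"))
        print("  192.4.1.10 -> 20.0.0.1 :", evaluate(acl, "192.4.1.10", "20.0.0.1"))
```

Running it shows the posted ACL reporting its deny line as shadowed and permitting 10.0.0.1 anyway, while ACL 114 denies traffic to 10.0.0.1 on its first line, translates only 192.4.1.0/24, and drops everything else on the implicit deny, which is the behaviour the replies ask for.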
