NAT Overload not functioning correctly on router

Scott Brien
Level 1

Hi,

We are currently experiencing issues with our NAT Overload not translating any of the inside addresses.

We are currently running BGP on this router with a public IP pool consisting of 2 public IP addresses.

The access list used to allow private IP addresses is getting hits; however, we are not getting translations.

NAT config:

ip nat translation timeout never
ip nat pool PUBLIC XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.252
ip nat inside source list INTERNET_ACCESS pool PUBLIC overload

ip access-list standard INTERNET_ACCESS
permit 10.2.1.0 0.0.0.127

Sh ip Nat stat

show ip nat statistics
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
  Vlan1
Inside interfaces:
  Vlan300, Vlan303, Vlan999
Hits: 4004928  Misses: 0
CEF Translated packets: 3985743, CEF Punted packets: 19621237
Expired translations: 10266
Dynamic mappings:
-- Inside Source
[Id: 8] access-list INTERNET_ACCESS pool PUBLIC refcount 0
pool PUBLIC: netmask 255.255.255.252
        start XX.XX.XX.XX end XX.XX.XX.XX
        type generic, total addresses 2, allocated 0 (0%), misses 0

Sh IP Access-Lists

Standard IP access list INTERNET_ACCESS
    10 permit 10.2.1.0, wildcard bits 0.0.0.127 (10252 matches)

Any help would be helpful

Thanks,


Scott


rajatsetia
Level 1

Hi Scott,

try NAT overload with route-map rather than acl

I think it should work, but WHY?? I vaguely remember but am not sure; will try to dig out something for you.

e.g.

ip access-list standard INTERNET_ACCESS
permit 10.2.1.0 0.0.0.127

route-map test permit 10
 match ip address INTERNET_ACCESS


ip nat inside source route-map test pool PUBLIC overload

Let me know if it works.

Regards,

Hi,

I have tried putting in the lines of configuration you suggested; however, we are still not getting any form of dynamic translation.

I have put some output below.

NAT Configuration:

ip nat translation timeout never
ip nat pool PUBLIC  XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.252
ip nat inside source list INTERNET_ACCESS pool PUBLIC overload
ip nat inside source route-map test pool PUBLIC overload

route-map test permit 10
match ip address INTERNET_ACCESS

ip access-list standard INTERNET_ACCESS
  permit 10.2.1.0 0.0.0.127

sh ip nat translations/statistics

#sh ip nat stat
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
  Vlan1, Vlan99
Inside interfaces:
  Vlan300, Vlan303, Vlan999
Hits: 4004930  Misses: 0
CEF Translated packets: 3985743, CEF Punted packets: 19621332
Expired translations: 10267
Dynamic mappings:
-- Inside Source
[Id: 9] route-map test pool PUBLIC refcount 0
pool PUBLIC: netmask 255.255.255.252
        start  XX.XX.XX.XX  end  XX.XX.XX.XX
        type generic, total addresses 2, allocated 0 (0%), misses 0

#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global

And a ping

#ping
Protocol [ip]:
Target IP address: 72.14.209.104
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan 300
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.14.209.104, timeout is 2 seconds:
Packet sent with a source address of 10.2.1.1


Thanks,

Scott

Hi,

I think I may have found something.

Could the permit ip any any in the following set of ACLs be causing the packet to fall into the wrong ACL?

#do show ip access-lis
Standard IP access list 12 ( most recently added)
    10 permit 10.2.1.0, wildcard bits 0.0.0.127
Standard IP access list BGP_OUTGOING_ACL (added first)
    10 permit XX.XX.XX.XX  (19 matches)
Extended IP access list 100 ( Added second)
    10 permit tcp XX.XX.XX.XX 0.0.0.255 host XX.XX.XX.XX  eq bgp log (5864241 matches)
    20 permit tcp XX.XX.XX.XX  0.0.0.255 eq bgp host XX.XX.XX.XX  log (4527090 matches)
    30 permit tcp XX.XX.XX.XX  0.0.0.255 eq bgp host XX.XX.XX.XX log (4523845 matches)
    40 permit tcp XX.XX.XX.XX  0.0.0.255 host XX.XX.XX.XX eq bgp log (5841037 matches)
    50 permit ip any any (109310388 matches)
Extended IP access list INTERNET_ACCESS ( Added 3rd )
    10 permit ip 10.2.1.0 0.0.0.127 any
    20 permit ip 10.2.1.0 0.0.0.127 any log

Other than this, I cannot see any other reason why this would not work.

Scott
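To make visible how IOS resolves a packet against lists like the ones above, here is an added example (not code from this thread or from Cisco): a small Python evaluator that parses show ip access-lists style output, applies wildcard-mask matching, and evaluates every list independently, top down, first match wins, implicit deny at the end. It handles both the standard form of INTERNET_ACCESS from the first post and the extended form listed here. The listing and the packet are constructed; the redacted XX.XX.XX.XX addresses are replaced with RFC 5737 documentation placeholders (192.0.2.0/24, 203.0.113.1), and the port-name table only covers the keywords in the sample.

```python
"""Evaluate a packet against Cisco IOS access lists the way IOS does: each
list on its own, top down, first match wins, implicit deny at the end.

Added example, not code from the thread or from Cisco. The listing below is
constructed to mirror the 'show ip access-lists' output posted above; the
redacted XX.XX.XX.XX addresses are replaced with RFC 5737 documentation
addresses (192.0.2.0/24, 203.0.113.1), which are placeholders only."""
import ipaddress
import re

PORT_NAMES = {"bgp": 179, "www": 80, "domain": 53}   # keywords used in the sample
ANY = ("0.0.0.0", "255.255.255.255")                  # address plus wildcard mask

SAMPLE_ACLS = """\
Standard IP access list 12
    10 permit 10.2.1.0, wildcard bits 0.0.0.127
Standard IP access list BGP_OUTGOING_ACL
    10 permit 203.0.113.1 (19 matches)
Extended IP access list 100
    10 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.1 eq bgp log (5864241 matches)
    20 permit tcp 192.0.2.0 0.0.0.255 eq bgp host 203.0.113.1 log (4527090 matches)
    50 permit ip any any (109310388 matches)
Extended IP access list INTERNET_ACCESS
    10 permit ip 10.2.1.0 0.0.0.127 any
    20 permit ip 10.2.1.0 0.0.0.127 any log
"""


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base))) & care == 0


def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def _take_port(tokens):
    """Consume an optional 'eq PORT' qualifier (only 'eq' is supported here)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_access_lists(text):
    """Parse 'show ip access-lists' output into {name: {type, entries}}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"\(\d+ matches\)", "", raw).strip()
        if not line:
            continue
        hdr = re.match(r"(Standard|Extended) IP access list (\S+)", line)
        if hdr:
            current = {"type": hdr.group(1).lower(), "entries": []}
            acls[hdr.group(2)] = current
            continue
        tokens = line.replace(",", "").split()
        entry = {"seq": int(tokens[0]), "action": tokens[1]}
        rest = tokens[2:]
        if current["type"] == "standard":
            # Standard lists match on source only; IOS prints 'A, wildcard bits W' or a bare host.
            src = (rest[0], rest[3]) if len(rest) > 1 and rest[1] == "wildcard" else (rest[0], "0.0.0.0")
            entry.update(proto="ip", src=src, sport=None, dst=ANY, dport=None, log=False)
        else:
            entry["proto"] = rest.pop(0)
            entry["src"], entry["sport"] = _take_addr(rest), _take_port(rest)
            entry["dst"], entry["dport"] = _take_addr(rest), _take_port(rest)
            entry["log"] = "log" in rest
        current["entries"].append(entry)
    return acls


def evaluate(acl, pkt):
    """Return (seq, action) of the first matching entry, or (None, 'deny')."""
    for e in acl["entries"]:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        return (e["seq"], e["action"])
    return (None, "deny")


def classify(acls, pkt):
    """Evaluate pkt against every list independently; a NAT rule only consults the list it names."""
    return {name: evaluate(acl, pkt) for name, acl in acls.items()}


if __name__ == "__main__":
    # Constructed packet: the thread's 10.2.1.1 source, as a TCP flow to port 80 on 72.14.209.104.
    pkt = {"proto": "tcp", "src": "10.2.1.1", "dst": "72.14.209.104", "sport": 40000, "dport": 80}
    for name, verdict in classify(parse_access_lists(SAMPLE_ACLS), pkt).items():
        print(f"{name:20} -> {verdict}")
```

A NAT rule consults only the list it names, so the verdict from access list 100 has no bearing on a rule bound to access list 12 or INTERNET_ACCESS; printing the per-list results makes that separation explicit, and also shows which sequence number a flow from the 10.2.1.0/25 range lands on in each list.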

Hello Scott. I see you have logging configured on the extended access-list. Configure logging buffered debugging,

run some extended pings from the source VLAN, similar to the ones you ran earlier, and check the logs to see what access-list they are matching.

Also, I noticed from your output that your NAT outside interface (ip nat outside) was configured for VLAN 1. Is that the interface pointing outside? Does the NAT pool PUBLIC match this interface?

The sh ip nat translations output will help also. Thanks

remember to rate post if it helps

Hi West,

Yes, unfortunately VLAN 1 was configured for the outside interface; yes, the NAT pool matches this interface.

Pro Inside global      Inside local       Outside local      Outside global
--- XX.XX.XX.XX      10.2.1.10          ---                ---
--- XX.XX.XX.XX      10.2.1.80          ---                ---

sh ip nat statistics
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
  Vlan1, Vlan99
Inside interfaces:
  Vlan300, Vlan303, Vlan999
Hits: 4012781  Misses: 0
CEF Translated packets: 3985743, CEF Punted packets: 19631979
Expired translations: 10386
Dynamic mappings:
-- Inside Source
[Id: 10] access-list 12 pool PUBLIC refcount 0
pool PUBLIC: netmask 255.255.255.252
        start XX.XX.XX.XX end XX.XX.XX.XX
        type generic, total addresses 2, allocated 0 (0%), misses 0


Will check the buffered debugging out of hours.

I have noticed static translations work correctly between interfaces, e.g. static NAT on a device in VLAN 300 will translate when accessing the translated address from 303.


Regards,

Scott
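The three show ip nat statistics dumps in this thread (the first post, the route-map attempt, and the one above) all carry the same signature: an inside-source mapping with refcount 0, a pool with 0 allocated, and 0 dynamic translations. The following is an added example, not code from the thread or from Cisco: a Python checker that parses that output, the translation table and the NAT configuration fragment, and reports those signs together with two configuration points worth a second look (one overload pool referenced by more than one inside-source rule, and ip nat translation timeout never, which stops dynamic entries from ever ageing out). The samples are constructed to mirror the posted output, with XX.XX.XX.XX kept as an opaque placeholder for the redacted addresses.

```python
"""Parse 'show ip nat statistics' / 'show ip nat translations' output and a NAT config
fragment, and flag the signs of an overload rule that never produces a translation.
Added example, not code from the thread or from Cisco. The samples are constructed to
mirror the outputs posted in this thread; XX.XX.XX.XX stands for the redacted public
addresses and is treated as an opaque token."""
import re

SAMPLE_STATS = """\
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
  Vlan1, Vlan99
Inside interfaces:
  Vlan300, Vlan303, Vlan999
Hits: 4012781  Misses: 0
Dynamic mappings:
-- Inside Source
[Id: 10] access-list 12 pool PUBLIC refcount 0
pool PUBLIC: netmask 255.255.255.252
        start XX.XX.XX.XX end XX.XX.XX.XX
        type generic, total addresses 2, allocated 0 (0%), misses 0
"""
SAMPLE_TRANS = """\
Pro Inside global      Inside local       Outside local      Outside global
--- XX.XX.XX.XX      10.2.1.10          ---                ---
--- XX.XX.XX.XX      10.2.1.80          ---                ---
"""
SAMPLE_CONFIG = """\
ip nat translation timeout never
ip nat pool PUBLIC XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.252
ip nat inside source list INTERNET_ACCESS pool PUBLIC overload
ip nat inside source route-map test pool PUBLIC overload
route-map test permit 10
 match ip address INTERNET_ACCESS
ip access-list standard INTERNET_ACCESS
 permit 10.2.1.0 0.0.0.127
"""


def parse_nat_statistics(text):
    """Return counters, inside/outside interface lists, dynamic mappings and pools."""
    grab = lambda pat: re.search(pat, text).groups()
    total, static, dynamic = map(int, grab(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic"))
    lines, ifaces = text.splitlines(), {}
    for i, line in enumerate(lines):
        if line.endswith("interfaces:"):  # 'Outside interfaces:' / 'Inside interfaces:'
            ifaces[line.split()[0].lower()] = [s.strip() for s in lines[i + 1].split(",")]
    mappings = [dict(id=int(m[0]), kind=m[1], name=m[2], pool=m[3], refcount=int(m[4])) for m in
                re.findall(r"\[Id: (\d+)\] (access-list|route-map) (\S+) pool (\S+) refcount (\d+)", text)]
    pools = [dict(name=m[0], netmask=m[1], start=m[2], end=m[3], total=int(m[5]), allocated=int(m[6]))
             for m in re.findall(r"pool (\S+): netmask (\S+)\s+start\s+(\S+)\s+end\s+(\S+)\s+type (\w+), "
                                 r"total addresses (\d+), allocated (\d+) \((\d+)%\), misses (\d+)", text)]
    return dict(total=total, static=static, dynamic=dynamic, mappings=mappings, pools=pools,
                outside=ifaces.get("outside", []), inside=ifaces.get("inside", []))


def parse_translations(text):
    """Rows have five columns; a '---' protocol column marks a static (non-overload) entry."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if line.startswith("Pro ") or len(f) != 5:
            continue
        rows.append(dict(proto=f[0], inside_global=f[1], inside_local=f[2],
                         outside_local=f[3], outside_global=f[4], static=f[0] == "---"))
    return rows


def check_config(config):
    """Static checks on the NAT statements themselves."""
    defined = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    defined |= set(re.findall(r"^access-list (\d+) ", config, re.M))
    rules = re.findall(r"^ip nat inside source (list|route-map) (\S+) pool (\S+)", config, re.M)
    findings = [f"NAT rule references access list {n}, which this config does not define"
                for k, n, _ in rules if k == "list" and n not in defined]
    pools = [p for _, _, p in rules]
    findings += [f"pool {p} is referenced by {pools.count(p)} inside-source rules; make sure the overlap is intended"
                 for p in sorted(set(pools)) if pools.count(p) > 1]
    if re.search(r"^ip nat translation timeout never", config, re.M):
        findings.append("ip nat translation timeout never: dynamic entries never age out, so stale flows "
                        "hold pool addresses and ports until someone clears them")
    return findings


def diagnose(stats, rows):
    """Runtime checks: does the dynamic rule show any sign of life?"""
    checks = [
        (not stats["inside"] or not stats["outside"],
         "NAT needs at least one 'ip nat inside' and one 'ip nat outside' interface"),
        (stats["mappings"] and stats["dynamic"] == 0,
         "dynamic mappings are configured but there are 0 dynamic translations"),
        (bool(rows) and all(r["static"] for r in rows),
         "translation table holds only static entries; the overload rule has produced none"),
    ]
    checks += [(m["refcount"] == 0, f"mapping [Id: {m['id']}] {m['kind']} {m['name']} has refcount 0: "
                "no active translation uses it") for m in stats["mappings"]]
    checks += [(p["allocated"] == 0, f"pool {p['name']}: 0 of {p['total']} addresses allocated")
               for p in stats["pools"]]
    return [msg for cond, msg in checks if cond]


if __name__ == "__main__":
    stats = parse_nat_statistics(SAMPLE_STATS)
    for finding in check_config(SAMPLE_CONFIG) + diagnose(stats, parse_translations(SAMPLE_TRANS)):
        print("-", finding)
```

Run against the posted output the checker reports the refcount 0 mapping, the 0-of-2 pool and the static-only translation table, and from the configuration the doubled pool reference and the never-expiring timeout. With overload on a two-address pool, the timeout setting matters operationally: each public address has a finite port range, and entries that never age out keep consuming it.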

Hello Scott,

Which router is it (platform/IOS version)? Is the ip routing command enabled on the router?

--Jigar

Hi Jigar,

System image file is "sup-bootflash:s6523-advipservicesk9-mz.122-33.SXH5.bin"; platform: cisco ME-C6524GT-8S

IP routing is enabled.

Regards,

Scott
