IOS 2 way NAT issue

Answered Question
Aug 26th, 2010

Have an issue trying to get IOS to NAT both src and dst addresses.

It looks like traffic is being NAT'ed OK going from outside to in, and I can see a response packet coming into the inside interface on the NAT router, but it gets lost and never makes it back through the outside interface.

When I ping from 1.1.1.2 to 172.109.31.1 there is no reply, but NAT seems to be working - only 1 way though

debug ip nat

*Mar  1 00:31:50.231: NAT*: o: icmp (1.1.1.2, 11) -> (172.109.31.1, 11) [55]   
*Mar  1 00:31:50.235: NAT*: o: icmp (1.1.1.2, 11) -> (172.109.31.1, 11) [55]
*Mar  1 00:31:50.235: NAT*: s=1.1.1.2->192.168.241.128, d=172.109.31.1 [55]
*Mar  1 00:31:50.239: NAT*: s=192.168.241.128, d=172.109.31.1->172.26.0.1 [55]

I feel I am missing something obvious

All assistance appreciated

test topology:

test rtr-------------outside---NATrtr----inside---------test target 172.26.0.1

cfg extract shown

interface FastEthernet0/0
 ip address 192.168.241.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 clock rate 2000000
!
!
ip route 172.26.0.0 255.255.0.0 192.168.241.2
!
!ip nat inside source static 172.26.0.1 172.109.31.1
ip nat outside source static 1.1.1.2 192.168.241.128
!

Nagaraja Thanthry Thu, 08/26/2010 - 09:27

Hello,

Please try using "NAT Virtual Router" feature and see if that helps.

interface FastEthernet0/0
 ip address 192.168.241.1 255.255.255.0
 no ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 no ip nat outside
 ip nat enable
 ip virtual-reassembly
 clock rate 2000000

Once you configure "ip nat enable" under both interfaces, remove and reapply the NAT rules.

Hope this helps.

Regards,

NT

Correct Answer
Lei Tian Thu, 08/26/2010 - 10:50

Hi,

I think for NVI, the regular NAT rule won't work. Because in NVI there is no concept of inside and outside network, you need to remove the inside/outside from your NAT rule.

I think your problem is there is no route for the return traffic. Try adding a static route for 192.168.241.128, pointing to s0/0, and see if that helps.

Regards,

Lei Tian

alpritchard Fri, 08/27/2010 - 05:36

Folks,

Many thanks for the replies... tried both.

The NVI did not help, but putting a static host route into the config achieved the desired result.

Interestingly, there is also an option to do this on the outside source static command: add-route

I stumbled over this by accident when trying out the suggestions.

cheers
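
Why the host route fixed it, as an added Python model (not from any poster in the thread, and not IOS code): for inside-to-outside traffic, classic IOS NAT performs the route lookup before translating, so the reply addressed to 192.168.241.128 matches the connected 192.168.241.0/24 on FastEthernet0/0 and never reaches Serial0/0. The routing table and the active inside static rule are assumptions reconstructed from the posted config and debug output; the function names are hypothetical.

```python
import ipaddress

# Interfaces and NAT roles taken from the posted config.
NAT_ROLE = {"FastEthernet0/0": "inside", "Serial0/0": "outside"}

# Routing table implied by the posted config (assumption: nothing else is configured).
BASE_ROUTES = [
    ("192.168.241.0/24", "FastEthernet0/0"),  # connected
    ("1.1.1.0/24", "Serial0/0"),              # connected
    ("172.26.0.0/16", "FastEthernet0/0"),     # static via 192.168.241.2
]
# The fix reported in the thread: a host route for the outside local address.
HOST_ROUTE = ("192.168.241.128/32", "Serial0/0")

# Static translations, local -> global (inside rule assumed active, as the debug shows).
INSIDE_STATIC = {"172.26.0.1": "172.109.31.1"}
OUTSIDE_STATIC = {"192.168.241.128": "1.1.1.2"}


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward_reply(routes, src, dst, in_iface="FastEthernet0/0"):
    """Inside-to-outside direction: route first, translate only if the
    packet goes from a NAT inside interface to a NAT outside interface."""
    out_iface = lookup(routes, dst)
    crosses_nat = (NAT_ROLE.get(in_iface) == "inside"
                   and NAT_ROLE.get(out_iface) == "outside")
    if crosses_nat:
        src = INSIDE_STATIC.get(src, src)
        dst = OUTSIDE_STATIC.get(dst, dst)
    return out_iface, src, dst, crosses_nat


if __name__ == "__main__":
    # Echo reply from the test target back toward the translated source.
    for label, routes in (("without host route", BASE_ROUTES),
                          ("with host route", BASE_ROUTES + [HOST_ROUTE])):
        print(label, forward_reply(routes, "172.26.0.1", "192.168.241.128"))
```

Without the host route the reply is sent back out FastEthernet0/0 untranslated, which matches the debug output showing translations in the outside-to-inside direction only.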
