IOS 2 way NAT issue

Answered Question
Aug 26th, 2010

Have an issue trying to get IOS to NAT both src and dst addresses.


It looks like traffic is being NAT'ed OK going from outside to in, and I can see a response packet coming into the inside interface on the NAT router, but it gets lost and never makes it back through the outside interface.


When I ping from 1.1.1.2 to 172.109.31.1 there is no reply, but NAT seems to be working, only one way though.


debug ip nat


*Mar  1 00:31:50.231: NAT*: o: icmp (1.1.1.2, 11) -> (172.109.31.1, 11) [55]   
*Mar  1 00:31:50.235: NAT*: o: icmp (1.1.1.2, 11) -> (172.109.31.1, 11) [55]
*Mar  1 00:31:50.235: NAT*: s=1.1.1.2->192.168.241.128, d=172.109.31.1 [55]
*Mar  1 00:31:50.239: NAT*: s=192.168.241.128, d=172.109.31.1->172.26.0.1 [55]


I feel I am missing something obvious.


All assistance appreciated





test topology:


test rtr-------------outside---NATrtr----inside---------test target 172.26.0.1


cfg extract shown


interface FastEthernet0/0
ip address 192.168.241.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
clock rate 2000000
!
!
ip route 172.26.0.0 255.255.0.0 192.168.241.2
!
!ip nat inside source static 172.26.0.1 172.109.31.1
ip nat outside source static 1.1.1.2 192.168.241.128
!

Nagaraja Thanthry (Cisco Employee) Thu, 08/26/2010 - 09:27

Hello,


Please try using "NAT Virtual Router" feature and see if that helps.


interface FastEthernet0/0
ip address 192.168.241.1 255.255.255.0
no ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0
ip address 1.1.1.1 255.255.255.0
no ip nat outside
ip nat enable
ip virtual-reassembly
clock rate 2000000


Once you configure "ip nat enable" under both interfaces, remove and reapply the NAT rules.


Hope this helps.


Regards,


NT

Correct Answer
Lei Tian (Cisco Employee) Thu, 08/26/2010 - 10:50

Hi,


I think for NVI, the regular NAT rule won't work. Because in NVI there is no concept of inside and outside network, you need to remove the inside/outside from your NAT rule.


I think your problem is there is no route for the return traffic. Try adding a static route for 192.168.241.128, pointing to s0/0, and see if that helps.


Regards,

Lei Tian

alpritchard Fri, 08/27/2010 - 05:36

Folks,


Many thanks for the replies... tried both.


The NVI did not help, but putting a static host route into the config achieved the desired result.


Interestingly, there is also an option to do this on the outside source static command: add-route


I stumbled over this by accident when trying out the suggestions.


cheers
