IOS 2 way NAT issue

alpritchard
Level 1

Have an issue trying to get IOS to NAT both src and dst addresses.

It looks like traffic is being NAT'ed OK going from outside to in, and I can see a response packet coming into the inside interface on the NAT router, but it gets lost and never makes it back through the outside interface.

When I ping from 1.1.1.2 to 172.109.31.1 there is no reply, but NAT seems to be working - only 1 way though.

debug ip nat

*Mar  1 00:31:50.231: NAT*: o: icmp (1.1.1.2, 11) -> (172.109.31.1, 11) [55]   
*Mar  1 00:31:50.235: NAT*: o: icmp (1.1.1.2, 11) -> (172.109.31.1, 11) [55]
*Mar  1 00:31:50.235: NAT*: s=1.1.1.2->192.168.241.128, d=172.109.31.1 [55]
*Mar  1 00:31:50.239: NAT*: s=192.168.241.128, d=172.109.31.1->172.26.0.1 [55]

I feel I am missing something obvious.

All assistance appreciated

test topology:

test rtr-------------outside---NATrtr----inside---------test target 172.26.0.1

cfg extract shown

interface FastEthernet0/0
 ip address 192.168.241.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 clock rate 2000000
!
!
ip route 172.26.0.0 255.255.0.0 192.168.241.2
!
!ip nat inside source static 172.26.0.1 172.109.31.1
ip nat outside source static 1.1.1.2 192.168.241.128
!

1 Accepted Solution

Lei Tian
Cisco Employee

Hi,

I think for NVI, the regular NAT rule won't work. Because in NVI there is no concept of inside and outside network, you need to remove the inside/outside from your NAT rule.

I think your problem is that there is no route for the return traffic. Try adding a static route for 192.168.241.128, pointing to s0/0, and see if that helps.

Regards,

Lei Tian

3 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Please try using "NAT Virtual Router" feature and see if that helps.

interface FastEthernet0/0
 ip address 192.168.241.1 255.255.255.0
 no ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 no ip nat outside
 ip nat enable
 ip virtual-reassembly
 clock rate 2000000

Once you configure "ip nat enable" under both interfaces, remove and reapply the NAT rules.

Hope this helps.

Regards,

NT

Folks,

many thanks for the replies... tried both.

The NVI did not help but putting a static host route into the config achieved the desired result.

Interestingly there is also an option to do this on the outside source static command ... add-route

I stumbled over this by accident when trying out the suggestions.

Cheers
