I'm currently studying for the CCNP TSHOOT exam.
I have set up a small lab with Cisco routers for testing...
In the attached file is the configuration of the 2611 router, which is currently doing the NAT between 2 other routers (a 2501, which is basically acting as a standard host, and a 4500 router, which is acting as a router on the Internet).
I used the ping command to generate traffic between my 2501 and 4500 routers. For testing, I'm sending my ping requests to the interface connected to the 2611 on the WAN side.
I received some replies from the 4500 on my 2501 router, but I also lost some of them, and I do not understand why. With sniffer software placed between the 2611 and the 4500, I see ping requests with the source interface of my 2501 router, but not NATed (in their original state). When I see this on the sniffer software, I do not receive a reply on my 2501 for my ping request (that's normal, but why is the IP address of my 2501 sometimes NATed and sometimes not?)
I defined my access-list on my 2611 as follows, to define which traffic should be NATed:
ip access-list extended INTERNE
 permit ip 192.168.2.0 0.0.0.255 any log
 permit icmp 192.168.2.0 0.0.0.255 any log
 deny ip any any log
 deny icmp any any log
Because I do not define access-lists very often, and to make all the tests simpler, I redefined the same access-list, but defining each specific host in the LAN. It looked like it was working a little bit better, but it does not always give the intended behavior.
Also, I ran "show ip nat translation" and saw my NAT entry; I ran it again later and did not see any entry. Maybe 5 min. passed between issuing those commands.
I also did the same test with a 1605 router doing the NAT, but I did not get much better results. Is it possible for someone to help me?
My 2611 router is currently running IOS: c2600-i-mz.122-8.T5.bin
My 1605 router is currently running IOS: c1600-y-mz.122-26c.bin
Thanks a lot!
The config looks normal to me.
Can you please enable "debug ip packet detail " and "debug ip nat" on 26xx router and then test ping from 2501? Pls capture and paste the information over here along with "sh ip nat translations". The "acl-num" is a new ACL permitting only ICMP traffic from/to 192.168.2.x so that we can limit the packets for our requirement.