NAT Cisco 2901

Unanswered Question
Mar 11th, 2012

I am attempting to configure a Cisco 2901 router using IOS 15 to properly perform NAT/PAT translation between LAN and the internet connection.

My Configuration:

interface GigabitEthernet0/0

ip address dhcp

ip nat outside

ip virtual-reassembly

no ip route-cache

duplex auto

speed auto

no cdp enable

no mop enabled

!

!

interface ISM0/0

no ip address

no ip route-cache

shutdown

service-module fail-open

no cdp enable

!

hold-queue 60 out

!

interface ISM0/1

no ip address

no ip route-cache

shutdown

no cdp enable

!

!

interface GigabitEthernet0/1

ip address 10.1.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

no ip route-cache

duplex auto

speed auto

no cdp enable

!

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

!

access-list 1 permit 10.1.1.0 0.0.0.255

!

But NAT does not work.

Any ideas?

ton_vanengelen Mon, 03/12/2012 - 03:44

Hi,

Is this all the configuration?

For I don't see a NAT pool.

Something like this, where 1.1.1.1 is just an example; replace it with your outside IP address:

ip nat pool POOL-NAME 1.1.1.1 1.1.1.1 netmask 255.255.255.240

ip nat inside source list 10 pool POOL-NAME overload

access-list 10 permit 10.1.1.0 0.0.0.255

jan.hrnko Mon, 03/12/2012 - 05:55

Hi Ton,

I don't think that the NAT pool is necessary, because NAT overload (PAT) with an overloaded interface is in use here. Therefore all private addresses are translated to the router's GigabitEthernet 0/0 interface address using different ports.

I believe that this is not causing the problem.

Best regards,

Jan

jan.hrnko Mon, 03/12/2012 - 07:13

Hi Ton,

You're welcome! Yeah, I think that all of us would appreciate more sleep at night or more coffee in the morning at least. Have a nice day!

Btw, I am really curious what could be the cause of the problem here...

Best regards,

Jan

jan.hrnko Mon, 03/12/2012 - 06:01

Hi,

I have tried a configuration similar to yours (NAT overload, overloaded interface with DHCP-assigned IP address) but it works. Are you absolutely sure that NAT is not working correctly? Can't there be any other problem? Please try to verify NAT by using the command: show ip nat translations. Also please check if the Gi0/0 interface has its IP address correctly assigned and if the default route is installed in the routing table.

Best regards,

Jan.

jersonjunior Mon, 03/12/2012 - 14:42

Hi everyone

My Full Configuration:

Current configuration : 2005 bytes

!

! Last configuration change at 21:40:23 UTC Mon Mar 12 2012

version 15.1

service config

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Volts

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 $1$wB9U$.k3JKiQCsqj6sXs9DW9FN/

enable password blaalalallalaa

!

no aaa new-model

no process cpu extended history

no process cpu autoprofile hog

!

no ipv6 cef

ip source-route

no ip routing

no ip cef

!

!

!

!

!

ip domain name 192.168.0.1

ip name-server 8.8.8.8

ip name-server 8.8.8.4

multilink bundle-name authenticated

!

!

!

!

!

crypto pki token default removal timeout 0

!

!

voice-card 0

!

!

!

license udi pid CISCO2901/K9 sn FTX153784LL

hw-module pvdm 0/0

!

!

!

!

redundancy

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

no ip route-cache

shutdown

no cdp enable

!

interface GigabitEthernet0/0

ip address dhcp

ip nat outside

ip virtual-reassembly in

no ip route-cache

duplex auto

speed auto

no cdp enable

no mop enabled

!

interface GigabitEthernet0/1

ip address 10.1.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

no ip route-cache

duplex auto

speed auto

no cdp enable

!

interface Serial0/0/0

no ip address

no ip route-cache

shutdown

no fair-queue

clock rate 2000000

ip default-gateway 192.168.0.1

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 192.168.0.1 254

!

access-list 1 permit 10.1.1.0 0.0.0.255

!

!

snmp-server community public RO

!

control-plane

!

!

voice-port 0/1/0

!

voice-port 0/1/1

!

!

!

mgcp profile default

!

!

!

!

!

gatekeeper

shutdown

!

!

!

line con 0

exec-timeout 0 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

password @#in4008@#

login

transport input all

!

scheduler allocate 20000 1000

end

jan.hrnko Mon, 03/12/2012 - 15:00

Hi Luiz,

I have just seen the config and I suppose I have an idea what could be causing the problem. PAT is ok, the default route is not.

In the output you gave us earlier there was this:

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

It is ok; it means that all traffic that cannot be routed by routing entries in the table is forwarded using interface Gi0/0.

But in the output you have provided now is this:

ip route 0.0.0.0 0.0.0.0 192.168.0.1 254

There is the IP address of the next hop. Don't you think this is causing the problem? The IP of the next hop should be a public IP address, not private! So you should use the ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 solution or something else, but definitely not a private IP address if you want to access the internet.

What do you think?

Best regards,

Jan

jersonjunior Mon, 03/12/2012 - 15:05

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

%Default route without gateway, if not a point-to-point interface, may impact performance

jersonjunior Mon, 03/12/2012 - 15:12

no ip route 0.0.0.0 0.0.0.0 192.168.0.1 254

%No matching route to delete

jersonjunior Mon, 03/12/2012 - 15:15

This route

route 0.0.0.0 0.0.0.0 192.168.0.1 254

was created automatically by DHCP

jan.hrnko Mon, 03/12/2012 - 15:33

Hi,

I see now. So you are using NAT two times? So therefore the problem could be 1. NAT is not working correctly - which I doubt because it seems to be configured properly... or something next on the link is not correct. Would you be so kind and try to ping the IP default gateway 192.168.0.1 from the host with the IP address 10.1.1.2? Immediately after that please do show ip nat translations. I forgot to mention that earlier, but if there are no active connections for some time, this command will have blank output.

Best regards,

Jan

jersonjunior Mon, 03/12/2012 - 14:44

But nothing, my station with IP 10.1.1.2 doesn't access the internet.

When I putty sh ip nat translation, the CLI doesn't return anything.

jan.hrnko Mon, 03/12/2012 - 14:50

Hi Luiz,

Please can you verify by the command sh ip route that the default route is installed in the routing table, and by using the command show ip interface gigabitEthernet 0/0 verify the correct state and IP of the interface? Please, if you would be so kind, paste the output from these two commands also. Thank you!

sh ip route

show ip interface gigabitEthernet 0/0

Best regards,

Jan

jersonjunior Mon, 03/12/2012 - 15:03

sh ip route

Default gateway is 192.168.0.1

Host               Gateway           Last Use    Total Uses  Interface

ICMP redirect cache is empty

show ip interface gigabitEthernet 0/0

GigabitEthernet0/0 is up, line protocol is up

  Internet address is 192.168.0.128/24

  Broadcast address is 255.255.255.255

  Address determined by DHCP

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is disabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is disabled

  IP Null turbo vector

  IP multicast fast switching is disabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are None

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is enabled, interface in domain outside

  BGP Policy Mapping is disabled

  Input features: Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check

  Output features: Post-routing NAT Outside, Stateful Inspection, NAT ALG proxy

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

dancicioiu Mon, 03/12/2012 - 15:35

Hi,

Besides the fact that I do not know what kind of internet access you have, using private IPs (192.168.0/24), you have a little config issue:

no ip routing

no ip cef

Enable routing and CEF:

conf t

ip routing

ip cef

end

wr mem

Dan
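
The prerequisites the replies in this thread check by eye (IP routing enabled, inside and outside interfaces marked, the ACL behind the NAT rule, a default route with a next hop) can also be checked mechanically against a saved running-config. The Python below is an added example, not part of the original thread; the function name, the finding labels and the trimmed sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample: only the NAT-relevant lines of the 2901 config from this thread.
SAMPLE = """\
no ip routing
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
ip default-gateway 192.168.0.1
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
access-list 1 permit 10.1.1.0 0.0.0.255
"""

def check_pat_prereqs(config):
    """Return findings for the interface-overload PAT prerequisites raised in this thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings, roles, iface = [], {}, None
    for l in lines:  # map each interface to its NAT role (inside/outside)
        m = re.match(r"interface (\S+)$", l)
        if m:
            iface = m.group(1)
        elif iface and l in ("ip nat inside", "ip nat outside"):
            roles[iface] = l.split()[-1]
    if "no ip routing" in lines:
        findings.append("routing-disabled: router acts as a host, nothing is forwarded or translated")
    for role in ("inside", "outside"):
        if role not in roles.values():
            findings.append(f"no-{role}-interface: no interface carries 'ip nat {role}'")
    acls = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) permit ", l))}
    for l in lines:  # every overload rule needs its ACL and an outside interface
        m = re.match(r"ip nat inside source list (\S+) interface (\S+) overload$", l)
        if m and m.group(1) not in acls:
            findings.append(f"missing-acl: list {m.group(1)} has no permit entry")
        if m and roles.get(m.group(2)) != "outside":
            findings.append(f"wrong-overload-interface: {m.group(2)} is not 'ip nat outside'")
    routes = [l.split()[4] for l in lines if l.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    if not routes:
        findings.append("no-default-route: 'ip default-gateway' is only used while routing is off")
    elif not any(re.match(r"\d+\.\d+\.\d+\.\d+$", r) for r in routes):
        findings.append("interface-only-default-route: no next-hop address on a multi-access link")
    return findings

if __name__ == "__main__":
    print("\n".join(check_pat_prereqs(SAMPLE)))
```
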

jan.hrnko Mon, 03/12/2012 - 15:40

Hi,

you are right! I have not seen it in the second configuration posted. It is most likely causing problems.

Best regards,

Jan

jersonjunior Mon, 03/12/2012 - 16:20

I do not know what is happening, I have a Cisco 3640 with NAT Running!

Jerson Júnior

dancicioiu Tue, 03/13/2012 - 02:24

Hi,

Please post:

ping 8.8.8.8

show ip route

show ip inter brie

Dan

jersonjunior Tue, 03/13/2012 - 16:25

ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/28/44 ms

show ip route

Default gateway is 192.168.0.1

Host               Gateway           Last Use    Total Uses  Interface

ICMP redirect cache is empty

show ip inter brie

Interface                  IP-Address      OK? Method Status                Protocol

Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down

GigabitEthernet0/0         192.168.0.128   YES DHCP   up                    up

GigabitEthernet0/1         10.1.1.1        YES NVRAM  up                    up

Serial0/0/0                unassigned      YES NVRAM  administratively down down

NVI0                       unassigned      YES unset  administratively down down

dancicioiu Tue, 03/13/2012 - 16:29

IP routing is not enabled!

Enable IP routing:

conf t

ip routing

end

After that, please paste show ip route

Dan

jersonjunior Tue, 03/13/2012 - 16:49

ip routing is enabled, but now ping to external does not work

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/0

      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.0.0/24 is directly connected, GigabitEthernet0/0

L        192.168.0.128/32 is directly connected, GigabitEthernet0/0

dancicioiu Wed, 03/14/2012 - 00:05

Hi,

That's ok.

You should change the default route

conf t

no ip route 0.0.0.0 0.0.0.0 Gi0/0

ip route 0.0.0.0 0.0.0.0 192.168.0.1

end

Try to access the internet. Tell me the result.

Dan

jersonjunior Wed, 03/14/2012 - 14:45

Nothing

I have a 3640 and NAT works with this configuration:

interface Ethernet0/0

ip address 10.1.1.253 255.255.255.0

ip nat inside

half-duplex

!

interface Ethernet1/0

no ip address

shutdown

half-duplex

!

interface FastEthernet2/0

description ### Internet GVT ###

ip address dhcp

ip nat outside

duplex auto

speed auto

!

ip default-gateway 192.168.1.1

ip nat inside source list 7 interface FastEthernet2/0 overload

ip nat inside source list 101 interface Ethernet0/0 overload

ip nat inside source static 10.1.1.253 192.168.1.4

ip nat inside source static tcp 10.1.1.253 80 192.168.1.2 80 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.1.1

no ip http server

!

!

access-list 7 permit 10.1.1.0 0.0.0.255

jersonjunior Wed, 03/14/2012 - 15:12

Hi everyone

NAT works now

Configuration:

interface GigabitEthernet0/0

ip address 192.168.1.4 255.255.255.0

ip nat outside

no ip virtual-reassembly in

duplex auto

speed auto

no cdp enable

no mop enabled

!

interface GigabitEthernet0/1

ip address 10.1.1.254 255.255.255.0

ip nat inside

no ip virtual-reassembly in

duplex auto

speed auto

no cdp enable

!

interface Serial0/0/0

no ip address

shutdown

no fair-queue

clock rate 2000000

!

ip default-gateway 192.168.1.1

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip nat inside source list 101 interface GigabitEthernet0/1 overload

ip nat inside source static 10.1.1.254 192.168.1.4

ip route 0.0.0.0 0.0.0.0 192.168.1.1

!

access-list 1 permit 10.1.1.0 0.0.0.255

jersonjunior Wed, 03/14/2012 - 15:35

I think the solution was:

ip nat inside source static 10.1.1.254 192.168.1.4

ip route 0.0.0.0 0.0.0.0 192.168.1.1

Posted March 11, 2012 at 12:16 PM