NAT on 2621 HELP!!!

Unanswered Question
Feb 17th, 2005

I have spent a few hours trying to NAT out a few intenal 192.168.x.x hosts through both my ethernet1/0 interface and also tryed using another IP from the range. Any help GREATLY appreciated. Thanks! (Config below)

Building configuration...

Current configuration : 1021 bytes


version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption


hostname 2621





enable secret xxxx

enable password xxxx


no aaa new-model

ip subnet-zero



ip name-server xx.xx.xx.xx

ip name-server xx.xx.xx.xx


ip audit po max-events 100


interface FastEthernet0/0

ip address 65.126.x.x.x.255.252

duplex auto

speed auto


interface FastEthernet0/1

ip address

ip nat inside

speed auto



interface Ethernet1/0

ip address 65.126.x.x.x.255.240

ip nat outside



ip nat inside source list 7 interface Ethernet1/0 overload

no ip http server

no ip http secure-server

ip classless

no ip route static inter-vrf

ip route 0.0.x.x.x.121.117


line con 0

line aux 0

line vty 0 4

password xxx






I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Josef Oduwo Thu, 02/17/2005 - 21:25

At first glance I think you may have to check or define access list 7 (see this line ip nat inside source list 7 interface Ethernet1/0 overload) that will state what traffic can proceed to e1/0.

Otherwise exactly what do you want NAT to do? has a very good piece on how NAT uses ACls and covers commonly used IP ACLs.



segillett Thu, 02/17/2005 - 21:35

thanks joe, since I posted i caught that and have this in there

access-list 7 permit

it still does not. I am really at a loss here sitting in the datacenter at 9;30pm. Do I need to route the 192.x.x.x somewhere (tried all options), thanks for any more advice.

Giulio Chiappini Sat, 05/26/2012 - 13:18

7 years old post but i have the CCNA Composite exam in 36 hours so i'll ignore that and answer.

I'm assuming a basic setup (like the one in the question) with PAT and many-to-one source translation.

The steps to properly configure NAT are:

1) list all your interfaces and track which ones are your *internal* interfaces and which one is your *external* one. In the configuration given by OP, the "inside" interface is Fastethernet 0/1. The "outside" interface is Ethernet 1/0.

2) Declare the interfaces one by one, this is done in the interface configuration dialog with the statement "ip nat inside" and "ip nat outside" for the respective interfaces.

3) Gather your traffic, with an ACL. This step is necessary to teach the router which traffic he should consider for Network Address Translation. It is achieved by an acl that permits traffic coming from the subnets configured on our "inside" interfaces. In this case,

segillett wrote:

thanks joe, since I posted i caught that and have this in there

access-list 7 permit

it still does not. I am really at a loss here sitting in the datacenter at 9;30pm. Do I need to route the 192.x.x.x somewhere (tried all options), thanks for any more advice.

The reason OP can't get NAT to work is because his ACL was at first absent, and subsequently mistyped.

It should be

ip access-list standard 7


deny any

The deny statement is implied but explicitly adding it simplifies troubleshooting as every packet matching it will show up in

# show access-lists

ACLs use a "wildcard" mask notation for defining  groups of addresses. For all intents and purposes at this level, they  are just another format  for the subnet masks but they can be used in  other ways.

You obtain your wildcard mask by subtracting the  subnet mask bits (in decimal) from In this case: - (the subnet mask for a /24 network) = Therefore, the mistake lies in the ACL statement.

4) Activate NAT with the general configuration dialog statement "ip nat inside source list LISTNAME interface INTERFACEID overload

5) Troubleshoot if needed by using show access-lists, show ip nat translations, debug ip nat . It only works when you see relevant data in the output of those commands.

You do *not* have to route anything, as that would defy the entire purpose of NAT.

If i made any mistake in my post please point it out. I think i got my head around NAT pretty ok but you never know.

Any feedback is welcome.


p.juarezponte Mon, 05/28/2012 - 04:19

I think Giulio's answer is quite good.

I'd only add one thing,

I would change

ip route 0.0.x.x.x.121.117

for this other line:

ip route Ethernet1/0

The router will not have to make another search and it should be faster.

You can view if NAT is the problem using

show ip nat translations

You should see if nat is working fine.

Can you ping the next hop interface eth1/0?

Is your Eth1/0 up up?

p.juarezponte Mon, 05/28/2012 - 04:33


If you can't ping the other interface, make sure your ip address of your ETH1/0 have an ip adress between and (except the next hop

and eth1/0 should be up up, of course.

I hope this helps


Login or Register to take actions

This Discussion

Posted February 17, 2005 at 9:00 PM
Replies:5 Overall Rating:
Views:599 Votes:0
Tags: No tags.