Solved: Re: NAT issue

ruliffilur · ‎12-16-2006

Hello

I?ve got a NAT problem on a Cisco 1721 router with an IOS version of 12.4.12. I cant get NAT to work at all, have configured the usual "ip nat inside/outside" "ip nat inside source list 1 int <my internal interfance> overload and a access list for my internal network this is my old config from version 12.2:

version 12.2

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname Stormwind

!

no logging console

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

!

ip audit notify log

ip audit po max-events 100

vpdn enable

!

vpdn-group 1

! Default L2TP VPDN group

! Default PPTP VPDN group

accept-dialin

protocol any

virtual-template 1

!

interface Ethernet0

description Interface to Home LAN

ip address 172.16.25.1 255.255.255.0

ip nat inside

half-duplex

!

interface FastEthernet0

description Interface to WAN Internet

ip address dhcp

ip nat outside

speed auto

!

interface Serial0

no ip address

shutdown

!

interface Virtual-Template1

description Interface for VPN connections

ip unnumbered FastEthernet0

no keepalive

peer default ip address pool test

ppp encrypt mppe 128

ppp authentication ms-chap

!

ip local pool test 172.16.25.11 172.16.25.20

ip nat inside source list 1 interface FastEthernet0 overload

ip classless

no ip http server

ip pim bidir-enable

!

access-list 1 permit 172.16.25.0 0.0.0.255 log

access-list 1 remark NAT accesslist

no cdp run

!

line con 0

login local

line aux 0

login local

line vty 0 4

login local

transport preferred ssh

transport input ssh

transport output ssh

line vty 5 15

login local

transport preferred ssh

transport input ssh

transport output ssh

!

no scheduler allocate

end

I used this on a Cisco 1720 and also a 1605 that one with a 12.3 ios and it worked just fine. On the other hand this 1721 wont nat a packet. I dont get any hits in the access list nor the nat translation table. Once difference I?ve noticed is that the 1721 activates a nvi0 interface the others didnt, have nat configurations changed in ios 12.4? Also tried this "NAT on a Stick" with my 1721 and it worked fine, I could nat from my local physical router interface to a loopack without any problems.

So anyone that can help with this problem?

//Johan

ovt · ‎12-16-2006

Remove "log" from your "access-list 1" and it will work just fine.

View solution in original post

ovt · ‎12-16-2006

Remove "log" from your "access-list 1" and it will work just fine.

ruliffilur · ‎12-16-2006

Thank you it works now.

mtechnology · ‎12-18-2006

Can anyone explain the above behavior when the log keyword was used.

sourabhagarwal · ‎12-18-2006

The log keyword at the end of the individual ACL entries shows the ACL number and whether the packet was permitted or denied, in addition to port-specific information.

hope to help ... rate if it does ....

mtechnology · ‎12-20-2006

Hi Sourabh,

I know the use of the log keyword in an access-list.

What i want to understand is how the nAT started working if you remove the Log keyword

ovt · ‎12-20-2006

I guess that NATing is performed in CEF switching path and "log" requires all packets to be sent via process switching path. This might be the source of the problem.