Running 15.4(2)S on the ASR 901. Trying to do a simple NAT in my lab. The problem I'm having is that the host directly connected to the router doesn't NAT, but if I source a ping from the inside interface it NATs just fine. Both are on the same network and use the same ACL to match criteria. Routes to destination are there as the directly connected host is still able to ping it, just not getting translated.
ASR 901 relevant config:
!
interface GigabitEthernet0/4
 no ip address
 negotiation auto
 service instance 41 ethernet
  encapsulation dot1q 41
  rewrite ingress tag pop 1 symmetric
  bridge-domain 41
!
!
interface GigabitEthernet0/6
 no ip address
 negotiation auto
 service instance 2 ethernet
  encapsulation untagged
  bridge-domain 2
!
(EFP is matching untagged because I'm sending pings from directly connected laptop without tagging)
!
interface Vlan41
 ip address 126.96.36.199 255.255.255.252
 ip nat outside
!
interface Vlan2
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
access-list 50 permit 192.168.200.0 0.0.0.255
ip nat inside source list 50 interface Vlan41 overload
Source ping from the inside NAT interface translates fine. A host connected to the g0/6 interface pings 188.8.131.52 fine but doesn't translate; its IP is 192.168.200.2/24.
lab-asr-901#ping 184.108.40.206 source vlan 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds:
Packet sent with a source address of 192.168.200.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

lab-asr-901#show ip nat translations
Pro  Inside global       Inside local      Outside local      Outside global
icmp 18.104.22.168:1024  192.168.200.1:23  22.214.171.124:23  126.96.36.199:1024
Prerequisites for Configuring NAT for IP Address Conservation
This feature is supported only on the following PIDs of the Cisco ASR 901 Router: A901-6CZ-FS-D and A901-6CZ-FS-A.
There's also reference to the IOS that supports it or not:
This feature is available only on the new software image named asr901sec-universalk9.mz. (This feature is not available on the standalone software image named asr901-universalk9.mz. If you use asr901sec-universalk9.mz in an unsupported Cisco ASR 901 PID, the router issues a warning message and loads the software with basic features.)
The problem I experience is that the router (ASR 901) will not NAT anything coming from the connected switch (Cisco 2960). I have 2 VLANs trunking up to the ASR 901. The ASR 901 is configured to use the tagged traffic from the switch via the bridge domains. With this configuration I have normal L2 connectivity (DHCP for both VLANs, with different subnets, from the router to each VLAN works great), but it won't even try to NAT it. However, if I ping 188.8.131.52 and source one of the SVIs attached to the bridge-domain on the ASR, it works great and I can see the NAT translations.
Not sure why it won't NAT traffic coming from the switch, but it will when locally sourcing an IP from the same subnet?