Cisco Support Community
New Member

ASR 901 NAT not working

Running 15.4(2)S on the ASR 901. Trying to do a simple NAT in my lab. The problem I'm having is that the host directly connected to the router doesn't NAT but if I source a ping from the inside interface it NAT's just fine. Both are on the same network and use the same ACL to match criteria. Routes to destination are there as the directly connected host is still able to ping it, just not getting translated.

 

ASR 901 relevant config:

!
interface GigabitEthernet0/4
 no ip address
 negotiation auto
 service instance 41 ethernet
  encapsulation dot1q 41
  rewrite ingress tag pop 1 symmetric
  bridge-domain 41
 !

!
interface GigabitEthernet0/6
 no ip address
 negotiation auto
 service instance 2 ethernet
  encapsulation untagged
  bridge-domain 2
 !

(EFP is matching untagged because I'm sending pings from directly connected laptop without tagging)

!
interface Vlan41
 ip address 1.1.1.2 255.255.255.252
 ip nat outside
!
interface Vlan2
 ip address 192.168.200.1 255.255.255.0
 ip nat inside

 

access-list 50 permit 192.168.200.0 0.0.0.255

ip nat inside source list 50 interface Vlan41 overload

 

Source ping from the inside NAT interface translates fine. A host connected to the g0/6 interface pings 2.2.2.2 fine but doesn't translate; its IP is 192.168.200.2/24.

lab-asr-901#ping 2.2.2.2 source vlan 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.200.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

lab-asr-901#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.2:1024 192.168.200.1:23 2.2.2.2:23         2.2.2.2:1024

 

Ideas?

 

4 REPLIES
New Member

I am having the exact same problem, please help !!

Cisco Employee

Hi there,

 

Pay special attention to the model of your ASR901 and the NAT restrictions documented here:

http://www.cisco.com/c/en/us/td/docs/wireless/asr_901/Configuration/Guide/b_asr901-scg/b_asr901-scg_chapter_0110000.html

 

Prerequisites for Configuring NAT for IP Address Conservation

 

This feature is supported only on the following PIDs of the Cisco ASR 901 Router: A901-6CZ-FS-D and A901-6CZ-FS-A.

 

There's also reference to the IOS that supports it or not:

 

This feature is available only on the new software image named asr901sec-universalk9.mz. (This feature is not available on the standalone software image named asr901-universalk9.mz. If you use asr901sec-universalk9.mz in an unsupported Cisco ASR 901 PID, the router issues a warning message and loads the software with basic features.)

 

I hope this is useful!

 

-Adrian

CCIE R&S # 37469

New Member

The problem I experience is that the router (ASR 901) will not NAT anything coming from the connected switch (Cisco 2960). I have 2 VLANs trunking up to the ASR 901. The ASR 901 is configured to use the tagged traffic from the switch via the bridge domains. With this configuration I have normal L2 connectivity (DHCP for both VLANs, with different subnets, from the router to each VLAN works great), but it won't even try to NAT it. However, if I ping 8.8.8.8 and source one of the SVIs attached to the bridge-domain on the ASR, it works great and I can see the NAT translations.

Not sure why it won't NAT traffic coming from the switch, but it will when locally sourcing an IP from the same subnet?

Cisco Employee

Well it could behave that way if it's not one of the supported routers.

 

I've seen that happen in other pieces of equipment where the commands are available BUT the feature isn't supported by the hardware.

 

If your router is NOT one of these models (A901-6CZ-FS-D or A901-6CZ-FS-A) then it won't support the feature.

 

You can check with the "show version" output.

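Added example, not part of the thread and not Cisco code: a Python check that the NAT statements posted in the question are internally consistent (inside/outside marking, ACL coverage of the inside subnet, overload interface). A clean result leaves the PID and image restrictions quoted in the replies as the thing to verify. The function names are hypothetical and the parser handles only the statement forms that appear in the post.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines from the configuration posted in the thread.
CONFIG = """\
interface Vlan41
 ip address 1.1.1.2 255.255.255.252
 ip nat outside
!
interface Vlan2
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
!
access-list 50 permit 192.168.200.0 0.0.0.255
ip nat inside source list 50 interface Vlan41 overload
"""

def parse(config):
    """Return (interfaces, acls, nat_rules) from IOS-style config text."""
    ifaces, acls, rules, cur = {}, {}, [], None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"interface (\S+)", s):
            cur = ifaces.setdefault(m[1], {"net": None, "nat": None})
        elif line.startswith(" ") and cur is not None:
            if m := re.match(r"ip address (\S+) (\S+)$", s):
                cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.match(r"ip nat (inside|outside)$", s):
                cur["nat"] = m[1]
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)$", s):
            # ip_network accepts a contiguous wildcard mask as a host mask.
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"ip nat inside source list (\d+) interface (\S+) overload", s):
            rules.append((m[1], m[2]))
    return ifaces, acls, rules

def audit(config):
    """List configuration reasons the overload rule would not match inside traffic."""
    ifaces, acls, rules = parse(config)
    inside = {n: i for n, i in ifaces.items() if i["nat"] == "inside"}
    problems = [] if rules and inside else ["missing NAT rule or 'ip nat inside' interface"]
    for acl, out_if in rules:
        if ifaces.get(out_if, {}).get("nat") != "outside":
            problems.append(f"{out_if} is not marked 'ip nat outside'")
        for name, i in inside.items():
            if i["net"] is None or not any(i["net"].subnet_of(a) for a in acls.get(acl, [])):
                problems.append(f"ACL {acl} does not permit the subnet of {name}")
    return problems
```

Calling `audit(CONFIG)` on the posted configuration returns an empty list, so the host at 192.168.200.2 falls inside ACL 50 and the statements themselves are not what prevents translation.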