Cisco Support Community

New Member

ip nat inside source static not working

Hi all,

 

I have a 2951 configured with subinterfaces (for the inside networks) and NAT.

Outside NAT is working just fine but inside NAT is not working and I have no clue...

configs:

interface GigabitEthernet0/0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip helper-address 192.168.10.10
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.10.10
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip access-group 101 in
 ip helper-address 192.168.10.10
 ip nat inside
 ip virtual-reassembly in

ip nat inside source static tcp 192.168.10.10 3389 interface GigabitEthernet0/0 3389
ip nat inside source route-map NAT interface GigabitEthernet0/0 overload

 

I'm not able to get a connection from outside to inside:

#sh ip nat trans

Pro Inside global         Inside local          Outside local         Outside global
tcp xxx.xxx.xxx.xxx:3389    192.168.10.10:3389    yyy.yyy.yyy.yyy:45378    yyy.yyy.yyy.yyy:45378
tcp xxx.xxx.xxx.xxx:3389    192.168.10.10:3389    ---                   ---

 

#sh ip nat stat
Total active translations: 426 (0 static, 426 dynamic; 426 extended)
Peak translations: 1144, occurred 02:05:28 ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces: 
  GigabitEthernet0/1.10, GigabitEthernet0/1.20, GigabitEthernet0/1.30
Hits: 1888451  Misses: 0
CEF Translated packets: 1849109, CEF Punted packets: 39341
Expired translations: 31243
Dynamic mappings:
-- Inside Source
[Id: 2] route-map NAT interface GigabitEthernet0/0 refcount 424

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

 

Nothing appears at the static translations.

 

The router is running 15.4.2.T, but I also tried several 15.2 releases and always got the same behaviour.

 

 

  • WAN Routing and Switching


Hello

What is your route-map NAT referencing?

 

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
New Member


Hi,

 

route-map NAT permit 10
 match ip address 100
!
!
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any

 


Hello

I am not sure I understand the logic of this access list regarding NATting. Are you trying to prohibit NAT between these two private subnets? If so, I am of the understanding that NAT won't occur for these internal subnets anyway.

Have you tried just using a standard ACL for your NAT source list?

no ip nat inside source route-map NAT interface GigabitEthernet0/0 overload
no access-list 100

access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload

 

res

Paul

 

Please don't forget to rate any posts that have been helpful. Thanks.
New Member


Hi,

 

Those networks are outside and they cannot be NATed.

I also tried with the ACL only instead of the ROUTE-MAP, but the result is the same.

The problem is not on the outbound side (outbound is working fine); the problem is inbound: the traffic reaches the router but it is not being sent to the server inside.

 

Regards

New Member


You need to check your routing my friend.

For the server to be NATed it needs reachability to the NAT router and vice versa. I have simulated it and it works for me with two commands:

 

R4-------------R3---------IN----------R1----------OUT------------R2

ip nat inside source list TEST interface FastEthernet0/0 overload    -----------> outside interface
ip nat inside source static tcp 192.168.10.4 23 interface FastEthernet0/0 2333

So the outside router is telnetting to R4 from its loopback, and translation takes place.

Inside router R4 can easily reach the loopback when I launch a ping.

R4 and R3 need a default route through their respective gateways.

 

See the debug when R2 telnets R4 via its loopback 1.1.1.1

 

R1(config)#
*Mar  1 00:25:31.023: NAT*: o: tcp (1.1.1.1, 41375) -> (193.201.205.1, 2333) [52686]
*Mar  1 00:25:31.023: NAT*: o: tcp (1.1.1.1, 41375) -> (193.201.205.1, 2333) [52686]
*Mar  1 00:25:31.023: NAT*: TCP s=41375, d=2333->23
*Mar  1 00:25:31.023: NAT*: s=1.1.1.1, d=193.201.205.1->192.168.10.4 [52686]
*Mar  1 00:25:31.071: NAT*: i: tcp (192.168.10.4, 23) -> (1.1.1.1, 41375) [10270]
*Mar  1 00:25:31.071: NAT*: TCP s=23->2333, d=41375
*Mar  1 00:25:31.071: NAT*: s=192.168.10.4->193.201.205.1, d=1.1.1.1 [10270]

 

R4 now pinging outside router R2

*Mar  1 00:31:35.227: NAT: [0] Allocated Port for 192.168.10.4 -> 193.201.205.1: wanted 7 got 7
*Mar  1 00:31:35.231: NAT*: i: icmp (192.168.10.4, 7) -> (193.201.205.2, 7) [24]
*Mar  1 00:31:35.231: NAT*: i: icmp (192.168.10.4, 7) -> (193.201.205.2, 7) [24]
*Mar  1 00:31:35.231: NAT*: s=192.168.10.4->193.201.205.1, d=193.201.205.2 [24]
*Mar  1 00:31:35.243: NAT*: o: icmp (193.201.205.2, 7) -> (193.201.205.1, 7) [24]
*Mar  1 00:31:35.243: NAT*: s=193.201.205.2, d=193.201.205.1->192.168.10.4 [24]
 

 

let me know if this helps

 

Silver


Can you do a "debug ip nat trans" and try to connect? Do you see anything in the debug that suggests it is actually reaching the router?

New Member


Hi,

With the "sh ip nat trans" I can see it's there:

#sh ip nat trans

Pro Inside global         Inside local          Outside local         Outside global
tcp xxx.xxx.xxx.xxx:3389    192.168.10.10:3389    yyy.yyy.yyy.yyy:45378    yyy.yyy.yyy.yyy:45378

 

I have also created a ACL applied on the outside allowing the traffic to 3389 and I can see the hits on the ACL going up.

The "debug ip nat" will give me a lot of traffic and it's not easy to check, because I have more than 100 hosts inside using NAT to access the internet.

 

Regards

 

Silver


Is it possible to see the ACL? You can do "debug ip nat <access-list>" to filter debug output.

Obvious question but can you see 192.168.10.10 from the router and is it listening on TCP port 3389?

New Member


Right now there is no ACL.

The router can ping 192.168.10.10 and 3389 is listening, from the router:

#telnet 192.168.10.10 3389
Trying 192.168.10.10, 3389 ... Open

 

The debug:

*May 30 09:58:16.915: NAT*: s=x.x.x.x, d=y.y.y.y->192.168.10.10 [3985]
*May 30 09:58:17.915: NAT*: s=x.x.x.x, d=y.y.y.y->192.168.10.10 [3986]

x.x.x.x -> the public IP outside the network

y.y.y.y -> the public IP of the router at int g0/0
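Both debug captures in this thread (the R1 lab output earlier, and the two `s=x.x.x.x, d=y.y.y.y->192.168.10.10` lines in the reply above) use the same `debug ip nat` address-translation line format, and the difference between them is the whole diagnosis: in the lab, every inbound `d=...->inside` line is followed by an outbound `s=inside->...` line for the same pair of hosts; in the reply above there are only inbound lines. As an added example that is not part of the original thread, here is a small Python script that parses those lines, pairs inbound (destination-rewritten) packets with outbound (source-rewritten) packets per outside host / inside host, and reports flows the router translated inbound but never saw come back from the inside host. The sample input is constructed: it reuses the lab lines verbatim and substitutes the documentation addresses 203.0.113.5 (outside client) and 198.51.100.1 (router outside address) for the x.x.x.x / y.y.y.y placeholders.

```python
import re
from collections import defaultdict

# Address-translation line of `debug ip nat`, in both directions, e.g.
#   NAT*: s=1.1.1.1, d=193.201.205.1->192.168.10.4 [52686]  (inbound: dst rewritten)
#   NAT*: s=192.168.10.4->193.201.205.1, d=1.1.1.1 [10270]  (outbound: src rewritten)
# The "TCP s=41375, d=2333->23" port lines and the "o:"/"i:" lines carry no
# trailing [ip-id] in the same position and are deliberately not matched.
ADDR_LINE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<id>\d+)\]"
)


def parse_translation(line):
    """Return (direction, outside_host, inside_local, ip_id) or None.

    direction is "in" when the destination was rewritten (outside -> inside)
    and "out" when the source was rewritten (inside -> outside)."""
    m = ADDR_LINE.search(line)
    if not m:
        return None
    s, s2, d, d2, ipid = m.group("s", "s2", "d", "d2", "id")
    if d2 and not s2:
        return ("in", s, d2, int(ipid))
    if s2 and not d2:
        return ("out", d, s, int(ipid))
    return None  # both or neither rewritten: not a simple inside-NAT line


def flow_summary(lines):
    """Count inbound and outbound translated packets per (outside, inside) pair."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        rec = parse_translation(line)
        if rec:
            direction, outside, inside, _ = rec
            counts[(outside, inside)][direction] += 1
    return dict(counts)


def half_open_flows(lines):
    """(outside, inside) pairs the router translated inbound but for which it
    never translated a packet from the inside host back out. From the NAT
    router's point of view that is what a broken return path looks like."""
    return sorted(k for k, c in flow_summary(lines).items()
                  if c["in"] and not c["out"])


# Constructed sample: the lab lines from the thread plus a half-open flow in the
# same shape as the final reply (placeholders replaced with documentation IPs).
SAMPLE_DEBUG = """\
*Mar  1 00:25:31.023: NAT*: o: tcp (1.1.1.1, 41375) -> (193.201.205.1, 2333) [52686]
*Mar  1 00:25:31.023: NAT*: TCP s=41375, d=2333->23
*Mar  1 00:25:31.023: NAT*: s=1.1.1.1, d=193.201.205.1->192.168.10.4 [52686]
*Mar  1 00:25:31.071: NAT*: i: tcp (192.168.10.4, 23) -> (1.1.1.1, 41375) [10270]
*Mar  1 00:25:31.071: NAT*: TCP s=23->2333, d=41375
*Mar  1 00:25:31.071: NAT*: s=192.168.10.4->193.201.205.1, d=1.1.1.1 [10270]
*May 30 09:58:16.915: NAT*: s=203.0.113.5, d=198.51.100.1->192.168.10.10 [3985]
*May 30 09:58:17.915: NAT*: s=203.0.113.5, d=198.51.100.1->192.168.10.10 [3986]
*May 30 09:58:18.915: NAT*: s=203.0.113.5, d=198.51.100.1->192.168.10.10 [3987]
"""

if __name__ == "__main__":
    lines = SAMPLE_DEBUG.splitlines()
    for pair, c in flow_summary(lines).items():
        print(f"{pair[0]} <-> {pair[1]}: in={c['in']} out={c['out']}")
    for outside, inside in half_open_flows(lines):
        print(f"HALF-OPEN: {outside} -> {inside}: inbound translated, "
              f"no packet from {inside} ever hit an 'ip nat inside' interface")
```

Feed it the saved output of a filtered `debug ip nat <acl>` (as suggested earlier in the thread) or the relevant part of `show logging`. A pair listed as half-open means the NAT entry and the outside-to-inside forwarding are doing their job and the gap is on the return leg: the inside host's reply either never leaves the host (not listening on that address, host firewall) or leaves via a path that does not cross one of the router's `ip nat inside` interfaces (wrong default gateway, asymmetric routing). Repeating inbound lines one second apart with consecutive IP IDs, as in the sample, are consistent with the client retransmitting its SYN while it waits for a reply that never arrives.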

 
