I am trying to get NAT to work on a 7613 w/sup720 and am having some unexpected results.
IOS Version 12.2(18)SXF7
Here is the config:
ip address X.X.100.1 255.255.255.0
ip nat outside
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip nat inside source list 105 interface GigabitEthernet9/44 overload
access-list 105 permit ip 192.168.100.0 0.0.0.255 any
The unexpected results are that the access list is not getting any hits when I try to ping through to a public address. I debug NAT and do not see any log entries, so then I tried adding the public network to the access list and started to see hits on the access list and NAT log entries???
"ip nat inside source list" command performs the following tasks:
1) Translates the source of the IP packets that travel outside to inside.
2) Translates the destination of the IP packets that travel inside to outside.
The access list should contain the public IP address for the NAT to work properly and to be able to ping the public IP address.
For details on Inside NAT refer:
Don't see your pool for NAT overload... I'm not a NAT expert but shouldn't you have
ip nat pool pool30 220.127.116.11 18.104.22.168 netmask 255.255.255.192
HTH, Please rate if so
Thanks for the reply.
All of the documentation, including the link you provided (bottom of the page Example), shows an access list permitting only the inside networks. My understanding is that the first part of the "ip nat inside source list" command is to identify the inside ip addresses and the second part identifying the outside interface (or pool). I think I should see the access list be hit when I ping from an inside address to an outside address??
Andrew, are you saying that you cannot reach any external addresses from the inside network -- as you have configured it to do?
Or are you saying that you do have connectivity to external addresses, but that you don't see the ACL hitting up?
OK, it doesn't work.
Is your routing correct? Do you have a route to the destination networks in your routing table? If not, the router will drop the packet before even trying to do any NATing (order of operations).
I do not have a static route but there is a local route (directly connected).
1#sho ip route 192.168.100.0
Routing entry for 192.168.100.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via GigabitEthernet9/45
Route metric is 0, traffic share count is 1
Of course you have a directly connected route to a network that your interface belongs to.
I was asking about a route in the routing table for the destination network.
A router routes a packet based on the destination IP address in the IP datagram header it receives on its interface, unless PBR is being used, which is another story.
Do you have a route to the destination network?
Yes, this router has a full BGP route table. The destination network is definitely known. I can ping the address from the router.
How about you post the entire config and let's take a closer look at everything?
I meant to ask you about the 'portfast' configs on the L3 interfaces? Why do you have them? Portfast is an STP feature that is applied to L2 interfaces that connect end-users.
Curious, are both those interfaces in an 'up, up' state?
I'm also trying to remember if you have to configure the 'no switchport' command to make it an L3 interface on the 7613.
The portfast was leftover from a previous role this interface had. I removed it on both and still no luck.
You do have to execute the no switchport command before you assign an IP address to an interface. Both of the interfaces are up and can be reached via ping.
I will post the entire config tomorrow.
Thanks for your help.