Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAT problem, [NAT: translation failed (E)]

hello!

i have a problem on a 1812 router in NATing to the outside interface.

the config:

Router(config)#do show run

Building configuration...

Current configuration : 1447 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

logging buffered 20000

!

no aaa new-model

!

!

dot11 syslog

!

!

ip cef

!

!        

!

multilink bundle-name authenticated

!

!

!

!

archive

log config

  hidekeys

!

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface FastEthernet0

ip address 1.1.1.1 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet1

no ip address

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Vlan1

no ip address

!

interface Vlan5

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 FastEthernet1

!

!

no ip http server

no ip http secure-server

ip nat inside source route-map NAT interface FastEthernet1 overload

!

ip access-list extended NAT_ADRESE

permit ip any any

!

!        

!

!

route-map NAT permit 1

match ip address NAT_ADRESE

!

!

!

!

control-plane

!

!

line con 0

logging synchronous

line aux 0

line vty 0 4

password a

login

transport input telnet

line vty 5 15

password a

login

transport input telnet

!        

end

when i try to telnet to the fa 0 interface (1.1.1.1) from a directly connected PC (1.1.1.2) i get this debug output:

Router#

*Nov  3 09:29:30.359: IP: tableid=0, s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), routed via RIB

*Nov  3 09:29:30.359: IP: s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), len 52, rcvd 3

*Nov  3 09:29:30.359: IP: tableid=0, s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), routed via FIB

*Nov  3 09:29:30.359: IP: s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), len 44, sending

*Nov  3 09:29:30.359: NAT: translation failed (E), dropping packet s=1.1.1.1 d=1.1.1.2

Router#

*Nov  3 09:29:32.359: IP: tableid=0, s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), routed via FIB

*Nov  3 09:29:32.359: IP: s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), len 44, sending

*Nov  3 09:29:32.359: NAT: translation failed (E), dropping packet s=1.1.1.1 d=1.1.1.2

Router#

*Nov  3 09:29:33.363: IP: tableid=0, s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), routed via RIB

*Nov  3 09:29:33.363: IP: s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), len 52, rcvd 3

*Nov  3 09:29:33.363: IP: tableid=0, s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), routed via FIB

*Nov  3 09:29:33.363: IP: s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), len 40, sending

*Nov  3 09:29:33.363: NAT: translation failed (E), dropping packet s=1.1.1.1 d=1.1.1.2

Router#

*Nov  3 09:29:36.359: IP: tableid=0, s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), routed via FIB

*Nov  3 09:29:36.359: IP: s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), len 44, sending

*Nov  3 09:29:36.359: NAT: translation failed (E), dropping packet s=1.1.1.1 d=1.1.1.2

Router#

*Nov  3 09:29:39.359: IP: tableid=0, s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), routed via RIB

*Nov  3 09:29:39.359: IP: s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), len 48, rcvd 3

*Nov  3 09:29:39.359: IP: tableid=0, s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), routed via FIB

*Nov  3 09:29:39.359: IP: s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), len 40, sending

*Nov  3 09:29:39.359: NAT: translation failed (E), dropping packet s=1.1.1.1 d=1.1.1.2

Router#

*Nov  3 09:29:44.359: IP: tableid=0, s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), routed via FIB

*Nov  3 09:29:44.359: IP: s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), len 44, sending

*Nov  3 09:29:44.359: NAT: translation failed (E), dropping packet s=1.1.1.1 d=1.1.1.2

this is very strange to me because the NAT statement refers to the access-list which permits all ip traffic!

then i discovered that when i edit the access-list and remove the permit statement and only have the deny one

!

ip access-list extended NAT_ADRESE

deny   ip any any log

!

everything works fine:

Router#

*Nov  3 09:31:01.175: IP: tableid=0, s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), routed via RIB

*Nov  3 09:31:01.175: IP: s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), len 52, rcvd 3

*Nov  3 09:31:01.175: IP: tableid=0, s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), routed via FIB

*Nov  3 09:31:01.175: IP: s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), len 44, sending

*Nov  3 09:31:01.175: IP: tableid=0, s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), routed via RIB

*Nov  3 09:31:01.175: IP: s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), len 40, rcvd 3

*Nov  3 09:31:01.175: IP: tableid=0, s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), routed via RIB

*Nov  3 09:31:01.175: IP: s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), len 46, rcvd 3

*Nov  3 09:31:01.175: Telnet6: 1 1 251 1

*Nov  3 09:31:01.179: TCP6: Telnet sent WILL ECHO (1)

*Nov  3 09:31:01.179: Telnet6: 2 2 251 3

Router# 09:31:01.179: TCP6: Telnet sent WILL SUPPRESS-GA (3)

*Nov  3 09:31:01.179: Telnet6: 80000 80000 253 24

*Nov  3 09:31:01.179: TCP6: Telnet sent DO TTY-TYPE (24)

*Nov  3 09:31:01.179: Telnet6: 10000000 10000000 253 31

*Nov  3 09:31:01.179: TCP6: Telnet sent DO WINDOW-SIZE (31)

*Nov  3 09:31:01.179: IP: tableid=0, s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), routed via FIB

*Nov  3 09:31:01.179: IP: s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), len 52, sending

*Nov  3 09:31:01.179: IP: tableid=0, s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), routed via FIB

*Nov  3 09:31:01.179: IP: s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), len 82, sending

*Nov  3 09:31:01.179: IP: tableid=0, s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), routed via RIB

*Nov  3 09:31:01.179: IP: s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), len 55, rcvd 3

*Nov  3 09:31:01.179: TCP6: Telnet received DO SUPPRESS-GA (3)

*Nov  3 09:31:01.179: TCP6: Telnet received WILL TTY-TYPE (24)

*Nov  3 09:31:01.179: Telnet6: Sent SB 24 1

*Nov  3 09:31:01.179: IP: tableid=0, s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), routed via FIB

*Nov  3 09:31:01.179: IP: s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), len 46, sending

*Nov  3 09:31:01.179: TCP6: Telnet received DO ECHO (1)

*Nov  3 09:31:01.179: TCP6: Telnet received WILL WINDOW-SIZE (31)

*Nov  3 09:31:01.179: Telnet6: recv SB NAWS 157 67

*Nov  3 09:31:01.183: IP: tableid=0, s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), routed via RIB

*Nov  3 09:31:01.183: IP: s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), len 40, rcvd 3

*Nov  3 09:31:01.183: IP: tableid=0, s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), routed via RIB

*Nov  3 09:31:01.183: IP: s=1.1.1.2 (FastEthernet0), d=1.1.1.1 (FastEthernet0), len 51, rcvd 3

*Nov  3 09:31:01.183: Telnet6: recv SB 24 0 vt100

*Nov  3 09:31:01.391: IP: tableid=0, s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), routed via FIB

*Nov  3 09:31:01.391: IP: s=1.1.1.1 (local), d=1.1.1.2 (FastEthernet0), len 40, sending

note that this is a lab router with a very limited configuration, i have this problem on a real production router, but only when i try to login to the router from the outside, otherwise all internet traffic works perfectly (of course, the access-list  is more similar to the one when the login traffic is refused because of the failed NAT translation)


Everyone's tags (2)
4 REPLIES

NAT problem, [NAT: translation failed (E)]

Your NAT statement needs to be changed:

ip nat inside source route-map NAT interface FastEthernet1 overload

to:

ip nat inside source route-map NAT interface FastEthernet0 overload

John

HTH, John *** Please rate all useful posts ***
New Member

NAT problem, [NAT: translation failed (E)]

well, that's a little embarasing....i fixed it, NAT translation works fine now, but the problem is still here, i get connection time out on the telnet client (SecureCRT), which does not happen when the source list for NAT has only the deny ip any any statement

Re: NAT problem, [NAT: translation failed (E)]

No need to be embarrassed...you should see some of my posts

Okay, try this acl instead:

deny ip host 1.1.1.1 any

permit ip any any

HTH, John *** Please rate all useful posts ***
New Member

NAT problem, [NAT: translation failed (E)]

that worked!

but (there is always a but!), in this case we are talking about a lab router with a static "outside" address. the situation that i actually have is a router with a dialer interface connected to the outside, and a private subnet on the inside which i want to NAT to the internet (overload the dialer interface). as soon as i enter any permit statement in the acl that define the addresses to be NATed, the remote login to the router (i connect to the public IP on the dialer interface) breaks, and all i get is a connection time-out error

1095
Views
0
Helpful
4
Replies