topic NAT overload on router works from inside the router only in Routing and SD-WAN

NAT overload on router works from inside the router only

zakhalid — Tue, 05 Mar 2019 08:58:07 GMT

I have to do NAT overload on router.

Following is the config, and as long as I source traffic from router interface it will work.. but when traffic is across G0/0 (inside) it will not hit ACL or translate

There is no host alive at 10.91.8.1 yet and that's no reply.. but that should not prevent translation, should it?

Plus it's working from inside the router..

Changes

=============

Switched from using interface to pool for nat

extended acl to standard acl

Upgraded the code. 15.1-2

and I am out of ideas..

IOS

c2951-universalk9-mz.SPA.152-1.T3.bin

no ip gratuitous-arps

no ip icmp rate-limit unreachable

no ip forward-protocol nd

no ip domain lookup

ip cef

no ip igmp snooping

interface Loopback0

ip address 10.16.0.92 255.255.255.255

interface GigabitEthernet0/0

ip address 10.149.4.146 255.255.255.252

no ip redirects

no ip proxy-arp

ip nat inside

ip virtual-reassembly in

load-interval 30

duplex full

speed 100

interface GigabitEthernet0/1

ip address 10.91.1.1 255.255.255.0

no ip redirects

no ip proxy-arp

ip nbar protocol-discovery

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

ip route 10.91.8.0 255.255.254.0 10.91.1.2

ip nat pool pool91 10.91.1.1 10.91.1.1 prefix-length 24

interface GigabitEthernet0/0

ip nat inside

interface GigabitEthernet0/1

ip nat outside

ip nat inside source list 101 pool pool91 overload

myrouter# ping 10.91.8.1 sou lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.91.8.1, timeout is 2 seconds:

Packet sent with a source address of 10.16.0.92

.....

Success rate is 0 percent (0/5)

myrouter# ping 10.91.8.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.91.8.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

myrouter#

myrouter# ping 10.91.8.1 sou g0/0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.91.8.1, timeout is 2 seconds:

Packet sent with a source address of 10.149.4.146

.....

Success rate is 0 percent (0/5)

myrouter#sh ip nat tra

myrouter#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 10.91.1.1:1 10.16.0.92:1 10.91.8.1:1 10.91.8.1:1

icmp 10.91.1.1:3 10.149.4.146:3 10.91.8.1:3 10.91.8.1:3

myrouter#sh ip nat statu

myrouter#sh ip nat stat

myrouter#sh ip nat statistics

Total active translations: 2 (0 static, 2 dynamic; 2 extended)

Peak translations: 5, occurred 00:12:27 ago

Outside interfaces:

GigabitEthernet0/1

Inside interfaces:

GigabitEthernet0/0

Hits: 25 Misses: 0

CEF Translated packets: 0, CEF Punted packets: 0

Expired translations: 6

Dynamic mappings:

-- Inside Source

[Id: 1] access-list 101 pool pool91 refcount 2

pool pool91: netmask 255.255.255.0

start 10.91.1.1 end 10.91.1.1

type generic, total addresses 1, allocated 1 (100%), misses 0

Total doors: 0

Appl doors: 0

Normal doors: 0

Queued Packets: 0

myrouter#

What do you have defined as

Robert Falconer — Sat, 07 Mar 2015 00:13:10 GMT

What do you have defined as access-list 101?

Your NAT config looks a bit

petenixon — Sat, 07 Mar 2015 00:19:24 GMT

Your NAT config looks a bit weird if you're only using one global address.

Try this:

interface GigabitEthernet0/0
ip nat inside

interface GigabitEthernet0/1
ip nat outside

access-list 1 permit 10.149.4.0 0.0.0.255
ip nat inside source list 1 interface Gi0/1 overload

access-list 101 permit ip any

zakhalid — Sat, 07 Mar 2015 01:06:07 GMT

access-list 101 permit ip any any

it's a permit any any for now..

I agree.it should have been

zakhalid — Sat, 07 Mar 2015 01:07:05 GMT

I agree.

it should have been those four line.

I need to use 10/8 but yes

I tried that..

Can you try using the 10.49.4

Jon Marshall — Sat, 07 Mar 2015 01:10:32 GMT

Can you try using the 10.49.4.0/24 subnet as the source eg.

"access-list 101 permit ip 10.49.4.0 0.0.0.255 any"

NAT can sometimes not work with "any" as the source.

Jon

Did you clear your

petenixon — Sat, 07 Mar 2015 01:15:37 GMT

Did you clear your translations before trying again? And any chance of an updated config so we know where you are 🙂

Thank you for looking and

zakhalid — Sat, 07 Mar 2015 01:38:55 GMT

Thank you for looking and replying, I have fought this most of the day..

and I see translations only when traffic sourced from lo0 or g0/0 but not when it's coming in on G0/0

I created an ACL to put on G0/0 to confirm traffic source IP .. but did not do that yet.

I did do following.

I started with extended ACL

ip access-list extended pat-1

permit ip 10.0.0.0 0.255.255.255 any

and

ip nat inside source list pat-1 interface Gi0/1 overload

then tried standard list

access-list 101 permit 10.0.0.0 0.255.255.255 any

then tried checking interface ip and other IP

ip access-list extended pat-1

permit host 10.16.0.92 any

permit host 10.149.4.146 any

permit 10.80.0.0 0.0.255.255 any (my workstations)

permit any host 10.16.0.92

permit any host 10.149.4.146

permit any 10.80.0.0 0.0.255.255

just to see what counters were changing..

and traffic was sourced from 10.16

the problem is that when traffic is from 10.80.0.0/16 it does not hit the acl

and that I don't understand .

PAT Is working when I source it from lo0 or g0/0.. but not when traffic is coming across

there is NVI interface and that has g0/0 IP - created when I create the NAT rules..

between each I did a router reload.. to clear everything.

Can you post your current

Jon Marshall — Sat, 07 Mar 2015 01:44:58 GMT

Can you post your current config as request by Pete.

And can you make if the full configuration.

Jon

Can you please post the full

petenixon — Sat, 07 Mar 2015 01:46:21 GMT

Can you please post the full config of your router as I think we may be missing some key information?

I will post the full config .

zakhalid — Sat, 07 Mar 2015 01:50:54 GMT

I will post the full config .. but I have to hit the road will be couple of hours before I can do that.

It was a bit late for me last

petenixon — Sat, 07 Mar 2015 09:47:17 GMT

It was a bit late for me last night so apologies for missing this. I re-read your original post and noticed these two bits on your output:

interface Loopback0
ip address 10.16.0.92 255.255.255.255

myrouter# ping 10.91.8.1 sou lo0

The reason why traffic is not being subject to NAT is that you're missing the ip nat inside command on your loopback interface.

Sorry folks..Found out that

zakhalid — Mon, 16 Mar 2015 22:49:47 GMT

Sorry folks..

Found out that on a router when going from G0/0 to G0/1 packet is switching/CEF and not 'routing'.. when testing to confirm traffic we added an ACL and NAT started to work. We took ACL off G0/0 and NAT stopped working.

We had to disable route-cache cef

<<<<< no ip route-cache cef >>>>>

interface GigabitEthernet0/0
ip address 10.149.4.146 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
load-interval 30
duplex full
speed 100
end

I'm hoping someone is still

Kevin Hamilton — Mon, 20 Apr 2015 20:00:12 GMT

I'm hoping someone is still monitoring this thread. Thank you in advance if you are. I have the same or maybe similar problem. I installed my spare 7301 today as a NAT gateway to my private SIP network. I configured PAT as per the numerous identical examples I found through searching the net and I have attached a current config file so you can see what I have done. I can ping 8.8.8.8 from within the router, using the "inside" interface as the source, but cannot get beyond the router from any device on the "inside" LAN.

E7_SIP#ping 8.8.8.8 source 10.7.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.7.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
E7_SIP#

Any thoughts or suggestions would be greatly appreciated.

Thanks,

Kevin

Add 'no ip route-cache cef'

zakhalid — Mon, 20 Apr 2015 21:32:56 GMT

Add

'no ip route-cache cef'

to interface 'inside'

I already have that

Kevin Hamilton — Tue, 21 Apr 2015 03:20:10 GMT

I already have that statement on both the "inside" and "outside" interfaces. Should I remove it from the "outside" interface? Thanks.

I just assumed you were

zakhalid — Thu, 23 Apr 2015 13:38:27 GMT

I just assumed you were having same problem.
Step by step..
Let's check if NAT is working.

use - sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 66.117.96.80:1 10.7.0.1:1 8.8.8.8 8.8.8.8

and you should get something like this when you ping from router and source from Inside interface.

Next ping from a host connected to inside network and check again..

use - sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
icmp 66.117.96.80:1         10.7.0.1:1        8.8.8.8         8.8.8.8
icmp 66.117.96.80:2         10.7.0.10:2        8.8.8.8         8.8.8.8    ---> do we have NAT/PAT?

if we have NAT but ping is still not working.. we are looking at routing and PAT translation is working
if there is no line for inside host - then we can work on Translation issue.

Things to check if there is no NAT..

Is packet hitting the inside interface. (use extended ACL and log)
on LAN inside in
and we should see the packet in and out.. and post logs.
ip access-list extended INGRESS
permit ip host 10.7.0.10 any log-input
permit ip any host 10.7.0.10 log-input
permit ip any any

when you add the ACL - do a ping and check NAT again.
Has it started working?

we may need to change ACL to extended ACL for PAT. does code support extended ACL

I just assumed you were

zakhalid — Thu, 23 Apr 2015 13:46:22 GMT

I just assumed you were having same problem.
Step by step..
Let's check if NAT is working.

use - sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 66.117.96.80:1 10.7.0.1:1 8.8.8.8 8.8.8.8

and you should get something like this when you ping from router and source from Inside interface.

Next ping from a host connected to inside network and check again..

if we have NAT but ping is still not working.. we are looking at routing and PAT translation is working
if there is no line for inside host - then we can work on Translation issue.

Things to check if there is no NAT..

Thank you for the detailed

Kevin Hamilton — Thu, 23 Apr 2015 23:37:31 GMT

Thank you for the detailed response. I will do my best to answer your questions.

When I ping from the router using the inside interface as the source I get the following entry in the NAT translation log:

E7_SIP#sh ip nat trans
Pro Inside global         Inside local          Outside local         Outside global
icmp 66.117.96.80:5       10.7.0.1:5            8.8.8.8:5             8.8.8.8:5
E7_SIP#

When I ping from the Linux server at 10.7.0.2 I get the following, and nothing is in the NAT translation table:

[root@host ~]# ping 8.8.8.8

connect: Network is unreachable

[root@host ~]#

I added your extended access list to the in of the inside interface and I still cannot ping through the router. I had tried previously with an extended access list and it did not work. I wanted to try yours too in case I had done something wrong.

There is something I do not understand about my route table:

E7_SIP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 66.117.96.1 to network 0.0.0.0

     66.0.0.0/24 is subnetted, 1 subnets
C       66.117.96.0 is directly connected, GigabitEthernet0/2
     10.0.0.0/16 is subnetted, 1 subnets
C       10.7.0.0 is directly connected, GigabitEthernet0/1
S*   0.0.0.0/0 [1/0] via 66.117.96.1
E7_SIP#

Is the information above that is in red text correct? Shouldn't it say 66.0.0.0/8 and not /24? Shouldn't it also say that it's variably sub-netted?

Thank you very much for your help.

I don’t recall if it should

zakhalid — Fri, 24 Apr 2015 01:19:38 GMT

I don’t recall if it should say /8. Let’s just tell the router that we are sub-netting and to allow 0 subnets. Add these please

config t

ip classless

ip subnet-zero

Also please post following

sh ip access-list

then if acl INGRESS is not applied to inside – let’s apply it and ping from your Linux box and post

show log

and sho ip access-list

I am looking for confirmation if router is getting the ping - and what response is sending back to host.

10.7.0.1 is gateway for Linux?