Troubleshooting NAT Problem

sdross
Level 1

I have a T1 line with my service provider. I have a 1602 router that was set up with DHCP and NAT. I could ping from my PC to my router (the LAN and WAN side), but I could not ping the ISP router from my PC.

After telnetting into the router I could ping my PC, I could ping the ISP and yahoo.com, everything, etc.

I disabled NAT and got a static address from my ISP and everything works fine. Is this a bug or is something not enabled?


jcleary
Level 1

Could you paste the configs?

Here is the config to my router

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 debugging
no logging console
enable secret 5 xxx
!
ip subnet-zero
ip name-server x.x.x.21
ip name-server x.x.x.22
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool local
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server x.x.x.21 x.x.x.22
 domain-name xxx.net
 lease 2
!
!
interface Loopback0
 no ip address
 no ip directed-broadcast
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0
 no ip address
 no ip directed-broadcast
 shutdown
 service-module 56k clock source line
 service-module 56k network-type dds
!
interface Serial1
 ip address x.x.x.42 255.255.255.252
 ip access-group 110 out
 no ip directed-broadcast
 ip nat outside
 service-module t1 data-coding inverted
 service-module t1 timeslots 1-12
!
ip nat pool lan x.x.x.42 x.x.x.42 netmask 255.255.255.252
ip nat inside source list 1 pool lan overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 deny udp any any range netbios-ns netbios-ss
access-list 110 deny tcp any any range 137 139
access-list 110 deny udp any any eq bootpc
access-list 110 deny udp any any eq snmp
access-list 110 permit ip any any
!
line con 0
 exec-timeout 30 0
 password xxx
 login
 transport input none
line vty 0 4
 exec-timeout 30 0
 password xxx
 login
!
end

For a single ip address you are using a pool. I think this is not needed. You could give

ip nat inside source list 1 interface serial 1 overload.

This should do the natting to all the private ip addresses with different port numbers.

-Deepu

Like Deepu suggested, you don't need that pool configured. Just "ip nat inside source list 1 int s1 overload" should work.

Now give a show ip nat translation and see if translations are happening correctly or not.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

ericlinji
Level 1

I have the same problem as you. I can't ping outside but can FTP, telnet... I can't work out why. :D

Better change the IOS to another version.

Yes, I agree. You'd better change the NAT pool address or use interface address.

My problem is solved. It's a bug (I used ACL logging for NAT related ACLs).

BUG ID: CSCdt67507

IP NAT: issues with overload and cef/fast switching

Internet Control Message Protocol (ICMP) pings are not translated through Network Address Translation (NAT) in fast path if NAT Overload and ACL Logging are enabled.

Work Around: Don't use ACL logging for NAT related ACLs.
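Added example, not part of any post in this thread: a small Python check that reads a saved running-config and flags the two conditions discussed above, a single-address NAT pool that duplicates an interface address, and logging on an ACL that feeds NAT overload (the CSCdt67507 workaround). The function name `audit_nat`, the sample address 203.0.113.42 and the `log` keyword on access-list 1 are assumptions made for the example; only numbered `access-list` lines are handled.

```python
import re

# Constructed sample modelled on the config posted in this thread; the public
# address (203.0.113.42) and the "log" keyword on access-list 1 are assumptions.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Serial1
 ip address 203.0.113.42 255.255.255.252
 ip nat outside
ip nat pool lan 203.0.113.42 203.0.113.42 netmask 255.255.255.252
ip nat inside source list 1 pool lan overload
access-list 1 permit 192.168.1.0 0.0.0.255 log
"""

def audit_nat(config):
    """Return findings for the two NAT issues raised in the thread."""
    iface_addr, pools, acl_logs, rules = {}, {}, set(), []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)          # remember which interface we are in
        elif m := re.match(r"ip address (\S+) \S+", line):
            iface_addr[m.group(1)] = current
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+)", line):
            pools[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"ip nat inside source list (\S+) (pool|interface) (\S+).*\boverload\b", line):
            rules.append(m.groups())
        elif m := re.match(r"access-list (\S+) .*\blog(-input)?$", line):
            acl_logs.add(m.group(1))      # ACL has at least one logging entry
    findings = []
    for acl, kind, target in rules:
        if kind == "pool" and target in pools:
            start, end = pools[target]
            if start == end and start in iface_addr:
                findings.append(f"pool {target} is only {start}, the address of "
                    f"{iface_addr[start]}: use 'ip nat inside source list {acl} "
                    f"interface {iface_addr[start]} overload'")
        if acl in acl_logs:
            findings.append(f"access-list {acl} feeds NAT overload and logs: "
                            "see CSCdt67507, remove ACL logging")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```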

I will go ahead and try the suggestion stated above many times. My question though is what is the difference from using the overload with one address or using the Serial1 interface which has only one address? Same thing, isn't it? I have probably 2 dozen plus T1s set up for clients this way and this is the first one that I have had trouble with. Also it is not just the pings that are not returning, I cannot surf, telnet, or anything as I think someone mentioned above.

Anyway, I will give it a try and let everyone know.
