1811 NAT Problem

umbernaut
Level 1

(I hope this is the proper place to post a NAT/routing question; if not, please move or let me know)

Some time back, I successfully configured a 2811 to do NAT.  I am having difficulty with an 1811 router using the same config.

Here is the 2811 config that successfully performed NAT from our private to public:

(I've removed everything except the critical information)

interface FastEthernet0/0
 ip address [public ip] 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 speed auto
 no mop enabled
!
ip nat pool [name] [public ip] [public ip] prefix-length 30
ip nat inside source list 1 pool [name] overload
ip route 0.0.0.0 0.0.0.0 [public gateway]
!
access-list 1 permit 192.168.1.0 0.0.0.255

Here is the 1811 config that will not do NAT:

interface FastEthernet0
 ip address [public ip] 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface FastEthernet1
 ip address 172.16.1.1 255.255.255.224
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
!
ip route 0.0.0.0 0.0.0.0 [public gateway]
!
ip nat pool [name] [public ip] [public ip] prefix-length 30
ip nat inside source list 1 pool [name] overload
!
access-list 1 permit 172.16.1.1 0.0.0.31

IOS version on the 1811 is:

Version 12.3(8r)YH12

Any help/advice is appreciated

9 Replies

Edison Ortiz
Hall of Fame

Can you ping from the router to the internet?

Can you turn debug ip nat and see if there are failures on the translation?

Can you post your NAT translation table?

Thx for the reply.  I am working through the NAT trouble shooter here:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml

Yes. On both my 2811 (doing NAT just fine), I can ping 77.125.65.99 (google.com).  I can do this from the 1811 too.  When I source on both to the inside interface, the 2811 works, the 1811 does not.  I can ping from a switch on int fa1 to the 1811 just fine on the inside.  I can also ping from a laptop in that switch to the int fa1 inside too.  NAT does not work.

I ran:

"debug ip packet 1 det"

"term mon"

And then:

"ping 74.125.65.99 so 172.16.1.1"

Success rate is 0 percent (0/5)

I am also running ping -t from the laptop to 74.125.65.99

Debug shows nothing.

When I run:

"show ip nat translation"

It returns a blank, nothing.

When I run:

"show ip nat statistics"

I get:

Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0
Inside interfaces:
  FastEthernet1
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool internet refcount 0
 pool internet: netmask 255.255.255.252
        start [public ip] end [public ip]
        type generic, total addresses 1, allocated 0 (0%), misses 0
Queued Packets: 0

Note: I have removed the public IP here, but it is the same in both places.

Can you change -

access-list 1 permit 172.16.1.1 0.0.0.31

to

access-list 1 permit 172.16.1.0 0.0.0.31

Jon

Hi,

can you do this:

ip nat pool [name] [public ip] [public ip] prefix-length 28
ip nat inside source list 1 pool [name] overload
access-list 1 permit 172.16.1.0 0.0.0.31

Regards.

Alain.

Don't forget to rate helpful posts.
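The two suggestions above (fixing the standard ACL that selects inside sources, and matching the pool's prefix-length to the outside interface) are exactly the consistency checks one can automate before staging a NAT change. The script below is an added example written for this thread, not code from any poster or from Cisco: it parses the NAT-relevant lines of an IOS config (interfaces with `ip nat inside`/`ip nat outside`, `ip nat pool`, `ip nat inside source list`, standard access-lists) and reports the mismatches that usually explain an empty translation table. The sample config is the 1811 config from the first post with the redacted `[public ip]` replaced by the documentation address 203.0.113.2/28; the function names (`parse_config`, `wildcard_covers`, `audit`) are this example's own.

```python
import ipaddress
import re

# Constructed sample: the 1811 config from the thread, with the redacted
# "[public ip]" placeholders replaced by documentation addresses (203.0.113.0/24).
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
!
interface FastEthernet1
 ip address 172.16.1.1 255.255.255.224
 ip nat inside
!
ip nat pool internet 203.0.113.2 203.0.113.2 prefix-length 30
ip nat inside source list 1 pool internet overload
access-list 1 permit 172.16.1.1 0.0.0.31
"""


def parse_config(text):
    """Pull the NAT-relevant pieces out of an IOS running-config."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat_rules": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = {"nat": None, "addr": None}
        elif line == "!":
            current = None
        elif current and line.startswith("ip address "):
            _, _, addr, mask = line.split()
            cfg["interfaces"][current]["addr"] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif current and line in ("ip nat inside", "ip nat outside"):
            cfg["interfaces"][current]["nat"] = line.split()[-1]
        elif line.startswith("ip nat pool "):
            m = re.match(r"ip nat pool (\S+) (\S+) (\S+) prefix-length (\d+)$", line)
            if m:
                name, start, end, plen = m.groups()
                cfg["pools"][name] = (ipaddress.IPv4Address(start), ipaddress.IPv4Address(end), int(plen))
        elif line.startswith("ip nat inside source list "):
            m = re.match(r"ip nat inside source list (\S+) (pool|interface) (\S+)( overload)?$", line)
            if m:
                cfg["nat_rules"].append({"acl": m.group(1), "kind": m.group(2),
                                         "target": m.group(3), "overload": bool(m.group(4))})
        elif line.startswith("access-list "):
            # Standard ACLs only: "access-list N permit|deny A.B.C.D [wildcard]", "host A.B.C.D" or "any".
            # Extended entries (permit ip ...) have more tokens and are skipped by the anchored regex.
            m = re.match(r"access-list (\S+) (permit|deny) (\S+)(?: (\d+\.\d+\.\d+\.\d+))?$", line)
            if m:
                acl, action, base, wild = m.groups()
                if base == "any":
                    base, wild = "0.0.0.0", "255.255.255.255"
                elif base == "host":
                    base, wild = wild, "0.0.0.0"
                cfg["acls"].setdefault(acl, []).append((action, base, wild or "0.0.0.0"))
    return cfg


def wildcard_covers(base, wild, cidr):
    """True if every address in `cidr` matches the ACL entry `base wild`.

    IOS compares only the bits that are 0 in the wildcard; bits set in the
    wildcard are "don't care". An entry therefore covers a whole subnet only
    if it cares about no bit that varies inside that subnet and agrees with
    the subnet on the bits it does care about."""
    net = ipaddress.ip_network(cidr, strict=False)
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    host_bits = 0xFFFFFFFF ^ int(net.netmask)
    if care & host_bits:
        return False
    return (int(net.network_address) & care) == (int(ipaddress.IPv4Address(base)) & care)


def audit(cfg):
    """Return a list of findings; an empty list means the NAT pieces are consistent."""
    findings = []
    inside = [n for n, i in cfg["interfaces"].items() if i["nat"] == "inside" and i["addr"]]
    outside = [n for n, i in cfg["interfaces"].items() if i["nat"] == "outside" and i["addr"]]
    if not inside or not outside:
        return ["ERROR: need an addressed 'ip nat inside' and an addressed 'ip nat outside' interface"]
    for rule in cfg["nat_rules"]:
        entries = cfg["acls"].get(rule["acl"], [])
        if not entries:
            findings.append(f"ERROR: NAT rule references access-list {rule['acl']}, which is empty or undefined")
            continue
        for _, base, wild in entries:
            b, w = int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))
            if b & w:  # host bits set under the wildcard: the match ignores them
                norm = ipaddress.IPv4Address(b & ~w & 0xFFFFFFFF)
                findings.append(f"WARN: access-list {rule['acl']} entry '{base} {wild}' has host bits "
                                f"under the wildcard; it matches the same range as '{norm} {wild}'")
        for name in inside:
            net = str(cfg["interfaces"][name]["addr"].network)
            if not any(a == "permit" and wildcard_covers(b, w, net) for a, b, w in entries):
                findings.append(f"WARN: inside subnet {net} on {name} is not fully permitted by "
                                f"access-list {rule['acl']}; sources outside the permit are not translated")
        if rule["kind"] == "pool":
            pool = cfg["pools"].get(rule["target"])
            if pool is None:
                findings.append(f"ERROR: NAT rule references pool {rule['target']}, which is undefined")
                continue
            start, end, plen = pool
            for name in outside:
                onet = cfg["interfaces"][name]["addr"].network
                if start not in onet or end not in onet:
                    findings.append(f"WARN: pool {rule['target']} {start}-{end} lies outside {name}'s "
                                    f"subnet {onet}; the upstream needs a route for it")
                elif plen != onet.prefixlen:
                    findings.append(f"INFO: pool {rule['target']} prefix-length {plen} differs from {name}'s /{onet.prefixlen}")
        elif rule["kind"] == "interface" and rule["target"] not in outside:
            findings.append(f"ERROR: NAT rule translates to {rule['target']}, which is not an 'ip nat outside' interface")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, it reports the host bits in `172.16.1.1 0.0.0.31` and the /30 pool on a /28 outside interface, the two things the replies above asked to change, and nothing about coverage, because the wildcard match ignores the bits it does not care about. Feeding it the running config from later in the thread (with placeholders filled in) works the same way.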

1st, this is correct now:

"access-list 1 permit 172.16.1.0 0.0.0.31"

Rerunning "show ip nat statistics" I show this:

Total active translations: 68 (0 static, 68 dynamic; 68 extended)
Outside interfaces:
  FastEthernet0
Inside interfaces:
  FastEthernet1
Hits: 994  Misses: 1
CEF Translated packets: 49, CEF Punted packets: 1871
Expired translations: 210
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool internet refcount 68
 pool internet: netmask 255.255.255.252
        start [public ip] end [public ip]
        type generic, total addresses 1, allocated 1 (100%), misses 0
Queued Packets: 0

Running: "show ip nat translation" I get:

Pro Inside global      Inside local       Outside local      Outside global
icmp [public ip]:19   172.16.1.1:19     74.125.65.99:19    74.125.65.99:19
icmp [public ip]:1    172.16.1.2:1      74.125.65.99:1     74.125.65.99:1
udp [public ip]:49579 172.16.1.2:49579  66.18.32.2:53      66.18.32.2:53
udp [public ip]:49579 172.16.1.2:49579  66.18.32.3:53      66.18.32.3:53

[continues with 172.16.1.2 udp traffic; 172.16.1.2 is the laptop running ping -t to the google ip]

However, I still get no replies from the 1811 when sourcing a ping from the inside int to the google ip, and it still works good when just pinging from public int.

The laptop also cannot get to google or the google ip from the inside.

After changing the line:

"ip nat pool internet [public ip] [public ip] prefix-length 30"

To:

"ip nat pool internet [public ip] [public ip] prefix-length 28"

I still get 0 success rate when doing:

"ping 74.125.65.99 source 172.16.1.1"

And show about the same:

#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
icmp [public ip]:4    172.16.1.1:4      74.125.65.99:4     74.125.65.99:4

#show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
  FastEthernet0
Inside interfaces:
  FastEthernet1
Hits: 15  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 2
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool internet refcount 1
 pool internet: netmask 255.255.255.240
        start [public ip] end [public ip]
        type generic, total addresses 1, allocated 1 (100%), misses 0
Queued Packets: 0
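The translation table in the post above is the evidence that the inside-to-outside half of NAT is now working: entries exist for both the router's own sourced ping (172.16.1.1) and the laptop (172.16.1.2), even though no replies come back. Reading that table by hand is fine for two hosts; for a busy PAT box it is worth parsing. The following is an added example, not code from the thread: it parses `show ip nat translation` rows, summarizes them per inside host, and flags the things a NAT operator watches for (sources that are not on the inside subnet, translations to a global address that is not in the pool, and one host holding a disproportionate share of the table). The sample rows are the ones posted above with `[public ip]` replaced by the documentation address 203.0.113.2; `parse_translations`, `summarize` and `flag` are this example's own names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the 'show ip nat translation' rows posted in the thread,
# with "[public ip]" replaced by the documentation address 203.0.113.2.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.2:19   172.16.1.1:19     74.125.65.99:19    74.125.65.99:19
icmp 203.0.113.2:1    172.16.1.2:1      74.125.65.99:1     74.125.65.99:1
udp 203.0.113.2:49579 172.16.1.2:49579  66.18.32.2:53      66.18.32.2:53
udp 203.0.113.2:49579 172.16.1.2:49579  66.18.32.3:53      66.18.32.3:53
"""

# One extended (addr:port) row: protocol then four address:port columns.
ROW = re.compile(r"^(\w+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def parse_translations(text):
    """Return one dict per extended translation row; the header line and
    non-extended rows (no :port, shown by IOS with '---') are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        g = m.groups()
        rows.append({
            "proto": g[0],
            "inside_global": (g[1], int(g[2])),
            "inside_local": (g[3], int(g[4])),
            "outside_local": (g[5], int(g[6])),
            "outside_global": (g[7], int(g[8])),
        })
    return rows


def summarize(rows):
    """Per inside-local host: translation count, protocols and distinct destinations."""
    per_host = defaultdict(lambda: {"count": 0, "protos": set(), "destinations": set()})
    for r in rows:
        host = r["inside_local"][0]
        per_host[host]["count"] += 1
        per_host[host]["protos"].add(r["proto"])
        per_host[host]["destinations"].add(r["outside_global"])
    return dict(per_host)


def flag(rows, inside_subnet, pool_addresses, max_per_host=200):
    """Findings worth a look: inside sources that are not on the expected inside
    subnet, translations to a global address that is not in the pool, and hosts
    holding more than `max_per_host` entries of the PAT table."""
    net = ipaddress.ip_network(inside_subnet)
    pool = {ipaddress.ip_address(a) for a in pool_addresses}
    findings = []
    for r in rows:
        src = ipaddress.ip_address(r["inside_local"][0])
        if src not in net:
            findings.append(f"unexpected inside source {src} (not in {net})")
        if ipaddress.ip_address(r["inside_global"][0]) not in pool:
            findings.append(f"{src} translated to {r['inside_global'][0]}, which is not a pool address")
    for host, s in summarize(rows).items():
        if s["count"] > max_per_host:
            findings.append(f"{host} holds {s['count']} translations to {len(s['destinations'])} destinations")
    return findings


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_TRANSLATIONS)
    for host, s in sorted(summarize(rows).items()):
        print(host, s["count"], sorted(s["protos"]), len(s["destinations"]))
    print(flag(rows, "172.16.1.0/27", ["203.0.113.2"]))
```

On the sample the summary shows 172.16.1.2 with three entries over icmp and udp to three destinations and 172.16.1.1 with one, and `flag` returns nothing for the expected subnet and pool. Note what the table cannot tell you: an entry proves the outbound packet was translated, not that a reply arrived, which is why the thread still needed the return-path and interface checks that follow.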

Hi,

Can you post the running config.

Alain.

Don't forget to rate helpful posts.

Here it is.  The VPN is not mapped to any interface.  I have removed anything sensitive:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname [hostname]
!
boot-start-marker
boot-end-marker
!
enable secret 5 [secret]
enable password [password]
!
no aaa new-model
!
resource policy
!
ip cef
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [key] address [public ip]
!
crypto ipsec transform-set [name] esp-3des esp-sha-hmac
!
crypto map [name] 10 ipsec-isakmp
 set peer [public ip]
 set transform-set [name]
 match address 101
!
interface FastEthernet0
 ip address [public ip] 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface FastEthernet1
 ip address 172.16.31.5 255.255.255.224
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 [public ip gateway]
!
no ip http server
no ip http secure-server
ip nat pool [name] [public ip] [public ip] prefix-length 30
ip nat inside source list 1 pool [name] overload
!
access-list 1 permit 172.16.31.0 0.0.0.31
access-list 101 permit ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255
snmp-server community public RO
!
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password [password]
 login
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Hi,

what about a PC pinging 8.8.8.8 ?

if it still doesn't work then do this:

config#int f0
no ip route-cache cef
config#int f1
no ip route-cache cef
config# no service-timestamp debug
config#access-list 100 permit icmp any any
config# logging buffered debug
config# logging buffered 100000
#debug ip packet detail 100
#debug ip nat
# sh loggin

and  do your ping from host to 8.8.8.8 and post output

then reenable CEF on both interfaces with ip route-cache cef

Alain.

Don't forget to rate helpful posts.

NAT is working now.  Basically, I did 3 things today:

I changed this:

ip nat pool [name] [public ip] [public ip] prefix-length 30
ip nat inside source list 1 pool [name] overload
!
access-list 1 permit 172.16.31.0 0.0.0.31

To this:

ip nat inside source list 110 interface FastEthernet0 overload
!
access-list 110 permit ip 172.16.31.0 0.0.0.31 any

It still would not work, but I was only trying to ping from the router, sourcing from the private, 172.16.31.5, interface.

I then had a nagging feeling about having the 2 interfaces set at half duplex, so I set both to auto.  Then, I tried pinging google.com from the laptop, and voila! It pinged.

I went back to do:

"ping google.com source 172.16.31.5"

From the router, and it worked too.

I _think_ setting the interfaces from half duplex to auto might have been it, but who knows.

Anyhow, before making those 3 changes, it did not work today, and it did not really work until after changing the duplexing.