Running 15.4(2)S on the ASR 901. Trying to do a simple NAT in my lab. The problem I'm having is that the host directly connected to the router doesn't NAT but if I source a ping from the inside interface it NAT's just fine. Both are on the same network and use the same ACL to match criteria. Routes to destination are there as the directly connected host is still able to ping it, just not getting translated.
ASR 901 relevant config:
no ip address
service instance 41 ethernet
encapsulation dot1q 41
rewrite ingress tag pop 1 symmetric
no ip address
service instance 2 ethernet
(EFP is matching untagged because I'm sending pings from directly connected laptop without tagging)
ip address 188.8.131.52 255.255.255.252
ip nat outside
ip address 192.168.200.1 255.255.255.0
ip nat inside
access-list 50 permit 192.168.200.0 0.0.0.255
ip nat inside source list 50 interface Vlan41 overload
Source ping from the inside NAT interface translates fine. A host connected to the g0/6 interface pings 184.108.40.206 fine but doesn't translate, it's IP is 192.168.200.2/24
lab-asr-901#ping 220.127.116.11 source vlan 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.104.22.168, timeout is 2 seconds:
Packet sent with a source address of 192.168.200.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
lab-asr-901#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 22.214.171.124:1024 192.168.200.1:23 126.96.36.199:23 188.8.131.52:1024
Pay special attention to the model of your ASR901 and the NAT restrictions documented here:
Prerequisites for Configuring NAT for IP Address Conservation
This feature is supported only on the following PIDs of the Cisco ASR 901 Router: A901-6CZ-FS-D and A901-6CZ-FS-A.
There's also reference to the IOS that supports it or not:
This feature is available only on the new software image named asr901sec-universalk9.mz. (This feature is not available on the standalone software image named asr901-universalk9.mz. If you use asr901sec-universalk9.mz in an unsupported Cisco ASR 901 PID, the router issues a warning message and loads the software with basic features.)
I hope this is useful!
CCIE R&S # 37469
The problem I experience is that the router (ASR 901) will not NAT anything coming from the connected switch (Cisco 2960). I have 2 vlan trunking up to the ASR 901. The ASR 901 is configured to use the tagged traffic from the switch via the bridge domains. With this configuration I have normal L2 connectivity (DHCP for both VLANs, with different subnets, from the router to each vlan works great), but it won't even try to NAT it. However, if I ping 184.108.40.206 and source one of the SVIs attached to the bridge-domain on the ASR, it works great and I can see the NAT Translations.
Not sure why it won't NAT traffic coming from the switch, but it will locally sourcing and IP from the same subnet?
Well it could behave that way if it's not one of the supported routers.
I've seen that happen in other pieces of equipment where the commands are available BUT the feature isn't supported by the hardware.
If your router is NOT one of these models (A901-6CZ-FS-D or A901-6CZ-FS-A) then it won't support the feature.
You can check with the "show version" output.