Showing results for 
Search instead for 
Did you mean: 


ASR 901 NAT not working

Running 15.4(2)S on the ASR 901. Trying to do a simple NAT in my lab. The problem I'm having is that the host directly connected to the router doesn't NAT but if I source a ping from the inside interface it NAT's just fine. Both are on the same network and use the same ACL to match criteria. Routes to destination are there as the directly connected host is still able to ping it, just not getting translated.


ASR 901 relevant config:

interface GigabitEthernet0/4
 no ip address
 negotiation auto
 service instance 41 ethernet
  encapsulation dot1q 41
  rewrite ingress tag pop 1 symmetric
  bridge-domain 41

interface GigabitEthernet0/6
 no ip address
 negotiation auto
 service instance 2 ethernet
  encapsulation untagged
  bridge-domain 2

(EFP is matching untagged because I'm sending pings from directly connected laptop without tagging)

interface Vlan41
 ip address
 ip nat outside
interface Vlan2
 ip address
 ip nat inside


access-list 50 permit

ip nat inside source list 50 interface Vlan41 overload


Source ping from the inside NAT interface translates fine. A host connected to the g0/6 interface pings fine but doesn't translate, it's IP is

lab-asr-901#ping source vlan 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

lab-asr-901#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global




Everyone's tags (2)

I am having the exact same

I am having the exact same problem, please help !!

Cisco Employee

Hi there, Pay special

Hi there,


Pay special attention to the model of your ASR901 and the NAT restrictions documented here:


Prerequisites for Configuring NAT for IP Address Conservation


This feature is supported only on the following PIDs of the Cisco ASR 901 Router: A901-6CZ-FS-D and A901-6CZ-FS-A.


There's also reference to the IOS that supports it or not:


This feature is available only on the new software image named (This feature is not available on the standalone software image named If you use in an unsupported Cisco ASR 901 PID, the router issues a warning message and loads the software with basic features.)


I hope this is useful!



CCIE R&S # 37469


The problem I experience is

The problem I experience is that the router (ASR 901) will not NAT anything coming from the connected switch (Cisco 2960). I have 2 vlan trunking up to the ASR 901. The ASR 901 is configured to use the tagged traffic from the switch via the bridge domains. With this configuration I have normal L2 connectivity (DHCP for both VLANs, with different subnets, from the router to each vlan works great), but it won't even try to NAT it. However, if I ping and source one of the SVIs attached to the bridge-domain on the ASR, it works great and I can see the NAT Translations. 

Not sure why it won't NAT traffic coming from the switch, but it will locally sourcing and IP from the same subnet?

Cisco Employee

Well it could behave that way

Well it could behave that way if it's not one of the supported routers.


I've seen that happen in other pieces of equipment where the commands are available BUT the feature isn't supported by the hardware.


If your router is NOT one of these models (A901-6CZ-FS-D or A901-6CZ-FS-A) then it won't support the feature.


You can check with the "show version" output.