Solved: ASR subnet not NAT processed

Evan Roggenkamp · ‎02-25-2014

I have two ASR 901 routers who can't seem to get out to the internet sourcing an EVC SVI which should be the inside NAT network.

======================================================

NAT ROUTER:

======================================================

interface FastEthernet0/0.120

encapsulation dot1Q 120

ip address dhcp

ip nat outside

ip virtual-reassembly in

interface FastEthernet0/0.200

encapsulation dot1Q 200

ip address 192.168.200.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip nat inside source list 1 interface FastEthernet0/0.120 overload

Standard IP access list 1

10 permit any log (6 matches)

======================================================

ASR:

======================================================

interface GigabitEthernet0/1

negotiation auto

synchronous mode

cdp enable

synce state slave

!

service instance 2 ethernet

encapsulation dot1q 4000

rewrite ingress tag pop 1 symmetric

bridge-domain 4000

!

service instance 3 ethernet

encapsulation dot1q 200

rewrite ingress tag pop 1 symmetric

bridge-domain 200

interface Vlan200

ip address 192.168.200.3 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.200.1

ip route vrf MGMT 0.0.0.0 0.0.0.0 10.4.1.1

======================================================

There is a ME3400 in between the ASR and NAT router

I've checked that the VLAN is included on trunk and exists on switch.

Can ping 192.168.200.1 from both ASR

Any ideas what is happening here? Have I configured EVC wrong?

Jon Marshall · ‎02-25-2014

Buy you can ping from the ASR to the fa0/0.200 IP ?

If so can you temporarily change your NAT acl to be -

access-list 101 permit ip 192.168.200.0 0.0.0.255 any

and then redo the NAT statement to use that acl and retest.

It probably won't make a difference but i have seen it work in a few instances.

Jon

View solution in original post

Jon Marshall · ‎02-25-2014

Haven't used EVCs so i may be of limited help but what does "sh ip nat translations" show on the NAT router ?

Jon

Evan Roggenkamp · ‎02-25-2014

Hi Jon

Posted in service provider forum, but this is a tricky one because it is hard to be sure if this is NAT, EVC, or something else!

Here is the output after ping

NAT-ROUTER#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 207.191.158.141:5 192.168.200.1:5 208.67.220.220:5 208.67.220.220:5

Jon Marshall · ‎02-25-2014

Not sure i understand the NAT output ie.

the inside local is the IP assigned to the NAT router but i would have expected that to be an IP coming from the ASR ?

Jon

Evan Roggenkamp · ‎02-25-2014

Ah, that was after pinging on the NAT router itself. Pinging from the ASR yields no additional entries. Furthermore, "debug ip NAT" on the NAT router, then ping to the internet on the ASR - seems there is no activity.

Jon Marshall · ‎02-25-2014

Buy you can ping from the ASR to the fa0/0.200 IP ?

If so can you temporarily change your NAT acl to be -

access-list 101 permit ip 192.168.200.0 0.0.0.255 any

and then redo the NAT statement to use that acl and retest.

It probably won't make a difference but i have seen it work in a few instances.

Jon

Evan Roggenkamp · ‎02-25-2014

Thanks Jon you saved me a lot of headache for today. Slight change on the ACL and it all works fine!

Jon Marshall · ‎02-25-2014

No problem, glad it worked.

Just for your info i think you could have used a standard acl as well and just specified the source network.

Some people recommend that but i have always use extended acls with NAT and it seems to work fine.

Jon