02-25-2014 05:28 AM - edited 03-04-2019 10:26 PM
I have two ASR 901 routers that can't seem to get out to the internet sourcing an EVC SVI which should be the inside NAT network.
======================================================
NAT ROUTER:
======================================================
interface FastEthernet0/0.120
 encapsulation dot1Q 120
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
interface FastEthernet0/0.200
 encapsulation dot1Q 200
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
ip nat inside source list 1 interface FastEthernet0/0.120 overload
Standard IP access list 1
    10 permit any log (6 matches)
======================================================
ASR:
======================================================
interface GigabitEthernet0/1
 negotiation auto
 synchronous mode
 cdp enable
 synce state slave
 !
 service instance 2 ethernet
  encapsulation dot1q 4000
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4000
 !
 service instance 3 ethernet
  encapsulation dot1q 200
  rewrite ingress tag pop 1 symmetric
  bridge-domain 200
interface Vlan200
 ip address 192.168.200.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.200.1
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.4.1.1
======================================================
There is an ME3400 in between the ASR and NAT router.
I've checked that the VLAN is included on the trunk and exists on the switch.
Can ping 192.168.200.1 from both ASRs.
Any ideas what is happening here? Have I configured EVC wrong?
02-25-2014 06:22 AM
Haven't used EVCs so I may be of limited help, but what does "sh ip nat translations" show on the NAT router?
Jon
02-25-2014 06:36 AM
Hi Jon
Posted in service provider forum, but this is a tricky one because it is hard to be sure if this is NAT, EVC, or something else!
Here is the output after ping
NAT-ROUTER#sh ip nat translations
Pro  Inside global       Inside local      Outside local     Outside global
icmp 207.191.158.141:5   192.168.200.1:5   208.67.220.220:5  208.67.220.220:5
02-25-2014 06:44 AM
Not sure I understand the NAT output, i.e. the inside local is the IP assigned to the NAT router, but I would have expected that to be an IP coming from the ASR?
Jon
02-25-2014 06:49 AM
Ah, that was after pinging on the NAT router itself. Pinging from the ASR yields no additional entries. Furthermore, "debug ip NAT" on the NAT router, then ping to the internet on the ASR - seems there is no activity.
02-25-2014 06:53 AM
But you can ping from the ASR to the fa0/0.200 IP?
If so, can you temporarily change your NAT ACL to be -
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
and then redo the NAT statement to use that ACL and retest.
It probably won't make a difference, but I have seen it work in a few instances.
Jon
02-25-2014 07:01 AM
Thanks Jon you saved me a lot of headache for today. Slight change on the ACL and it all works fine!
02-25-2014 07:06 AM
No problem, glad it worked.
Just for your info, I think you could have used a standard ACL as well and just specified the source network.
Some people recommend that, but I have always used extended ACLs with NAT and it seems to work fine.
Jon
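
A small check for the pattern this thread resolved, flagging the two ways the original ACL 1 differs from the replacement ACL 101: a NAT-referenced entry that permits any source, and one that carries the log keyword. This is an added example, not part of the thread; the running-config form of ACL 1 is an assumption (the post shows it as show output), the function names and finding labels are hypothetical, and only numbered access-list lines are handled.

```python
import re

# Constructed running-config fragments. BEFORE restates the thread's original
# ACL 1 ("permit any log") in running-config form (an assumption; the post
# shows it as "show access-lists" output). AFTER uses the ACL 101 line from
# the accepted answer.
BEFORE = """\
ip nat inside source list 1 interface FastEthernet0/0.120 overload
access-list 1 permit any log
"""
AFTER = """\
ip nat inside source list 101 interface FastEthernet0/0.120 overload
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
"""

NAT_RE = re.compile(r"^ip nat inside source list (\S+) ", re.M)
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (.+)$", re.M)


def source_is_any(acl_id, rest):
    """True when a numbered ACL entry matches every source address."""
    tokens = rest.split()
    number = int(acl_id) if acl_id.isdigit() else 0
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return bool(tokens) and tokens[0] == "any"  # standard: source first
    return len(tokens) > 1 and tokens[1] == "any"  # extended: protocol, source


def lint_nat_acls(config):
    """Return (acl, finding) pairs for ACLs referenced by inside-source NAT."""
    nat_acls = set(NAT_RE.findall(config))
    findings = []
    for acl_id, action, rest in ACE_RE.findall(config):
        if acl_id not in nat_acls or action != "permit":
            continue  # only permit entries select traffic for translation
        if source_is_any(acl_id, rest):
            findings.append((acl_id, "permit-any-source"))
        if "log" in rest.split():
            findings.append((acl_id, "log-keyword"))
    return findings


if __name__ == "__main__":
    print("before:", lint_nat_acls(BEFORE))
    print("after: ", lint_nat_acls(AFTER))
```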