Basic router NAT question

sdavids5670
Level 2

For the question, suppose the following configuration exists (partial config):

interface serial 0/0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat outside
 .
 .
 .
interface fa0/0
 ip address 10.109.10.1 255.255.255.0
 ip nat inside
 .
 .
 .
ip access-list extended NAT_TRAFFIC
 permit ip 10.109.10.0 0.0.0.255 10.201.104.0 0.0.0.15

ip nat pool MYOVERLOADPOOL 192.168.80.109 192.168.80.109 prefix-length 24
ip nat inside source list NAT_TRAFFIC pool MYOVERLOADPOOL overload

Should this work?  The router takes the commands (without warning) but I'm wondering if it's really permissible to assign an address in the "ip nat pool" command that isn't part of the network range of the serial interface that is acting as the outside interface.  When I ping from a device located off the inside interface (10.109.10.5 in this case) to a destination on the 10.201.104.0/28 network I do not see any NAT activity (nothing in 'show ip nat translations'). 

1 Accepted Solution

I do not believe that it is necessary to have an interface with an address in the range of the pool. It should work fine with just the pool defined on the router. As John suggests the routing logic on remote devices needs to have a route back to this router for the address pool. And sometimes an interface with an address in the pool is the easy way to have your routing protocol advertise the subnet. But it is not necessary to have an address on an interface and there are other ways to handle the routing logic.

And as Jan suggests we need to be sure that there is not a problem with the routing logic of this router as well as with the remote router(s). Could you post the output of show ip route 10.201.104.0? I would like to verify that traffic is being sent out the serial interface.

HTH

Rick

5 Replies

John Blakley
VIP Alumni

You may be able to create a loopback that falls in the range of the pool and then put "ip nat outside" on it. I'd have to lab it up, but it's worth a shot...

*Edit*

I labbed this up and it works fine without the loopback. You'll need to have a route back to the subnet that you're routing to and you should be good.

HTH, John *** Please rate all useful posts ***

Jan Hrnko
Level 4

Hi,

Yes, it should work; maybe you just have a problem in routing. Try to check the routing table; if it is not there, try to create a loopback interface like j.blakley suggested.

Best regards,

Jan


Thanks to all for the help. I think I had two things going on that caused it to fail.

1.) Instead of this:

ip nat inside source list NAT_TRAFFIC pool MYOVERLOADPOOL overload

I had this:

ip nat source list NAT_TRAFFIC pool MYOVERLOADPOOL overload

2.) Instead of this:

ip nat pool MYOVERLOADPOOL 192.168.80.109 192.168.80.109 prefix-length 24

I had this:

ip nat pool MYOVERLOADPOOL 192.168.80.109 192.168.80.109 prefix-length 32

The router complained when I entered the 'prefix-length 32' but it took the command nonetheless.

First I changed error #1. Still didn't work. Then I removed the 'ip nat pool...' command and re-added it using 'prefix-length 30' and then it started working fine.

What a relief that it was just ID10T errors.  I thought I was losing my mind.
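As an added illustration (my own code, not from the thread or from Cisco), a small Python lint over an IOS-style config fragment that flags the two slips the OP found above (the missing 'inside' keyword and the prefix-length 32 pool) and the routing caveat Rick and John raise (a pool address outside every 'ip nat outside' subnet is allowed but needs a route back). The sample config is constructed from the thread; the finding texts are my wording, not IOS output.

```python
import ipaddress
import re

# Constructed sample (not verbatim page text): the partial config as the OP
# first had it, i.e. no "inside" keyword and prefix-length 32.
SAMPLE_CONFIG = """\
interface serial 0/0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat outside
interface fa0/0
 ip address 10.109.10.1 255.255.255.0
 ip nat inside
ip access-list extended NAT_TRAFFIC
 permit ip 10.109.10.0 0.0.0.255 10.201.104.0 0.0.0.15
ip nat pool MYOVERLOADPOOL 192.168.80.109 192.168.80.109 prefix-length 32
ip nat source list NAT_TRAFFIC pool MYOVERLOADPOOL overload
"""

def lint_nat(config):
    """Return a list of findings for the NAT-related lines of an IOS-style config."""
    findings, pools, acls, outside_nets, iface_net, cur = [], {}, set(), [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]              # remember which interface we are under
        elif line.startswith("ip address ") and cur:
            _, _, addr, mask = line.split()
            iface_net[cur] = ipaddress.ip_interface(f"{addr}/{mask}").network
        elif line == "ip nat outside" and cur in iface_net:
            outside_nets.append(iface_net[cur])
        elif line.startswith("ip access-list "):
            acls.add(line.split()[-1])
        elif line.startswith("ip nat pool "):
            _, _, _, name, start, end, _, plen = line.split()
            pools[name] = (ipaddress.ip_address(start), ipaddress.ip_address(end), int(plen))
        elif m := re.match(r"ip nat (inside |outside )?source list (\S+) pool (\S+)", line):
            if not m.group(1):   # the OP's first slip: direction keyword missing
                findings.append("source-list rule lacks 'inside'/'outside'; the working config used 'ip nat inside source list'")
            if m.group(2) not in acls:
                findings.append(f"access-list {m.group(2)} is referenced but not defined")
    for name, (start, end, plen) in pools.items():
        net = ipaddress.ip_network(f"{start}/{plen}", strict=False)
        if end < start or end not in net:
            findings.append(f"pool {name}: range {start}-{end} does not fit inside /{plen}")
        if plen >= 31:       # the OP's second slip: the router warned on prefix-length 32
            findings.append(f"pool {name}: prefix-length {plen}: the thread's router warned on 32; the pool only worked at 24 or 30")
        if not any(start in n for n in outside_nets):   # allowed, but needs a route back (Rick, John)
            findings.append(f"pool {name}: {start} is in no 'ip nat outside' subnet, so upstream routers need a route back to it")
    return findings
```

Run `lint_nat(SAMPLE_CONFIG)` to see all three findings; after applying the OP's two corrections only the route-back note remains.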

I am glad that you figured out what was wrong and fixed it. Thank you for posting back to the forum and telling us what was wrong and how you fixed it. This is very helpful for other people who may read this thread. Now that it is fixed perhaps you can mark the question as resolved?

HTH

Rick