
Broken PAT/Overload after upgrade from 1711 to 891

jcopelandghs
Level 1

Hey All

So I had this remote site with an old 1711 that was being used for their internet/VPN endpoint back into our corp network here over a Comcast business cable modem.
I ordered a new 891, got it here, pretty much just put the config from one over to the other (changing interface names and such, and ACLs that were labeled with interface names) and sent it on its way to them.
The VPN tunnel back to our corporate offices comes up and they can access all of our internal stuff fine with no issues.
However, the normal stuff where they NAT directly out to the internet isn't working.
I can "sh ip nat translations" and see the NATs being built, but they don't seem to get any traffic passing as far as I can tell. When I "debug ip nat" I also notice that the NAT translations being built up seem to time out/die relatively quickly, like there was no active traffic going through them to keep them up.
My overload NAT statement uses a route-map that points to an ACL that just has multiple deny lines through the top to keep VPN-destined traffic from getting natted, but the last line is an allow from the internal subnet so that it will get natted.
I was thinking if that was messed up that I wouldn't be seeing my NAT entries, so that must be partially correct I guess. Drawing a blank here. Any help would be greatly appreciated. I will attach a sanitized version of the config from the 1711 that I pretty much copied over to the 891.
I am wondering if there is something syntax-wise that lets this function on the 1711 but not on the 891.
Thanks for taking a look!
-J

3 Accepted Solutions
