Cisco 1841 NAT Issue

jake.bunce
Level 1

Hi,

I have an issue with NAT on a Cisco 1841. See following configuration:

interface FastEthernet0/0
description Connection to LAN
bandwidth 100000
ip address 10.90.0.100 255.255.0.0
ip helper-address 10.100.2.2
ip helper-address 10.100.2.3
ip load-sharing per-packet
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

interface Dialer1
description ADSL connection
bandwidth 448
ip address X.X.X.X 255.255.255.248
ip access-group 150 in
ip nat outside
ip inspect firewall out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname hostname
ppp chap password password
ppp pap sent-username hostname password password
crypto map vpn

ip nat inside source list 102 interface Dialer1 overload

router#show ip access-list

Extended IP access list 102
    10 permit ip 10.90.0.0 0.0.255.255 any !! No matches


router#show ip nat stat

Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Virtual-Access2, Dialer1
Inside interfaces:
  FastEthernet0/0
Hits: 8388  Misses: 151
CEF Translated packets: 8401, CEF Punted packets: 2029356 !! The CEF Punted packets counter keeps increasing. No matches on ACL though.
Expired translations: 127
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 102 interface Dialer1 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

router#show ip nat trans
(empty)

I've tried this with both a source list NAT statement, and a route-map. The router can contact hosts on the Internet:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.31.0.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/147/148 ms

Any ideas?

Thanks
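The `show ip nat statistics` output above is the most useful evidence in the post: zero active translations, a dynamic mapping with refcount 0, and a CEF punted counter that keeps climbing. As an added example (not the poster's code), here is a small Python parser for that output plus a diagnose step that turns those counters into findings. SAMPLE_NAT_STATS is the poster's output quoted from the thread with the inline `!!` remarks removed; the field names and the findings text are my own.

```python
"""Parse Cisco IOS 'show ip nat statistics' output and flag the pattern in the
thread: a dynamic inside-source mapping that never produces translations.
Added example, not the poster's code. SAMPLE_NAT_STATS is the output quoted
in the thread with the poster's inline '!!' remarks removed."""
import re

SAMPLE_NAT_STATS = """\
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Virtual-Access2, Dialer1
Inside interfaces:
  FastEthernet0/0
Hits: 8388  Misses: 151
CEF Translated packets: 8401, CEF Punted packets: 2029356
Expired translations: 127
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 102 interface Dialer1 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
"""


def _ints(pattern, text):
    """Integer capture groups of the first match of pattern, or None."""
    m = re.search(pattern, text)
    return tuple(int(g) for g in m.groups()) if m else None


def _iface_list(label, text):
    """Interfaces named on the indented line after 'Outside interfaces:' etc."""
    m = re.search(label + r" interfaces:\n\s*(\S.*)", text)
    return [i.strip() for i in m.group(1).split(",")] if m else []


def parse_nat_stats(text):
    stats = {}
    (stats["active"], stats["static"], stats["dynamic"], stats["extended"]) = _ints(
        r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)",
        text)
    stats["hits"], stats["misses"] = _ints(r"Hits: (\d+)\s+Misses: (\d+)", text)
    stats["cef_translated"], stats["cef_punted"] = _ints(
        r"CEF Translated packets: (\d+), CEF Punted packets: (\d+)", text)
    (stats["expired"],) = _ints(r"Expired translations: (\d+)", text)
    stats["outside"] = _iface_list("Outside", text)
    stats["inside"] = _iface_list("Inside", text)
    # One record per dynamic mapping; refcount is how many translations reference it.
    stats["mappings"] = [
        {"id": int(i), "acl": acl, "interface": intf, "refcount": int(rc)}
        for i, acl, intf, rc in re.findall(
            r"\[Id: (\d+)\] access-list (\S+) interface (\S+) refcount (\d+)", text)
    ]
    return stats


def diagnose(stats):
    """Findings a practitioner would raise from the counters alone."""
    findings = []
    if not stats["inside"] or not stats["outside"]:
        findings.append("NAT needs at least one 'ip nat inside' and one 'ip nat outside' interface")
    if stats["active"] == 0 and stats["cef_punted"] > 0:
        # CEF could not translate these packets and handed them to the process path,
        # yet the process path never created a translation either.
        findings.append("packets are being punted from CEF but no translation is ever created")
    for mp in stats["mappings"]:
        if mp["refcount"] == 0:
            findings.append(f"mapping {mp['id']} (access-list {mp['acl']} -> {mp['interface']}) "
                            "has refcount 0: no current translation references it")
    return findings


if __name__ == "__main__":
    parsed = parse_nat_stats(SAMPLE_NAT_STATS)
    print(parsed)
    for finding in diagnose(parsed):
        print("-", finding)
```

Run against the thread's output, `diagnose` returns two findings: the punted-but-never-translated condition and the mapping with refcount 0. Taken together with the zero matches on access-list 102, they say the LAN traffic is not reaching the NAT decision at all, which is why the later replies focus on what else is applied to the Dialer interface rather than on the NAT statement itself.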

21 Replies

Please post the new redone 150 ACL.

Extended IP access list 150
    10 permit esp any any (257967 matches)
    20 permit tcp host 1.1.1.1 host X.X.X.X eq 22 (6885 matches)
    30 permit udp any any eq isakmp (36765 matches)
    40 permit udp any any eq non500-isakmp
    50 permit icmp any any (24540 matches)
    60 permit udp host 158.43.128.33 host X.X.X.X eq ntp (540 matches)
    70 permit udp host 158.43.128.66 host X.X.X.X eq ntp
    80 permit gre any any
    90 permit udp any any eq domain
    100 deny ip any any log (2329 matches)

I have also tried this with allowing any on entry 5. I am not seeing any matches on ACL 102 (interesting traffic), nor am I seeing translations in show ip nat translations.

If this issue was due to an ACL on the public facing interface, I would still expect to see translations in the NAT table.
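Two questions in this thread come down to what a static ACL actually does to a given packet: does access-list 102 really match the LAN source range (the original post), and what does access-list 150 do to return traffic when no inspection state is involved (this exchange). As an added example, not code from the thread, the following Python evaluator parses ACLs in the `show ip access-list` form quoted above and applies Cisco wildcard-mask semantics (a set wildcard bit means "don't care") with first-match-wins and the implicit deny at the end. It models only the subset used here: `any`, `host A`, `A WILDCARD`, `eq <port>` on either side, and trailing `log` / `(N matches)`; the port-name table is a small assumption, the packets are constructed, and the poster's masked X.X.X.X is replaced by the placeholder 192.0.2.1. It does not model CBAC, so the result for ACL 150 is the stateless view.

```python
"""Evaluate packets against Cisco IOS extended ACLs in 'show ip access-list' form.
Added example, not from the thread. Subset modelled: any / host A / A WILDCARD,
'eq <port>' on either side, trailing 'log' and '(N matches)'. PORT_NAMES is an
assumed subset of IOS port names; 192.0.2.1 stands in for the poster's X.X.X.X."""
import ipaddress
import re

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123, "domain": 53}

ACL_102 = """\
Extended IP access list 102
    10 permit ip 10.90.0.0 0.0.255.255 any
"""

ACL_150 = """\
Extended IP access list 150
    10 permit esp any any (257967 matches)
    20 permit tcp host 1.1.1.1 host 192.0.2.1 eq 22 (6885 matches)
    30 permit udp any any eq isakmp (36765 matches)
    40 permit udp any any eq non500-isakmp
    50 permit icmp any any (24540 matches)
    60 permit udp host 158.43.128.33 host 192.0.2.1 eq ntp (540 matches)
    70 permit udp host 158.43.128.66 host 192.0.2.1 eq ntp
    80 permit gre any any
    90 permit udp any any eq domain
    100 deny ip any any log (2329 matches)
"""

ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+log)?(?:\s+\(\d+ matches\))?\s*$")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _take_addr(tokens):
    """Consume one address spec; return ((address, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _take_port(tokens):
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens


def parse_acl(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line, or syntax this subset does not model
        seq, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _take_addr(tokens)
        sport, tokens = _take_port(tokens)
        dst, tokens = _take_addr(tokens)
        dport, tokens = _take_port(tokens)
        entries.append({"seq": int(seq), "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport})
    return entries


def _addr_match(spec, ip):
    """Wildcard semantics: bits set in the wildcard are ignored in the comparison."""
    addr, wild = spec
    keep = 0xFFFFFFFF ^ wild
    return (_ip(ip) & keep) == (addr & keep)


def _entry_match(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(e["src"], pkt["src"]) and _addr_match(e["dst"], pkt["dst"])):
        return False
    if e["sport"] is not None and e["sport"] != pkt.get("sport"):
        return False
    if e["dport"] is not None and e["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(entries, pkt):
    """First match wins; an IOS ACL ends with an implicit deny (reported as seq None)."""
    for e in entries:
        if _entry_match(e, pkt):
            return e["action"], e["seq"]
    return "deny", None


if __name__ == "__main__":
    # Constructed packets: a LAN host going out, and two kinds of return traffic.
    outbound = {"proto": "tcp", "src": "10.90.5.10", "dst": "128.31.0.51",
                "sport": 51000, "dport": 80}
    tcp_reply = {"proto": "tcp", "src": "128.31.0.51", "dst": "192.0.2.1",
                 "sport": 80, "dport": 51000}
    echo_reply = {"proto": "icmp", "src": "128.31.0.51", "dst": "192.0.2.1"}
    print("ACL 102, outbound LAN packet:", evaluate(parse_acl(ACL_102), outbound))
    print("ACL 150, TCP reply (stateless):", evaluate(parse_acl(ACL_150), tcp_reply))
    print("ACL 150, ICMP echo reply:", evaluate(parse_acl(ACL_150), echo_reply))
```

The outbound LAN packet is permitted by entry 10 of ACL 102, so the zero match count on that entry means LAN traffic is never being evaluated against it, not that the wildcard is wrong. For ACL 150 the stateless result is the one the reply above describes: a TCP reply falls through to entry 100 and is dropped, while an ICMP echo reply is permitted by entry 50, which is also why the router's own ping succeeds regardless. Whether `ip inspect` opens the return path for TCP is exactly the CBAC point the poster raises in the next message; the ACL alone does not.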

I'm sorry, but I don't see the permit ip any, because the deny ip any any is restricting traffic destined to your LAN from the net.

CBAC is enabled so that doesn't matter (http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac.html):

interface Dialer1
description ADSL connection
bandwidth 448
ip address X.X.X.X 255.255.255.248
ip access-group 150 in
ip nat outside
ip inspect firewall out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname hostname
ppp chap password password
ppp pap sent-username hostname password password
crypto map vpn

Also, I've applied a permit ip any any to the Dialer interface which has not solved the issue.

Have you tried the connection without the access lists applied?

Yeah. This hasn't worked either.

Dear,

1. First remove the ACL 150 from the interface.
2. Also remove ip inspect firewall out.
3. Also remove crypto map vpn from the interface.
4. Then try to ping any external IP with 10.90.0.100 as the source. Is this working?

If yes, try adding them back one by one, see where this stops, and update. Otherwise, please send the complete config for your router.

Regards

Haris P
