Cisco C1111-8P not performing NAT

Adam_S
Level 1

Hi all,

I have a Cisco C1111-8P that is refusing to perform NAT; more specifically, it is not matching the ACL. I am attempting to migrate from an old Cisco 3845, from which the config was moved and was working fine.

I can see that an IP address is provided from the ISP, and the static route / gateway of last resort is installed in the routing table. NAT has been configured with overload along with a static route pointing to the ISP address, and the ACL is permitting the relevant addresses, but the ACL is never hit and no translations take place. No NVI0 interface is created either. I have tried using the "ip nat enable" command instead on the relevant interfaces, with no change. Any suggestions would be appreciated.

I've attached a copy of the config and some NAT outputs.


7 Replies

Enes Simnica
Level 5

G'day to you @Adam_S. Alright, let me go all in here. First, you're mixing classic NAT (inside/outside) with NVI (ip nat enable).

  • WAN Gi0/0/1 is ip nat outside (classic).
  • Your LAN SVIs use ip nat enable (NVI).

When you mix the two, the router won't treat LAN traffic as "inside," so your NAT_ACL never gets hit and no translations are created. That's also why NVI0 never appears. You have some options here.

Option A (recommended): use classic NAT only. So, on every LAN SVI, replace ip nat enable with ip nat inside:

conf t
 int Vlan12
  no ip nat enable
  ip nat inside
 int Vlan16
  no ip nat enable
  ip nat inside
 int Vlan17
  no ip nat enable
  ip nat inside
 int Vlan20
  no ip nat enable
  ip nat inside
 int Vlan40
  no ip nat enable
  ip nat inside
 int Vlan112
  no ip nat enable
  ip nat inside
 int Vlan212
  no ip nat enable
  ip nat inside
 int Vlan213
  no ip nat enable
  ip nat inside

 int Gig0/0/1
  ip nat outside    (already present)
end

2. Tighten the NAT ACL so it only matches your internal subnets (optional but cleaner). For example:

ip access-list extended NAT_ACL
  no 10
  no 20
  no 80
  no 90
  no 100
  no 110
  10 permit ip 10.0.0.0 0.255.255.255 any
  20 permit ip 172.16.0.0 0.0.255.255 any
  30 permit ip 192.168.0.0 0.0.255.255 any

3. Keep your existing overload rule and do some tests.

Option B: use NVI, so no inside/outside:

 int Gig0/0/1
  no ip nat outside
  ip nat enable

 (ensure all LAN SVIs have 'ip nat enable'; they already do)

end
----------------------
Then use either of these (both generally work with NVI; if in doubt, use NVI0):

ip nat source list NAT_ACL interface NVI0 overload
   or
ip nat source list NAT_ACL interface GigabitEthernet0/0/1 overload

So, if you switch to Option A (classic), you should immediately see hits in show ip nat statistics and active entries in show ip nat translations.

This turned into a long answer, but I had fun writing it! Hope it’s useful!

 

-Enes

more Cisco?!
more Gym?!



If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

C1111-8P#show run
Building configuration...

Current configuration : 11325 bytes
!
! Last configuration change at 16:59:49 GMT Sun Aug 17 2025
! NVRAM config last updated at 16:59:52 GMT Sun Aug 17 2025
!
version 17.3
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname C1111-8P
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$sI2I5Wznyl1iPU$BhukbC/GICzIqeIin2MP8tughnrV7JhZsSVJBbKu1S6
!
no aaa new-model
clock timezone GMT 10 0
clock summer-time GMT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
!
!
!
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 10.212.0.1 10.212.0.100
ip dhcp excluded-address 10.12.0.1 10.12.0.100
ip dhcp excluded-address 10.112.0.1 10.112.0.100
ip dhcp excluded-address 10.213.0.1 10.213.0.100
ip dhcp excluded-address 172.16.0.1 172.16.0.100
ip dhcp excluded-address 192.168.20.1 192.168.20.100
ip dhcp excluded-address 172.17.0.1 172.17.0.100
ip dhcp excluded-address 10.20.0.1
ip dhcp excluded-address 192.168.40.1 192.168.40.100
!
ip dhcp pool VLAN10_MANAGEMENT
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
lease 24
!
ip dhcp pool VLAN212_W_DATA
network 10.212.0.0 255.255.255.0
default-router 10.212.0.1
dns-server 1.1.1.1
lease 24
!
ip dhcp pool VLAN213_Wireless_Voice
network 10.213.0.0 255.255.255.0
default-router 10.213.0.1
dns-server 1.1.1.1
lease 24
!
ip dhcp pool VLAN12_DATA
network 10.12.0.0 255.255.255.0
default-router 10.12.0.1
dns-server 1.1.1.1
lease 24
!
ip dhcp pool VLAN16_WIRELESS_N
network 172.16.0.0 255.255.255.0
default-router 172.16.0.1
dns-server 1.1.1.1
lease 24
!
ip dhcp pool VLAN112_Voice
network 10.112.0.0 255.255.255.0
default-router 10.112.0.1
dns-server 1.1.1.1
lease 24
!
ip dhcp pool VLAN17_HOME_AUTOMATION
network 172.17.0.0 255.255.255.0
default-router 172.17.0.1
dns-server 8.8.8.8
lease 24
!
ip dhcp pool VLAN20_GUEST_NET
network 10.20.0.0 255.255.255.0
default-router 10.20.0.1
dns-server 1.1.1.1
lease 24
!
ip dhcp pool VLAN40_VICPOL
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 202.142.142.142
lease 24
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
no device-tracking logging theft
!
!
!
crypto pki trustpoint TP-self-signed-1392356882
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1392356882
revocation-check none
rsakeypair TP-self-signed-1392356882
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1392356882
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31333932 33353638 3832301E 170D3235 30383135 30393435
32345A17 0D333530 38313530 39343532 345A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33393233
35363838 32308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100C66C 4BA12B21 89AA6EA3 1C6377EC 292F46A0 1FEEFC74 3C6EAF94
8DD40A24 A3C6062A 1BADD656 E93B1A17 490EA001 E6C4E474 23404C1A 9F943430
A6CD5E94 7785CE5A 1CA518E5 732FBF4B 28A9F299 397DA14C 59EB7EF6 B984A129
738785AA FDDD36E5 8C0364C1 B5E0C119 980B87AE FCDD4EBA 48D24053 1785F44A
D6A84EFF 165395C6 5279DE0F 7E9B1524 222AD211 855AA1E6 B58BD83E ABA5C329
41F052CA C5E93439 6BD76F5A 3DE68595 2A2F5885 D621AF70 F6F7A02E 5B349795
0DA8739D C6F12A90 9A60C27D 528AFBA5 9A75DB98 85C4C5B2 AA34D426 D6236935
82D09C85 222B53F3 74357DE0 06A6F893 931AB615 3BF0F0A5 AFD7C8D3 6149DF1F
2B55B666 475D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
301F0603 551D2304 18301680 14B51110 B7EB6D1C 4BEC4025 FD2892FD 0105F433
A3301D06 03551D0E 04160414 B51110B7 EB6D1C4B EC4025FD 2892FD01 05F433A3
300D0609 2A864886 F70D0101 05050003 82010100 91084946 B889EABF 27EEF5B8
892B34A4 080CB826 1486880E 2F0D2EB0 1337A8AE 37E04EF5 3A347054 EEAE7350
D4676A94 2AE824A3 115FB016 A39B091A 16216865 949AD346 8685BADA CDD06FE1
06309C05 A4B113A5 F254515C C61AB38C 95103CCD A9308F12 493549F3 E79100BC
37274BF0 68A275B8 5A7BF8CC 2352A4D7 6FEB9245 D3CFC97B BD0C1B15 3755DADB
589FC36B 78429C23 0112A07F 30AC9753 CC52340E 72A25E6D 53DA5E4B F34786FF
EF261E5B 8978D8EF DF2242BD 16F977F7 6C7FE458 F78C8028 3D118E55 1FC18C52
04DBF8EE 8ECC8411 872323F4 74A0195F CB1E784B C441D549 C7C5035C 664BECA1
C0313441 16CCD473 F563992F 17A3A82F 837BFB11
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
!
!
license udi pid C1111-8PLTELAWZ sn FGL2505LAKM
memory free low-watermark processor 71830
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
controller Cellular 0/2/0
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Loopback0
ip address 10.255.255.255 255.255.255.255
ip broadcast-address 0.0.0.0
!
interface Loopback3
ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/0/0
ip address 192.168.1.2 255.255.255.252
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/1
description Internet
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
media-type rj45
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/1/0
switchport access vlan 16
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport access vlan 12
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 12
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 12
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 12
spanning-tree portfast
!
interface GigabitEthernet0/1/5
spanning-tree portfast
!
interface GigabitEthernet0/1/6
spanning-tree portfast
!
interface GigabitEthernet0/1/7
description to Switch
switchport trunk native vlan 10
switchport mode trunk
!
interface Wlan-GigabitEthernet0/1/8
shutdown
!
interface Cellular0/2/0
ip address negotiated
ipv6 enable
!
interface Cellular0/2/1
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Management
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface Vlan12
description Data
ip address 10.12.0.1 255.255.255.0
ip broadcast-address 0.0.0.0
ip nat inside
ip virtual-reassembly
!
interface Vlan16
description Wirless_N
ip address 172.16.0.1 255.255.255.0
ip broadcast-address 0.0.0.0
ip helper-address 10.12.0.2
ip directed-broadcast
ip nat inside
ip virtual-reassembly
!
interface Vlan17
description Home_Automation
ip address 172.17.0.1 255.255.255.0
ip broadcast-address 0.0.0.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
description GUEST_NET
ip address 10.20.0.1 255.255.255.0
ip nat inside
ip access-group GUEST-NET in
ip access-group GUEST-NET out
ip virtual-reassembly
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan112
description Voice
ip address 10.112.0.1 255.255.255.0
ip broadcast-address 0.0.0.0
ip nat inside
ip virtual-reassembly
!
interface Vlan212
description Wireless_G
ip address 10.212.0.1 255.255.255.0
ip broadcast-address 0.0.0.0
ip helper-address 10.12.0.2
ip nat inside
ip virtual-reassembly
!
interface Vlan213
description Wireless_Voice
ip address 10.213.0.1 255.255.255.0
ip broadcast-address 0.0.0.0
ip nat inside
ip virtual-reassembly
!
no ip http server
ip http authentication local
no ip http secure-server
no ip forward-protocol nd
ip nat translation timeout 600
ip nat translation udp-timeout 600
ip nat translation max-entries 200000
ip nat inside source list NAT_ACL interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp
!
!
ip access-list extended GUEST-NET
10 permit udp any any eq bootps
20 permit udp any any eq domain
30 permit tcp any any eq www
40 permit tcp any any eq 8080
50 permit tcp any any eq 443
60 permit udp any any eq 1194
70 permit tcp any any range 1119 1120
80 permit tcp any any range 6112 6114
90 permit icmp 10.20.0.0 0.0.0.255 10.20.0.0 0.0.0.255
100 permit ip any any
110 permit udp any any
120 permit tcp any any
ip access-list extended NAT_ACL
10 permit icmp any any fragments
20 permit icmp any any
30 permit ip 10.0.0.0 0.255.255.255 any
40 permit ip 172.17.0.0 0.0.0.255 any
50 permit ip 172.16.0.0 0.0.0.255 any
60 permit ip 192.168.40.0 0.0.0.255 any
70 permit ip 192.168.20.0 0.0.0.255 any
80 permit tcp any any established
90 permit tcp any any
100 permit ip any any
110 permit udp any any
!
!
!
!
control-plane
!
!
line con 0
privilege level 15
password 7 10620C0A111606
login
transport input none
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
password 7 080D495D1D1811
login
transport input telnet
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp server 129.250.35.251
!
!
!
!
!
!
end

Hello @Adam_S 

Thanks for sharing your configuration.

On your C1111 you need to explicitly mark your interfaces for NAT, otherwise the ACL will never be hit.

So, please configure your LAN-facing interface with the ip nat inside command and your WAN-facing interface with the ip nat outside command.

Then use an ACL that matches your internal subnet (for example, permit 192.168.1.0 0.0.0.255) and tie it to the outside interface with ip nat inside source list <your-acl> interface <wan> overload.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Your config 

1- there is ip nat inside and outside

2- you use overload NAT

3- BUT 

As far as I know, a NAT ACL does not accept the fragments or established keywords; why are you using them????

MHM

Also you face issue with vlan20 traffic? If YES how can same ACL apply to IN and OUT direction??

10 permit udp any any eq bootps <<- this prevents users from getting an IP from the DHCP server

MHM

Adam_S (Accepted Solution)
Level 1

Hi All,

Thanks for all the input. I finally got to the bottom of it. Seems that Cisco IOS XE software handles NAT ACLs differently than the old 3845 IOS I was used to. In this version the ACL will only be matched if it references a Standard ACL and will be ignored if it is an Extended ACL.

 

It does not ignore an extended ACL, but it does ignore an extended ACL with those keywords.

MHM
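The replies above point at three separate things to check in a config like this: Enes's point about mixing classic inside/outside NAT with NVI (ip nat enable), MHM's point about the fragments and established keywords in the NAT ACL, and the accepted answer's finding that the IOS XE box only matched a standard ACL. The following Python audit is an added example written for this page; it is not code from the thread, from any poster, or from Cisco. It parses a pasted running-config (indentation-agnostic, since forum pastes lose it) and flags each of those conditions. Both sample configs are constructed: BROKEN_CONFIG reproduces the failing pattern, FIXED_CONFIG shows the corrected classic-NAT form with a standard ACL named NAT_ACL_STD (a hypothetical name), and the finding codes are my own naming.

```python
import re

# Added example, not code from the thread or from Cisco: audit a pasted
# IOS/IOS-XE running-config for the NAT pitfalls raised in the replies.
IFACE_RE = re.compile(r"^interface (\S+)")
ACL_RE = re.compile(r"^ip access-list (standard|extended) (\S+)")
NAT_RULE_RE = re.compile(r"^ip nat (inside )?source list (\S+) interface (\S+)")
RISKY_KEYWORDS = ("fragments", "established")  # keywords MHM flagged in a NAT ACL

# Constructed sample reproducing the broken pattern (NVI on the LAN SVI,
# classic 'outside' on the WAN, extended ACL with risky keywords).
BROKEN_CONFIG = """\
interface GigabitEthernet0/0/1
 ip nat outside
!
interface Vlan12
 ip nat enable
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0/1 overload
!
ip access-list extended NAT_ACL
 10 permit icmp any any fragments
 30 permit ip 10.0.0.0 0.255.255.255 any
 80 permit tcp any any established
 100 permit ip any any
"""

# Constructed sample of the corrected form: classic inside/outside pairing
# and a standard ACL naming only the internal subnets (hypothetical ACL name).
FIXED_CONFIG = """\
interface GigabitEthernet0/0/1
 ip nat outside
!
interface Vlan12
 ip nat inside
!
ip nat inside source list NAT_ACL_STD interface GigabitEthernet0/0/1 overload
!
ip access-list standard NAT_ACL_STD
 permit 10.0.0.0 0.255.255.255
 permit 172.16.0.0 0.0.255.255
"""


def parse_config(text):
    """Collect interface NAT modes, ACL definitions and NAT source rules."""
    interfaces, acls, nat_rules, block = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()  # indentation-agnostic: forum pastes often lose it
        if not line:
            continue
        if line.startswith("!"):  # '!' closes the current config section
            block = None
        elif m := IFACE_RE.match(line):
            interfaces.setdefault(m.group(1), set())
            block = ("iface", m.group(1))
        elif m := ACL_RE.match(line):
            acls[m.group(2)] = {"type": m.group(1), "entries": []}
            block = ("acl", m.group(2))
        elif m := NAT_RULE_RE.match(line):
            nat_rules.append({"classic": bool(m.group(1)), "acl": m.group(2), "out": m.group(3)})
            block = None
        elif block and block[0] == "iface":
            if m := re.match(r"ip nat (inside|outside|enable)$", line):
                interfaces[block[1]].add(m.group(1))
        elif block and block[0] == "acl":
            acls[block[1]]["entries"].append(line)
    return interfaces, acls, nat_rules


def audit_nat(text):
    """Return findings as 'CODE: detail' strings; an empty list means no known pitfall."""
    interfaces, acls, nat_rules = parse_config(text)
    modes = set().union(*interfaces.values()) if interfaces else set()
    findings = []
    if "enable" in modes and modes & {"inside", "outside"}:
        findings.append("MIXED_NAT_MODES: classic inside/outside mixed with NVI 'ip nat enable'")
    for rule in nat_rules:
        if rule["classic"] and "inside" not in modes:
            findings.append(f"NO_INSIDE_INTERFACE: nothing is 'ip nat inside' for list {rule['acl']}")
        if rule["classic"] and "outside" not in interfaces.get(rule["out"], set()):
            findings.append(f"OUTSIDE_NOT_MARKED: {rule['out']} lacks 'ip nat outside'")
        acl = acls.get(rule["acl"])
        if acl is None:
            findings.append(f"ACL_MISSING: {rule['acl']} is referenced but never defined")
            continue
        if acl["type"] == "extended":
            findings.append(f"EXTENDED_NAT_ACL: {rule['acl']} is extended; the accepted answer needed a standard ACL")
        for entry in acl["entries"]:
            for kw in RISKY_KEYWORDS:
                if kw in entry.split():
                    findings.append(f"ACL_KEYWORD_{kw}: '{entry}' in {rule['acl']}")
            if re.search(r"\bpermit ip any any$", entry):
                findings.append(f"ACL_ANY_ANY: '{entry}' would translate every source, not just the LAN")
    return findings


def finding_codes(text):
    return sorted({f.split(":", 1)[0] for f in audit_nat(text)})
```

Running audit_nat(BROKEN_CONFIG) lists the mixed-mode, missing-inside, extended-ACL, keyword and permit-ip-any-any findings, while audit_nat(FIXED_CONFIG) returns an empty list. The checks are deliberately conservative: they only report patterns the thread itself identified, so a clean result means "none of these known pitfalls", not "NAT will work".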