Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
881
Views
0
Helpful
12
Replies

Dynamic NAT problem - urgent help required

raj.panchal
Level 1
Level 1

‎06-22-2005 06:05 AM - edited ‎03-03-2019 09:52 AM

I am trying to do dyanamic nat on my router. My requirement is to provide private ip users internet access. I am trying to use pool of public ip address to nat the private ip users.

The configuration is as below :

interface GigabitEthernet0/0

description **** UPLINK - TO INTERNET ****

ip address 202.54.x.y 255.255.255.224

no ip unreachables

ip accounting output-packets

ip virtual-reassembly

ip route-cache flow

no ip mroute-cache

duplex full

speed 100

media-type rj45

no negotiation auto

interface GigabitEthernet0/2.405

encapsulation dot1Q 405

ip address 172.20.27.1 255.255.255.0

ip accounting output-packets

ip nat inside

ip virtual-reassembly

ip nat pool global 210.211.x.2 210.211.x.254 netmask 255.255.255.0

ip nat inside source list 11 pool global

access-list 11 permit 172.20.0.0 0.0.255.255

access-list 11 permit 10.41.38.0 0.0.1.255

My problem is i am not able to browse internet with this configuration, where as i am able to ping and trace internet ip address.

Also when i use overload option with the nat pool defination every thing works fine. This confirms that there is no routing problem with my public ip and private ips.

My router version details are :

Cisco IOS Software, 7301 Software (C7301-G4JS-M), Version 12.3(8)T3, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2004 by Cisco Systems, Inc.

Compiled Wed 21-Jul-04 02:36 by eaarmas

ROM: System Bootstrap, Version 12.3(4r)T2, RELEASE SOFTWARE (fc1)

BOOTLDR: 7301 Software (C7301-BOOT-M), Version 12.3(3)B, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

please try to help me figuring out what could be the issue .

Labels:
0 Helpful
12 Replies 12

m.lammerse
Level 1
Level 1

‎06-22-2005 06:17 AM

Hi Raj,

I don't see a 'ip nat outside' command on your external interface. Did you forget to include in the post, or is it missing from your router config?

HTH

Marcel

0 Helpful

raj.panchal
Level 1
Level 1
In response to m.lammerse

‎06-22-2005 08:03 AM

Dear Marcel,

I forgot to mention in the post !!

But in production environment its there

raj

0 Helpful

rais.ahmad
Level 1
Level 1

‎06-22-2005 06:18 AM

Do you have ip nat outside under your Internet Interface. Without overload, I believe you will be limited to 254 simultaneous connections.

Thanks.

0 Helpful

raj.panchal
Level 1
Level 1
In response to rais.ahmad

‎06-22-2005 08:06 AM

Dear Rais,

I do have ip nat outiside on my internet interface , i forgot to mention the same in my post

I agree with you that without overload i will be limited to 254 simultaneous sessions.. but for that i have assessed the simultaneous sessions requirments and this should suffice my requirments ..

raj

0 Helpful

jsdeprey
Level 1
Level 1

‎06-22-2005 06:43 AM

You said "Also when i use overload option with the nat pool defination every thing works fine"

So maybe you do have the ip nat outside command on the G0/0 interface already?

Why not just leave the overload command on the pool? if you are running out of ips outbound this is a good thing.

Also you mentioned "My problem is i am not able to browse internet with this configuration, where as i am able to ping and trace internet ip address"

That makes it sound like you are having a problem with DNS or something.

Is the DNS server a internal server and located on another interface maybe another vlan router interface than what you have provided? if that is the case maybe that "ip nat outside" command on g0/0 is a problem after all.

0 Helpful

raj.panchal
Level 1
Level 1
In response to jsdeprey

‎06-22-2005 08:11 AM

hi,

i do have nat outside command on g0/0 , i have forgot to mention it here in the post.

I expecting one to one dynamic nat .. and hence dont wish to have overload with one ip or interface .

i am pinging the internet hosts through their FQDN i.e i try to ping www.yahoo.com and do get the reply , hence i can rule out the dns resolution problem as suspected by you.

Also the dns is on ther internet and not in my lan.

When i see the nat translation , i do see that nat translations are happening for services like dns,ftp,telnet,http , icmp etc ..

but still not able to browse :(

0 Helpful

rais.ahmad
Level 1
Level 1
In response to raj.panchal

‎06-22-2005 09:20 AM

What happens if you telnet to www.yahoo.com on port 80? Do you get NAT translation created in the router? Do you have a firewall on your network that may be blocking http?

Thanks.

0 Helpful

aravindhs
Level 1
Level 1
In response to rais.ahmad

‎06-22-2005 09:39 AM

Hi

If you could post a diagram of the highlevel setup of ur network. Just curious to know if there is any firewall, proxy, cacheflow,load-balancer kinds of boxes involved here..

Also is it not working from anywhere at all?

Cheers

Arav

0 Helpful

raj.panchal
Level 1
Level 1
In response to rais.ahmad

‎06-22-2005 10:50 PM

Dear Rais,

I dont have any firewall in between my users and internet

Also i tried telnet to port 80 on yahoo.com and i do see the nat translations !!! for port 80

In the below nat table , 66.94.234.13 is the ip for yahoo and my pc ip is 172.20.114.6

Guys u gotta help me crack this out !!!

==========================================

VSNL_BRAS_1#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

tcp 210.211.130.132:135 172.20.114.6:135 210.211.160.203:4273 210.211.160.203:4273

tcp 210.211.130.138:135 172.20.114.6:135 210.211.216.42:3932 210.211.216.42:3932

tcp 210.211.130.136:135 172.20.114.6:135 210.211.253.219:1625 210.211.253.219:1625

tcp 210.211.130.134:139 172.20.114.6:139 210.182.251.127:1250 210.182.251.127:1250

tcp 210.211.130.134:445 172.20.114.6:445 210.211.161.213:2274 210.211.161.213:2274

tcp 210.211.130.128:445 172.20.114.6:445 210.211.162.206:4384 210.211.162.206:4384

tcp 210.211.130.134:445 172.20.114.6:445 210.211.166.59:1327 210.211.166.59:1327

tcp 210.211.130.135:445 172.20.114.6:445 210.211.184.16:4070 210.211.184.16:4070

tcp 210.211.130.129:445 172.20.114.6:445 210.211.184.105:2664 210.211.184.105:2664

tcp 210.211.130.138:1209 172.20.114.6:1209 66.94.234.13:80 66.94.234.13:80

tcp 210.211.130.135:1212 172.20.114.6:1212 66.94.234.13:80 66.94.234.13:80

tcp 210.211.130.143:1215 172.20.114.6:1215 66.94.234.13:80 66.94.234.13:80

tcp 210.211.130.136:1216 172.20.114.6:1216 66.94.234.13:80 66.94.234.13:80

--- 210.211.130.143 172.20.114.6 --- ---

0 Helpful

m.lammerse
Level 1
Level 1
In response to raj.panchal

‎06-23-2005 06:33 AM

Hi Raj,

2 more suggestions:

1. Simplify the configuration by remove the ip virtual-reassembly command under the interfaces

It's a non-standard, firewall related function that may work in unexpected ways.

2. Do a debug ip packet with an access-list matching the traffic you're generating

This will give you clues as to what is happening.

An please post the results of the above.

HTH

Marcel

0 Helpful

alfredshum
Level 1
Level 1

‎06-23-2005 12:09 AM

You may want to try to use the same PC and directly connect to the Internet without the router and hard code a public IP from your pool to your PC and also hard code the DNS server and default gateway. Then try to access web sites again.

0 Helpful

rais.ahmad
Level 1
Level 1
In response to alfredshum

‎06-23-2005 05:46 AM

Were you able to connect using telnet?

Let's take the telnet to port 80 one step further and issue an http GET / command from the keyboard once the telnet gets connected. Do you see any text before the telnet connection breaks?

Regards

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card