07-18-2010 11:43 PM - edited 03-04-2019 09:06 AM
Hi,
We are currently experiencing issues with our NAT Overload not translating any of the inside addresses.
We are currently running BGP on this router with a public IP pool consisting of 2 public IP addresses.
The access list used to allow private IP addresses is getting hits however we are not getting translations.
NAT config:
ip nat translation timeout never
ip nat pool PUBLIC XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.252
ip nat inside source list INTERNET_ACCESS pool PUBLIC overload
ip access-list standard INTERNET_ACCESS
permit 10.2.1.0 0.0.0.127
Sh ip Nat stat
show ip nat statistics
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
Vlan1
Inside interfaces:
Vlan300, Vlan303, Vlan999
Hits: 4004928 Misses: 0
CEF Translated packets: 3985743, CEF Punted packets: 19621237
Expired translations: 10266
Dynamic mappings:
-- Inside Source
[Id: 8] access-list INTERNET_ACCESS pool PUBLIC refcount 0
pool PUBLIC: netmask 255.255.255.252
start XX.XX.XX.XX end XX.XX.XX.XX
type generic, total addresses 2, allocated 0 (0%), misses 0
Sh IP Access-Lists
Standard IP access list INTERNET_ACCESS
10 permit 10.2.1.0, wildcard bits 0.0.0.127 (10252 matches)
Any help would be helpful
Thanks,
Scott
07-19-2010 04:56 AM
Hi Scott,
Try NAT overload with a route-map rather than an ACL.
I think it should work, but WHY?? I vaguely remember but am not sure, will try to dig out something for you.
e.g.
ip access-list standard INTERNET_ACCESS
permit 10.2.1.0 0.0.0.127
route-map test permit 10
match ip address INTERNET_ACCESS
ip nat inside source route-map test pool PUBLIC overload
Let me know if it works.
Regards,
07-19-2010 03:39 PM
Hi,
I have tried putting in the lines of configuration you suggested, however we are still not getting any form of dynamic translation.
I have put some output below.
NAT Configuration:
ip nat translation timeout never
ip nat pool PUBLIC XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.252
ip nat inside source list INTERNET_ACCESS pool PUBLIC overload
ip nat inside source route-map test pool PUBLIC overload
route-map test permit 10
match ip address INTERNET_ACCESS
ip access-list standard INTERNET_ACCESS
permit 10.2.1.0 0.0.0.127
sh ip nat translations/statistics
#sh ip nat stat
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
Vlan1, Vlan99
Inside interfaces:
Vlan300, Vlan303, Vlan999
Hits: 4004930 Misses: 0
CEF Translated packets: 3985743, CEF Punted packets: 19621332
Expired translations: 10267
Dynamic mappings:
-- Inside Source
[Id: 9] route-map test pool PUBLIC refcount 0
pool PUBLIC: netmask 255.255.255.252
start XX.XX.XX.XX end XX.XX.XX.XX
type generic, total addresses 2, allocated 0 (0%), misses 0
#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
And a ping
#ping
Protocol [ip]:
Target IP address: 72.14.209.104
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan 300
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.14.209.104, timeout is 2 seconds:
Packet sent with a source address of 10.2.1.1
Thanks,
Scott
07-19-2010 05:12 PM
Hi,
I think I may have found something.
Could the permit IP any any in the following set of ACLs be causing the packet to fall into the wrong ACL?
#do show ip access-lis
Standard IP access list 12 (most recently added)
10 permit 10.2.1.0, wildcard bits 0.0.0.127
Standard IP access list BGP_OUTGOING_ACL (added first)
10 permit XX.XX.XX.XX (19 matches)
Extended IP access list 100 (added second)
10 permit tcp XX.XX.XX.XX 0.0.0.255 host XX.XX.XX.XX eq bgp log (5864241 matches)
20 permit tcp XX.XX.XX.XX 0.0.0.255 eq bgp host XX.XX.XX.XX log (4527090 matches)
30 permit tcp XX.XX.XX.XX 0.0.0.255 eq bgp host XX.XX.XX.XX log (4523845 matches)
40 permit tcp XX.XX.XX.XX 0.0.0.255 host XX.XX.XX.XX eq bgp log (5841037 matches)
50 permit ip any any (109310388 matches)
Extended IP access list INTERNET_ACCESS (added 3rd)
10 permit ip 10.2.1.0 0.0.0.127 any
20 permit ip 10.2.1.0 0.0.0.127 any log
Other than this I cannot see any other reason as to why this would not work.
Scott
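Added example, not part of the thread: a small Python check that parses the "sh ip nat stat" and "show ip access-lists" output quoted above, flags the counters that point at a dynamic rule that never fires (refcount 0, pool allocated 0 while Misses stays 0) and lists any "permit ip any any" entries, since an ACL ending in one matches all traffic. The sample text is constructed from the posts, with the public addresses left as XX placeholders.

```python
import re

# Constructed sample modelled on the "sh ip nat stat" output quoted in this thread.
NAT_STATS = """\
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Hits: 4004930  Misses: 0
[Id: 9] route-map test pool PUBLIC refcount 0
 pool PUBLIC: netmask 255.255.255.252
        type generic, total addresses 2, allocated 0 (0%), misses 0
"""

# Constructed sample modelled on the "show ip access-lists" output in the thread.
ACL_OUTPUT = """\
Extended IP access list 100
    10 permit tcp XX.XX.XX.XX 0.0.0.255 host XX.XX.XX.XX eq bgp log (5864241 matches)
    50 permit ip any any (109310388 matches)
Extended IP access list INTERNET_ACCESS
    10 permit ip 10.2.1.0 0.0.0.127 any
"""

def diagnose_nat_stats(text):
    """Return human-readable findings for a 'show ip nat statistics' dump."""
    findings = []
    counts = re.search(r"\((\d+) static, (\d+) dynamic", text)
    static, dynamic = (int(counts.group(1)), int(counts.group(2))) if counts else (0, 0)
    misses = int(re.search(r"Misses: (\d+)", text).group(1))
    # refcount is the number of translations created through that dynamic mapping
    for m in re.finditer(r"\[Id: \d+\] (\S+ \S+) pool (\S+) refcount (\d+)", text):
        if int(m.group(3)) == 0:
            findings.append(f"mapping '{m.group(1)}' (pool {m.group(2)}) has refcount 0")
    alloc = re.search(r"total addresses (\d+), allocated (\d+)", text)
    if alloc and int(alloc.group(2)) == 0 and misses == 0:
        findings.append("pool never allocated and Misses is 0: no packet has "
                        "triggered creation of a dynamic translation")
    if dynamic == 0 and static > 0:
        findings.append(f"all {static} active translations are static")
    return findings

def find_permit_any_any(text):
    """Return (acl, seq) for every 'permit ip any any' entry in the ACL listing."""
    result, acl = [], None
    for line in text.splitlines():
        head = re.match(r"(?:Standard|Extended) IP access list (\S+)", line)
        if head:
            acl = head.group(1)
            continue
        entry = re.match(r"\s*(\d+) permit ip any any", line)
        if entry and acl:
            result.append((acl, int(entry.group(1))))
    return result
```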
07-20-2010 06:49 AM
Hello Scott. I see you have logging configured on the extended access-list. Configure logging buffered debugging,
run some extended pings from the source VLAN, similar to the ones you ran earlier, and check the logs to see which access-list they are matching.
Also, I noticed from your output that your NAT outside interface (ip nat outside) was configured for VLAN 1. Is that the interface pointing outside? Does the NAT pool PUBLIC match this interface?
The sh ip nat translations output will help also. Thanks.
Remember to rate the post if it helps.
08-15-2010 09:38 PM
Hi West,
Yes, unfortunately VLAN 1 was configured for the outside interface; yes, the NAT pool matches this interface.
Pro Inside global Inside local Outside local Outside global
--- XX.XX.XX.XX 10.2.1.10 --- ---
--- XX.XX.XX.XX 10.2.1.80 --- ---
sh ip nat statistics
Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
Vlan1, Vlan99
Inside interfaces:
Vlan300, Vlan303, Vlan999
Hits: 4012781 Misses: 0
CEF Translated packets: 3985743, CEF Punted packets: 19631979
Expired translations: 10386
Dynamic mappings:
-- Inside Source
[Id: 10] access-list 12 pool PUBLIC refcount 0
pool PUBLIC: netmask 255.255.255.252
start XX.XX.XX.XX end XX.XX.XX.XX
type generic, total addresses 2, allocated 0 (0%), misses 0
Will check the buffered debugging out of hours.
I have noticed static translations work correctly between interfaces, e.g. static NAT on a device in VLAN 300 will translate when accessing the translated address from VLAN 303.
Regards,
Scott
08-15-2010 10:03 PM
Hello Scott,
Which router is it (platform/IOS version)? Is the ip routing command enabled on the router?
--Jigar
08-15-2010 10:08 PM
Hi Jigar,
System image file is "sup-bootflash:s6523-advipservicesk9-mz.122-33.SXH5.bin" platform: cisco ME-C6524GT-8S
IP routing is enabled.
Regards,
Scott