NAT overload on router works from inside the router only

zakhalid
Level 1
I have to do NAT overload on a router.
Following is the config. As long as I source traffic from a router interface it will work, but when traffic comes in across G0/0 (inside) it will not hit the ACL or translate.
There is no host alive at 10.91.8.1 yet, so there is no reply, but that should not prevent translation, should it?
Plus it's working from inside the router..
 
Changes
=============
Switched from using an interface to a pool for NAT
Changed the extended ACL to a standard ACL
Upgraded the code: 15.1-2

and I am out of ideas..
 
 
IOS
c2951-universalk9-mz.SPA.152-1.T3.bin
 
 
no ip gratuitous-arps
no ip icmp rate-limit unreachable
no ip forward-protocol nd
no ip domain lookup
ip cef
no ip igmp snooping
 
interface Loopback0
 ip address 10.16.0.92 255.255.255.255
 
interface GigabitEthernet0/0
 ip address 10.149.4.146 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 ip address 10.91.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
 
ip route 10.91.8.0 255.255.254.0 10.91.1.2
 
ip nat pool pool91 10.91.1.1 10.91.1.1 prefix-length 24
interface GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/1
 ip nat outside 
!
ip nat inside source list 101 pool pool91 overload
 
 
 
 
 
 
myrouter# ping 10.91.8.1 sou lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.91.8.1, timeout is 2 seconds:
Packet sent with a source address of 10.16.0.92 
.....
Success rate is 0 percent (0/5)
myrouter# ping 10.91.8.1        
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.91.8.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
myrouter#
myrouter#
myrouter# ping 10.91.8.1 sou g0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.91.8.1, timeout is 2 seconds:
Packet sent with a source address of 10.149.4.146 
.....
Success rate is 0 percent (0/5)
myrouter#sh ip nat tra
myrouter#sh ip nat translations 
Pro Inside global         Inside local          Outside local         Outside global
icmp 10.91.1.1:1         10.16.0.92:1        10.91.8.1:1          10.91.8.1:1
icmp 10.91.1.1:3         10.149.4.146:3       10.91.8.1:3          10.91.8.1:3
myrouter#sh ip nat statu
myrouter#sh ip nat stat 
myrouter#sh ip nat statistics 
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Peak translations: 5, occurred 00:12:27 ago
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces: 
  GigabitEthernet0/0
Hits: 25  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 6
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 101 pool pool91 refcount 2
 pool pool91: netmask 255.255.255.0
        start 10.91.1.1 end 10.91.1.1
        type generic, total addresses 1, allocated 1 (100%), misses 0
 
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
myrouter#
myrouter#

E7_SIP#sh ip access-list
Standard IP access list 1
    10 permit 10.7.0.0, wildcard bits 0.0.255.255 (3 matches)
Extended IP access list INGRESS
    10 permit ip host 10.7.0.2 any log-input
    20 permit ip any host 10.7.0.2 log-input
    30 permit ip any any
E7_SIP#

 

 

interface GigabitEthernet0/1
 ip address 10.7.0.1 255.255.0.0
 ip access-group INGRESS in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto

 

I will not be able to test the ping from the router again until tomorrow. I will provide log info as soon as I can. Thank you!

I verified the access-list last night and still could not get from the inside LAN to anywhere beyond the router. 

This morning I once again logged into the router and verified I could ping from the "inside" interface to anywhere beyond the router and it worked: ping 8.8.8.8 source g0/1. 

I also pinged from the "outside" interface to a host on the "inside" LAN:  ping 10.7.0.2 source g0/2.  This was a suggestion from another thread and I had not tried it yet.  It worked.

My next step was to log in to the host on the inside LAN and verify ifconfig and run a traceroute to a host outside the router.  To my amazement it worked.  I traced from 10.7.0.2 all the way to www.ibm.com without fail.  I have been able to successfully traceroute anywhere else ever since.  My NAT translation table looks good now too. 

E7_SIP#sh ip nat trans
Pro Inside global         Inside local          Outside local         Outside global
udp 66.117.96.80:123      10.7.0.2:123          129.6.15.30:123       129.6.15.30:123
udp 66.117.96.80:123      10.7.0.2:123          132.163.4.101:123     132.163.4.101:123
udp 66.117.96.80:123      10.7.0.2:123          152.2.133.55:123      152.2.133.55:123
udp 66.117.96.80:123      10.7.0.2:123          198.60.22.240:123     198.60.22.240:123
tcp 66.117.96.80:36788    10.7.0.2:36788        184.51.115.9:80       184.51.115.9:80


Is it possible that running the outside to inside ping forced the 7301 to finally learn that it was supposed to be doing PAT?  I have also removed the extended access list from the inside interface and it is still working.

Not sure what to do if it fails again.

 

Thanks,

Kevin

It's possible. What type of switch is between the router and the Linux host?

If it's a direct connection then I have no idea what to check.. maybe the Linux host, but unlikely.

I am glad it's working. It's hard to find what was not working now.

 

 

Hmmm...  Cheap Netgear switch that I grabbed off my shelf for testing. Maybe doing the ping to the inside LAN forced it to do some sort of ARP resolution? Wouldn't think it was a Linux problem because the other host I was using was Win 7. Either way I'm glad it's running and I thank you very much for your time and guidance.  Kevin

I just assumed you were having the same problem.
Step by step..
Let's check if NAT is working.

Use: sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
icmp 66.117.96.80:1         10.7.0.1:1        8.8.8.8         8.8.8.8


You should get something like this when you ping from the router and source from the inside interface.


Next, ping from a host connected to the inside network and check again.

Use: sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
icmp 66.117.96.80:1         10.7.0.1:1        8.8.8.8         8.8.8.8
icmp 66.117.96.80:2         10.7.0.10:2        8.8.8.8         8.8.8.8    ---> do we have NAT/PAT?

If we have NAT but ping is still not working, we are looking at routing, and PAT translation is working.
If there is no line for the inside host, then we can work on the translation issue.


Things to check if there is no NAT:

Is the packet hitting the inside interface? (Use an extended ACL and log.)
On the LAN inside interface, inbound,
we should see the packet in and out. Post the logs.
ip access-list extended INGRESS
 permit ip host 10.7.0.10 any log-input
 permit ip any host 10.7.0.10 log-input
 permit ip any any

When you add the ACL, do a ping and check NAT again.
Has it started working?

We may need to change the ACL to an extended ACL for PAT. Does the code support extended ACLs?

Can you please post the full config of your router, as I think we may be missing some key information?
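The check in the reply above (does the LAN host have its own entry in the translation table, or only the router's interfaces?) is easy to script when `show ip nat translations` output is being pasted back and forth. The following Python is an added example, not code from this thread or from Cisco; the sample tables are constructed from rows quoted in the thread, and the function names and verdict strings are my own.

```python
"""Added example (not from the original thread): parse the IOS
`show ip nat translations` table and apply the triage described in the reply
above.  Sample tables are constructed from rows quoted in the thread."""
import re
from collections import namedtuple

Translation = namedtuple(
    "Translation", "proto inside_global inside_local outside_local outside_global")

# One table row: protocol followed by four address entries, each "ip:port",
# a bare "ip" (icmp rows without an identifier) or "---" (static entries).
_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _split_entry(entry):
    """'10.91.1.1:1' -> ('10.91.1.1', 1); '8.8.8.8' -> ('8.8.8.8', None); '---' -> (None, None)."""
    if entry == "---":
        return None, None
    ip, sep, port = entry.rpartition(":")
    return (ip, int(port)) if sep else (entry, None)


def parse_translations(text):
    """Return a list of Translation tuples, skipping the header and any prompt echoes."""
    rows = []
    for line in text.splitlines():
        if line.lstrip().startswith("Pro "):      # column header
            continue
        m = _ROW.match(line)
        if m is None:                             # prompt lines, blanks
            continue
        proto, *entries = m.groups()
        rows.append(Translation(proto, *(_split_entry(e) for e in entries)))
    return rows


def translated_inside_hosts(rows):
    """Inside-local addresses that currently own at least one translation."""
    return {r.inside_local[0] for r in rows if r.inside_local[0]}


def pat_in_use(rows):
    """True when one inside-global address fronts more than one inside-local
    host, i.e. the 'overload' keyword is actually taking effect."""
    hosts_per_global = {}
    for r in rows:
        hosts_per_global.setdefault(r.inside_global[0], set()).add(r.inside_local[0])
    return any(len(hosts) > 1 for hosts in hosts_per_global.values())


def diagnose(table_text, router_inside_addrs, lan_host):
    """Classify the symptom the way the reply above does.

    router_inside_addrs: addresses the router itself pings from (loopback, G0/0)
    lan_host:            a host behind the inside interface
    """
    hosts = translated_inside_hosts(parse_translations(table_text))
    if lan_host in hosts:
        return "translation-ok"      # PAT works; if ping still fails, look at routing / return path
    if any(a in hosts for a in router_inside_addrs):
        return "router-only"         # only router-sourced traffic is translated (the original post)
    return "no-translation"          # nothing matches: check the ACL and inside/outside tagging


# Constructed samples, copied from the rows quoted in this thread.
SAMPLE_ROUTER_ONLY = """\
Pro Inside global         Inside local          Outside local         Outside global
icmp 10.91.1.1:1         10.16.0.92:1        10.91.8.1:1          10.91.8.1:1
icmp 10.91.1.1:3         10.149.4.146:3       10.91.8.1:3          10.91.8.1:3
"""

SAMPLE_REPLY = """\
Pro Inside global         Inside local          Outside local         Outside global
icmp 66.117.96.80:1         10.7.0.1:1        8.8.8.8         8.8.8.8
icmp 66.117.96.80:2         10.7.0.10:2        8.8.8.8         8.8.8.8
"""

SAMPLE_WORKING = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 66.117.96.80:123      10.7.0.2:123          129.6.15.30:123       129.6.15.30:123
tcp 66.117.96.80:36788    10.7.0.2:36788        184.51.115.9:80       184.51.115.9:80
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_ROUTER_ONLY, ["10.16.0.92", "10.149.4.146"], "10.149.4.150"))
    print(diagnose(SAMPLE_REPLY, ["10.7.0.1"], "10.7.0.10"))
    print(pat_in_use(parse_translations(SAMPLE_WORKING)))
```

Paste the table from the router in place of the sample and pass the router's own inside-side addresses plus the LAN host you are testing from; the verdict tells you whether to keep working on the translation or move on to routing, which is the fork the reply above describes.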

petenixon
Level 3

Your NAT config looks a bit weird if you're only using one global address.

Try this:

interface GigabitEthernet0/0
ip nat inside

interface GigabitEthernet0/1
ip nat outside

access-list 1 permit 10.149.4.0 0.0.0.255
ip nat inside source list 1 interface Gi0/1 overload

I agree.

It should have been those four lines.

I need to use 10/8, but yes.

I tried that..

 

zakhalid
Level 1

Sorry folks..

Found out that on a router, when going from G0/0 to G0/1, the packet is switched by CEF and not 'routed'.. When testing to confirm traffic we added an ACL and NAT started to work. We took the ACL off G0/0 and NAT stopped working.

We had to disable route-cache cef:

<<<<< no ip route-cache cef >>>>>

 

interface GigabitEthernet0/0
 ip address 10.149.4.146 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache cef
 load-interval 30
 duplex full
 speed 100
end
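A complementary check, again an added example rather than anything posted in the thread: parse `show ip nat statistics` and read the switching-path counters. The statistics in the original post show `Hits: 25` next to `CEF Translated packets: 0, CEF Punted packets: 0`, which is consistent with the finding above: every translated packet took the process path (where router-originated pings are handled) and none was translated in the CEF path that transit traffic from G0/0 uses when CEF is enabled on the interface. The sample is constructed from the statistics block in the original post; the field and verdict names are my own.

```python
"""Added example, not code from the original thread or from Cisco: parse the
IOS `show ip nat statistics` block and report which switching path the
translated packets took.  SAMPLE_STATS is constructed from the counters in the
original post."""
import re

SAMPLE_STATS = """\
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Peak translations: 5, occurred 00:12:27 ago
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 25  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 6
"""

# Single-value counters: (dict key, regex applied to the stripped line)
_COUNTERS = [
    ("active", r"Total active translations:\s*(\d+)"),
    ("peak", r"Peak translations:\s*(\d+)"),
    ("expired", r"Expired translations:\s*(\d+)"),
]


def parse_nat_statistics(text):
    """Return a dict of counters plus the inside/outside interface lists."""
    stats = {"inside_interfaces": [], "outside_interfaces": []}
    section = None                          # interface list currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Outside interfaces:"):
            section = "outside_interfaces"
            continue
        if line.startswith("Inside interfaces:"):
            section = "inside_interfaces"
            continue
        if section and raw[:1].isspace():   # indented line = an interface name
            stats[section].append(line)
            continue
        section = None                      # any other line ends the list
        m = re.match(r"Hits:\s*(\d+)\s+Misses:\s*(\d+)", line)
        if m:
            stats["hits"], stats["misses"] = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"CEF Translated packets:\s*(\d+),\s*CEF Punted packets:\s*(\d+)", line)
        if m:
            stats["cef_translated"], stats["cef_punted"] = int(m.group(1)), int(m.group(2))
            continue
        for key, pattern in _COUNTERS:
            m = re.match(pattern, line)
            if m:
                stats[key] = int(m.group(1))
                break
    return stats


def switching_path_verdict(stats):
    """Where did the translated packets go?

    Router-originated traffic (ping sourced from an interface) is process
    switched.  Transit traffic arriving on a CEF-enabled inside interface is
    handled in the CEF path and shows up under 'CEF Translated' or 'CEF Punted'.
    """
    if not stats["inside_interfaces"] or not stats["outside_interfaces"]:
        return "missing-inside-or-outside-interface"
    if stats.get("hits", 0) == 0:
        return "nothing-translated"
    if stats.get("cef_translated", 0) == 0 and stats.get("cef_punted", 0) == 0:
        return "process-path-only"          # the original post's counters
    return "cef-path-active"


if __name__ == "__main__":
    s = parse_nat_statistics(SAMPLE_STATS)
    print(s)
    print(switching_path_verdict(s))
```

Run it against a fresh `show ip nat statistics` after sending traffic from a LAN host: if the verdict stays at process-path-only while Hits climbs, only the router's own packets are being translated, which is exactly the symptom the thread describes. It is a triage aid only; it tells you which path the translated packets took, not why the other path is not translating.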

 