03-06-2015 03:19 PM - edited 03-05-2019 12:58 AM
03-06-2015 04:13 PM
What do you have defined as access-list 101?
03-06-2015 05:06 PM
access-list 101 permit ip any any
it's a permit any any for now..
03-06-2015 05:10 PM
Can you try using the 10.49.4.0/24 subnet as the source eg.
"access-list 101 permit ip 10.49.4.0 0.0.0.255 any"
NAT can sometimes not work with "any" as the source.
Jon
03-06-2015 05:15 PM
Did you clear your translations before trying again? And any chance of an updated config so we know where you are :)
03-06-2015 05:38 PM
Thank you for looking and replying, I have fought this most of the day..
and I see translations only when traffic is sourced from lo0 or g0/0 but not when it's coming in on G0/0
I created an ACL to put on G0/0 to confirm the traffic source IP.. but did not do that yet.
I did the following.
I started with extended ACL
ip access-list extended pat-1
permit ip 10.0.0.0 0.255.255.255 any
and
ip nat inside source list pat-1 interface Gi0/1 overload
then tried standard list
access-list 101 permit 10.0.0.0 0.255.255.255 any
then tried checking interface ip and other IP
ip access-list extended pat-1
permit host 10.16.0.92 any
permit host 10.149.4.146 any
permit 10.80.0.0 0.0.255.255 any (my workstations)
permit any host 10.16.0.92
permit any host 10.149.4.146
permit any 10.80.0.0 0.0.255.255
just to see what counters were changing..
and traffic was sourced from 10.16
the problem is that when traffic is from 10.80.0.0/16 it does not hit the acl
and that I don't understand.
PAT is working when I source it from lo0 or g0/0.. but not when traffic is coming across
there is NVI interface and that has g0/0 IP - created when I create the NAT rules..
between each I did a router reload.. to clear everything.
03-06-2015 05:44 PM
Can you post your current config as requested by Pete.
And can you make it the full configuration.
Jon
03-06-2015 05:50 PM
I will post the full config .. but I have to hit the road will be couple of hours before I can do that.
03-07-2015 01:47 AM
It was a bit late for me last night so apologies for missing this. I re-read your original post and noticed these two bits in your output:
interface Loopback0
ip address 10.16.0.92 255.255.255.255
myrouter# ping 10.91.8.1 sou lo0
The reason why traffic is not being subject to NAT is that you're missing the ip nat inside command on your loopback interface.
04-20-2015 01:00 PM
I'm hoping someone is still monitoring this thread. Thank you in advance if you are. I have the same or maybe similar problem. I installed my spare 7301 today as a NAT gateway to my private SIP network. I configured PAT as per the numerous identical examples I found through searching the net and I have attached a current config file so you can see what I have done. I can ping 8.8.8.8 from within the router, using the "inside" interface as the source, but cannot get beyond the router from any device on the "inside" LAN.
E7_SIP#ping 8.8.8.8 source 10.7.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.7.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
E7_SIP#
Any thoughts or suggestions would be greatly appreciated.
Thanks,
Kevin
04-20-2015 02:32 PM
Add
'no ip route-cache cef'
to interface 'inside'
04-20-2015 08:20 PM
I already have that statement on both the "inside" and "outside" interfaces. Should I remove it from the "outside" interface? Thanks.
04-23-2015 06:38 AM
I just assumed you were having the same problem.
Step by step..
Let's check if NAT is working.
use - sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 66.117.96.80:1 10.7.0.1:1 8.8.8.8 8.8.8.8
and you should get something like this when you ping from the router and source from the Inside interface.
Next, ping from a host connected to the inside network and check again..
use - sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 66.117.96.80:1 10.7.0.1:1 8.8.8.8 8.8.8.8
icmp 66.117.96.80:2 10.7.0.10:2 8.8.8.8 8.8.8.8 ---> do we have NAT/PAT?
if we have NAT but ping is still not working.. we are looking at routing and PAT translation is working
if there is no line for inside host - then we can work on Translation issue.
Things to check if there is no NAT..
Is the packet hitting the inside interface? (use an extended ACL and log)
on LAN inside in
and we should see the packet in and out.. and post logs.
ip access-list extended INGRESS
permit ip host 10.7.0.10 any log-input
permit ip any host 10.7.0.10 log-input
permit ip any any
when you add the ACL - do a ping and check NAT again.
Has it started working?
we may need to change the ACL to an extended ACL for PAT. Does the code support extended ACLs?
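An added helper (not code from anyone in this thread) that applies the triage above to captured "sh ip nat translations" output: the sample tables are constructed from the addresses used in this thread, and the function names and the 10.7.0.10 host are assumptions.

```python
from typing import List, NamedTuple, Optional, Set, Tuple

# Constructed samples modelled on the "sh ip nat translations" output in this thread.
# Case 1: both the router (10.7.0.1) and the LAN host (10.7.0.10) have entries.
SAMPLE_LAN_OK = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 66.117.96.80:1    10.7.0.1:1         8.8.8.8            8.8.8.8
icmp 66.117.96.80:2    10.7.0.10:2        8.8.8.8            8.8.8.8
"""
# Case 2: only the router-sourced ping was translated (the failure seen in the thread).
SAMPLE_ROUTER_ONLY = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 66.117.96.80:5    10.7.0.1:5         8.8.8.8:5          8.8.8.8:5
"""

class Translation(NamedTuple):
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str

def split_addr(field: str) -> Tuple[Optional[str], Optional[int]]:
    """'10.7.0.1:5' -> ('10.7.0.1', 5); '8.8.8.8' -> ('8.8.8.8', None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    ip, sep, port = field.rpartition(":")
    return (field, None) if not sep else (ip, int(port))

def parse_translations(text: str) -> List[Translation]:
    """Keep only the five-column data rows; the header line splits into nine words."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            rows.append(Translation(*parts))
    return rows

def inside_local_hosts(rows: List[Translation]) -> Set[str]:
    return {split_addr(r.inside_local)[0] for r in rows if r.inside_local != "---"}

def triage(text: str, lan_host: str, router_inside_ip: str) -> str:
    """The thread's decision: translation present -> routing problem, otherwise a NAT problem."""
    hosts = inside_local_hosts(parse_translations(text))
    if lan_host in hosts:
        return "translation-present"      # PAT works for the host; look at routing / return path
    if router_inside_ip in hosts:
        return "lan-host-not-translated"  # router-sourced traffic works; check ip nat inside and the NAT ACL
    return "no-nat"                       # nothing translated; check inside/outside and the nat statement
```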
04-23-2015 04:37 PM
Thank you for the detailed response. I will do my best to answer your questions.
When I ping from the router using the inside interface as the source I get the following entry in the NAT translation log:
E7_SIP#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 66.117.96.80:5 10.7.0.1:5 8.8.8.8:5 8.8.8.8:5
E7_SIP#
When I ping from the Linux server at 10.7.0.2 I get the following, and nothing is in the NAT translation table:
[root@host ~]# ping 8.8.8.8
connect: Network is unreachable
[root@host ~]#
I added your extended access list to the in of the inside interface and I still cannot ping through the router. I had tried previously with an extended access list and it did not work. I wanted to try yours too in case I had done something wrong.
There is something I do not understand about my route table:
E7_SIP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 66.117.96.1 to network 0.0.0.0
66.0.0.0/24 is subnetted, 1 subnets
C 66.117.96.0 is directly connected, GigabitEthernet0/2
10.0.0.0/16 is subnetted, 1 subnets
C 10.7.0.0 is directly connected, GigabitEthernet0/1
S* 0.0.0.0/0 [1/0] via 66.117.96.1
E7_SIP#
Is the information above that is in red text correct? Shouldn't it say 66.0.0.0/8 and not /24? Shouldn't it also say that it's variably subnetted?
Thank you very much for your help.
04-23-2015 06:19 PM
I don’t recall if it should say /8. Let’s just tell the router that we are sub-netting and to allow 0 subnets. Add these please
config t
ip classless
ip subnet-zero
Also please post following
sh ip access-list
then if acl INGRESS is not applied to inside – let’s apply it and ping from your Linux box and post
show log
and sho ip access-list
I am looking for confirmation whether the router is getting the ping - and what response it is sending back to the host.
Is 10.7.0.1 the gateway for the Linux box?