5055 Views, 10 Helpful, 23 Replies

NAT overload on router works from inside the router only

zakhalid (Level 1)
I have to do NAT overload on a router.
Following is the config, and as long as I source traffic from a router interface it works.. but when traffic comes across G0/0 (inside) it does not hit the ACL or get translated.
There is no host alive at 10.91.8.1 yet, so there's no reply.. but that should not prevent translation, should it?
Plus it's working from inside the router..
 
Changes
=============
Switched from using the interface to a pool for NAT
Extended ACL to standard ACL
Upgraded the code. 15.1-2
 
and I am out of ideas..
 
 
IOS
c2951-universalk9-mz.SPA.152-1.T3.bin
 
 
no ip gratuitous-arps
no ip icmp rate-limit unreachable
no ip forward-protocol nd
no ip domain lookup
ip cef
no ip igmp snooping
 
interface Loopback0
 ip address 10.16.0.92 255.255.255.255
 
interface GigabitEthernet0/0
 ip address 10.149.4.146 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 ip address 10.91.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
 
ip route 10.91.8.0 255.255.254.0 10.91.1.2
 
ip nat pool pool91 10.91.1.1 10.91.1.1 prefix-length 24
interface GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/1
 ip nat outside 
!
ip nat inside source list 101 pool pool91 overload
 
 
 
 
 
 
myrouter# ping 10.91.8.1 sou lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.91.8.1, timeout is 2 seconds:
Packet sent with a source address of 10.16.0.92 
.....
Success rate is 0 percent (0/5)
myrouter# ping 10.91.8.1        
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.91.8.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
myrouter#
myrouter#
myrouter# ping 10.91.8.1 sou g0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.91.8.1, timeout is 2 seconds:
Packet sent with a source address of 10.149.4.146 
.....
Success rate is 0 percent (0/5)
myrouter#sh ip nat tra
myrouter#sh ip nat translations 
Pro Inside global         Inside local          Outside local         Outside global
icmp 10.91.1.1:1         10.16.0.92:1        10.91.8.1:1          10.91.8.1:1
icmp 10.91.1.1:3         10.149.4.146:3       10.91.8.1:3          10.91.8.1:3
myrouter#sh ip nat statu
myrouter#sh ip nat stat 
myrouter#sh ip nat statistics 
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Peak translations: 5, occurred 00:12:27 ago
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces: 
  GigabitEthernet0/0
Hits: 25  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 6
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 101 pool pool91 refcount 2
 pool pool91: netmask 255.255.255.0
        start 10.91.1.1 end 10.91.1.1
        type generic, total addresses 1, allocated 1 (100%), misses 0
 
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
myrouter#
myrouter#
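What the output above shows, as an added example that is not part of the thread: a small Python model of IOS inside-source NAT overload (PAT) with wildcard-mask ACL matching. The ACL (the 10.0.0.0/8 variant of list 101 the poster tried), the pool address 10.91.1.1 and the interface roles are taken from the posted config; the interface names as strings, the 10.80.0.5 and 192.168.7.9 test sources and the port-allocation rule are assumptions. It demonstrates three things the poster is asking about: the translation entry is created by the outbound packet alone (a silent 10.91.8.1 does not matter), router-originated packets leaving the outside interface are translated too (which is why the Lo0- and Gi0/0-sourced pings appear in the table), and a packet whose source misses the ACL is routed untranslated and never shows up in `show ip nat translations`.

```python
"""Added example: a small model of IOS inside-source NAT overload (PAT).

Not from the thread. Simplifications: one pool address, no timers, no CEF path,
ICMP 'ports' are the echo identifiers. The ACL, pool address and interface roles
come from the posted config; the LAN/other test sources are made up.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS keyword 'any'


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


class NatOverload:
    """'ip nat inside source list <acl> pool <single address> overload'."""

    def __init__(self, acl, pool_addr, inside_ifaces, outside_ifaces):
        self.acl = acl
        self.pool_addr = pool_addr
        self.inside = set(inside_ifaces)
        self.outside = set(outside_ifaces)
        # (proto, inside local, local port) -> (global port, outside addr, outside port)
        self.table = {}
        self.hits = 0     # packets matching an existing entry
        self.misses = 0   # packets that had to create a new entry

    def _free_port(self, proto, wanted):
        """PAT keeps the original source port if it is free (assumed rule: otherwise
        take the lowest unused port from 1024 up; real IOS uses its own ranges)."""
        used = {gp for (p, _, _), (gp, _, _) in self.table.items() if p == proto}
        if wanted not in used:
            return wanted
        return next(p for p in range(1024, 65536) if p not in used)

    def forward(self, proto, src, sport, dst, dport, in_iface, out_iface):
        """Inside-to-outside packet; returns (inside global, global port) or None.

        Only a packet that came in on an 'ip nat inside' interface and exits an
        'ip nat outside' interface is a candidate. Router-originated traffic
        ('local') exiting the outside interface is translated as well, which is
        what the poster's pings sourced from Lo0 and Gi0/0 show."""
        if in_iface != "local" and in_iface not in self.inside:
            return None
        if out_iface not in self.outside:
            return None
        key = (proto, src, sport)
        if key in self.table:
            self.hits += 1
            return self.pool_addr, self.table[key][0]
        if not acl_permits(self.acl, src, dst):
            return None  # routed untranslated; never appears in the table
        # The entry is created by the outbound packet alone, so a destination that
        # never replies (10.91.8.1 in the thread) still produces a translation.
        self.misses += 1
        gport = self._free_port(proto, sport)
        self.table[key] = (gport, dst, dport)
        return self.pool_addr, gport

    def show_translations(self):
        """Rows in the column order of 'show ip nat translations'."""
        return [
            (proto, f"{self.pool_addr}:{gp}", f"{il}:{lp}", f"{ol}:{op}", f"{ol}:{op}")
            for (proto, il, lp), (gp, ol, op) in self.table.items()
        ]


def build_router():
    """Posted config with the 10.0.0.0/8 variant of list 101 the poster tried."""
    acl = [("permit", ("10.0.0.0", "0.255.255.255"), ANY)]
    return NatOverload(acl, "10.91.1.1", ["Gi0/0"], ["Gi0/1"])


def demo():
    """Replays the two router-sourced pings from the post plus three LAN packets."""
    nat = build_router()
    results = {
        "lo0": nat.forward("icmp", "10.16.0.92", 1, "10.91.8.1", 1, "local", "Gi0/1"),
        "gi0/0": nat.forward("icmp", "10.149.4.146", 3, "10.91.8.1", 3, "local", "Gi0/1"),
        "lan": nat.forward("icmp", "10.80.0.5", 3, "10.91.8.1", 3, "Gi0/0", "Gi0/1"),
        "other": nat.forward("icmp", "192.168.7.9", 1, "10.91.8.1", 1, "Gi0/0", "Gi0/1"),
        "repeat": nat.forward("icmp", "10.80.0.5", 3, "10.91.8.1", 3, "Gi0/0", "Gi0/1"),
    }
    return nat, results


if __name__ == "__main__":
    nat, results = demo()
    for name, res in results.items():
        print(f"{name:7} -> {res}")
    print("Pro  Inside global  Inside local  Outside local  Outside global")
    for row in nat.show_translations():
        print("  ".join(row))
    print(f"Hits: {nat.hits}  Misses: {nat.misses}")
```

The LAN packet from 10.80.0.5 collides with the Gi0/0-sourced ping on ICMP identifier 3, so PAT has to pick another global port for it; the 192.168.7.9 packet is not in 10.0.0.0/8, fails the ACL and leaves untranslated with no table entry, which is the same symptom as a packet that never reaches the inside interface at all. That is why the thread's next step is a logging ACL on the inside interface: it separates "not arriving" from "arriving but not matching".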
23 Replies

Robert Falconer (Level 1)

What do you have defined as access-list 101?

access-list 101 permit ip any any

it's a permit any any for now..

 

Can you try using the 10.49.4.0/24 subnet as the source, e.g.

"access-list 101 permit ip 10.49.4.0 0.0.0.255 any"

NAT can sometimes not work with "any" as the source.

Jon

Did you clear your translations before trying again? And any chance of an updated config so we know where you are :)

Thank you for looking and replying, I have fought this most of the day..

and I see translations only when traffic is sourced from lo0 or g0/0, but not when it's coming in on G0/0

I created an ACL to put on G0/0 to confirm the traffic source IP.. but have not done that yet.

I did do following.

 

I started with extended ACL

ip access-list extended pat-1

 permit ip 10.0.0.0 0.255.255.255 any

and

ip nat inside source list pat-1 interface Gi0/1 overload

then tried standard list

access-list 101 permit 10.0.0.0 0.255.255.255 any

 

then tried checking interface ip and other IP

ip access-list extended pat-1

permit host 10.16.0.92 any

permit host 10.149.4.146 any

permit 10.80.0.0 0.0.255.255 any  (my workstations)

permit any host 10.16.0.92

permit any host 10.149.4.146

permit any 10.80.0.0 0.0.255.255 

 just to see what counters were changing..

and traffic was sourced from 10.16

the problem is that when traffic is from 10.80.0.0/16 it does not hit the ACL

and that I don't understand.

 

PAT is working when I source it from lo0 or g0/0.. but not when traffic is coming across

 

there is an NVI interface and it has the g0/0 IP - created when I create the NAT rules..

 

 

between each attempt I did a router reload.. to clear everything.

 

 

Can you post your current config as requested by Pete.

And can you make it the full configuration.

Jon

I will post the full config.. but I have to hit the road; it will be a couple of hours before I can do that.

It was a bit late for me last night, so apologies for missing this. I re-read your original post and noticed these two bits in your output:

interface Loopback0
 ip address 10.16.0.92 255.255.255.255

myrouter# ping 10.91.8.1 sou lo0

The reason why traffic is not being subject to NAT is that you're missing the ip nat inside command on your loopback interface.

I'm hoping someone is still monitoring this thread.  Thank you in advance if you are.  I have the same or maybe similar problem.  I installed my spare 7301 today as a NAT gateway to my private SIP network.  I configured PAT as per the numerous identical examples I found through searching the net and I have attached a current config file so you can see what I have done.  I can ping 8.8.8.8 from within the router, using the "inside" interface as the source, but cannot get beyond the router from any device on the "inside" LAN.

 

E7_SIP#ping 8.8.8.8 source 10.7.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.7.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
E7_SIP#

 

Any thoughts or suggestions would be greatly appreciated.

 

Thanks,

Kevin

Add 

'no ip route-cache cef' 

to interface 'inside'

 

 

I already have that statement on both the "inside" and "outside" interfaces.  Should I remove it from the "outside" interface?  Thanks.

I just assumed you were having the same problem.
Step by step..
Let's check if NAT is working.

use - sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
icmp 66.117.96.80:1         10.7.0.1:1        8.8.8.8         8.8.8.8


and you should get something like this when you ping from the router and source from the inside interface.


Next, ping from a host connected to the inside network and check again..

use - sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
icmp 66.117.96.80:1         10.7.0.1:1        8.8.8.8         8.8.8.8
icmp 66.117.96.80:2         10.7.0.10:2        8.8.8.8         8.8.8.8    ---> do we have NAT/PAT?

if we have NAT but ping is still not working.. we are looking at routing, and PAT translation is working
if there is no line for the inside host - then we can work on the translation issue.


Things to check if there is no NAT..

Is the packet hitting the inside interface? (use an extended ACL and log)
Apply it on the LAN inside interface, inbound,
and we should see the packet in and out.. and post the logs.
ip access-list extended INGRESS
 permit ip host 10.7.0.10 any log-input
 permit ip any host 10.7.0.10 log-input
 permit ip any any
 
 when you add the ACL - do a ping and check NAT again.
 Has it started working?
 
 we may need to change the ACL to an extended ACL for PAT. Does the code support extended ACLs?
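The first check in the procedure above (is there a translation entry for the inside host at all?) is easy to automate when you are collecting `show ip nat translations` from several routers. The following is an added example, not code from the thread: a parser for that output plus the decision rule the post states. The SAMPLE text is constructed from the entries quoted in the thread (Kevin's addresses) with a TCP row and a static row added; the static-row format with `---` in the port-less columns is IOS's, the rest of the sample is assumed. One general caveat worth keeping in mind before reading any NAT table: a host-side `connect: Network is unreachable` means the host itself had no route for the destination and the packet never left it, so no translation entry would be expected on the router either way.

```python
"""Added example: parse 'show ip nat translations' and apply the check from the
step-by-step post (is there an entry for the inside host?). Not from the thread.
SAMPLE is constructed from the entries quoted in the thread plus a TCP row and a
static row; the addresses are the ones Kevin posted."""
from dataclasses import dataclass
from typing import Optional

SAMPLE = """E7_SIP#sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
icmp 66.117.96.80:5       10.7.0.1:5            8.8.8.8:5             8.8.8.8:5
icmp 66.117.96.80:2       10.7.0.10:2           8.8.8.8:2             8.8.8.8:2
tcp  66.117.96.80:49152   10.7.0.10:49152       8.8.8.8:53            8.8.8.8:53
--- 66.117.96.81          10.7.0.20             ---                   ---
E7_SIP#"""

PROTOS = {"icmp", "tcp", "udp", "---"}


@dataclass
class Translation:
    proto: str
    inside_global: Optional[str]
    inside_global_port: Optional[int]
    inside_local: Optional[str]
    inside_local_port: Optional[int]
    outside_local: Optional[str]
    outside_global: Optional[str]


def split_addr(field):
    """'10.7.0.1:5' -> ('10.7.0.1', 5); '8.8.8.8' -> ('8.8.8.8', None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    addr, sep, port = field.partition(":")
    return addr, (int(port) if sep else None)


def parse_translations(text):
    """Keep only five-column rows whose first column is a protocol; this skips the
    command echo, the header line, the trailing prompt and blank lines."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] not in PROTOS:
            continue
        proto, ig, il, ol, og = cols
        ig_addr, ig_port = split_addr(ig)
        il_addr, il_port = split_addr(il)
        entries.append(Translation(proto, ig_addr, ig_port, il_addr, il_port,
                                   split_addr(ol)[0], split_addr(og)[0]))
    return entries


def translations_for(entries, host):
    """All entries whose inside local address is the host we are troubleshooting."""
    return [e for e in entries if e.inside_local == host]


def diagnose(text, host):
    """The decision rule from the post: an entry for the host means NAT/PAT is
    translating and the fault is elsewhere (routing, return path); no entry means
    the packet is not reaching the inside interface or not matching the NAT ACL."""
    if translations_for(parse_translations(text), host):
        return "translated: NAT/PAT works for this host, look at routing"
    return "no entry: check the packet reaches the inside interface and matches the NAT ACL"


if __name__ == "__main__":
    for host in ("10.7.0.1", "10.7.0.10", "10.7.0.2"):
        print(host, "->", diagnose(SAMPLE, host))
```

Run it against the real output with `diagnose(open("nat.txt").read(), "10.7.0.2")`; the inside-local match is exact, so pass the host address as it appears in the table, not a hostname.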

Thank you for the detailed response.  I will do my best to answer your questions. 

When I ping from the router using the inside interface as the source I get the following entry in the NAT translation log:

E7_SIP#sh ip nat trans         
Pro Inside global         Inside local          Outside local         Outside global
icmp 66.117.96.80:5       10.7.0.1:5            8.8.8.8:5             8.8.8.8:5
E7_SIP#

 

When I ping from the Linux server at 10.7.0.2 I get the following, and nothing is in the NAT translation table:

[root@host ~]# ping 8.8.8.8

connect: Network is unreachable

[root@host ~]#

 

 

I added your extended access list to the in of the inside interface and I still cannot ping through the router.  I had tried previously with an extended access list and it did not work.  I wanted to try yours too in case I had done something wrong.

 

There is something I do not understand about my route table:

E7_SIP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 66.117.96.1 to network 0.0.0.0

     66.0.0.0/24 is subnetted, 1 subnets
C       66.117.96.0 is directly connected, GigabitEthernet0/2

     10.0.0.0/16 is subnetted, 1 subnets
C       10.7.0.0 is directly connected, GigabitEthernet0/1
S*   0.0.0.0/0 [1/0] via 66.117.96.1
E7_SIP#

Is the information above that is in red text correct? Shouldn't it say 66.0.0.0/8 and not /24? Shouldn't it also say that it's variably subnetted?

 

Thank you very much for your help.

I don't recall if it should say /8. Let's just tell the router that we are subnetting and to allow subnet zero. Add these please

config t

ip classless

ip subnet-zero

 

Also please post following

sh ip access-list

then if acl INGRESS is not applied to inside – let’s apply it and ping from your Linux box and post

show log

and show ip access-list

I am looking for confirmation that the router is getting the ping - and what response it is sending back to the host.

Is 10.7.0.1 the gateway for the Linux box?
