NAT Problems (877W)

mailaglady2
Level 1

Hi

I have 2 routers (877W and 3825) connected back to back. I am trying to configure NAT, but when I configure my access-list to match the network that must be translated, I can't hop from one router to the other. But the traffic sent is received on the other side.

Attached are both routers' configs. Another problem here is that on router 877, when I configure IP NAT INSIDE on int vlan2, traffic drops from the 877.

All pings are successful in both directions.

Router 877

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip virtual-reassembly
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan1
 description Connection to Router 3825
 ip address 192.1.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface Vlan2
 description Home LAN
 ip address 192.4.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Vlan1
!
ip access-list extended Mpho
 permit ip any any
 deny ip host 10.0.0.1 any
!
ip nat inside source list Mpho interface Vlan1 overload

Router 3825

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip address 20.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 192.2.1.1 255.255.255.0
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 ip address 192.1.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
!
ip nat inside source list Mpho interface GigabitEthernet0/1 overload
!
ip access-list extended Mpho
 permit ip 192.2.1.0 0.0.0.255 any
 permit ip host 2.2.2.2 any
!


Giuseppe Larosa
Hall of Fame

Hello Lawrence,

It would be better to define the ACL in a more specific way.

Also, specific deny statements need to be configured first or they will never match:

ip access-list extended Mpho
 permit ip any any
 deny ip host 10.0.0.1 any

Another suggestion is to use a standard ACL at first for NAT, like

access-list 11 permit 192.4.1.0 0.0.0.255

I would use a route-map to use an extended ACL, like

access-list 114 deny ip any host 10.0.0.1
access-list 114 permit ip 192.4.1.0 0.0.0.255 any
route-map selected-NAT permit 10
 match ip address 114

and the line becomes

ip nat inside source route-map selected-NAT interface Vlan1 overload

And also

int vlan 2
 ip nat inside

Hope to help

Giuseppe

Lawrence,

Actually, when doing NAT you still need a route to tell it which interface to route packets out of, because the routing process is performed first (inside to outside).

On the Ethernet segment, I would reference the next hop to reach the other networks. You will get problems when proxy-ARP functions are disabled at the far end.

I wouldn't use "permit ip any any" in the NAT statement, because you will get problems when connecting to the router itself.

Router 877

!
ip access-list extended Mpho
 permit ip 192.4.1.0 0.0.0.255 any
 deny ip host 10.0.0.1 any
!
ip route 0.0.0.0 0.0.0.0 192.1.1.2
!
interface Vlan2
 ip nat inside
!

Router 3825

!
interface GigabitEthernet0/0
 ip nat inside
!

When you initiate traffic from here, you need a route.

!
ip route 0.0.0.0 0.0.0.0 192.1.1.1
!

HTH,

Toshi
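The ordering point both replies make (a deny placed after "permit ip any any" is never reached, so 10.0.0.1 gets translated anyway) as an added example that is not part of this thread and not Cisco code: a small first-match evaluator for the posted Mpho list versus the reordered form the replies suggest, plus a check that flags entries an earlier line fully shadows. The ACL text and addresses are the ones from the thread; the function names and the source-only simplification are my own assumptions.

```python
import ipaddress
MASK32 = 0xFFFFFFFF

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(text):
    """Parse IOS 'permit|deny ip <src> [wildcard] ...' lines into (action, network, wildcard)
    tuples. Only the source is examined: every line in the thread has 'any' as destination."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended ...' header line
        action, src = parts[0], parts[2]
        if src == "any":
            entries.append((action, 0, MASK32))
        elif src == "host":
            entries.append((action, _to_int(parts[3]), 0))
        else:
            entries.append((action, _to_int(src), _to_int(parts[3])))
    return entries

def _matches(addr, network, wildcard):
    # Cisco wildcard mask: a 0 bit must match, a 1 bit is "don't care".
    return (addr & ~wildcard & MASK32) == (network & ~wildcard & MASK32)

def nat_translates(acl_text, src_ip):
    """First matching entry decides whether NAT translates src_ip; no match is an implicit deny."""
    addr = _to_int(src_ip)
    for action, network, wildcard in parse_acl(acl_text):
        if _matches(addr, network, wildcard):
            return action == "permit"
    return False

def shadowed_lines(acl_text):
    """1-based positions of entries an earlier entry fully covers, so they can never match."""
    entries = parse_acl(acl_text)
    hits = []
    for i, (_, n_b, w_b) in enumerate(entries):
        for _, n_a, w_a in entries[:i]:
            # A covers B when A's don't-care bits include B's and the fixed bits agree.
            if (w_a | w_b) == w_a and (n_a & ~w_a & MASK32) == (n_b & ~w_a & MASK32):
                hits.append(i + 1)
                break
    return hits

# Constructed inputs: the ACL posted for the 877, and the reordered form the replies suggest.
POSTED_ACL = "ip access-list extended Mpho\n permit ip any any\n deny ip host 10.0.0.1 any\n"
REORDERED_ACL = "ip access-list extended Mpho\n deny ip host 10.0.0.1 any\n permit ip 192.4.1.0 0.0.0.255 any\n"
```

Running shadowed_lines on the posted list reports entry 2 as unreachable, and nat_translates shows 10.0.0.1 translated under the posted list but denied under the reordered one.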
