
NAT translation occur only for ICMP packets, no TCP or UDP translation

Eman.Bakri
Level 1

I have a problem on a Cisco ASR 1001 router. When I do PAT for different subnets, ping to 8.8.8.8 succeeds, but when trying any other service I don't find any translation in (show ip nat translation); only ICMP appears, so the subnet cannot access the internet, and even the DNS service does not work.

When I removed the NAT command and pasted it again, NAT translation occurred and internet service worked normally. Then I tried to add more subnets to the ACL used in this NAT command and the issue happened again.

9 Replies

Hi eng.emanbakri21,

1) Can you please share your NAT configuration?

2) Also, are you using an access list directly in your NAT statement? If yes, then I would recommend using a route map.

Spooster IT Services Team

ip nat inside source list 7 interface Loopback2 overload

Above is one of the NAT commands that is not working; Loopback2 contains the public IP used for NAT. Yes, I use an access list for NAT and it has been working fine for years; this issue happened only two weeks ago. Can you please explain why to use a route-map rather than an access list, and the difference in the NAT command when using each? Thanks a lot for your reply.

Guy, please share your configuration so we can provide a better solution for you. Thanks.
Jaderson Pessoa
*** Rate All Helpful Responses ***

ip nat inside source list 7 interface Loopback2 overload
!
interface Loopback2
 description Access-List-7
 ip address x.x.x.x 255.255.255.255
end
!
Standard IP access list 7
    10 permit 172.18.150.0, wildcard bits 0.0.0.255
!

Hi eng.emanbakri21,

1) When you say you are removing the NAT commands, what exactly are you doing? And how are you removing the NAT commands?

2) Can you please test by calling this ACL in a route map and using this route map in the NAT command?

3) Which IOS version are you using in the router?

Spooster IT Services Team

1/

no ip nat inside source list 7 interface Loopback2 overload
then
ip nat inside source list 7 interface Loopback2 overload

After this, NAT works, but not for all entries in the ACL, and there is no normal behavior in selecting which entries work.

2/ I tried to configure NAT using a route-map; the same issue happened.

Hi,

@Eman.Bakri I asked you for some info: "show run | sec ip nat", "show access-list" and the complete configuration of the inside/outside NAT interfaces.

Regards,

Cristian Matei.

Eman.Bakri,

Your configuration looks good and the steps you are performing are normal. What IOS version are you using? I would like to suggest you try the following configuration. We have this config running on 500+ sites without any issue.

ip access-list extended NAT
 permit ip 172.18.150.0 0.0.0.255 any
!
route-map NAT permit 10
 match ip address NAT
!
ip nat inside source route-map NAT interface Loopback2 overload
!
interface <interface name/number>
 ip nat inside
!
interface <interface name/number>
 ip nat outside

Please rate if you find this helpful.

Spooster IT Services Team

Cristian Matei
VIP Alumni

Hi,

Post your "show run | sec ip nat", "show access-list" and the inside/outside NAT interfaces complete configuration. Route-maps are required when you want to configure policy-based NAT.

Regards,

Cristian Matei.
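
A diagnostic sketch for the symptom in the original question, added here as an example and not posted by anyone in the thread: it parses `show ip nat translations` output and reports which ACL subnets have only ICMP entries and no TCP or UDP ones. The sample output, the 203.0.113.1 stand-in for the Loopback2 address, and the second subnet 172.18.151.0/24 are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `show ip nat translations` output (not from the thread).
# 203.0.113.1 stands in for the Loopback2 public address; 172.18.151.0/24 is a
# hypothetical second subnet added to the NAT ACL.
SAMPLE = """\
Pro  Inside global         Inside local          Outside local         Outside global
icmp 203.0.113.1:1         172.18.150.10:1       8.8.8.8:1             8.8.8.8:1
tcp  203.0.113.1:1024      172.18.150.10:51512   198.51.100.7:443      198.51.100.7:443
udp  203.0.113.1:1025      172.18.150.11:53211   8.8.8.8:53            8.8.8.8:53
icmp 203.0.113.1:2         172.18.151.20:7       8.8.8.8:7             8.8.8.8:7
icmp 203.0.113.1:3         172.18.151.21:9       8.8.8.8:9             8.8.8.8:9
Total number of translations: 5
"""

# Protocol column, then the inside-global column (skipped), then the
# inside-local address with its optional :port suffix.
ROW = re.compile(r"^(icmp|tcp|udp)\s+\S+\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s", re.M)


def protocols_by_subnet(output, subnets):
    """Map each ACL subnet to the set of protocols that have a translation."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    seen = {str(n): set() for n in nets}
    for proto, inside_local in ROW.findall(output):
        addr = ipaddress.ip_address(inside_local)
        for n in nets:
            if addr in n:
                seen[str(n)].add(proto)
    return seen


def icmp_only(output, subnets):
    """Subnets showing the thread's symptom: ICMP entries but no TCP/UDP."""
    result = protocols_by_subnet(output, subnets)
    return sorted(net for net, protos in result.items() if protos == {"icmp"})


if __name__ == "__main__":
    acl = ["172.18.150.0/24", "172.18.151.0/24"]
    for net, protos in protocols_by_subnet(SAMPLE, acl).items():
        print(net, sorted(protos) or "no translations")
    print("ICMP-only subnets:", icmp_only(SAMPLE, acl))
```
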
