Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1782
Views
5
Helpful
7
Replies

NVI NAT (ip nat enable) Port Forward (ip nat source) Not Working

sndguru
Level 1
Level 1

‎09-04-2018 06:11 AM - edited ‎03-05-2019 10:53 AM

 

I have been trying for years to move over to NVI NAT on two different routers (C877 and C1801) but neither seem to do it.  I'm wondering if I'm doing something wrong or if the versions I'm running have a flaw, currently a C180X-ADVIPSERVICESK9-M), Version 12.4(15)T17.

 

Below is what I'm attempting:

 

interface Vlan1
 ip nat enable
!
interface Dialer1
 ip nat enable
!
ip nat source static tcp xxx.xx.xx.x 80 interface Dialer1 80
ip nat source static tcp xxx.xx.xx.x 443 interface Dialer1 443
ip nat source static tcp xxx.xx.xx.x 22 interface Dialer1 2222
ip nat source list 170 interface Dialer1 overload

 

But with this configuration the static translations fail to appear in "show ip nat nvi trans".  I get the NAT overload translations, therefore outbound network traffic is working.  But nothing hits the inbound services from the internet.

 

I end up having to go to:

 

interface Vlan1
 ip nat enable
 ip nat inside
!
interface Dialer1
 ip nat enable
 ip nat outside
!
ip nat source static tcp xxx.xx.xx.x 80 interface Dialer1 80
ip nat source static tcp xxx.xx.xx.x 443 interface Dialer1 443
ip nat source static tcp xxx.xx.xx.x 22 interface Dialer1 2222
ip nat inside source list 170 interface Dialer1 overload

 

 

Which is a sort of hybrid setup, but the static translations still only appear in "show ip nat trans" although that are stated as an NVI configuration.

 

Pro Inside global         Inside local          Outside local         Outside global
tcp xx.xxx.xxx.xx:80      xxx.xx.x.xx:80        ---                   ---
tcp xx.xxx.xxx.xx:443     xxx.xx.x.xx:443       ---                   ---
tcp xx.xxx.xxx.xx:2222    xxx.xx.x.xx:22        ---                   ---

 

So I'm sort of thinking in the versions/routers I've been using none of them seem to actually differentiate between "ip nat inside source" and "ip nat source" or am I missing something?

 

So basically I think I've decided I will forever be running split brain dns, or at least until IPv4 is depreciated for IPv6.

Labels:
0 Helpful
7 Replies 7

rasmus.elmholt
Level 7
Level 7

‎09-04-2018 07:58 AM

Hi

Please note that NAT NVI is only recommended when you want to NAT between VRFs. Otherwise the "normal" NAT is still recommended.

Your configuration is correct by the way. Cant say why/if they show up in the show ip nat translations and not show ip nat nvi translations

sndguru
Level 1
Level 1
In response to rasmus.elmholt

‎09-04-2018 08:58 PM - edited ‎09-04-2018 09:03 PM

Not that it's my main drive, but I've got a couple of VLANs that are locked down (guest access), I've opened these up by ACLs for traffic to these internal services, but it means I need to manage that as well as externally not to mention using my internal DNS for the guests

 

I don't really want to add VRF to the mix too, but I guess I could try that. Thanks for confirming my configuration is correct and giving me another angle to try.

0 Helpful

rasmus.elmholt
Level 7
Level 7

‎09-04-2018 09:14 AM

Hi

Tried it out and got this results:
FW#show run | inc nat|inter
interface FastEthernet0/0
ip nat enable
interface FastEthernet1/0
ip nat enable
interface FastEthernet2/0
ip nat source list NAT interface FastEthernet0/0 overload
ip nat source static tcp 192.168.0.10 80 interface FastEthernet0/0 80
FW#show ip nat nvi trans
Pro Source global Source local Destin local Destin global
icmp 8.8.8.2:1 192.168.0.10:1 8.8.8.1:1 8.8.8.1:1
tcp 8.8.8.2:80 192.168.0.10:80 --- ---
FW#show ip nat trans
Pro Inside global Inside local Outside local Outside global

Both the source and the destination NAT works.
8.8.8.0/24 is my outside network and fa 0/0 is my outside interface
0 Helpful

sndguru
Level 1
Level 1
In response to rasmus.elmholt

‎09-04-2018 08:50 PM

Thanks rasmus.elmholt for your time on this. What router version and software are you using?
0 Helpful

rasmus.elmholt
Level 7
Level 7
In response to sndguru

‎09-05-2018 03:32 AM

(VIOS-ADVENTERPRISEK9-M), Version 15.6(3)M2 runinng on VIRL.

Remember to mark post as solved if you are happy with the response.
0 Helpful

sndguru
Level 1
Level 1
In response to rasmus.elmholt

‎09-05-2018 05:07 PM

Right, you seem on quite a different league to me then, 1,000 dollar router (in it's day) compared with a 4,000 dollar router, LOL. Plus the firmware increase of ADVENTERPRISE.
0 Helpful

rasmus.elmholt
Level 7
Level 7
In response to sndguru

‎09-11-2018 07:39 AM

Hi
I also tested this on a 897 which is a 500 dollar router, but with a 15.x IOS and I got the same results as I showed before.
I don't think it is the price but maybe the version number. :-)
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card