02-21-2021 01:43 PM
Hello community, I've been having some difficulties setting up PAT on my 2901 with an otherwise basic configuration.
I've implemented all the required steps for PAT as far as I can tell, there has to be some detail that I'm missing. I configured my inside and outside interfaces, set up the access list for my only subnet as of current and I've linked my ACL to my outside interface but nothing is being translated, nothing at all is being generated in the NAT translation table. Router can ping hosts on the internet and the PC, PC can ping the router but not a host on the internet.
As far as I can tell, the only things that would cause this would be if I've incorrectly configured NAT or if my router isn't set up to facilitate traffic to the internet. I've got a permit ip any any at the end of my WAN ACL and I don't have an ACL on my inside port so I don't think it's that. Am I maybe missing a routing table entry?
Any insight would be appreciated. I'll paste my running config below. I'll be able to provide any other relevant information.
2901#show run
Building configuration...
Current configuration : 1862 bytes
!
! Last configuration change at 21:09:42 UTC Sun Feb 21 2021 by jesse
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2901
!
boot-start-marker
boot-end-marker
!
enable secret 5 [redacted]
!
no aaa new-model
!
ip dhcp excluded-address 10.0.0.1 10.0.0.64
!
ip dhcp pool DHCP
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
!
ip domain name home.lab
ip cef
login block-for 10 attempts 5 within 20
login delay 10
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO2901/K9 sn FTX143801Q8
!
username jesse privilege 15 secret 5 [redacted]
!
redundancy
!
lldp run
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address dhcp
 ip access-group WAN in
 ip access-group WAN out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no lldp transmit
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list NAT interface GigabitEthernet0/0 overload
ip ssh version 2
!
ip access-list standard NAT
 permit 10.0.0.0 0.0.0.255
!
ip access-list extended WAN
 deny tcp any any eq 22
 permit ip any any
!
control-plane
!
line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end
02-21-2021 02:57 PM - edited 02-21-2021 03:01 PM
Hello
Change to the following and test again...
Ip nat inside source list NAT .........
02-21-2021 03:10 PM
Ha, amateur move. Won't make that mistake again, thanks Paul. Marked as solution.
02-21-2021 03:11 PM - edited 02-21-2021 03:15 PM
Hello,
in addition to Paul's post, make the changes marked in bold:
2901#show run
Building configuration...
Current configuration : 1862 bytes
!
! Last configuration change at 21:09:42 UTC Sun Feb 21 2021 by jesse
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2901
!
boot-start-marker
boot-end-marker
!
enable secret 5 [redacted]
!
no aaa new-model
!
ip dhcp excluded-address 10.0.0.1 10.0.0.64
!
ip dhcp pool DHCP
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
--> dns-server 8.8.8.8 8.8.4.4
!
ip domain name home.lab
ip cef
login block-for 10 attempts 5 within 20
login delay 10
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO2901/K9 sn FTX143801Q8
!
username jesse privilege 15 secret 5 [redacted]
!
redundancy
!
lldp run
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip access-group WAN in
ip access-group WAN out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no lldp transmit
no cdp enable
!
interface GigabitEthernet0/1
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
--> ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
ip ssh version 2
!
ip access-list standard NAT
permit 10.0.0.0 0.0.0.255
!
ip access-list extended WAN
deny tcp any any eq 22
permit ip any any
!
control-plane
!
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 15 0
logging synchronous
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
02-21-2021 04:26 PM - edited 02-21-2021 06:57 PM
Hey Georg, I really appreciate that, adding a DNS was the thing I did right after I resolved this issue. I appreciate the tip for the default route, wasn't sure how to do it with DHCP. I'll be sure to use that as well.