4451-X Basic NAT issue - router blocks return traffic, no ACLs

matthric
Cisco Employee

Hello,

I have a Cisco 4451-X router which I am trying to get very basic NAT Overload to work on. I have stripped it back to the bare minimum and the behavior is very odd.

  • This is a double NAT scenario for lab purposes, the ISP router does NAT fine, all works well in the 192.168.0.0/24 subnet
  • Behind the 4451 any ping to the internet (e.g. 8.8.8.8) works fine
  • Behind the 4451 anything else (HTTP, DNS, etc.) makes it out to the internet OK; the response comes back through the ISP Router, hits the external interface of the 4451 and gets dropped (I have done packet captures on both sides of the 4451).

Topology:

PC (10.10.0.5) ------------> (10.10.0.254 on Gi0/0/1) 4451-X (192.168.0.254 on Gi0/0/0) ------------> (192.168.0.1) ISP Router (ExtIP) ------------> Internet

The config is shown here. I write erase'd the 4451 and put back the bare minimum commands; this should be super simple, I have configured NAT more times than I can remember...

Thanks

Matthew


Router#sh running-config
Building configuration...

Current configuration : 1984 bytes
!
! Last configuration change at 20:12:38 UTC Fri Jun 9 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no aaa new-model
!
subscriber templating
multilink bundle-name authenticated
!
voice-card 0/1
no watchdog
!
license udi pid ISR4451-X/K9 sn*********
!
!
redundancy
mode none
!
!
!
ip tftp source-interface GigabitEthernet0
!
!
!
!
interface GigabitEthernet0/0/0
ip address 192.168.0.254 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 10.10.0.254 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface Service-Engine0/1/0
!
interface ucse1/0/0
no ip address
shutdown
no negotiation auto
switchport mode trunk
!
interface ucse1/0/1
no ip address
shutdown
no negotiation auto
switchport mode trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip nat pool NATOUT 192.168.0.254 192.168.0.254 netmask 255.255.255.0
ip nat inside source list 4 pool NATOUT overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 4 permit 10.10.0.0 0.0.0.255
!
!
!
control-plane
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

Router#


3 Replies

Philip D'Ath
VIP Alumni

Try this.

Remove:

no ip nat pool NATOUT 192.168.0.254 192.168.0.254 netmask 255.255.255.0
no ip nat inside source list 4 pool NATOUT overload

Add:

ip nat inside source list 4 interface GigabitEthernet0/0/0 overload

I suspect the problem is that you made your NAT pool the same as your outside interface address.
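As an added illustration (not part of the thread), the check below scans an IOS running-config for the misconfiguration Philip points at: a static NAT pool whose range contains the address of an `ip nat outside` interface. The config excerpt is taken from the original post; the function names are my own.

```python
import ipaddress
import re

# Excerpt of the running-config posted in the thread (constructed sample input).
RUNNING_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 192.168.0.254 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0/1
 ip address 10.10.0.254 255.255.255.0
 ip nat inside
!
ip nat pool NATOUT 192.168.0.254 192.168.0.254 netmask 255.255.255.0
ip nat inside source list 4 pool NATOUT overload
"""

def parse_config(text):
    """Return (interfaces, pools): interface name -> {addr, nat role}; pool name -> (start, end)."""
    ifaces, pools, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            ifaces[current] = {"addr": None, "nat": None}
            continue
        if line == "!":          # '!' ends an interface stanza in IOS output
            current = None
            continue
        if current is not None:  # lines belonging to the current interface
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                ifaces[current]["addr"] = ipaddress.ip_address(m.group(1))
            m = re.match(r"ip nat (inside|outside)$", line)
            if m:
                ifaces[current]["nat"] = m.group(1)
            continue
        m = re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return ifaces, pools

def find_pool_conflicts(text):
    """List (pool, interface, address) where a pool range covers an outside interface IP."""
    ifaces, pools = parse_config(text)
    findings = []
    for pool, (start, end) in pools.items():
        for name, info in ifaces.items():
            if info["nat"] == "outside" and info["addr"] and start <= info["addr"] <= end:
                findings.append((pool, name, str(info["addr"])))
    return findings
```

A config that instead uses `ip nat inside source list 4 interface GigabitEthernet0/0/0 overload` defines no pool, so the check returns an empty list.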

Hi Philip,

This worked perfectly, thanks for your help - all the documentation I found referred to using:

ip nat pool NATOUT 192.168.0.254 192.168.0.254 netmask 255.255.255.0

rather than your method, which works:

ip nat inside source list 4 interface GigabitEthernet0/0/0 overload

Thanks!

Matthew