Dynamic Source NAT

Good morning,

 

I have to create a lot of NATs in order to navigate some machines. The issue is that I can't create an overload assigning the IP from the interface because I want to exit with a different IP.

 

Then I am trying to create a pool with a unique public IP for each machine in order to navigate. However, the Cisco router displays this issue:

 

"*Jan  9 01:05:34.767: NAT: translation failed (A), dropping packet s=10.8.8.8 d=8.8.8.8.
*Jan  9 01:05:36.763: NAT: translation failed (A), dropping packet s=10.8.8.8 d=8.8.8.8."

I know that this stage is different because the majority are a network inside that assign one pool of IPs. Thus I need your help.

The setting is:

1) Create ACL

show access-lists dynamic-source-nat
Extended IP access list dynamic-source-nat
    10 permit ip host 10.8.8.8 host 8.8.8.8 log (15 matches)

2)Pool with unique IP

ip nat pool dynamic-source-nat 200.195.5.5 200.105.5.5 prefix-length 32

3)Create dynamic Source NAT

ip nat inside source list dynamic-source-nat pool dynamic-source-nat

 

Thanks in advance!

 

http://networkingcontrol.wordpress.com/ #CCNP CSCO11962956

ghostinthenet
Level 7

There's a typo in your NAT pool. Either you're translating to 200.195.5.5 or 200.105.5.5, but not both.

Also, even though you're only mapping a single source address in the ACL for now, I would still add an overload option to the end of your NAT statement, just for flexibility.

Let me know if either of those observations help.

Sorry Jody; I wrote the pool wrong:

ip nat pool dynamic-source-nat 200.195.5.5 200.195.5.5 prefix-length 32

And the ACL is necessary because I have to add more IPs to permit inside with the pool IP.

 

Then, do you know this issue? Like, the pool works fine.

 

"*Jan  9 01:05:34.767: NAT: translation failed (A), dropping packet s=10.8.8.8 d=8.8.8.8.
*Jan  9 01:05:36.763: NAT: translation failed (A), dropping packet s=10.8.8.8 d=8.8.8.8."

Best regards,

http://networkingcontrol.wordpress.com/ #CCNP CSCO11962956

If you're going to add more sources to the ACL later, you'll definitely need to overload your NAT. Does the failure stop when you adjust the statement as follows?

ip nat inside source list dynamic-source-nat pool dynamic-source-nat overload

Dimitri_Toronto
Level 1

Remove the word LOG from the end of the ACL.

Hello


@Alfredo Bosca Bataller wrote:

I am trying to create a pool with unique public IP to each machine in order to navigate. However cisco router  

The setting is:

1) Create ACL

show access-lists dynamic-source-nat
Extended IP access list dynamic-source-nat
    10 permit ip host 10.8.8.8 host 8.8.8.8 log (15 matches)

2)Pool with unique IP

ip nat pool dynamic-source-nat 200.195.5.5 200.105.5.5 prefix-length 32

3)Create dynamic Source NAT

ip nat inside source list dynamic-source-nat pool dynamic-source-nat

 


First of all, your NAT pool statement is incorrect (I assume it's just a typo in this post). Also, you have the "log" keyword appended to the NAT access-list, which isn't applicable when used with NAT.
ip nat pool dynamic-source-nat 200.195.5.5 200.105.5.5 prefix-length 32

Now, presently you are performing dynamic port address translation (PAT) (many LAN hosts to one public IP). So for each LAN host to obtain a unique public IP address through NAT, you'll require a large public address pool, which it seems you don't have, and you will need to extend your NAT access-list to incorporate a larger inside host range.

Example 1:
no dynamic-source-nat
ip access-list extended dynamic-source-nat
permit ip  10.8.8.0 0.0.0.255 any
ip nat pool dynamic-source-nat 200.195.5.5 200.195.5.105 prefix-length 24
ip nat inside source list dynamic-source-nat pool dynamic-source-nat
! append "overload" to the line above ONLY if you wish to reuse the nat pool once exhausted


In Example 2, NAT will allocate each inside LAN address to a public IP address, matching on the host area of the IP address.

Example 2:
ip access-list extended dynamic-source-nat
permit ip  host 10.8.8.5 any
permit ip  host 10.8.8.6 any
permit ip  host 10.8.8.7  any
etc..
ip nat pool dynamic-source-nat 200.195.5.5 200.195.5.10 prefix-length 24 type match-host
ip nat inside source list dynamic-source-nat pool dynamic-source-nat


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
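
The three problems raised in the replies (a pool whose start and end addresses do not form a range, `log` on the ACL referenced by NAT, and more inside sources than pool addresses without `overload`) can be checked offline before a configuration is applied. The Python sketch below is an added example, not code from any poster in this thread; `lint_nat`, `source_count` and the sample text are names and data constructed for illustration, and it only understands the statement forms shown in the thread.

```python
import ipaddress
import re

# Constructed sample: the configuration as first posted in the thread.
SAMPLE = """\
ip access-list extended dynamic-source-nat
 permit ip host 10.8.8.8 host 8.8.8.8 log
ip nat pool dynamic-source-nat 200.195.5.5 200.105.5.5 prefix-length 32
ip nat inside source list dynamic-source-nat pool dynamic-source-nat
"""

ACL = re.compile(r"ip access-list extended (\S+)")
POOL = re.compile(r"ip nat pool (\S+) (\S+) (\S+) prefix-length (\d+)")
RULE = re.compile(r"ip nat inside source list (\S+) pool (\S+)( overload)?")

def source_count(tokens):
    """Number of inside sources a 'permit ip <source> ...' entry matches."""
    if tokens[2] == "host":
        return 1
    if tokens[2] == "any":
        return 2 ** 32
    return int(ipaddress.ip_address(tokens[3])) + 1  # wildcard mask + 1

def lint_nat(config):
    """Return findings for the three NAT problems raised in the thread."""
    acls, pools, rules, findings, current = {}, {}, [], [], None
    for line in map(str.strip, config.splitlines()):
        if m := ACL.match(line):
            current = acls.setdefault(m.group(1), [])
        elif line.startswith("permit ip ") and current is not None:
            current.append(line.split())
        elif m := POOL.match(line):
            name, plen = m.group(1), m.group(4)
            start, end = map(ipaddress.ip_address, m.group(2, 3))
            pools[name] = int(end) - int(start) + 1
            net = ipaddress.ip_network(f"{start}/{plen}", strict=False)
            if end < start or end not in net:
                findings.append(f"pool {name}: {start}-{end} is not a range inside {net}")
        elif m := RULE.match(line):
            rules.append(m.groups())
    for acl, pool, overload in rules:  # evaluated last so statement order does not matter
        entries = acls.get(acl, [])
        if any("log" in e for e in entries):
            findings.append(f"acl {acl}: 'log' keyword on an ACL referenced by NAT")
        sources = sum(source_count(e) for e in entries)
        if not overload and sources > pools.get(pool, 0) > 0:
            findings.append(f"rule {acl}: {sources} sources, {pools[pool]} pool addresses, no overload")
    return findings
```

Calling `lint_nat(SAMPLE)` reports the pool range and the `log` keyword; a /24 source ACL against the 101-address pool from Example 1 is reported only when `overload` is absent.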