09-27-2013 12:35 AM - edited 03-07-2019 03:42 PM
Hi,
I'm trying to configure a 2811 with IOS 15.1 for NATTING. I have searched and read a lot and I don't see what I'm doing wrong. If anyone could give me some advice or show me what I'm missing or doing wrong, I would appreciate it.
I have checked if my ACL is getting hit -> none
When I'm doing static 1-to-1 NATTING it works.
Thanks in advance.
Here is my config:
Current configuration : 1456 bytes
!
! Last configuration change at 09:21:22 UTC Fri Sep 27 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname flgw-utrecht
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip domain name xxxxxxxxxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn xxxxxxxxx
vtp domain xxxxxxx
vtp mode transparent
!
redundancy
!
!
!
!
!
!
!
!
!
!
! for testing purposes
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
! LAN
interface FastEthernet0/0
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
! INTERNET - My host can ping up to here
interface FastEthernet0/1
ip address xx.xx.xx.130 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
!
!
router eigrp 1
network 192.168.0.0 0.0.255.255
network 192.168.40.1 0.0.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet0/1 overload
! xx.xx.xx.129 is the IP on the provider router
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.129
!
! My host subnet
access-list 100 permit ip 192.168.100.0 0.0.0.255 any log
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
09-27-2013 12:40 AM
hi,
kindly re-configure your NAT ACL:
access-list 100 permit ip 192.168.40.0 0.0.0.255 any log
09-27-2013 12:46 AM
hi johnlloyd_13,
Thank you for replying.
I changed this but it still did not work.
My host has the IP 192.168.100.2/24. I thought I had to allow this subnet, because this is the source and this does not change, right?
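An added illustration, not part of the thread, of the point raised in the post above: the NAT ACL is evaluated against the packet's original source address, so an entry for the Fa0/0 link subnet 192.168.40.0/24 never matches a host in 192.168.100.0/24. The address 203.0.113.130 stands in for the anonymised xx.xx.xx.130; the ACL matching and overload table are a simplified Python model of IOS behaviour, not IOS code.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """IOS access-list semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

def acl_permits(acl, src):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, net, wc in acl:
        if wildcard_match(src, net, wc):
            return action == "permit"
    return False

# Constructed models of the two ACLs discussed in the thread.
ACL_OP = [("permit", "192.168.100.0", "0.0.0.255")]        # host subnet (original post)
ACL_SUGGESTED = [("permit", "192.168.40.0", "0.0.0.255")]  # Fa0/0 link subnet (first reply)
OUTSIDE_IP = "203.0.113.130"  # stand-in for the anonymised xx.xx.xx.130

class NatOverload:
    """Simplified 'ip nat inside source list <acl> interface <outside> overload'."""
    def __init__(self, acl, outside_ip, inside_if="Fa0/0", outside_if="Fa0/1"):
        self.acl, self.outside_ip = acl, outside_ip
        self.inside_if, self.outside_if = inside_if, outside_if
        self.table = {}        # (inside local, port) -> (inside global, port)
        self.next_port = 1024  # real IOS keeps the original port when it is free
        self.acl_hits = 0      # what 'show access-list 100' would count

    def translate(self, src, sport, in_if, out_if):
        # Inside-source NAT only acts on packets that enter an 'ip nat inside'
        # interface and are routed out an 'ip nat outside' interface.
        if in_if != self.inside_if or out_if != self.outside_if:
            return None
        # The ACL sees the ORIGINAL source (the host address), not the link subnet.
        if not acl_permits(self.acl, src):
            return None
        self.acl_hits += 1
        key = (src, sport)
        if key not in self.table:
            self.table[key] = (self.outside_ip, self.next_port)
            self.next_port += 1
        return self.table[key]

def host_packet(nat, src="192.168.100.2", sport=40000):
    """The poster's host (192.168.100.2) sending out via Fa0/0 towards Fa0/1."""
    return nat.translate(src, sport, "Fa0/0", "Fa0/1")
```

With ACL_OP the host's packet gets a translation and the ACL counter increments; with ACL_SUGGESTED it gets neither, which is the "no hit" symptom the thread describes for that entry.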
09-27-2013 12:51 AM
Hmmmnnn... NAT config is correct after you modified the ACL 100.
Can you enter these commands on the router and post the output here?
ping 4.2.2.2 source f0/0
!
sh ip nat trans
Please rate replies and mark question as "answered" if applicable.
09-27-2013 01:10 AM
Hi rr_cuares,
My setup is currently not on the internet. So I cannot ping 4.2.2.2
I'm simulating the connection between my NAT router and my ISP router.
My NAT router can ping the ISP router, that's no problem because the NAT router is directly connected. My host cannot ping the ISP router with my current NAT config. Only when I configure static NAT 1-to-1 it works.
I can try to draw the situation if that helps.
09-27-2013 12:57 AM
hi,
how many subnets are there over your LAN?
you should modify your LAN interface or add a secondary LAN IP.
interface fa0/0
ip address 192.168.100.1 255.255.255.0
access-list 100 permit ip 192.168.100.0 0.0.0.255 any log
09-27-2013 01:16 AM
I have different SVIs configured in my switch. I have just placed 1 host in a particular subnet, which is 192.168.100.0/24; the SVI has IP address 192.168.100.250 and the host has IP 192.168.100.2. I have a static ip route 0.0.0.0 0.0.0.0 that points to 192.168.40.1, which is the NAT router IP address facing my switch. I have EIGRP running between my NAT router and my switch, so my NAT router knows how to get back to my switch.
09-27-2013 01:31 AM
could you post a network diagram or give a text diagram?
is your 2811 able to ping the switch SVIs?
also post your switch config and omit sensitive data.
09-27-2013 01:03 AM
Try to put the access-list in this way and see whether NAT is happening:
access-list 100 permit ip 192.168.0.0 0.0.255.255 any log
09-27-2013 01:19 AM
I already tried this. I have even tried permit ip any any. That did not work either. The ACL is not hit.
09-27-2013 01:08 AM
You're saying that your hosts in 192.168.100.0/24 can currently ping your outside IP address xx.xx.xx.130. Are you doing any NATing for hosts in 192.168.100.0/24 before their packets reach router 2811 (flgw-utrecht)?
---
Posted by WebUser Marwan Hassan from Cisco Support Community App
09-27-2013 01:24 AM
No NATTING at all.
Host is able to ping NAT router outside facing IP xx.xx.xx.130 because it has a route to it and the NAT router has a route back to the host.
What I think is happening is that NAT is not happening: the packet is reaching xx.xx.xx.129, but because the source is still 192.168.100.2 it doesn't have a way back, since the ISP router only has the xx.xx.xx.130 route and not the 192.168.100.0/24 route.
09-27-2013 01:13 AM
Also get the output for sh access-list 100.
Through this we can know if there is any hit on this access-list.
09-27-2013 01:25 AM
There is no hit on the ACL
Here is the output:
Extended IP access list 100
10 permit ip 192.168.0.0 0.0.255.255 any log
09-27-2013 01:54 AM
Just for checking purposes, can you remove EIGRP and use a static route, and then see what is happening?
At least we should get a hit on the access-list.