
NAT is not working on 2811

Gideon Chong
Level 1

Hi,

I'm trying to configure a 2811 with IOS 15.1 for NATTING. I have searched and read a lot and I don't see what I'm doing wrong. If anyone could give me some advice or show me what I'm missing or doing wrong.

I have checked if my ACL is getting hit -> none

When I'm doing static 1-to-1 NATTING it works.

Thanks in advance.

Here is my config:

Current configuration : 1456 bytes
!
! Last configuration change at 09:21:22 UTC Fri Sep 27 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname flgw-utrecht
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name xxxxxxxxxx
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid CISCO2811 sn xxxxxxxxx
vtp domain xxxxxxx
vtp mode transparent
!
redundancy
!
! for testing purposes
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! LAN
interface FastEthernet0/0
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! INTERNET - My host can ping up to here
interface FastEthernet0/1
 ip address xx.xx.xx.130 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
 network 192.168.40.1 0.0.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface FastEthernet0/1 overload
! IP on provider router
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.129
!
! My host subnet
access-list 100 permit ip 192.168.100.0 0.0.0.255 any log
!
control-plane
!
mgcp profile default
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end

17 Replies

johnlloyd_13
Level 9

hi,

kindly re-configure your NAT ACL:

access-list 100 permit ip 192.168.40.0 0.0.0.255 any log

hi johnlloyd_13,

Thank you for replying.

I changed this but it still did not work.

My host has the IP 192.168.100.2/24. I thought I had to allow this subnet, because this is the source and this does not change, right?

Hmmmnnn... NAT config is correct after you modified the ACL 100.

Can you enter these commands on the router and post the output here?

ping 4.2.2.2 source f0/0

!

sh ip nat trans

Please rate replies and mark question as "answered" if applicable.


Hi rr_cuares,

My setup is currently not on the internet, so I cannot ping 4.2.2.2.

I'm simulating the connection between my NAT router and my ISP router.

My NAT router can ping the ISP router, that's no problem because the NAT router is directly connected. My host cannot ping the ISP router with my current NAT config. Only when I configure static NAT 1-to-1 it works.

I can try to draw the situation if that helps.

hi,

how many subnets are there over your LAN?

you should modify your LAN interface or add a secondary LAN IP.

interface fa0/0

ip address 192.168.100.1 255.255.255.0

access-list 100 permit ip 192.168.100.0 0.0.0.255 any log

I have different SVIs configured in my switch. I have just placed 1 host in a particular subnet, which is 192.168.100.0/24; the SVI has IP address 192.168.100.250 and the host has IP 192.168.100.2. I have a static ip route 0.0.0.0 0.0.0.0 that points to 192.168.40.1, which is the NAT router IP address facing my switch. I have EIGRP running between my NAT router and my switch, so my NAT router knows how to get back to my switch.

could you post a network diagram or give a text diagram?

is your 2811 able to ping the switch SVIs?

also post your switch config and omit sensitive data.

shine pothen
Level 3

Try to put the access list in this way and see whether NAT is happening:

access-list 100 permit ip 192.168.0.0 0.0.255.255 any log

I already tried this. I have even tried permit ip any any. That did not work either. The ACL is not hit.
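
Added example, not part of any post in this thread: a small Python check of how an IOS wildcard mask is compared against a packet's source address, run over the access-list 100 entries proposed above and the poster's host 192.168.100.2. It evaluates only the source field (the destination is `any` in every entry), and the function names are made up for this illustration.

```python
import ipaddress

# ACL entries proposed or tried in this thread (the last one as described by the poster).
THREAD_ACES = [
    "access-list 100 permit ip 192.168.100.0 0.0.0.255 any log",
    "access-list 100 permit ip 192.168.40.0 0.0.0.255 any log",
    "access-list 100 permit ip 192.168.0.0 0.0.255.255 any log",
    "access-list 100 permit ip any any",
]
HOST = "192.168.100.2"  # the poster's host behind the switch SVI


def parse_source(ace):
    """Return (base, wildcard) as ints for the source field of an extended 'ip' ACE."""
    tok = ace.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("unsupported ACE: " + ace)
    if tok[4] == "any":
        return 0, 0xFFFFFFFF          # every bit is "don't care"
    if tok[4] == "host":
        return int(ipaddress.IPv4Address(tok[5])), 0
    return int(ipaddress.IPv4Address(tok[4])), int(ipaddress.IPv4Address(tok[5]))


def source_matches(ace, src):
    """True if src matches the ACE's source: wildcard bits set to 1 are ignored."""
    base, wildcard = parse_source(ace)
    care = ~wildcard & 0xFFFFFFFF     # bits that must be equal
    return (int(ipaddress.IPv4Address(src)) & care) == (base & care)


def matching_aces(aces, src):
    """Return the entries whose source field matches src, in order."""
    return [ace for ace in aces if source_matches(ace, src)]


if __name__ == "__main__":
    for ace in THREAD_ACES:
        print("match   " if source_matches(ace, HOST) else "no match", ace)
```

Three of the four entries match the untranslated source 192.168.100.2; only the 192.168.40.0 entry does not.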

fb_webuser
Level 6

You're saying that your hosts in 192.168.100.0/24 can currently ping your outside IP address xx.xx.xx.130. Are you doing any NATing for hosts in 192.168.100/24 before their packets reach Router 2811 (flgw-utrecht)?

---

Posted by WebUser Marwan Hassan from Cisco Support Community App

No NATTING at all.

Host is able to ping NAT router outside facing IP xx.xx.xx.130 because it has a route to it and the NAT router has a route back to the host.

What I think is happening is that NAT is not happening: the packet is reaching xx.xx.xx.129, but because the source is still 192.168.100.2, it doesn't have a way back, because the ISP router only has the xx.xx.xx.130 route and not the 192.168.100.0/24 route.

shine pothen
Level 3

also get the output for sh access-list 100.

through this we can know if there is any hit on this access-list.

There is no hit on the ACL

Here is the output:

Extended IP access list 100

    10 permit ip 192.168.0.0 0.0.255.255 any log

shine pothen
Level 3

just for checking purpose can you remove eigrp and use static route and then see what is happening.

at least we should get hit on access-list
