07-21-2017 08:53 AM - edited 03-08-2019 11:25 AM
Hi, I need some advice. I configured my Cisco 877 router using some new public IP addresses I got from my ISP, but when I do NAT using a pool of addresses, I can't browse the internet. The only way I am able to browse the internet is if I do NAT using an interface, and this happens only when using the fiber connection. I also have a DSL link, for which I only changed the public IP address in the configuration of my Cisco 877 router to reflect the public IP address of the DSL link, and there my NAT using the pool of addresses works, as well as NAT over an interface. Please help.
07-21-2017 09:48 AM
Hi,
Can you post "sh run" from the router and point out the interface that is not working?
HTH
07-21-2017 10:39 AM
Hi Reza, thanks for the reply. See below my current router config using the fiber link. With the current config I cannot browse.
interface FastEthernet0
 switchport access vlan 5
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.30.1 255.255.255.192
 ip nat inside
 ip virtual-reassembly
!
interface Vlan5
 ip address 190.x.x.146 255.255.255.240
 ip nat outside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 190.x.x.145
!
no ip http server
no ip http secure-server
ip nat pool BTL 190.x.x.147 190.x.x.148 netmask 255.255.255.240
ip nat inside source list INTERNET-BROwSING pool BTL overload
!
ip access-list extended INTERNET-BROwSING
 permit ip 192.168.30.0 0.0.0.63 any
07-21-2017 10:52 AM
Hi,
Have you tried the NAT statement with prefix-list and test?
ip nat pool BTL 190.x.x.147 190.x.x.148 prefix-length 27
HTH
07-21-2017 11:07 AM
Hi,
I just modified the config to
ip nat pool BTL 190.x.x.147 190.x.x.148 prefix-length 28
and it is still not working. See the ping from within the router.
Router#ping 4.2.2.2 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
.....
Success rate is 0 percent (0/5)
07-21-2017 11:38 AM
In addition, can you use the nat statement without overload?
ip nat inside source list INTERNET-BROwSING pool BTL
HTH
07-21-2017 11:48 AM
Hi Reza, thank you for your help, I really appreciate it.
Even without the overload, I still cannot browse. Like I mentioned in the original post, this happens only on the fiber link. If I switch over to DSL and use the public IPs assigned on the DSL network with the same NAT pool statement, it works. Do you think it's a problem with our ISP? I even tried a different router and still have the same problem.
07-21-2017 12:02 PM
Hi,
I don't think this is an ISP issue.
So, if you ping, say, 8.8.8.8 without the source address, this should use the outgoing interface, which is vlan1. Does it work?
If it does, then this is not an issue with the ISP.
ping 8.8.8.8
Can you try it with static nat and test?
ip nat inside source list INTERNET-BROwSING interface vlan5 overload
no ip nat pool BTL 190.x.x.147 190.x.x.148 netmask 255.255.255.240
HTH
07-21-2017 12:13 PM
Hi Reza,
Yes, if I ping 8.8.8.8, which uses the outgoing interface vlan 5 as per my configuration, it works.
Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/25/28 ms
When I modified the NAT state to a static NAT
ip nat inside source list INTERNET-BROwSING interface Vlan5 overload
it works as well.
Router#ping 8.8.8.8 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/32 ms
I'm puzzled, I'm not sure what I'm missing.
07-21-2017 12:23 PM
Hi,
So, it is definitely not an ISP issue or NAT, because static NAT works fine.
Have a look at this link and look at the section for dynamic NAT and see if anything is missing:
http://www.ciscozine.com/nat-and-pat-a-complete-explanation/
HTH
07-21-2017 12:52 PM
Hello,
on a side note, try a standard access list or a route map (with or without the 'overload'):
access-list 10 permit 192.168.30.0 0.0.0.63
!
ip nat pool BTL 190.x.x.147 190.x.x.148 netmask 255.255.255.240
ip nat inside source list 10 pool BTL (overload)
or
access-list 100 permit ip 192.168.30.0 0.0.0.63 any
!
ip nat pool BTL 190.x.x.147 190.x.x.148 netmask 255.255.255.240
!
route-map TO_ISP permit 10
 match ip address 100
!
ip nat inside source route-map TO_ISP pool BTL (overload)
07-22-2017 01:39 AM
If you cleared the NAT table when switching from DSL to fiber, this is most likely the ISP routers' configuration. For testing, you might also want to include 190.x.x.146 in your pool configuration; otherwise .146 will not be used for NAT. If you include this one in the pool, most likely you will be able to successfully forward traffic via that IP address (at least until all ports from .146 are exhausted, or at least a pool with just .146 will work) while using the NAT pool via fiber.
From the data available here, I don't think this is a configuration issue on your side. I guess that the ISP is not routing traffic properly for some reason (for example, the ISP is statically advertising your network range from the DSL router into their network?), so return traffic does not have a proper return path, or some similar issue.
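The config-side check implied by the post above, as an added example that is not part of the thread: it parses the posted NAT lines and compares the pool with the connected outside subnet, so a mismatch on the router side can be ruled in or out before looking at the ISP's return path. The 203.0.113.x addresses are constructed stand-ins for the masked 190.x.x values, and `parse` and `check_pools` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample: the thread's fiber config with the masked 190.x.x octets
# replaced by documentation addresses (203.0.113.0/24), not the poster's real IPs.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.30.1 255.255.255.192
 ip nat inside
interface Vlan5
 ip address 203.0.113.146 255.255.255.240
 ip nat outside
ip nat pool BTL 203.0.113.147 203.0.113.148 netmask 255.255.255.240
"""

def parse(config):
    """Parse interfaces and NAT pools from the subset of IOS syntax shown above."""
    ifaces, pools, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {})
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            if cur is not None:
                cur["addr"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip nat (inside|outside)$", line):
            if cur is not None:
                cur["nat"] = m[1]
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) (?:netmask|prefix-length) (\S+)", line):
            plen = ipaddress.ip_network(f"{m[2]}/{m[4]}", strict=False).prefixlen
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]), plen)
    return ifaces, pools

def check_pools(config):
    """Compare every NAT pool with the subnet of the 'ip nat outside' interface."""
    ifaces, pools = parse(config)
    outside = next(i["addr"] for i in ifaces.values()
                   if i.get("nat") == "outside" and "addr" in i)
    notes = []
    for name, (first, last, plen) in pools.items():
        if first not in outside.network or last not in outside.network:
            notes.append(f"{name}: pool is outside connected subnet {outside.network}")
        if plen != outside.network.prefixlen:
            notes.append(f"{name}: pool /{plen} differs from interface /{outside.network.prefixlen}")
        if first <= outside.ip <= last:
            notes.append(f"{name}: pool includes interface address {outside.ip}")
    return notes

if __name__ == "__main__":
    print(check_pools(SAMPLE_CONFIG) or "pool is consistent with the outside subnet")
```

An empty result means the pool sits inside the connected /28 with a matching mask, which leaves the upstream path for the pool addresses as the thing to examine.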
07-22-2017 04:13 AM
Hello
I have seen this before: you cannot NAT traffic sourced from the router's interface that NAT is applied on, but it's successful from behind the NATted interface.
I cannot remember if I upgraded the IOS or utilized NVI NAT (domainless NAT).
Have you tested ping from behind the VLANs, other than the SVI addresses themselves, or tried NVI NAT?
sh run | in ip nat
ping 8.8.8.8 (from host behind natted vlan)
sh ip nat translations
debug ip nat detail
debug ip packet detail
OR
int x/x
 no ip nat inside
 ip nat enable
int x/x
 no ip nat outside
 ip nat enable
no ip nat inside source list INTERNET-BROwSING pool BTL
ip nat source list INTERNET-BROwSING pool BTL
sh ip nat nvi translations
res
Paul