NAT on an ASR1004

adamsechoes
Level 1

Hi,

I have an ASR1004 running IOS-XE 15.1(1)S2. Port Gi0/0/2 of the ASR is connected to an SG300-28P switch in a trunk.

I can verify connectivity to the separate VLANs by connecting a PC to the switch in an access port and pinging the subinterface IP and beyond on the ASR.

I'm trying to set up a simple overload NAT between two of the subinterfaces. If I assign the PC 192.168.21.29 255.255.255.0 with a gateway of 192.168.21.1 and connect it to the switch, I can ping everything and I show up in the ASR ARP table, so I'm assuming it sees me and there's no VLAN or routing issue. However, it does not get NATed to the outside like I think it should. I'm not too familiar with NAT, but this should be pretty straightforward.

"sh ip nat translations" always says that there's 0.

Relevant configuration is:

interface GigabitEthernet0/0/2
 no ip address
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/0/2.20
 description Management
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet0/0/2.21
 description WiFi
 encapsulation dot1Q 21
 ip address 192.168.21.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
interface GigabitEthernet0/0/2.23
 description WiFiOutside
 encapsulation dot1Q 23
 ip address xx.xx.2.177 255.255.255.248
 no ip proxy-arp
 ip nat outside
!
access-list 21 permit 192.168.21.0 0.0.0.255
ip nat pool WiFi xx.xx.2.178 xx.xx.2.183 netmask 255.255.255.248 overload
ip nat inside source list 21 pool WiFi overload

I've tried altering the pool to only include one IP address and also altering the "ip nat inside source" line to be:

ip nat inside source list 21 interface GigabitEthernet0/0/2.23 overload

I'd guess I'm missing something outside of this configuration. I'm about ready to open a TAC case, but I figured I'd try this first.

Thanks for any insight.

7 Replies

adamsechoes
Level 1

Sorry, line in the config should be:

ip nat pool WiFi xx.xx.2.178 xx.xx.2.183 netmask 255.255.255.248

Without the word overload.

Are you saying the packets are getting forwarded but they are not being NATed, so they are retaining their 192.168.21.x address as the source address, or is the situation such that the packets are not being forwarded because the NAT is not happening?

Brad

Packets are getting forwarded but retaining their 192.168.21.x address. If I ssh to a server connected to another interface on the ASR, my source address appears as 192.168.21.x.

If I try to ssh to the ASR's outside management interface, I'm bounced by ACL 1 and it shows my IP in the log as 192.168.21.x.

I don't see anything wrong with the config you posted but I'm no expert. You mentioned ACL 1 but didn't say what it was or where it was applied or if there were other ACLs etc. so I'll just assume the problem is in a part of the config which you haven't shared with us.

Thanks Brad,

The full config has quite a bit of stuff that I'm not sure is appropriate to share on a public forum. I'll go ahead and open a TAC with Cisco.

Despite being a pretty seasoned network admin, I've not done a lot of NAT stuff in Cisco routers, so I just wanted a sanity check before opening a TAC.

The full config has quite a bit of stuff that I'm not sure is appropriate to share on a public forum.

I understand, and you're right to be cautious. If you can, I would appreciate you sharing, at least in a general sense, the solution when you discover it. It's like finding out how a really good book ends. Thanks and good luck.

This may be a silly question but you don't mention whether you've done this or not. I have had issues with configuring NAT on Cisco devices whereby I've had to clear the translation tables to get it to work properly ...

clear ip nat translation forced

The above usually does the trick.
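Added illustration, not part of this thread: a small Python checker that applies the three conditions an IOS inside-source NAT rule needs before a translation is ever created, namely that the packet arrives on an interface marked "ip nat inside", leaves on one marked "ip nat outside", and has a source address permitted by the rule's access list. It parses a constructed copy of the configuration posted above (the redacted "xx.xx" octets are replaced with the 198.51.100.0/24 documentation range, and the stray "overload" on the pool line is dropped as the poster's follow-up corrects it). The interface-pair check generalizes the thread's observation: a flow from VLAN 21 to a host on the Management subinterface is not translated, because that egress interface is not "ip nat outside", so seeing 192.168.21.x there is expected and says nothing about whether the inside-to-outside path works.

```python
import ipaddress
import re

# Constructed sample config based on the thread's posted lines; 198.51.100.x
# stands in for the redacted xx.xx addresses.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0/2.20
 description Management
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0/2.21
 description WiFi
 encapsulation dot1Q 21
 ip address 192.168.21.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2.23
 description WiFiOutside
 encapsulation dot1Q 23
 ip address 198.51.100.177 255.255.255.248
 ip nat outside
!
access-list 21 permit 192.168.21.0 0.0.0.255
ip nat pool WiFi 198.51.100.178 198.51.100.183 netmask 255.255.255.248
ip nat inside source list 21 pool WiFi overload
"""

ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")
NAT_RE = re.compile(r"ip nat inside source list (\d+) (pool|interface) (\S+)( overload)?$")


def parse_config(text):
    """Return (interfaces, acls, nat_rules) from IOS-style config text.

    interfaces: name -> {"ip": IPv4Interface or None, "nat": "inside"/"outside"/None}
    acls:       number -> list of (action, network, wildcard) in config order
    nat_rules:  list of dicts describing "ip nat inside source list ..." lines
    """
    interfaces, acls, nat_rules = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"ip": None, "nat": None}
        elif raw.startswith(" ") and current:
            # Indented lines are sub-commands of the current interface.
            if line.startswith("ip address "):
                _, _, addr, mask = line.split()
                interfaces[current]["ip"] = ipaddress.IPv4Interface(f"{addr}/{mask}")
            elif line in ("ip nat inside", "ip nat outside"):
                interfaces[current]["nat"] = line.split()[-1]
        else:
            current = None
            m = ACL_RE.match(line)
            if m:
                num, action, net, wc = m.groups()
                acls.setdefault(num, []).append(
                    (action, ipaddress.IPv4Address(net), ipaddress.IPv4Address(wc or "0.0.0.0")))
                continue
            m = NAT_RE.match(line)
            if m:
                nat_rules.append({"acl": m.group(1), "kind": m.group(2),
                                  "target": m.group(3), "overload": bool(m.group(4))})
    return interfaces, acls, nat_rules


def acl_permits(entries, ip):
    """Standard-ACL match: wildcard bits set to 1 are 'don't care'; implicit deny at end."""
    ip = int(ipaddress.IPv4Address(ip))
    for action, net, wc in entries:
        care = ~int(wc) & 0xFFFFFFFF
        if ip & care == int(net) & care:
            return action == "permit"
    return False


def nat_decision(config, src_ip, ingress, egress):
    """Say whether inside-source NAT applies to a flow entering on `ingress`
    and leaving on `egress`, and why; returns (translated, reason)."""
    interfaces, acls, rules = parse_config(config)
    if interfaces.get(ingress, {}).get("nat") != "inside":
        return False, f"{ingress} is not 'ip nat inside'"
    if interfaces.get(egress, {}).get("nat") != "outside":
        return False, f"{egress} is not 'ip nat outside'; inside-source NAT only applies inside->outside"
    for rule in rules:
        if acl_permits(acls.get(rule["acl"], []), src_ip):
            mode = " with overload (PAT)" if rule["overload"] else ""
            return True, f"translated via {rule['kind']} {rule['target']}{mode}"
    return False, f"source {src_ip} is not permitted by any NAT access list"


if __name__ == "__main__":
    wifi, outside, mgmt = "GigabitEthernet0/0/2.21", "GigabitEthernet0/0/2.23", "GigabitEthernet0/0/2.20"
    print(nat_decision(SAMPLE_CONFIG, "192.168.21.29", wifi, outside))
    print(nat_decision(SAMPLE_CONFIG, "192.168.21.29", wifi, mgmt))
    print(nat_decision(SAMPLE_CONFIG, "192.168.20.5", mgmt, outside))
```

Run against a real flow, the second case is the one to look at first: if the test traffic is aimed at a host behind an interface without "ip nat outside", an empty "show ip nat translations" is the correct result, not a fault.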
