
NAT on an ASR1004



I have an ASR1004 running IOS-XE 15.1(1)S2. Port Gi0/0/2 of the ASR is connected to an SG300-28P switch as a trunk.

I can verify connectivity to the separate VLANs by connecting a PC to the switch on an access port and pinging the subinterface IP and beyond on the ASR.

I'm trying to set up a simple overload NAT between two of the subinterfaces. If I assign the PC with a gateway of and connect it to the switch I can ping everything and I show up in the ASR ARP table, so I'm assuming it sees me and there's no VLAN or routing issue. However, it does not get NATed to the outside like I think it should. I'm not too familiar with NAT but this should be pretty straightforward.

"sh ip nat translations" always says that there's 0.

Relevant configuration is:

interface GigabitEthernet0/0/2
 no ip address
 no ip proxy-arp
 negotiation auto

interface GigabitEthernet0/0/2.20
 description Management
 encapsulation dot1Q 20
 ip address
 no ip proxy-arp

interface GigabitEthernet0/0/2.21
 description WiFi
 encapsulation dot1Q 21
 ip address
 no ip proxy-arp
 ip nat inside

interface GigabitEthernet0/0/2.23
 description WiFiOutside
 encapsulation dot1Q 23
 ip address xx.xx.2.177
 no ip proxy-arp
 ip nat outside

access-list 21 permit
ip nat pool WiFi xx.xx.2.178 xx.xx.2.183 netmask overload
ip nat inside source list 21 pool WiFi overload

I've tried altering the pool to only include one IP address and also altering the "ip nat inside source" line to be:

ip nat inside source list 21 interface GigabitEthernet0/0/2.23 overload

I'd guess I'm missing something outside of this configuration. I'm about ready to open a TAC case but I figured I'd try this first.

Thanks for any insight.
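For a NAT overload to produce any translations, the inside/outside interface roles, the access list, the pool and the `ip nat inside source` rule all have to reference each other consistently. As an added example that is not from this thread or from Cisco, the following Python lint parses an IOS-style configuration and reports those mismatches, including a stray keyword after `netmask` on the pool line; the sample configuration is constructed to mirror the posted one, with RFC 5737 placeholder addresses.

```python
import re

# Constructed sample modelled on the thread's config (placeholder addresses, not the poster's).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/2.21
 ip nat inside
interface GigabitEthernet0/0/2.23
 ip nat outside
access-list 21 permit 192.168.21.0 0.0.0.255
ip nat pool WiFi 198.51.100.178 198.51.100.183 netmask 255.255.255.248 overload
ip nat inside source list 21 pool WiFi overload
"""

def parse_nat_facts(text):
    """Collect NAT facts; sub-commands attach to the most recent 'interface' line, so unindented pastes parse too."""
    f = {"inside": [], "outside": [], "acls": set(), "pools": {}, "rules": []}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "ip nat inside" and iface:
            f["inside"].append(iface)
        elif line == "ip nat outside" and iface:
            f["outside"].append(iface)
        elif m := re.match(r"access-list (\S+) permit\b", line):
            f["acls"].add(m.group(1))
        elif m := re.match(r"ip nat pool (\S+) \S+ \S+ netmask (\S+)(.*)$", line):
            f["pools"][m.group(1)] = {"mask": m.group(2), "extra": m.group(3).split()}
        elif m := re.match(r"ip nat inside source list (\S+) (?:pool (\S+)|interface \S+)(?: overload)?$", line):
            f["rules"].append({"acl": m.group(1), "pool": m.group(2)})
    return f

def nat_lint(text):
    """Return the reasons the NAT overload in `text` cannot work; an empty list means it looks consistent."""
    f, problems = parse_nat_facts(text), []
    for role in ("inside", "outside"):
        if not f[role]:
            problems.append(f"no interface has 'ip nat {role}'")
    for name, p in f["pools"].items():
        # 'netmask' takes exactly one dotted mask; anything else (e.g. 'overload') is a typo
        if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", p["mask"]) or p["extra"]:
            problems.append(f"pool {name}: 'netmask' must be followed only by a mask (found {' '.join([p['mask'], *p['extra']])})")
    for r in f["rules"]:
        if r["acl"] not in f["acls"]:
            problems.append(f"rule uses access-list {r['acl']}, which has no permit entry")
        if r["pool"] and r["pool"] not in f["pools"]:
            problems.append(f"rule uses undefined pool {r['pool']}")
    return problems

if __name__ == "__main__":
    print(nat_lint(SAMPLE_CONFIG) or ["NAT configuration looks consistent"])
```

Run it against a sanitized copy of the running config to check the NAT pieces before opening a case; it does not look at routing, so a translation can still fail for reasons it cannot see.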



Sorry, line in the config should be:

ip nat pool WiFi xx.xx.2.178 xx.xx.2.183 netmask

Without the word overload.

Are you saying the packets are getting forwarded but they are not being NATed so they are retaining their 192.168.21.x address as the source address or is the situation such that the packets are not being forwarded because the NAT is not happening?


Packets are getting forwarded but retaining their 192.168.21.x address. If I ssh to a server connected to another interface on the ASR, my source address appears as 192.168.21.x.

If I try to ssh to the ASR's outside management interface, I'm bounced by ACL 1 and it shows my IP in the log as 192.168.21.x.

I don't see anything wrong with the config you posted but I'm no expert. You mentioned ACL 1 but didn't say what it was or where it was applied or if there were other ACLs etc. so I'll just assume the problem is in a part of the config which you haven't shared with us.

Thanks Brad,

The full config has quite a bit of stuff that I'm not sure is appropriate to share on a public forum. I'll go ahead and open a TAC with Cisco.

Despite being a pretty seasoned network admin, I've not done a lot of NAT stuff in Cisco routers, so I just wanted a sanity check before opening a TAC.

The full config has quite a bit of stuff that I'm not sure is appropriate to share on a public forum.

I understand and you're right to be cautious. If you can, I would appreciate you sharing, at least in a general sense, the solution when you discover it. It's like finding out how a really good book ends. Thanks and good luck.

This may be a silly question but you don't mention whether you've done this or not. I have had issues with configuring NAT on Cisco devices whereby I've had to clear the translation tables to get it to work properly ...

clear ip nat translation forced

The above usually does the trick.
