10-24-2006 11:00 PM - last edited on 03-25-2019 03:52 PM by ciscomoderator
I'm trying to set up a nat implementation in my network.
I defined the ip nat inside / outside commands on the right interfaces. An overload mechanism works OK and I want a static NAT entry too. The ip nat inside source static 172.17.9.2 10.239.250.66 is entered. The access list for the overload mechanism works fine. However, the static NAT doesn't work. A ping or whatever isn't possible. When I enter debug ip nat, I can see that it's translating the address.
Why isn't there any communication possible through this static NAT?
Gr.
Remco
10-25-2006 02:41 AM
Which address is inside and which is outside?
10-25-2006 03:16 AM
the static NAT should take preference over the dynamic pool. Perhaps there is a dynamic entry already which needs clearing?
10-25-2006 02:48 AM
Check following document
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
M.
10-25-2006 03:43 AM
I already checked this document. According to me, there is nothing wrong. Maybe a bug in the IOS ?
10-25-2006 09:09 AM
plz specify a ping from where to where...also can you post your ACL? Thx!
[EDIT]
Also what protocol/port did you specify on the static nat entry i.e.
ip nat inside source static tcp "inside ip" 25 "outside ip" 25
[EDIT-2]
Do you have any route maps? If so, plz post, if not try implementing one.
10-25-2006 09:14 AM
Hi Remco,
Do you have any other IP address in the range 10.239.250.x? If your config is all correct and you have used the correct statements, then I would suggest you try changing the NAT with a different IP. I have been in the same situation where the IP given to me by the ISP was already in use and it didn't work for me. I requested another IP and it worked for me.
Just trying to relate it in case your config is all correct. You can paste your config and let us check.
HTH, Please rate if it does.
-amit singh
10-25-2006 11:08 PM
This is (a part of) my config:
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.309
description ***-Data
encapsulation dot1Q 309
ip address 172.17.9.250 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.409
description ***-Management
encapsulation dot1Q 409
ip address 10.239.9.240 255.255.255.0
!
interface FastEthernet0/0.500
description Shared-Internet
encapsulation dot1Q 500
ip address 10.239.250.65 255.255.254.0
ip nat outside
!
interface Serial0/0
no ip address
no ip mroute-cache
shutdown
no fair-queue
!
interface Serial0/1
no ip address
shutdown
!
interface BRI1/0
no ip address
shutdown
!
interface BRI1/1
no ip address
shutdown
!
interface BRI1/2
no ip address
shutdown
!
interface BRI1/3
no ip address
shutdown
!
ip nat inside source list 10 interface FastEthernet0/0.500 overload
ip nat inside source static 172.17.9.2 10.239.250.66
ip classless
ip route 0.0.0.0 0.0.0.0 10.239.251.254
ip route 172.16.4.0 255.255.255.0 10.239.9.254
no ip http server
!
access-list 10 permit 172.17.9.0 0.0.0.255
access-list 23 permit 172.16.4.0 0.0.0.255
!
line con 0
exec-timeout 0 0
login local
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 0 0
login local
!
end
10-27-2006 02:07 AM
Hi Remco,
1. To clear nat translations you can use
router# clear ip nat translations *
This will remove all the dynamic entries from the nat table
2.
For your nat static rule,
ip nat inside source static 172.17.9.2 10.239.250.66
(a)
I see that outside interface has ip address '10.239.250.65' and you are specifying "10.239.250.66" which is in this network. Not sure if it is allowed.
If it is allowed
(b)
Can you try giving the below and check if you can see "172.17.9.2" under inside local and "10.239.250.66" under inside global
router# sh ip nat translations
If there is an entry under it then NAT translation might be working fine. The problem could be with ping.
As per the config you sent, I am guessing when you use ping command from your inside network, the echo request packet would have been sent to 10.239.251.254
So check on 10.239.251.254 whether there is a route to 10.239.250.66.
If it is not there, then give the following command:
10.239.251.254(config)# ip route 10.239.250.66 255.255.255.255 10.239.250.65
HTH,
Radhika
10-29-2006 07:58 AM
Hi Radhika
I already tried to clear the nat translations. No effect....
I already tried the "show ip nat translation" command and indeed, it shows the correct inside local and inside global addresses.....
The route isn't needed. It is in the same network as the outside interface (10.239.250.65/23 is in the same network as 10.239.251.254). And with the overload mechanism everything works fine.....
I really don't know where to find the problem... Maybe a problem with the IOS version??
Gr.
Remco
10-29-2006 03:17 PM
Hi Remco
You could try two things (listed in my order of pref):
1) in your access list for the outbound overload nat, deny the address that has a static nat
2) Use a route-map for matching the overload NAT as this works on a host/port basis rather than just host.
Good luck
Dan :-)
10-29-2006 05:27 PM
Hi All,
I think configuration of nat is OK but
" ip nat inside source static 172.17.9.2 10.239.250.66 "
Let's think about the L2-L3 mapping. The router is translating the inside address 172.17.9.2 to the outside address 10.239.250.66, but when a machine on the network 10.239.250.0/23 tries to access 10.239.250.66 it needs an L3-L2 mapping, meaning an ARP entry, for sending packets. So you need to have this IP configured on at least one device which can reply to the ARP request with the MAC address, which is not happening in your case.
What I would suggest is to configure this IP address on the router's outside interface as secondary, so that the router will reply to ARP packets for that IP address.
You can try putting a static entry in your next hop router for 10.239.250.66 with the MAC address of the NAT router's outside interface, but this solution will work for the router only; no other PC will be able to access 172.17.9.2.
I hope you understood the problem.
Please rate the post if it helps
thanks
kamlesh
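A small constructed checker, added here and not from the thread, that applies the two checks suggested above (Dan's point that the overload ACL also matches the statically translated host, and Kamlesh's point that the inside-global address sits in the outside subnet without belonging to any interface) to the relevant lines of the config Remco posted. The embedded config excerpt and the wording of the findings are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the thread (indentation as IOS shows it).
CONFIG = """
interface FastEthernet0/0.500
 ip address 10.239.250.65 255.255.254.0
 ip nat outside
ip nat inside source list 10 interface FastEthernet0/0.500 overload
ip nat inside source static 172.17.9.2 10.239.250.66
access-list 10 permit 172.17.9.0 0.0.0.255
access-list 23 permit 172.16.4.0 0.0.0.255
"""

def parse(config):
    """Pull out outside-interface subnets, standard ACLs, the overload ACL id and static NATs."""
    acls, statics, outside, overload_acl, current = {}, [], [], None, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            current = ipaddress.ip_interface(f"{m[1]}/{m[2]}")   # address of current interface
        elif line == "ip nat outside" and current is not None:
            outside.append(current)
        elif m := re.match(r"access-list (\d+) permit (?:host )?(\S+)(?: (\S+))?$", line):
            wildcard = m[3] or "0.0.0.0"                          # no wildcard means a single host
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{wildcard}", strict=False))
        elif m := re.match(r"ip nat inside source list (\d+) .* overload$", line):
            overload_acl = m[1]
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            statics.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
    return acls, statics, outside, overload_acl

def findings(config):
    """Return human-readable findings for each static NAT entry."""
    acls, statics, outside, overload_acl = parse(config)
    out = []
    for local, glob in statics:
        # Dan's check: the static host is also matched by the dynamic/overload ACL.
        if overload_acl and any(local in net for net in acls.get(overload_acl, [])):
            out.append(f"{local} is also matched by overload ACL {overload_acl}; "
                       f"consider 'access-list {overload_acl} deny host {local}' before the permit")
        # Kamlesh's check: the inside-global address lives in the outside subnet but is not an interface address.
        for ifc in outside:
            if glob in ifc.network and glob != ifc.ip:
                out.append(f"{glob} is in outside subnet {ifc.network} but is not an interface address; "
                           f"verify that the NAT router answers ARP for it")
    return out

if __name__ == "__main__":
    for f in findings(CONFIG):
        print(f)
```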
10-31-2006 06:33 AM
Problem Solved !
Behind this NAT router there is another PIX 515 firewall. The 10.239.250.65 address is translated there to a real public IP address. I tried to NAT the 10.239.250.65 address to another free public address and everything works... Strange... A problem with a single public IP address in a complete public range?
Thanks for the support anyway..
Gr,
Remco