NAT troubleshooting

RickPine
Level 1

Can I get some help understanding why my lab scenario didn't work:

I have two subnets, (A) 10.0.0.0/28 and (B) 10.0.0.16/28. I wanted to set up NAT, but my idea was to allow anything from (C) 10.0.0.0/24, so that in case I added a new subnet, anything that fell under the /24 would be covered. I set up an access list to allow the entire /24 subnet with the wildcard mask 10.0.0.0 0.0.0.255, but it didn't work; not one translation was logged. So I tried making the access lists specific to the subnets with wildcard masks 10.0.0.0 0.0.0.15 and 10.0.0.16 0.0.0.15, adjusted the NAT rule with the new access lists, and boom! NAT was working.

Why did I have to allow the two specific subnets for it to work? Subnet A goes from 10.0.0.1 to 10.0.0.14 and subnet B goes from 10.0.0.17 to 10.0.0.30. Subnet C allows everything within 10.0.0.0/24, including subnet A and subnet B.


Accepted Solution

Hi @RickPine 

The concept of an access list for NAT is different from the concept for allowing/permitting traffic. For NAT, the device needs to match the traffic. If you have two networks, you probably have two interfaces or two VLANs, and if you create one ACL that does not correspond to any interface or VLAN, there will be no match.

The command "ip nat inside" will look for the traffic that is on that interface.

What you tried to do would work if both /28 networks left the device through only one interface with the ip nat inside command.


6 Replies

Ah! This makes perfect sense, I appreciate the response. Yes, there are VLAN10 and VLAN20 with int f0/0.10 ip nat inside and f0/0.20 ip nat inside. So when it comes to NAT purposes, the ACL needs to match the traffic leaving through the "ip nat inside" interface, the things CCNA doesn't teach. How would both /28 networks leave the router via one interface only? If I have two subnets, I need to have one egress/ingress interface per subnet.

"How would both /28 networks leave the router via one interface only? If I have two subnets, I need to have one egress/ingress interface per subnet."

It would happen if you are connected to an ISP, for example, and you set up NAT on the router to send the NATted traffic to your ISP. This usually happens.

Okay, I can see this happening, as many homes/businesses have one ISP router with one LAN and one WAN interface. The 0/0.x and 0/0.y are logical subinterfaces on top of the 0/0 physical interface, therefore the traffic is technically going out the same interface. It's just a matter of adding an ACL and NAT rule per subnet.
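A configuration of the kind this reply describes (two VLAN subinterfaces with ip nat inside, one ACL and one dynamic NAT rule per /28), added here as an illustration and not taken from the thread. The router addresses, the outside interface FastEthernet0/1 and its 203.0.113.0/30 WAN address are assumptions:

```cisco
! Added example, not from the original thread. Interface names, router
! addresses and the WAN addressing are assumptions.
interface FastEthernet0/0.10
 description VLAN10 - subnet A (10.0.0.0/28)
 encapsulation dot1Q 10
 ip address 10.0.0.1 255.255.255.240
 ip nat inside
!
interface FastEthernet0/0.20
 description VLAN20 - subnet B (10.0.0.16/28)
 encapsulation dot1Q 20
 ip address 10.0.0.17 255.255.255.240
 ip nat inside
!
interface FastEthernet0/1
 description WAN toward ISP (assumed)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! One ACL per subnet, using the wildcard masks from the thread.
! Only the source range is constrained; the destination is left open.
ip access-list extended NAT-VLAN10
 permit ip 10.0.0.0 0.0.0.15 any
ip access-list extended NAT-VLAN20
 permit ip 10.0.0.16 0.0.0.15 any
!
! One PAT (overload) rule per ACL, all translated to the WAN address.
ip nat inside source list NAT-VLAN10 interface FastEthernet0/1 overload
ip nat inside source list NAT-VLAN20 interface FastEthernet0/1 overload
```

To confirm that translations are actually being created, generate traffic from a host in each /28 and check `show ip nat translations` and `show ip nat statistics`, which lists each dynamic mapping with its hit count.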

Yes. If you are sending all your traffic to only one interface toward an ISP and using NAT, it makes sense to use one big subnet mask, but if you are dealing with separate interfaces, you need to match your traffic.

balaji.bandi
Hall of Fame

What device and IOS code are you running?

Post your example config of the interfaces allocated to those subnets and the NAT rule.

BB
