08-20-2011 09:04 AM - edited 03-07-2019 01:48 AM
I can't seem to get the below NAT config to work. I removed the crypto from the fa0/0 for testing.
Why can't I get xlates when I ping 192.168.1.5 or 192.168.1.1? As you can see, my access list isn't getting touched.
What am I missing?
==============================================
CCC#sh access-lists
Standard IP access list 1
10 permit 10.10.10.0, wildcard bits 0.0.0.255
==============================================
CCC#sh ip nat t
CCC#
==============================================
CCC#sh ip nat s
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet0/1
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Outside Destination
[Id: 2] access-list 1 interface FastEthernet0/0 refcount 0
[0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
0, flags 1
[0] prot 6: port #9 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
0, flags 1
[0] prot 6: port #11 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
.0, flags 1
[0] prot 6: port #13 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
.0, flags 1
[0] prot 6: port #19 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
.0, flags 1
[0] prot 6: port #21 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
.0, flags 1
=============================================================================
CCC#sh run
Building configuration...
Current configuration : 1490 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CCC
!
boot-start-marker
boot system flash c2600-adventerprisek9-mz.124-25d.bin
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
archive
log config
hidekeys
!
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 400
crypto isakmp key cisco123 address 1.1.1.3
!
!
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
!
crypto map Petaluma_1 1 ipsec-isakmp
! Incomplete
set peer 1.1.1.3
set transform-set Petaluma_VPN
match address 100
!
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
half-duplex
!
interface Serial0/0
no ip address
shutdown
clock rate 56000
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router rip
network 1.0.0.0
network 10.0.0.0
no ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 1.1.1.3
!
!
no ip http server
no ip http secure-server
ip nat source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
08-20-2011 09:45 AM
Hi,
Can you do the test again without the crypto map and do sh ip nat translation, and if you see nothing, then repeat but with the following debug on: debug ip nat.
But if you want traffic to get through the VPN tunnel, you'll have to exempt it from being natted with a deny clause in an extended access-list.
Regards.
Alain.
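The NAT exemption described in the reply above, as an added example that is not part of the original thread: an extended access-list whose first entry denies tunnel-bound traffic so it is never translated, followed by a permit for everything else. ACL number 101 is hypothetical, and 192.168.1.0/24 (taken from the static route in the posted config) is assumed to be the subnet behind the VPN peer; the example uses the `ip nat inside source` form, which is the one that pairs with the `ip nat inside` / `ip nat outside` interface commands already in the posted config.

```cisco
! Added example. ACL 101 is a hypothetical number; 192.168.1.0/24 is assumed
! to be the subnet behind VPN peer 1.1.1.3 (from the posted static route).
!
! Remove the standard-ACL NAT rule from the posted config.
no ip nat source list 1 interface FastEthernet0/0 overload
!
! First entry: traffic headed into the tunnel is denied, i.e. not translated,
! so it reaches the crypto map with its original 10.10.10.x source address.
access-list 101 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
! Second entry: everything else from the inside subnet is translated (PAT).
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! The posted crypto map references access-list 100, which does not appear in
! the posted config. Assumed definition, the same traffic exempted above:
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
```

With this ACL, traffic to 192.168.1.0/24 is expected to leave no entry in `sh ip nat translation`; traffic from 10.10.10.0/24 to other destinations is what creates translations.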
01-17-2014 07:19 AM
I am getting the same issue:
Dynamic mappings:
-- Outside Destination
[Id: 1] access-list NAT interface FastEthernet0/0 refcount 0
[0] prot 6: port #0 refcount 2 syscount 2 localport 4294967295, localaddr 0.0.0.
0, flags 1
[0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
0, flags 1
I don't know what this means and will try debug ip nat and get a readout.