Need help getting simple NAT config to work

david.santel
Level 1

I can't seem to get the below NAT config to work. I removed the crypto from the fa0/0 for testing.

Why can't I get xlates when I ping 192.168.1.5 or 192.168.1.1? As you can see, my access list isn't getting touched.

What am I missing?

==============================================

CCC#sh access-lists

Standard IP access list 1

    10 permit 10.10.10.0, wildcard bits 0.0.0.255

==============================================
CCC#sh ip nat t

CCC#
==============================================

CCC#sh ip nat s
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet0/1
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Outside Destination
[Id: 2] access-list 1 interface FastEthernet0/0 refcount 0
[0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.0, flags 1
[0] prot 6: port #9 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.0, flags 1
[0] prot 6: port #11 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.0, flags 1
[0] prot 6: port #13 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.0, flags 1
[0] prot 6: port #19 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.0, flags 1
[0] prot 6: port #21 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.0, flags 1
=============================================================================

CCC#sh run
Building configuration...

Current configuration : 1490 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CCC
!
boot-start-marker
boot system flash c2600-adventerprisek9-mz.124-25d.bin
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef


no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3

archive
log config
  hidekeys
!
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 400
crypto isakmp key cisco123 address 1.1.1.3
!
!
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
!
crypto map Petaluma_1 1 ipsec-isakmp
! Incomplete
set peer 1.1.1.3
set transform-set Petaluma_VPN
match address 100
!
!

interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
half-duplex
!
interface Serial0/0
no ip address
shutdown
clock rate 56000
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router rip
network 1.0.0.0
network 10.0.0.0
no ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 1.1.1.3
!
!
no ip http server
no ip http secure-server
ip nat source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
!
control-plane
!

line con 0
line aux 0
line vty 0 4
login
!
!
end


cadet alain
VIP Alumni

Hi,

Can you do the test again without the crypto map and do sh ip nat translation, and if you see nothing then repeat but with the following debug on: debug ip nat.

But if you want traffic to get through the vpn tunnel you'll have to exempt it from being natted with a deny clause in an extended access-list.

Regards.

Alain.

Don't forget to rate helpful posts.
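
The NAT exemption suggested in the reply above, written out as an added example (not part of the original thread and not either poster's configuration). The ACL name NAT_OVERLOAD and the contents of access-list 100 are assumptions; the subnets and interface names are taken from the posted running config. It uses the classic `ip nat inside source` statement, which pairs with the `ip nat inside` / `ip nat outside` interface commands in the posted config, whereas the `ip nat source list` form belongs to NAT Virtual Interface and pairs with `ip nat enable` on the interfaces.

```cisco
! Added example. NAT_OVERLOAD is a hypothetical ACL name.
!
! Before (from the posted config): a standard ACL matches on source only,
! so LAN traffic headed for the VPN peer's subnet would be translated to
! 1.1.1.2 as well.
!   access-list 1 permit 10.10.10.0 0.0.0.255
!   ip nat source list 1 interface FastEthernet0/0 overload
!
! Remove the old NAT statement first.
no ip nat source list 1 interface FastEthernet0/0 overload
!
! After: an extended ACL can match on destination. The deny line exempts
! LAN -> remote-subnet traffic from translation; the permit line sends
! everything else from the LAN through PAT on the outside interface.
ip access-list extended NAT_OVERLOAD
 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
ip nat inside source list NAT_OVERLOAD interface FastEthernet0/0 overload
!
! Crypto ACL referenced by "match address 100" in the crypto map.
! Assumed content: access-list 100 does not appear in the posted config.
! Inside-to-outside NAT is applied before the crypto map check, so this
! ACL only matches if the packet still carries its 10.10.10.x source,
! which is what the deny line above guarantees.
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Checks after sending traffic from a 10.10.10.x host:
!   show access-lists NAT_OVERLOAD   (deny counter rises for 192.168.1.x
!                                     destinations, permit for the rest)
!   show ip nat translations         (entries only for non-VPN destinations)
```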

I am getting the same issue:

Dynamic mappings:
-- Outside Destination
[Id: 1] access-list NAT interface FastEthernet0/0 refcount 0
[0] prot 6: port #0 refcount 2 syscount 2 localport 4294967295, localaddr 0.0.0.0, flags 1
[0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.0, flags 1

I don't know what this means and will try debug ip nat and get a readout.
