Why does this NAT configuration not work ?

deebeeishere
Level 1

interface FastEthernet0/0

description To Cable Modem

ip address dhcp

ip nat outside

interface FastEthernet0/1

description To LAN

ip address 192.168.1.254 255.255.255.0

ip nat inside

ip nat pool ovrld 72.186.194.72 72.186.194.72 netmask 255.255.192.0

ip nat inside source list NATOUT pool ovrld overload

ip access-list standard NATOUT

permit 192.168.1.0 0.0.0.255 log

-------------------

Show ip nat translations shows no translations.

The Stats

Dynamic mappings:

-- Inside Source

[Id: 3] access-list NATOUT pool ovrld refcount 0

pool ovrld: netmask 255.255.192.0

        start 72.186.194.72 end 72.186.194.72

        type generic, total addresses 1, allocated 0 (0%), misses 0

Queued Packets: 0

I can get one device to translate with a static but the dynamic does not work.

1 Accepted Solution

Accepted Solutions

Hi,

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#gen-nat

Q.   Does Cisco IOS NAT support ACLs with a "log" keyword?

A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support ACLs with a "log" keyword.

So can you change your NAT ACL by not using the log keyword and try again.

Regards

Alain

Don't forget to rate helpful posts.


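As an added example (not code from the thread, from Cisco, or from any of the posters), the check below reads an IOS-style running config and reports ACL entries carrying the "log" keyword that are referenced by a dynamic "ip nat inside source list" statement, which is exactly the condition the FAQ answer above describes. The sample config is constructed to mirror the poster's NAT statement and ACL; the function and pattern names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's config: a dynamic NAT statement
# whose ACL carries the "log" keyword that Cisco's NAT FAQ says is unsupported.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat inside
ip nat inside source list NATOUT interface FastEthernet0/0 overload
ip access-list standard NATOUT
 permit 192.168.1.0 0.0.0.255 log
"""

NAT_SOURCE_LIST = re.compile(r"^ip nat inside source list (\S+)")
NAMED_ACL = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED_ACL = re.compile(r"^access-list (\d+) (.+)$")
LOG_KEYWORD = re.compile(r"\blog(-input)?\b")

def parse_acls(config):
    """Map each ACL name/number to its entries (named and numbered syntax)."""
    acls = defaultdict(list)
    current = None  # named ACL whose entries follow
    for raw in config.splitlines():
        line = raw.strip()  # tolerate the unindented lines forum posts produce
        if not line:
            continue
        if m := NUMBERED_ACL.match(line):
            acls[m.group(1)].append(m.group(2).strip())
            current = None
        elif m := NAMED_ACL.match(line):
            current = m.group(1)
        elif current and line.split()[0] in ("permit", "deny", "remark"):
            acls[current].append(line)
        else:
            current = None  # any other top-level command ends the ACL block
    return acls

def find_nat_acl_log_entries(config):
    """Return (acl, entry) pairs where an ACL used by dynamic NAT has 'log'."""
    acls = parse_acls(config)
    findings = []
    for raw in config.splitlines():
        if m := NAT_SOURCE_LIST.match(raw.strip()):
            for entry in acls.get(m.group(1), []):
                if LOG_KEYWORD.search(entry):
                    findings.append((m.group(1), entry))
    return findings
```

Calling find_nat_acl_log_entries(SAMPLE_CONFIG) returns [('NATOUT', 'permit 192.168.1.0 0.0.0.255 log')]; with the log keyword removed it returns an empty list, and the same check works for a numbered ACL such as the one John suggests later in the thread.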

6 Replies

Rolf Fischer
Level 9

Hi Derek,

ip nat pool ovrld 72.186.194.72 72.186.194.72 netmask 255.255.192.0

ip nat inside source list NATOUT pool ovrld overload

could you try to change your config like this and see if it works then:

ip nat inside source list NATOUT interface fa0/0 overload

no ip nat pool ovrld 72.186.194.72 72.186.194.72 netmask 255.255.192.0

HTH

Rolf

Hey Rolf. I used the commands like you said, but it will not translate anything unless the entry is static.

ip nat inside source static 192.168.1.2 72.186.*.72

is what I'm using to get my main node translated while I figure out this problem. The configuration worked fine until I upgraded IOS from 12.3 to 12.4. That's when it quit translating. My config follows. Keep in mind that when I tried your commands I removed the static entry for 192.168.1.2.

Building configuration...

[OK]

HEADEND(config)#do sh run

Building configuration...

Current configuration : 3267 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname HEADEND

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$vk5M$eGiHBbhKZrvPdNz0aXhve1

!

no aaa new-model

memory-size iomem 15

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.100

ip dhcp excluded-address 192.168.1.254

ip dhcp excluded-address 192.168.1.250 192.168.1.254

!

ip dhcp pool DEESPOOL

   network 192.168.1.0 255.255.255.0

   dns-server 65.32.5.111 65.32.5.112

   domain-name dbtech.netpros.com

   default-router 192.168.1.254

!

!

!

!

crypto pki trustpoint TP-self-signed-3843280569

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3843280569

revocation-check none

rsakeypair TP-self-signed-3843280569

!

!

crypto pki certificate chain TP-self-signed-3843280569

certificate self-signed 01


  quit

username derek privilege 15 secret 5 $1$rBZD$NqY/hkTEpcZV4rYqwtKAD.

!

!

!

!

interface FastEthernet0/0

description To Cable Modem

ip address dhcp

ip nat outside

duplex auto

speed auto

!

interface FastEthernet0/1

description To LAN

ip address 192.168.1.254 255.255.255.0

ip nat inside

duplex auto

speed auto

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat inside source list NATOUT interface FastEthernet0/0 overload

!

ip access-list standard NATOUT

permit 192.168.1.0 0.0.0.255 log

!

!

control-plane

!

!

line con 0

line aux 0

This is very odd; it is like dynamic NAT is just broken.

It shouldn't matter, but have you tried with an extended acl? Try below:

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list 100 inter fa0/0 overload

If that doesn't resolve the issue, try "debug ip nat" and pass some traffic, then post the results.

Thanks!
John

*** Please rate all useful posts ***



Awesome... I have been working on this problem for hours. Why can't you log hits on a NAT ACL? And thanks, man!

Hi,

I don't know the exact reason.

Regards

Alain

Don't forget to rate helpful posts.
