01-11-2014 09:40 PM - edited 03-07-2019 05:30 PM
interface FastEthernet0/0
description To Cable Modem
ip address dhcp
ip nat outside
interface FastEthernet0/1
description To LAN
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip nat pool ovrld 72.186.194.72 72.186.194.72 netmask 255.255.192.0
ip nat inside source list NATOUT pool ovrld overload
ip access-list standard NATOUT
permit 192.168.1.0 0.0.0.255 log
-------------------
Show ip nat translations shows no translations.
The Stats
Dynamic mappings:
-- Inside Source
[Id: 3] access-list NATOUT pool ovrld refcount 0
pool ovrld: netmask 255.255.192.0
start 72.186.194.72 end 72.186.194.72
type generic, total addresses 1, allocated 0 (0%), misses 0
Queued Packets: 0
I can get one device to translate with a static but the dynamic does not work.
01-12-2014 12:03 AM
Hi Derek,
ip nat pool ovrld 72.186.194.72 72.186.194.72 netmask 255.255.192.0
ip nat inside source list NATOUT pool ovrld overload
Could you try to change your config like this and see if it works then:
ip nat inside source list NATOUT interface fa0/0 overload
no ip nat pool ovrld 72.186.194.72 72.186.194.72 netmask 255.255.192.0
HTH
Rolf
01-12-2014 07:59 AM
Hey Rolf. I used the commands like you said but it will not translate anything unless the entry is static.
ip nat inside source static 192.168.1.2 72.186.*.72 is what I'm using to get my main node translated while I figure out this problem. The configuration worked fine until I upgraded IOS from 12.3 to 12.4. That's when it quit translating. My config follows. Keep in mind that when I tried your commands I removed the static entry for 192.168.1.2.
Building configuration...
[OK]
HEADEND(config)#do sh run
Building configuration...
Current configuration : 3267 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HEADEND
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$vk5M$eGiHBbhKZrvPdNz0aXhve1
!
no aaa new-model
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.250 192.168.1.254
!
ip dhcp pool DEESPOOL
network 192.168.1.0 255.255.255.0
dns-server 65.32.5.111 65.32.5.112
domain-name dbtech.netpros.com
default-router 192.168.1.254
!
!
!
!
crypto pki trustpoint TP-self-signed-3843280569
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3843280569
revocation-check none
rsakeypair TP-self-signed-3843280569
!
!
crypto pki certificate chain TP-self-signed-3843280569
certificate self-signed 01
quit
username derek privilege 15 secret 5 $1$rBZD$NqY/hkTEpcZV4rYqwtKAD.
!
!
!
!
interface FastEthernet0/0
description To Cable Modem
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description To LAN
ip address 192.168.1.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list NATOUT interface FastEthernet0/0 overload
!
ip access-list standard NATOUT
permit 192.168.1.0 0.0.0.255 log
!
!
control-plane
!
!
line con 0
line aux 0
This is very odd; it is like dynamic NAT is just broken.
01-12-2014 08:06 AM
It shouldn't matter, but have you tried with an extended acl? Try below:
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 inter fa0/0 overload
If that doesn't resolve the issue, try "debug ip nat" and pass some traffic, then post the results.
Thanks!
John
*** Please rate all useful posts ***
01-12-2014 08:49 AM
Hi,
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#gen-nat
A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support ACLs with a "log" keyword.
So can you change your NAT ACL by not using the log keyword and try again?
Regards
Alain
Don't forget to rate helpful posts.
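The condition described in the answer above can be checked offline against a saved running-config. The following is an added example, not part of the original thread and not a Cisco tool: it reports every permit/deny entry carrying a log keyword in an ACL that an "ip nat inside source list" rule references. The function name is hypothetical, and the sample config is constructed from the thread's NAT lines plus a numbered ACL.

```python
import re

# Constructed sample: the thread's NAT-related lines, plus a numbered ACL
# added here to exercise the other ACL syntax.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat inside
ip nat inside source list NATOUT interface FastEthernet0/0 overload
!
ip access-list standard NATOUT
 permit 192.168.1.0 0.0.0.255 log
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""

NAT_RULE = re.compile(r"^ip nat inside source list (\S+)")
NAMED_ACL = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
NUMBERED_ACE = re.compile(r"^access-list (\d+) (.+)$")
ACE = re.compile(r"^(?:\d+ )?(?:permit|deny)\b")  # optional sequence number
LOG_KW = re.compile(r"\blog(?:-input)?\b")


def find_logged_nat_acls(config_text):
    """Return [(acl_name, entry)] for permit/deny entries that use
    log or log-input inside an ACL referenced by a dynamic NAT rule."""
    nat_acls = set()
    entries = []       # (acl_name, entry_text) for every ACL in the config
    current = None     # named ACL whose sub-commands are being read
    for raw in config_text.splitlines():
        # strip() so configs pasted without indentation still parse
        line = raw.strip()
        if m := NAT_RULE.match(line):
            nat_acls.add(m.group(1))
            current = None
        elif m := NAMED_ACL.match(line):
            current = m.group(1)
        elif m := NUMBERED_ACE.match(line):
            entries.append((m.group(1), m.group(2)))
            current = None
        elif current and ACE.match(line):
            entries.append((current, line))
        elif line and not line.startswith("remark"):
            current = None  # any other command ends the named ACL block
    return [(name, ace) for name, ace in entries
            if name in nat_acls and ACE.match(ace) and LOG_KW.search(ace)]
```

Run on the sample, it flags the NATOUT entry; the same ACL without the log keyword returns an empty list.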
01-12-2014 09:56 AM
Awesome. I have been working on this problem for hours. Why can't you log hits on a NAT ACL? And thanks, man!
01-12-2014 10:23 AM
Hi,
I don't know the exact reason.
Regards
Alain
Don't forget to rate helpful posts.