1

I am attempting to configure a Cisco 2901 router using IOS 15 to properly perform NAT/PAT translation between LAN and the internet connection. I've configured DHCP pool for the local interface, which works properly (even using an additional switch, wireless access point, ...). Likewise, the WAN interface is configured to obtain its own IP by DHCP from the ISP. I can work on the LAN computers and I can access the internet directly from the router (using, for example, telnet and router's ping commands). The problem is, NAT does not work properly and connection from the LAN interface (GigabitEthernet0/1) does not reach the WAN interface (GigabitEthernet0/0).

I have followed several guides on the matter, but it seems that no matter what I do, NAT just doesn't seem to work. I have tried both the interface GigabitEthernet0/0 overload NAT inside source list and the NAT pool source list (being the current ISP-assigned IP) described in the guides.

Attached is the complete configuration, hoping someone finds the problem I have missed.

Current configuration : 2007 bytes ! ! Last configuration change at 19:59:30 UTC Wed Jul 6 2011 ! version 15.0 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname odin ! boot-start-marker boot-end-marker ! enable secret 5 enablesecret enable password enablepassword ! no aaa new-model ! ! ! ! no ipv6 cef ip source-route no ip routing no ip cef ! ! ip dhcp excluded-address 10.1.1.1 10.1.1.10 ! ip dhcp pool lan import all network 10.1.1.0 255.255.255.0 default-router 10.1.1.1 dns-server 8.8.8.8 ! ! ! multilink bundle-name authenticated ! ! ! ! ! ! ! voice-card 0 ! ! ! ! ! ! license udi pid licensepid sn licensesn ! ! ! redundancy ! ! ! ! ! ! ! ! ! interface GigabitEthernet0/0 ip address dhcp ip nat outside ip virtual-reassembly no ip route-cache duplex auto speed auto no cdp enable no mop enabled ! ! interface ISM0/0 no ip address no ip route-cache shutdown service-module fail-open no cdp enable ! hold-queue 60 out ! interface ISM0/1 no ip address no ip route-cache shutdown no cdp enable ! ! interface GigabitEthernet0/1 ip address 10.1.1.1 255.255.255.0 ip nat inside ip virtual-reassembly no ip route-cache duplex auto speed auto no cdp enable ! ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip nat inside source list 1 interface GigabitEthernet0/0 overload ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 ! access-list 1 permit 10.1.1.0 0.0.0.255 ! ! ! ! ! snmp-server community snmp_lan RO ! control-plane ! ! ! ! ! ! ! ! ! gatekeeper shutdown ! ! line con 0 exec-timeout 0 0 line aux 0 line 67 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 flowcontrol software line vty 0 4 password password login ! scheduler allocate 20000 1000 no process cpu extended no process cpu autoprofile hog end

UPDATE 1:

Tried specifying outbound rules by adding

interface GigabitEthernet0/0 ip access-group lan_out out ! ip access-list extended la_out permit ip any any

but to no avail.

After that, also tried utilizing nat pools and route maps, resulting in

ip nat pool lan_np 1.2.3.135 1.2.3.135 prefix-length 24 ip nat inside source route-map natmap pool lan_np overload ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 permanent ! ip access-list extended lan_out permit ip any any ! access-list 101 permit ip 10.1.1.0 0.0.0.255 any ! ! ! ! route-map natmap permit 10 match ip address lan_out

Both with and without any combination of ip route 0.0.0.0 0.0.0.0 and either interface GigabitEthernet0/0 or the ISP default gateway IP. Results in an sh ip nat st of

offblast_odin#sh ip nat st Total active translations: 0 (0 static, 0 dynamic; 0 extended) Peak translations: 0, occurred 02:58:27 ago Outside interfaces: GigabitEthernet0/0 Inside interfaces: GigabitEthernet0/1 Hits: 0 Misses: 0 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source [Id: 2] route-map natmap pool offblast_lan_np refcount 0 pool offblast_lan_np: netmask 255.255.255.0 start 1.2.3.135 end 1.2.3.135 type generic, total addresses 1, allocated 0 (0%), misses 0 Appl doors: 0 Normal doors: 0 Queued Packets: 0

Sadly, nothing so far worked. Full final configuration.

Improve this question
6
  • Figures, I used the wrong site. Oh well. :/ Commented Jul 7, 2011 at 7:56
  • From what are you testing this? Host on lan with this router as its default route? Commented Jul 7, 2011 at 16:48
  • Yes, the PC is connected to GigabitEthernet0/1 with IPv4 Address. . . . . . . . . . . : 10.1.1.12 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.1.1.1, with all other interfaces (on the PC) disabled. Commented Jul 7, 2011 at 16:57
  • There seem to be a typo in the access-list, "la_out", was this only when you pasted or did you actually enter it incorrectly on the router? Commented Jul 8, 2011 at 6:09
  • Also, can you try pinging from the internal address of the router directly? 'ping ip 8.8.8.8 source 10.1.1.1' Commented Jul 8, 2011 at 6:11

2 Answers 2

Reset to default
1

Can you show output of 'sh ip nat stat' and 'sh ip nat tran'?

I think the config looks correct, did you try applying an ACL on the outside interface to specifically allow the traffic?

 interface GigabitEthernet0/0 ip access-group OUTBOUND out ! ip access-list extended OUTBOUND permit ip any any


here's a working example from a 1800 series:

 interface FastEthernet0 description $FW_OUTSIDE$ bandwidth 34000 ip address 1.2.3.141 255.255.255.240 ip access-group OUTBOUND out ip verify unicast reverse-path no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip virtual-reassembly load-interval 60 duplex auto speed auto ! interface FastEthernet1 description $FW_INSIDE$ bandwidth 34000 ip address 192.168.0.254 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly load-interval 60 duplex auto speed auto ! ip nat pool GLOBAL_IP_POOL 1.2.3.139 1.2.3.141 prefix-length 24 ip nat inside source route-map natmap pool GLOBAL_IP_POOL overload ! ip access-list extended natrules deny ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255 permit ip 192.168.0.0 0.0.255.255 any ! route-map natmap permit 10 match ip address natrules

Hope this helps.


Edited:

I cannot spot anything weird with your config. Since you seem not to have any hits in translation tables at all, there must be a problem either on the connectivity or configuration on the client, or simply an access-list that denies the traffic.

Can you:

1) ping from the router, make sure you do it from the correct interface by entering:

ping 8.8.8.8 source 10.1.1.1

2) show access-lists

show access-lists

I set up three routers in a lab and configured rip + nat, and it works just as it is. The router in question and the remote router that specifically denies the internal network of 'the router in question'.

Improve this answer
3
  • tran is completely empty, stat has everything at 0, NAT doesn't even activate. I will try the outbound rule suggestion, thank you. Commented Jul 7, 2011 at 8:20
  • I've updated the OP with the attempts, but the router still refuses to even acknowledge the existence of NAT. :/ Commented Jul 7, 2011 at 16:24
  • It appears that routing was actually what was wrong. I was playing with rip a bit and it seems one of them activated the routing to proceed as normal. Thanks! :D Commented Jul 8, 2011 at 14:57
0

Since this question has now gotten over 1000 views (whoah), I will post the accurate answer: from what I was told later (after using some of the configs posted by @3molo), the line

no ip routing

was at fault for NAT not working correctly (in hindsight, pretty obvious).

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.