Configure Cisco router overload NAT (IOS 15)


Can you show the output of 'sh ip nat stat' and 'sh ip nat tran'?

I think the config looks correct, did you try applying an ACL on the outside interface to specifically allow the traffic?

interface GigabitEthernet0/0
 ip access-group OUTBOUND out
!
ip access-list extended OUTBOUND
 permit ip any any


Here's a working example from an 1800 series:

interface FastEthernet0
 description $FW_OUTSIDE$
 bandwidth 34000
 ip address 1.2.3.141 255.255.255.240
 ip access-group OUTBOUND out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 load-interval 60
 duplex auto
 speed auto
!
interface FastEthernet1
 description $FW_INSIDE$
 bandwidth 34000
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 load-interval 60
 duplex auto
 speed auto
!
ip nat pool GLOBAL_IP_POOL 1.2.3.139 1.2.3.141 prefix-length 24
ip nat inside source route-map natmap pool GLOBAL_IP_POOL overload
!
ip access-list extended natrules
 deny   ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 any
!
route-map natmap permit 10
 match ip address natrules

Hope this helps.


Edited:

I cannot spot anything weird with your config. Since you seem not to have any hits in translation tables at all, there must be a problem either on the connectivity or configuration on the client, or simply an access-list that denies the traffic.

Can you:

1) ping from the router, make sure you do it from the correct interface by entering:

ping 8.8.8.8 source 10.1.1.1

2) show access-lists

show access-lists

I set up three routers in a lab and configured rip + nat, and it works just as it is. The router in question and the remote router that specifically denies the internal network of 'the router in question'.
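As an added example (not part of the answer or the thread), a small config lint that flags the two things this thread turns on: an `ip nat inside source` statement combined with `no ip routing`, and an `ip access-group` or NAT source list that names an ACL the config never defines (the `la_out` / `lan_out` typo). The sample config is a constructed excerpt of the question's posted configuration.

```python
import re

# Constructed excerpt of the configuration posted in the question.
SAMPLE_CONFIG = """\
no ip routing
no ip cef
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 ip access-group lan_out out
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
ip access-list extended la_out
 permit ip any any
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 10.1.1.0 0.0.0.255
"""

def parse_interfaces(cfg):
    """Return {interface name: [stripped sub-commands]} for each stanza."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur:
            ifaces[cur].append(line.strip())
        else:
            cur = None          # '!' or a global command ends the stanza
    return ifaces

def defined_acls(cfg):
    """Names of named ACLs plus numbers of numbered ACLs."""
    names = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", cfg, re.M))
    return names | set(re.findall(r"^access-list (\d+) ", cfg, re.M))

def lint_nat(cfg):
    findings = []
    if re.search(r"^no ip routing", cfg, re.M) and re.search(r"^ip nat inside source", cfg, re.M):
        findings.append("NAT configured but 'no ip routing' is set: nothing is forwarded between interfaces")
    ifaces = parse_interfaces(cfg)
    if not (any("ip nat inside" in l for l in ifaces.values()) and any("ip nat outside" in l for l in ifaces.values())):
        findings.append("NAT needs both an 'ip nat inside' and an 'ip nat outside' interface")
    acls = defined_acls(cfg)
    for name, lines in ifaces.items():
        for m in (re.match(r"ip access-group (\S+) (in|out)", l) for l in lines):
            if m and m.group(1) not in acls:
                findings.append(f"{name}: access-group '{m.group(1)}' references an undefined ACL")
    for m in re.finditer(r"^ip nat inside source list (\S+)", cfg, re.M):
        if m.group(1) not in acls:
            findings.append(f"NAT source list '{m.group(1)}' is undefined")
    return findings
```

Running `lint_nat(SAMPLE_CONFIG)` reports the `no ip routing` line and the undefined `lan_out` ACL; once both are corrected it returns an empty list.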

Asked by Naltharial

Updated on September 18, 2022

Comments

  • Naltharial
    Naltharial over 1 year

    I am attempting to configure a Cisco 2901 router using IOS 15 to properly perform NAT/PAT translation between the LAN and the internet connection. I've configured a DHCP pool for the local interface, which works properly (even using an additional switch, wireless access point, ...). Likewise, the WAN interface is configured to obtain its own IP by DHCP from the ISP. I can work on the LAN computers and I can access the internet directly from the router (using, for example, telnet and the router's ping commands). The problem is, NAT does not work properly and connections from the LAN interface (GigabitEthernet0/1) do not reach the WAN interface (GigabitEthernet0/0).

    I have followed several guides on the matter, but it seems that no matter what I do, NAT just doesn't seem to work. I have tried both the interface GigabitEthernet0/0 overload NAT inside source list and the NAT pool source list (being the current ISP-assigned IP) described in the guides.

    Attached is the complete configuration, hoping someone finds the problem I have missed.

    Current configuration : 2007 bytes
    !
    ! Last configuration change at 19:59:30 UTC Wed Jul 6 2011
    !
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname odin
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 enablesecret
    enable password enablepassword
    !
    no aaa new-model
    !
    !
    !
    !
    no ipv6 cef
    ip source-route
    no ip routing
    no ip cef
    !
    !
    ip dhcp excluded-address 10.1.1.1 10.1.1.10
    !
    ip dhcp pool lan
       import all
       network 10.1.1.0 255.255.255.0
       default-router 10.1.1.1
       dns-server 8.8.8.8
    !
    !
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    voice-card 0
    !
    !
    !
    !
    !
    !
    license udi pid licensepid sn licensesn
    !
    !
    !
    redundancy
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface GigabitEthernet0/0
     ip address dhcp
     ip nat outside
     ip virtual-reassembly
     no ip route-cache
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
     !
    !
    interface ISM0/0
     no ip address
     no ip route-cache
     shutdown
     service-module fail-open
     no cdp enable
     !
     hold-queue 60 out
    !
    interface ISM0/1
     no ip address
     no ip route-cache
     shutdown
     no cdp enable
     !
    !
    interface GigabitEthernet0/1
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     no ip route-cache
     duplex auto
     speed auto
     no cdp enable
     !
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    !
    access-list 1 permit 10.1.1.0 0.0.0.255
    !
    !
    !
    !
    !
    snmp-server community snmp_lan RO
    !
    control-plane
     !
    !
    !
    !
    !
    !
    !
    !
    !
    gatekeeper
     shutdown
    !
    !
    line con 0
     exec-timeout 0 0
    line aux 0
    line 67
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
     flowcontrol software
    line vty 0 4
     password password
     login
    !
    scheduler allocate 20000 1000
    no process cpu extended
    no process cpu autoprofile hog
    end
    

    UPDATE 1:

    Tried specifying outbound rules by adding

    interface GigabitEthernet0/0
     ip access-group lan_out out
    !
    ip access-list extended la_out
     permit ip any any
    

    but to no avail.

    After that, also tried utilizing nat pools and route maps, resulting in

    ip nat pool lan_np 1.2.3.135 1.2.3.135 prefix-length 24
    ip nat inside source route-map natmap pool lan_np overload
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 permanent
    !
    ip access-list extended lan_out
     permit ip any any
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 any
    !
    !
    !
    !
    route-map natmap permit 10
     match ip address lan_out
    

    This was tried both with and without any combination of ip route 0.0.0.0 0.0.0.0 and either interface GigabitEthernet0/0 or the ISP default gateway IP. It results in a sh ip nat st output of

    offblast_odin#sh ip nat st
    Total active translations: 0 (0 static, 0 dynamic; 0 extended)
    Peak translations: 0, occurred 02:58:27 ago
    Outside interfaces:
      GigabitEthernet0/0
    Inside interfaces:
      GigabitEthernet0/1
    Hits: 0  Misses: 0
    CEF Translated packets: 0, CEF Punted packets: 0
    Expired translations: 0
    Dynamic mappings:
    -- Inside Source
    [Id: 2] route-map natmap pool offblast_lan_np refcount 0
     pool offblast_lan_np: netmask 255.255.255.0
            start 1.2.3.135 end 1.2.3.135
            type generic, total addresses 1, allocated 0 (0%), misses 0
    Appl doors: 0
    Normal doors: 0
    Queued Packets: 0
    

    Sadly, nothing so far worked. Full final configuration.

    • Naltharial
      Naltharial almost 13 years
      Figures, I used the wrong site. Oh well. :/
    • SiXoS
      SiXoS almost 13 years
      From what are you testing this? Host on lan with this router as its default route?
    • Naltharial
      Naltharial almost 13 years
      Yes, the PC is connected to GigabitEthernet0/1 with IPv4 Address. . . . . . . . . . . : 10.1.1.12 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.1.1.1, with all other interfaces (on the PC) disabled.
    • SiXoS
      SiXoS almost 13 years
      There seems to be a typo in the access-list, "la_out"; was this only when you pasted, or did you actually enter it incorrectly on the router?
    • SiXoS
      SiXoS almost 13 years
      Also, can you try pinging from the internal address of the router directly? 'ping ip 8.8.8.8 source 10.1.1.1'
  • Naltharial
    Naltharial almost 13 years
    tran is completely empty, stat has everything at 0, NAT doesn't even activate. I will try the outbound rule suggestion, thank you.
  • Naltharial
    Naltharial almost 13 years
    I've updated the OP with the attempts, but the router still refuses to even acknowledge the existence of NAT. :/
  • Naltharial
    Naltharial almost 13 years
    It appears that routing was actually what was wrong. I was playing with rip a bit and it seems one of them activated the routing to proceed as normal. Thanks! :D