Configure Cisco router overload NAT (IOS 15)
Can you show output of 'sh ip nat stat' and 'sh ip nat tran'?
I think the config looks correct, did you try applying an ACL on the outside interface to specifically allow the traffic?
interface GigabitEthernet0/0 ip access-group OUTBOUND out ! ip access-list extended OUTBOUND permit ip any any
here's a working example from a 1800 series:
interface FastEthernet0 description $FW_OUTSIDE$ bandwidth 34000 ip address 1.2.3.141 255.255.255.240 ip access-group OUTBOUND out ip verify unicast reverse-path no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip virtual-reassembly load-interval 60 duplex auto speed auto ! interface FastEthernet1 description $FW_INSIDE$ bandwidth 34000 ip address 192.168.0.254 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly load-interval 60 duplex auto speed auto ! ip nat pool GLOBAL_IP_POOL 1.2.3.139 1.2.3.141 prefix-length 24 ip nat inside source route-map natmap pool GLOBAL_IP_POOL overload ! ip access-list extended natrules deny ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255 permit ip 192.168.0.0 0.0.255.255 any ! route-map natmap permit 10 match ip address natrules
Hope this helps.
Edited:
I cannot spot anything weird with your config. Since you seem not to have any hits in translation tables at all, there must be a problem either on the connectivity or configuration on the client, or simply an access-list that denies the traffic.
Can you:
1) ping from the router, make sure you do it from the correct interface by entering:
ping 8.8.8.8 source 10.1.1.1
2) show access-lists
show access-lists
I set up three routers in a lab and configured rip + nat, and it works just as it is. The router in question and the remote router that specifically denies the internal network of 'the router in question'.
Related videos on Youtube
Naltharial
Work : C/C++, Web (PHP / SQL), .NET (ASP.NET, C#), Java programmer. Event manager and technical manager for Offblast LAN (Slovenian). Hobby : Reinventing the wheel to learn from it. Most of my hobby projects are available on BitBucket, usually in Python, C# or PHP.
Updated on September 18, 2022Comments
-
Naltharial over 1 year
I am attempting to configure a Cisco 2901 router using IOS 15 to properly perform NAT/PAT translation between LAN and the internet connection. I've configured DHCP pool for the local interface, which works properly (even using an additional switch, wireless access point, ...). Likewise, the WAN interface is configured to obtain its own IP by DHCP from the ISP. I can work on the LAN computers and I can access the internet directly from the router (using, for example, telnet and router's ping commands). The problem is, NAT does not work properly and connection from the LAN interface (GigabitEthernet0/1) does not reach the WAN interface (GigabitEthernet0/0).
I have followed several guides on the matter, but it seems that no matter what I do, NAT just doesn't seem to work. I have tried both the
interface GigabitEthernet0/0 overload
NAT inside source list and the NAT pool source list (being the current ISP-assigned IP) described in the guides.Attached is the complete configuration, hoping someone finds the problem I have missed.
Current configuration : 2007 bytes ! ! Last configuration change at 19:59:30 UTC Wed Jul 6 2011 ! version 15.0 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname odin ! boot-start-marker boot-end-marker ! enable secret 5 enablesecret enable password enablepassword ! no aaa new-model ! ! ! ! no ipv6 cef ip source-route no ip routing no ip cef ! ! ip dhcp excluded-address 10.1.1.1 10.1.1.10 ! ip dhcp pool lan import all network 10.1.1.0 255.255.255.0 default-router 10.1.1.1 dns-server 8.8.8.8 ! ! ! multilink bundle-name authenticated ! ! ! ! ! ! ! voice-card 0 ! ! ! ! ! ! license udi pid licensepid sn licensesn ! ! ! redundancy ! ! ! ! ! ! ! ! ! interface GigabitEthernet0/0 ip address dhcp ip nat outside ip virtual-reassembly no ip route-cache duplex auto speed auto no cdp enable no mop enabled ! ! interface ISM0/0 no ip address no ip route-cache shutdown service-module fail-open no cdp enable ! hold-queue 60 out ! interface ISM0/1 no ip address no ip route-cache shutdown no cdp enable ! ! interface GigabitEthernet0/1 ip address 10.1.1.1 255.255.255.0 ip nat inside ip virtual-reassembly no ip route-cache duplex auto speed auto no cdp enable ! ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip nat inside source list 1 interface GigabitEthernet0/0 overload ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 ! access-list 1 permit 10.1.1.0 0.0.0.255 ! ! ! ! ! snmp-server community snmp_lan RO ! control-plane ! ! ! ! ! ! ! ! ! gatekeeper shutdown ! ! line con 0 exec-timeout 0 0 line aux 0 line 67 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 flowcontrol software line vty 0 4 password password login ! scheduler allocate 20000 1000 no process cpu extended no process cpu autoprofile hog end
UPDATE 1:
Tried specifying outbound rules by adding
interface GigabitEthernet0/0 ip access-group lan_out out ! ip access-list extended la_out permit ip any any
but to no avail.
After that, also tried utilizing nat pools and route maps, resulting in
ip nat pool lan_np 1.2.3.135 1.2.3.135 prefix-length 24 ip nat inside source route-map natmap pool lan_np overload ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 permanent ! ip access-list extended lan_out permit ip any any ! access-list 101 permit ip 10.1.1.0 0.0.0.255 any ! ! ! ! route-map natmap permit 10 match ip address lan_out
Both with and without any combination of
ip route 0.0.0.0 0.0.0.0
and eitherinterface GigabitEthernet0/0
or the ISP default gateway IP. Results in ansh ip nat st
ofoffblast_odin#sh ip nat st Total active translations: 0 (0 static, 0 dynamic; 0 extended) Peak translations: 0, occurred 02:58:27 ago Outside interfaces: GigabitEthernet0/0 Inside interfaces: GigabitEthernet0/1 Hits: 0 Misses: 0 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source [Id: 2] route-map natmap pool offblast_lan_np refcount 0 pool offblast_lan_np: netmask 255.255.255.0 start 1.2.3.135 end 1.2.3.135 type generic, total addresses 1, allocated 0 (0%), misses 0 Appl doors: 0 Normal doors: 0 Queued Packets: 0
Sadly, nothing so far worked. Full final configuration.
-
Naltharial almost 13 yearsFigures, I used the wrong site. Oh well. :/
-
SiXoS almost 13 yearsFrom what are you testing this? Host on lan with this router as its default route?
-
Naltharial almost 13 yearsYes, the PC is connected to GigabitEthernet0/1 with IPv4 Address. . . . . . . . . . . : 10.1.1.12 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.1.1.1, with all other interfaces (on the PC) disabled.
-
SiXoS almost 13 yearsThere seem to be a typo in the access-list, "la_out", was this only when you pasted or did you actually enter it incorrectly on the router?
-
SiXoS almost 13 yearsAlso, can you try pinging from the internal address of the router directly? 'ping ip 8.8.8.8 source 10.1.1.1'
-
-
Naltharial almost 13 yearstran is completely empty, stat has everything at 0, NAT doesn't even activate. I will try the outbound rule suggestion, thank you.
-
Naltharial almost 13 yearsI've updated the OP with the attempts, but the router still refuses to even acknowledge the existence of NAT. :/
-
Naltharial almost 13 yearsIt appears that routing was actually what was wrong. I was playing with rip a bit and it seems one of them activated the routing to proceed as normal. Thanks! :D