Skip to main content

Configure Cisco router overload NAT (IOS 15)



I am attempting to configure a Cisco 2901 router using IOS 15 to properly perform NAT/PAT translation between LAN and the internet connection. I've configured DHCP pool for the local interface, which works properly (even using an additional switch, wireless access point, ...). Likewise, the WAN interface is configured to obtain its own IP by DHCP from the ISP. I can work on the LAN computers and I can access the internet directly from the router (using, for example, telnet and router's ping commands).
The problem is, NAT does not work properly and connection from the LAN interface (GigabitEthernet0/1) does not reach the WAN interface (GigabitEthernet0/0).



I have followed several guides on the matter, but it seems that no matter what I do, NAT just doesn't seem to work. I have tried both the interface GigabitEthernet0/0 overload NAT inside source list and the NAT pool source list (being the current ISP-assigned IP) described in the guides.



Attached is the complete configuration, hoping someone finds the problem I have missed.




Current configuration : 2007 bytes
!
! Last configuration change at 19:59:30 UTC Wed Jul 6 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname odin

!
boot-start-marker
boot-end-marker
!
enable secret 5 enablesecret
enable password enablepassword
!
no aaa new-model
!
!

!
!
no ipv6 cef
ip source-route
no ip routing
no ip cef
!
!
ip dhcp excluded-address 10.1.1.1 10.1.1.10
!

ip dhcp pool lan
   import all
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   dns-server 8.8.8.8
!
!
!
multilink bundle-name authenticated
!

!
!
!
!
!
!
voice-card 0
!
!
!

!
!
!
license udi pid licensepid sn licensesn
!
!
!
redundancy
!
!

!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside

 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 !
!
interface ISM0/0
 no ip address

 no ip route-cache
 shutdown
 service-module fail-open
 no cdp enable
 !
 hold-queue 60 out
!
interface ISM0/1
 no ip address
 no ip route-cache

 shutdown
 no cdp enable
 !
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 duplex auto

 speed auto
 no cdp enable
 !
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
!
!
!
!
snmp-server community snmp_lan RO
!

control-plane
 !
!
!
!
!
!
!
!
!

gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
line aux 0
line 67
 no activation-character
 no exec

 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 flowcontrol software
line vty 0 4
 password password
 login
!
scheduler allocate 20000 1000

no process cpu extended
no process cpu autoprofile hog
end




UPDATE 1:



Tried specifying outbound rules by adding




interface GigabitEthernet0/0
 ip access-group lan_out out
!
ip access-list extended la_out
 permit ip any any


but to no avail.




After that, also tried utilizing nat pools and route maps, resulting in



ip nat pool lan_np 1.2.3.135 1.2.3.135 prefix-length 24
ip nat inside source route-map natmap pool lan_np overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 permanent
!
ip access-list extended lan_out
 permit ip any any
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 any

!
!
!
!
route-map natmap permit 10
 match ip address lan_out


Both with and without any combination of ip route 0.0.0.0 0.0.0.0 and either interface GigabitEthernet0/0 or the ISP default gateway IP. Results in an sh ip nat st of




offblast_odin#sh ip nat st
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0, occurred 02:58:27 ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0

Dynamic mappings:
-- Inside Source
[Id: 2] route-map natmap pool offblast_lan_np refcount 0
 pool offblast_lan_np: netmask 255.255.255.0
        start 1.2.3.135 end 1.2.3.135
        type generic, total addresses 1, allocated 0 (0%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0



Sadly, nothing so far worked.
Full final configuration.


Answer



Can you show output of 'sh ip nat stat' and 'sh ip nat tran'?



I think the config looks correct, did you try applying an ACL on the outside interface to specifically allow the traffic?




interface GigabitEthernet0/0

 ip access-group OUTBOUND out
!
ip access-list extended OUTBOUND
 permit ip any any



here's a working example from a 1800 series:




interface FastEthernet0

 description $FW_OUTSIDE$
 bandwidth 34000
 ip address 1.2.3.141 255.255.255.240
 ip access-group OUTBOUND out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly

 load-interval 60
 duplex auto
 speed auto
!
interface FastEthernet1
 description $FW_INSIDE$
 bandwidth 34000
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables

 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 load-interval 60
 duplex auto
 speed auto
!
ip nat pool GLOBAL_IP_POOL 1.2.3.139 1.2.3.141 prefix-length 24
ip nat inside source route-map natmap pool GLOBAL_IP_POOL overload
!

ip access-list extended natrules
 deny   ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 any
!
route-map natmap permit 10
 match ip address natrules


Hope this helps.





Edited:



I cannot spot anything weird with your config. Since you seem not to have any hits in translation tables at all, there must be a problem either on the connectivity or configuration on the client, or simply an access-list that denies the traffic.



Can you:



1) ping from the router, make sure you do it from the correct interface by entering:




ping 8.8.8.8 source 10.1.1.1





2) show access-lists




show access-lists




I set up three routers in a lab and configured rip + nat, and it works just as it is.
The router in question and the remote router that specifically denies the internal network of 'the router in question'.



Comments

Post a Comment

Popular posts from this blog

linux - iDRAC6 Virtual Media native library cannot be loaded

When attempting to mount Virtual Media on a iDRAC6 IP KVM session I get the following error: I'm using Ubuntu 9.04 and: $ javaws -version Java(TM) Web Start 1.6.0_16 $ uname -a Linux aud22419-linux 2.6.28-15-generic #51-Ubuntu SMP Mon Aug 31 13:39:06 UTC 2009 x86_64 GNU/Linux $ firefox -version Mozilla Firefox 3.0.14, Copyright (c) 1998 - 2009 mozilla.org On Windows + IE it (unsurprisingly) works. I've just gotten off the phone with the Dell tech support and I was told it is known to work on Linux + Firefox, albeit Ubuntu is not supported (by Dell, that is). Has anyone out there managed to mount virtual media in the same scenario?
Post a Comment
Read more

ubuntu - Monitoring CPU, Mem, disk, on a single server

I've been looking for a simple starter solution for monitoring my [currently] single server hosted solution. Other than Nagios and similar, are there other good (simple) solutions people are using? Answer Everything depends on what you want. For example Munin is very simple, you can install and configure it in less then 10 minutes (on one server), it can sends alarms, make graphs from monitoring cpu, mem. apache connections, eaccellerator, disk io and many many more (it has many plugins). But if you are planning in future get some more machines, munin may not be enough. For example in munin you cant monitor state of individual processes, can't monitor changes in files (for security purpose). So if you wanna only see what is the utilization of basics parameters on your server and don't plan to buy some more servers Munin is what you are looking for, but if you wanna be alarmed when some of your service is down, take more control on what is happeninig on...
Post a Comment
Read more

hp proliant - Smart Array P822 with HBA Mode?

We get an HP DL360 G8 with an Smart Array P822 controller. On that controller will come a HP StorageWorks D2700 . Does anybody know, that it is possible to run the Smart Array P822 in HBA mode? I found only information about the P410i, who can run HBA. If this is not supported, what you think about the LSI 9207-8e controller? Will this fit good in that setup? The Hardware we get is used but all original from HP. The StorageWorks has 25 x 900 GB SAS 10K disks. Because the disks are not new I would like to use only 22 for raid6, and the rest for spare (I need to see if the disk count is optimal or not for zfs). It would be nice if I'm not stick to SAS in future. As OS I would like to install debian stretch with zfs 0.71 as file system and software raid. I have see that hp has an page for debian to. I would like to use hba mode because it is recommend, that zfs know at most as possible about the disk, and I'm independent from the raid controller. For us zfs have many benefits, ...
Post a Comment
Read more