NAT problem

We believe we have a NAT issue we need help with. In the configuration FastEthernet0/0 is on the internal network while Dialer0 uses BRI ports (not shown) to connect to an external WAN.

All internal (192.168.0.0) hosts can access the X.Y.211.0 network as they are NATted.

However we also require that the router be able to access the X.Y.211.0 network so that we can use IP SLA object tracking to detect when the network is unavailable and fail over to a backup WAN. Unfortunately we can't ping anything in the X.Y.211.0 network from the router and we assume it is because only traffic coming into the FastEthernet0/0 interface is being NATted, but not traffic generated from within the router.

So how can we NAT all traffic going out the Dialer0 interface, not just traffic coming from the FastEthernet0/0 interface?

interface FastEthernet0/0
 description *** INTERNAL LAN ***
 ip address 192.168.0.100 255.255.255.0
 ip nat inside

interface Dialer0
 description *** ISDN TO WAN ***
 ip address X.Y.121.198 255.255.255.252
 ip nat outside
 encapsulation ppp

ip route X.Y.211.0 255.255.255.0 Dialer0
ip route 0.0.0.0 0.0.0.0 192.168.0.67

ip nat inside source list IPWAN_NATLIST interface Dialer0 overload
ip access-list extended IPWAN_NATLIST
 permit ip any X.Y.211.0 0.0.0.255

Any help would be much appreciated.

Reply to
Rudi

See if you can specify a source interface or address for the SLA traffic. If so specify the inside interface. This will get natted. I would be surprised if you can't.

You can with a ping, tftp ... for example. ip tftp source-interface

router#ping 14.12.24.2 sou Dot11Radio0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.12.24.2, timeout is 2 seconds:
Packet sent with a source address of 10.88.37.129
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/72/76 ms

router#sh ip nat tr
Pro  Inside global    Inside local     Outside local    Outside global
icmp 92.10.38.48:0    10.88.37.129:0   14.12.24.2:0     14.12.24.2:0
Reply to
bod43
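
The suggestion above, written out as an added example (not configuration from any poster in this thread): an IP SLA probe sourced from the inside interface, tied to a track object and a tracked route. The operation and track number 1 and the probe target X.Y.211.T are assumptions; the interface names, addresses and ACL name come from the posted configuration.

```cisco
! Added example. "1" and the probe target X.Y.211.T are placeholders.
!
! Probe a host on the far network, sourced from the inside interface so the
! packet carries 192.168.0.100 and is matched by IPWAN_NATLIST.
ip sla 1
 icmp-echo X.Y.211.T source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! The track object follows the probe result.
track 1 ip sla 1 reachability
!
! Pin the probe target to Dialer0 with an untracked host route, so the probe
! keeps testing the ISDN path after the tracked route below is withdrawn.
ip route X.Y.211.T 255.255.255.255 Dialer0
!
! The route to the WAN network is installed only while the probe succeeds.
! Once it is withdrawn, X.Y.211.0 traffic falls through to the remaining
! routes (in the posted config, the default via 192.168.0.67).
no ip route X.Y.211.0 255.255.255.0 Dialer0
ip route X.Y.211.0 255.255.255.0 Dialer0 track 1
```

Older IOS releases spell these commands differently (`ip sla monitor 1` with `type echo protocol ipIcmpEcho ...`, and `track 1 rtr 1 reachability`), so check the syntax on the release in use.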

I can't ping the destination regardless of the source address I use. Even if I use the Dialer0 interface as the source address/interface it fails, despite the fact that all internal traffic is being NATted with the address of this interface. This makes me think it may not actually be a NAT issue?

Any suggestions?

Reply to
Rudi

When you ping from the router, the source address of the packets is the interface the packet uses to get to the destination by default, so show ip route X.Y.211.0 ought to tell you.

Also all local traffic is considered to be inside as far as NAT is concerned so it may be natted as well.

You have:

so the ping from the router might also be natted. Try changing your ACL to:

Reply to
Martin Gallagher

Martin, That one is new to me. Usually of course you would never notice. I did check - well it's just my way and it is indeed true it seems:)

Amazing. Do you happen to have a pointer to any documentation regarding this?

Rudi,

Sorry I did not really think this through and jumped on your NAT diagnosis.

So the real issue seems to be that you have *no* communications over the ISDN to X.Y.211.0.

Do the intermediate routers have routes? Do the target and intermediate routers have *return* routes?

Does the ISDN come up? sh isdn stat L3 should be multi-something established

PPP? ?

Check that the packets are going out the dialer with deb ip packet

I see that you do not seem to have a dialer-group statement. But maybe you have just left it out of the post?

Reply to
bod43

It's mentioned in the Usage Guidelines for the ip nat inside... command:

"Packets that enter the router through the inside interface and packets sourced from the router are checked against the access list for possible NAT candidates."


Reply to
Martin Gallagher

Oh dear! I did a bit of a search but of course the obvious did not occur to me.

Thanks.

Reply to
bod43
