In this blog post, we are going to walk through Cisco’s recommended troubleshooting steps for the case where there is no NAT translation entry in the NAT table for an existing NAT configuration. We will elaborate on each of these recommended steps and pair it with the most efficient verification commands, run against actual scenario equipment. I have enhanced the Cisco steps a bit to be more comprehensive for all troubleshooting scenarios.
In our simple scenario, we have the HOSTA system participating in the 10.x internal network space. It is to be translated to an overloaded inside global address in the 200.x space on the NATROUTER. We have attempted to ping through the NATROUTER to a WEBSERVER system in the outside network, and we have no translation in the NAT table, as you can see:
    NATROUTER#show ip nat translations
    NATROUTER#
The first troubleshooting step recommended by Cisco is:
- Ensure there is no ACL blocking the inbound traffic to the NAT device
This is certainly great advice: if the packets are not making it through the NAT device, they have no chance to be translated. An efficient way to confirm that no inbound ACL is applied in this case is the show ip interface fastethernet 0/0 command:
    NATROUTER#show ip interface fastethernet 0/0
    FastEthernet0/0 is up, line protocol is up
      Internet address is 10.0.0.100/24
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is not set
      ...
Notice in the last lines of this partial show output, we can clearly see there is no inbound list set.
To strengthen our evidence that we can communicate from the inside to the NATROUTER properly, let’s ping through the device from HOSTA to the inside global address that is on Fa0/1.
    HOSTA#ping 200.0.0.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 200.0.0.100, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/18/36 ms
Well, it would certainly appear our inside packets are not being blocked in any way on the NATROUTER.
Now, for the second recommended troubleshooting step from Cisco:
- Ensure the source addresses for translation are being properly defined (ACLs) and the NAT instructions are correct.
This is obviously critical. To fulfill this verification, we run show access-lists and show run | include nat:
    NATROUTER#show access-lists
    Standard IP access list AL_NATSOURCE
        10 permit 10.0.0.0, wildcard bits 0.255.255.255
    NATROUTER#show run | include nat
    ip nat inside source list AL_NATSOURCE interface FastEthernet0/1 overload
    NATROUTER#
Here we can see that our access list is constructed properly and referenced properly in the NAT instructions. The NAT instructions also seem correct.
The next step when troubleshooting no NAT entry in the table is:
- Ensure there are enough available addresses in the NAT pool
In our NAT instructions here, we are using Port Address Translation (PAT) with the external interface IP for the overloading. As a result of this configuration, we have plenty of available addresses in the pool. The issue here must be caught by our fourth and final step of troubleshooting:
- Ensure the INSIDE and OUTSIDE interfaces for the NAT are defined correctly.
We actually can and should catch this problem with our earlier command:
    NATROUTER#show run | include nat
    ip nat inside source list AL_NATSOURCE interface FastEthernet0/1 overload
    NATROUTER#
Notice from the output of this command, we are missing our NAT INSIDE and NAT OUTSIDE designations. Let’s take care of those now:
    NATROUTER(config)#interface fastEthernet 0/0
    NATROUTER(config-if)#ip nat inside
    NATROUTER(config-if)#interface fastEthernet 0/1
    NATROUTER(config-if)#ip nat outside
Excellent, be sure to save this new configuration, and then ping through from HOSTA. Finally, check the all-important NAT translation table:
    NATROUTER#show ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 200.0.0.100:1      10.0.0.1:1         200.0.0.1:1        200.0.0.1:1
    NATROUTER#
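The four checks above can also be run offline against a saved running-config. The following Python sketch is an added example, not part of the original post or any Cisco tooling: the function name audit_nat and the sample configuration are constructed for illustration (the /24 mask on Fa0/1 is an assumption), and it only handles the interface-overload form of NAT used in this scenario, with interface names written as they appear in the running-config.

```python
import re
# Constructed sample running-config modelled on the post's NATROUTER;
# the /24 mask on Fa0/1 is an assumption.
TEMPLATE = """\
interface FastEthernet0/0
 ip address 10.0.0.100 255.255.255.0
{inside}!
interface FastEthernet0/1
 ip address 200.0.0.100 255.255.255.0
{outside}!
ip nat inside source list AL_NATSOURCE interface FastEthernet0/1 overload
!
ip access-list standard AL_NATSOURCE
 permit 10.0.0.0 0.255.255.255
"""
BROKEN = TEMPLATE.format(inside="", outside="")
FIXED = TEMPLATE.format(inside=" ip nat inside\n", outside=" ip nat outside\n")

def audit_nat(config):
    """Return a list of findings for the interface-overload NAT form used in the post."""
    findings = []
    acls = set(re.findall(r"^ip access-list \w+ (\S+)", config, re.M))
    acls |= set(re.findall(r"^access-list (\d+) ", config, re.M))
    roles, current = {}, None            # interface -> {'inside', 'outside'}
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            roles[current] = set()
        elif not line.startswith(" "):
            current = None               # left the interface block
        elif current and (m := re.match(r"\s+ip nat (inside|outside)\s*$", line)):
            roles[current].add(m.group(1))
        elif current and (m := re.match(r"\s+ip access-group (\S+) in\b", line)):
            findings.append(f"{current}: inbound ACL {m.group(1)} must permit the NAT sources")
    rules = re.findall(r"^ip nat inside source list (\S+) interface (\S+)", config, re.M)
    if not rules:
        findings.append("no 'ip nat inside source list ... interface' statement")
    for acl, egress in rules:
        if acl not in acls:
            findings.append(f"NAT source ACL {acl} is not defined")
        if "outside" not in roles.get(egress, set()):
            findings.append(f"{egress} is not marked 'ip nat outside'")
    if not any("inside" in r for r in roles.values()):
        findings.append("no interface is marked 'ip nat inside'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit_nat(cfg) or "OK")
```

Run against the BROKEN sample, it reports the same two missing designations that show run | include nat revealed above; the FIXED sample returns no findings.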
We will be back with more Cisco recommended troubleshooting methodologies. Until then, happy studies, and may all your pings be successful.
Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv








Thanks Anthony.. it's nice and helpful.