[c-nsp] problems with NAT

Roger Wiklund copse at xy.org
Mon Aug 23 08:34:54 EDT 2010


Strange, I would start by simplifying the NAT to a very basic level.
Skip the pool and just overload directly to fa0/0.

Something like:

ip nat inside source list 10 interface fa0/0 overload

access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255

If that works, try adding your real config.

Or, you could try with this scenario: On c7200-is-mz.122-3.bin, NAT
works on everything except for SIP traffic (udp 5060) from the
multilink1.

And then disable the SIP-aware NAT with "no ip nat service sip udp
port 5060". In theory you will need this enabled. But we actually
always disable it when we do SIP NAT, otherwise it won't work with our
PBX.


Regards, Roger

On Sun, Aug 22, 2010 at 9:03 PM, Lee Starnes <lee.t.starnes at gmail.com> wrote:
> Hi,
>
> We are seeing a problem with NAT on a Cisco 7206VXR that has us completely
> stumped. The setup is working using a 1721, but when replacing that with the
> 7206 it does not seem to work.
>
> Current setup:
>
> Internet connection comes into a 2950 switch. It is handed to
> several devices on vlan 10 including the 1721 as a trunked vlan on its
> fa0.1. The 1721 also has fa0.2 on vlan 20 which is the private network.
> There are 2 T1s connected to this router on s0 and s1 in a multilink bundle
> (multilink1). Interfaces multilink1 and fa0.2 are configured as ip nat
> inside. fa0.1 is configured as ip nat outside. Static nat mappings to
> devices on the private ethernet and to the T1 network work great.
>
> Now, we replaced that 1721 with a 7206VXR and the NAT does not work
> correctly and the behavior is different depending upon what IOS version we
> load. The difference in network configuration now is that instead of using a
> trunk of vlans, there are individual fast ethernet ports. So fa0.1 and fa0.2
> get replaced with fa0/0 and fa0/1.
>
> Here is the issue. On c7200-is-mz.123-25.bin, NAT only works on devices on
> the private ethernet. On c7200-is-mz.122-3.bin, NAT works on everything
> except for SIP traffic (udp 5060) from the multilink1. On
> c7200-advipservicesk9-mz.124-2.T5.bin, NAT does not seem to work on any
> traffic on the multilink and only
> partially works on private ethernet traffic. Seems to not want to NAT some
> traffic and leaves it as sourced from the private IP.
>
> I have included the interface and NAT portions of the config below. There
> are more NAT mappings than shown, but just included the first two. Does
> anyone know why this would work on the 1721 and not the 7206?
>
> interface Multilink1
>  description T1s to office
>  ip address 172.20.1.1 255.255.255.252
>  ip nat inside
>  load-interval 30
>  ppp multilink
>  ppp multilink fragment disable
>  ppp multilink links maximum 2
>  ppp multilink links minimum 1
>  ppp multilink group 1
>  service-policy output adtran-VoIP-policy
> !
> interface FastEthernet0/0
>  description Public internet at colo
>  ip address y.y.y.17 255.255.255.240
>  ip nat outside
> !
> interface FastEthernet0/1
>  description Private network at colo
>  ip address 10.10.100.254 255.255.255.0
>  ip nat inside
> !
>
>
> ip nat translation max-entries 10000
> ip nat pool pool1 y.y.y.18 y.y.y.18 netmask 255.255.255.240
> ip nat inside source list 10 pool pool1 overload
>
>
> ip nat inside source static 172.20.1.2 y.y.y.19
> ip nat inside source static 10.10.100.21 y.y.y.21
> ip nat inside source static tcp 10.2.2.3 443 y.y.y.51 443 extendable
> ip nat inside source static tcp 10.2.2.3 80 y.y.y.51 80 extendable
> !
> access-list 10 permit 10.0.0.0 0.255.255.255
> access-list 10 permit 172.20.1.0 0.0.0.255
>
>
> Thanks,
>
> -Lee
>
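
When simplifying to the overload-only test suggested above, it helps to confirm which inside sources list 10 actually selects for translation. The following is an added example, not part of the original thread: it evaluates IOS standard-ACL wildcard matching (first match wins, implicit deny) against the ACL as posted. The function names and the address 172.20.2.2 are assumptions made for the illustration.

```python
import ipaddress

# ACL 10 as posted in the thread (standard ACL: action + source + wildcard).
ACL_10 = """\
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255
"""

def parse_standard_acl(text, number):
    """Return [(action, base_int, wildcard_int), ...] for one numbered standard ACL."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        action, src = tok[2], tok[3]
        if src == "any":
            base, wild = 0, 0xFFFFFFFF
        elif src == "host":
            base, wild = int(ipaddress.IPv4Address(tok[4])), 0
        else:
            base = int(ipaddress.IPv4Address(src))
            # A bare address with no wildcard is an exact host match.
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        entries.append((action, base, wild))
    return entries

def acl_action(entries, source):
    """First match wins; wildcard bits set to 1 are ignored; implicit deny at the end."""
    addr = int(ipaddress.IPv4Address(source))
    for action, base, wild in entries:
        care = ~wild & 0xFFFFFFFF
        if addr & care == base & care:
            return action
    return "deny"

def nat_eligible(sources, acl_text=ACL_10, number=10):
    """Map each source address to True if the ACL permits it (selected for overload)."""
    entries = parse_standard_acl(acl_text, number)
    return {s: acl_action(entries, s) == "permit" for s in sources}

if __name__ == "__main__":
    # Inside addresses taken from the posted config, plus one constructed non-match.
    sample = ["172.20.1.2", "10.10.100.21", "10.2.2.3", "172.20.2.2"]
    for src, ok in nat_eligible(sample).items():
        print(f"{src:15} {'permitted by list 10' if ok else 'denied by list 10'}")
```
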


