Failed to replace Static NAT with PAT on Cisco router

iwrite Registered Users Posts: 2
I tried to do NAT on Cisco routers and successfully set up static NAT, as in configuration section (1) below.
But an issue comes up when I try to configure PAT by simply replacing the static NAT command with the PAT command and the related access-list command, as shown in configuration section (2): nothing shows up with the command "sh ip nat translations".

I'm wondering if there is anything else that needs to be set up besides the PAT and access-list commands?

1) Router configuration of Static NAT, can ping and telnet from inside hosts to outside hosts:

!Inside port configuration
interface Ethernet0/0
ip address 10.1.234.2 255.255.255.0
ip nat inside
!
!Outside port configuration of p-to-p frame-relay
interface Serial0/0
no ip address
encapsulation frame-relay
no arp frame-relay
no frame-relay inverse-arp
!
interface Serial0/0.12 point-to-point
ip address 210.1.12.2 255.255.255.0
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 201
!
!Static NAT configuration
ip nat inside source static 10.1.234.3 210.1.12.3


(The output of "sh ip nat translations" looks good.)

2) All configuration remains unchanged, except for replacing the “ip nat inside source static 10.1.234.3 210.1.12.3” command with the 2 commands below to change it from static NAT to PAT:

!PAT configuration
access-list 1 permit any log
ip nat pool globalnet 210.1.12.3 210.1.12.3 netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload


!Output of the command below is empty:
r2#sh ip nat translations

r2#

Comments

  • _Gonzalo_ Member Posts: 113
    Before doing anything else, you should check if traffic has occurred. If not, no translations have been made, and so the list will be empty.
  • iwrite Registered Users Posts: 2
    _Gonzalo_ wrote: »
    Before doing anything else, you should check if traffic has occurred. If not, no translations have been made, and so the list will be empty.
    Thanks for your reply, and sorry, I think I missed supplying some information. After replacing the static NAT command with the PAT and access-list commands, I can still ping and telnet from inside to outside. Even when the telnet session is still active, the output of "sh ip nat translations" is totally empty. It seems the PAT command doesn't have any effect here.

    The debug information on the outside host (a router, in fact) showed that the telnet packet from the inside host is still arriving with the inside IP address (10.1.234.3) and not the NAT public IP address (210.1.234.3):
    *Aug 1 14:22:51.158: IP: s=10.1.234.3 (Serial0/0.12), d=210.1.12.1 (Serial0/0.12), len 43, rcvd 3
    *Aug 1 14:22:51.162: IP: tableid=0, s=10.1.234.3 (Serial0/0.12), d=210.1.12.1 (Serial0/0.12), routed via RIB


    After replacing the PAT command with the static command again, the sh ip nat translations command works as below:
    #sh ip nat translations
    Pro  Inside global     Inside local      Outside local  Outside global
    icmp 210.1.12.3:2      10.1.234.3:2      210.1.12.1:2   210.1.12.1:2
    tcp  210.1.12.3:64349  10.1.234.3:64349  210.1.12.1:23  210.1.12.1:23
    ---  210.1.12.3        10.1.234.3        ---            ---
    #

    The debug information is also right:
    *Aug 1 14:19:00.678: IP: s=210.1.12.3 (Serial0/0.12), d=210.1.12.1 (Serial0/0.12), len 100, rcvd 3



    I'm wondering what I can do to debug and fix this problem of PAT not taking effect here?
  • _Gonzalo_ Member Posts: 113
    iwrite wrote: »
    I'm wondering what I can do to debug and fix this problem of PAT not taking effect here?

    Sorry for the late reply, you know how summers are...

    As you know, private addresses are not routed through the internet, so if you have such results, something is terribly wrong. I'd say that you are using a simulator, not real hardware. If so, think that it could be the only cause!

    I do not know of a debug for this, but I guess it should be something like debug nat translations or debug ip nat
  • _Gonzalo_ Member Posts: 113
    I forgot to advise you to either reload your router or do a (I believe this is the correct one) clear ip nat translations to make sure that there is no issue there.

    By the way, as far as I'm concerned, your config is correct.
  • DCD Member Posts: 473
    It looks like you are using 3 instead of 2
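
Added example, not part of the original thread and not written by any of the posters: a Python check that scans debug lines in the format iwrite quoted and flags packets seen on the outside interface that still carry an RFC 1918 source address, which is the symptom that translation is not being applied. The function names are hypothetical, and passing Serial0/0.12 as the outside interface is an assumption taken from the posted configuration.

```python
import ipaddress
import re

# RFC 1918 ranges that should never appear as a source past the NAT boundary.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the debug line format quoted in the thread (optional "tableid=N," prefix).
DEBUG_RE = re.compile(
    r"IP:\s+(?:tableid=\d+,\s+)?"
    r"s=(?P<src>\d+\.\d+\.\d+\.\d+)\s+\((?P<in_if>[^)]+)\),\s+"
    r"d=(?P<dst>\d+\.\d+\.\d+\.\d+)")


def is_private(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def find_untranslated(lines, outside_if):
    """Return unique (src, dst) pairs seen on outside_if with a private source."""
    leaks = []
    for line in lines:
        m = DEBUG_RE.search(line)
        if not m or m.group("in_if") != outside_if:
            continue  # not a packet line, or not on the interface of interest
        pair = (m.group("src"), m.group("dst"))
        if is_private(pair[0]) and pair not in leaks:
            leaks.append(pair)
    return leaks


# Debug lines copied from the thread: the first two were captured during the
# PAT attempt, the last one while static NAT was configured.
SAMPLE = [
    "*Aug 1 14:22:51.158: IP: s=10.1.234.3 (Serial0/0.12), d=210.1.12.1 (Serial0/0.12), len 43, rcvd 3",
    "*Aug 1 14:22:51.162: IP: tableid=0, s=10.1.234.3 (Serial0/0.12), d=210.1.12.1 (Serial0/0.12), routed via RIB",
    "*Aug 1 14:19:00.678: IP: s=210.1.12.3 (Serial0/0.12), d=210.1.12.1 (Serial0/0.12), len 100, rcvd 3",
]

if __name__ == "__main__":
    for src, dst in find_untranslated(SAMPLE, "Serial0/0.12"):
        print(f"untranslated private source {src} -> {dst} on outside interface")
```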