So here is a simple scenario where all you need to do is set up NAT (Network Address Translation) – very simple indeed. Sometimes, however, the simplest networking setup can still give us a headache. And usually the cause will be something extremely simple … so simple that it wouldn't even cross your mind.

See below the network diagram I’ll be working on.


The Host is actually a Cisco router on which I have disabled IP routing and set it up with a default gateway of using the ip default-gateway command. The router acting as the gateway for the network is a Cisco 1700 series router running IOS v12.4(23).

You can see below my configuration (I have left only the relevant commands):

interface Ethernet0
 ip address
 ip nat enable
interface FastEthernet0
 ip address
 ip nat enable
ip route
ip nat source list 10 interface Ethernet0 overload
access-list 10 remark ****** NAT ACL ******
access-list 10 permit log

Ok … so this should work – to confirm, I’ve also enabled NAT debugging on the NAT router:


There is also no debug output on the router’s console!

So what is wrong? Can you spot it?


According to Cisco’s documentation:

Q. Does Cisco IOS NAT support ACLs with a “log” keyword?
A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support ACLs with “log” keyword.

That’s right – if you remove the “log” keyword, NAT suddenly starts working – see snippet below:


However, the log keyword can be very useful indeed when troubleshooting. What I found is that the statement above is true, depending on the platform and IOS version in use.

Despite the lab above running on GNS3, I have recently seen this behaviour in a live environment, on Cisco 3900 series routers.

Next time you find yourself setting up NAT and you are confident the configuration is right but it still does not work, include in your troubleshooting the step of checking whether the log keyword is being used in the NAT ACL. If it is, remove it!
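The check described above can be run over a saved configuration before you start debugging. The script below is an added example, not part of the original post: the sample config and its addresses are constructed, the function name is hypothetical, and it goes slightly beyond the post by also covering named ACLs and the ip nat inside/outside source forms.

```python
import re

# Constructed sample config; addresses are documentation/private ranges,
# not the values from the post's lab (those are not shown on the page).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip nat enable
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat enable
ip nat source list 10 interface Ethernet0 overload
ip nat inside source list NAT-EXT interface Ethernet0 overload
access-list 10 remark ****** NAT ACL ******
access-list 10 permit 10.0.0.0 0.0.0.255 log
access-list 20 permit 10.0.0.0 0.0.0.255 log
ip access-list extended NAT-EXT
 permit ip 10.0.0.0 0.0.0.255 any log
 deny ip any any
"""

NAT_LIST = re.compile(r"^ip nat (?:inside |outside )?source list (\S+)")
NUMBERED = re.compile(r"^access-list (\d+) (.+)$")
NAMED = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")

def nat_acl_log_entries(config):
    """Return (acl, entry) pairs where an ACL referenced by NAT uses 'log'."""
    nat_acls, entries, current = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_LIST.match(line):
            nat_acls.add(m.group(1))             # ACL that NAT depends on
        if m := NUMBERED.match(line):
            entries.append((m.group(1), m.group(2)))
        if m := NAMED.match(line):
            current = m.group(1)                 # entering a named ACL block
        elif raw[:1].isspace() and current:
            entries.append((current, line))      # indented entry of that ACL
        else:
            current = None                       # other top-level line ends it
    # Keep only entries of NAT ACLs that carry the log keyword as a token;
    # remark lines are skipped so a comment containing "log" is not flagged.
    return [(acl, body) for acl, body in entries
            if acl in nat_acls
            and not body.startswith("remark")
            and "log" in body.split()]

if __name__ == "__main__":
    for acl, body in nat_acl_log_entries(SAMPLE_CONFIG):
        print(f"ACL {acl} is used by NAT and logs: {body}")
```

ACL 20 in the sample also uses log but is not referenced by any NAT statement, so it is not reported.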

Thank you,
View Rafael A Couto Cabral's profile on LinkedIn
