So here is a simple scenario where all you need to do is set up NAT (Network Address Translation), very simple indeed. Sometimes, however, even the simplest networking setup can still give us a headache, and usually the cause will be something extremely simple … so simple that it would not even cross your mind.

See below the network diagram I’ll be working on.

[Figure: nat-lab-v2 – network diagram]

The Host is actually a Cisco router on which I have disabled IP routing and set a default gateway of 192.168.1.254 using the ip default-gateway command. The router acting as the gateway for the network is a Cisco 1700 series router running IOS v12.4(23).

You can see below my configuration (I have left only the relevant commands):

interface Ethernet0
ip address 89.89.89.89 255.255.255.254
ip nat enable
!
interface FastEthernet0
ip address 192.168.1.254 255.255.255.0
ip nat enable
!
ip route 0.0.0.0 0.0.0.0 89.89.89.88
!
ip nat source list 10 interface Ethernet0 overload
!
access-list 10 remark ****** NAT ACL ******
access-list 10 permit 192.168.0.0 0.0.255.255 log

Ok … so this should work. To confirm, I have also enabled NAT debugging on the NAT router:

[Figure: nat-host]

There is also no debug output on the router’s console!

So what is wrong? Can you spot it?

Solution

According to Cisco’s documentation:

Q. Does Cisco IOS NAT support ACLs with a “log” keyword?
A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support ACLs with “log” keyword.

That’s right – if you remove the “log” keyword, NAT suddenly starts working – see snippet below:

[Figure: nat-lab-config]

However, the log keyword can be very useful when troubleshooting. What I found is that the statement above holds depending on the platform and IOS version in use.

Although the lab above runs on GNS3, I have recently seen this behaviour in a live environment, on Cisco 3900 series routers.

Advice
Next time you find yourself setting up NAT, as part of your troubleshooting, in those moments when you are confident the configuration is correct, include the step of checking whether the log keyword is being used on the NAT ACL. If it is, remove it!
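As an added example (not code from the original post), the check above can be automated against a saved running-config. The script below parses a constructed IOS-style config modelled on the lab, finds every ACL that is referenced by an ip nat ... source list statement, flags the entries of those ACLs that carry the log (or log-input) keyword, and produces a remediated copy with the keyword removed only from the offending entries. ACL 20 and the named ACL NAT_ACL are assumptions added to show that unrelated ACLs are left alone and that named ACLs are handled too.

```python
import re

# Constructed sample running-config, modelled on the lab config in this post.
# ACL 20 and the named ACL NAT_ACL are added here as assumptions for the demo.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 89.89.89.89 255.255.255.254
 ip nat enable
!
interface FastEthernet0
 ip address 192.168.1.254 255.255.255.0
 ip nat enable
!
ip route 0.0.0.0 0.0.0.0 89.89.89.88
!
ip nat source list 10 interface Ethernet0 overload
ip nat inside source list NAT_ACL interface Ethernet0 overload
!
access-list 10 remark ****** NAT ACL ******
access-list 10 permit 192.168.0.0 0.0.255.255 log
access-list 20 permit 10.0.0.0 0.255.255.255 log
!
ip access-list extended NAT_ACL
 permit ip 172.16.0.0 0.0.255.255 any log
 deny   ip any any
"""

# "ip nat source list <acl>" (NVI) and "ip nat inside|outside source list <acl>"
NAT_LIST_RE = re.compile(r"^ip nat (?:inside |outside )?source list (\S+)")
# Numbered ACL entries: "access-list <id> <entry>"
NUMBERED_ACE_RE = re.compile(r"^access-list (\S+) (.*)$")
# Named ACL header: "ip access-list standard|extended <name>"
NAMED_ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
LOG_KEYWORDS = ("log", "log-input")


def nat_acls(config):
    """Return the set of ACL names/numbers referenced by NAT translation rules."""
    found = set()
    for line in config.splitlines():
        m = NAT_LIST_RE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found


def has_log_keyword(ace):
    """True if a permit/deny entry carries 'log' or 'log-input' (remarks are ignored)."""
    tokens = ace.split()
    if not tokens or tokens[0] == "remark":
        return False
    return any(t in LOG_KEYWORDS for t in tokens)


def find_logged_nat_aces(config):
    """Return (acl, raw_line) pairs for NAT-referenced ACL entries that use 'log'."""
    targets = nat_acls(config)
    hits = []
    current_named = None  # name of the named ACL whose indented block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        m = NAMED_ACL_RE.match(line)
        if m:
            current_named = m.group(1)
            continue
        if not raw.startswith(" "):  # any other top-level line ends the named block
            current_named = None
        m = NUMBERED_ACE_RE.match(line)
        if m:
            acl, ace = m.group(1), m.group(2)
        elif current_named and line.split()[:1] in (["permit"], ["deny"]):
            acl, ace = current_named, line
        else:
            continue
        if acl in targets and has_log_keyword(ace):
            hits.append((acl, raw))
    return hits


def strip_log_keyword(config):
    """Return the config with 'log'/'log-input' removed from the offending entries only."""
    offending = {raw for _, raw in find_logged_nat_aces(config)}
    out = []
    for raw in config.splitlines():
        if raw in offending:
            indent = raw[: len(raw) - len(raw.lstrip())]
            tokens = [t for t in raw.split() if t not in LOG_KEYWORDS]
            out.append(indent + " ".join(tokens))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for acl, ace in find_logged_nat_aces(SAMPLE_CONFIG):
        print(f"ACL {acl} is used by NAT and carries 'log': {ace.strip()}")
```

Run against a real device, feed it the output of show running-config instead of SAMPLE_CONFIG; the remediated text is for review and then applying by hand, since the parser only understands the numbered and named ACL syntax shown here.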

Thank you,
Rafael A Couto Cabral