Cisco IOS NAT overload issue

I am having trouble with a basic PAT/overload configuration of my Cisco ISR router where I have a public static IP address and want to allow my internal private address hosts to access the internet.

Outside interface: GigabitEthernet0/0/1
Inside interface: GigabitEthernet0/1/1

I am able to ping outside (internet) hosts from my inside hosts. However, nothing else (TCP/UDP) seems to work: I'm not able to get replies to DNS lookups, and HTTP doesn't work.

I have run show ip nat translations and it seems to indicate that PAT is working correctly:

Router#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
tcp  XXX.XXX.XXX.110:1036  10.10.27.11:58148     YYY.YYY.YYY.183:80    YYY.YYY.YYY.183:80
udp  XXX.XXX.XXX.110:1033  10.10.27.11:61164     8.8.8.8:53            8.8.8.8:53
udp  XXX.XXX.XXX.110:1032  10.10.27.11:64615     8.8.4.4:53            8.8.4.4:53
udp  XXX.XXX.XXX.110:1028  10.10.27.11:64611     8.8.8.8:53            8.8.8.8:53
udp  XXX.XXX.XXX.110:1027  10.10.27.11:60143     8.8.4.4:53            8.8.4.4:53
udp  XXX.XXX.XXX.110:1030  10.10.27.11:64613     8.8.8.8:53            8.8.8.8:53
udp  XXX.XXX.XXX.110:1024  10.10.27.140:32780    8.8.4.4:53            8.8.4.4:53

I have verified that these outgoing packets are arriving at their destination by trying to access a web server that I control and confirming in the logs that an http request was received. However, the replies are not received by the inside hosts.

Below is my configuration. Any thoughts on what might be wrong?

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.15.01.S.155-2.S1-std.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no aaa new-model
!
no ip domain lookup
!
subscriber templating
!
multilink bundle-name authenticated
!
voice-card 0/4
 no watchdog
!
license udi pid ISR4331/K9 sn XXXXXXX
spanning-tree extend system-id
!
username XXXXXXX privilege 15 secret 5 XXXXXXX
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
ip tftp source-interface GigabitEthernet0/1/1
ip ssh rsa keypair-name sshkey
ip ssh version 2
! 
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address XXX.XXX.XXX.110 255.255.255.252
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/1
 ip address 10.10.27.2 255.255.255.0
 ip nat inside
 negotiation auto
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool ovrld XXX.XXX.XXX.110 XXX.XXX.XXX.110 netmask 255.255.255.252
ip nat inside source list 7 pool ovrld overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.109
!
access-list 7 permit 10.10.27.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
!
end

Asked by jcculliton

Jody Lemoine (Network Architect) commented:
Rather than setting up a pool, have you tried using the interface address?

no ip nat inside source list 7 pool ovrld overload
no ip nat pool ovrld XXX.XXX.XXX.110 XXX.XXX.XXX.110 netmask 255.255.255.252
ip nat inside source list 7 interface GigabitEthernet0/1 overload

I've seen cases where traffic doesn't forward back when the pool includes the interface IP.
Jody Lemoine (Network Architect) commented:
Sorry... that should be GigabitEthernet0/0/1 and not GigabitEthernet0/1.
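As an added check (my own script, not anything posted in the thread), the following Python scans an IOS running-config for the layout the answer above replaces: an overload pool whose address range contains the `ip nat outside` interface's own address, and prints the `interface ... overload` form instead. The sample config is constructed from the question with documentation addresses (203.0.113.0/24) standing in for the masked public IP.

```python
# Added check (not from the thread): flag a NAT overload pool whose range
# contains the 'ip nat outside' interface's own address (the layout above).
import ipaddress
import re

# Constructed sample modelled on the question, using documentation addresses.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip address 203.0.113.110 255.255.255.252
 ip nat outside
!
ip nat pool ovrld 203.0.113.110 203.0.113.110 netmask 255.255.255.252
ip nat inside source list 7 pool ovrld overload
"""

def outside_interfaces(config):
    """Map interface name -> IPv4 address for every 'ip nat outside' stanza."""
    found, name, addr = {}, None, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name, addr = line.split(None, 1)[1], None
        elif name and line.startswith(" ip address "):
            addr = line.split()[2]   # IOS prints ip address before ip nat
        elif name and line.strip() == "ip nat outside" and addr:
            found[name] = addr
        elif not line.startswith(" "):
            name = None              # '!' or a global command ends the stanza
    return found

def find_pool_overlaps(config):
    """Return (pool, acl, interface, fix_commands) for each overload rule whose
    pool range contains an outside interface address."""
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in re.finditer(r"^ip nat pool (\S+) (\S+) (\S+)", config, re.M)}
    findings = []
    for m in re.finditer(r"^ip nat inside source list (\S+) pool (\S+) overload$", config, re.M):
        acl, pool = m[1], m[2]
        if pool not in pools:
            continue
        lo, hi = pools[pool]
        for name, addr in outside_interfaces(config).items():
            if lo <= ipaddress.ip_address(addr) <= hi:
                fix = [f"no {m[0]}",
                       f"ip nat inside source list {acl} interface {name} overload"]
                findings.append((pool, acl, name, fix))
    return findings

if __name__ == "__main__":
    for pool, acl, ifname, fix in find_pool_overlaps(SAMPLE_CONFIG):
        print(f"pool {pool} (acl {acl}) overlaps {ifname}:", *fix, sep="\n  ")
```

Run it against the output of `show running-config` saved to a file by reading that file into `find_pool_overlaps` in place of `SAMPLE_CONFIG`; the `no ip nat pool` line still has to be removed by hand after the source rule is replaced.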
jcculliton (Author) commented:
That worked! I thought I had tried that before, but must have made some other error in my configuration. Thanks for your help!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.