Cisco IOS NAT overload issue
jcculliton asked:
I am having trouble with a basic PAT/overload configuration of my Cisco ISR router where I have a public static IP address and want to allow my internal private address hosts to access the internet.
Outside interface: GigabitEthernet0/0/1
Inside interface: GigabitEthernet0/1/1
I am able to ping outside (internet) hosts from my inside hosts. However, nothing else (TCP/UDP) seems to work: I'm not able to get replies to DNS lookups, and HTTP doesn't work.
I have run show ip nat translations and it seems to indicate that PAT is working correctly:
Router#show ip nat translations
Pro Inside global          Inside local          Outside local         Outside global
tcp XXX.XXX.XXX.110:1036   10.10.27.11:58148     YYY.YYY.YYY.183:80    YYY.YYY.YYY.183:80
udp XXX.XXX.XXX.110:1033   10.10.27.11:61164     8.8.8.8:53            8.8.8.8:53
udp XXX.XXX.XXX.110:1032   10.10.27.11:64615     8.8.4.4:53            8.8.4.4:53
udp XXX.XXX.XXX.110:1028   10.10.27.11:64611     8.8.8.8:53            8.8.8.8:53
udp XXX.XXX.XXX.110:1027   10.10.27.11:60143     8.8.4.4:53            8.8.4.4:53
udp XXX.XXX.XXX.110:1030   10.10.27.11:64613     8.8.8.8:53            8.8.8.8:53
udp XXX.XXX.XXX.110:1024   10.10.27.140:32780    8.8.4.4:53            8.8.4.4:53
I have verified that these outgoing packets are arriving at their destination by trying to access a web server that I control and confirming in the logs that an http request was received. However, the replies are not received by the inside hosts.
Below is my configuration. Any thoughts on what might be wrong?
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.15.01.S.155-2.S1-std.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no aaa new-model
!
no ip domain lookup
!
subscriber templating
!
multilink bundle-name authenticated
!
voice-card 0/4
no watchdog
!
license udi pid ISR4331/K9 sn XXXXXXX
spanning-tree extend system-id
!
username XXXXXXX privilege 15 secret 5 XXXXXXX
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
ip tftp source-interface GigabitEthernet0/1/1
ip ssh rsa keypair-name sshkey
ip ssh version 2
!
interface GigabitEthernet0/0/0
no ip address
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/1
ip address XXX.XXX.XXX.110 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/1
ip address 10.10.27.2 255.255.255.0
ip nat inside
negotiation auto
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip nat pool ovrld XXX.XXX.XXX.110 XXX.XXX.XXX.110 netmask 255.255.255.252
ip nat inside source list 7 pool ovrld overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.109
!
access-list 7 permit 10.10.27.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
transport input ssh
!
end
ASKER CERTIFIED SOLUTION
Sorry... that should be GigabitEthernet0/0/1 and not GigabitEthernet0/1.
ASKER
That worked! I thought I had tried that before, but must have made some other error in my configuration. Thanks for your help!
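The body of the accepted answer is not reproduced on this page, but the answerer's follow-up (GigabitEthernet0/0/1, not GigabitEthernet0/1) and the asker's confirmation show what changed: the PAT rule was moved from a one-address pool holding the outside interface's own IP to the `interface ... overload` form, which is the usual way to configure PAT behind a single interface address on IOS. The fragment below is an added example written for this page, not the poster's or the answerer's own configuration. It shows the rule as posted, the replacement, the order of operations that avoids IOS refusing to delete a mapping with live translations, and the commands to verify the result. The management access-list number 8 and the assumption that the router is only managed from 10.10.27.0/24 are mine; the vty in the posted config accepts SSH from any source on the public address.

```cisco
! Added example (not from the original post). Addresses are the thread's
! placeholders: XXX.XXX.XXX.110 is the outside interface address.
!
! --- As posted: PAT onto a pool whose only address is the interface's own IP ---
! ip nat pool ovrld XXX.XXX.XXX.110 XXX.XXX.XXX.110 netmask 255.255.255.252
! ip nat inside source list 7 pool ovrld overload
!
! --- Replacement: PAT directly onto the outside interface ---
!
! 1. Drop the active translations first; IOS will otherwise prompt before
!    removing a dynamic mapping that still has entries in the table.
clear ip nat translation *
!
configure terminal
 no ip nat inside source list 7 pool ovrld overload
 no ip nat pool ovrld XXX.XXX.XXX.110 XXX.XXX.XXX.110 netmask 255.255.255.252
 !
 ! access-list 7 (already in the config) still selects the inside hosts.
 ip nat inside source list 7 interface GigabitEthernet0/0/1 overload
 !
 ! Hardening caveat, assumed management subnet 10.10.27.0/24: restrict who may
 ! open SSH to the router, since the public address is now reachable directly.
 access-list 8 remark management sources only (assumption for this example)
 access-list 8 permit 10.10.27.0 0.0.0.255
 line vty 0 4
  access-class 8 in
 end
!
! 2. Verify from an inside host (DNS lookup, HTTP request), then check:
!    - entries for the tcp/udp flows you just generated
show ip nat translations
!    - "Hits" rising and both the inside and outside interfaces listed
show ip nat statistics
!    - the mapping that is now in effect
show running-config | include ip nat
```

If translations still appear but replies are not delivered, `debug ip nat` on a quiet router shows each packet's translation in both directions; turn it off with `undebug all` before generating load.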