Source: Cisco.com
Cisco ISR G2 Series
Cisco: Small escape leading to non-functional NAT
I have seen that a lot of people use search engines to look up terms like “NAT: failed to allocate address for…” or “NAT: address not stolen for…”, asking for help with a non-functional NAT. Of course, I skipped the cases where the solution was obvious and clear, like a wrong NAT configuration, a wrong NAT pool, or a missing access list.
One not so obvious case is the example below:
ip access-list standard nat_acl
 permit 192.168.0.0 0.0.0.255
!
route-map to_nat permit 10
 match ip address nat_acl
!
ip nat pool test_pool 172.31.0.8 172.31.0.8 prefix-length 30
ip nat inside source route-map to_nat pool test_pool overload
Maybe I should have seen the mistake at first glance, but I didn’t. But I can assure you that I’m not the only one :) A quick look and a little carelessness made me say that the NAT configuration looked fine. It looks fine, but it does not work.
Debugging with “debug ip nat” command gave me the following output:
NAT: address not stolen for 192.168.0.10, proto 1 port 10
NAT: failed to allocate address for 192.168.0.10, list/map to_nat
Not much information here either (proto 1 is ICMP, so this was a simple ping from 192.168.0.10 failing to be translated). So I started to look more closely at the NAT configuration, when I saw this:
ip nat pool test_pool 172.31.0.8 172.31.0.8 prefix-length 30
Oh boy, how could I miss that: 172.31.0.8 is the network address of 172.31.0.8/30. IOS does not hand out the network or broadcast address implied by the pool’s prefix-length, so this pool has no usable address at all and nothing gets translated. This is easily overlooked and the configuration is taken as being OK.
The solution in this case (if we want to keep prefix-length 30) is to change the address to 172.31.0.9 or 172.31.0.10. No, you cannot use 172.31.0.11, as that is the broadcast address and would result in a faulty NAT in exactly the same way.
Another solution is to change the prefix-length to 24, which gives you 254 addresses for translation. I would recommend changing the prefix-length if you are just beginning to deploy NAT and want a scalable solution. If you prefer to stay with a prefix-length of 30, keep in mind that for every 4 IP addresses you lose 2 (the network and broadcast addresses), which is quite a waste if you are using public ranges.
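The following Python script is an added example and not code from the original post. It parses ip nat pool lines out of an IOS configuration and reports, for each pool, how many addresses IOS can actually hand out once the network and broadcast addresses implied by the prefix-length or netmask are excluded, so a pool like the one above is caught before the debug output ever appears. The regular expression, the function names, the 65536-address cap and the sample configuration (which mixes the broken pool from the post with the fixes suggested above, plus a range spanning several /30s) are this example’s own assumptions; the handling of /31 and /32 follows RFC 3021 semantics rather than any documented IOS rule.

```python
"""Lint 'ip nat pool' statements for unusable network/broadcast addresses.

Added example, not from the original post.  IOS will not allocate the
network or broadcast address of the subnet implied by the pool's
prefix-length / netmask, which is what produces the
'NAT: address not stolen' / 'NAT: failed to allocate address' debugs.
"""
import ipaddress
import re

# Matches e.g. "ip nat pool test_pool 172.31.0.8 172.31.0.8 prefix-length 30"
# or           "ip nat pool p2 203.0.113.1 203.0.113.10 netmask 255.255.255.0"
# (regex is this example's own; trailing keywords such as "type rotary" are ignored)
POOL_RE = re.compile(
    r"^\s*ip nat pool\s+(?P<name>\S+)\s+"
    r"(?P<start>\d+(?:\.\d+){3})\s+(?P<end>\d+(?:\.\d+){3})\s+"
    r"(?:prefix-length\s+(?P<plen>\d{1,2})\b|netmask\s+(?P<mask>\d+(?:\.\d+){3}))"
)

MAX_POOL_SIZE = 65536  # guard for the per-address loop below (example's own limit)


def _unusable(addr, plen):
    """True if addr is the network or broadcast address of its /plen subnet.
    For /31 and /32 nothing is excluded (RFC 3021 semantics); this is an
    assumption of the example, so verify it on your IOS release."""
    if plen >= 31:
        return False
    net = ipaddress.IPv4Network((addr, plen), strict=False)
    return addr in (net.network_address, net.broadcast_address)


def check_pool(line):
    """Parse one 'ip nat pool' line.

    Returns (name, usable, problems), or None if the line is not a pool
    definition.  usable is the number of addresses IOS can actually allocate;
    problems is a list of findings (empty when the pool is fine)."""
    m = POOL_RE.match(line)
    if m is None:
        return None
    start = ipaddress.IPv4Address(m["start"])
    end = ipaddress.IPv4Address(m["end"])
    if m["plen"] is not None:
        plen = int(m["plen"])
    else:  # convert a dotted netmask to a prefix length
        plen = ipaddress.IPv4Network(("0.0.0.0", m["mask"])).prefixlen

    if end < start:
        return m["name"], 0, ["end address is lower than start address"]
    if int(end) - int(start) + 1 > MAX_POOL_SIZE:
        return m["name"], 0, [f"range larger than {MAX_POOL_SIZE} addresses; not checked"]

    excluded = []
    usable = 0
    for n in range(int(start), int(end) + 1):
        addr = ipaddress.IPv4Address(n)
        if _unusable(addr, plen):
            excluded.append(str(addr))
        else:
            usable += 1

    problems = []
    if usable == 0:
        problems.append(
            f"no usable address: {start}-{end} holds only network/broadcast "
            f"addresses for /{plen}; expect 'NAT: failed to allocate address'"
        )
    elif excluded:
        problems.append(
            f"{len(excluded)} of {usable + len(excluded)} addresses are "
            f"network/broadcast for /{plen} and will never be used: "
            + ", ".join(excluded)
        )
    return m["name"], usable, problems


def lint_config(text):
    """Run check_pool over every line of a config; returns {name: (usable, problems)}."""
    results = {}
    for line in text.splitlines():
        found = check_pool(line)
        if found is not None:
            results[found[0]] = (found[1], found[2])
    return results


# Constructed sample config (not real device output): the broken pool from the
# post, the two fixes it suggests, and a netmask-style pool spanning two /30s.
SAMPLE_CONFIG = """\
ip nat pool test_pool 172.31.0.8 172.31.0.8 prefix-length 30
ip nat pool test_pool_fixed 172.31.0.9 172.31.0.10 prefix-length 30
ip nat pool test_pool_wide 172.31.0.1 172.31.0.254 prefix-length 24
ip nat pool test_pool_span 172.31.0.8 172.31.0.15 netmask 255.255.255.252
ip nat inside source route-map to_nat pool test_pool overload
"""

if __name__ == "__main__":
    for name, (usable, problems) in lint_config(SAMPLE_CONFIG).items():
        print(f"{'BAD' if problems else 'OK '} {name}: {usable} usable address(es)")
        for p in problems:
            print(f"     - {p}")
```

Feed it a saved running-config and any pool whose addresses are all network or broadcast addresses shows up as BAD with zero usable addresses, while a /30 range spanning several subnets is reported with the addresses that will be silently wasted.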
Cisco – Remote VTY Command Script
Running one or more interactive CLI commands is a common task in network management, and a script that automates this task becomes a critical tool.
This script automates interactive TELNET or SSH sessions. Any command that can be issued in CLI can be issued via the VTY run command script in an automated fashion. Below are some example uses:
* Run a set of commands on hundreds of devices
* Configuration changes
* Archive configurations and software
* Audits, inventory and discovery
* Automated troubleshooting
Requirements
This script is written in Expect. A current version of Expect is required. Expect and installation requirements for Expect can be found at Expect Homepage
Tested on RHEL 5 running expect 5.43.0-5.1 and Mac OS X 10.6 running Expect 5.44.1.11.
The script is platform independent and should run on any platform that can run Expect.
Cisco IP Routing Overview – Part IV
Fourth part from IP Routing Overview.
All this material is produced by RouteHub Group consultants, so all the copyrights and credits belong to them. It was freely shared on the Internet, so I hope that I’m not breaking any copyright rules here. All I want is to make this material more visible on the Internet. This is true also for the materials from them still to come.
If you are curious who is RouteHub Group, I have found this simple explanation on their site: RouteHub Group is a Premium Cisco Consulting provider of Cisco Products, Solutions, Training, and Professional Services for small, medium, and large-sized businesses.
Video: https://ipnet.xyz/vid/routehub/Cisco-IP-Routing-part4.flv
Please find below:
– 1st part
– 2nd part
– 3rd part
of this presentation