Cisco: Small escape leading to non-functional NAT

I have seen that a lot of people is using search engines to look after terms like “NAT: failed to allocate address for…” or “NAT: address not stolen for…” asking for help in regard to a non-functional NAT. Of course I skipped the cases when the solution was obvious and clear like wrong NAT configuration, NAT pool or missing the access-list.

One not so clear case you have in the example below:

ip access-list standard nat_acl
permit 192.168.0.0 0.0.0.255

route-map to_nat permit 10
match ip address nat_acl

ip nat pool test_pool 172.31.0.8 172.31.0.8 prefix-length 30
ip nat inside source route-map to_nat pool test_pool overload

Maybe I should have seen the mistake at first look, but I didn’t. But I can assure you that I’m not the only one :) Quick looking and a little careless made me said that the NAT configuration looks fine. Looks fine, but not working.

Debugging with “debug ip nat” command gave me the following output:

NAT: address not stolen for 192.168.0.10, proto 1 port 10
NAT: failed to allocate address for 192.168.0.10, list/map to_nat

Not too much information here either. So I’ve started to have a look closer to the NAT configuration, when I saw this:
ip nat pool test_pool 172.31.0.8 172.31.0.8 prefix-length 30
Oh boy, how can I miss that: 172.31.0.8/30 being the network address. You cannot use the network address to translate.Often this is not seen and the configuration is taken as being OK.

The solution would be in this case (if we want to keep the prefix-length 30) to change the ip to 172.31.0.9 or 172.31.0.10.No, you cannot use 172.31.0.11 as that’s the broadcast address and would result in faulty NAT.
Another solution would be to change the prefix-length to 24 giving you 254 addresses for translation. I would recommend changin the prefix-length if you are beginning now to deploy NAT and you want a scalable solution. If you prefer to stay with  prefix-length of 30, you should take in consideration that at every 4 IP addresses you will lose 2 (network address and broadcast), which is not to fair if you are using public ranges.