NAT Configured But Internet Access Not Working
Presenting Symptom
Internal hosts can ping the router's inside interface but cannot access the internet or ping the outside interface IP.
Network Context
A small branch office with a Cisco 4321 router running IOS XE 16.9. The router has a single inside interface (GigabitEthernet0/0/0, 192.168.1.1/24) connected to a switch with PCs, and an outside interface (GigabitEthernet0/0/1, 203.0.113.2/30) connected to an ISP router. NAT is configured to translate inside local addresses to the outside interface IP. The problem occurs after a recent configuration change.
Diagnostic Steps
Verify NAT translations exist
show ip nat translations
Pro  Inside global   Inside local    Outside local   Outside global
---  203.0.113.2     192.168.1.10    ...             ...
If no translations appear, NAT is not being triggered. If translations appear but traffic still fails, the issue may be routing or an ACL.
Check NAT configuration
show running-config | include ip nat
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
Verify the NAT statement and ACL are correct. Common mistakes: wrong ACL, missing 'overload', or misconfigured inside/outside interfaces.
Verify inside/outside interface assignments
show ip interface brief | include GigabitEthernet
Interface              IP-Address      OK? Method Status   Protocol
GigabitEthernet0/0/0   192.168.1.1     YES NVRAM  up       up
GigabitEthernet0/0/1   203.0.113.2     YES NVRAM  up       up
Check that both interfaces are up/up. Then run 'show running-config interface GigabitEthernet0/0/0' and 'show running-config interface GigabitEthernet0/0/1' to confirm 'ip nat inside' and 'ip nat outside' are present.
Check routing to the internet
show ip route 0.0.0.0
Gateway of last resort is 203.0.113.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 203.0.113.1
If no default route exists, traffic cannot reach the internet even with NAT. The default route should point to the ISP next-hop.
Root Cause
The inside and outside interfaces were not correctly assigned with 'ip nat inside' and 'ip nat outside' commands. The NAT configuration was present but the router did not know which interfaces were inside and outside, so NAT translations were never created.
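Resolution
Add 'ip nat inside' to the inside interface (GigabitEthernet0/0/0) and 'ip nat outside' to the outside interface (GigabitEthernet0/0/1) so the router can classify traffic for translation.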
Verification
1. Run 'show ip nat translations' - should show translations for inside hosts.
2. From a PC, ping 8.8.8.8 - should succeed.
3. Run 'show ip nat statistics' - verify total translations and hits.
Prevention
1. Always configure 'ip nat inside' and 'ip nat outside' immediately after defining NAT rules.
2. Use a configuration template or automation to ensure interface assignments are not missed.
3. After any NAT configuration change, verify with 'show ip nat translations' and a test ping.
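As an illustration of the automation mentioned in item 2, the following added example (not part of the original page and not Cisco tooling) audits a saved running-config for the NAT prerequisites checked in this scenario: inside/outside interface designations, the 'overload' keyword, the ACL referenced by the NAT rule, and a static default route. The function names and both sample configs are assumptions constructed for the example.

```python
import re

def parse_interfaces(config):
    """Map interface name -> its sub-commands (IOS indents them by one space)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit_nat(config):
    """Return the NAT prerequisites this config fails to meet (empty list = pass)."""
    ifs = parse_interfaces(config)
    roles = {r: [n for n, cmds in ifs.items() if f"ip nat {r}" in cmds]
             for r in ("inside", "outside")}
    findings = [f"no interface has 'ip nat {r}'" for r, names in roles.items() if not names]
    rule = re.search(r"^ip nat inside source list (\S+) interface (\S+)( overload)?\s*$",
                     config, re.M)
    if not rule:
        findings.append("no 'ip nat inside source list ... interface ...' rule")
    else:
        acl, egress, overload = rule.groups()
        if not overload:
            findings.append("NAT rule is missing 'overload'")
        if roles["outside"] and egress not in roles["outside"]:
            findings.append(f"NAT rule uses {egress}, which is not 'ip nat outside'")
        if not re.search(rf"^access-list {re.escape(acl)} permit ", config, re.M):
            findings.append(f"access-list {acl} referenced by NAT is not defined")
    if not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append("no static default route")
    return findings

# Constructed sample configs modelled on the scenario; not captured from a device.
TEMPLATE = """interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0{inside}
!
interface GigabitEthernet0/0/1
 ip address 203.0.113.2 255.255.255.252{outside}
!
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
access-list 1 permit 192.168.1.0 0.0.0.255
"""
BROKEN = TEMPLATE.format(inside="", outside="")  # the state described under Root Cause
FIXED = TEMPLATE.format(inside="\n ip nat inside", outside="\n ip nat outside")
```

Calling audit_nat(BROKEN) reports both missing interface designations, while audit_nat(FIXED) returns an empty list.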
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears in troubleshooting questions (multiple choice or drag-and-drop) where you must identify why NAT is not working. The exam tests your ability to verify NAT interface assignments and translation entries. Key fact: NAT requires both inside and outside interface designations to function.
Exam Tips
Always check 'show ip nat translations' first; if empty, the issue is likely interface assignment or ACL.
Remember that 'ip nat inside source list' requires an ACL that matches the inside local addresses.
The default route must point to the ISP next-hop; without it, translated packets have no path.
Commands Used in This Scenario
show ip nat statistics
Displays statistics about NAT translations, including active translations, hit counts, and configuration parameters, used to verify NAT operation and troubleshoot translation issues.
show ip nat translations
Displays the current active Network Address Translation (NAT) translations on the router, used to verify NAT operations and troubleshoot connectivity issues.
show running-config
Displays the current active configuration in DRAM, showing all non-default settings.