NAT / CCNA 200-301

NAT Overload ACL Denying Traffic That Should Be NAT'd

Presenting Symptom

Internal hosts cannot reach the internet, but NAT overload is configured and the ACL appears to permit the traffic.

Network Context

A small branch office with a Cisco 4321 router (IOS XE 16.9) connects to the ISP via GigabitEthernet0/0/0 (public IP 203.0.113.1). Inside hosts on VLAN 10 (192.168.1.0/24) are behind the router. NAT overload (PAT) is configured on the outside interface, with an ACL to identify which inside traffic to translate. The engineer can ping the ISP next-hop but not external servers.

Diagnostic Steps

1. Check NAT translations

show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.1:1024  192.168.1.10:1024  8.8.8.8:80         8.8.8.8:80

If no translations appear, NAT is not being triggered. If translations appear but traffic still fails, the issue may be outside the NAT process.

2. Verify NAT configuration

show running-config | section ip nat
ip nat pool POOL 203.0.113.1 203.0.113.1 netmask 255.255.255.0
ip nat inside source list NAT_ACL interface GigabitEthernet0/0/0 overload
ip access-list standard NAT_ACL
 permit 192.168.1.0 0.0.0.255

Check that the ACL is named correctly and permits the correct subnet. A common mistake is referencing the wrong ACL name or number in the ip nat inside source command, or omitting the permit statement altogether.

3. Examine the ACL in detail

show access-list NAT_ACL
Standard IP access list NAT_ACL
    10 deny   ip 192.168.1.0 0.0.0.255 any (4 matches)
    20 permit ip any any (0 matches)

If the ACL has a deny statement for the inside subnet, traffic from that subnet will not be NATed. The matches counter shows how many packets matched each line. Here, the deny line is the one accumulating matches, so that traffic is excluded from translation before the permit line is ever evaluated.

4. Confirm the ACL is applied correctly to NAT

show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces: GigabitEthernet0/0/0
Inside interfaces: GigabitEthernet0/0/1
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list NAT_ACL interface GigabitEthernet0/0/0 refcount 0

'Hits: 0' together with 'Misses: 0' indicates that no packet has matched the NAT rule or triggered a new translation. This confirms the ACL is not permitting the traffic. The ACL must be corrected to permit the inside subnet.

Root Cause

The ACL used for NAT overload (NAT_ACL) contains a deny statement for the inside subnet (192.168.1.0/24) before the permit any statement. This causes traffic from that subnet to be denied by the ACL, so NAT never translates the packets.

Resolution

Remove the incorrect deny statement and ensure the ACL permits the inside subnet. Use the following commands:

conf t
ip access-list standard NAT_ACL
no 10
permit 192.168.1.0 0.0.0.255
end

Alternatively, if the ACL is empty, create a new one (NAT_ACL is a named ACL, so it is defined with ip access-list standard rather than the numbered access-list command):

conf t
no ip access-list standard NAT_ACL
ip access-list standard NAT_ACL
permit 192.168.1.0 0.0.0.255
exit
ip nat inside source list NAT_ACL interface GigabitEthernet0/0/0 overload
end

Verification

Run 'show ip nat translations' and 'show access-list NAT_ACL'. Expected output:

show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.1:1024  192.168.1.10:1024  8.8.8.8:80         8.8.8.8:80

show access-list NAT_ACL
Standard IP access list NAT_ACL
    10 permit 192.168.1.0 0.0.0.255 (5 matches)

Also verify internet connectivity from an inside host (e.g., ping 8.8.8.8).

Prevention

1. Always review ACLs carefully before applying them to NAT; ensure the permit statement for the inside network comes before any deny statements.
2. Use named ACLs with descriptive names to reduce confusion.
3. Test NAT with a single host before deploying to the entire subnet.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests understanding of NAT overload configuration and the role of ACLs in identifying traffic to translate. Expect a troubleshooting question where you must identify why NAT is not working, often presented as a drag-and-drop or multiple-choice question. Key fact: The ACL must permit the inside local network; a deny statement will block translation.

Exam Tips

1. Remember that the ACL in NAT is used to identify traffic to be translated; it does not filter traffic like a firewall ACL.

2. When troubleshooting NAT, always check 'show ip nat translations' first; if empty, check the ACL with 'show access-list'.

3. The order of ACL entries matters: the first match is applied. Ensure the permit for the inside network comes before any deny.
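The first-match rule behind the root cause and behind exam tip 3 can be checked mechanically before an ACL is attached to NAT (prevention item 1). The Python script below is an added example, not part of the original scenario and not Cisco code: it parses 'show access-list' output, evaluates first-match for an inside address, and flags a deny entry that overlaps the inside subnet before any permit covers it. The two sample outputs are constructed to mirror the broken ACL from step 3 and the corrected ACL from the verification step; the names parse_acl, nat_decision, lint_nat_acl, BROKEN_ACL and FIXED_ACL are my own, and the parser models only contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed sample outputs in the layouts IOS uses for standard ACLs.
# BROKEN_ACL mirrors the misordered ACL from diagnostic step 3;
# FIXED_ACL mirrors the ACL after the resolution has been applied.
BROKEN_ACL = """\
Standard IP access list NAT_ACL
    10 deny   ip 192.168.1.0 0.0.0.255 any (4 matches)
    20 permit ip any any (0 matches)
"""

FIXED_ACL = """\
Standard IP access list NAT_ACL
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (5 matches)
"""

INSIDE_SUBNET = ipaddress.ip_network("192.168.1.0/24")

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def wildcard_to_network(addr, wild):
    """Convert an IOS address/wildcard pair into an ip_network.

    The wildcard is inverted explicitly instead of being handed to ipaddress,
    because ipaddress would read 0.0.0.0 as a /0 netmask rather than a /32
    wildcard. Only contiguous wildcards are modelled (IOS also allows
    discontiguous ones, which this helper rejects).
    """
    mask = (~int(ipaddress.IPv4Address(wild))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard {wild} not supported")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_acl(text):
    """Return ACL entries as (seq, action, source_network) in listed order.

    Accepts both '10 permit 192.168.1.0, wildcard bits 0.0.0.255' and the
    extended-style '10 deny ip 192.168.1.0 0.0.0.255 any'. A NAT ACL is
    matched on the source only, so any destination field is ignored.
    """
    entries = []
    for line in text.splitlines():
        line = re.sub(r"\(\d+ match(?:es)?\)", "", line)
        toks = [t for t in line.replace(",", " ").split()
                if t not in ("ip", "wildcard", "bits")]
        if len(toks) < 3 or not toks[0].isdigit() or toks[1] not in ("permit", "deny"):
            continue  # header line or a form this model does not cover
        seq, action, src = int(toks[0]), toks[1], toks[2]
        if src == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif src == "host":
            net = ipaddress.ip_network(toks[3] + "/32")
        else:
            wild = toks[3] if len(toks) > 3 and _IPV4.match(toks[3]) else "0.0.0.0"
            net = wildcard_to_network(src, wild)
        entries.append((seq, action, net))
    return entries


def nat_decision(entries, src_ip):
    """First-match evaluation: (action, seq) of the entry that matches src_ip,
    or ('deny', None) for the implicit deny at the end of every ACL."""
    ip = ipaddress.ip_address(src_ip)
    for seq, action, net in entries:
        if ip in net:
            return action, seq
    return "deny", None


def lint_nat_acl(entries, inside):
    """Flag the misordering from this scenario: a deny overlapping the inside
    subnet before that subnet is permitted, or no permit covering it at all."""
    findings = []
    permitted = False
    for seq, action, net in entries:
        if action == "deny" and not permitted and net.overlaps(inside):
            findings.append(f"seq {seq} denies {net} before {inside} is permitted; "
                            "matching hosts will not be translated")
        if action == "permit" and inside.subnet_of(net):
            permitted = True
    if not permitted:
        findings.append(f"no permit entry covers {inside}; implicit deny applies")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        acl = parse_acl(text)
        print(label, nat_decision(acl, "192.168.1.10"), lint_nat_acl(acl, INSIDE_SUBNET))
```

For the broken ACL the inside host 192.168.1.10 hits the deny at sequence 10 and the linter reports it; for the fixed ACL the same host is permitted at sequence 10 and an address outside the inside subnet falls through to the implicit deny, which is the intended behaviour for a NAT ACL.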

Commands Used in This Scenario

show ip nat translations
show running-config | section ip nat
show access-list NAT_ACL
show ip nat statistics
ip access-list standard NAT_ACL
ip nat inside source list NAT_ACL interface GigabitEthernet0/0/0 overload
