NAT - CCNA 200-301

NAT on Tunnel Interface Not Translating Traffic Correctly

Presenting Symptom

Traffic sent through a tunnel interface is not being translated by NAT, causing connectivity failures for hosts behind the tunnel.

Network Context

A small branch office connects to the corporate headquarters via a GRE tunnel over the Internet. The branch router (Cisco 4321, IOS 15.9) uses NAT overload (PAT) on the physical WAN interface to translate internal traffic. However, traffic routed through the tunnel interface (Tunnel0) is not being translated, so packets exit the tunnel with private source IPs and are dropped by the remote router. The tunnel is up/up, and static routes direct traffic for the corporate subnet into the tunnel.

Diagnostic Steps

1. Verify NAT translations exist for traffic through the tunnel

show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                  ---                 ---                 ---

If no translations appear for traffic that is routed into the tunnel, NAT is not being applied to it. Normal output would show translations with inside local/global addresses.

2. Check which interfaces have NAT enabled

show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces: GigabitEthernet0/0/0
Inside interfaces: GigabitEthernet0/0/1

Confirm that the tunnel interface is not listed as an inside or outside interface. NAT only applies to interfaces explicitly configured with ip nat inside/outside. If the tunnel is missing, traffic routed into the tunnel bypasses NAT.

3. Examine the route table to see how traffic is forwarded

show ip route 10.1.1.0 255.255.255.0
Routing entry for 10.1.1.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 192.168.2.1, via Tunnel0
      Route metric is 0, traffic share count is 1

Traffic destined for the corporate subnet is routed into the tunnel. Since the tunnel is not a NAT inside/outside interface, packets exit the tunnel without translation.

4. Check NAT configuration on the tunnel interface

show run interface Tunnel0
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.1

There is no ip nat inside or ip nat outside command on the tunnel interface. This is the root cause: NAT must be applied to the tunnel interface to translate traffic before it enters the tunnel.
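The check behind steps 2 and 3 can be automated: parse 'show ip nat statistics' for the interfaces that hold an inside/outside role, parse 'show ip route <prefix>' for the exit interface toward the corporate subnet, and flag any exit interface with no NAT role. This is an added example, not part of the original scenario; the sample command output is constructed to match the outputs shown above.

```python
import re

# Constructed sample output, modelled on the show commands in this scenario
NAT_STATS = """\
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces: GigabitEthernet0/0/0
Inside interfaces: GigabitEthernet0/0/1
"""

ROUTE = """\
Routing entry for 10.1.1.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 192.168.2.1, via Tunnel0
      Route metric is 0, traffic share count is 1
"""

def nat_roles(stats):
    """Map interface name -> 'inside'/'outside' from 'show ip nat statistics'.
    Names may follow the header on the same line or on indented lines below it."""
    roles, current = {}, None
    for line in stats.splitlines():
        m = re.match(r"^(Inside|Outside) interfaces:\s*(.*)$", line)
        if m:
            current, rest = m.group(1).lower(), m.group(2)
        elif current and line.startswith(" "):
            rest = line
        else:
            current, rest = None, ""
        for name in re.split(r"[,\s]+", rest.strip()):
            if name:
                roles[name] = current
    return roles

def egress_interfaces(route):
    """Collect exit interfaces from the descriptor blocks of 'show ip route <prefix>'."""
    return re.findall(r", via (\S+)\s*$", route, re.M)

def audit(stats, route):
    """Return interfaces in the forwarding path that carry no NAT role at all."""
    roles = nat_roles(stats)
    return [intf for intf in egress_interfaces(route) if intf not in roles]

if __name__ == "__main__":
    for intf in audit(NAT_STATS, ROUTE):
        print(f"{intf} is in the path but has no ip nat inside/outside")
```

An empty result after adding the tunnel to the inside or outside interface list confirms the interface assignment has been corrected.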

Root Cause

The tunnel interface (Tunnel0) is not configured with 'ip nat inside' or 'ip nat outside'. NAT only translates traffic that enters an inside interface and exits an outside interface. Since the tunnel is neither, traffic routed into the tunnel bypasses NAT and is sent with private source IPs.

Resolution

Apply NAT inside/outside to the tunnel interface. Typically, the tunnel is the inside interface because it carries internal traffic. On the branch router:

interface Tunnel0
 ip nat inside

Ensure the physical WAN interface (e.g., GigabitEthernet0/0/0) is already configured as ip nat outside. If not, add:

interface GigabitEthernet0/0/0
 ip nat outside

Also verify that the NAT ACL (access-list) permits the source subnet of traffic going through the tunnel. Example:

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload

Verification

After applying the fix, run:

show ip nat translations

Expected output shows translations for traffic through the tunnel, e.g.:

Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.2:1024   192.168.1.10:1024  10.1.1.1:80        10.1.1.1:80

Also test connectivity from a host behind the branch router to a server at HQ (e.g., ping 10.1.1.1). Successful replies confirm NAT is working.

Prevention

1. Always configure NAT on all interfaces that carry traffic requiring translation, including tunnel interfaces.
2. Use a consistent design: define inside interfaces as those facing internal networks, and outside interfaces as those facing external networks (including tunnels to remote sites).
3. Document NAT interface assignments in network diagrams to avoid missing interfaces during changes.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where NAT is not working as expected. The exam tests understanding that NAT must be enabled on the correct interfaces (inside/outside). A common multiple-choice question asks: 'Which interface should be configured with ip nat inside when using a tunnel?' The key fact is that the tunnel interface must be explicitly configured for NAT if traffic through it needs translation.

Exam Tips

1. Remember that NAT only translates packets that cross from an inside interface to an outside interface. If a tunnel is used, it must be designated as inside or outside accordingly.

2. The exam often includes a scenario where NAT works for direct Internet traffic but fails for VPN/tunnel traffic. The root cause is almost always missing NAT on the tunnel interface.

3. Memorize the output of 'show ip nat statistics' to quickly identify which interfaces have NAT enabled. If the tunnel is missing, that's the problem.
