
Private IP Range Being Routed to Internet — NAT Not Working

Presenting Symptom

Hosts on the internal network cannot access the internet, and traffic destined for public IPs is being dropped or misrouted.

Network Context

A small branch office with a Cisco 4321 ISR router running IOS XE 16.9 connects the internal LAN (192.168.1.0/24) to the internet via a single WAN link (DHCP-assigned public IP). The router is configured with NAT overload (PAT) on the WAN interface. The internal hosts use private IPs and the default gateway is the router's LAN interface (192.168.1.1). The problem is that internal hosts cannot reach external websites, but the router can ping public IPs.

Diagnostic Steps

1. Check NAT translations

show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.0.2.10:1024   192.168.1.10:1024  203.0.113.5:80     203.0.113.5:80

If no translations appear, NAT is not translating traffic. If translations appear but traffic still fails, the issue may be elsewhere. Look for inside local addresses matching the LAN subnet.
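The check described in this step (look for inside local addresses in the LAN subnet, and for an empty table) can be automated over pasted `show ip nat translations` output. The following Python helper is an added example, not part of the original page or a Cisco tool; the sample table is constructed for this scenario, and the LAN subnet and WAN address are the values the scenario gives.

```python
import ipaddress
from dataclasses import dataclass

# Scenario values from the page: LAN subnet and the WAN (inside global) address.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
WAN_IP = ipaddress.ip_address("203.0.113.2")

# Constructed sample of 'show ip nat translations' output (not captured from a real router).
# The third row is a host outside the LAN subnet, the kind of entry an over-broad ACL produces.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.2:1024   192.168.1.10:1024  203.0.113.5:80     203.0.113.5:80
tcp 203.0.113.2:5001   192.168.1.20:5001  198.51.100.7:443   198.51.100.7:443
udp 203.0.113.2:53022  10.0.0.5:53022     198.51.100.53:53   198.51.100.53:53
"""


@dataclass
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


def _addr(field):
    """Strip the :port suffix that PAT entries carry; static entries have none."""
    return ipaddress.ip_address(field.rsplit(":", 1)[0])


def parse_translations(text):
    """Parse the five-column translation table, skipping the header line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        rows.append(Translation(*parts))
    return rows


def audit_translations(text, lan_subnet=LAN_SUBNET, wan_ip=WAN_IP):
    """Summarise what the translation table says about the NAT configuration."""
    rows = parse_translations(text)
    if not rows:
        # An empty table means the ACL or the inside/outside roles never matched a packet.
        return {"status": "no-translations", "count": 0,
                "foreign_inside_local": [], "wrong_inside_global": []}
    # Inside local addresses outside the LAN mean the ACL permits more than the LAN.
    foreign = [r.inside_local for r in rows if _addr(r.inside_local) not in lan_subnet]
    # With interface overload, every inside global address should be the WAN address.
    wrong_global = [r.inside_global for r in rows if _addr(r.inside_global) != wan_ip]
    status = "ok" if not (foreign or wrong_global) else "review"
    return {"status": status, "count": len(rows),
            "foreign_inside_local": foreign, "wrong_inside_global": wrong_global}


if __name__ == "__main__":
    print(audit_translations(SAMPLE_TRANSLATIONS))
```

Paste the router's output into `audit_translations`; a `no-translations` result points back at the ACL and interface roles in step 2, while entries listed under `foreign_inside_local` show the ACL matching hosts it should not.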

2. Verify NAT configuration

show running-config | include ip nat
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255

Ensure the ACL matches the internal network. If the ACL is missing or incorrect (e.g., permits 0.0.0.0 or wrong subnet), NAT may not apply. Also verify the 'ip nat inside' and 'ip nat outside' commands on the correct interfaces.

3. Check routing for public destinations

show ip route 8.8.8.8
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Routing Descriptor Blocks:
  * 203.0.113.1
      Route metric is 0, traffic share count is 1

If the route shows a default route pointing to the ISP gateway, routing is correct. If no route exists or points to an incorrect next-hop, traffic will be dropped.

4. Verify interface IPs and status

show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   203.0.113.2     YES DHCP   up                    up
GigabitEthernet0/0/1   192.168.1.1     YES manual up                    up

Ensure both interfaces are up/up. The WAN interface should have a public IP (or private if behind another NAT). The LAN interface should have the correct private IP.

Root Cause

The access-list used for NAT is misconfigured: it permits only a specific host (e.g., 192.168.1.10) instead of the entire subnet, or the ACL is missing entirely. Alternatively, the 'ip nat inside' and 'ip nat outside' commands are applied to the wrong interfaces.

Resolution

1. Configure the correct ACL to match the internal network:

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

2. Apply NAT with the correct ACL:

Router(config)# ip nat inside source list 1 interface GigabitEthernet0/0/0 overload

3. Ensure interfaces are correctly assigned:

Router(config)# interface GigabitEthernet0/0/1
Router(config-if)# ip nat inside
Router(config-if)# interface GigabitEthernet0/0/0
Router(config-if)# ip nat outside
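The three checks behind the root cause and resolution (the NAT ACL must cover the whole LAN subnet, the WAN interface named in the `ip nat inside source` command must be `ip nat outside`, and the LAN interface must be `ip nat inside`) can be run against a running-config excerpt before and after the change. The following Python audit is an added example, not part of the original page or a Cisco feature; both configuration excerpts are constructed, the first reproducing the misconfiguration described under Root Cause and the second the resolution above.

```python
import ipaddress
import re

# Scenario value from the page: the internal subnet NAT must translate.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# Constructed running-config excerpts (not captured from a real router). The first reproduces
# the root cause: a host-only ACL and swapped inside/outside roles; the second is the resolution.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat inside
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
access-list 1 permit 192.168.1.10
"""

FIXED_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard="0.0.0.0"):
    """Convert an ACL 'address wildcard' pair to a network; a missing wildcard means one host."""
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):  # wildcard bits must be a contiguous low-order run to map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def parse_config(text):
    """Pull out the NAT source statement, standard ACL permits, and per-interface NAT roles."""
    nat_source, permits, roles, addrs, current = None, {}, {}, {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith(" ") and current:
            w = line.split()
            if w[:2] == ["ip", "address"]:
                addrs[current] = None if w[2] == "dhcp" else ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            elif w[:2] == ["ip", "nat"]:
                roles[current] = w[2]  # 'inside' or 'outside'
        else:
            current = None  # '!' or a global command ends the interface block
            m = re.match(r"ip nat inside source list (\S+) interface (\S+)( overload)?$", line)
            if m:
                nat_source = {"acl": m.group(1), "interface": m.group(2), "overload": bool(m.group(3))}
            m = re.match(r"access-list (\S+) permit (\S+)( \S+)?$", line)
            if m:
                addr, wc = m.group(2), (m.group(3) or "0.0.0.0").strip()
                if addr == "any":
                    addr, wc = "0.0.0.0", "255.255.255.255"
                permits.setdefault(m.group(1), []).append((addr, wc))
    return nat_source, permits, roles, addrs


def audit_nat(text, lan_subnet=LAN_SUBNET):
    """Return a list of findings; an empty list means the checks from the page all pass."""
    findings = []
    nat_source, permits, roles, addrs = parse_config(text)
    if nat_source is None:
        return ["no 'ip nat inside source list ... interface ... overload' statement"]
    if not nat_source["overload"]:
        findings.append("'overload' keyword missing: PAT cannot share the single WAN address")
    nets = [wildcard_to_network(a, w) for a, w in permits.get(nat_source["acl"], [])]
    # Coverage is judged per entry; a subnet split across several permits would need a union check.
    if not any(lan_subnet.subnet_of(n) for n in nets):
        shown = ", ".join(map(str, nets)) or "nothing"
        findings.append(f"ACL {nat_source['acl']} does not cover {lan_subnet}: it permits {shown}")
    if roles.get(nat_source["interface"]) != "outside":
        findings.append(f"{nat_source['interface']} is the NAT interface but is not 'ip nat outside'")
    for name, ifaddr in addrs.items():
        if ifaddr is not None and ifaddr.ip in lan_subnet and roles.get(name) != "inside":
            findings.append(f"{name} holds the LAN gateway address but is not 'ip nat inside'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_nat(cfg) or ["no findings"])
```

Run against the broken excerpt the audit reports three findings (host-only ACL, WAN interface not outside, LAN interface not inside); against the corrected excerpt it reports none. A `permit any` entry passes the coverage check, which matches the exam trap noted later on this page: an over-broad ACL is not what stops translation, the interface roles are.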

Verification

1. show ip nat translations — should show translations for internal hosts (e.g., 192.168.1.10 -> 203.0.113.2:port).
2. ping 8.8.8.8 from a host — should succeed.
3. show ip nat statistics — should show increasing hits.

Prevention

1. Use a standard ACL that matches the entire internal subnet (e.g., permit 192.168.1.0 0.0.0.255).
2. Always verify NAT configuration with 'show ip nat translations' after changes.
3. Document interface roles (inside/outside) to avoid misapplication.

CCNA Exam Relevance

On the CCNA 200-301 exam, NAT troubleshooting appears in multiple-choice and drag-and-drop questions. Candidates must know the 'ip nat inside source list' command, how to match ACLs to private ranges, and the difference between static NAT, dynamic NAT, and PAT. The exam tests the ability to identify why NAT is not translating traffic.

Exam Tips

1. Remember that NAT requires both an ACL to define 'inside local' addresses and the 'overload' keyword for PAT.

2. Common exam trap: ACL permits 0.0.0.0 255.255.255.255 (all traffic) but NAT is still not working because interfaces are not correctly assigned inside/outside.

3. Memorize 'show ip nat translations' and 'show ip nat statistics' as the primary verification commands.
