Guest

IP Addressing Services

NAT Pools and Subnet Zero

Cisco - NAT Pools and Subnet Zero

Document ID: 13777

Updated: Jan 28, 2008

   Print

Introduction

This document discusses how Network Address Translation (NAT) pools are subject to subnet zero rules just like any other IP addresses.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Background Theory

When you configure a NAT pool such that the addresses within the pool are part of subnet zero, NAT translation fails.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: In order to find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only) .

Network Diagram

This document uses this network setup:

7a.gif

In this configuration example, the inside device has a default route of the NAT router. The outside device has a static route to an address to which the inside device is translated. The NAT router has this NAT configuration:

ip nat pool test 171.68.1.1 171.68.1.10 netmask  255.255.240.0
ip nat inside source list 7 pool test 

interface s 0
ip address 171.16.4.6 255.255.255.0
ip nat inside

interface s 1
ip address 171.16.6.6 255.255.255.0
ip nat outside

access-list 7 permit host 171.16.4.4

Notice that the addresses in the NAT pool test are subnet zero addresses. The ping from the inside device to the outside device fails because no translation occurs. If you run the debug ip nat command on the NAT router, it reveals these messages:

NAT: translation failed (A), dropping packet s=171.16.4.4 d=171.16.6.5
NAT: translation failed (A), dropping packet s=171.16.4.4 d=171.16.6.5
NAT: translation failed (A), dropping packet s=171.16.4.4 d=171.16.6.5
NAT: translation failed (A), dropping packet s=171.16.4.4 d=171.16.6.5
NAT: translation failed (A), dropping packet s=171.16.4.4 d=171.16.6.5

Note: The "(A)" in the debug output means that translation failed after routing occurred.

Note: In order to avoid this problem, configure the ip subnet-zero command in the NAT router. The command is enabled by default in Cisco IOS® Software Release 12.0. In earlier Cisco IOS software releases, it is not enabled by default. If the NAT is not configured properly when used with PAT, then NAT translation can fail. These are the NAT translation failure codes:

 A = Inside to outside fails after routing
 B = Outside to inside fails before routing
 C = Outside to inside fails after routing 
 D = Helpered fails 
 L = Internally generated packet fails 
 E = Inside to outside fails after routing

Related Information

Updated: Jan 28, 2008
Document ID: 13777