Document ID: 13777
This document discusses how Network Address Translation (NAT) pools are subject to subnet zero rules just like any other IP addresses.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
When you configure a NAT pool such that the addresses within the pool are part of subnet zero, NAT translation fails.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
This document uses this network setup:
In this configuration example, the inside device has a default route that points to the NAT router. The outside device has a static route to an address to which the inside device is translated. The NAT router has this NAT configuration:
ip nat pool test 22.214.171.124 126.96.36.199 netmask 255.255.240.0
ip nat inside source list 7 pool test
interface s 0
 ip address 188.8.131.52 255.255.255.0
 ip nat inside
interface s 1
 ip address 184.108.40.206 255.255.255.0
 ip nat outside
access-list 7 permit host 220.127.116.11
Notice that the addresses in the NAT pool test are subnet zero addresses. The ping from the inside device to the outside device fails because no translation occurs. If you run the debug ip nat command on the NAT router, it reveals these messages:
NAT: translation failed (A), dropping packet s=18.104.22.168 d=22.214.171.124
NAT: translation failed (A), dropping packet s=126.96.36.199 d=188.8.131.52
NAT: translation failed (A), dropping packet s=184.108.40.206 d=220.127.116.11
NAT: translation failed (A), dropping packet s=18.104.22.168 d=22.214.171.124
NAT: translation failed (A), dropping packet s=126.96.36.199 d=188.8.131.52
Note: The "(A)" in the debug output means that translation failed after routing occurred.
Note: In order to avoid this problem, configure the ip subnet-zero command in the NAT router. The command is enabled by default in Cisco IOS® Software Release 12.0. In earlier Cisco IOS software releases, it is not enabled by default.

If the NAT is not configured properly when used with PAT, then NAT translation can fail. These are the NAT translation failure codes:
- A = Inside to outside fails after routing
- B = Outside to inside fails before routing
- C = Outside to inside fails after routing
- D = Helpered fails
- L = Internally generated packet fails
- E = Inside to outside fails after routing
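The following is an added example, not part of the original document or Cisco code: it audits a configuration for `ip nat pool` entries that fall in subnet zero of their classful network while subnet zero is not allowed, which is the condition described above. The function names, the `default_enabled` parameter, and the sample addresses are assumptions made for illustration; only the `netmask` form of `ip nat pool` shown in this document is parsed.

```python
import ipaddress
import re

POOL_RE = re.compile(r"^[ \t]*ip nat pool (\S+) (\S+) (\S+) netmask (\S+)[ \t]*$", re.M)

def classful_prefix(addr):
    """Classful prefix length of an IPv4 address: class A=8, B=16, C=24."""
    first_octet = int(addr) >> 24
    for upper, plen in ((128, 8), (192, 16), (224, 24)):
        if first_octet < upper:
            return plen
    raise ValueError(f"{addr} is class D/E and has no classful network")

def pool_subnet_kind(start, end, netmask):
    """Return 'subnet-zero', 'all-ones', 'ordinary' or 'not-subnetted'."""
    subnet = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first or last not in subnet:
        raise ValueError("pool does not fit inside one subnet of this mask")
    plen = classful_prefix(first)
    if subnet.prefixlen <= plen:
        return "not-subnetted"  # mask is no longer than the classful mask
    major = subnet.supernet(new_prefix=plen)
    if subnet.network_address == major.network_address:
        return "subnet-zero"    # every subnet bit is 0
    if subnet.broadcast_address == major.broadcast_address:
        return "all-ones"       # every subnet bit is 1
    return "ordinary"

def subnet_zero_allowed(config, default_enabled):
    """An explicit '[no] ip subnet-zero' wins; otherwise use the release default."""
    lines = [line.strip() for line in config.splitlines()]
    if "no ip subnet-zero" in lines:
        return False
    return "ip subnet-zero" in lines or default_enabled

def audit_nat_pools(config, default_enabled=False):
    """List NAT pools that sit in subnet zero while subnet zero is not allowed."""
    if subnet_zero_allowed(config, default_enabled):
        return []
    return [name for name, start, end, mask in POOL_RE.findall(config)
            if pool_subnet_kind(start, end, mask) == "subnet-zero"]

# Constructed sample configuration (addresses are not from the original page).
SAMPLE = """\
ip nat pool test 172.16.0.1 172.16.15.254 netmask 255.255.240.0
ip nat pool ok 172.16.16.1 172.16.31.254 netmask 255.255.240.0
ip nat inside source list 7 pool test
"""
```

Calling `audit_nat_pools(SAMPLE)` reports the pool `test`; set `default_enabled=True` when the release enables ip subnet-zero by default.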
Updated: Jan 28, 2008