Task 7.2


The task does not explicitly allow PBR. Using "ip nat enable" could be a solution...



  • In my SG it allows, but does not actually allow adding an additional IP address to R2's Fa0/0 interface :/


  • I've tested this using local policy on SW1 sourcing from a loopback within the 172.16/16 range.


    *Mar  1 01:04:23.677: NAT: s=>, d= [2309]
    *Mar  1 01:04:23.741: NAT*: s=, d=> [2309]
    *Mar  1 01:04:23.745: NAT: s=>, d= [2310]
    *Mar  1 01:04:23.809: NAT*: s=, d=> [2310]


    Is the secondary address needed on R2? It would be if the hosts share the same VLAN used as transit between R2 and SW1 ...what the..?!

  • In the SG we are pinging R3. How is R3 supposed to find its way back to SW1? It has no route for 167.x.27.0/24. It would have if we did not change the IP address. I do see incoming ICMP packets on R3 though, so I know the NAT is working.

  • I missed that the IP should be added as secondary...

  • It took me some time to understand how this actually works; for those interested I put a packet walkthrough at http://mostlynetworking.wordpress.com/2012/01/20/nat-on-a-stick-3/

    Also note that the way the task is worded suggests you should overload F0/0 ("Your design team has allocated this customer the IP address"), not use a global pool.

  • I interpreted the wording the same. However, it is possible. This worked for me:


    ip access-list standard NAT_RULE

    ip access-list extended PROUTE_RULES
     deny ip host
     permit ip any
     permit ip any host

    interface Loopback0
     ip nat inside

    interface FastEthernet0/0
     ip address secondary
     ip nat outside
     ip policy route-map PROUTE_NAT

    route-map PROUTE_NAT
     match ip address PROUTE_RULES
     set ip next-hop

    ip nat inside source list NAT_RULE interface FastEthernet0/0 overload
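
    A complete, constructed instance of this NAT-on-a-stick pattern, added here for illustration and not taken from the SG or from the post above: the addresses are from the documentation ranges, the ACL and route-map names follow the post, and the pool name CUSTOMER is my own.

```ios
! Constructed addresses (documentation ranges), not the lab's:
!   inside host 192.0.2.10 and upstream gateway 192.0.2.254 share the Fa0/0 segment;
!   198.51.100.1 stands in for the address the design team allocated.
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
! The secondary address makes the router own 198.51.100.1 on the segment, so
! the upstream can deliver replies to it (primary must be entered first).
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip address 198.51.100.1 255.255.255.0 secondary
 ip nat outside
 ip policy route-map PROUTE_NAT
!
! Pass 1: the host's packet arrives on Fa0/0, an outside interface, so the
! inside->outside rule cannot fire. PBR hands it to a next hop inside the
! Loopback0 /30; it is sent out Loopback0 and comes back as if received on
! an inside interface.
! Pass 2: it is routed out Fa0/0 (outside) and its source becomes 198.51.100.1.
! Replies arriving on Fa0/0 are untranslated before PBR runs, so their source
! (the upstream) does not match the route-map and they go straight to the host.
! The deny keeps replies from the gateway itself out of the loopback loop.
ip access-list extended PROUTE_RULES
 deny   ip host 192.0.2.254 any
 permit ip 192.0.2.0 0.0.0.255 any
!
route-map PROUTE_NAT permit 10
 match ip address PROUTE_RULES
 set ip next-hop 10.255.255.2
!
ip access-list standard NAT_RULE
 permit 192.0.2.0 0.0.0.255
!
! A single-address pool is used because "interface FastEthernet0/0 overload"
! would translate to the primary address, not the secondary one.
ip nat pool CUSTOMER 198.51.100.1 198.51.100.1 prefix-length 24
ip nat inside source list NAT_RULE pool CUSTOMER overload
```

    Verify with "show ip nat translations" after sourcing traffic from the host segment; the entries should show 198.51.100.1 as the inside global address.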

  • NAT on a stick not working

    I am not sure why it's not working. I am not able to ping from SW1 as given in the SG verification; I had followed what is in the SG verification (configured local policy).

    Sw1# ping source

    The ping fails even when pinging SW2 with a source; a normal ping without a source works fine.

    interface Loopback0
     ip address
     ip nat inside
     ip virtual-reassembly
     ip ospf network point-to-point

    interface FastEthernet0/0
     ip address secondary
     ip address
     ip nat outside
     ip virtual-reassembly
     ip policy route-map routemap
     speed 100

    ip nat pool natpool prefix-length 24

    route-map routemap permit 10
     match ip address insidelocal
     set interface Loopback0

    ip nat inside source list insidelocal pool natpool
    ip access-list standard insidelocal

    Please, can someone help on this...
