Document ID: 13777
Updated: Jan 28, 2008
Introduction
This document discusses how Network Address Translation (NAT) pools are subject to subnet zero rules just like any other IP addresses.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Background Theory
When you configure a NAT pool such that the addresses within the pool are part of subnet zero, NAT translation fails.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: In order to find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).
Network Diagram
This document uses this network setup:
In this configuration example, the inside device has a default route of the NAT router. The outside device has a static route to an address to which the inside device is translated. The NAT router has this NAT configuration:
ip nat pool test 171.68.1.1 171.68.1.10 netmask 255.255.240.0
ip nat inside source list 7 pool test
interface s 0
 ip address 171.16.4.6 255.255.255.0
 ip nat inside
interface s 1
 ip address 171.16.6.6 255.255.255.0
 ip nat outside
access-list 7 permit host 171.16.4.4
Notice that the addresses in the NAT pool test are subnet zero addresses. The ping from the inside device to the outside device fails because no translation occurs. If you run the debug ip nat command on the NAT router, it reveals these messages:
NAT: translation failed (A), dropping packet s=171.16.4.4 d=171.16.6.5
NAT: translation failed (A), dropping packet s=171.16.4.4 d=171.16.6.5
NAT: translation failed (A), dropping packet s=171.16.4.4 d=171.16.6.5
NAT: translation failed (A), dropping packet s=171.16.4.4 d=171.16.6.5
NAT: translation failed (A), dropping packet s=171.16.4.4 d=171.16.6.5
Note: The "(A)" in the debug output means that translation failed after routing occurred.
Note: In order to avoid this problem, configure the ip subnet-zero command in the NAT router. The command is enabled by default in Cisco IOS® Software Release 12.0. In earlier Cisco IOS software releases, it is not enabled by default.

If the NAT is not configured properly when used with PAT, then NAT translation can fail. These are the NAT translation failure codes:

- A = Inside to outside fails after routing
- B = Outside to inside fails before routing
- C = Outside to inside fails after routing
- D = Helpered fails
- L = Internally generated packet fails
- E = Inside to outside fails after routing
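The pool test is in subnet zero because 171.68.0.0 is a Class B network and the 255.255.240.0 netmask leaves all four subnet bits of 171.68.1.1 at zero. The Python check below is an added example, not part of the original Cisco document; it flags ip nat pool lines whose range touches subnet zero. The second pool (ok) is a constructed sample and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the pool line from the configuration above, plus a
# hypothetical pool "ok" placed in a non-zero subnet of the same network.
SAMPLE_CONFIG = """\
ip nat pool test 171.68.1.1 171.68.1.10 netmask 255.255.240.0
ip nat pool ok 171.68.17.1 171.68.17.10 netmask 255.255.240.0
"""

POOL_RE = re.compile(
    r"^ip nat pool (\S+) (\S+) (\S+) (?:netmask (\S+)|prefix-length (\d+))", re.M)

def classful_prefix(addr):
    """Natural (classful) prefix length of an IPv4 address, None for class D/E."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    return None

def in_subnet_zero(addr, prefixlen):
    """True if addr lies in the first subnet of its classful network."""
    natural = classful_prefix(addr)
    if natural is None or prefixlen <= natural:
        return False  # network is not subnetted, so there is no subnet zero
    subnet_field = (1 << (prefixlen - natural)) - 1
    return (int(addr) >> (32 - prefixlen)) & subnet_field == 0

def audit_pools(config):
    """Return {pool_name: bool}; True means the pool touches subnet zero."""
    results = {}
    for name, start, end, mask, plen in POOL_RE.findall(config):
        prefixlen = (int(plen) if plen
                     else ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen)
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        results[name] = (in_subnet_zero(first, prefixlen)
                         or in_subnet_zero(last, prefixlen))
    return results

if __name__ == "__main__":
    for pool, flagged in audit_pools(SAMPLE_CONFIG).items():
        print(pool, "in subnet zero: requires ip subnet-zero" if flagged else "ok")
```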
Related Information
- Subnet Zero and the All-Ones Subnet
- Verifying NAT Operation and Basic NAT Troubleshooting
- NAT Order of Operation
- Configuring Network Address Translation: Getting Started
- Network Address Translation (NAT) Support Page
- IP Addressing and Application Services Support Page
- IP Routing Support Page
- Technical Support - Cisco Systems