Recently had a cutover where we copied a basic NAT configuration from one router to a new one. The configuration was very straightforward, similar to the below:
access-list 3 permit any log
ip nat inside source list 3 interface Loopback2 overload
During the cutover I wasn’t seeing any NAT translations building. Reviewed the config, seemed straightforward. Inside interface defined, outside interface defined, access list and an interface to overload. After staring at it for a while I noticed that the ACL had the ‘log’ keyword on the permit statement. Something told me this might be causing the issue. I removed the ‘log’ keyword from the ACL and the translations built immediately.
So what happened – what’s the big deal about logging the matching hits for the NAT ACL? When you put the ‘log’ keyword on an ACL it forces the router to process-switch the traffic that matches it. Process-switched traffic is not handled by NAT, so no translations are built for it. This is well documented in this Cisco FAQ: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html
I’m still not sure how this config worked on the old router; I still need to look at the entire config further, as there were some other differences (IOS version, IPS enabled, and some others), but it’s clear that you definitely shouldn’t use the ‘log’ keyword on your NAT ACLs.
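As an added check of my own (not from the post or from Cisco), here is a small Python script that parses the ACLs in an IOS-style config and flags any ACL referenced by an ‘ip nat … source list’ statement whose entries carry ‘log’ or ‘log-input’. It goes a bit beyond the post by handling named ACLs as well as numbered ones; the sample config is constructed for the example.

```python
import re

# Constructed sample config: the post's numbered ACL with 'log', a clean
# numbered ACL, and a named ACL that also logs, all referenced by NAT.
SAMPLE_CONFIG = """\
access-list 3 permit any log
access-list 10 permit 10.0.0.0 0.255.255.255
ip access-list extended NAT-INSIDE
 permit ip 192.168.0.0 0.0.255.255 any log
 deny ip any any
ip nat inside source list 3 interface Loopback2 overload
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
ip nat inside source list 10 interface GigabitEthernet0/1 overload
"""

NAT_SOURCE_LIST = re.compile(r"^ip nat (?:inside|outside) source list (\S+)")
NUMBERED_ACE = re.compile(r"^access-list (\S+) ((?:permit|deny) .*)$")
NAMED_ACL = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NAMED_ACE = re.compile(r"^\s+(?:\d+ )?((?:permit|deny) .*)$")
LOG_KEYWORD = re.compile(r"\blog(?:-input)?\b")  # 'log' or 'log-input' on an ACE

def parse_acls(config):
    """Map ACL name/number -> list of ACE strings (numbered and named ACLs)."""
    acls, current = {}, None
    for line in config.splitlines():
        if m := NUMBERED_ACE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
        elif m := NAMED_ACL.match(line):
            current = m.group(1)          # entering a named-ACL sub-mode
            acls.setdefault(current, [])
        elif current and (m := NAMED_ACE.match(line)):
            acls[current].append(m.group(1))
        elif not line.startswith(" "):
            current = None                # left the named-ACL sub-mode
    return acls

def logged_nat_acls(config):
    """(acl, ace) pairs where an ACL used by a NAT source list logs matches."""
    acls, findings = parse_acls(config), set()
    for line in config.splitlines():
        if m := NAT_SOURCE_LIST.match(line):
            for ace in acls.get(m.group(1), []):
                if LOG_KEYWORD.search(ace):
                    findings.add((m.group(1), ace))
    return sorted(findings)

if __name__ == "__main__":
    for acl, ace in logged_nat_acls(SAMPLE_CONFIG):
        print(f"ACL {acl} used by NAT has a logged entry, NAT will skip it: {ace}")
```

Run it against a saved `show running-config` before a cutover; any line it prints is an ACL whose matching traffic will be process-switched and never translated.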