NAT problem?

Unanswered Question
Apr 14th, 2008

I have a problem with my NAT on a 2611XM router.

After some time in use, I have no access to the outside from the inside; the NAT table (sh ip nat translation) is empty and no longer appears to work. I do not understand what is happening!

The only solution is to reboot the router; once that is done, everything works properly.

Do you have any ideas to help solve the problem?


mounir.mohamed Mon, 04/14/2008 - 06:16

Would you share your running configuration and the show proc mem and show ver output?

EricSACSO Mon, 04/14/2008 - 07:11

My running config:

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers


hostname RTR-SAGES-001





security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 errors

logging console critical

enable secret 5 *****


aaa new-model



aaa authentication login vpn_xauth_ml_1 group radius local

aaa authorization network vpn_group_ml_1 local


aaa session-id common


resource policy


no network-clock-participate slot 1

no network-clock-participate wic 0

no ip source-route

no ip cef

ip tcp synwait-time 10



ip inspect audit-trail

ip inspect name INSPECT ...

audit-trail on



ip ips notify SDEE

no ip bootp server

ip ssh time-out 60

ip ssh authentication-retries 2






spanning-tree portfast bpduguard

username Admin privilege 15 secret 5 *****




crypto isakmp policy 1

hash md5

authentication pre-share

group 2


crypto isakmp client configuration group VPN

key *****



domain vpn.priv

pool Pool_VPN




crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac


crypto dynamic-map DYNMAP_1 1

set transform-set ESP-3DES-SHA




crypto map CMAP_1 client authentication list vpn_xauth_ml_1

crypto map CMAP_1 isakmp authorization list vpn_group_ml_1

crypto map CMAP_1 client configuration address respond

crypto map CMAP_1 65535 ipsec-isakmp dynamic DYNMAP_1




interface Null0

no ip unreachables


interface FastEthernet0/0

description Interface WAN

ip address A.B.C.D

ip access-group 102 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip inspect INSPECT out

ip nat outside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no mop enabled

crypto map CMAP_1


interface FastEthernet0/1

description Interface LAN

ip address X.Y.Z.2

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip inspect INSPECT in

ip nat inside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no mop enabled


router rip

version 2

network A.B.C.D

network X.Y.Z


ip local pool Pool_VPN

ip route FastEthernet0/0

ip flow-export source FastEthernet0/1

ip flow-export version 5 origin-as

ip flow-export destination 2000


ip http server

ip http access-class 1

no ip http secure-server

ip nat translation timeout 300

ip nat translation tcp-timeout 30

ip nat translation pptp-timeout 65535

ip nat translation udp-timeout 30

ip nat translation finrst-timeout 30

ip nat translation dns-timeout 10

ip nat translation icmp-timeout 10

ip nat translation port-timeout tcp 21 3600

ip nat translation port-timeout tcp 20 3600

ip nat translation max-entries 65535

ip nat translation max-entries host X.Y.Z.40 2048

ip nat pool WEB X.Y.Z.80 X.Y.Z.90 netmask

ip nat inside source route-map RouteMAP_1 pool WEB overload

ip nat inside source static X.Y.Z.40


logging trap errors


access-list 100 remark ACL NAT - Route-MAP 1


access-list 101 remark ACL Outside


access-list 102 remark ACL inside


access-list 103 remark VTY Access-class list



snmp-server community **** RO

snmp-server enable traps ....

snmp-server enable traps rtr

no cdp run

route-map RouteMAP_1 permit 1

match ip address 100

EricSACSO Mon, 04/14/2008 - 07:13

Sh proc mem:

Processor Pool Total: 112400808 Used: 17107724 Free: 95293084

I/O Pool Total: 8388608 Used: 2043936 Free: 6344672

EricSACSO Mon, 04/14/2008 - 07:35


Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(5), RELEASE SOFTWARE (fc3)

Technical Support:

Copyright (c) 1986-2005 by Cisco Systems, Inc.

Compiled Mon 31-Oct-05 20:06 by alnguyen

ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)

RTR-SAGES-001 uptime is 8 hours, 29 minutes

System returned to ROM by reload

System image file is "flash:c2600-advsecurityk9-mz.124-5.bin"

Cisco 2611XM (MPC860P) processor (revision 4.1) with 253952K/8192K bytes of memory.

Processor board ID *

M860 processor: part number 5, mask 2

2 FastEthernet interfaces

32K bytes of NVRAM.

32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Thanks for the help!

mounir.mohamed Mon, 04/14/2008 - 11:03

Actually, I was going to suggest it's a memory issue, but it's not; there is enough memory.

So, in order to isolate the problem, let's turn off the IP NAT translation time-out command and check how it goes. If this doesn't work, I think we are going to use some IPsec debug commands, but let's try the NAT time-out first.

You may accept or ignore my idea; I'm just trying to isolate the problem with you.
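The isolation step suggested above, worked through as an added example that is not part of any poster's message: it compares the NAT timer lines from the posted running config against the documented IOS defaults and builds the `no` commands that revert them. The default values and function names are assumptions of this example; confirm the defaults for your IOS release.

```python
import re

# Documented IOS defaults (seconds) for "ip nat translation <timer>".
# Assumption of this example: verify against the command reference for your release.
IOS_DEFAULTS = {
    "timeout": 86400, "tcp-timeout": 86400, "pptp-timeout": 86400,
    "udp-timeout": 300, "finrst-timeout": 60, "syn-timeout": 60,
    "dns-timeout": 60, "icmp-timeout": 60,
}

# NAT timer lines copied from the running config posted in this thread.
POSTED_CONFIG = """\
ip nat translation timeout 300
ip nat translation tcp-timeout 30
ip nat translation pptp-timeout 65535
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat translation port-timeout tcp 21 3600
ip nat translation port-timeout tcp 20 3600
ip nat translation max-entries 65535
"""

TIMER_RE = re.compile(r"^\s*ip nat translation (\S+) (\d+|never)\s*$")

def audit_nat_timers(config):
    """Return (timer, configured, default) for each timer that differs from its default."""
    findings = []
    for line in config.splitlines():
        m = TIMER_RE.match(line)
        if not m or m.group(1) not in IOS_DEFAULTS:
            continue  # port-timeout and max-entries lines have no default to compare
        timer, value = m.group(1), m.group(2)
        default = IOS_DEFAULTS[timer]
        if value == "never" or int(value) != default:
            findings.append((timer, value, default))
    return findings

def rollback_commands(findings):
    """IOS config-mode lines that return each flagged timer to its default."""
    return ["no ip nat translation %s" % timer for timer, _, _ in findings]

if __name__ == "__main__":
    found = audit_nat_timers(POSTED_CONFIG)
    for timer, value, default in found:
        print("%-15s configured=%-6s default=%d" % (timer, value, default))
    print("\n".join(["configure terminal"] + rollback_commands(found) + ["end"]))
```

After applying the generated lines, `show ip nat translations` and `show ip nat statistics` show whether entries are being created again.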

EricSACSO Tue, 04/15/2008 - 01:25

Thanks for your help,

I will try to turn off the timeout command and we will see what happens!

The crash does not happen immediately, but after several days of use! That complicates the matter further ...

mounir.mohamed Tue, 04/15/2008 - 01:30

OK, keep it under monitoring and give us feedback.

