NAT problem?

Apr 14th, 2008

Hi,

I have a problem with my NAT on a 2611XM router.

After some time in use, I have no access to the outside from the inside; the NAT table (sh ip nat translation) is empty and NAT appears to no longer work. I do not understand what is happening!

The only solution is to reboot the router; once that is done, everything works properly.

Do you have any idea that could help solve the problem?

Thx.

mounir.mohamed Mon, 04/14/2008 - 06:16

Would you share your running configuration and the show proc mem and show ver output?

EricSACSO Mon, 04/14/2008 - 07:11

My running config:


no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RTR-SAGES-001
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 errors
logging console critical
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login vpn_xauth_ml_1 group radius local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip cef
ip tcp synwait-time 10
!
!
ip inspect audit-trail
ip inspect name INSPECT ...
audit-trail on
!
!
ip ips notify SDEE
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
spanning-tree portfast bpduguard
username Admin privilege 15 secret 5 *****
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN
 key *****
 dns 10.2.4.3
 wins 10.2.4.3
 domain vpn.priv
 pool Pool_VPN
 netmask 255.255.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map CMAP_1 client authentication list vpn_xauth_ml_1
crypto map CMAP_1 isakmp authorization list vpn_group_ml_1
crypto map CMAP_1 client configuration address respond
crypto map CMAP_1 65535 ipsec-isakmp dynamic DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Interface WAN
 ip address A.B.C.D 255.255.255.248
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect INSPECT out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map CMAP_1
!
interface FastEthernet0/1
 description Interface LAN
 ip address X.Y.Z.2 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect INSPECT in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
router rip
 version 2
 network A.B.C.D
 network X.Y.Z
!
ip local pool Pool_VPN 172.20.1.1 172.20.1.50
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip flow-export source FastEthernet0/1
ip flow-export version 5 origin-as
ip flow-export destination 192.168.99.101 2000
!
ip http server
ip http access-class 1
no ip http secure-server
ip nat translation timeout 300
ip nat translation tcp-timeout 30
ip nat translation pptp-timeout 65535
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat translation port-timeout tcp 21 3600
ip nat translation port-timeout tcp 20 3600
ip nat translation max-entries 65535
ip nat translation max-entries host X.Y.Z.40 2048
ip nat pool WEB X.Y.Z.80 X.Y.Z.90 netmask 255.255.255.0
ip nat inside source route-map RouteMAP_1 pool WEB overload
ip nat inside source static 172.18.171.34 X.Y.Z.40
!
logging trap errors
logging 192.168.99.101
access-list 100 remark ACL NAT - Route-MAP 1
*****
access-list 101 remark ACL Outside
****
access-list 102 remark ACL inside
****
access-list 103 remark VTY Access-class list
****
!
snmp-server community **** RO
snmp-server enable traps ....
snmp-server enable traps rtr
no cdp run
route-map RouteMAP_1 permit 1
 match ip address 100


EricSACSO Mon, 04/14/2008 - 07:13

Sh proc mem:

Processor Pool Total: 112400808 Used: 17107724 Free: 95293084
I/O Pool Total: 8388608 Used: 2043936 Free: 6344672


EricSACSO Mon, 04/14/2008 - 07:35

SH VER:

Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(5), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Mon 31-Oct-05 20:06 by alnguyen

ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)

RTR-SAGES-001 uptime is 8 hours, 29 minutes
System returned to ROM by reload
System image file is "flash:c2600-advsecurityk9-mz.124-5.bin"

Cisco 2611XM (MPC860P) processor (revision 4.1) with 253952K/8192K bytes of memory.
Processor board ID *
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Thx for help!

mounir.mohamed Mon, 04/14/2008 - 11:03

Actually, I was going to suggest it's a memory issue, but it's not; there is enough memory.

So, in order to isolate the problem, let's turn off the IP NAT translation time-out command and check how it goes. If this doesn't work, I think we are going to use some IPsec debug commands, but let's try the NAT time-out first.

You may accept or ignore my idea; I'm just trying to isolate the problem with you.
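
The timers the reply above proposes turning off, extracted from the posted configuration and set against the IOS defaults, each with the `no` command that reverts it. This is an added example, not part of the original thread: the function names are hypothetical, and the values in `IOS_DEFAULTS` are an assumption taken from the IOS command reference that should be confirmed for the release in use.

```python
import re

# Cisco IOS default NAT timers in seconds (assumption of this example,
# taken from the IOS command reference; confirm for your release).
IOS_DEFAULTS = {
    "timeout": 86400, "tcp-timeout": 86400, "pptp-timeout": 86400,
    "udp-timeout": 300, "finrst-timeout": 60, "dns-timeout": 60,
    "icmp-timeout": 60,
}

# NAT lines copied from the running config posted in this thread.
POSTED_CONFIG = """\
ip nat translation timeout 300
ip nat translation tcp-timeout 30
ip nat translation pptp-timeout 65535
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat translation port-timeout tcp 21 3600
ip nat translation port-timeout tcp 20 3600
ip nat translation max-entries 65535
"""

TIMER_RE = re.compile(
    r"^ip nat translation "
    r"(port-timeout (?:tcp|udp) \d+|(?:[a-z]+-)?timeout) (\d+)$"
)

def parse_timers(config):
    """Return {timer name: seconds}; non-timer lines (max-entries) are skipped."""
    timers = {}
    for line in config.splitlines():
        m = TIMER_RE.match(line.strip())
        if m:
            timers[m.group(1)] = int(m.group(2))
    return timers

def audit(config):
    """List every timer that differs from the default, with its revert command."""
    findings = []
    for name, secs in parse_timers(config).items():
        default = IOS_DEFAULTS.get(name)  # None: per-port override, no global default
        if secs != default:
            findings.append((name, secs, default, f"no ip nat translation {name}"))
    return findings

if __name__ == "__main__":
    for name, secs, default, revert in audit(POSTED_CONFIG):
        print(f"{name:22} {secs:>6}s  default={default}  ->  {revert}")
```

With the posted values, `tcp-timeout 30` is the largest departure from those defaults: idle TCP translations are aged out after 30 seconds rather than 24 hours.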

EricSACSO Tue, 04/15/2008 - 01:25

Thx for your help,

I will try to turn off the timeout command and we will see what happens!

The crash does not happen immediately, but after several days of use! Which complicates the matter further ...



mounir.mohamed Tue, 04/15/2008 - 01:30

OK, keep it under monitoring and give us feedback.
