Nat problem ?

EricSACSO
Level 1

Hi,

I have a problem with my NAT on a 2611XM router.

After some time of use, I have no access to the outside from the inside; the NAT table (sh ip nat translation) is empty and appears to no longer work. I do not understand what is happening!

The only solution is to reboot the router, once completed, everything is working properly.

Do you have an idea to help solve the problem?

Thx.


mounir.mohamed
Level 7

Would you share your running configuration and the show proc mem and show ver output?

My running config:

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RTR-SAGES-001
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 errors
logging console critical
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login vpn_xauth_ml_1 group radius local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip cef
ip tcp synwait-time 10
!
!
ip inspect audit-trail
ip inspect name INSPECT ...
audit-trail on
!
!
ip ips notify SDEE
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
spanning-tree portfast bpduguard
username Admin privilege 15 secret 5 *****
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN
 key *****
 dns 10.2.4.3
 wins 10.2.4.3
 domain vpn.priv
 pool Pool_VPN
 netmask 255.255.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map CMAP_1 client authentication list vpn_xauth_ml_1
crypto map CMAP_1 isakmp authorization list vpn_group_ml_1
crypto map CMAP_1 client configuration address respond
crypto map CMAP_1 65535 ipsec-isakmp dynamic DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Interface WAN
 ip address A.B.C.D 255.255.255.248
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect INSPECT out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map CMAP_1
!
interface FastEthernet0/1
 description Interface LAN
 ip address X.Y.Z.2 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect INSPECT in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
router rip
 version 2
 network A.B.C.D
 network X.Y.Z
!
ip local pool Pool_VPN 172.20.1.1 172.20.1.50
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip flow-export source FastEthernet0/1
ip flow-export version 5 origin-as
ip flow-export destination 192.168.99.101 2000
!
ip http server
ip http access-class 1
no ip http secure-server
ip nat translation timeout 300
ip nat translation tcp-timeout 30
ip nat translation pptp-timeout 65535
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat translation port-timeout tcp 21 3600
ip nat translation port-timeout tcp 20 3600
ip nat translation max-entries 65535
ip nat translation max-entries host X.Y.Z.40 2048
ip nat pool WEB X.Y.Z.80 X.Y.Z.90 netmask 255.255.255.0
ip nat inside source route-map RouteMAP_1 pool WEB overload
ip nat inside source static 172.18.171.34 X.Y.Z.40
!
logging trap errors
logging 192.168.99.101
access-list 100 remark ACL NAT - Route-MAP 1
*****
access-list 101 remark ACL Outside
****
access-list 102 remark ACL inside
****
access-list 103 remark VTY Access-class list
****
!
snmp-server community **** RO
snmp-server enable traps ....
snmp-server enable traps rtr
no cdp run
route-map RouteMAP_1 permit 1
 match ip address 100

Sh proc mem:

Processor Pool Total: 112400808 Used: 17107724 Free: 95293084
I/O Pool Total: 8388608 Used: 2043936 Free: 6344672

SH VER:

Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(5), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Mon 31-Oct-05 20:06 by alnguyen
ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
RTR-SAGES-001 uptime is 8 hours, 29 minutes
System returned to ROM by reload
System image file is "flash:c2600-advsecurityk9-mz.124-5.bin"
Cisco 2611XM (MPC860P) processor (revision 4.1) with 253952K/8192K bytes of memory.
Processor board ID *
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102

Thx for help !

Actually, I was going to suggest it's a memory issue, but it's not; there is enough memory.

So, in order to isolate the problem, let's turn off the ip nat translation timeout command and check how it goes. If this doesn't work, I think we are going to use some IPsec debug commands, but let's try the NAT timeout first.

You may accept or ignore my idea; I'm just trying to isolate the problem with you.

Thx for your help,

I will try to turn off timeout command and we will see what happens !

The crash does not happen immediately, but after several days of use! What complicates the matter further ...

Ok, keep it under monitoring and feed us back.
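
For the monitoring step that closes the thread, an added example (not posted by either participant, and not Cisco tooling): it classifies periodic captures of `show ip nat statistics` so the moment the table is lost can be pinned down. It assumes the summary-line format shown in the regex, that the captures are collected by some external poller, and that the static `ip nat inside source static` entry in the posted configuration normally appears as one static translation; the sample captures are constructed.

```python
import re

# Assumed shape of the summary line in `show ip nat statistics` output.
SUMMARY = re.compile(
    r"Total active translations:\s*(\d+)\s*"
    r"\((\d+) static,\s*(\d+) dynamic;\s*(\d+) extended\)"
)

def parse_summary(output):
    """Return translation counts from one capture, or None if absent."""
    m = SUMMARY.search(output)
    if m is None:
        return None
    total, static, dynamic, extended = (int(g) for g in m.groups())
    return {"total": total, "static": static,
            "dynamic": dynamic, "extended": extended}

def assess(output, expected_static=1):
    """Classify one capture: ok, idle, nat-table-lost or unparsed."""
    counts = parse_summary(output)
    if counts is None:
        return "unparsed"
    # A configured static entry that is missing points at NAT itself,
    # not at a quiet LAN or at entries ageing out.
    if counts["static"] < expected_static:
        return "nat-table-lost"
    if counts["dynamic"] == 0:
        return "idle"
    return "ok"

def first_loss(captures, expected_static=1):
    """Return the timestamp of the first capture showing a lost table."""
    for timestamp, output in captures:
        if assess(output, expected_static) == "nat-table-lost":
            return timestamp
    return None

# Constructed sample captures (not taken from the router in the thread).
CAPTURES = [
    ("day1 09:00", "Total active translations: 41 (1 static, 40 dynamic; 40 extended)"),
    ("day1 23:00", "Total active translations: 1 (1 static, 0 dynamic; 0 extended)"),
    ("day4 10:15", "Total active translations: 0 (0 static, 0 dynamic; 0 extended)"),
]

if __name__ == "__main__":
    for ts, out in CAPTURES:
        print(ts, assess(out))
    print("first loss at:", first_loss(CAPTURES))
```

Correlating the returned timestamp with the syslog messages sent to the logging host narrows down what the router was doing when NAT stopped.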
