I've encountered a really odd issue. Here's the situation:
Two routers: 2821 (R1) and 2811 (R2). R1 is the main router that carries to-Internet traffic. R2 is a VPN gateway, being also a default gateway for one VLAN (say VLAN111, 10.111.222.0/24). R2 is hosting an IPSec tunnel and routes multicast traffic from VLAN111 to a certain destination (R1 has multicast routing disabled). R2 is separated from the rest of the network - it doesn't participate in any routing protocols, it simply uses R1 as its gateway. Currently there's only one user on VLAN111 - say 10.111.222.99. We use private IP addresses internally - R1 does NAT for the internal users, so traffic is sourced from its main public IP address. R1 is also a VPN gateway for remote clients (using Cisco VPN client) - it listens for the VPN client requests on the same public IP address. Suddenly, I received a notification that users are unable to connect to R1 using their VPN clients. This is what I found on R1:
# show ip nat translations | inc 10.111
--- [public IP]:0 10.111.222.99:0 --- ---
Which is nothing else but a 1-to-1 static NAT that captures the main public IP and NATs it to an IP on VLAN111. I did some sanity checks, went through the configuration archive and running-config, and I found nothing related to this. Is there any reasonable explanation why such translation can appear suddenly? Or is it a bug? This has happened two times already during the last few weeks. It wasn't happening when there were no users on VLAN111. Nothing related to this on the switches either (all Catalyst 4948).
R1: (C2800NM-ADVIPSERVICESK9-M), Version 12.4(3d), RELEASE SOFTWARE (fc3)
R2: (C2800NM-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
I must note that although it looks like a static NAT translation, it is a dynamic one and the problem goes away as soon as I do "clear ip nat translation *" - but reappears after a few weeks.
Did anyone experience this before?
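A small check added here (not the poster's code) that parses text in the shape of `show ip nat translations` and flags the kind of entry quoted above: a protocol-less, port-0 translation that maps the router's whole public address to one inside host. The public IP 203.0.113.1 and the sample lines are constructed placeholders, not values from the post.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of "show ip nat translations" output.
# 203.0.113.1 stands in for R1's main public IP (placeholder, not from the post).
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:1025   10.0.5.20:51234    198.51.100.7:443   198.51.100.7:443
udp 203.0.113.1:53011  10.0.5.21:53011    198.51.100.9:53    198.51.100.9:53
--- 203.0.113.1:0      10.111.222.99:0    ---                ---
"""

MAIN_PUBLIC_IP = "203.0.113.1"  # placeholder for the address R1 NATs from and listens on


@dataclass
class NatEntry:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


def split_addr(field: str) -> Tuple[Optional[str], Optional[int]]:
    """'a.b.c.d:port' -> (addr, port); bare address -> (addr, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    if ":" in field:
        addr, port = field.rsplit(":", 1)
        return addr, int(port)
    return field, None


def parse_nat_table(text: str) -> List[NatEntry]:
    """Parse the five-column translation lines; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue
        entries.append(NatEntry(*cols))
    return entries


def find_full_address_entries(entries: List[NatEntry], public_ip: str = MAIN_PUBLIC_IP) -> List[NatEntry]:
    """Return entries with no protocol and no port (or port 0) whose inside-global
    address is the router's own public IP. Such an entry maps the whole public
    address to a single inside host, which matches the symptom in the post."""
    flagged = []
    for e in entries:
        addr, port = split_addr(e.inside_global)
        if e.proto == "---" and addr == public_ip and port in (None, 0):
            flagged.append(e)
    return flagged
```

Running `find_full_address_entries(parse_nat_table(output))` on a periodic capture gives an alert before users report VPN failures.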