Hi Cameron,

Thanks for your quick response.

I didn't get you what you mean by xlate table, could be please clear me about it?

Yes there are quite high translations on this IP, so how i can set the value to lower, could you please give me the command setp by step please?

If is sent the level to lower what are the possible causes?

And there are some denied rule hits, i saw in log (is it causing problem?).

Thanks in advance.

Regards,

Naidu.

Naidu,

It's not entirely clear from your post that it happens only for smtp server or for all the nat translations in Router. So next time this happens, check whether you are able to access other natted servers or not. There are few possibilities here. Either you are reaching maximum nat translation allowed by Router by default or you are hitting some bug. If it is the first case, then there are few commands which can alleviate this issue.

ip nat translation timeout xxx

ip nat translation tcp-timeout xxx

These two commands can delete inactive entries from NAT table to make space for newer one.

ip nat translation max-entries xxxx

This command allows you to tweak number of NAT translation allowed simultaneously.

But before using these, you need to determine what is the root cause of this issue. You can see Nat tables/statasitcs using command 'sh ip nat tr' and 'sh ip nat st'.

Hi Yagnesh,

Thank you very much for your reply.

I was facing problem with my smpt server nat only at all times and at the same time other nat's are working fine.

As you told it may be possible to me to configure the max-entries (NAT). But still I could not find the exact root cause of this issue. I need your help to find out the exact root cause, Please help me.

Is there any way to know that the maximum nat translations allowed by Router (Please find the below details about IOS, model)

Please find the below nat statics:

sh ip nat st

Total active translations: 3055 (19 static, 3036 dynamic; 3052 extended)

Outside interfaces:

FastEthernet0/0

Inside interfaces:

FastEthernet0/1

Hits: 486682368 Misses: 6613262

CEF Translated packets: 472312370, CEF Punted packets: 41256015

Expired translations: 12879103

Dynamic mappings:

-- Inside Source

[Id: 0] route-map PINP

[Id: 1] route-map nonat pool nonat refcount 2878

pool nonat: netmask 255.255.255.248

start 195.24.2.44 end 195.24.2.44

type generic, total addresses 1, allocated 1 (100%), misses 34570

-- Outside Destination

[Id: 0] route-map DKRGLDAP

Queued Packets: 0

#sh ver

Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2006 by Cisco Systems, Inc.

Compiled Sat 18-Nov-06 15:32 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

uptime is 4 weeks, 3 days, 6 hours, 7 minutes

System returned to ROM by power-on

System restarted at 07:57:41 UTC Fri Jul 17 2009

System image file is "flash:c1841-adventerprisek9-mz.124-11.T.bin"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Cisco 1841 (revision 6.0) with 236544K/25600K bytes of memory.

Processor board ID FCZ1037221E

2 FastEthernet interfaces

1 Virtual Private Network (VPN) Module

DRAM configuration is 64 bits wide with parity disabled.

191K bytes of NVRAM.

62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Thanks in advance.

Regards,

Naidu.

Naidu,

By default there is no limit on maximum number of NAT entries allowed simultaneously by router but each NAT entry requires about 160-312 bytes of memory, so the number of translations possible is limited by the amount of memory-DRAM available on the router. Also note that maximum number of allowed NAT translations is global setting which can not be configured/impose by router on per NAT entry basis.

There is a possibility that router may have run out of memory considering many high utilized entries in your configuration and it refuses to take any new NAT entry while still servicing existing NAT entries in its NAT table. So this may give you impression that only smtp server is not working (for which new NAT entries-connection may have requested) whereas others are working (existing entries). As suggested earlier, when you face this issue again, you should verify number of active translation (using sh ip nat st) and verify that count is increasing while trying new connection.

Also use bug toolkit to rule out any software glitch for this behavior.

Meanwhile there is no harm in reducing TCP translations time out (default 24 hours) to a shorter period using above command and see if that alleviate your issue.

Hi Yagnesh,

Well explaination, thank you very much for that.

I found in one blog that if we allowed ftp port with any NAT then it will give trouble, is that correct?

Regards,

Naidu.

For FTP, if server uses random ports for communication then it may give you trouble. But it's only limited to FTP translation. Other traslation entries should remain unaffected.