NAT issue with IOS-FW

Unanswered Question
Aug 13th, 2009

Hi All,

I am getting a NAT issue every 15 days; we have the NAT statements below configured on one of our IOS-FW 1841 routers.

We have the NAT below for one of our SMTP servers. When I get a complaint saying incoming mail traffic is not working, I have to remove the NAT and re-add it, and then it works fine (I think that's not fair). So I have to dig into root-cause analysis of why this is happening.

I guess it seems like the NAT is getting stuck. Experts, can someone please help me?

Especially, every time I get a problem it is with the NAT below; if I remove and re-add it then it works fine.

ip nat inside source static tcp 192.168.115.20 25 195.24.2.79 25 extendable

ip nat inside source static tcp 10.146.5.30 443 195.24.2.79 443 extendable

ip nat inside source static tcp 10.10.10.11 1503 195.24.2.79 1503 extendable

ip nat inside source static tcp 10.10.6.40 1741 195.24.2.79 1741 extendable

ip nat inside source static tcp 10.10.1.10 3299 195.24.2.79 3299 extendable

ip nat pool nonat 195.24.2.44 195.24.2.44 netmask 255.255.255.244

ip nat source static 195.24.2.53 10.10.10.11 route-map FKRDLDAP extendable

ip nat source static 10.28.2.11 195.24.2.53 route-map FKRDLDAP extendable

ip nat inside source route-map nonat pool nonat overload

ip nat inside source static tcp 192.168.115.30 80 195.24.2.53 80 extendable

ip nat inside source static tcp 10.10.10.11 389 195.24.2.53 389 extendable

ip nat inside source static tcp 192.168.115.30 443 195.24.2.53 443 extendable

ip nat inside source static tcp 10.13.2.10 21 195.24.2.79 21 extendable

ip nat inside source static tcp 192.168.115.20 25 195.24.2.79 25 extendable

ip nat inside source static tcp 10.146.5.30 443 195.24.2.79 443 extendable

ip nat inside source static tcp 10.10.10.11 1503 195.24.2.79 1503 extendable

ip nat inside source static tcp 10.10.6.40 1741 195.24.2.79 1741 extendable

ip nat inside source static tcp 10.10.1.10 3299 195.24.2.79 3299 extendable

ip nat inside source static 10.29.2.140 195.24.3.80 extendable

ip nat inside source static 10.146.5.100 195.24.2.36 extendable

Regards,

Naidu.

cameron.moody Thu, 08/13/2009 - 22:54

Have you tried doing a "show ip nat statistics" at the time of the problem?

Maybe you are using up the xlate table so it can't do any more (or you have it set to a lower than required value?).

May also be worth a shot to do a "show ip nat translations" and then do a | incl of your mail server to see how many it is actually using as well.

Does anything show up in a show log as well to indicate the above? That is, if you have the appropriate logging level set. Oh, and it will probably appear a bit before you get a call to say things are broken too :P

If the above isn't it then maybe a debug ip nat may be in order?

HTH

Cameron

ilnaiduccna Fri, 08/14/2009 - 01:55

Hi Cameron,

Thanks for your quick response.

I didn't get what you mean by xlate table; could you please clarify it for me?

Yes, there are quite a lot of translations on this IP, so how can I set the value lower? Could you please give me the commands step by step?

If I set the level lower, what are the possible causes?

And there are some denied rule hits I saw in the log (are they causing the problem?).

Thanks in advance.

Regards,

Naidu.

yagnesh_tel Fri, 08/14/2009 - 06:49

Naidu,

It's not entirely clear from your post whether it happens only for the SMTP server or for all the NAT translations in the router. So next time this happens, check whether you are able to access the other NATted servers or not. There are a few possibilities here. Either you are reaching the maximum NAT translations allowed by the router by default, or you are hitting some bug. If it is the first case, then there are a few commands which can alleviate this issue.

ip nat translation timeout xxx

ip nat translation tcp-timeout xxx

These two commands delete inactive entries from the NAT table to make space for newer ones.

ip nat translation max-entries xxxx

This command allows you to tweak the number of NAT translations allowed simultaneously.

But before using these, you need to determine the root cause of this issue. You can see the NAT table/statistics using the commands 'sh ip nat tr' and 'sh ip nat st'.

ilnaiduccna Mon, 08/17/2009 - 03:53

Hi Yagnesh,

Thank you very much for your reply.

I was facing the problem with my SMTP server NAT only, at all times, and at the same time the other NATs are working fine.

As you said, it may be possible for me to configure the max-entries (NAT). But I still could not find the exact root cause of this issue. I need your help to find the exact root cause. Please help me.

Is there any way to know the maximum NAT translations allowed by the router? (Please find below the details about the IOS and model.)

Please find the NAT statistics below:

sh ip nat st

Total active translations: 3055 (19 static, 3036 dynamic; 3052 extended)

Outside interfaces:

FastEthernet0/0

Inside interfaces:

FastEthernet0/1

Hits: 486682368 Misses: 6613262

CEF Translated packets: 472312370, CEF Punted packets: 41256015

Expired translations: 12879103

Dynamic mappings:

-- Inside Source

[Id: 0] route-map PINP

[Id: 1] route-map nonat pool nonat refcount 2878

pool nonat: netmask 255.255.255.248

start 195.24.2.44 end 195.24.2.44

type generic, total addresses 1, allocated 1 (100%), misses 34570

-- Outside Destination

[Id: 0] route-map DKRGLDAP

Queued Packets: 0

#sh ver

Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2006 by Cisco Systems, Inc.

Compiled Sat 18-Nov-06 15:32 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

uptime is 4 weeks, 3 days, 6 hours, 7 minutes

System returned to ROM by power-on

System restarted at 07:57:41 UTC Fri Jul 17 2009

System image file is "flash:c1841-adventerprisek9-mz.124-11.T.bin"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

[email protected].

Cisco 1841 (revision 6.0) with 236544K/25600K bytes of memory.

Processor board ID FCZ1037221E

2 FastEthernet interfaces

1 Virtual Private Network (VPN) Module

DRAM configuration is 64 bits wide with parity disabled.

191K bytes of NVRAM.

62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Thanks in advance.

Regards,

Naidu.

yagnesh_tel Mon, 08/17/2009 - 07:50

Naidu,

By default there is no limit on the maximum number of NAT entries allowed simultaneously by the router, but each NAT entry requires about 160-312 bytes of memory, so the number of translations possible is limited by the amount of DRAM available on the router. Also note that the maximum number of allowed NAT translations is a global setting which cannot be configured or imposed by the router on a per-NAT-entry basis.

There is a possibility that the router may have run out of memory, considering the many highly utilized entries in your configuration, and that it refuses to take any new NAT entry while still servicing the existing NAT entries in its NAT table. So this may give you the impression that only the SMTP server is not working (for which new NAT entries/connections may have been requested) whereas the others are working (existing entries). As suggested earlier, when you face this issue again, you should verify the number of active translations (using sh ip nat st) and verify that the count is increasing while trying a new connection.

Also use the Bug Toolkit to rule out any software glitch for this behavior.

Meanwhile there is no harm in reducing the TCP translation timeout (default 24 hours) to a shorter period using the above command and seeing if that alleviates your issue.
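Added example (not from the thread): a small Python script that parses two "show ip nat statistics" snapshots in the format Naidu posted and applies the check suggested above, i.e. whether the translation table actually moves while new connections are attempted. The snapshot values are constructed, and the 312-byte figure is only the upper bound quoted in the reply, not something the router reports.

```python
import re

# Constructed sample snapshots in the "show ip nat statistics" format Naidu
# posted: one taken while mail works, one during the outage (values made up).
SNAPSHOT_OK = """\
Total active translations: 3055 (19 static, 3036 dynamic; 3052 extended)
Hits: 486682368  Misses: 6613262
Expired translations: 12879103
 [Id: 1] route-map nonat pool nonat refcount 2878
  type generic, total addresses 1, allocated 1 (100%), misses 34570
"""
SNAPSHOT_OUTAGE = """\
Total active translations: 3055 (19 static, 3036 dynamic; 3052 extended)
Hits: 486702368  Misses: 6614962
Expired translations: 12879103
 [Id: 1] route-map nonat pool nonat refcount 2878
  type generic, total addresses 1, allocated 1 (100%), misses 34990
"""

COUNTERS = {
    "active": r"Total active translations: (\d+)",
    "misses": r"Misses: (\d+)",
    "expired": r"Expired translations: (\d+)",
    "pool_misses": r"allocated \d+ \(\d+%\), misses (\d+)",
}

def parse_nat_stats(text):
    """Extract the counters relevant to table exhaustion; None if absent."""
    found = {}
    for name, regex in COUNTERS.items():
        m = re.search(regex, text)
        found[name] = int(m.group(1)) if m else None
    return found

def diagnose(before_text, after_text, bytes_per_entry=312):
    """Compare two snapshots taken around a new-connection attempt.

    'stuck' is true when packets kept missing the table (new flows arrived)
    yet neither the active nor the expired counter moved, i.e. the router is
    not installing new translations. 'pool_pressure' flags growing misses on
    the single-address overload pool. 'table_bytes_max' is an estimate using
    the 160-312 bytes-per-entry figure from the thread (upper bound assumed).
    """
    b, a = parse_nat_stats(before_text), parse_nat_stats(after_text)
    new_flows = a["misses"] > b["misses"]
    table_moved = a["active"] != b["active"] or a["expired"] != b["expired"]
    return {
        "stuck": new_flows and not table_moved,
        "pool_pressure": a["pool_misses"] > b["pool_misses"],
        "table_bytes_max": a["active"] * bytes_per_entry,
    }

if __name__ == "__main__":
    print(diagnose(SNAPSHOT_OK, SNAPSHOT_OUTAGE))
```

Take the snapshots a few seconds apart while a mail client tries to connect, so a flat table with rising misses can be attributed to that attempt.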

ilnaiduccna Mon, 08/17/2009 - 21:31

Hi Yagnesh,

Well explained, thank you very much for that.

I found in one blog that if we allow the FTP port with any NAT then it will give trouble; is that correct?

Regards,

Naidu.

yagnesh_tel Tue, 08/18/2009 - 07:48

For FTP, if the server uses random ports for communication then it may give you trouble. But it's only limited to the FTP translation. Other translation entries should remain unaffected.
