Internet Access Problem

Unanswered Question
May 26th, 2010

Dear All,

  In my network, one distribution switch, a firewall and routers are connected. Through the DS all access switches are connected. The firewall's inside interface is connected to the DS and the outside is connected to the router. The thing is, everyone is able to access the internet with good speed, and at the same time static and dynamic IPs are translating private to public and vice versa. In this environment, dynamically NATted IP users are suddenly unable to access the internet, while there is no issue with statically NATted IPs. Once I issue the shut and no shut commands on the WAN interface of the router, dynamic users are again able to access the internet. What happened during that interval no one knows; there are even CRC and input errors being generated on the firewall as well as on the router. And there are no logs found from that time.

   Can anyone help me with this? It has been happening for the last few months and it is becoming a headache for us.

spremkumar Thu, 05/27/2010 - 03:20


Did you check the logs in both the router and the firewall when this problem occurs? The logs may provide you with a clue about what is happening during the network freeze for your dynamic NAT users.


md farook Thu, 05/27/2010 - 04:26

There are no logs found in the firewall as well as in the routers.

One more thing I have observed is that in ip nat pool cisco x.x.x.x x.x.x.x mask, both the first and last IPs are the same.

When I look at the NAT translations using the command show ip nat translation, the last port shown is 65412. Up to this port only one public IP is in use; I have not seen any other public IP. Is there any issue with NATting?

rajatsetia Thu, 05/27/2010 - 04:40


I think you are using NAT overload, and the problem could be that you have reached the maximum number of TCP ports that can be used for NAT overload/PAT (port address translation) connections.

As you have mentioned, the first and last IP in the NAT pool are the same, which means only one IP has been used for NAT overload, and that is why it gets fully utilized when you reach the limit on the number of TCP ports that can be used for PAT.

You can do a couple of things:

- Increase the number of IPs in the NAT IP pool

- Check the xlate (NAT connection) timeout; I hope it's the default, and if not it should not be too high. This may lead to many "not in use" translation entries in the table.

Hope this helps

Kind Regards,

Federico Coto F... Thu, 05/27/2010 - 04:40


If the pool of NAT addresses has the same first and last IP, it's because you're doing PAT.

Can you post the configuration?


md farook Thu, 05/27/2010 - 04:57

ip nat pool BPO x.x.x.215 x.x.x.215 netmask

ip nat inside source list Internet pool BPO overload

Federico Coto F... Thu, 05/27/2010 - 05:04

You said the inside users are getting translated back and forth fine, correct?

What is the problem you're seeing exactly?


md farook Thu, 05/27/2010 - 05:25


Sometimes dynamically NATted users are not able to access the internet for a period of time; after a few minutes they are able to access it again.

Federico Coto F... Thu, 05/27/2010 - 05:32

While this happens, do they re-establish Internet access on their own? Or do you have to do a reset of some sort?

What do you get on ''sh ip nat statistics''?

Do a test...

Try to PING the default gateway of the router from a working user. That is the IP that shows under ''sh ip route'' for ip route x.x.x.x.

If the working user can PING that IP, then try a non-working user PINGing that IP when the Internet fails.

I want to see if, when the Internet fails, the user not able to get to the Internet is still able to PING the router's default gateway.

With this test, we will determine whether, when the Internet fails, the problem is indeed the router or perhaps something else.


md farook Thu, 05/27/2010 - 05:43

1. When I issue the shut/no shut command on the router's interface or remove the cable from the router port, the result is that everyone is able to access the Internet.


Total active translations: 800 (10 static, 790 dynamic; 792 extended)
Outside interfaces:
Inside interfaces:
Hits: 62362023  Misses: 0
CEF Translated packets: 61675320, CEF Punted packets: 686880
Expired translations: 470702
Dynamic mappings:
-- Inside Source
[Id: 1] access-list Internet pool BPO refcount 568
pool BPO: netmask
        start x.x.x.215 end x.x.x.215
        type generic, total addresses 1, allocated 1 (100%), misses 3045
Appl doors: 0
Normal doors: 0
Queued Packets: 0


There are many VLANs configured in my network, and the default gateway for each VLAN's users is the VLAN IP configured on the switch, so they don't have access to ping the router IP.


One of the dynamically assigned IPs is my system's IP, and whenever it happens I am able to ping the router's LAN IP as well as the WAN IP, but I lose internet connectivity.

Federico Coto F... Thu, 05/27/2010 - 05:48

If you still can PING the WAN IP when there's no Internet, I don't think it is a problem with the router...

How is your setup?

LAN -- Router -- Internet device --- Cloud

Something like that?

You say that you can still PING the Internet device from the LAN (through the router) when the problem happens?


md farook Thu, 05/27/2010 - 05:54

Connectivity is like LAN-Firewall-Router-Cloud.

I can ping the WAN IP but am not able to access the internet. I'd also like to remind you that my NAT pool is something like given below.

ip nat pool BPO x.x.x.x x.x.x.x mask, and the first and last IP are the same.

Federico Coto F... Thu, 05/27/2010 - 06:16

I don't think the problem is the pool, because it is PAT.

However, try the following...

Remove the pool and add...

access-list 190 permit ip any   --->   change with your internal network scheme

ip nat inside source list 190 interface overload

What you're doing is changing the NAT pool (not an actual pool, just an IP) to the outside IP of the router itself.


md farook Thu, 05/27/2010 - 06:23

I will try it tomorrow and let you know, because in the live setup we can't make any kind of changes.

Latchum Naidu Thu, 05/27/2010 - 08:34

Hi Farook,

I experienced the same situation in my network.

I guess it is an issue with NAT overload.

Try to find which source is doing more translations and on which ports; if they are using ports like FTP, those will consume more processing.

Do you have any open NATs?

Apart from that, my suggestion is to keep a daily checklist like...

Clear NAT statements every day, or once in a while if there are more NAT statements.

Clear arp, cache, mac-a and counters.

Try to observe CPU & memory usage.



md farook Thu, 05/27/2010 - 21:15

Hi Naidu,

  There are no FTP applications in use in my network, and I need to know one more thing. Can you tell me how many public IPs are usable for NATting from the lines given below?

     x.x.x.x x.x.x.x mask --- first and last IPs are the same

     x.x.x.x x.x.x.x mask -- first IP (like 192) and last IP (like 195) are different
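A small checker, added here as an example and not taken from the thread, that answers the last question (usable addresses in an inclusive pool range) and quantifies the single-address PAT load that rajatsetia's answer describes, from the two show commands discussed above. The NAT_STATS and NAT_XLATES text, the 203.0.113.x / 198.51.100.x addresses and the per-address port bound are constructed assumptions; verify the port limit against your platform.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the pool section of 'show ip nat statistics',
# mirroring the one-address pool quoted in the thread.
NAT_STATS = """\
pool BPO: netmask 255.255.255.0
        start 203.0.113.215 end 203.0.113.215
        type generic, total addresses 1, allocated 1 (100%), misses 3045
"""

# Constructed sample in the format of 'show ip nat translations'.
NAT_XLATES = """\
Pro Inside global      Inside local       Outside local     Outside global
tcp 203.0.113.215:1024 10.10.1.5:51001    198.51.100.7:443  198.51.100.7:443
tcp 203.0.113.215:1025 10.10.1.6:51002    198.51.100.7:443  198.51.100.7:443
udp 203.0.113.215:1026 10.10.1.7:53001    198.51.100.53:53  198.51.100.53:53
--- 203.0.113.210      10.10.2.2          ---               ---
"""


def pool_size(start, end):
    """Usable global addresses in an inclusive 'ip nat pool START END' range."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def parse_pool(stats):
    """Pull the start/end address and allocation misses out of the pool section."""
    rng = re.search(r"start (\S+) end (\S+)", stats)
    misses = re.search(r"misses (\d+)", stats)
    return {"start": rng.group(1), "end": rng.group(2), "misses": int(misses.group(1))}


def ports_per_global(xlates):
    """Count port-carrying (PAT) translations per inside-global address."""
    counts = Counter()
    for line in xlates.splitlines()[1:]:
        proto, inside_global = line.split()[:2]
        if proto != "---":  # '---' rows are static one-to-one entries with no port
            counts[inside_global.split(":")[0]] += 1
    return counts


def exhaustion_report(stats, xlates, ports_per_ip=64512, warn=0.9):
    """Estimate PAT utilisation; ports_per_ip (1024-65535) is an assumed bound."""
    pool = parse_pool(stats)
    addresses = pool_size(pool["start"], pool["end"])
    in_use = sum(ports_per_global(xlates).values())
    util = in_use / (addresses * ports_per_ip)
    return {"addresses": addresses, "capacity": addresses * ports_per_ip,
            "in_use": in_use, "utilisation": round(util, 6),
            # pool misses mean allocation requests have already failed at least once
            "at_risk": util >= warn or pool["misses"] > 0}
```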

