Help with PAT!!!

deditoregalon · ‎09-15-2010

Hey, need some help with this config. I installed one Cisco 2800 a week ago. The router works fine, saving that each 10 or 12 hours the PAT simply stops working, leaving me no more choice that restart. The NAT works fine, internet is ok. The problem is with the static NAT not dynamic. I have this same config in other customers and works fine and, in the same customer, with the old router (Cisco 800) it didn't happened. Any idea?

This is the config. Thanks!!

Router#sh running-config
Building configuration...
Current configuration : 4074 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
clock timezone BA -3
ip cef
!
!
!
!
multilink bundle-name authenticated
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0/0
description WAN
ip address xxxx.xxxx.xxxx.xxxx 255.255.255.240
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip dns server
ip nat pool Internet xxxx.xxxx.xxxx.xxxx xxxx.xxxx.xxxx.xxxx netmask 255.255.255.240
ip nat inside source list 100 pool Internet overload
ip nat inside source static tcp 192.168.0.4 21 xxxx.xxxx.xxxx.xxxx 21 extendable
ip nat inside source static tcp 192.168.0.4 53 xxxx.xxxx.xxxx.xxxx 53 extendable
ip nat inside source static tcp 192.168.0.4 85 xxxx.xxxx.xxxx.xxxx 85 extendable
ip nat inside source static tcp 192.168.0.4 110 xxxx.xxxx.xxxx.xxxx 110 extendable
ip nat inside source static tcp 192.168.0.4 143 xxxx.xxxx.xxxx.xxxx 143 extendable
ip nat inside source static tcp 192.168.0.4 366 xxxx.xxxx.xxxx.xxxx 366 extendable
ip nat inside source static tcp 192.168.0.4 389 xxxx.xxxx.xxxx.xxxx 389 extendable
ip nat inside source static tcp 192.168.0.4 465 xxxx.xxxx.xxxx.xxxx 465 extendable
ip nat inside source static tcp 192.168.0.4 587 xxxx.xxxx.xxxx.xxxx 587 extendable
ip nat inside source static tcp 192.168.0.4 993 xxxx.xxxx.xxxx.xxxx 993 extendable
ip nat inside source static tcp 192.168.0.4 995 xxxx.xxxx.xxxx.xxxx 995 extendable
ip nat inside source static tcp 192.168.0.4 1000 xxxx.xxxx.xxxx.xxxx 1000 extendable
ip nat inside source static tcp 192.168.0.4 4069 xxxx.xxxx.xxxx.xxxx 4069 extendable
ip nat inside source static tcp 192.168.0.81 5500 xxxx.xxxx.xxxx.xxxx 5500 extendable
ip nat inside source static tcp 192.168.0.10 5520 xxxx.xxxx.xxxx.xxxx 5520 extendable
ip nat inside source static tcp 192.168.0.50 5521 xxxx.xxxx.xxxx.xxxx 5521 extendable
ip nat inside source static tcp 192.168.0.4 5522 xxxx.xxxx.xxxx.xxxx 5522 extendable
ip nat inside source static tcp 192.168.0.5 5523 xxxx.xxxx.xxxx.xxxx 5523 extendable
ip nat inside source static tcp 192.168.0.2 5524 xxxx.xxxx.xxxx.xxxx 5524 extendable
ip nat inside source static tcp 192.168.0.3 5525 xxxx.xxxx.xxxx.xxxx 5525 extendable
ip nat inside source static tcp 192.168.0.66 5526 xxxx.xxxx.xxxx.xxxx 5526 extendable
ip nat inside source static tcp 192.168.0.10 5632 xxxx.xxxx.xxxx.xxxx 5632 extendable
ip nat inside source static tcp 192.168.0.4 5902 xxxx.xxxx.xxxx.xxxx 5902 extendable
ip nat inside source static tcp 192.168.0.5 5903 xxxx.xxxx.xxxx.xxxx 5903 extendable
ip nat inside source static tcp 192.168.0.50 5906 xxxx.xxxx.xxxx.xxxx 5906 extendable
ip nat inside source static tcp 192.168.0.10 5908 xxxx.xxxx.xxxx.xxxx 5908 extendable
ip nat inside source static tcp 192.168.0.3 5909 xxxx.xxxx.xxxx.xxxx 5909 extendable
ip nat inside source static tcp 192.168.0.2 5910 xxxx.xxxx.xxxx.xxxx 5910 extendable
ip nat inside source static tcp 192.168.0.66 80 xxxx.xxxx.xxxx.xxxx 80 extendable
ip nat inside source static tcp 192.168.0.66 5550 xxxx.xxxx.xxxx.xxxx 5550 extendable
ip nat inside source static tcp 192.168.0.66 5555 xxxx.xxxx.xxxx.xxxx 5555 extendable
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp xxx.xxx.xxx.xxx 0.0.0.15 any echo
access-list 101 deny icmp any xxx.xxx.xxx.xxx 0.0.0.15 echo log
access-list 101 permit ip any any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 1
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
login local
transport input telnet
line vty 2 4
login
!
scheduler allocate 20000 1000
end
!
!
Router#

Peter Paluch · ‎09-15-2010

Hello Ezequiel,

I am not 100% sure that it will solve your problems but I see that the IP addresses you are performing static PAT on are also allowed for dynamic NAT translation in your ACL 100. It is strongly recommended that these two translations do not overlap: if you configure a static NAT/PAT for a particular inside IP/protocol/port, you should specifically exempt this inside IP, protocol and port from the ACL that governs the dynamic NAT.

It is going to be a daunting task but I recommend doing it: modify your ACL 100 so that all inside IPs and ports used in static PAT are denied in the ACL. Your ACL will be as follows:

access-list 100 deny tcp 192.168.0.4 eq 21 any
access-list 100 deny tcp 192.168.0.4 eq 53 any
access-list 100 deny tcp 192.168.0.4 eq 85 any
! and so on, for each of your static PAT one "deny" entry here
! and finally, at the end of the ACL:
access-list 100 permit ip 192.168.0.0 0.0.0.255 any

Best regards,

Peter

deditoregalon · ‎09-16-2010

Hi Peter

Well, I'll try, although I have this same config in another router and it works fine, but it's logic what you say.

Thanks! I'll post it if it works!!

Nagaraja Thanthry · ‎09-15-2010

Hello,

Can you please verify if the loss of connection coincides with the ARP timeout value on the router/upstream device?

Regards,

NT

deditoregalon · ‎09-16-2010

Hi Nagaraja

The internet pool, the dinamic one, never fails, so i don't think it will we an ARP problem. If there will be that kind of problem the whole traffic will die, i'm i right?

Thanks!!

Nagaraja Thanthry · ‎09-16-2010

Hello,

The reason I am asking if the issue and ARP timeout coincide is because the symptoms you have described indicate that the router is not accepting the connections when this happens. Since the router is doing all other functionalities fine and this is happening for about every 12 hours of working, I suspected this to be tied to an ARP issue. Sometime ago, I remember seeing a bug that was related to NAT and ARP (after ARP timeout, the router stopped passing NAT traffic). Anyways, are you seeing any logs that indicate this to be a NAT or software issue?

Regards,

NT

deditoregalon · ‎09-16-2010

Hi

Well, sincerly the customer always call me afefter rebooting the router so, i could never could see the log instants before it happens. Anyway, if it is an ARP issue, how can i prevent that the router have an ARP timeout?

regards

deditoregalon · ‎09-17-2010

Hi, I was monitoring the log from another PC and there is nothing before and after in the log that indicates something is wrong

Regards

deditoregalon · ‎09-16-2010

I was thinking that, maybe, the problem can be the IOS. In the router that works, the IOS is:

c181x-advipservicesk9-mz.124-15.T12.bin

And in the other the IOS is:

c2801-ipbase-mz.124-15.T10.bin

As you see, the first one is ipservices and the other one is ipbase. I have not clear enough what for it's every kind of IOS.

deditoregalon · ‎09-17-2010

People!, I was talking to the customer more carefuly, and told me that the only problem is the mail server, I mean the server stops receiving mails (the 192.168.0.4 in the config) and restarting the router it solves the problem; the other PAT works fine. I was following the case a few days and i noted something rare, this happened, for the two days a was following it, at 10:46am and works fine the rest of the day.

Do you have any idea?

deditoregalon · ‎09-17-2010

I could get into the router in the same time that the problem was happenning. A clear ip nat translation * solved it. What's happening?