NAT fails temporarily on static NATs after router reload

Unanswered Question
Apr 19th, 2004
We have a 2611 with both dynamic and static nat configured.


Whenever we reload the router, our static NAT'd devices fail to get out/back in for several hours--then, eventually, everything will start to work again.


We have tested this on several different host systems: Windows, UNIX, etc., and as long as the static nat is active for a host, it can't get out.


If we remove the static NAT, the internal hosts can now get out--but of course, we lose the inbound connectivity.


Is there anything wrong with this configuration that could explain this behavior??


debug nat detailed -- shows our attempts from one of the hosts...but no reply is coming back in...


--->

Apr 19 2004 14:13:17.792 PDT: NAT*: i: icmp (192.168.0.1, 1779) -> (14.32.17.1, 1779) [60517]

Apr 19 2004 14:13:17.792 PDT: NAT*: s=192.168.0.1->14.32.17.228, d=14.32.17.1 [60517]

Apr 19 2004 14:13:18.788 PDT: NAT*: i: icmp (192.168.0.1, 1779) -> (14.32.17.1, 1779) [60643]

Apr 19 2004 14:13:18.792 PDT: NAT*: s=192.168.0.1->14.32.17.228, d=14.32.17.1 [60643]

Apr 19 2004 14:13:19.788 PDT: NAT*: i: icmp (192.168.0.1, 1779) -> (14.32.17.1, 1779) [60644]

Apr 19 2004 14:13:19.788 PDT: NAT*: s=192.168.0.1->14.32.17.228, d=14.32.17.1 [60644]

<---


----------

Config excerpt attached--note, we added deny host entries for each of the static nat'd internal host IPs to access-list 1

----------


Thanks for any input,


Kevin




nz-ipv6 Mon, 04/19/2004 - 13:52

Hi Kevin,


Before I say anything, some friendly advice: never ever put your original IP addresses on any web site. It would be a headache for you and is not recommended. If I were you, I would change the addresses to bogus ones.


I don't see anything wrong with your config, apart from the fact that


1) What is the use of access-list 100 when everything is allowed?


2) In case it works automatically after some hours, then I would do the following


Search Cisco for bug


Upgrade IOS


Contact TAC.


Cheers

Trib

k-brackley Tue, 04/20/2004 - 19:48

Thanks, searching for bugs now. May have to go back to a previous version.


ACL 100 was used to control access to another ethernet segment (which is down now, and being cleared out).


(Those aren't my real IPs...I changed them all before posting)...thanks again,


Kevin

k-brackley Thu, 04/22/2004 - 20:12

I had route-map statements to handle my vpn traffic through nat, but when this problem started, I removed all crypto and route-maps to see if that was causing any problems and to simplify troubleshooting.


I will revisit this and see if I can get a working NAT, but what I don't understand is, as configured, the static NAT'd inside hosts will EVENTUALLY start working...why would they not work from the start, or what would make them start working after a couple of hours?


Tks/Kevin
