NAT fails temporarily on static NATs after router reload

k-brackley
Level 1

We have a 2611 with both dynamic and static nat configured.

Whenever we reload the router, our static NAT'd devices fail to get out/back in for several hours--then, eventually, everything will start to work again.

We have tested this on several different host systems: Windows, UNIX, etc., and as long as the static nat is active for a host, it can't get out.

If we remove the static NAT, the internal hosts can now get out--but of course, we lose the inbound connectivity.

Is there anything wrong with this configuration that could explain this behavior??

debug nat detailed -- shows our attempts from one of the hosts...but no reply is coming back in...

--->

Apr 19 2004 14:13:17.792 PDT: NAT*: i: icmp (192.168.0.1, 1779) -> (14.32.17.1, 1779) [60517]

Apr 19 2004 14:13:17.792 PDT: NAT*: s=192.168.0.1->14.32.17.228, d=14.32.17.1 [60517]

Apr 19 2004 14:13:18.788 PDT: NAT*: i: icmp (192.168.0.1, 1779) -> (14.32.17.1, 1779) [60643]

Apr 19 2004 14:13:18.792 PDT: NAT*: s=192.168.0.1->14.32.17.228, d=14.32.17.1 [60643]

Apr 19 2004 14:13:19.788 PDT: NAT*: i: icmp (192.168.0.1, 1779) -> (14.32.17.1, 1779) [60644]

Apr 19 2004 14:13:19.788 PDT: NAT*: s=192.168.0.1->14.32.17.228, d=14.32.17.1 [60644]

<---

----------

Config excerpt attached--note, we added deny host entries for each of the static NAT'd internal host IPs to access-list 1

----------

Thanks for any input,

Kevin
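As an added example (not from the post, and not Cisco's code), here is a small tally of `debug ip nat detailed` translation lines that flags flows with repeated inside-to-outside translations but no return translation, which is the symptom in the output above. The three one-way ICMP attempts are taken from the post; the second host (192.168.0.5 / 14.32.17.201) and the return-direction line format (`s=outside, d=global->local`) are constructed for illustration.

```python
import re

# Constructed sample: the post's three unanswered pings from 192.168.0.1,
# plus one constructed host that does get a reply translated back in.
SAMPLE_DEBUG = """\
Apr 19 2004 14:13:17.792 PDT: NAT*: i: icmp (192.168.0.1, 1779) -> (14.32.17.1, 1779) [60517]
Apr 19 2004 14:13:17.792 PDT: NAT*: s=192.168.0.1->14.32.17.228, d=14.32.17.1 [60517]
Apr 19 2004 14:13:18.788 PDT: NAT*: i: icmp (192.168.0.1, 1779) -> (14.32.17.1, 1779) [60643]
Apr 19 2004 14:13:18.792 PDT: NAT*: s=192.168.0.1->14.32.17.228, d=14.32.17.1 [60643]
Apr 19 2004 14:13:19.788 PDT: NAT*: i: icmp (192.168.0.1, 1779) -> (14.32.17.1, 1779) [60644]
Apr 19 2004 14:13:19.788 PDT: NAT*: s=192.168.0.1->14.32.17.228, d=14.32.17.1 [60644]
Apr 19 2004 14:13:20.100 PDT: NAT*: i: icmp (192.168.0.5, 2001) -> (14.32.17.1, 2001) [70001]
Apr 19 2004 14:13:20.100 PDT: NAT*: s=192.168.0.5->14.32.17.201, d=14.32.17.1 [70001]
Apr 19 2004 14:13:20.140 PDT: NAT*: o: icmp (14.32.17.1, 2001) -> (14.32.17.201, 2001) [70002]
Apr 19 2004 14:13:20.140 PDT: NAT*: s=14.32.17.1, d=14.32.17.201->192.168.0.5 [70002]
"""

# Inside -> outside: the source is rewritten (local -> global).
OUT_RE = re.compile(
    r"NAT\*?: s=(?P<local>[\d.]+)->(?P<glob>[\d.]+), d=(?P<remote>[\d.]+) \[\d+\]")
# Outside -> inside: the destination is rewritten (global -> local); format assumed.
IN_RE = re.compile(
    r"NAT\*?: s=(?P<remote>[\d.]+), d=(?P<glob>[\d.]+)->(?P<local>[\d.]+) \[\d+\]")


def tally_translations(debug_text):
    """Count translations in each direction per (inside local, inside global,
    outside host) triple. The 'i:'/'o:' header lines carry no rewrite and are skipped."""
    flows = {}
    for line in debug_text.splitlines():
        m = OUT_RE.search(line)
        direction = "out"
        if not m:
            m = IN_RE.search(line)
            direction = "in"
        if not m:
            continue
        key = (m["local"], m["glob"], m["remote"])
        flows.setdefault(key, {"out": 0, "in": 0})[direction] += 1
    return flows


def one_way_flows(debug_text, min_attempts=2):
    """Flows that were translated outbound at least min_attempts times with no
    reply ever translated back in: packets leave, nothing returns."""
    return sorted(key for key, c in tally_translations(debug_text).items()
                  if c["out"] >= min_attempts and c["in"] == 0)


if __name__ == "__main__":
    for local, glob, remote in one_way_flows(SAMPLE_DEBUG):
        print(f"no return traffic: {local} (as {glob}) -> {remote}")
```

Feeding a longer capture through `one_way_flows` separates hosts whose replies never reach the router from hosts whose replies arrive but are dropped elsewhere, which narrows whether the static entry or the return path is at fault.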

4 Replies

nz-ipv6
Level 1

Hi Kevin,

Before I say anything, a friendly piece of advice: never ever put your original IP addresses on any web site. It would be a headache for you and is not recommended. If I were you, I would change the addresses to bogus ones.

I don't see anything wrong with your config, apart from the fact that:

1) What is the use of access-list 100 when everything is allowed?

2) In case it works automatically after some hours, then I would do the following:

Search Cisco for bug

Upgrade IOS

Contact TAC.

Cheers

Trib

Thanks, searching for bugs now. May have to go back to a previous version.

ACL 100 was used to control access to another ethernet segment (which is down now, and being cleared out).

(Those aren't my real IPs...I changed them all before posting)...thanks again,

Kevin

I think you should use route maps with the nat configuration. NAT will only check the access-list when there are no existing translations that match.

Check the following URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bac.html

I had route-map statements to handle my vpn traffic through nat, but when this problem started, I removed all crypto and route-maps to see if that was causing any problems and to simplify troubleshooting.

I will revisit this and see if I can get a working NAT, but what I don't understand is, as configured, the static NAT'd inside hosts will EVENTUALLY start working...why would they not work from the start, or what would make them start working after a couple of hours?

Tks/Kevin
