Cisco Support Community
New Member

Intermittent NAT Translation Failures. Please help

Hello, I have a complex NAT setup where I have 2 Interfaces on a Cisco 3600. Both of these Interfaces are FastE. I will refer to them as

Fast 0/0 (External) - External IP's

Fast 1/0 (Internal) - Internal IP's

I have MANY subnets on Fast 1/0 and have NAT access lists to route internal subnets to a certain external *overloaded* IP address. We use this to make it a little easier to find out where traffic comes from if required.

We are having issues with this, where we find that customers (randomly) will just lose connection to the Internet. They are on trusted private IP addresses and others on that same subnet leg will not have issues at the same time. Even though some of the people will possibly have the issue not long after.

The only "fix" we have found is to remove the customer's firewall (just a junk Linksys), place a laptop on the Internet connection (laptop still doesn't work at this point), then click repair on the laptop. Everything works from there on, at least until next time.... I realize what I'm saying makes no sense, but it seems to be the only thing that fixes it. I have attached a dump of the 3600's configuration, CPU stats, NAT stats, and other relevant stats so you can maybe help!!

Thank you in advance!

Blaze Lewis

8 REPLIES
Purple

Re: Intermittent NAT Translation Failures. Please help

Hi,

One very obvious thing I see is that your TCP timeout is set way too low...2500 seconds. That is only around 41 minutes... I suspect that is what is potentially causing your problems. I would wind it up to something like 10 hours (to roughly cover a working day). Set it to:

ip nat translation tcp-timeout 36000

Hope that helps - pls rate the post if it does.

Paresh

New Member

Re: Intermittent NAT Translation Failures. Please help

Please go through the Output Interpreter output for your show tech; at the end it says something about the NAT translations.

Also, please let me know whether the computer has an IP address and can ping as far as the router when they are facing the issue.

Thanks,

Naveen B

New Member

Re: Intermittent NAT Translation Failures. Please help

I have made some changes. I'm not sure what the errors you posted about the NAT mean. Can I get to the Interpreter that you used to make English out of my tech dump? I am using overloading; does it look like it's set up correctly? Here is my new tech dump.

Thank you again in advance!

Blaze

Purple

Re: Intermittent NAT Translation Failures. Please help

Hi Blaze,

Your config looks fine. Did increasing the TCP timeout make a difference?

When the problem occurs again, would you be able to get the output of 'sh ip nat translations' as well as the IP address of the affected PC? That may give more of a clue as to what is wrong...

Paresh
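
An added example, not part of the thread or any poster's tooling: one way to check what the translation table holds for the affected PC once 'sh ip nat translations' has been captured. It assumes the usual five-column IOS layout; the sample output is constructed with documentation and private addresses, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the column layout of IOS "show ip nat translations";
# all addresses are documentation/private ranges, not taken from the thread.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:1024  10.1.1.20:3012     198.51.100.5:80    198.51.100.5:80
tcp 203.0.113.10:1025  10.1.1.20:3013     198.51.100.9:443   198.51.100.9:443
udp 203.0.113.10:1026  10.1.1.21:1030     198.51.100.53:53   198.51.100.53:53
tcp 203.0.113.11:1024  10.1.2.7:4410      198.51.100.5:80    198.51.100.5:80
--- 203.0.113.12       10.1.3.2           ---                ---
"""

def _host(field):
    """Strip an optional :port suffix from an address column."""
    return field.rsplit(":", 1)[0] if ":" in field else field

def parse_translations(text):
    """Return a list of dicts, one per translation entry."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue  # skip header, blanks and anything not a 5-column entry
        pro, in_global, in_local, _out_local, out_global = cols
        entries.append({"proto": pro, "inside_global": _host(in_global),
                        "inside_local": _host(in_local),
                        "outside_global": out_global})
    return entries

def summarize_by_host(entries):
    """Map inside-local IP -> (entry count, set of inside-global IPs used)."""
    summary = defaultdict(lambda: [0, set()])
    for e in entries:
        summary[e["inside_local"]][0] += 1
        summary[e["inside_local"]][1].add(e["inside_global"])
    return {ip: (n, globals_) for ip, (n, globals_) in summary.items()}

def check_host(text, affected_ip):
    """Describe what the table holds for the PC that lost connectivity."""
    table = summarize_by_host(parse_translations(text))
    n, globals_ = table.get(affected_ip, (0, set()))
    if n == 0:
        return f"{affected_ip}: no translation entries"
    return f"{affected_ip}: {n} entries via {', '.join(sorted(globals_))}"

if __name__ == "__main__":
    for ip in ("10.1.1.20", "10.1.4.9"):
        print(check_host(SAMPLE, ip))
```

A host with no entries while it is failing points at the router never building a translation for it; a host with entries that map to an unexpected inside global address points at the ACL-to-pool mapping instead.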

New Member

Re: Intermittent NAT Translation Failures. Please help

I'm not sure about the timeout yet and the timeout isn't proven to fix the issue. Will let you know as soon as I can tell. There are still issues, but I think it's customer related. Here is the stat dump you requested!

Thanks Again!!

Blaze

New Member

Re: Intermittent NAT Translation Failures. Please help

Hi,

You need a CCO ID to check the output interpreter. The link is https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl

Also, one more thing I observed in your configuration: you have so many secondary IP addresses on the outside interface in the same subnet, which I don't think is required. The NAT should work and as the subnet is mentioned in the NAT pool it should work even if you remove it. You can try it for one and test it before doing it for all. I don't know whether this would be of any help.

thanks,

Naveen B

New Member

Re: Intermittent NAT Translation Failures. Please help

I am using the ACL to send certain subnets to certain external IP addresses. This is for future ease of finding customers with issues. At least we know what subnet to look at.

Just to verify, Cisco allows you to send an internal subnet to an external interface of your choosing?

Right?

Thanks again!

Blaze

Purple

Re: Intermittent NAT Translation Failures. Please help

Yes, there is no problem with doing that.

Regarding the stats dump you sent me, what was the IP address of the PC experiencing problems at that point?

Paresh
