Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
263
Views
0
Helpful
1
Replies

1-to-1 NAT translation "appears"

wojciechowczarek
Level 1
Level 1

‎04-23-2008 03:31 AM - edited ‎03-05-2019 10:33 PM

I've encountered a really odd issue. Here's the situation:

Two routers: 2821 (R1) and 2811(R2). R1 is the main router that carries to-Internet traffic. R2 is a VPN gateway, being also a default gateway for one VLAN (say VLAN111, 10.111.222.0/24). R2 is hosting an IPSec tunnel and routes multicast traffic from VLAN111 to a certain destination (R1 has multicast routing disabled). R2 is separated from the rest of the network - it doesn't participate in any routing protocols, it simply uses R1 as it's gateway. Currently there's only one user on VLAN111 - say 10.111.222.99. We use private IP addresses internally - R1 does NAT for the internal users, so traffic is sourced from it's main public IP address. R1 is also a vpn gateway for remote clients (using Cisco VPN client) - it listens for the VPN client requests on the same public IP address. Suddenly, I received a notification that users are unable to connect to R1 using their vpn clients. This is what I found on R1:

# show ip nat translations | inc 10.111

...

...

--- [public IP]:0 10.111.222.99:0 --- ---

Which is nothing else but a 1-to-1 static NAT that captures the main public IP and NATs it to an IP on VLAN111. I did some sanity checks, went through the configuration archive and running-config, and I found nothing related to this. Is there any reasonable explanation why such translation can appear suddenly? Or is it a bug? This has happened two times already during the last few weeks. It wasn't happening when there were no users on VLAN111. Nothing related to this on the switches either (all Catalyst 4948).

Versions:

R1: (C2800NM-ADVIPSERVICESK9-M), Version 12.4(3d), RELEASE SOFTWARE (fc3)

R2: (C2800NM-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)

I must note that although it looks like a static NAT translations, it is a dynamic one and the problem goes away as soon as I do "clear ip nat translation *" - but reappears after a few weeks.

Did anyone experience this before?

Best regards,

Wojciech

Labels:
0 Helpful
1 Reply 1

aghaznavi
Level 5
Level 5

‎04-29-2008 08:46 AM

The issue may be due to full static nat and vpn functions are not working all at the same time. configure to have the full static nat and vpn functions working all at the same time.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card