Re: Can't issue no ip nat inside source list command

nkillgore · ‎08-26-2013

When I enter no ip nat inside... it gives the following output:

%Error: Dynamic mapping still in use, cannot remove

I did a clear ip nat translation *

It still doesn't work. Show command output below. Does anyone know why the Total active translations is so high?

MC-2550-DC-VG01#sh ip nat trans

Pro Inside global Inside local Outside local Outside global

MC-2550-DC-VG01#sh ip nat stati

Total active translations: 4294967291 (0 static, 4294967291 dynamic; 0 extended)

Outside interfaces:

Inside interfaces:

Hits: 27244508 Misses: 0

CEF Translated packets: 23739612, CEF Punted packets: 17338

Expired translations: 1367826

Dynamic mappings:

-- Inside Source

[Id: 1] access-list MSCABLE_NETWORKS_3 interface Serial0/0/1:1 refcount 4294967294

Appl doors: 0

Normal doors: 0

Queued Packets: 0

Peter Paluch · ‎08-26-2013

Hello,

Strange - it seems you have already removed the ip nat inside and ip nat outside commands from your interfaces - is that correct? Alternatively, are you using ip nat enable on any of your interfaces? Would perhaps shutting the S0/0/1:1 down and reactivating it help?

What is the router type and IOS version you are running? It is possible we are running into a bug of some sorts.

Best regards,

Peter

nkillgore · ‎08-26-2013

2821 -- Version 12.4(13r)T

Yes, I removed the ip nat inside and outside commands from all interfaces. ip nat enable is not on any interfaces either. I was thinking about reloading the router, but I can't do that until the weekend.

Peter Paluch · ‎08-26-2013

Hi,

Would it be possible to actually post your sanitized configuration, or at least the NAT-related config?

Best regards,

Peter

nkillgore · ‎08-26-2013

Here you go... hopefully i took everything important out of it. I ran into this trying to clean up the config, but it's still kind of a mess

Current configuration : 14335 bytes

!

version 12.4

service nagle

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service internal

!

hostname MC-2550-DC-VG01

!

boot-start-marker

boot-end-marker

!

card type t1 0 0

logging buffered 51200 warnings

!

no aaa new-model

clock timezone CST -6

clock summer-time CST recurring

network-clock-participate wic 0

network-clock-select 1 T1 0/0/0

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.24.250.1 10.24.250.99

ip dhcp excluded-address 10.24.250.200 10.24.250.254

ip dhcp excluded-address 10.24.15.1 10.24.15.99

ip dhcp excluded-address 10.24.15.200 10.24.15.254

!

ip dhcp pool DHCP-Voice-Phones

network 10.24.250.0 255.255.255.0

dns-server 32.77.42.12 32.77.42.16 10.1.42.16

default-router 10.24.250.1

domain-name ptsupply.com

option 150 ip 10.1.20.20 10.3.20.10

lease 30

!

ip dhcp pool DHCP-Wireless-Phones

network 10.24.15.0 255.255.255.0

dns-server 32.77.42.12 32.77.42.16 10.1.42.16

default-router 10.24.15.1

option 150 ip 10.1.20.20 10.3.20.10

domain-name ptsupply.com

lease 30

!

ip domain name ptsupply.com

ip name-server 32.77.42.12

ip name-server 32.77.42.16

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

no ip urlfilter alert

!

multilink bundle-name authenticated

!

voice-card 0

no dspfarm

!

voice class codec 1

codec preference 1 g711ulaw

codec preference 2 g729r8

!

voice class h323 1

h225 timeout tcp establish 3

!

vtp mode transparent

!

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 5

!

controller T1 0/0/0

framing esf

linecode b8zs

channel-group 1 timeslots 1-24

description MPLS T1 to Yale Road

!

controller T1 0/0/1

framing esf

linecode b8zs

channel-group 1 timeslots 1-24

description Internet Circuit

!

vlan 2

name Users

!

vlan 11

name Wireless_APs

!

vlan 20

name Voice_Servers

!

vlan 50

name Network_Mgmt

!

vlan 250

name Voice_Phones

!

vlan 1224

name Wireless_Internal_Users

!

vlan 1324

name Wireless_Guest_Users

!

vlan 1424

name Wireless_Scanners_Users

!

vlan 1524

!

class-map match-any APPS-XO

match protocol citrix

match protocol telnet

class-map match-any VOICE-XO

match ip dscp ef

class-map match-any CONTROL-XO

match ip dscp af31

match protocol bgp

match protocol skinny

!

policy-map QOS-XO

class VOICE-XO

priority percent 30

set ip dscp ef

class CONTROL-XO

bandwidth percent 20

set ip dscp af31

class APPS-XO

set ip dscp af21

bandwidth percent 30

class class-default

fair-queue

random-detect dscp-based

set ip dscp af11

!

interface Loopback255

ip address 10.255.255.24 255.255.255.255

no ip route-cache cef

no ip route-cache

!

interface Tunnel200

description MPLS

ip address 10.255.255.201 255.255.255.252

shutdown

tunnel source 10.24.20.240

tunnel destination 10.3.20.240

!

interface GigabitEthernet0/0

description DISABLED

no ip address

shutdown

duplex auto

speed auto

max-reserved-bandwidth 100

!

interface GigabitEthernet0/1

description DISABLED

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/0/0:1

description

ip address xxx.xxx.xxx.xxx 255.255.255.252

ip flow ingress

ip flow egress

encapsulation ppp

load-interval 30

max-reserved-bandwidth 100

service-policy output QOS-XO

!

interface Serial0/0/1:1

description Provisioned by CSM (private interface)

ip address xxx.xxx.xxx.xxx 255.255.255.252

ip flow ingress

ip flow egress

ip virtual-reassembly

encapsulation ppp

!

interface Cellular0/1/0

description Provisioned by CSM (public interface)

ip address negotiated

ip virtual-reassembly

encapsulation ppp

dialer in-band

dialer idle-timeout 1200 either

dialer string cdma

dialer-group 1

async mode interactive

no ppp lcp fast-start

!

interface FastEthernet1/0

switchport access vlan 2

spanning-tree portfast

!

interface FastEthernet1/1

description Flashing Room

switchport access vlan 2

switchport trunk native vlan 2

switchport mode trunk

switchport voice vlan 250

mls qos trust cos

spanning-tree portfast

!

interface FastEthernet1/2

switchport access vlan 2

switchport trunk native vlan 2

switchport mode trunk

switchport voice vlan 250

mls qos trust cos

spanning-tree portfast

!

interface FastEthernet1/3

switchport access vlan 2

switchport trunk native vlan 2

switchport mode trunk

switchport voice vlan 250

mls qos trust cos

spanning-tree portfast

!

interface FastEthernet1/4

switchport access vlan 2

mls qos trust cos

spanning-tree portfast

!

interface FastEthernet1/5

switchport access vlan 2

switchport trunk native vlan 2

switchport mode trunk

switchport voice vlan 250

mls qos trust cos

spanning-tree portfast

!

interface FastEthernet1/6

switchport access vlan 2

switchport trunk native vlan 2

switchport mode trunk

switchport voice vlan 250

mls qos trust cos

spanning-tree portfast

!

interface FastEthernet1/7

switchport access vlan 2

switchport trunk native vlan 2

switchport mode trunk

switchport voice vlan 250

mls qos trust cos

spanning-tree portfast

!

interface FastEthernet1/8

description AP

switchport access vlan 11

switchport trunk native vlan 11

switchport mode trunk

switchport voice vlan 250

mls qos trust cos

spanning-tree portfast

!

interface FastEthernet1/9

description AP

switchport access vlan 11

switchport trunk native vlan 11

switchport mode trunk

switchport voice vlan 250

mls qos trust cos

spanning-tree portfast

!

interface FastEthernet1/10

description AP

switchport access vlan 11

switchport trunk native vlan 11

switchport mode trunk

switchport voice vlan 250

mls qos trust cos

spanning-tree portfast

!

interface FastEthernet1/11

description Printer

switchport access vlan 2

spanning-tree portfast

!

interface FastEthernet1/12

description Printer

switchport access vlan 2

spanning-tree portfast

!

interface FastEthernet1/13

description Printer

switchport access vlan 2

spanning-tree portfast

!

interface FastEthernet1/14

description Printer

switchport access vlan 2

spanning-tree portfast

!

interface FastEthernet1/15

description MCCOPIER

switchport access vlan 2

spanning-tree portfast

!

interface Vlan1

no ip address

!

interface Vlan2

description Provisioned by CSM (private interface)

ip address 10.24.2.1 255.255.255.0

ip helper-address 10.24.2.3

ip flow ingress

ip flow egress

ip virtual-reassembly

no ip route-cache cef

!

interface Vlan11

description Provisioned by CSM (private interface)

ip address 10.24.11.1 255.255.255.0

ip helper-address 10.24.2.3

ip flow ingress

ip flow egress

no ip route-cache cef

!

interface Vlan20

ip address 10.24.20.240 255.255.255.0

ip helper-address 32.77.42.12

ip helper-address 32.77.42.16

ip helper-address 10.1.42.16

max-reserved-bandwidth 100

!

interface Vlan50

description Provisioned by CSM (private interface)

ip address 10.24.50.1 255.255.255.0

ip helper-address 10.24.2.3

!

interface Vlan250

description Internal Phone Users

ip address 10.24.250.1 255.255.255.0

ip flow ingress

ip flow egress

no ip route-cache cef

h323-gateway voip interface

h323-gateway voip bind srcaddr 10.24.250.1

!

interface Vlan1224

description Provisioned by CSM (private interface)

ip address 10.24.12.1 255.255.255.0

ip helper-address 10.24.2.3

ip virtual-reassembly

no ip route-cache cef

no ip route-cache

!

interface Vlan1324

description Provisioned by CSM (private interface)

ip address 10.24.13.1 255.255.255.0

ip helper-address 10.24.2.3

ip virtual-reassembly

!

interface Vlan1424

description Provisioned by CSM (private interface)

ip address 10.24.14.1 255.255.255.0

ip helper-address 10.24.2.3

no ip route-cache cef

no ip route-cache

!

interface Vlan1524

description Internal Wireless Phones

ip address 10.24.15.1 255.255.255.0

no ip route-cache cef

no ip route-cache

!

router bgp xxxx

no synchronization

bgp router-id 10.24.50.1

bgp log-neighbor-changes

bgp deterministic-med

network 10.24.0.0 mask 255.255.0.0

network 10.24.2.0 mask 255.255.254.0

network 10.24.2.0 mask 255.255.255.0

network 10.24.11.0 mask 255.255.255.0

network 10.24.14.0 mask 255.255.255.0

network 10.24.15.0 mask 255.255.255.0

network 10.24.20.0 mask 255.255.255.0

network 10.24.250.0 mask 255.255.255.0

network 10.255.255.24 mask 255.255.255.255

neighbor xxx.xxx.xxx.xxx remote-as xxxx

neighbor xxx.xxx.xxx.xxx description

neighbor xxx.xxx.xxx.xxx send-community

neighbor xxx.xxx.xxx.xxx soft-reconfiguration inbound

no auto-summary

!

ip forward-protocol nd

ip route 10.3.2.86 255.255.255.255 10.3.20.240

ip route 10.24.0.0 255.255.0.0 Null0

ip route 32.77.42.150 255.255.255.255 10.3.20.240

ip route 32.77.42.215 255.255.255.255 10.3.20.240

!

ip bgp-community new-format

ip flow-export version 9

ip flow-export destination xxx.xxx.xxx.xxxx 2055

!

no ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list MSCABLE_NETWORKS_3 interface Serial0/0/1:1 overload

!

ip access-list extended ROUTER-TRAFFIC

permit ip host 10.24.2.1 any

permit ip host 10.24.11.1 any

permit ip host 10.24.50.1 any

permit ip host 10.24.12.1 any

permit ip host 10.24.13.1 any

permit ip host 10.24.14.1 any

ip access-list extended SilverSky_VPN

permit ip 10.24.0.0 0.0.255.255 any

!

logging facility local1

logging source-interface Loopback255

logging 10.3.2.86

logging 10.3.2.200

access-list 1 permit any

access-list 10 permit any

dialer-list 1 protocol ip list 1

!

route-map ROUTER-TRAFFIC permit 20

match ip address ROUTER-TRAFFIC

set ip next-hop 208.xxx.xxx.xxx

!

scheduler allocate 20000 1000

ntp clock-period 17180215

ntp server 32.77.42.12

!

end

Peter Paluch · ‎08-26-2013

Hi,

Thank you very much for the configuration. I do not see anything suspicious (apart from deactivated CEF and/or Fast Switching on several interfaces with the no ip route-cache [ cef ] commands - why is that?)

I wonder - does the MSCABLE_NETWORKS_3 ACL exist? If it does not, can you please create it with a single deny any rule?

Best regards,

Peter

nkillgore · ‎08-26-2013

I deleted that ACL.

the no cef stuff was done by the person who was here before me. I have been turning it back on when I notice it. I have no idea why it was disabled in the first place.

I will add the acl back

Peter Paluch · ‎08-26-2013

Hi,

Regarding that ACL - did you remove it before or after you noticed this issue? The thing is that referencing a missing ACL effectively results into permit any behavior, and Cisco is very clear on the fact that using a permit any style of ACLs with NAT is not supported. If you removed the ACL before you noticed you are unable to delete the ip nat statement then it may actually be caused by the missing ACL - that is why I suggested to create it with the deny any entry that prevents any more NAT entries from being created. Though... you have removed the inside/outside designations so this may not have any effect after all...

I admit - I am confused here. It seems to me to be a bug.

Best regards,

Peter

nkillgore · ‎08-26-2013

i added it back with a deny any any statement. I still can't delete the thing.

Peter Paluch · ‎08-26-2013

Hi,

I am afraid the restart is currently the only option.

Best regards,

Peter

Edwin Matos · ‎08-26-2013

description Provisioned by CSM (private interface)

MSCABLE_NETWORKS_3

Those two lines tells me that someone was using Cisco Serutity Manager or some other device manager. If Possible try to use the same to remove the nat. Some times this tool due place hidden commands

do a

show running-config full

and make sure that access list is gone and that you done see any other nat related entries

show running-config full | i nat