08-26-2013 09:03 AM - edited 03-07-2019 03:07 PM
When I enter no ip nat inside... it gives the following output:
%Error: Dynamic mapping still in use, cannot remove
I did a clear ip nat translation *
It still doesn't work. Show command output below. Does anyone know why the Total active translations is so high?
MC-2550-DC-VG01#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
MC-2550-DC-VG01#sh ip nat stati
Total active translations: 4294967291 (0 static, 4294967291 dynamic; 0 extended)
Outside interfaces:
Inside interfaces:
Hits: 27244508 Misses: 0
CEF Translated packets: 23739612, CEF Punted packets: 17338
Expired translations: 1367826
Dynamic mappings:
-- Inside Source
[Id: 1] access-list MSCABLE_NETWORKS_3 interface Serial0/0/1:1 refcount 4294967294
Appl doors: 0
Normal doors: 0
Queued Packets: 0
08-26-2013 12:14 PM
Hello,
Strange - it seems you have already removed the ip nat inside and ip nat outside commands from your interfaces - is that correct? Alternatively, are you using ip nat enable on any of your interfaces? Would perhaps shutting the S0/0/1:1 down and reactivating it help?
What is the router type and IOS version you are running? It is possible we are running into a bug of some sorts.
Best regards,
Peter
08-26-2013 12:20 PM
2821 -- Version 12.4(13r)T
Yes, I removed the ip nat inside and outside commands from all interfaces. ip nat enable is not on any interfaces either. I was thinking about reloading the router, but I can't do that until the weekend.
08-26-2013 12:28 PM
Hi,
Would it be possible to actually post your sanitized configuration, or at least the NAT-related config?
Best regards,
Peter
08-26-2013 12:56 PM
Here you go... hopefully I took everything important out of it. I ran into this trying to clean up the config, but it's still kind of a mess.
Current configuration : 14335 bytes
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
!
hostname MC-2550-DC-VG01
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
logging buffered 51200 warnings
!
no aaa new-model
clock timezone CST -6
clock summer-time CST recurring
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.24.250.1 10.24.250.99
ip dhcp excluded-address 10.24.250.200 10.24.250.254
ip dhcp excluded-address 10.24.15.1 10.24.15.99
ip dhcp excluded-address 10.24.15.200 10.24.15.254
!
ip dhcp pool DHCP-Voice-Phones
network 10.24.250.0 255.255.255.0
dns-server 32.77.42.12 32.77.42.16 10.1.42.16
default-router 10.24.250.1
domain-name ptsupply.com
option 150 ip 10.1.20.20 10.3.20.10
lease 30
!
ip dhcp pool DHCP-Wireless-Phones
network 10.24.15.0 255.255.255.0
dns-server 32.77.42.12 32.77.42.16 10.1.42.16
default-router 10.24.15.1
option 150 ip 10.1.20.20 10.3.20.10
domain-name ptsupply.com
lease 30
!
!
ip domain name ptsupply.com
ip name-server 32.77.42.12
ip name-server 32.77.42.16
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip urlfilter alert
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
!
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
!
!
!
voice class h323 1
h225 timeout tcp establish 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
vtp mode transparent
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
!
!
!
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 1 timeslots 1-24
description MPLS T1 to Yale Road
!
controller T1 0/0/1
framing esf
linecode b8zs
channel-group 1 timeslots 1-24
description Internet Circuit
!
vlan 2
name Users
!
vlan 11
name Wireless_APs
!
vlan 20
name Voice_Servers
!
vlan 50
name Network_Mgmt
!
vlan 250
name Voice_Phones
!
vlan 1224
name Wireless_Internal_Users
!
vlan 1324
name Wireless_Guest_Users
!
vlan 1424
name Wireless_Scanners_Users
!
vlan 1524
!
class-map match-any APPS-XO
match protocol citrix
match protocol telnet
class-map match-any VOICE-XO
match ip dscp ef
class-map match-any CONTROL-XO
match ip dscp af31
match protocol bgp
match protocol skinny
!
!
policy-map QOS-XO
class VOICE-XO
priority percent 30
set ip dscp ef
class CONTROL-XO
bandwidth percent 20
set ip dscp af31
class APPS-XO
set ip dscp af21
bandwidth percent 30
class class-default
fair-queue
random-detect dscp-based
set ip dscp af11
!
!
!
!
!
interface Loopback255
ip address 10.255.255.24 255.255.255.255
no ip route-cache cef
no ip route-cache
!
interface Tunnel200
description MPLS
ip address 10.255.255.201 255.255.255.252
shutdown
tunnel source 10.24.20.240
tunnel destination 10.3.20.240
!
interface GigabitEthernet0/0
description DISABLED
no ip address
shutdown
duplex auto
speed auto
max-reserved-bandwidth 100
!
interface GigabitEthernet0/1
description DISABLED
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:1
description
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip flow ingress
ip flow egress
encapsulation ppp
load-interval 30
max-reserved-bandwidth 100
service-policy output QOS-XO
!
interface Serial0/0/1:1
description Provisioned by CSM (private interface)
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip flow ingress
ip flow egress
ip virtual-reassembly
encapsulation ppp
!
interface Cellular0/1/0
description Provisioned by CSM (public interface)
ip address negotiated
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 1200 either
dialer string cdma
dialer-group 1
async mode interactive
no ppp lcp fast-start
!
interface FastEthernet1/0
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet1/1
description Flashing Room
switchport access vlan 2
switchport trunk native vlan 2
switchport mode trunk
switchport voice vlan 250
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet1/2
switchport access vlan 2
switchport trunk native vlan 2
switchport mode trunk
switchport voice vlan 250
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet1/3
switchport access vlan 2
switchport trunk native vlan 2
switchport mode trunk
switchport voice vlan 250
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet1/4
switchport access vlan 2
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet1/5
switchport access vlan 2
switchport trunk native vlan 2
switchport mode trunk
switchport voice vlan 250
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet1/6
switchport access vlan 2
switchport trunk native vlan 2
switchport mode trunk
switchport voice vlan 250
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet1/7
switchport access vlan 2
switchport trunk native vlan 2
switchport mode trunk
switchport voice vlan 250
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet1/8
description AP
switchport access vlan 11
switchport trunk native vlan 11
switchport mode trunk
switchport voice vlan 250
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet1/9
description AP
switchport access vlan 11
switchport trunk native vlan 11
switchport mode trunk
switchport voice vlan 250
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet1/10
description AP
switchport access vlan 11
switchport trunk native vlan 11
switchport mode trunk
switchport voice vlan 250
mls qos trust cos
spanning-tree portfast
!
interface FastEthernet1/11
description Printer
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet1/12
description Printer
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet1/13
description Printer
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet1/14
description Printer
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet1/15
description MCCOPIER
switchport access vlan 2
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan2
description Provisioned by CSM (private interface)
ip address 10.24.2.1 255.255.255.0
ip helper-address 10.24.2.3
ip flow ingress
ip flow egress
ip virtual-reassembly
no ip route-cache cef
!
interface Vlan11
description Provisioned by CSM (private interface)
ip address 10.24.11.1 255.255.255.0
ip helper-address 10.24.2.3
ip flow ingress
ip flow egress
no ip route-cache cef
!
interface Vlan20
ip address 10.24.20.240 255.255.255.0
ip helper-address 32.77.42.12
ip helper-address 32.77.42.16
ip helper-address 10.1.42.16
max-reserved-bandwidth 100
!
interface Vlan50
description Provisioned by CSM (private interface)
ip address 10.24.50.1 255.255.255.0
ip helper-address 10.24.2.3
!
interface Vlan250
description Internal Phone Users
ip address 10.24.250.1 255.255.255.0
ip flow ingress
ip flow egress
no ip route-cache cef
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.24.250.1
!
interface Vlan1224
description Provisioned by CSM (private interface)
ip address 10.24.12.1 255.255.255.0
ip helper-address 10.24.2.3
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
!
interface Vlan1324
description Provisioned by CSM (private interface)
ip address 10.24.13.1 255.255.255.0
ip helper-address 10.24.2.3
ip virtual-reassembly
!
interface Vlan1424
description Provisioned by CSM (private interface)
ip address 10.24.14.1 255.255.255.0
ip helper-address 10.24.2.3
no ip route-cache cef
no ip route-cache
!
interface Vlan1524
description Internal Wireless Phones
ip address 10.24.15.1 255.255.255.0
no ip route-cache cef
no ip route-cache
!
router bgp xxxx
no synchronization
bgp router-id 10.24.50.1
bgp log-neighbor-changes
bgp deterministic-med
network 10.24.0.0 mask 255.255.0.0
network 10.24.2.0 mask 255.255.254.0
network 10.24.2.0 mask 255.255.255.0
network 10.24.11.0 mask 255.255.255.0
network 10.24.14.0 mask 255.255.255.0
network 10.24.15.0 mask 255.255.255.0
network 10.24.20.0 mask 255.255.255.0
network 10.24.250.0 mask 255.255.255.0
network 10.255.255.24 mask 255.255.255.255
neighbor xxx.xxx.xxx.xxx remote-as xxxx
neighbor xxx.xxx.xxx.xxx description
neighbor xxx.xxx.xxx.xxx send-community
neighbor xxx.xxx.xxx.xxx soft-reconfiguration inbound
no auto-summary
!
ip forward-protocol nd
ip route 10.3.2.86 255.255.255.255 10.3.20.240
ip route 10.24.0.0 255.255.0.0 Null0
ip route 32.77.42.150 255.255.255.255 10.3.20.240
ip route 32.77.42.215 255.255.255.255 10.3.20.240
!
ip bgp-community new-format
ip flow-export version 9
ip flow-export destination xxx.xxx.xxx.xxxx 2055
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list MSCABLE_NETWORKS_3 interface Serial0/0/1:1 overload
!
ip access-list extended ROUTER-TRAFFIC
permit ip host 10.24.2.1 any
permit ip host 10.24.11.1 any
permit ip host 10.24.50.1 any
permit ip host 10.24.12.1 any
permit ip host 10.24.13.1 any
permit ip host 10.24.14.1 any
ip access-list extended SilverSky_VPN
permit ip 10.24.0.0 0.0.255.255 any
!
logging facility local1
logging source-interface Loopback255
logging 10.3.2.86
logging 10.3.2.200
access-list 1 permit any
access-list 10 permit any
dialer-list 1 protocol ip list 1
!
!
!
route-map ROUTER-TRAFFIC permit 20
match ip address ROUTER-TRAFFIC
set ip next-hop 208.xxx.xxx.xxx
!
!
!
!
!
!
scheduler allocate 20000 1000
ntp clock-period 17180215
ntp server 32.77.42.12
!
end
08-26-2013 01:22 PM
Hi,
Thank you very much for the configuration. I do not see anything suspicious (apart from deactivated CEF and/or Fast Switching on several interfaces with the no ip route-cache [ cef ] commands - why is that?)
I wonder - does the MSCABLE_NETWORKS_3 ACL exist? If it does not, can you please create it with a single deny any rule?
Best regards,
Peter
08-26-2013 01:27 PM
I deleted that ACL.
The no cef stuff was done by the person who was here before me. I have been turning it back on when I notice it. I have no idea why it was disabled in the first place.
I will add the ACL back.
08-26-2013 01:45 PM
Hi,
Regarding that ACL - did you remove it before or after you noticed this issue? The thing is that referencing a missing ACL effectively results in permit any behavior, and Cisco is very clear on the fact that using a permit any style of ACL with NAT is not supported. If you removed the ACL before you noticed you were unable to delete the ip nat statement, then it may actually be caused by the missing ACL - that is why I suggested creating it with the deny any entry that prevents any more NAT entries from being created. Though... you have removed the inside/outside designations, so this may not have any effect after all...
I admit - I am confused here. It seems to me to be a bug.
Best regards,
Peter
08-26-2013 01:49 PM
I added it back with a deny any any statement. I still can't delete the thing.
08-26-2013 02:07 PM
Hi,
I am afraid the restart is currently the only option.
Best regards,
Peter
08-26-2013 02:54 PM
description Provisioned by CSM (private interface)
MSCABLE_NETWORKS_3
Those two lines tell me that someone was using Cisco Security Manager or some other device manager. If possible, try to use the same to remove the NAT. Sometimes this tool does place hidden commands.
do a
show running-config full
and make sure that the access list is gone and that you don't see any other NAT-related entries:
show running-config full | i nat
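A small audit script for the two findings in this thread: the counters in show ip nat statistics that sit just below 2^32 (a refcount of 4294967294 is 2^32 - 2, i.e. an unsigned 32-bit counter decremented past zero), and a NAT rule that references an ACL no longer present in the configuration, which the thread notes behaves like permit any. This is an added example, not code from any post; the sample outputs are constructed to match what was posted, and the wrap-around check assumes the counters are unsigned 32-bit values.

```python
import re

# Constructed samples, modelled on the outputs posted in this thread.
NAT_STATS = """\
Total active translations: 4294967291 (0 static, 4294967291 dynamic; 0 extended)
Dynamic mappings:
-- Inside Source
[Id: 1] access-list MSCABLE_NETWORKS_3 interface Serial0/0/1:1 refcount 4294967294
"""

RUNNING_CONFIG = """\
ip nat inside source list MSCABLE_NETWORKS_3 interface Serial0/0/1:1 overload
ip access-list extended ROUTER-TRAFFIC
 permit ip host 10.24.2.1 any
access-list 1 permit any
"""

U32_MAX = 2 ** 32 - 1


def wrapped_counters(stats, slack=1024):
    """Return (label, value) pairs whose value lies within `slack` of 2^32.

    Assumption: IOS keeps these as unsigned 32-bit counters, so a value like
    4294967294 (2^32 - 2) means the counter went below zero, not that there
    really are ~4 billion live translations.
    """
    hits = []
    for label, value in re.findall(r"(Total active translations|refcount)\D*?(\d+)", stats):
        if U32_MAX - int(value) < slack:
            hits.append((label, int(value)))
    return hits


def missing_nat_acls(config):
    """Names used by 'ip nat ... source list' that have no ACL definition.

    As noted in the thread, a NAT rule pointing at a missing ACL behaves like
    'permit any', so the ACL should be recreated (e.g. with deny ip any any)
    before the NAT statement is touched.
    """
    referenced = set(re.findall(r"^ip nat (?:inside|outside) source list (\S+)", config, re.M))
    defined = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    defined |= set(re.findall(r"^access-list (\d+) ", config, re.M))
    return sorted(referenced - defined)


def audit(stats, config):
    """Run both checks and return one report dictionary."""
    return {"wrapped": wrapped_counters(stats), "missing_acls": missing_nat_acls(config)}


if __name__ == "__main__":
    print(audit(NAT_STATS, RUNNING_CONFIG))
```

Feed it the real show ip nat statistics and show running-config full output; an empty report on both keys is what a healthy box should produce.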