NAT issues

simpsoro2
Level 1

I have a site complaining about connectivity dropping out frequently. They have a 2811 router. I turned on "debug ip nat detailed" and I get the following:

*Nov 17 21:27:48.022: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.026: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.026: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.026: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.030: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.030: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.030: NAT*: Can't create new inside entry - forced_punt_flags: 0

I'll get a couple of minutes worth of entries like that then I'll get some normal looking traffic:

*Nov 17 21:29:16.494: NAT*: o: tcp (198.246.0.22, 110) -> (74.207.112.117, 1967) [2487]
*Nov 17 21:29:16.494: NAT*: s=198.246.0.22, d=74.207.112.117->10.19.232.115 [2487]
*Nov 17 21:29:16.494: NAT*: i: tcp (10.19.232.115, 1967) -> (198.246.0.22, 110) [39902]
*Nov 17 21:29:16.494: NAT*: s=10.19.232.115->74.207.112.117, d=198.246.0.22 [39902]
*Nov 17 21:29:16.550: NAT*: o: tcp (198.246.0.22, 110) -> (74.207.112.117, 1967) [2495]
*Nov 17 21:29:16.550: NAT*: s=198.246.0.22, d=74.207.112.117->10.19.232.115 [2495]
*Nov 17 21:29:16.550: NAT*: i: tcp (10.19.232.115, 1967) -> (198.246.0.22, 110) [39907]
*Nov 17 21:29:16.550: NAT*: s=10.19.232.115->74.207.112.117, d=198.246.0.22 [39907]
*Nov 17 21:29:16.606: NAT*: o: tcp (198.246.0.22, 110) -> (74.207.112.117, 1967) [2507]

Any ideas or pointers on what I should be looking at?

9 Replies

Peter Paluch
Cisco Employee

Hello,

One possibility is that the NAT pool is exhausted and no more translations can be performed at the time. After a couple of minutes, some translation entries expire, resulting in some addresses and/or ports being returned to the NAT pool and becoming available for new translations.

Can you post the relevant parts of the configuration, especially the one concerned with NAT? Also please post the show ip nat statistics command output if possible, especially if taken in the moment of connectivity flap.

Best regards,

Peter

Here is the configured NAT info:

ip nat pool LAAB-NAT 74.207.112.65 74.207.112.124 netmask 255.255.255.192
ip nat inside source route-map EVAL-NAT pool LAAB-NAT

route-map EVAL-NAT permit 10
match ip address NAT

The site only has 20 computers total. It's an educational institution. So, during the day only 4 of those computers are on. The lab isn't in use until the evening. Here's a typical "show ip nat trans" output:

tcp 74.207.112.116:1206 10.19.232.101:1206 209.85.225.113:80 209.85.225.113:80
tcp 74.207.112.117:2022 10.19.232.115:2022 66.220.145.35:80  66.220.145.35:80
tcp 74.207.112.117:2033 10.19.232.115:2033 66.220.147.33:80  66.220.147.33:80
tcp 74.207.112.117:2034 10.19.232.115:2034 205.177.71.146:80 205.177.71.146:80
tcp 74.207.112.117:2035 10.19.232.115:2035 205.177.71.146:80 205.177.71.146:80
tcp 74.207.112.117:2036 10.19.232.115:2036 216.66.31.210:80  216.66.31.210:80
tcp 74.207.112.117:2037 10.19.232.115:2037 216.66.31.192:80  216.66.31.192:80
tcp 74.207.112.114:1844 10.19.235.110:1844 209.8.118.27:80   209.8.118.27:80

Here is the show ip nat statistics:

Total active translations: 6 (0 static, 6 dynamic; 6 extended)
Outside interfaces:
  Serial0/0/0
Inside interfaces:
  FastEthernet0/0
Hits: 21474931  Misses: 167831
CEF Translated packets: 21584749, CEF Punted packets: 1511812
Expired translations: 168558
Dynamic mappings:
-- Inside Source
[Id: 1] route-map EVAL-NAT pool LAAB-NAT refcount 6
pool LAAB-NAT: netmask 255.255.255.192
        start 74.207.112.65 end 74.207.112.124
        type generic, total addresses 60, allocated 4 (6%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Hello,

Thank you for the information. Can you please post the NAT ACL as well?

Best regards,

Peter

ip access-list extended NAT
deny   ip 10.19.224.0 0.0.3.255 10.0.0.0 0.7.255.255
deny   ip 10.19.224.0 0.0.3.255 10.8.0.0 0.7.255.255
deny   ip 10.19.224.0 0.0.3.255 10.16.0.0 0.7.255.255
deny   ip 10.19.232.0 0.0.3.255 10.0.0.0 0.7.255.255
deny   ip 10.19.232.0 0.0.3.255 10.8.0.0 0.7.255.255
deny   ip 10.19.232.0 0.0.3.255 10.16.0.0 0.7.255.255
deny   ip 10.19.232.0 0.0.3.255 192.168.0.0 0.0.0.255
permit ip 10.19.224.0 0.0.3.255 any
permit ip 10.19.232.0 0.0.3.255 any
deny   ip any any
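As an added check that is not part of the thread, the following Python script evaluates the extended ACL above with IOS wildcard-mask semantics, so you can see which source/destination pairs route-map EVAL-NAT will hand to the NAT pool and which fall through to the closing deny. The ACL text is the one posted; the flows fed to it are constructed for the example.

```python
import ipaddress

# The access-list exactly as posted in the thread (extended ACL with wildcard masks).
NAT_ACL_TEXT = """\
ip access-list extended NAT
 deny   ip 10.19.224.0 0.0.3.255 10.0.0.0 0.7.255.255
 deny   ip 10.19.224.0 0.0.3.255 10.8.0.0 0.7.255.255
 deny   ip 10.19.224.0 0.0.3.255 10.16.0.0 0.7.255.255
 deny   ip 10.19.232.0 0.0.3.255 10.0.0.0 0.7.255.255
 deny   ip 10.19.232.0 0.0.3.255 10.8.0.0 0.7.255.255
 deny   ip 10.19.232.0 0.0.3.255 10.16.0.0 0.7.255.255
 deny   ip 10.19.232.0 0.0.3.255 192.168.0.0 0.0.0.255
 permit ip 10.19.224.0 0.0.3.255 any
 permit ip 10.19.232.0 0.0.3.255 any
 deny   ip any any
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_endpoint(tokens, i):
    """Parse one address spec ('any', 'host A', or 'A WILDCARD') starting at tokens[i].
    Returns (network, wildcard, next_index) as integers; a 1 bit in the wildcard is 'don't care'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text):
    """Turn the ACL listing into an ordered list of (action, proto, src, src_wc, dst, dst_wc)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended NAT' header line
        action, proto = tokens[0], tokens[1]
        src, src_wc, i = _parse_endpoint(tokens, 2)
        dst, dst_wc, _ = _parse_endpoint(tokens, i)
        entries.append((action, proto, src, src_wc, dst, dst_wc))
    return entries


def _wildcard_match(addr, net, wc):
    care = ~wc & 0xFFFFFFFF  # bits that must match exactly
    return (addr & care) == (net & care)


def acl_action(entries, src, dst):
    """First-match evaluation, as IOS does it. Anything that reaches the end of the
    list hits the implicit deny (this ACL also spells it out as 'deny ip any any')."""
    s, d = _ip(src), _ip(dst)
    for action, proto, net_s, wc_s, net_d, wc_d in entries:
        if proto != "ip":
            continue  # this ACL only uses 'ip'; port-qualified entries are not modelled here
        if _wildcard_match(s, net_s, wc_s) and _wildcard_match(d, net_d, wc_d):
            return action
    return "deny"


def will_be_translated(src, dst, entries=None):
    """True when a packet from src to dst is permitted by the ACL and so handed to the NAT pool."""
    entries = entries if entries is not None else parse_acl(NAT_ACL_TEXT)
    return acl_action(entries, src, dst) == "permit"


if __name__ == "__main__":
    # Constructed flows, not from the thread: the POP3 server seen in the debug output,
    # plus a few internal destinations to show what the deny lines exclude.
    for src, dst in [("10.19.232.115", "198.246.0.22"),
                     ("10.19.232.115", "10.5.1.1"),
                     ("10.19.232.115", "192.168.0.7"),
                     ("10.19.224.5", "192.168.0.7"),
                     ("10.19.232.115", "10.24.0.1")]:
        print(f"{src} -> {dst}: {'translate' if will_be_translated(src, dst) else 'no NAT'}")
```

Two things the evaluator makes visible that are easy to miss when reading the list: the three 10.x deny lines with wildcard 0.7.255.255 cover 10.0.0.0 through 10.23.255.255 only, so traffic to 10.24.0.0 and above is translated; and the 192.168.0.0/24 deny applies to sources in 10.19.232.0/22 but not to 10.19.224.0/22, so a host in the latter range talking to 192.168.0.x goes through the pool.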

Hello,

Thank you for your replies. Currently, I do not see any outstanding problems but I have a suggestion:

The router is currently configured to perform dynamic NAT, i.e. 1:1 translation between an internal and an external IP address. If there are no applications requiring this form of NAT, then we could significantly decrease the usage of IP addresses in your pool by using dynamic PAT. That can be accomplished by adding the keyword overload at the end of the ip nat inside source command:

ip nat inside source route-map EVAL-NAT pool LAAB-NAT overload

Would you mind giving this a try?

Best regards,

Peter
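Both of Peter's points, pool exhaustion and the move to overload, can be checked against the outputs already posted. The script below is an added example written for this page, not Peter's or Cisco's tooling. It embeds the pool definition, the show ip nat translations snapshot and three of the debug lines from the thread as sample input, confirms that the table is a 1:1 dynamic mapping (one inside global per inside local, source port carried through), counts how many pool addresses that consumes versus what PAT would need, and counts "Can't create new inside entry" messages per second so a burst can be lined up against a show ip nat statistics taken at the same moment.

```python
import ipaddress
import re
from collections import Counter

# Sample input copied from the thread: the pool definition, the 'show ip nat
# translations' snapshot and three of the 'debug ip nat detailed' lines.
POOL_LINE = "ip nat pool LAAB-NAT 74.207.112.65 74.207.112.124 netmask 255.255.255.192"

SHOW_NAT_TRANS = """\
tcp 74.207.112.116:1206 10.19.232.101:1206 209.85.225.113:80 209.85.225.113:80
tcp 74.207.112.117:2022 10.19.232.115:2022 66.220.145.35:80  66.220.145.35:80
tcp 74.207.112.117:2033 10.19.232.115:2033 66.220.147.33:80  66.220.147.33:80
tcp 74.207.112.117:2034 10.19.232.115:2034 205.177.71.146:80 205.177.71.146:80
tcp 74.207.112.117:2035 10.19.232.115:2035 205.177.71.146:80 205.177.71.146:80
tcp 74.207.112.117:2036 10.19.232.115:2036 216.66.31.210:80  216.66.31.210:80
tcp 74.207.112.117:2037 10.19.232.115:2037 216.66.31.192:80  216.66.31.192:80
tcp 74.207.112.114:1844 10.19.235.110:1844 209.8.118.27:80   209.8.118.27:80
"""

DEBUG_LOG = """\
*Nov 17 21:27:48.022: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.026: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.030: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:29:16.494: NAT*: o: tcp (198.246.0.22, 110) -> (74.207.112.117, 1967) [2487]
"""

# IOS pads single-digit days with two spaces, hence ' +' between month and day.
FAIL_RE = re.compile(r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: NAT\*: Can't create new inside entry")


def pool_size(pool_line):
    """Addresses in an 'ip nat pool NAME START END ...' line, inclusive of both ends."""
    f = pool_line.split()
    start, end = f[f.index("pool") + 2], f[f.index("pool") + 3]
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


def _endpoint(s):
    host, port = s.rsplit(":", 1)
    return host, int(port)


def parse_translations(text):
    """Rows of 'show ip nat translations': proto, inside global, inside local,
    outside local, outside global, each endpoint as (address, port)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue  # header line or a non-extended entry
        proto, ig, il, ol, og = f
        rows.append({"proto": proto, "ig": _endpoint(ig), "il": _endpoint(il),
                     "ol": _endpoint(ol), "og": _endpoint(og)})
    return rows


def is_one_to_one(rows):
    """True when every inside global belongs to a single inside local and the source
    port is carried through unchanged: the signature of dynamic NAT without 'overload'."""
    owner = {}
    for r in rows:
        if r["ig"][1] != r["il"][1]:
            return False
        if owner.setdefault(r["ig"][0], r["il"][0]) != r["il"][0]:
            return False
    return True


def active_hosts(rows):
    """Distinct inside-local addresses; under dynamic NAT each one holds a pool address."""
    return len({r["il"][0] for r in rows})


def simulate_pat(rows):
    """Model 'overload' on one inside-global address: a session keeps its source port
    while that (proto, port) is free on the address, otherwise IOS would have to rewrite it."""
    used, rewrites = set(), 0
    for r in rows:
        key = (r["proto"], r["il"][1])
        if key in used:
            rewrites += 1
        else:
            used.add(key)
    return {"addresses": 1 if rows else 0, "sessions": len(rows), "port_rewrites": rewrites}


def failures_per_second(log):
    """Count 'Can't create new inside entry' lines per wall-clock second."""
    c = Counter()
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            c[m.group("ts")] += 1
    return dict(c)


def report(pool_line=POOL_LINE, trans=SHOW_NAT_TRANS, log=DEBUG_LOG):
    rows = parse_translations(trans)
    size, hosts = pool_size(pool_line), active_hosts(rows)
    return {
        "pool_size": size,
        "active_hosts": hosts,
        "dynamic_nat_headroom": size - hosts,  # addresses still free if every host holds one
        "looks_one_to_one": is_one_to_one(rows),
        "pat": simulate_pat(rows),
        "failure_bursts": failures_per_second(log),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

For the snapshot posted, three inside hosts hold three of the 60 pool addresses and the pool's own counter shows misses 0, so the host count alone does not account for the "Can't create new inside entry" burst; the same eight sessions would fit on a single global address under overload with no port rewrite, which is the saving Peter describes. Feed the script a translation table and debug capture taken during a flap to compare.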

I do have an application that may not work properly with PAT. I upgraded the IOS to the latest stable version last night and the errors went away. I am waiting for that office to open this morning in order to conduct some more thorough testing. Hopefully the issue is resolved. If not, I will try testing with PAT.

Hello,

Sure, give it a try. And please let me know.

Best regards,

Peter

Looks like the IOS upgrade did the trick.
