Static NAT problem on ME6524 running VRF-Lite

(Apologies for the cross-post - I've not had any responses in LAN Routing & Switching for several days, so trying here, as this is getting to be a quite serious issue for us)

Hi All,

I'm having a rather bizarre and highly annoying problem with static NAT on an ME6524.

I've created a virtual router (VRF CORPNET) which has one physical L3 interface, one SVI and one Loopback.

This virtual router has the sole purpose of NATing our internet-addressable IP addresses to another set of addresses on our Corporate WAN.

There are two NAT rules - a single 1-1 Static NAT, and an overload NAT for everything else, which uses the Loopback address.

The 1-1 Static NAT is used to NAT our VPN ASA, which is used to establish a Site-Site VPN to one of our counterparts on the Corporate WAN.

This works fine most of the time; however, once or twice a day the NAT just stops working, our Site-Site VPN drops, and traffic is being seen on our counterpart's firewall with the source address un-NATed (they see 200.200.200.1, when they should see 30.30.30.65).

When we go onto the 6524 and do a show ip nat translations we get the following (200.200.200.1 is our VPN ASA - 200.200.200.10 is just user traffic):

ZR-BDG1-6524#sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
udp 30.30.30.65:500     200.200.200.1:500       30.30.40.4:500      30.30.40.4:500
udp 30.30.30.65:500     200.200.200.1:500       30.30.40.4:500      30.30.40.4:500
udp 30.30.30.65:500     200.200.200.1:500       30.30.40.4:500      30.30.40.4:500
udp 30.30.30.65:4500    200.200.200.1:4500      30.30.40.4:4500     30.30.40.4:4500
--- 30.30.30.65         200.200.200.1           ---                   ---
tcp 30.30.30.64:4137    200.200.200.10:34924    32.21.11.6:443      32.21.11.6:443
tcp 30.30.30.64:4123    200.200.200.10:47371    32.21.11.6:443      32.21.11.6:443

As you can see, for some reason we have multiple identical PAT entries for port 500.

While this is the case, traffic from our VPN ASA is crossing the box without being NATed.

If I issue a clear ip nat trans * then the situation is immediately resolved, and the VPN reconnects without issue.

Please see sanitised config attached.

Has anyone seen this issue before, or can assist in troubleshooting this problem?

Many thanks in advance.

Nick
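The symptom shown in the post (identical PAT rows repeated for a host that also has a 1-1 static entry) can be caught by a monitoring check before the VPN drops. This is an added example, not code from the original post: the sample below is a constructed copy of the quoted table, and the parser assumes the five-column layout of `show ip nat translations` seen there.

```python
"""Flag duplicated PAT rows in `show ip nat translations` output."""
from collections import Counter

# Constructed sample, copied from the table quoted in the post (sanitised addresses).
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 30.30.30.65:500     200.200.200.1:500       30.30.40.4:500      30.30.40.4:500
udp 30.30.30.65:500     200.200.200.1:500       30.30.40.4:500      30.30.40.4:500
udp 30.30.30.65:500     200.200.200.1:500       30.30.40.4:500      30.30.40.4:500
udp 30.30.30.65:4500    200.200.200.1:4500      30.30.40.4:4500     30.30.40.4:4500
--- 30.30.30.65         200.200.200.1           ---                   ---
tcp 30.30.30.64:4137    200.200.200.10:34924    32.21.11.6:443      32.21.11.6:443
tcp 30.30.30.64:4123    200.200.200.10:47371    32.21.11.6:443      32.21.11.6:443
"""


def parse_translations(text):
    """Return (proto, inside_global, inside_local, outside_local, outside_global) tuples.

    The header line splits into more than five words and is skipped; a static
    1-1 entry shows up with proto '---' and no ports.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        rows.append(tuple(parts))
    return rows


def split_host(addr):
    """'200.200.200.1:500' -> ('200.200.200.1', '500'); '200.200.200.1' -> (host, None)."""
    host, _, port = addr.partition(":")
    return host, (port or None)


def static_hosts(rows):
    """Inside-local hosts covered by a 1-1 static entry (the '---' rows)."""
    return {row[2] for row in rows if row[0] == "---"}


def duplicate_entries(rows):
    """Dynamic rows that appear more than once, mapped to their repeat count."""
    counts = Counter(row for row in rows if row[0] != "---")
    return {row: n for row, n in counts.items() if n > 1}


def check(text):
    """Report each duplicated row and whether its host also has a static mapping."""
    rows = parse_translations(text)
    statics = static_hosts(rows)
    findings = []
    for row, n in duplicate_entries(rows).items():
        host, port = split_host(row[2])
        findings.append({"proto": row[0], "inside_local": host, "port": port,
                         "count": n, "static_covered": host in statics})
    return findings
```

Run against the sample, `check()` returns one finding: three identical udp/500 rows for 200.200.200.1, a host that also has a static entry, which is the state in which the poster sees un-NATed traffic.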

Update:

Have updated IOS from 12.2(33)SXI5 to SXI8 this morning.

Am currently monitoring the situation.

Nick
