Cisco Support Community

New Member

Advanced NAT problem

I have a Cisco 1720 router with a leased line to the internet and ISDN backup to the internet. The ISDN backup is using the "backup interface" method. My ISP assigns a different IP pool for my leased line and ISDN. So I use a route-map so that the router will select the appropriate pool when using the leased line or ISDN.

For testing purposes, when I am connected using the leased line, I issue a continuous ping to my ISP's primary DNS server. When I remove the leased line connection, the ISDN kicks in and runs fine, but my ping never recovers from "request timeout"! If I stop the ping and issue a new ping to my ISP's secondary DNS server, I get a reply. When I cancel this ping and ping back, it still gets request timeout!

Now when I put back the leased line connection, the ISDN goes down. Now I can ping but I cannot ping

It seems like the NAT translation for continuously sticks to the leased line although I am using the ISDN backup. Likewise the NAT translation for sticks to the ISDN connection even though I am using the leased line.

Why? How do I solve this problem?


Re: Advanced NAT problem

I'd suggest running some debugs the next time you test the failover to see what is happening to the translations... debug ip nat and debug ip nat detailed.

Cisco Employee

Re: Advanced NAT problem

First you need to make sure that the DNS servers, primary and secondary, assigned via the leased line and via the ISDN PPP link are the same.

Now you can automatically clear those NAT entries using the command "ip nat translation .....". You can use "ip nat translation dns-timeout 5", where 5 is in seconds, to clear that DNS NAT entry in 5 seconds.

Please visit the following URL for more on that

New Member

Re: Advanced NAT problem

The DNS server is the same for the leased line and ISDN. Pinging the DNS server is just an example. It happens even when I ping another fixed public IP. Does the "ip nat translation dns-timeout 5" command resolve issues like pinging another fixed public IP?

New Member

Re: Advanced NAT problem

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

My config is as follows:

--moderator edit-- router#sh ru
Building configuration...

Current configuration : 1709 bytes

version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption

hostname --moderator edit-- router

logging rate-limit console 10 except errors
enable secret 5 --moderator edit-- xxxxxxx

memory-size iomem 25
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup

isdn switch-type basic-net3

interface BRI0
 ip address --moderator edit-- nnn.nn.nn.250
 ip nat outside
 encapsulation ppp
 dialer idle-timeout 60
 dialer map ip --moderator edit-- nnn.nn.nn.249 name --moderator edit-- router 65375200
 dialer-group 1
 isdn switch-type basic-net3
 ppp authentication pap callin
 ppp pap sent-username --moderator edit-- router password 7 --moderator edit--

interface FastEthernet0
 ip address --moderator edit-- qqq.qqq.qqq.4
 ip nat inside
 speed auto

interface Serial0
 backup delay 0 30
 backup interface BRI0
 ip address --moderator edit-- rrr.rr.rr.250
 no ip proxy-arp
 ip nat outside
 no cdp enable

ip nat pool MAYPOOL --moderator edit-- --moderator edit-- netmask
ip nat pool Leased_Line_Pool --moderator edit-- vvv.vvv.vvv.33 --moderator edit-- vvv.vvv.vvv.33 prefix-length 28
ip nat inside source route-map ISDN_Map pool MAYPOOL overload
ip nat inside source route-map Leased_Line_Map pool Leased_Line_Pool overload
ip classless
ip route --moderator edit-- rrr.rr.rr.249
ip route --moderator edit-- nnn.nn.nn.249 200
no ip http server

access-list 1 permit --moderator edit-- ttt.ttt.0.0
dialer-list 1 protocol ip permit
route-map ISDN_Map permit 10
 match ip address 1
 match interface BRI0

route-map Leased_Line_Map permit 10
 match ip address 1
 match interface Serial0

line con 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 password 7 --moderator edit--

no scheduler allocate


New Member

Re: Advanced NAT problem

Take the "match ip address 1" statement out of both of the route-maps, since basically you are defining the same rule in two different route-maps.

Once the "match ip address 1" rule gets parsed, NAT in effect does not bother with the other rules.

The catch here is to have the policies in your route-maps as different as possible. Try just with the match interface statement, and that should work for you.

New Member

Re: Advanced NAT problem

I have a similar problem using route-maps with two different pools. The situation occurs when the first link goes down and the second link assumes the connection, but NAT doesn't change the pool unless I enter a manual command like clear ip nat translation *.

Some part of my configuration is as follows:

interface Serial0/0:0
 ip address
 ip nat outside

interface Serial0/1:0
 ip address
 ip nat outside

ip nat pool RS102 netmask
ip nat pool RS101 netmask
!two different pools
ip nat inside source route-map POOL1 pool RS101
ip nat inside source route-map POOL2 pool RS102
!two different route-maps
ip route
ip route 50
!two default routes with different administrative distance
access-list 10 permit
access-list 20 permit
route-map POOL2 permit 10
 match ip next-hop 20

route-map POOL1 permit 10
 match ip next-hop 10

ip nat translation timeout 10

NAT translation never expires!

cpe-nat-multi-h#sh ip nat tran ic ver
Pro Inside global      Inside local       Outside local      Outside global

    create 00:00:29, use 00:00:00, left 00:00:09, Map-Id(In): 1,

    create 00:00:25, use 00:00:00, left 00:00:09, Map-Id(In): 1,

C is directly connected, Serial0/1:0 is subnetted, 1 subnets
C is directly connected, FastEthernet3/0
S* [50/0] via

IOS software: c3640-jsx-mz.122-13.T.bin

NAT doesn't apply the condition defined in the route-maps to change the pool (even using only one statement in each route-map).

Does this problem represent a Bug? Any suggestion?
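Both configurations above run into the same mechanism, and the example below is added here to show one way of dealing with it; it is not code from either poster or from the Cisco document mentioned later in the thread. IOS NAT looks up an existing entry in the translation table first and consults the route-map (and so "match interface" or "match ip next-hop") only when it has to create a new entry. An entry created while the primary link was up therefore keeps its inside global address from the primary pool after the failover, every packet of the running ping refreshes its timer (which is what "use 00:00:00, left 00:00:09" in the verbose output above shows), and the packets leave the backup link with a source address the ISP does not accept there. Shortening the timers does not help while traffic is flowing; what helps is flushing the table when the primary link changes state, which is what the manual "clear ip nat translation *" did. The example uses the first poster's interface, pool and route-map names; the pool and inside addresses are RFC 5737 documentation addresses standing in for the ones the moderator removed; and the object-tracking and EEM applet commands assume an IOS release that has them (12.3(14)T / 12.4 and later), which the 12.1 and 12.2(13)T images in the thread predate. Only the NAT-relevant lines are shown.

```ios
! Added example, not the thread's own configuration. Addresses are RFC 5737
! documentation ranges standing in for the moderator-removed ones; the
! "track" and "event manager" commands need 12.3(14)T / 12.4 or later.
!
interface Serial0
 backup delay 0 30
 backup interface BRI0
 ip nat outside
!
interface BRI0
 ip nat outside
!
interface FastEthernet0
 ip nat inside
!
ip nat pool Leased_Line_Pool 192.0.2.33 192.0.2.33 prefix-length 28
ip nat pool MAYPOOL 198.51.100.33 198.51.100.33 prefix-length 28
!
! Within one route-map sequence the match clauses are ANDed: "inside hosts
! permitted by ACL 1 whose egress interface is Serial0". This part is only
! consulted when a translation is first created, never for an existing entry.
access-list 1 permit 10.10.0.0 0.0.255.255
route-map Leased_Line_Map permit 10
 match ip address 1
 match interface Serial0
route-map ISDN_Map permit 10
 match ip address 1
 match interface BRI0
!
ip nat inside source route-map Leased_Line_Map pool Leased_Line_Pool overload
ip nat inside source route-map ISDN_Map pool MAYPOOL overload
!
! Track the primary link. Both the failover (up -> down) and the fallback
! (down -> up) leave stale entries behind, so fire on any state change.
track 1 interface Serial0 line-protocol
!
event manager applet NAT_FLUSH_ON_SERIAL0_CHANGE
 event track 1 state any
 action 1.0 syslog msg "Serial0 line-protocol changed state; flushing NAT translations"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
```

After a state change, "show ip nat translations verbose" should show freshly created entries whose Map-Id(In) is the other mapping and whose inside global address comes from the other pool; "debug ip nat", as suggested earlier in the thread, shows the same thing per packet. The flush drops every dynamic translation, including sessions that were still working, but those sessions' source addresses are unreachable on the new link anyway. With "backup interface", BRI0 only comes up after Serial0's line protocol drops plus the "backup delay", so tracking Serial0's line protocol is the right trigger for the first configuration; for the second poster's two serial links with floating static routes and "match ip next-hop", track the primary serial the same way. If the far end can fail while the local line protocol stays up, an IP SLA probe tracked with "track N ip sla M reachability" (another feature not in the thread) is the better trigger. With "overload", as in the first configuration, the per-protocol timers ("ip nat translation icmp-timeout", "udp-timeout", "tcp-timeout", "dns-timeout") apply instead of the generic "ip nat translation timeout", and an entry that is in continuous use is refreshed under either.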



Re: Advanced NAT problem

This is interesting, but the real problem here is the ISP that's making people buy two address pools. That's ridiculous and unnecessary. For one thing it means you cannot have any incoming traffic, no onsite servers for email or web hosting. Your DNS on the internet will only point to one of the address spaces, and it can take 7 days to update DNS on the internet. Not a very good failover time. The ISP should be able to reroute to the same pool through the ISDN backup.

To make this work you need to make the route-maps sensitive to the status of the WAN circuit. I don't think that's possible.

New Member

Re: Advanced NAT problem

Thanks for the answer, but the explanation is trying to show that the change from one pool to another doesn't work correctly, because every kind of combination was already configured in the route-maps (match interface, match ip next-hop) and the NAT translation never expires the time for the instance, because it doesn't use the information in the route-maps.

These two statements can be sensitive to the status of the WAN circuit, but unfortunately the pools are not changed if one link goes down, because NAT seems not to use the information in the route-maps.

This case is not a commercial case but a technical one, and the customer will not "buy" two addresses from the same ISP. He has a configuration with two different addresses from two ISPs and is trying to use some kind of automatic redundancy without BGP.


Re: Advanced NAT problem

Have you seen this doc? It might help; it's called NAT Order of Operation.