Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

NAT: translation failed (A), dropping packet

Hi

I'm having troubles with my Cisco 2610 (IOS 12.2(21)). I'm running NAT, which is working just fine, but recently I got a strange error when trying to connect a VPN-tunnel from inside the router to a network outside.

I get tons of (10.0.17.53 is the client inside the router):

1d01h: NAT: translation failed (A), dropping packet s=10.0.17.53 d=192.6.x.x

This is weird, because it seems to be NATing ok. Got this a few packets before the one above:

1d01h: NAT*: i: udp (10.0.17.53, 500) -> (192.6.x.x, 500) [6851]

1d01h: NAT*: s=10.0.17.53->213.113.y.y, d=192.6.x.x [6851]

1d01h: NAT*: o: udp (192.6.x.x, 500) -> (213.113.y.y, 500) [16623]

1d01h: NAT*: s=192.6.x.x, d=213.113.y.y->10.0.17.53 [16623]

So I'm really confused now. Doesn't "s=10.0.17.53 d=192.6.x.x" mean that it tries to NAT a packet from inside to 192.6.x.x? How can that fail?

Here's the important parts of my config:

ip subnet-zero

!

ip dhcp pool inside

network 10.0.17.0 255.255.255.0

default-router 10.0.17.2

!

interface Ethernet0/0

ip address 10.0.17.2 255.255.255.0

ip nat inside

half-duplex

no cdp enable

!

interface Ethernet1/0

ip address dhcp

no ip proxy-arp

ip nat outside

half-duplex

no cdp enable

!

ip nat translation timeout 3600

ip nat translation tcp-timeout 3600

ip nat translation udp-timeout 3600

ip nat translation icmp-timeout 3600

ip nat inside source list 1 interface Ethernet1/0 overload

ip classless

access-list 1 permit 10.0.17.0 0.0.0.255

no cdp run

3 REPLIES

Re: NAT: translation failed (A), dropping packet

You mean NAT normally works but fails with IPSec packets? Correct me if I'm wrong. If this is true, where does IPSec begin adn end?

Regards.

Community Member

Re: NAT: translation failed (A), dropping packet

Yep, NAT normally works. It might be IPSec that fails, do I need to forward any ports? When I try to connect with the client it suceeds to connect, but it don't receive any data (except for the connection data). Any ideas?

Thanks

Re: NAT: translation failed (A), dropping packet

As far as I know NAT is incompatible with IPSec because of its nature (Basically NAT tries to change address field in IP header, PAT even changes IP addresses and port numbers in TCP/UDP headers, But IPSec authenticates/encapsulates original packet and therefore if NAT tries to change the packet integrity will be lost). But I think there are some solutions in newer versions of IOS. Document below illustrates a scenario just like yours:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ecd.shtml

And a newer feature called NAT-Transperancy:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

Hope these helps, I didn't try them.

Regards.

2545
Views
0
Helpful
3
Replies
CreatePlease to create content