Cisco Support Community
Community Member

NAT: translation failed (A), dropping packet


I'm having trouble with my Cisco 2610 (IOS 12.2(21)). I'm running NAT, which is working just fine, but recently I got a strange error when trying to connect a VPN tunnel from inside the router to a network outside.

I get tons of ( is the client inside the router):

1d01h: NAT: translation failed (A), dropping packet s= d=192.6.x.x

This is weird, because it seems to be NATing ok. Got this a few packets before the one above:

1d01h: NAT*: i: udp (, 500) -> (192.6.x.x, 500) [6851]
1d01h: NAT*: s=>213.113.y.y, d=192.6.x.x [6851]
1d01h: NAT*: o: udp (192.6.x.x, 500) -> (213.113.y.y, 500) [16623]
1d01h: NAT*: s=192.6.x.x, d=213.113.y.y-> [16623]

So I'm really confused now. Doesn't "s= d=192.6.x.x" mean that it tries to NAT a packet from inside to 192.6.x.x? How can that fail?

Here's the important parts of my config:

ip subnet-zero

ip dhcp pool inside

interface Ethernet0/0
 ip address
 ip nat inside
 no cdp enable

interface Ethernet1/0
 ip address dhcp
 no ip proxy-arp
 ip nat outside
 no cdp enable

ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 3600
ip nat translation icmp-timeout 3600
ip nat inside source list 1 interface Ethernet1/0 overload
ip classless
access-list 1 permit
no cdp run


Re: NAT: translation failed (A), dropping packet

You mean NAT normally works but fails with IPSec packets? Correct me if I'm wrong. If this is true, where does IPSec begin and end?


Community Member

Re: NAT: translation failed (A), dropping packet

Yep, NAT normally works. It might be IPSec that fails; do I need to forward any ports? When I try to connect with the client, it succeeds in connecting, but it doesn't receive any data (except for the connection data). Any ideas?


Re: NAT: translation failed (A), dropping packet

As far as I know, NAT is incompatible with IPSec because of its nature. (Basically, NAT tries to change the address field in the IP header, and PAT even changes IP addresses and port numbers in TCP/UDP headers, but IPSec authenticates/encapsulates the original packet, and therefore if NAT tries to change the packet, integrity will be lost.) But I think there are some solutions in newer versions of IOS. The document below illustrates a scenario just like yours:

And a newer feature called NAT-Transparency:

Hope these help; I didn't try them.
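
To illustrate the reply above, here is an added example (not from the thread or from Cisco) that models why a NAT address rewrite breaks an AH integrity check but not an ESP one, and why carrying ESP inside UDP gives overload NAT a port to map. The key, the addresses and the behaviour of `pat` for port-less packets are constructed assumptions; real devices differ in how they treat protocols without ports.

```python
import hashlib
import hmac
import ipaddress
KEY = b"constructed-demo-key"   # constructed; stands in for the SA's integrity key
INSIDE, PUBLIC, PEER = "10.0.0.5", "203.0.113.10", "198.51.100.20"  # constructed

def icv(data: bytes) -> bytes:
    """Truncated HMAC-SHA1, the shape of an IPSec integrity check value."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def packed(address: str) -> bytes:
    return ipaddress.IPv4Address(address).packed

def protect(mode: str, src: str, dst: str, payload: bytes) -> dict:
    """Build a packet protected the way each IPSec encapsulation protects it."""
    pkt = {"src": src, "dst": dst, "sport": None, "payload": payload}
    if mode == "ah":         # AH authenticates the IP addresses and the payload
        pkt.update(proto=51, icv=icv(packed(src) + packed(dst) + payload))
    elif mode == "esp":      # ESP authenticates only what follows the IP header
        pkt.update(proto=50, icv=icv(payload))
    elif mode == "esp-udp":  # NAT traversal: the same ESP body inside UDP/4500
        pkt.update(proto=17, icv=icv(payload), sport=4500)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return pkt

def static_nat(pkt: dict) -> dict:
    """One-to-one NAT: rewrites only the source address."""
    return {**pkt, "src": PUBLIC}

def pat(pkt: dict, mapped_port: int = 62000):
    """Overload NAT (assumed model): needs a source port to build a mapping."""
    if pkt["sport"] is None:
        return None          # nothing to multiplex on, so no translation is made
    return {**pkt, "src": PUBLIC, "sport": mapped_port}

def verify(pkt) -> bool:
    """Receiver side: recompute the ICV over the packet as it arrived."""
    if pkt is None:
        return False
    covered = pkt["payload"]
    if pkt["proto"] == 51:
        covered = packed(pkt["src"]) + packed(pkt["dst"]) + covered
    return hmac.compare_digest(icv(covered), pkt["icv"])

if __name__ == "__main__":
    for mode in ("ah", "esp", "esp-udp"):
        pkt = protect(mode, INSIDE, PEER, b"constructed payload")
        print(mode, "static:", verify(static_nat(pkt)), "pat:", verify(pat(pkt)))
```

In this model only the UDP-encapsulated packet both gets a translation from overload NAT and still verifies at the peer.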

