Cisco Support Community

NAT overload / VRF problem


I have a router 2821 in IOS 12.4, configured with IP dynamic NAT (overloaded) with different VRF.

IP flows correctly, but after 1 hour on the VRF_FIRST and 4 hours on the VRF_SECOND, the users' application hangs.

One solution found was to create a STATIC IP NAT TRANSLATION for one user. In this case the problem doesn't appear. But because we have a large number of users, this solution is impossible for all users.

The only solution (for the moment) is to clear the IP NAT translation table in the VRF.

Is there a solution to resolve this problem?

Please note that we DON'T want to route between the two VRF.

Thanks for your help.

The config is in the file attached to this post:


Re: NAT overload / VRF problem

NAT must be enabled for this symptom to occur. The problem is seen when an application uses two well-known ports: one for source and the other for destination. The outgoing translation is created, but on the return trip, using the previous source port as the destination, NAT may use the incorrect algorithm.

For example, if a PPTP session is initiated to the well-known port 1723 from source port 21 (FTP), then the outgoing packet will create an FTP translation (we look at source information when going from in->out). When the packet is returned, we again look at the source information to know what kind of packet this is. In this case the source port will be 1723, and NAT will assume this is a PPTP packet. This will try to perform PPTP NAT operations on a data structure that NAT built for an FTP packet and may lead to a crash.
For example, if a PPTP session is initiated to the well known port 1723 from source port 21 (FTP), then the outgoing packet will create a FTP translation (we look at source information when going from in->out). When the packet is returned, we again look at the source information to know what kind of packet this is. In this case we have the source port will be 1723, and NAT will assume this is a PPTP packet. This will try to perform PPTP NAT operations on a data structure that NAT built for a FTP packet and may lead to a crash.