NAT tables

I have a redundant WAN with two ISPs. When one link fails it connects out over the other; for HTTP etc. this works instantly.

Behind the router (1800) is a PIX doing IPsec. The remote peer has two addresses for the PIX. When I take one interface down it takes around 10 minutes for the NAT table on the router to change to the new outside WAN address, hence the VPN doesn't come up till then. I have dynamic NAT set up for all traffic, and static NAT from both outside interfaces to the outside address of the PIX. The NAT rules forward UDP/500 and UDP/4500, used for IPsec NAT traversal.

Does anyone know how to reduce the time the NAT table checks for valid connections? Bear in mind the NAT table keeps a connection even when I have disabled the associated interface.

Thanks,

10 REPLIES
Purple

Re: NAT tables

Howdy,

You can adjust the NAT timeouts using:

ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | pptp-timeout | syn-timeout | port-timeout} {seconds | never}

Hope that helps.

Paresh

New Member

Re: NAT tables

I tried that and changed the UDP timeout to 5 seconds. I believe the default is 5 min for UDP and 1 min for DNS. It still takes several minutes before the UDP/4500 IPsec NAT-T traffic disappears from the NAT table, even when the interface is shut down or disabled. The IPsec from the PIX does reconnect eventually, but only after the NAT rule on the router goes, which can take over 10 mins depending on the SA lifetime and then the NAT lifetime.

I'm sure Cisco recommend this as a way to add redundancy to a PIX, with a router and multiple WAN interfaces.

Anyone else got this working (fast)?

Purple

Re: NAT tables

Hi,

Is it possible for you to post the relevant config?

There may be a workaround...

Paresh

New Member

Re: NAT tables

No problem.

192.100.151.1 is the PIX (outside)

See attachment

Purple

Re: NAT tables

Hi again,

It does not appear to be a NAT issue. I believe you need to adjust the timers on your remote peer (the one with the 2 addresses configured for your PIX). Since the translations you have got are static, NAT timeouts are not the concern here. As soon as a packet comes in from the remote peer (addressed to your backup IP) the translation should work.

In some testing I did a few months ago, I found that when using the extendable keyword for inside static translations, sessions initiated from the inside network always used the lowest-numbered inside global address specified, even if you had multiple inside global addresses configured. It was only when inbound sessions came in that the other entries were used. So if you can adjust the time for the remote peer to switch to the backup IP, I believe your problem may be solved.

Hope that helps - pls rate posts that help.

Regards,

Paresh

New Member

Re: NAT tables

Do you mean alter the ISAKMP keepalives on both PIXs to adjust the timers? I have changed these to 10 seconds and retry after 10. One side effect of doing this is that if I disable the primary it switches over OK. When I turn the primary back on it's sticking with the backup route for the IPsec traffic. HTTP etc. is back to using the main link.

That is interesting about the order of the NAT rules; I will try switching the order to see if that helps.

Purple

Re: NAT tables

Yeah, I did mean the ISAKMP timers... It's strange that it's still taking so long.

Paresh

New Member

Re: NAT tables

Yes, I can see on the router NAT that various UDP/500 and eventually UDP/4500 NAT entries occur. I'm not sure if the PIX is responding quickly enough before it retries. I also find it strange that although NAT traversal is set on both PIXs, it tries UDP/500 first. It is now switching over very quickly from FE0/0 to ATM. One drawback I think of the ISAKMP keepalives is that it is still using the ATM even when the FE0/0 comes back. I have a static route and policy-based routing set. I'm guessing this is about as good as it gets!
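As an added illustration (not the poster's attached config, which is not on this page), here is how the setup discussed in this thread would be expressed in IOS and PIX 6.x syntax: the udp-timeout from Paresh's first reply, extendable static entries for UDP/500 and UDP/4500 from both WAN addresses to the PIX outside address, and the keepalive values the poster describes. The WAN addresses 203.0.113.10 and 198.51.100.10 and the interface names FastEthernet0/0 and ATM0 are assumed placeholders.

```cisco
! --- On the 1800 router (IOS) ---
! Shorten how long an idle UDP translation (e.g. a stale IKE/NAT-T entry)
! stays in the NAT table; the default is 300 seconds. Static entries below
! do not age out on this timer, only the per-session entries they spawn.
ip nat translation udp-timeout 5
!
! Port-specific static translations for IKE (UDP/500) and NAT-T (UDP/4500)
! from each WAN address to the PIX outside address (192.100.151.1, from the
! thread). "extendable" allows the same inside address/port to be mapped to
! more than one inside global address. Note Paresh's observation: outbound
! sessions from the PIX use the lowest-numbered global address; the other
! entry is only exercised when the remote peer initiates to it.
! 203.0.113.10 (ISP A) and 198.51.100.10 (ISP B) are placeholder addresses.
ip nat inside source static udp 192.100.151.1 500  203.0.113.10 500  extendable
ip nat inside source static udp 192.100.151.1 4500 203.0.113.10 4500 extendable
ip nat inside source static udp 192.100.151.1 500  198.51.100.10 500  extendable
ip nat inside source static udp 192.100.151.1 4500 198.51.100.10 4500 extendable
!
! Interface names are assumed; both WAN links are NAT outside.
interface FastEthernet0/0
 ip nat outside
!
interface ATM0
 ip nat outside
!
interface FastEthernet0/1
 ip nat inside
!
! Check which global address the IKE/NAT-T entries are currently using
! during a failover test:
!   show ip nat translations
!
! --- On each PIX (6.x syntax) ---
! NAT-T with a 20 s NAT keepalive, and ISAKMP keepalives every 10 s with a
! 10 s retry, so a dead path is noticed in tens of seconds instead of
! waiting for the SA lifetime to run out.
isakmp nat-traversal 20
isakmp keepalive 10 10
```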

Purple

Re: NAT tables

So how long is it taking to switch over now ?

Paresh

New Member

Re: NAT tables
