topic static nat oddity in Network Security

static nat oddity

Cameron Webster — Tue, 12 Mar 2019 02:49:17 GMT

I raised this post https://supportforums.cisco.com/thread/2243503 and have decided to re-post as a separate issue that was part of the original.

I have a cisco 1921 router which is not sticking to static NAT entries I have configured:

ip nat inside source static udp 10.22.0.81 7024 222.201.202.203 7024 route-map rmap-nat extendable

1921#sh ip nat translations udp | inc 10.22.0.81

udp 222.201.202.203:7039 10.22.0.81:7024 111.101.102.103:5006 111.101.102.103:5006

The router is not translating as per the config which is preventing VOIP calls to phones outside (well inbound udp audio is not getting in)

The route map contains an acl to prevent VPN traffic being natted:

1921#sh access-lists acl-phone-nat

Extended IP access list acl-phone-nat

10 deny ip 10.22.0.0 0.0.0.255 192.168.0.0 0.0.255.255 (1497060 matches)

20 permit ip 10.22.0.0 0.0.0.255 any (319231 matches)

Any ideas among the community about what is going wrong?

Thanks

Cammy

static nat oddity

Patrick Moubarak — Wed, 09 Oct 2013 19:33:21 GMT

can you post your NAT config on the interfaces (ip nat inside/outside or ip nat enable)

are you initiating traffic from the 10.22.0.81 or from the outside in?

Patrick

static nat oddity

Cameron Webster — Thu, 10 Oct 2013 07:20:04 GMT

The interface config is at the bottom (public and private IP's obviously changed in all posts - the public IP in use for natting is not on the same subnet as the outside interface, but I have two public ranges routed). I've also noticed that the nat seems to pick the highest inside global port number from among the static nat statements for that inside local IP address. Not very well explained but if I had these nat statements:

ip nat inside source static udp 10.22.0.81 7024 222.201.202.203 7024 route-map rmap-nat extendable

ip nat inside source static udp 10.22.0.81 7025 222.201.202.203 7025 route-map rmap-nat extendable

ip nat inside source static udp 10.22.0.81 7026 222.201.202.203 7026 route-map rmap-nat extendable

ip nat inside source static udp 10.22.0.81 10000 222.201.202.203 10000 route-map rmap-nat extendable

Then show ip nat translations | inc 10.224.0.81 would show:

udp 222.201.202.203:10000 10.22.0.81:7024 111.101.102.103:5006 111.101.102.103:5006

interface GigabitEthernet0/0

description WAN-Interface

ip address 80.201.202.114 255.255.255.224

ip flow ingress

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

duplex full

speed 100

crypto map cmap-vpn

interface GigabitEthernet0/1

description LAN-Interface

ip address 10.200.4.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

duplex full

speed 1000

Thanks

Cammy

static nat oddity

Patrick Moubarak — Fri, 11 Oct 2013 03:56:03 GMT

Hi Cammy,

I just tried this and couldn't reproduce the problem.

the only reasons I can see is:

1- you have another NAT that translates to another address (conflicting)

2- the extendable keyword; try removing it...

Patrick

static nat oddity

Cameron Webster — Mon, 14 Oct 2013 13:15:32 GMT

Hi Patrick

Annoyingly, there are no conflicting nat entries and the extendable keyword cannot be removed (the router automatically adds it).

Is anyone aware of any IOS bugs in c1900-universalk9-mz.SPA.151-4.M2 that might cause this?

Thanks

Cammy

static nat oddity

Cameron Webster — Wed, 16 Oct 2013 13:56:07 GMT

This seems to be a an issue with static nat entries for udp only. Am I missing something in the config that would make udp static nat work properly?

Thanks

Cammy

static nat oddity

Patrick Moubarak — Wed, 16 Oct 2013 18:39:58 GMT

Maybe a packet capture can help you solve this mistery... are u running the inspects for the VoIP protocol (ip inspect h323...)

You may want to open a case with the TAC to resolve this

Patrick