10-09-2013 08:04 AM - edited 03-11-2019 07:49 PM
Hi
I raised this post https://supportforums.cisco.com/thread/2243503 and have decided to re-post as a separate issue that was part of the original.
I have a Cisco 1921 router which is not sticking to the static NAT entries I have configured:
ip nat inside source static udp 10.22.0.81 7024 222.201.202.203 7024 route-map rmap-nat extendable
1921#sh ip nat translations udp | inc 10.22.0.81
udp 222.201.202.203:7039 10.22.0.81:7024 111.101.102.103:5006 111.101.102.103:5006
The router is not translating as per the config, which is preventing VOIP calls to phones outside (well, inbound UDP audio is not getting in).
The route map contains an acl to prevent VPN traffic being natted:
1921#sh access-lists acl-phone-nat
Extended IP access list acl-phone-nat
10 deny ip 10.22.0.0 0.0.0.255 192.168.0.0 0.0.255.255 (1497060 matches)
20 permit ip 10.22.0.0 0.0.0.255 any (319231 matches)
Any ideas among the community about what is going wrong?
Thanks
Cammy
10-09-2013 12:33 PM
Can you post your NAT config on the interfaces (ip nat inside/outside or ip nat enable)?
Are you initiating traffic from 10.22.0.81 or from the outside in?
Patrick
10-10-2013 12:20 AM
Hi
The interface config is at the bottom (public and private IPs obviously changed in all posts - the public IP in use for natting is not on the same subnet as the outside interface, but I have two public ranges routed). I've also noticed that the NAT seems to pick the highest inside global port number from among the static NAT statements for that inside local IP address. Not very well explained, but if I had these NAT statements:
ip nat inside source static udp 10.22.0.81 7024 222.201.202.203 7024 route-map rmap-nat extendable
ip nat inside source static udp 10.22.0.81 7025 222.201.202.203 7025 route-map rmap-nat extendable
ip nat inside source static udp 10.22.0.81 7026 222.201.202.203 7026 route-map rmap-nat extendable
ip nat inside source static udp 10.22.0.81 10000 222.201.202.203 10000 route-map rmap-nat extendable
Then show ip nat translations | inc 10.224.0.81 would show:
udp 222.201.202.203:10000 10.22.0.81:7024 111.101.102.103:5006 111.101.102.103:5006
interface GigabitEthernet0/0
 description WAN-Interface
 ip address 80.201.202.114 255.255.255.224
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex full
 speed 100
 crypto map cmap-vpn
interface GigabitEthernet0/1
 description LAN-Interface
 ip address 10.200.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex full
 speed 1000
Thanks
Cammy
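The comparison made by hand in the post above, as an added example that is not part of the original thread: a Python script that parses the static NAT statements and the show ip nat translations line quoted there (embedded as constructed sample input) and reports any translation whose inside global address or port differs from the configured static entry. The function names are hypothetical.

```python
import re

# Constructed sample input, using the (already anonymised) values quoted in the thread.
CONFIG = """\
ip nat inside source static udp 10.22.0.81 7024 222.201.202.203 7024 route-map rmap-nat extendable
ip nat inside source static udp 10.22.0.81 7025 222.201.202.203 7025 route-map rmap-nat extendable
ip nat inside source static udp 10.22.0.81 7026 222.201.202.203 7026 route-map rmap-nat extendable
ip nat inside source static udp 10.22.0.81 10000 222.201.202.203 10000 route-map rmap-nat extendable
"""
TRANSLATIONS = """\
udp 222.201.202.203:10000 10.22.0.81:7024 111.101.102.103:5006 111.101.102.103:5006
"""

# Static port-forward statement: proto, inside local IP/port, inside global IP/port.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b", re.M)
# Translation row: proto, inside global, inside local, outside local, outside global.
XLATE_RE = re.compile(
    r"^(tcp|udp)[ \t]+(\S+):(\d+)[ \t]+(\S+):(\d+)[ \t]+\S+[ \t]+\S+[ \t]*$", re.M)

def parse_static(config):
    """Map (proto, inside local IP, port) -> (inside global IP, port)."""
    return {(p, lip, int(lport)): (gip, int(gport))
            for p, lip, lport, gip, gport in STATIC_RE.findall(config)}

def find_mismatches(config, translations):
    """Return translations whose inside global differs from the static rule."""
    expected = parse_static(config)
    bad = []
    for p, gip, gport, lip, lport in XLATE_RE.findall(translations):
        want = expected.get((p, lip, int(lport)))
        if want and want != (gip, int(gport)):
            bad.append({"proto": p,
                        "inside_local": f"{lip}:{lport}",
                        "expected": f"{want[0]}:{want[1]}",
                        "actual": f"{gip}:{gport}"})
    return bad

if __name__ == "__main__":
    for m in find_mismatches(CONFIG, TRANSLATIONS):
        print(m)
```

Entries that match their static rule, and rows for hosts with no static rule, are not reported.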
10-10-2013 08:56 PM
Hi Cammy,
I just tried this and couldn't reproduce the problem.
The only reasons I can see are:
1- you have another NAT that translates to another address (conflicting)
2- the extendable keyword; try removing it...
Patrick
10-14-2013 06:15 AM
Hi Patrick
Annoyingly, there are no conflicting nat entries and the extendable keyword cannot be removed (the router automatically adds it).
Is anyone aware of any IOS bugs in c1900-universalk9-mz.SPA.151-4.M2 that might cause this?
Thanks
Cammy
10-16-2013 06:56 AM
Hi
This seems to be an issue with static NAT entries for UDP only. Am I missing something in the config that would make UDP static NAT work properly?
Thanks
Cammy
10-16-2013 11:39 AM
Maybe a packet capture can help you solve this mystery... Are you running the inspects for the VoIP protocol (ip inspect h323...)?
You may want to open a case with the TAC to resolve this.
Patrick