12-25-2003 05:23 AM - edited 03-02-2019 12:33 PM
Hi
I'm having trouble with my Cisco 2610 (IOS 12.2(21)). I'm running NAT, which is working just fine, but recently I got a strange error when trying to connect a VPN tunnel from inside the router to a network outside.
I get tons of (10.0.17.53 is the client inside the router):
1d01h: NAT: translation failed (A), dropping packet s=10.0.17.53 d=192.6.x.x
This is weird, because it seems to be NATing ok. Got this a few packets before the one above:
1d01h: NAT*: i: udp (10.0.17.53, 500) -> (192.6.x.x, 500) [6851]
1d01h: NAT*: s=10.0.17.53->213.113.y.y, d=192.6.x.x [6851]
1d01h: NAT*: o: udp (192.6.x.x, 500) -> (213.113.y.y, 500) [16623]
1d01h: NAT*: s=192.6.x.x, d=213.113.y.y->10.0.17.53 [16623]
So I'm really confused now. Doesn't "s=10.0.17.53 d=192.6.x.x" mean that it tries to NAT a packet from inside to 192.6.x.x? How can that fail?
Here's the important parts of my config:
ip subnet-zero
!
ip dhcp pool inside
network 10.0.17.0 255.255.255.0
default-router 10.0.17.2
!
interface Ethernet0/0
ip address 10.0.17.2 255.255.255.0
ip nat inside
half-duplex
no cdp enable
!
interface Ethernet1/0
ip address dhcp
no ip proxy-arp
ip nat outside
half-duplex
no cdp enable
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 3600
ip nat translation icmp-timeout 3600
ip nat inside source list 1 interface Ethernet1/0 overload
ip classless
access-list 1 permit 10.0.17.0 0.0.0.255
no cdp run
12-25-2003 07:00 AM
You mean NAT normally works but fails with IPSec packets? Correct me if I'm wrong. If this is true, where does IPSec begin and end?
Regards.
12-25-2003 07:26 AM
Yep, NAT normally works. It might be IPSec that fails; do I need to forward any ports? When I try to connect with the client it succeeds in connecting, but it doesn't receive any data (except for the connection data). Any ideas?
Thanks
12-25-2003 01:47 PM
As far as I know NAT is incompatible with IPSec because of its nature (basically NAT changes the address field in the IP header, and PAT even changes the IP addresses and port numbers in the TCP/UDP headers, but IPSec authenticates/encapsulates the original packet, so if NAT changes the packet, integrity will be lost). But I think there are some solutions in newer versions of IOS. The document below illustrates a scenario just like yours:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ecd.shtml
And a newer feature called NAT Transparency:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html
Hope these help, I didn't try them.
Regards.
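The point made in the answer above (PAT rewrites the headers that IPsec protects) and the debug lines in the first post (IKE on UDP/500 translates fine, the next packet is dropped) can be illustrated with a small model. This is an added example, not code from the thread or from Cisco IOS. It models a port-keyed overload table, an AH-style integrity check value that covers the IP header, and an ESP-style ICV that covers only the ESP header and payload, then shows what happens to native ESP (IP protocol 50, no port field), to AH, and to ESP wrapped in UDP/4500 (NAT-T, the mechanism behind the IOS "IPsec NAT Transparency" feature linked above). The outside and peer addresses (198.51.100.1, 203.0.113.9), the key, the SPI and the payloads are constructed stand-ins for the masked values; the inside host 10.0.17.53 and the 10.0.17.0/24 subnet come from the posted config. The PAT model is simplified: it keeps the original source port when it is free and treats any protocol without a port field as untranslatable, which is what overload keyed on ports does without an ESP-aware feature.

```python
"""Toy model of PAT (NAT overload) meeting IPsec. Added example; all values constructed."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

UDP, ESP, AH = 17, 50, 51                 # IP protocol numbers
KEY = b"constructed-demo-integrity-key"   # stands in for the key IKE would negotiate
PEER = "203.0.113.9"                      # constructed stand-in for the masked 192.6.x.x peer


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None           # None: protocol carries no L4 port (ESP, AH)
    dport: Optional[int] = None
    payload: bytes = b""
    icv: bytes = b""


def _addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def ah_icv(key: bytes, pkt: Packet) -> bytes:
    """AH-style ICV: covers the immutable IP header fields (here src/dst) plus the payload."""
    data = _addr(pkt.src) + _addr(pkt.dst) + pkt.payload
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def esp_icv(key: bytes, pkt: Packet) -> bytes:
    """ESP-style ICV: covers ESP header + payload only; the outer IP header is not protected."""
    return hmac.new(key, pkt.payload, hashlib.sha256).digest()[:12]


class PatOverload:
    """'ip nat inside source list 1 interface ... overload': one outside address,
    inside hosts told apart by (protocol, source port)."""

    def __init__(self, outside_ip: str, inside_prefix: str):
        self.outside_ip = outside_ip
        self.inside = ipaddress.IPv4Network(inside_prefix)   # what access-list 1 permits
        self.table: dict = {}      # (proto, inside ip, inside port) -> outside port
        self.used: set = set()
        self.next_port = 1024

    def _alloc(self, want: int) -> int:
        # keep the original source port when it is free, otherwise pick a new one
        port = want
        while port in self.used:
            port = self.next_port
            self.next_port += 1
        self.used.add(port)
        return port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if ipaddress.IPv4Address(pkt.src) not in self.inside:
            return pkt                     # not matched by the ACL: forwarded untranslated
        if pkt.sport is None:
            return None                    # no port to overload on: translation fails, drop
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self._alloc(pkt.sport)
        return Packet(pkt.proto, self.outside_ip, pkt.dst, self.table[key],
                      pkt.dport, pkt.payload, pkt.icv)


def demo() -> dict:
    pat = PatOverload("198.51.100.1", "10.0.17.0/24")   # constructed outside address
    inside = "10.0.17.53"

    # 1. IKE on UDP/500 has ports, so it translates (the "NAT*: i: udp ... 500" lines)
    ike = pat.outbound(Packet(UDP, inside, PEER, 500, 500, b"IKE_SA_INIT"))

    # 2. Native ESP (protocol 50): no port field, so the overload table cannot place it
    esp_hdr = struct.pack("!II", 0x1000, 1) + b"<ciphertext>"   # SPI, sequence, data
    esp = Packet(ESP, inside, PEER, payload=esp_hdr)
    esp.icv = esp_icv(KEY, esp)
    esp_native = pat.outbound(esp)

    # 3. AH (protocol 51), translated by address only, as a 1:1 NAT would do
    ah = Packet(AH, inside, PEER, payload=b"<cleartext>")
    ah.icv = ah_icv(KEY, ah)
    ah_nat = Packet(AH, pat.outside_ip, PEER, payload=ah.payload, icv=ah.icv)
    ah_ok = hmac.compare_digest(ah_icv(KEY, ah_nat), ah_nat.icv)

    # 4. NAT-T: the same ESP packet wrapped in UDP/4500; PAT has a port and the ICV survives
    natt = pat.outbound(Packet(UDP, inside, PEER, 4500, 4500, esp_hdr, esp.icv))
    natt_ok = hmac.compare_digest(esp_icv(KEY, natt), natt.icv)

    return {
        "ike": (ike.src, ike.sport),
        "esp_native_dropped": esp_native is None,
        "ah_icv_ok_after_nat": ah_ok,
        "natt": (natt.src, natt.sport),
        "natt_icv_ok_after_nat": natt_ok,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints that IKE comes out as 198.51.100.1:500, that the native ESP packet is dropped because there is no port to build a translation on, that the AH ICV no longer verifies once the source address has been rewritten, and that the UDP-encapsulated ESP packet both translates and still verifies, since its ICV never covered the outer IP header in the first place. That last case is exactly what NAT-T buys you, and it is why a port-less protocol 50 tunnel needs either NAT-T on both peers or an ESP-aware NAT feature rather than plain overload.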