NAT: translation failed (A), dropping packet

snase
Level 1

Hi

I'm having trouble with my Cisco 2610 (IOS 12.2(21)). I'm running NAT, which is working just fine, but recently I got a strange error when trying to connect a VPN tunnel from inside the router to a network outside.

I get tons of (10.0.17.53 is the client inside the router):

1d01h: NAT: translation failed (A), dropping packet s=10.0.17.53 d=192.6.x.x

This is weird, because it seems to be NATing ok. Got this a few packets before the one above:

1d01h: NAT*: i: udp (10.0.17.53, 500) -> (192.6.x.x, 500) [6851]
1d01h: NAT*: s=10.0.17.53->213.113.y.y, d=192.6.x.x [6851]
1d01h: NAT*: o: udp (192.6.x.x, 500) -> (213.113.y.y, 500) [16623]
1d01h: NAT*: s=192.6.x.x, d=213.113.y.y->10.0.17.53 [16623]

So I'm really confused now. Doesn't "s=10.0.17.53 d=192.6.x.x" mean that it tries to NAT a packet from inside to 192.6.x.x? How can that fail?

Here's the important parts of my config:

ip subnet-zero
!
ip dhcp pool inside
 network 10.0.17.0 255.255.255.0
 default-router 10.0.17.2
!
interface Ethernet0/0
 ip address 10.0.17.2 255.255.255.0
 ip nat inside
 half-duplex
 no cdp enable
!
interface Ethernet1/0
 ip address dhcp
 no ip proxy-arp
 ip nat outside
 half-duplex
 no cdp enable
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 3600
ip nat translation icmp-timeout 3600
ip nat inside source list 1 interface Ethernet1/0 overload
ip classless
access-list 1 permit 10.0.17.0 0.0.0.255
no cdp run

3 Replies

kkalaycioglu
Level 4

You mean NAT normally works but fails with IPSec packets? Correct me if I'm wrong. If this is true, where does IPSec begin and end?

Regards.

Yep, NAT normally works. It might be IPSec that fails; do I need to forward any ports? When I try to connect with the client it succeeds in connecting, but it doesn't receive any data (except for the connection data). Any ideas?

Thanks

As far as I know, NAT is incompatible with IPSec because of its nature (basically, NAT tries to change the address field in the IP header, and PAT even changes IP addresses and port numbers in TCP/UDP headers, but IPSec authenticates/encapsulates the original packet, so if NAT tries to change the packet, its integrity will be lost). But I think there are some solutions in newer versions of IOS. The document below illustrates a scenario just like yours:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ecd.shtml

And a newer feature called NAT-Transparency:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

Hope these help; I didn't try them.

Regards.
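As an added illustration (not code from this thread, from Cisco, or from the IOS release in question), here is a small Python model of the overload (PAT) rule in the config above: ISAKMP on UDP/500 translates just as the NAT* debug lines show, a packet with no transport ports (ESP, IP protocol 50) gives the overload rule nothing to key on and is dropped, and the UDP/4500 encapsulation that NAT-Transparency (NAT-T) adds translates again. It assumes the dropped packets are ESP, which the thread does not confirm, uses constructed addresses in place of the masked ones, and omits the extra IPsec handling that later IOS releases add.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses standing in for the masked ones in the thread.
OUTSIDE_IP = "213.113.0.1"   # Ethernet1/0 address learned via DHCP (assumed)
PEER_IP = "192.6.0.1"        # the VPN gateway outside (assumed)

@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp", "tcp" or "esp" (IP protocol 50)
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without a transport header
    dport: Optional[int] = None

class PatTable:
    """Simplified model of 'ip nat inside source list 1 interface Ethernet1/0 overload'."""
    def __init__(self, outside_ip: str, inside_prefix: str = "10.0.17."):
        self.outside_ip = outside_ip
        self.inside_prefix = inside_prefix   # what access-list 1 permits
        self.out: Dict[Tuple[str, str, int], int] = {}          # (proto, inside ip, inside port) -> outside port
        self.back: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, outside port) -> (inside ip, inside port)

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        if not pkt.src.startswith(self.inside_prefix):
            return pkt                   # not matched by the access list: forwarded untranslated
        if pkt.sport is None:
            return None                  # overload needs a port to multiplex on; ESP/AH have none -> dropped
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            port = pkt.sport             # keep the original port while it is still free
            while (pkt.proto, port) in self.back:
                port += 1                # otherwise pick the next free outside port
            self.out[key] = port
            self.back[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.outside_ip, pkt.dst, self.out[key], pkt.dport)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.back.get((pkt.proto, pkt.dport))   # a portless reply never matches
        if pkt.dst != self.outside_ip or entry is None:
            return None                  # no matching translation: dropped
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)

def run_scenario(nat: PatTable) -> Dict[str, Optional[Packet]]:
    # ISAKMP (UDP/500) translates, bare ESP does not, NAT-T (UDP/4500) does again.
    isakmp = Packet("udp", "10.0.17.53", PEER_IP, 500, 500)
    esp = Packet("esp", "10.0.17.53", PEER_IP)
    nat_t = Packet("udp", "10.0.17.53", PEER_IP, 4500, 4500)
    return {"isakmp": nat.translate_outbound(isakmp), "esp": nat.translate_outbound(esp),
            "nat_t": nat.translate_outbound(nat_t)}
```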
