1841 NAT(?) issue

Hi All,

Happy new year to you all.

I have a problem that has me perplexed.  I have a production 1841 that was working fine but stopped behaving after a reload, and I can't get it going properly again.  Here is a picture of what is meant to happen. http://i48.tinypic.com/30nktgm.png

How it was set up, and working fine for months:

fa/0/0 - 203.xx.xx.28  all other IPs allotted by ISP were just routed by them to this IP.

Loopback5 - 203.xx.xx.96

Vlan 1 - 192.168.84.0/24 subnet overload NAT'd out fa0/0

VLan 86 - 192.168.86.0/24 subnet overload NAT'd out lo5 (so that .86 traffic appeared to originate from 203.xx.xx.96)

After the reload, this would work for a few minutes (about 5) then just stop allowing any NAT or static PAT on the 86 subnet (others still worked fine).

I can see no errors in the logs, the sh int shows nothing untoward, the deb ip pack shows the packets being routed but then just disappearing.

So I gave up and sent the 86 outbound traffic to be overload NAT'd with the rest of the traffic and that worked fine.  But it shows the traffic originating from the wrong IP to the internet. (this is an issue for the mail server in particular).

In this configuration I then assigned the 203.xx.xx.96 IP to the fa0/0 port so we could still use static PAT.  If I assign that IP to a loopback again, it works fine for 5 minutes then stops passing traffic again.

The router had a SmartNet and it ran out 3 weeks prior to it playing up.  It is being renewed, but being Christmas that is taking too long to get a TAC case opened.

Any suggestions on how to diagnose the problem properly? Ask any questions you want.

My goal, as per the diagram, is for 84 subnet to appear to the net to come from 203.xx.xx.28 and the 86 subnet to appear to the net to come from 203.xx.xx.96.

Message was edited by: Ross Marston

Message was edited by: Ross Marston and current config attached.

Jeff Van Houten
Contributor

What type connection to the ISP?

Sent from Cisco Technical Support iPad App

Hi Jeff,

The connection is a 100Mb Ethernet handoff.  It's in a data centre.  Please ask for any other info, as I am sure I haven't explained the situation adequately.

pnalamwa
Beginner

Hi ,

In your current config, if you add the config mentioned below, it should work:

ip nat pool 20 203.xx.xx.96 203.xx.xx.96 netmask 255.255.255.0

ip nat inside source list aclAllowXxxxVPN pool 20 overload

In the above config I have assumed that the ACL aclAllowXxxxVPN would be the traffic that needs to be NAT'd to the .96 IP address.

Regards

Paresh

Hi Paresh,

Actually the aclAllowXxxVPN ACL is the interesting traffic for the crypto map.  Some traffic originating on the 192.168.86.0/24 subnet does not get NAT'd to the internet.  It gets NAT'd over Lo1 and out the crypto map to a third party if it is destined for 172.27.1.0/24 or 10.125.0.0/16.

That idea of the NAT pool should work but I can't seem to get it to.  If we used that method to overload NAT the .86. traffic destined for the internet, and we also wanted traffic sourced from the internet to be PAT'd to servers on the .86. subnet, where should we assign (bind) the 203.xx.xx.96 IP?

OK, To supply the results of some additional testing...

I retried the pool method outlined above and added the following to the config.

  • I removed the IP 203.xx.xx.96 secondary address from fa0/0
  • I removed the permit ip 192.168.86.0 0.0.0.255 from the aclAllowNat
  • I added ip nat pool XXXNatpool 203.xx.xx.96 203.xx.xx.96 netmask 255.255.255.0
  • I added ip nat inside source list aclXXXNAT pool XXXNatpool overload

That worked great for about 5 minutes again.  Then it just stops allowing any traffic sourced from the 192.168.86.0/24 subnet to return to it.  For instance, after about 5 minutes I can no longer ping the DG from VL86 (I can when the config is first applied).  After 5 minutes or so, I can no longer ping 8.8.8.8 from vl86, whereas I can when I first apply the config.  I see no errors in deb ip pack det (apart from a lack of returning traffic).

So I have left that config in place and added ip address 203.xx.xx.96 255.255.255.0 secondary back on to the fa0/0 interface and it seems to be working for now.

If anyone can shed any light on this I would be greatly appreciative.
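The layout this thread is aiming at, written out as an added example (not Ross's attached config and not Paresh's reply): the .84 subnet overloads behind the fa0/0 address, the .86 subnet overloads behind a one-address pool holding .96, .86 traffic bound for the crypto-map destinations is excluded from translation, and a static PAT entry shows where .96 needs to live when the pool method is used. 203.0.113.28 and 203.0.113.96 stand in for the redacted 203.xx.xx addresses; the ACL, pool and interface names, the mail server at 192.168.86.10 and the /24 masks are assumptions.

```cisco
! Added example, not the poster's configuration.
! Assumes the ISP routes the whole 203.0.113.0/24 block to .28 (as the
! thread states), so .96 is reachable without sitting on any interface.

interface FastEthernet0/0
 description ISP handoff
 ip address 203.0.113.28 255.255.255.0
 ip nat outside

interface Vlan1
 ip address 192.168.84.1 255.255.255.0
 ip nat inside

interface Vlan86
 ip address 192.168.86.1 255.255.255.0
 ip nat inside

! .84 subnet: overload behind the fa0/0 address
ip access-list extended NAT84
 permit ip 192.168.84.0 0.0.0.255 any

! .86 subnet: deny the VPN destinations first so they are never
! translated (a deny in a NAT ACL means "do not translate"), then
! overload everything else behind .96
ip access-list extended NAT86
 deny   ip 192.168.86.0 0.0.0.255 172.27.1.0 0.0.0.255
 deny   ip 192.168.86.0 0.0.0.255 10.125.0.0 0.0.255.255
 permit ip 192.168.86.0 0.0.0.255 any

! one-address pool: start and end are both .96
ip nat pool POOL96 203.0.113.96 203.0.113.96 netmask 255.255.255.0
ip nat inside source list NAT84 interface FastEthernet0/0 overload
ip nat inside source list NAT86 pool POOL96 overload

! Static PAT for the (assumed) mail server: inbound 203.0.113.96:25 is
! forwarded to 192.168.86.10:25.  The static entry itself binds the
! public address to the inside host; .96 is not configured on fa0/0
! or on a loopback.  "extendable" lets the same global address also be
! used by the overload pool and by further static entries.
ip nat inside source static tcp 192.168.86.10 25 203.0.113.96 25 extendable
```

Once applied, `show ip nat statistics` lists both dynamic mappings with their hit and miss counters, and `show ip nat translations` should keep showing new 192.168.86.x entries mapped to .96 past the five-minute mark if the pool path is healthy.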

Dear ramtech,

Check the wildcard mask. I think there are so many access lists in your configuration. Better to configure 2 access lists for 2 different interfaces: first block all, and then allow what you want via an access list with the proper wildcard mask.

R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any

R1(config)# ip nat inside source list 100 interface serial 0/0 overload

! 11.11.11.11 and 22.22.22.22 are the remote users (single host, wildcard 0.0.0.0)
access-list 101 permit ip 192.168.1.0 0.0.0.255 11.11.11.11 0.0.0.0

access-list 101 permit ip 192.168.1.0 0.0.0.255 22.22.22.22 0.0.0.0

access-list 101 deny ip X.X.X.X 0.0.1.255 Y.Y.Y.Y 0.0.0.0

access-list 101 permit ip X.X.X.X 0.0.1.255 any

Modify your IP addresses and try.

In the previous message, X.X.X.X is your WAN IP and Y.Y.Y.Y is your remote IP.

Hi ,

Can you perform "debug ip nat detail" and check for errors?

What IOS version are you using?

Regards

Paresh

Hi Hardik,
Either you've accidentally replied to the wrong thread, or I have not explained the problem at all well. Your answer does not relate to my problem at all.

Sent from Cisco Technical Support iPhone App