12-30-2012 04:48 PM - edited 03-04-2019 06:32 PM
Hi All,
Happy new year to you all.
I have a problem that has me perplexed. I have a production 1841 that was working fine but stopped behaving after a reload, and I can't get it going properly again. Here is a picture of what is meant to happen. http://i48.tinypic.com/30nktgm.png
How it was set up, and working fine for months:
fa0/0 - 203.xx.xx.28; all other IPs allotted by the ISP were just routed by them to this IP.
Loopback5 - 203.xx.xx.96
Vlan 1 - 192.168.84.0/24 subnet overload NAT'd out fa0/0
Vlan 86 - 192.168.86.0/24 subnet overload NAT'd out Lo5 (so that .86 traffic appeared to originate from 203.xx.xx.96)
After the reload, this would work for a few minutes (about 5) and then just stop allowing any NAT or static PAT on the 86 subnet (the others still worked fine).
I can see no errors in the logs, the sh int shows nothing untoward, the deb ip pack shows the packets being routed but then just disappearing.
So I gave up and sent the 86 outbound traffic to be overload NAT'd with the rest of the traffic, and that worked fine. But it shows the traffic originating from the wrong IP to the internet (this is an issue for the mail server in particular).
In this configuration I then assigned the 203.xx.xx.96 IP to the fa0/0 port so we could still use static PAT. If I assign that IP to a loopback again, it works fine for 5 minutes and then stops passing traffic again.
The router had a SmartNet contract and it ran out 3 weeks prior to it playing up. It is being renewed, but with Christmas that is taking too long to get a TAC case opened.
Any suggestions on how to diagnose the problem properly? Ask any questions you want.
My goal, as per the diagram, is for 84 subnet to appear to the net to come from 203.xx.xx.28 and the 86 subnet to appear to the net to come from 203.xx.xx.96.
Message was edited by: Ross Marston
Message was edited by: Ross Marston and current config attached.
12-31-2012 05:46 AM
What type connection to the ISP?
Sent from Cisco Technical Support iPad App
12-31-2012 01:48 PM
Hi Jeff,
The connection is a 100Mb Ethernet handoff. It's in a data centre. Please ask for any other info, as I am sure I haven't explained the situation adequately.
12-31-2012 06:07 AM
Hi ,
In your current config, if you add the config mentioned below, it should work:
ip nat pool 20 203.xx.xx.96 203.xx.xx.96 netmask 255.255.255.0
ip nat inside source list aclAllowXxxxVPN pool 20 overload
In the above config I have assumed that the ACL aclAllowXxxxVPN matches the traffic that needs to be NATed to the .96 IP address.
Regards
Paresh
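As an added example (not from the thread and not the original poster's attached config), here is how Paresh's single-address pool fits together with the rest of the design the poster describes: the 84 subnet overloaded behind the fa0/0 address, the 86 subnet overloaded behind a pool holding 203.xx.xx.96, the two VPN destinations mentioned later in the thread kept out of the internet NAT so they still reach the crypto map, and an inbound static PAT for a mail server bound to the pool address. The interface names, the ACL numbers 184/186, the pool name POOL96 and the inside mail-server address 192.168.86.25 are assumptions.

```ios
! Added example, not the thread's attached config. Interface names, the ACL
! numbers, the pool name and the inside host 192.168.86.25 are assumed.
interface FastEthernet0/0
 description ISP Ethernet handoff
 ip address 203.xx.xx.28 255.255.255.0
 ip nat outside
!
interface Vlan1
 ip address 192.168.84.1 255.255.255.0
 ip nat inside
!
interface Vlan86
 ip address 192.168.86.1 255.255.255.0
 ip nat inside
!
! 192.168.84.0/24 overloads behind the fa0/0 address itself.
access-list 184 permit ip 192.168.84.0 0.0.0.255 any
ip nat inside source list 184 interface FastEthernet0/0 overload
!
! 192.168.86.0/24: the VPN destinations are denied so they are never
! translated to the public address and still match the crypto map ACL;
! everything else overloads behind a one-address pool holding .96.
access-list 186 deny   ip 192.168.86.0 0.0.0.255 172.27.1.0 0.0.0.255
access-list 186 deny   ip 192.168.86.0 0.0.0.255 10.125.0.0 0.0.255.255
access-list 186 permit ip 192.168.86.0 0.0.0.255 any
ip nat pool POOL96 203.xx.xx.96 203.xx.xx.96 netmask 255.255.255.0
ip nat inside source list 186 pool POOL96 overload
!
! Inbound static PAT to the mail server shares the pool's global address;
! "extendable" lets the static entry coexist with the dynamic overload.
ip nat inside source static tcp 192.168.86.25 25 203.xx.xx.96 25 extendable
```

To check that the right rule is being hit, compare `show ip nat translations | include 203.xx.xx.96` with the source of an outbound flow from each VLAN, and watch `show ip nat statistics` for the hit counts on the two rules; `clear ip nat translation *` after a config change removes stale entries from the previous rule set, and `debug ip nat detailed` shows each translation decision. A pool address that is not configured on any interface is only reachable if the ISP routes it to the router (as the poster describes) or the router answers ARP for it on the fa0/0 segment; in the latter case IOS installs an alias for pool addresses that fall in the outside interface's subnet, and `show ip aliases` lists them.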
12-31-2012 01:54 PM
Hi Paresh,
Actually the aclAllowXxxVPN ACL is the interesting traffic for the crypto map. Some traffic originating on the 192.168.86.0/24 subnet does not get NAT'd to the internet. It gets NAT'd over Lo1 and out the crypto map to a third party if it is destined for 172.27.1.0/24 or 10.125.0.0/16.
That idea of the NAT pool should work, but I can't seem to get it to. If we used that method to overload NAT the .86 traffic destined for the internet, and we also wanted traffic sourced from the internet to be PAT'd to servers on the .86 subnet, where should we assign (bind) the 203.xx.xx.96 IP?
12-31-2012 10:24 PM
OK, to supply the results of some additional testing...
I retried the pool method outlined above and added the following to the config.
That worked great for about 5 minutes again. Then it just stops allowing any traffic sourced from the 192.168.86.0/24 subnet to return to it. For instance, after about 5 minutes I can no longer ping the DG from VL86 (I can when the config is first applied). After 5 minutes or so, I can no longer ping 8.8.8.8 from VL86, whereas I can when I first apply the config. I see no errors in deb ip pack det (apart from a lack of returning traffic).
So I have left that config in place and added ip address 203.xx.xx.96 255.255.255.0 secondary back on to the fa0/0 interface, and it seems to be working for now.
If anyone can shed any light on this I would be greatly appreciative.
01-01-2013 02:14 AM
Dear ramtech,
Check the wildcard masks. I think there are many access lists in your configuration. It is better to configure two access lists for the two different interfaces: first block everything, then allow what you want via the access list with the proper wildcard mask.
R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any
R1(config)# ip nat inside source list 100 interface serial 0/0 overload
! 11.11.11.11 and 22.22.22.22 are the remote users; a single host takes
! the wildcard 0.0.0.0 (or "host"), not 255.255.255.255, which matches any
access-list 101 permit ip 192.168.1.0 0.0.0.255 11.11.11.11 0.0.0.0
access-list 101 permit ip 192.168.1.0 0.0.0.255 22.22.22.22 0.0.0.0
access-list 101 deny ip X.X.X.X 0.0.1.255 Y.Y.Y.Y 0.0.0.0
access-list 101 permit ip X.X.X.X 0.0.1.255 any
Modify your IP addresses and try.
01-01-2013 02:15 AM
In the previous message, X.X.X.X is your WAN IP and Y.Y.Y.Y is your remote IP.
01-01-2013 02:51 AM
Hi ,
Can you perform "debug ip nat detail" and check for errors?
What IOS version are you using?
Regards
Paresh
01-01-2013 11:32 AM
Hi Hardik,
Either you've accidentally replied to the wrong thread, or I have not explained the problem at all well. Your answer does not relate to my problem at all.
Sent from Cisco Technical Support iPhone App