Re: 2911: dynamic NAT problem

Jaaazman777 · ‎07-24-2012

Hello!

We have strange problem with our 2911 router.

After replacing one router with another with the same IOS 15.2(2) and the same configuration, dynamic NAT stopped working.

from sh ip nat translation we cannot see any dynamic translations, only static

here is the configuration

!

interface GigabitEthernet0/1.10

encapsulation dot1Q 10

ip address 192.30.1.1 255.255.255.0

ip nat inside

no ip virtual-reassembly in

crypto ipsec client ezvpn fw2 inside

!

interface FastEthernet0/0/1

description WAN1

ip address 1.1.1.166 255.255.255.252

ip nat outside

no ip virtual-reassembly in

duplex auto

speed auto

crypto ipsec client ezvpn cl1

!

access-list 100 deny ip 192.30.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 100 permit ip 192.30.0.0 0.0.255.255 any

!

route-map nat-wan1 permit 10

match ip address 100

match interface FastEthernet0/0/1

!

ip nat inside source route-map nat-wan1 interface FastEthernet0/0/1 overload

!

crypto ipsec client ezvpn cl1

connect auto

group <***> key ***

mode network-plus

peer 2.2.2.2

acl 103

username ***@domain.local password ***

xauth userid mode local

!

access-list 103 permit ip 192.30.6.0 0.0.0.255 10.100.1.0 0.0.0.63

access-list 103 permit ip 192.30.5.0 0.0.0.255 10.100.1.0 0.0.0.63

!

the ip address on FastEthernet0/0/1 is a default gateway

router-2911#sh ip route

Codes: ...

Gateway of last resort is 1.1.1.165 to network 0.0.0.0

here is dome information from debug ip nat detailed

NAT: API parameters passed: src_addr:192.30.1.57, src_port:0 dest_addr:195.13.252.210, dest_port:0, proto:6 if_input:Vlan55 pak:2BB4D628 get_translated:1

NAT: API parameters passed: src_addr:192.30.1.54, src_port:0 dest_addr:65.55.223.30, dest_port:0, proto:6 if_input:Vlan55 pak:2BB4D628 get_translated:1

rizwanr74 · ‎07-24-2012

Hi there,

Your nat seemed to be fine even though you don't need a route-map in the overload statement.

This will do the nat as well just an FYI...

ip nat inside source list 100 interface FastEthernet0/0/1 overload

Your WAN "FastEthernet0/0/1" what kind of circuit it is? because your default-gateway "1.1.1.165" is not on the same subnet.

Are you able to ping this ip "1.1.1.165" ?

please update.

thanks

Jaaazman777 · ‎07-24-2012

Hi, rizwanr74

I am able to ping 1.1.1.165

It seems to be on the same subnet as 1.1.1.166, the subnet is 1.1.1.164/30

isn't it?

I also tried ip nat inside without acl 100.

We have two WAN links, that's why, we need two WAN ip nat translations with route-maps, that matches the external interfaces

rizwanr74 · ‎07-24-2012

Have you enabled "ip routing" on the router?

Your default-gateway pushes everything to other WAN interface, just for temporally change your default-gatway to interface in qustion.

thanks

Message was edited by: Rizwan Mohamed

cadet alain · ‎07-24-2012

Hi,

if routing was disabled he wouldn't have the output he gave us in the sh ip route and furthermore NAT needs routing to function because the router first looks for a route to destination then nat the source IP.

Regards.

Alain.

Don't forget to rate helpful posts.

Jaaazman777 · ‎07-24-2012

Hello!

As far as I know ip routing is enabled by default on routers since long time.

So, in my router it is also enabled by default.

The decision about the default gw is controled by BGP

router bgp 55555

bgp log-neighbor-changes

neighbor 1.1.1.165 remote-as 7777

neighbor 1.1.1.165 description wan1

neighbor 2.2.2.253 remote-as 7777

neighbor 2.2.2.253 description wan2

!

address-family ipv4

neighbor 1.1.1.165 activate

neighbor 1.1.1.165 route-map default-in in

neighbor 2.2.2.253 activate

neighbor 2.2.2.253 prefix-list default-in in

!

route-map default-in permit 10

match ip address prefix-list default-in

set local-preference 200

!

ip prefix-list default-in seq 5 permit 0.0.0.0/0

cadet alain · ‎07-25-2012

Hi,

in initial post you gave us the output from debug ip nat detailed and it was working so is the communication not working or

just the dynamic entries are not shown in the NAT table ?

Regards.

Alain.

Don't forget to rate helpful posts.

Jaaazman777 · ‎07-25-2012

The dynamic NAT is not working, so the dynamic entries are not shown in the NAT table.

At the same time, the static NAT works fine, we have several static NAT for port translation.

I checked the debug ip nat detailed output from the other routers, where dynamic NAT works fine.

The output is not the same as here.

the "good" logs are as following

NAT*: i: tcp (10.40.7.16, 51463) -> (75.131.31.5, 25) [44269]

NAT*: s=10.40.7.16->200.200.200.178, d=75.131.31.5 [44269]

johnlloyd_13 · ‎07-25-2012

hi,

could you modify your route-map and give it a try?

route-map nat-wan1 permit 10

match ip address 100

set interface FastEthernet0/0/1

cadet alain · ‎07-25-2012

Hi,

modifying the route-map is indeed a good suggestion( thanks for pointing it out) but I would not replace the match statement with a set as it is needed for natting on multiple interfaces but rather modifying the match interface to match ip next-hop.

Regards.

Alain

Don't forget to rate helpful posts.

Jaaazman777 · ‎07-25-2012

Hello!

It seems, like the problem is in crypto ipsec client ezvpn cl1, configured on interface FastEthernet0/0/1

when I replace it, the dynamic NAT begins to work

I have no ideas, how can ezvpn influence the NAT it this case.

On the previous router with the same config and IOS everything worked fine...