We have a problem with a Cisco router 7200 -- Software (C7200P-SPSERVICESK9-M), Version 12.2(33)SRE2.
Some NAT rules are being dropped and traffic is not forwarded accordingly.
For example, we have a NAT rule for forwarding remote SSH connections to the directly connected N5K, translating port 4000 to port 22. Sometimes this stops working and it is impossible to access it by SSH from the outside. So, wondering why, I tried to connect to the switch from another internal network, and it was accepting connections normally on its port 22.
After rebooting the router, it started to work again...
Any idea for troubleshooting this issue?
In the NAT logs, I did not find anything relevant.
- Try upgrading to the latest software version and check if that helps: https://software.cisco.com/download/home/280982457/type/280805680/release/15.2.4M11
M.
This is already on schedule. Thx!
Hello,
Can you post the config of the 7201?
Sure, this is the relevant part for the NAT and services:
ip source-route
ip cef
no ipv6 cef
ip nat log translations syslog
ip nat translation timeout 300
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface GigabitEthernet0/0 4000
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip any any
no cdp run
Hello
Check the NAT statistics, max-entries and timeout values applied to the router.
Do you have any traffic captures pertaining to this connectivity drop that you can share (.pcap files etc.)?
The timeout is set to 300 seconds.
But I didn't set anything else, so I suppose they are set to their default values?
How can I check the max-entries parameter?
No, but I am going to sniff packets from now on.
I have noticed I have a LOT of TCP Dup ACKs in the packet capture.
Can we see the Wireshark capture?
Can we see show ip nat statistics?
Total active translations: 25 (0 static, 25 dynamic; 25 extended)
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/2
Hits: 4547 Misses: 0
CEF Translated packets: 4535, CEF Punted packets: 43
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface GigabitEthernet0/0 refcount 13
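An added example, not from the thread or from Cisco: a small Python check that parses the show ip nat statistics output quoted above together with the NAT lines from the posted config, and reports when the table holds fewer static translations than the config defines static rules, or when an unusual share of NAT traffic is being punted from CEF. The sample text is a constructed copy of the output above; the static-rule check is an assumption about how static entries are counted and should be confirmed on the platform before alerting on it.

```python
import re

# Constructed sample: the "show ip nat statistics" output quoted in the thread.
SAMPLE_STATS = """\
Total active translations: 25 (0 static, 25 dynamic; 25 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/2
Hits: 4547  Misses: 0
CEF Translated packets: 4535, CEF Punted packets: 43
Expired translations: 1
"""
# Constructed sample: the NAT lines from the posted config.
SAMPLE_CONFIG = """\
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface GigabitEthernet0/0 4000
"""
COUNTERS = {
    "static": r"\((\d+) static,",
    "dynamic": r"(\d+) dynamic;",
    "cef_translated": r"CEF Translated packets:\s*(\d+)",
    "cef_punted": r"CEF Punted packets:\s*(\d+)",
}

def parse_nat_stats(text):
    """Return the counters from 'show ip nat statistics' as a dict of ints."""
    stats = {}
    for name, pattern in COUNTERS.items():
        found = re.search(pattern, text)
        if found is None:
            raise ValueError(f"counter '{name}' not found in output")
        stats[name] = int(found.group(1))
    return stats

def count_static_rules(config):
    """Count 'ip nat inside source static' lines in a running config."""
    return len(re.findall(r"^ip nat inside source static\b", config, re.M))

def nat_health(stats, static_rules, punt_warn=0.05):
    """Return findings worth a look; an empty list means nothing stood out."""
    findings = []
    # Assumption: each configured static rule should appear as a static entry.
    if stats["static"] < static_rules:
        findings.append(f"{static_rules} static rule(s) configured, {stats['static']} static translation(s) active")
    switched = stats["cef_translated"] + stats["cef_punted"]
    if switched and stats["cef_punted"] / switched > punt_warn:
        findings.append(f"{stats['cef_punted']} of {switched} packets punted from CEF")
    return findings
```

Run nat_health(parse_nat_stats(text), count_static_rules(config)) on a fresh copy of the two command outputs each time the forward drops, and compare the findings with a run taken while it works.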