Frank27
Beginner

7201 dropping NAT rules unexpectedly

We have a problem with a Cisco router 7200 -- Software (C7200P-SPSERVICESK9-M), Version 12.2(33)SRE2.

Some NAT rules are being dropped and traffic is not forwarded accordingly.

For example, we have a NAT rule for forwarding remote SSH connections to the directly connected N5K, translating port 4000 to port 22. Sometimes this stops working and it is impossible to reach the switch by SSH from the outside. Wondering why, I tried to connect to the switch from another internal network, and it was accepting connections on port 22 normally.

After rebooting the router, it started to work again...

 

Any idea for troubleshooting this issue?

In the NAT logs, I did not find anything relevant.

Accepted Solution
marce1000
VIP Mentor

- Try upgrading to the latest software version and check whether that helps: https://software.cisco.com/download/home/280982457/type/280805680/release/15.2.4M11

 M.

This is already on schedule. Thx!

Georg Pauwen
VIP Master

Hello,

Can you post the config of the 7201?

Sure, this is the relevant part for NAT and services:

ip source-route
ip cef
no ipv6 cef
!
ip nat log translations syslog
ip nat translation timeout 300
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface GigabitEthernet0/0 4000
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip any any
no cdp run

paul driver
VIP Expert

Hello

Check the NAT statistics, max entries and timeout values applied to the router.

Do you have any traffic captures pertaining to this connectivity drop that you can share (.pcap files etc.)?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

The timeout is set to 300 seconds.

But I didn't set anything else, so I suppose they are set to their default values?

How can I check the max-entries parameter?

No, but I am going to sniff packets from now on.

I have noticed I have a LOT of TCP Dup ACKs in the packet capture.

Can we see the Wireshark capture?

MHM Cisco World
Advisor

Can we see show ip nat statistics?

Total active translations: 25 (0 static, 25 dynamic; 25 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/2
Hits: 4547  Misses: 0
CEF Translated packets: 4535, CEF Punted packets: 43
Expired translations: 1
Dynamic mappings:
-- Inside Source
  [Id: 1] access-list 10 interface GigabitEthernet0/0 refcount 13
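Paul's suggestion above (check the NAT statistics, max entries and timeout values) and the show ip nat statistics output just posted can be turned into a repeatable check: parse the NAT lines of the running-config, parse the statistics output, and report where the counters disagree with what the config declares (for instance a configured static mapping that the table does not show as an active static translation). The script below is an added example for this thread, not code from any of the posters. Its sample config and statistics text are constructed to match the formats quoted above with illustrative values; the 0.5% punt threshold is an arbitrary choice; the only IOS facts it assumes beyond the commands already shown in the thread are the existence of the 'ip nat translation max-entries' command and the 86400-second default for 'ip nat translation timeout'.

```python
"""Cross-check IOS NAT config against 'show ip nat statistics' (added example, not the posters' code)."""
import re

# Constructed sample: the NAT-relevant lines of a running-config (illustrative values).
SAMPLE_CONFIG = """\
ip nat log translations syslog
ip nat translation timeout 300
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface GigabitEthernet0/0 4000
"""

# Constructed sample: text in the shape of 'show ip nat statistics' (illustrative values).
SAMPLE_STATS = """\
Total active translations: 25 (0 static, 25 dynamic; 25 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/2
Hits: 4547  Misses: 0
CEF Translated packets: 4535, CEF Punted packets: 43
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface GigabitEthernet0/0 refcount 13
"""

DEFAULT_TIMEOUT = 86400  # IOS default for 'ip nat translation timeout', in seconds


def parse_nat_config(text):
    """Pull static port mappings, dynamic rules and translation limits out of config text."""
    cfg = {"static": [], "dynamic": [], "timeout": None, "max_entries": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface )?(\S+) (\d+)$", line)
        if m:
            cfg["static"].append({"proto": m[1], "inside": m[2], "inside_port": int(m[3]),
                                  "outside": m[4], "outside_port": int(m[5])})
            continue
        m = re.match(r"ip nat inside source list (\S+) interface (\S+)( overload)?$", line)
        if m:
            cfg["dynamic"].append({"acl": m[1], "interface": m[2], "overload": bool(m[3])})
            continue
        m = re.match(r"ip nat translation timeout (\d+)$", line)
        if m:
            cfg["timeout"] = int(m[1])
            continue
        m = re.match(r"ip nat translation max-entries (\d+)$", line)
        if m:
            cfg["max_entries"] = int(m[1])
    return cfg


def parse_nat_stats(text):
    """Extract the counters and inside/outside interface lists from 'show ip nat statistics'."""
    def num(pattern):
        m = re.search(pattern, text)
        return int(m[1]) if m else None

    st = {
        "total": num(r"Total active translations: (\d+)"),
        "static": num(r"\((\d+) static"),
        "dynamic": num(r"(\d+) dynamic"),
        "extended": num(r"(\d+) extended"),
        "hits": num(r"Hits: (\d+)"),
        "misses": num(r"Misses: (\d+)"),
        "cef_translated": num(r"CEF Translated packets: (\d+)"),
        "cef_punted": num(r"CEF Punted packets: (\d+)"),
        "expired": num(r"Expired translations: (\d+)"),
        "outside": [],
        "inside": [],
    }
    section = None  # interface names are the lines that follow the two 'interfaces:' headers
    for s in (l.strip() for l in text.splitlines()):
        if s == "Outside interfaces:":
            section = "outside"
        elif s == "Inside interfaces:":
            section = "inside"
        elif section and re.fullmatch(r"[A-Za-z-]+\d[\d/.]*", s):
            st[section].append(s)
        else:
            section = None
    return st


def audit(cfg, st):
    """Return findings where the live counters disagree with the configuration."""
    findings = []
    declared = len(cfg["static"])
    if st["static"] is not None and st["static"] < declared:
        findings.append(f"config declares {declared} static mapping(s) but only "
                        f"{st['static']} active static translation(s) are in the NAT table")
    for m in cfg["static"]:
        if st["outside"] and m["outside"] not in st["outside"]:
            findings.append(f"static mapping uses {m['outside']}, which is not an outside NAT interface")
    if cfg["max_entries"] is None:
        findings.append("no 'ip nat translation max-entries' configured; table limit is the platform default")
    if cfg["timeout"] is not None and cfg["timeout"] != DEFAULT_TIMEOUT:
        findings.append(f"dynamic translations idle out after {cfg['timeout']} s (default {DEFAULT_TIMEOUT})")
    if st["cef_punted"] and st["cef_translated"] is not None:
        pct = 100.0 * st["cef_punted"] / (st["cef_punted"] + st["cef_translated"])
        if pct >= 0.5:  # arbitrary threshold chosen for this example
            findings.append(f"{pct:.1f}% of NAT packets were punted from CEF to process switching")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nat_config(SAMPLE_CONFIG), parse_nat_stats(SAMPLE_STATS)):
        print("-", finding)
```

Run it against the real show ip nat statistics output captured while the port forward is working and again while it is broken; the static count and the CEF punt ratio are the two numbers most worth comparing between the two captures.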