Frank27
Beginner

7201 dropping NAT rules unexpectedly

We have a problem with a Cisco router 7200 -- Software (C7200P-SPSERVICESK9-M), Version 12.2(33)SRE2.

Some NAT rules are being dropped and traffic is not forwarded accordingly.

For example, we have a NAT rule forwarding remote SSH connections to the directly connected N5K, translating port 4000 to port 22. Sometimes this stops working and it is impossible to access it by SSH from the outside. So, wondering why, I tried to connect to the switch from another internal network, and it was accepting connections on its port 22 regularly.

After rebooting the router, it started to work again...

Any ideas for troubleshooting this issue?

In the NAT logs, I did not find anything relevant.

Accepted Solution
marce1000
VIP Mentor

- Try upgrading to the latest software version and check if that helps: https://software.cisco.com/download/home/280982457/type/280805680/release/15.2.4M11

M.


This is already on schedule. Thx!

Georg Pauwen
VIP Master

Hello,

Can you post the config of the 7201?

Sure, this is the relevant part for the NAT and services:

ip source-route
ip cef

no ipv6 cef

ip nat log translations syslog
ip nat translation timeout 300
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.0.2 22 interface GigabitEthernet0/0 4000

access-list 10 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip any any
no cdp run

paul driver
VIP Expert

Hello

Check the NAT statistics, max-entries and timeout values applied to the router.

Do you have any traffic captures pertaining to this connectivity drop that you can share (.pcap files etc.)?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

The timeout is set to 300 seconds.

But I didn't set anything else, so I suppose they are set to their default values?

How can I check the max-entries parameter?

No, but I am going to sniff packets from now on.

I have noticed I have a LOT of TCP Dup ACKs using the packet capture...

 

Can we see a Wireshark capture?

MHM Cisco World
Advisor

Can we see show ip nat statistics?

Total active translations: 25 (0 static, 25 dynamic; 25 extended)
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/2
Hits: 4547 Misses: 0
CEF Translated packets: 4535, CEF Punted packets: 43
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface GigabitEthernet0/0 refcount 13

Is this all the output? Is there some line missing?

that's all...

...

Indeed it is strange. I have only static entries. These are the NAT and interface configurations:

interface GigabitEthernet0/0
description xxxx
ip address xxxx
ip access-group 101 in
ip nat outside
media-type rj45
speed 1000
duplex full
negotiation auto
!

interface GigabitEthernet0/2
description To-SW01
bandwidth 1000000
ip address 10.0.0.1 255.255.255.0
ip nat inside
speed 1000
duplex full
no negotiation auto
!

ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.0.3 7500 interface GigabitEthernet0/0 7500
ip nat inside source static tcp 10.0.0.3 7600 interface GigabitEthernet0/0 7600
ip nat inside source static tcp 10.0.0.2 22 interface GigabitEthernet0/0 4000
ip nat inside source static tcp 10.0.0.3 7000 interface GigabitEthernet0/0 7000
ip nat inside source static tcp 10.0.0.3 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.0.0.3 3000 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.0.0.3 8080 interface GigabitEthernet0/0 8080

access-list 10 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip any any

Total active translations: 1651 (0 static, 1651 dynamic; 1651 extended)
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/2
Hits: 196052 Misses: 0
CEF Translated packets: 192863, CEF Punted packets: 20250
Expired translations: 1365
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface GigabitEthernet0/0 refcount 1643
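The thread asks for the NAT statistics, the max-entries and timeout settings, and then shows two "show ip nat statistics" snapshots in which the summary line reports 0 static translations even though seven static port forwards are configured, while the CEF punted counter climbs from 43 to 20250. The script below is an added example, not code from the thread or from Cisco: it parses the posted configuration lines and statistics output and returns the findings a NOC would want flagged. It assumes the platform counts configured static port forwards in the "static" field of the summary line (the usual IOS behaviour), so a mismatch is a prompt to run show ip nat translations rather than a verdict; the timeout default of 86400 seconds is the IOS default when ip nat translation timeout is absent, and ip nat translation max-entries is read from the configuration if present. The sample inputs are constructed from the values quoted in the thread, and the 5 % punt threshold is an assumed tuning value.

```python
import re

# Constructed sample inputs, copied from the values quoted in the thread.
CONFIG = """\
ip nat translation timeout 300
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.0.3 7500 interface GigabitEthernet0/0 7500
ip nat inside source static tcp 10.0.0.3 7600 interface GigabitEthernet0/0 7600
ip nat inside source static tcp 10.0.0.2 22 interface GigabitEthernet0/0 4000
ip nat inside source static tcp 10.0.0.3 7000 interface GigabitEthernet0/0 7000
ip nat inside source static tcp 10.0.0.3 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.0.0.3 3000 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.0.0.3 8080 interface GigabitEthernet0/0 8080
"""

STATS_EARLY = """\
Total active translations: 25 (0 static, 25 dynamic; 25 extended)
Hits: 4547 Misses: 0
CEF Translated packets: 4535, CEF Punted packets: 43
Expired translations: 1
"""

STATS_LATE = """\
Total active translations: 1651 (0 static, 1651 dynamic; 1651 extended)
Hits: 196052 Misses: 0
CEF Translated packets: 192863, CEF Punted packets: 20250
Expired translations: 1365
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)[ \t]*$", re.M)
TOTAL_RE = re.compile(
    r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) extended\)")
CEF_RE = re.compile(r"CEF Translated packets: (\d+), CEF Punted packets: (\d+)")
TIMEOUT_RE = re.compile(r"^ip nat translation timeout (\d+)[ \t]*$", re.M)
MAX_ENTRIES_RE = re.compile(r"^ip nat translation max-entries (\d+)[ \t]*$", re.M)


def parse_static_rules(config):
    """Return configured static port forwards as (proto, inside_ip, inside_port, outside_port)."""
    return [(m.group(1), m.group(2), int(m.group(3)), int(m.group(5)))
            for m in STATIC_RE.finditer(config)]


def parse_nat_stats(text):
    """Extract the counters this check needs from 'show ip nat statistics' output."""
    total = TOTAL_RE.search(text)
    cef = CEF_RE.search(text)
    if not total or not cef:
        raise ValueError("unrecognised 'show ip nat statistics' output")
    return {
        "total": int(total.group(1)),
        "static": int(total.group(2)),
        "dynamic": int(total.group(3)),
        "extended": int(total.group(4)),
        "cef_translated": int(cef.group(1)),
        "cef_punted": int(cef.group(2)),
    }


def translation_settings(config):
    """Timeout and max-entries as configured; IOS defaults are 86400 s and no limit."""
    t = TIMEOUT_RE.search(config)
    m = MAX_ENTRIES_RE.search(config)
    return {
        "timeout": int(t.group(1)) if t else 86400,
        "max_entries": int(m.group(1)) if m else None,  # None means unlimited
    }


def check_nat_health(config, stats_text, punt_threshold=0.05):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    findings = []
    rules = parse_static_rules(config)
    stats = parse_nat_stats(stats_text)
    settings = translation_settings(config)

    # Static forwards are configured but the table reports none: the symptom in the thread.
    if rules and stats["static"] == 0:
        findings.append(
            f"{len(rules)} static rules configured but 0 static translations active")

    # A rising share of punted packets means NAT is falling off the CEF fast path.
    handled = stats["cef_translated"] + stats["cef_punted"]
    punt_share = stats["cef_punted"] / handled if handled else 0.0
    if punt_share > punt_threshold:
        findings.append(f"CEF punt share {punt_share:.1%} exceeds {punt_threshold:.0%}")

    # Only meaningful when an explicit limit is configured.
    if settings["max_entries"] is not None and stats["total"] >= settings["max_entries"]:
        findings.append("translation table at the configured max-entries limit")
    return findings


if __name__ == "__main__":
    for label, snapshot in (("early", STATS_EARLY), ("late", STATS_LATE)):
        print(label, check_nat_health(CONFIG, snapshot))
```

Feed it the live output of show running-config | include ip nat and show ip nat statistics from the router, and run it at the same interval you poll other health counters so a jump in the punt share or the disappearance of the static count shows up before users report that port 4000 has gone dark.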