03-27-2022 08:44 PM
We have a problem with a Cisco router 7200 -- Software (C7200P-SPSERVICESK9-M), Version 12.2(33)SRE2.
Some NAT rules are being dropped and traffic is not forwarded accordingly.
For example, we have a NAT rule for forwarding remote SSH connections to the directly connected N5K, translating port 4000 to port 22. Sometimes this stops working and it's impossible to access it by SSH from the outside. So, wondering why, I tried to connect to the switch from another internal network, and it was regularly accepting connections on its port 22.
After rebooting the router, it started to work again...
Any idea for troubleshooting this issue?
In the NAT logs, I did not find anything relevant.
03-30-2022 07:34 AM - edited 03-31-2022 02:25 PM
03-30-2022 08:00 AM
I got your point but I don't understand your logic:
If the outside interface is a public IP address, should I revert the NAT?
Can you please give me a real example of what you mean?
03-29-2022 11:15 PM
Hello,
duplicate TCP ACKs usually mean there is packet loss, and TCP is trying to recover. From where are you actually initiating these connections?
Also, can you post the output of:
show ip ssh
03-30-2022 10:53 AM - edited 03-30-2022 02:15 PM
Hello
Suggest amending the translation timeout values and your NAT ACL to negate the static hosts from the overload NAT statement, if those hosts are only required to be port translated on those specific ports.
ip nat translation timeout 1800
ip nat translation tcp-timeout 1800
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
no access-list 10
access-list 100 remark NAT_ACL
access-list 100 deny ip host 10.0.0.2 any
access-list 100 deny ip host 10.0.0.3 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
clear ip nat statistics
debug ip nat translations
03-30-2022 05:02 PM - edited 03-31-2022 02:25 PM
03-30-2022 07:26 PM
so there is no difference in the actual NAT configuration...
03-31-2022 06:30 AM
Hello
@MHM Cisco World not sure I follow what you are saying. The static PAT statement has NO bearing on the overload access-list; it is not even called upon, it is specific to port forwarding on tcp 22 only.
So the deny ACE in the NAT ACL is to negate that internal host from participating in any dynamic PAT (even internet browsing etc...). If you remove the dynamic PAT entirely, that static PAT should still port-forward for tcp 22.
As I stated, "if those hosts are only required to be port translated on those specific ports".
03-31-2022 08:47 AM - edited 03-31-2022 05:20 PM
Your golden words
"if those hosts are only required to be port translated on those specific ports"
are right, and I hope @Frank27 decides whether the host is translated to those specific ports or not.
@Frank27's config is the same as Cisco recommends and ALL the config is OK, but I am starting to think it is a bug that the static NAT disappears but still works.
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13778-9.html
03-31-2022 08:52 PM - edited 03-31-2022 08:58 PM
Hi @paul driver @MHM Cisco World,
thank you for your replies. Well yes, the actual topology is
7201-->>N5k-->>ASA-->>HOST
Regarding the SSH port, it is an "escamotage" or work-around to avoid leaving port 22 open on the router itself and to redirect to port 22 of the N5K for remote access. Why? Because the software version loaded on the 7201 doesn't support the
ip ssh port 7022 rotary x
command... but this is another problem.
Anyway, yes, all internal hosts, including the N5K 10.0.0.2 and the ASA as well as the HOST, need to access the internet and all services. The static entries are just SSH access and ports or services (8080, 80) related to the host itself, while port 4000 gives access to the switch and the network topology (from there).
So static entries are needed for the outside to access a service inside.
I have modified the NAT timeouts as @paul driver suggested and now I am monitoring.
@MHM Cisco World I was thinking the same, since it can happen every 1-2 weeks that a service on 8080 or on 4000 is dropped totally (no log entries, nor anything in the NAT translation debug about that, already checked) and basically I cannot connect to or use a static NAT service without a (known) reason!
The only way I have is to reload the router!
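Added example, not from any post in this thread: a small Python check that parses the text of `show ip nat translations` and reports which expected static PAT entries are absent, so the silent disappearance described above is caught by monitoring rather than by a failed SSH login. The sample output is constructed; the 203.0.113.1 outside address and the 10.0.0.3 host address are assumptions (only 10.0.0.2:22 behind port 4000 comes from the thread).

```python
# Constructed sample of "show ip nat translations" output (not captured from the router).
# Static PAT entries show "---" in both outside columns; dynamic overload entries do not.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:4000   10.0.0.2:22        ---                ---
tcp 203.0.113.1:34567  10.0.0.10:34567    198.51.100.7:443   198.51.100.7:443
udp 203.0.113.1:5353   10.0.0.11:5353     198.51.100.9:53    198.51.100.9:53
"""

# Static PAT entries that should always be present: (proto, outside port, inside ip, inside port).
# 4000 -> 10.0.0.2:22 is from the thread; 10.0.0.3 for 8080/80 is an assumed host address.
EXPECTED_STATIC = {
    ("tcp", 4000, "10.0.0.2", 22),
    ("tcp", 8080, "10.0.0.3", 8080),
    ("tcp", 80, "10.0.0.3", 80),
}


def parse_static_entries(output):
    """Return the set of static PAT entries found in show ip nat translations output."""
    found = set()
    for line in output.splitlines():
        fields = line.split()
        # Skip the header, blank lines and port-less static entries (Pro column is "---").
        if len(fields) != 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, inside_global, inside_local, outside_local, outside_global = fields
        # Anything with real outside addresses is a dynamic translation, not a static rule.
        if outside_local != "---" or outside_global != "---":
            continue
        _g_ip, g_port = inside_global.rsplit(":", 1)
        l_ip, l_port = inside_local.rsplit(":", 1)
        found.add((proto, int(g_port), l_ip, int(l_port)))
    return found


def missing_static_entries(output, expected=EXPECTED_STATIC):
    """Return the expected static entries that are missing, sorted for stable alerting."""
    return sorted(expected - parse_static_entries(output))


if __name__ == "__main__":
    for proto, g_port, l_ip, l_port in missing_static_entries(SAMPLE_OUTPUT):
        print(f"MISSING static PAT: {proto} outside :{g_port} -> {l_ip}:{l_port}")
```

Run it against the output of a scheduled `show ip nat translations` poll; any line it prints is a static rule the router has lost and a reason to look at the box before users report it.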
04-24-2022 10:54 PM
Hi all, I solved this by upgrading to the latest IOS version available for the 7201 series router.
No more problems detected, and the configuration has not been changed since the IOS update.
Thanks for help!