We have a problem with a Cisco router 7200 -- Software (C7200P-SPSERVICESK9-M), Version 12.2(33)SRE2.
Some NAT rules are being dropped and traffic is not forwarded accordingly.
For example, we have a NAT rule for forwarding remote SSH connections to the directly connected N5K, translating port 4000 to port 22. Sometimes this stops working and it's impossible to access it by SSH from the outside. So, wondering why, I tried to connect to the switch from another internal network, and it was accepting connections to its port 22 normally.
After rebooting the router, it started to work again...
Any idea for troubleshooting this issue?
In the NAT logs, I did not find anything relevant.
I suggest amending the translation timeout values and your NAT ACL to negate the static hosts from the overload NAT statement, if those hosts are only required to be port translated on those specific ports.
ip nat translation timeout 1800
ip nat translation tcp-timeout 1800
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation synrst-timeout 30
no access-list 10
access-list 100 remark NAT_ACL
access-list 100 deny ip host 10.0.0.2 any
access-list 100 deny ip host 10.0.0.3 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
clear ip nat statistics
debug ip nat translations
@MHM Cisco World not sure I follow what you are saying; the static PAT statement has NO bearing on the overload access-list, it's not even called upon, it's specific to port forwarding on TCP 22 only.
So the deny ACE in the NAT ACL is to negate that internal host from participating in any dynamic PAT (even internet browsing etc.); if you remove the dynamic PAT entirely, that static PAT should still port-forward for TCP 22.
As I stated "if those hosts are only required to be port translated on those specific ports"
Your golden words
"if those hosts are only required to be port translated on those specific ports"
are right, and I hope @Frank27 decides whether the host is translated to those specific ports or not.
@Frank27's config is the same as Cisco recommends and ALL config is OK, but I am starting to think it is a bug that the static NAT disappears but works.
Thank you for your replies. Well yes, the actual topology is
Regarding the SSH port, it is an "escamotage" or workaround for avoiding leaving port 22 open on the router itself and redirecting to port 22 of the N5K for remote access. Why? Because the software version loaded on the 7201 doesn't support the
ip ssh port 7022 rotary x
command ... but this is another problem.
Anyway, yes, all internal hosts, including the N5K 10.0.0.2 and the ASA as well as the HOST, need to access the internet and all services. The static entries are just SSH access and ports or services (8080, 80) related to the host itself, while port 4000 gives access to the switch and the network topology (from there).
So static entries are needed for the outside to access a service inside.
I have modified the nat timeouts as @paul driver suggested and now I am monitoring.
@MHM Cisco World I was thinking the same, since it can happen every 1-2 weeks that a service on 8080 or on 4000 is dropped totally (no log entries, not even in the NAT translation debug, already checked) and basically I cannot connect to or use a static NAT service without a (known) reason!
The only way I have is to reload the router!
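Since the symptom in this thread is a static PAT entry silently vanishing from the translation table until a reload, a periodic check that parses `show ip nat translations` output and reports which expected static entries are missing catches the failure before users do. This is an added example, not code from the thread; the sample tables, the public address 203.0.113.1 and the 10.0.0.3:8080 mapping are constructed to match the topology described above.

```python
import re

# Constructed sample of `show ip nat translations` while everything works.
# 203.0.113.1 is a documentation-range placeholder for the router's outside address.
SAMPLE_HEALTHY = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:4000   10.0.0.2:22        ---                ---
tcp 203.0.113.1:8080   10.0.0.3:8080      ---                ---
tcp 203.0.113.1:1025   10.0.0.5:51234     198.51.100.7:443   198.51.100.7:443
"""

# Constructed sample of the failure from the thread: the 4000 -> 22 static entry is gone.
SAMPLE_BROKEN = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:8080   10.0.0.3:8080      ---                ---
tcp 203.0.113.1:1025   10.0.0.5:51234     198.51.100.7:443   198.51.100.7:443
"""

# Static PAT mappings that must always be present: (proto, global port, inside host, inside port).
EXPECTED_STATIC = [
    ("tcp", 4000, "10.0.0.2", 22),
    ("tcp", 8080, "10.0.0.3", 8080),
]

# One tcp/udp row of the table; the header and icmp rows (different layout) are skipped.
_ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_translations(text):
    """Return one dict per translation row of a `show ip nat translations` dump."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        proto, gaddr, gport, laddr, lport, oloc, oglob = m.groups()
        rows.append({"proto": proto,
                     "inside_global": (gaddr, int(gport)),
                     "inside_local": (laddr, int(lport)),
                     # Static entries with no active session show '---' for both outside fields.
                     "idle_static": oloc == "---" and oglob == "---"})
    return rows


def missing_static(text, expected=EXPECTED_STATIC):
    """Return the expected static mappings that appear in no row (idle or with an active session)."""
    present = {(r["proto"], r["inside_global"][1], r["inside_local"][0], r["inside_local"][1])
               for r in parse_translations(text)}
    return [e for e in expected if e not in present]
```

Feed it the output of `show ip nat translations` collected over SSH or a console script and alert on a non-empty result; a missing entry combined with a still-present `ip nat inside source static` line in the running config is the state the thread describes.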