8300 Static NAT - No TCP Response from One subnet

CMAC2
Level 1

Hello,

I am having some issues with a new static NAT configuration that has stumped me. We have two subnets: one is local (10.100.2.0/23) and the other is passed over a VPN (10.29.2.0/24). When traffic is bound for 192.168.12.0/24 it is routed to our C8300 at 10.100.3.254 and then translated to a 172.16.16.0/24 address, where it is routed by a Cisco 9300 at 172.16.16.1 that I do not manage. The NAT translations appear to be working for both the 10.100.2.0 and 10.29.2.0 subnets, but I do not receive any response or SYN-ACK packets for devices on the 10.29.2.0 subnet; devices on the 10.100.2.0 subnet are working perfectly fine.

Any ideas on what to check? I've posted the relevant configuration I have here:

interface GigabitEthernet0/0/3
ip address 10.100.3.254 255.255.254.0
ip nat inside
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/4
ip address 172.16.16.4 255.255.255.0
ip nat outside
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
ip http server
ip http authentication aaa
ip http secure-server
!
ip nat inside source static 10.100.2.239 172.16.16.20
ip nat inside source static 10.29.2.96 172.16.16.21
ip nat inside source static 10.100.2.169 172.16.16.22
ip nat inside source static 10.100.2.186 172.16.16.23
ip nat inside source static 10.13.2.94 172.16.16.24
ip nat inside source static 10.100.2.142 172.16.16.25
ip nat inside source static 10.29.2.92 172.16.16.27
ip nat inside source static 10.29.2.21 172.16.16.28
ip nat inside source static 10.29.2.170 172.16.16.31
ip nat inside source static 10.29.2.117 172.16.16.32
ip nat inside source static 10.29.2.151 172.16.16.33
ip nat inside source static 10.29.2.138 172.16.16.34
ip nat inside source static 10.29.2.167 172.16.16.35
ip nat inside source static 10.29.2.103 172.16.16.36
ip nat inside source static 10.100.2.143 172.16.16.37
ip nat inside source static 10.100.2.15 172.16.16.38
ip nat inside source static 10.100.2.21 172.16.16.42
ip nat inside source static 172.16.10.21 172.16.16.43
ip nat inside source static 10.29.2.212 172.16.16.44
ip nat inside source static 10.29.2.115 172.16.16.50
ip nat inside source static 10.100.2.151 172.16.16.53
ip nat inside source static 10.29.2.104 172.16.16.60
ip nat inside source static 10.29.2.135 172.16.16.61
ip nat inside source static 10.100.2.235 172.16.16.73
ip nat inside source static 10.29.2.126 172.16.16.75
ip nat inside source static 10.29.2.144 172.16.16.84
ip nat inside source static 10.29.2.95 172.16.16.111
ip nat inside source static 10.29.2.97 172.16.16.112
ip nat inside source static 10.100.2.88 172.16.16.115
ip route 0.0.0.0 0.0.0.0 10.100.2.33
ip route 192.168.12.0 255.255.255.0 172.16.16.1 10
ip route 192.168.16.0 255.255.255.0 172.16.16.1 10
ip ssh bulk-mode 131072
!
ip access-list extended NAT
1 permit tcp any any log
2 permit udp any any log
!
ip access-list standard 2
10 permit 10.100.2.0 0.0.0.254 log
20 permit 10.29.2.0 0.0.0.255 log
30 permit 172.16.16.0 0.0.0.255 log

Hello
I don't see any route in the inside NAT domain for the 10.29.0.0 subnet. You mention a VPN it is originating from, but you have not posted it?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I am not sure what you're asking exactly, but hopefully this helps.

The VPN is between the 10.29.2.0/24 and 10.100.2.0/23 subnets on a separate device. The C8300 is only used to route traffic to the 192.168.12.0 subnet from these two subnets.

Traffic going from 10.29.2.21 to 192.168.12.1 hops from 10.29.2.1 directly to the C8300 at 10.100.3.254; it is then translated to 172.16.16.28 and goes out Ge0/0/4 to the next-hop 172.16.16.1, which is managed by someone else. They are able to see traffic from 172.16.16.28 coming in, and they are able to see the SYN-ACK responses going to 172.16.16.28, but it doesn't make it back to 10.29.2.21.

Hello

@CMAC2 wrote:

 Traffic going from 10.29.2.21 to 192.168.12.1 hops from 10.29.2.1 directly to the C8300 at 10.100.3.254; it is then translated to 172.16.16.28 and goes out Ge0/0/4 to the next-hop 172.16.16.1

Okay, thank you for the clarification. So the default route covers the routing for 10.29.2.0, and you do see the NAT translation but no 3-way handshake completion? That is confusing, as it wouldn't be working without that. What are you expecting to see in the SYN-ACK, as that will be subject to translation also?



Kind Regards
Paul

Richard Burts
Hall of Fame

I am not sure what the issue is here, but I do have an observation and a couple of questions:

- You identify one interface as NAT inside, but your static NATs include addresses from several other subnets. What is the deal with those subnets?

- You show the extended ACL NAT, but do not show where or how it is used.

- You show the standard ACL 2, but do not show where or how it is used.

HTH

Rick
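Paul's route question and Rick's observation about static NATs for subnets that are not on the inside interface can be checked mechanically against the posted configuration. The script below is an added example, not code from the thread, from either poster or from Cisco: it parses the interface, static-route and `ip nat inside source static` lines (a subset of the posted lines is copied inline) and, for each translation, finds the route the un-translated SYN-ACK would take back to the inside-local host, the interface it would leave on and whether that interface is `ip nat inside`, and whether the inside-global address sits in the `ip nat outside` subnet so that 172.16.16.1 can ARP for it. The `BROKEN_CONFIG` variant, which adds a 10.29.2.0/24 route pointing back at 172.16.16.1, is constructed to show a failing case and is not from the thread. The script models connected and static routes only (no dynamic routing, no VRFs).

```python
"""Return-path check for IOS-XE static NAT entries (added example, not from
the original post or from Cisco). Models connected + static routes only."""
import ipaddress

# Subset of the configuration posted in the thread (copied, not constructed).
POSTED_CONFIG = """\
interface GigabitEthernet0/0/3
 ip address 10.100.3.254 255.255.254.0
 ip nat inside
!
interface GigabitEthernet0/0/4
 ip address 172.16.16.4 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.100.2.239 172.16.16.20
ip nat inside source static 10.13.2.94 172.16.16.24
ip nat inside source static 10.29.2.21 172.16.16.28
ip nat inside source static 172.16.10.21 172.16.16.43
ip route 0.0.0.0 0.0.0.0 10.100.2.33
ip route 192.168.12.0 255.255.255.0 172.16.16.1 10
"""

# Constructed variant (assumption, not from the thread): a more specific route
# for 10.29.2.0/24 that sends return traffic back out the nat outside interface.
BROKEN_CONFIG = POSTED_CONFIG + "ip route 10.29.2.0 255.255.255.0 172.16.16.1\n"


def parse_config(text):
    """Return (interfaces, routes, statics) from IOS-style running-config text."""
    interfaces, routes, statics, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("interface "):
            current = parts[1]
            interfaces[current] = {"network": None, "nat": None}
        elif line == "!":
            current = None
        elif current and line.startswith("ip address "):
            # "ip address A.B.C.D MASK" -> connected network of the interface
            interfaces[current]["network"] = ipaddress.IPv4Interface(
                f"{parts[2]}/{parts[3]}").network
        elif current and line in ("ip nat inside", "ip nat outside"):
            interfaces[current]["nat"] = parts[2]
        elif line.startswith("ip nat inside source static "):
            statics.append((ipaddress.IPv4Address(parts[5]),   # inside local
                            ipaddress.IPv4Address(parts[6])))  # inside global
        elif line.startswith("ip route "):
            routes.append((ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}"),
                           ipaddress.IPv4Address(parts[4])))   # next hop
    return interfaces, routes, statics


def lookup(dst, interfaces, routes):
    """Longest-prefix match over connected networks, then static routes.
    Returns (prefix, egress_interface, next_hop); egress is None when a static
    route's next hop is not on any connected network."""
    best = None
    for name, intf in interfaces.items():
        net = intf["network"]
        if net is not None and dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, None)
    for net, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            egress = next((n for n, i in interfaces.items()
                           if i["network"] is not None and nh in i["network"]), None)
            best = (net, egress, nh)
    return best


def check_static_nat(text):
    """Map each inside-local address to its return route and any problems found."""
    interfaces, routes, statics = parse_config(text)
    outside = [i["network"] for i in interfaces.values() if i["nat"] == "outside"]
    report = {}
    for local, glob in statics:
        problems = []
        match = lookup(local, interfaces, routes)
        if match is None:
            prefix = egress = None
            problems.append("no route back to inside local")
        else:
            prefix, egress, _ = match
            if egress is None:
                problems.append("return route next hop is not on a connected interface")
            elif interfaces[egress]["nat"] != "inside":
                problems.append(f"return route leaves {egress}, which is not ip nat inside")
        if not any(glob in net for net in outside):
            problems.append("inside global is outside the nat outside subnet")
        report[str(local)] = {"global": str(glob), "route": str(prefix) if prefix else None,
                              "egress": egress, "problems": problems}
    return report


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("constructed broken", BROKEN_CONFIG)):
        print(f"== {label} ==")
        for local, r in check_static_nat(cfg).items():
            status = "OK" if not r["problems"] else "; ".join(r["problems"])
            print(f"{local:>14} -> {r['global']:<14} via {r['route']} on {r['egress']}: {status}")
```

Every entry in the posted subset passes: 10.29.2.21, 10.13.2.94 and 172.16.10.21 all fall under the default route to 10.100.2.33, which leaves GigabitEthernet0/0/3, an inside interface, and every inside-global address is in 172.16.16.0/24 on the outside interface. That is consistent with the outcome of the thread, where the fault turned out to be on the far side of 172.16.16.1. On the router itself the same questions are answered by `show ip route 10.29.2.21` and `show ip nat translations`; anything learned over the VPN by a routing protocol would not be seen by this script.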

CMAC2
Level 1

This was resolved on the other side. Still waiting for more details.

Thanks for the update. Glad to know that the issue is resolved. 

HTH

Rick