01-31-2025 04:27 AM
So we have just upgraded an 1111-8P from 16.9.5 to 16.12.8.
We have a static NAT inbound that allows access to a CCTV system. This has worked fine for years.
Now the app won't work. All NAT and ZBF related config looks the same in a Notepad++ compare.
I am seeing my test traffic hit the outside interface, but not then any more after that.
So I guess this could be ZBF or NAT, I am leaning more towards ZBF at the moment, but struggling how to capture this.
In ZBF we have hostile-DMZ (where the system is) and LAN-DMZ, this one works fine.
Another router we went from 16.12.4 to 16.12.8 which has static inbound NAT is still working ok.
I did try to revert to 16.9.5, but it just came back up on 16.12.8.
01-31-2025 04:35 AM
It can be NAT and/or zone security.
Show ip nat translate <<- share this
MHM
01-31-2025 04:46 AM
This is the one for this NAT
Pro  Inside global  Inside local  Outside local  Outside global
---  212.154.x.x    10.82.70.10   ---            ---
But I never see a flow from my public IP when testing
01-31-2025 04:52 AM
This static NAT is permanently added as a NAT entry.
From this it seems that NAT is not working at all.
Can I see the router config?
Thanks
MHM
02-03-2025 03:42 AM
Looks like we might be hitting this bug.
https://bst.cisco.com/quickview/bug/CSCwa49729
The dynamic NAT assigns ports for it to use and blocks them out.
sh ip nat portblock dynamic global
tcp:
7110 -8133 rfcnt 1 6086 -7109 rfcnt 1 5062 -6085 rfcnt 1 545 -617 rfcnt 1
udp:
5062 -6085 rfcnt 1 512 -584 rfcnt 1
Our flow uses tcp/8000. Later today I will try removing the dynamic and reapplying the static NAT first to see what happens.
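A way to check a static NAT port against the port blocks listed by `sh ip nat portblock dynamic global`, as an added example (not code from the poster or from Cisco). It assumes the output format pasted in the post above; the function names are hypothetical.

```python
import re

# Constructed sample: the port-block output as pasted in the thread.
SAMPLE = """\
tcp:
7110 -8133 rfcnt 1 6086 -7109 rfcnt 1 5062 -6085 rfcnt 1 545 -617 rfcnt 1
udp:
5062 -6085 rfcnt 1 512 -584 rfcnt 1
"""

# One block looks like "7110 -8133 rfcnt 1" (start, end, reference count).
BLOCK_RE = re.compile(r"(\d+)\s*-\s*(\d+)\s+rfcnt\s+(\d+)")


def parse_portblocks(text):
    """Return {proto: [(start, end, refcount), ...]} from the CLI output."""
    blocks, proto = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"(tcp|udp):", line, re.IGNORECASE)
        if header:
            proto = header.group(1).lower()
            blocks.setdefault(proto, [])
            continue
        if proto is None:
            continue  # ignore anything before the first protocol header
        for start, end, ref in BLOCK_RE.findall(line):
            blocks[proto].append((int(start), int(end), int(ref)))
    return blocks


def conflicts(blocks, static_ports):
    """static_ports: iterable of (proto, port) used by static NAT entries.
    Return [(proto, port, (start, end, refcount)), ...] for each overlap."""
    hits = []
    for proto, port in static_ports:
        for blk in blocks.get(proto.lower(), []):
            if blk[0] <= port <= blk[1]:
                hits.append((proto.lower(), port, blk))
    return hits


if __name__ == "__main__":
    # tcp/8000 is the flow named in the post.
    for proto, port, (s, e, r) in conflicts(parse_portblocks(SAMPLE), [("tcp", 8000)]):
        print(f"{proto}/{port} falls inside dynamic port block {s}-{e} (rfcnt {r})")
```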