10-21-2018 08:09 PM - edited 03-05-2019 10:59 AM
My problem is the following:
A 4321 router has dual WAN connections to different ISPs for redundancy, and we use an IPSLA-based default route manipulation scheme. Outside PAT works fine.
We also need to forward some ports from outside to inside, for example 5060/udp (SIP), and we have a lot of problems here now.
Our typical config, which works fine on boxes prior to the 4xxx, is:
ip nat inside source static udp 10.71.0.9 5060 X.X.X.X 5060 extendable
ip nat inside source static udp 10.71.0.9 5060 Y.Y.Y.Y 5060 extendable
! X.X.X.X - public ip1, Y.Y.Y.Y - public ip2
But on 4321 this does not work anymore.
I don't know why, but on the 4321 (maybe on IOS-XE 16.x.x) I can't have two static NAT entries in the translation table.
After adding a second static NAT entry, it's not appearing in the translation table. Sometimes after a reboot the second (backup) NAT entry becomes active and we have a misconfigured NAT and routing table.
When the active static NAT entry is manually removed from the config nothing happens - there is no static NAT entry in the translation table anymore.
The only way to revert the situation is:
no ip nat inside source static udp 10.71.0.9 5060 X.X.X.X 5060 extendable
ip nat inside source static udp 10.71.0.9 5060 X.X.X.X 5060 extendable
Clearing the NAT translation table doesn't help.
Tested OS images:
16.03.07
16.03.06
16.06.04
Does anybody know what we should do to get the old behavior?
10-23-2018 11:05 PM - edited 10-23-2018 11:12 PM
Hi again,
A possible solution for static NAT statements in a dual-WAN scenario is to use two different route-maps, something like this:
ip nat inside source static udp 10.71.0.9 5060 X.X.X.X 5060 route-map ISP1-STATIC-NAT-MAP extendable
ip nat inside source static udp 10.71.0.9 5060 Y.Y.Y.Y 5060 route-map ISP2-STATIC-NAT-MAP extendable
!
route-map ISP1-STATIC-NAT-MAP permit 10
match ip address STATIC-NAT-ACL
match interface GigabitEthernet0/0/0
!
route-map ISP2-STATIC-NAT-MAP permit 10
match ip address STATIC-NAT-ACL
match interface GigabitEthernet0/0/1
!
ip access-list extended STATIC-NAT-ACL
deny ip host 10.71.0.9 10.0.0.0 0.255.255.255
deny ip host 10.71.0.9 172.16.0.0 0.15.255.255
deny ip host 10.71.0.9 192.168.0.0 0.0.255.255
permit ip host 10.71.0.9 any
!
I can't find any documents about this situation, but the solution above worked for me.
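As an added check (not part of the answer above or any Cisco tooling), the script below reads a saved running-config and flags the failure mode from the question: two static port-forwards for the same inside socket that are not each steered by a route-map matching its own egress interface. The sample configs are constructed from the two snippets in this thread, with the placeholder public IPs kept.

```python
import re
from collections import defaultdict

# Constructed samples: the answer's route-map variant, and the pre-4xxx style from the question.
WORKING_CONFIG = """
ip nat inside source static udp 10.71.0.9 5060 X.X.X.X 5060 route-map ISP1-STATIC-NAT-MAP extendable
ip nat inside source static udp 10.71.0.9 5060 Y.Y.Y.Y 5060 route-map ISP2-STATIC-NAT-MAP extendable
route-map ISP1-STATIC-NAT-MAP permit 10
 match ip address STATIC-NAT-ACL
 match interface GigabitEthernet0/0/0
route-map ISP2-STATIC-NAT-MAP permit 10
 match ip address STATIC-NAT-ACL
 match interface GigabitEthernet0/0/1
"""
BROKEN_CONFIG = """
ip nat inside source static udp 10.71.0.9 5060 X.X.X.X 5060 extendable
ip nat inside source static udp 10.71.0.9 5060 Y.Y.Y.Y 5060 extendable
"""
NAT_RE = re.compile(r"^ip nat inside source static (\S+) (\S+) (\d+) \S+ \d+(?: route-map (\S+))?")

def parse_config(config):
    """Return ({(proto, inside_ip, inside_port): [route-map or None, ...]}, {route-map: {interfaces}})."""
    nat, rmaps, current = defaultdict(list), defaultdict(set), None
    for line in config.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            proto, in_ip, in_port, rmap = m.groups()
            nat[(proto, in_ip, in_port)].append(rmap)
        elif line.startswith("route-map "):
            current = line.split()[1]  # following 'match' lines belong to this route-map
        elif current and line.startswith("match interface "):
            rmaps[current].update(line.split()[2:])
    return nat, rmaps

def check_dual_wan_static_nat(config):
    """Return findings; an empty list means every duplicated forward has its own egress interface."""
    nat, rmaps = parse_config(config)
    findings = []
    for key, maps in nat.items():
        if len(maps) < 2:
            continue  # a single translation per inside socket needs no steering
        if None in maps:
            findings.append(f"{key}: {len(maps)} static entries but not all carry a route-map")
            continue
        seen = set()
        for rmap in maps:
            ifaces = rmaps.get(rmap, set())
            if not ifaces:
                findings.append(f"{key}: route-map {rmap} is undefined or matches no interface")
            elif ifaces & seen:
                findings.append(f"{key}: route-map {rmap} shares an egress interface with another entry")
            seen |= ifaces
    return findings
```

Run it over `show running-config` output before committing a change; it does not talk to the router, so it cannot confirm what actually lands in the translation table.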