Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
121092
Views
30
Helpful
12
Replies

clear ip nat translation (static)

dburgess.adliteuk
Level 1
Level 1

‎12-29-2010 08:03 AM - edited ‎03-04-2019 10:54 AM

Hi hope somenone can help me on this. I am trying to change a static nat entry from this

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.246 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.246 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.246 443 interface Dialer0 443

to

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.247 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.247 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.247 443 interface Dialer0 443

I have tried various methods

from exec mode

clear ip nat translation *

no ip nat inside source static tcp 192.168.0.246 443 interface dialer0 443

But I am getting

cisco2800(config)#
%Static entry in use, cannot remove

If anyone can help me on this problem I would be greatly appreciated as it is slowing a migration of the mail servers down considerably. Thanks in advance.

4 people had this problem
Labels:
0 Helpful
12 Replies 12

Todd Pula
Level 7
Level 7

‎12-29-2010 08:10 AM

You can try to remove the "ip nat inside" and "ip nat outside" commands from the related interfaces and then do a "clear ip nat trans *".  Once disabled, you should be able to safely remove the stale static NAT entries.

Todd

dburgess.adliteuk
Level 1
Level 1
In response to Todd Pula

‎12-29-2010 08:35 AM

Hi Todd thanks for the prompt response.

ip address 192.168.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
duplex auto
speed auto
no mop enabled

So if I do a no ip nat inside on this interface will this then allow me to remove the static nat addresses. Will this affect my connectivity to the router? I am currently connecting via vpn through to the 192.168.0.254 interface.

Thanks in advance.

0 Helpful

johnlloyd_13
Level 9
Level 9
In response to dburgess.adliteuk

‎12-30-2010 03:11 AM

hi darren,

i would suggest to use the WAN ip address for remote access to your router just to avoid any disconnection. also, reload in command would be ideal to use.

0 Helpful

mrdogantr
Level 1
Level 1

‎12-30-2010 12:39 AM

Hi Daren,

     You can use commands below on config mode.

do clear ip nat trans *

no ip nat inside source static tcp 192.168.0.246 443 interface dialer0 443

$conf t

(config)# do clear ip nat trans *

(config)# no ip nat inside source static tcp 192.168.0.246 443 interface dialer0 443

hth

Muammer

shillings
Level 4
Level 4
In response to mrdogantr

‎12-30-2010 02:59 AM

I seem to recall shutting down the LAN interface also enables you to clear all the translations, but perhaps not viable in a live setup.

0 Helpful

dburgess.adliteuk
Level 1
Level 1
In response to mrdogantr

‎12-30-2010 06:03 AM

Hi Thanks everyone for your interest and advice it is very much appreciated. The do clear ip nat trans still had the message static entry in use when I use the no ip nat inside source. I think I will have to configure the remote access on to the wan port so I can shut down the gig int. I am unsure how to do this but am sure I will find some info. I will reply back as soon as I have a breakthrough on this. At the minute I am connecting via VPN and then telnetting through the private LAN address.

Is it possible to change the startup config then reboot to load with the no ip nat inside and then add the static mappings I require.

Thanks again for all your help and assistance.

0 Helpful

shillings
Level 4
Level 4
In response to dburgess.adliteuk

‎12-30-2010 06:16 AM

You can certainly use copy http: flash: to copy a new config to the router, then copy that file to your startup-config (copy flash: startup-config) and then reload ensureing you don't say 'yes' to saving any changes from the running-config.

Personally, I'd be tempted to keep looking for an alternative, especially if it's a vital device. I prefer your idea of configuring WAN access so you can shutdown the LAN interface without loosing connectivity.

There might still be alternative ways of clearing the translations - I just recall shutting down the LAN port as working for me, but it was not critical services so I could do this without worrying.

dburgess.adliteuk
Level 1
Level 1
In response to shillings

‎12-30-2010 06:37 AM

My next option is to configure access on the wan interface. I will need to look into how to do this as I have inherited this cisco router and although I have some experience with cisco routers I am by no means an expert. I have no physical access to the router at the moment so am being extra careful not to cut the client off.

Thanks for your help.

0 Helpful

d_hildman
Level 1
Level 1

‎09-27-2014 08:37 AM

mrdogantr is correct although sometimes there is enough activity, where a new traffic flow could squeeze in between your paste.  I just had this same problem in trying to change a translation that had been collecting net flow data.  (~2k new flows/sec)  The issue also could exist on the LAN side for this user question, but since the user only shows static entries listed for WAN side, we must assume that this is where the problem exists.

You just need to temporarily block the interesting traffic in ingress (LAN or WAN), before the traffic can reach the nat engine.  Specifically, paste this:

! user fw config was not given, 
!  assume I'm building one as ACL 101
!
ip access-list ext 101
  deny tcp any host <wan ip> range 25 443
  permit ip any any
!
int dialer0
  ip access-group 101 in
!
do clear ip nat trans *
no ip nat inside source static tcp 192.168.0.246 25 interface Dialer0 25
no ip nat inside source static tcp 192.168.0.246 80 interface Dialer0 80
no ip nat inside source static tcp 192.168.0.246 443 interface Dialer0 443
! VOILA, hard part is done.
ip nat inside source static tcp 192.168.0.247 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.247 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.247 443 interface Dialer0 443

0 Helpful

helalbd_net
Level 1
Level 1

‎08-10-2017 03:00 PM

I had the same Issue and I did the following to fix it.

Router(3845)(config)#no ip nat outside source static x.x.x.x y.y.y.y

Static entry in use, do you want to delete child entries? [no]: yes <<------ I said Yes.

After Investigation, In my case I found that one user was still connected to the server reason why it was showing the static entry in use. As soon as I deleted the child entries and did "clear ip nat translation * " it resolved my Issue.

Note:  clear IP nat translation* has no impact to the production and If you delete child entries it will delete the open session on different ports for that particular static mapping only. It will not impact others.

HTH for someone who may have similar issue in future.

Regards

Mohammad 

kkrishna1
Level 1
Level 1
In response to helalbd_net

‎09-04-2017 07:14 AM

I had the same Static entry in use, do you want to delete child entries? [no]: yes <<------ I said Yes.

It doesnt allow and then I have did the  clear IP nat translation*   and then came to config mode and did 

ip nat inside source static x.x.x.x y.y.y.y  it allowed me to delete the entry

 

Reagrds,

Krishnaraj AVK

0 Helpful

mail
Level 1
Level 1
In response to helalbd_net

‎12-03-2017 01:13 PM

Many thanks, I have a few unifi sites reporting home so had to use the command quickly as the first time I was too slow and had a WAP reconnect :D It worked a treat the 2nd attempt when I got a move on.

 

Cheers again

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card