In my Network one Distribution Switch,Firewall,Routers are connected.Through DS all Access Switches are connected.Firewall inside interface connected to DS and Outside is Connected to Router. the thing is everyone able to access internet with a good speed at the same time Static and Dynamic IP's are translating private to Public and vice-versa. In between this environment dynamic NATted IP Users unable to acces internet suddenly and there is no issue with Statically NATted IPs. Once i fire the Command shut and no shut command on WAN interface of the Router again Dynamic User able to access internet. Inbetween this interval What were happed no one knows even ther is CRC and Input errors are genarating on firewall as well as on Router. And there is no logs found between that time.
Anyone help me on this because it is happening since last few months and it is being headache for us.
Did you check the logs in both the router and the firewall when this problem occurs? The logs may provide you a clue about what is happening during the network freeze for your dynamic nat users.
There is no logs found in firewall as well in Routers.
One more thing i have observed that ip nat pool cisco x.x.x.x x.x.x.x mask is 255.255.255.224 (both first and last IP's are Same)
in which when i saw ip nat translation by using command show ip nat translation in which last port is showing 65412. upto this port there is only one public IP is being in use i have not seen any other public ip being translated.is there any issue with natting
I think you are using NAT overload and problem could be that you have reached maximum number of tcp ports that can be used for NAT overload/PAT (port address translation) connections.
As you have mentioned that first and last IP in NAT pool is same and that means only one IP hs been used for NAT overload and that is why it is getting fully utilized when you reach limit of number of tcp ports that can be used for PAT
You can do couple of things
- Increase the number of IP in NAT IP Pool
- check for Xlate (NAT connection) time out, i hope its defualt if not it should not be too high. This may lead to many "not in use" translation entries in the table
Hope this helps
If the pool of NAT addresses has the same first and last IP is because you're doing PAT.
Can you post the configuration?
Some time Dynamically natted Users are not able to access internet for a delay of time after few menutes again they are able to access.
While this happens, they established Internet automatically on their own? Or do you have to do a reset of some sort?
What do you get on the ''sh ip nat statistics''
Do a test...
Try to PING the default gateway of the router from a working user. The IP that shows under the statement ''sh ip route'' for ip route 0.0.0.0 0.0.0.0 x.x.x.x
If the working user can PING that IP.... then try a non-working user to PING that IP when Internet fails.
I want to see if when Internet fails, if the user not able to get to the Internet is still able to PING the router's defaullt gateway.
With this test, we will determine if when Internet fails, if the problem is indeed the router, or perhaps is something else.
1, When i fire shut/no shut command on Routers interface/remove the cable from Router port result is everyone able to access Internet
Total active translations: 800 (10 static, 790 dynamic; 792 extended)
Hits: 62362023 Misses: 0
CEF Translated packets: 61675320, CEF Punted packets: 686880
Expired translations: 470702
-- Inside Source
[Id: 1] access-list Internet pool BPO refcount 568
pool BPO: netmask 255.255.255.224
start x.x.x.215 end x.x.x.215
type generic, total addresses 1, allocated 1 (100%), misses 3045
Appl doors: 0
Normal doors: 0
Queued Packets: 0
There so many vlans are configured in my network and default gateway for each vlan users is vlan ip which is configured on Switch and they don't have an access to ping to Router IP.
There one of dynamically assigned ip is my system ip and whenever it happen im able to ping to router LAN ip as well WAN ip but i will lost internet connectivity.
If you still can PING the WAN IP when there's no Internet, I don't think it is a problem with the router...
How is your setup?
LAN -- Router -- Internet device --- Cloud
Something like that?
You say that you can still PING the Internet device from the LAN (through the router) when the problem happens?
connectivity is like LAN-Firewall-Router-Cloud
I can ping the WAN ip but not able to access internet. Once like to remember you that my nat pool is something like given below.
ip nat pool BPO x.x.x.x x.x.x.x mask 255.255.255.224 and the first and last ip is same.
I don't think the problem is the pool because is PAT.
However, try the following...
Remove the pool and add...
access-list 190 permit ip 10.0.0.0 0.0.0.255 any ---> change 10.0.0.0 0.0.0.255 with your internal network scheme
ip nat inside source list 190 interface
What you're doing is changing the NAT pool (not an actual pool just an IP), to be the outside IP of the router itself.