12-11-2019 10:26 AM - edited 12-11-2019 10:27 AM
We have observed that on an upstream firewall, there are log messages about 'unable to locate egress interface' for packets that are from 74.x.x.x to 167.x.x.x. The odd thing is that the 167.x.x.x is part of a NAT process on a downstream ASR1001X that connects a third party in the 74.x.x.x IP address space. The router has a translation process with overload functionality, that translates internal hosts into the 167.x.x.x network. The presence of the log message on the upstream firewall makes me think the router did not 'un-do' the translation. Here is the NAT config on the router:
! idle timeout, in seconds, for dynamic translations (IOS default is 86400)
ip nat translation timeout 60
! idle timeout, in seconds, for TCP translations (IOS default is 86400)
ip nat translation tcp-timeout 60
! two inside-global addresses (.99 and .100) that inside hosts are translated to
ip nat pool nat-pool 167.x.x.99 167.x.x.100 netmask 255.255.255.248
! sources matching ACL xlate are translated into the pool with port overload (PAT), for the given VRF
ip nat inside source list xlate pool nat-pool vrf xxxxxx overload
! ACL xlate matches every inside host in 10.0.0.0/8
ip access-list standard xlate
permit 10.0.0.0 0.255.255.255
I suspect this has to do with the translation timeouts, but not sure. Any suggestions are greatly appreciated!
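The following is an added illustration, not code or output from the poster, from Cisco or from any other participant in this thread. It is a small Python model of what the configuration above describes: PAT (NAT overload) from 10/8 into a two-address pool, with an idle timeout, and it shows what a router does with a reply that arrives after the translation entry has expired. The pool addresses 167.0.0.99/.100, the third-party host 74.0.0.10 and the inside host 10.1.1.5 are stand-ins for the redacted addresses in the post; the 60-second timeout is the one from the config. Pool-address selection is simplified (real IOS keeps using one pool address until its ports are exhausted).

```python
"""Toy model of IOS NAT overload (PAT) with an idle timeout.

Added example; not the original post's code and not Cisco's implementation.
Addresses below are constructed stand-ins for the redacted 10.x / 74.x / 167.x
values in the thread.
"""
import ipaddress
from dataclasses import dataclass

POOL = ["167.0.0.99", "167.0.0.100"]               # stand-in for 167.x.x.99-167.x.x.100
XLATE_ACL = ipaddress.ip_network("10.0.0.0/8")    # 'permit 10.0.0.0 0.255.255.255'
TIMEOUT = 60                                       # 'ip nat translation timeout 60'


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:
    inside: tuple      # (inside local address, port)
    outside: tuple     # (inside global address, translated port)
    last_seen: float   # last time this entry was used


class PatRouter:
    def __init__(self, pool, acl, timeout):
        self.pool, self.acl, self.timeout = pool, acl, timeout
        self.next_port = 1024
        self.by_inside = {}    # (inside addr, port) -> Entry
        self.by_outside = {}   # (global addr, port) -> Entry

    def _expire(self, now):
        """Drop every entry idle for at least `timeout` seconds."""
        for key, e in list(self.by_inside.items()):
            if now - e.last_seen >= self.timeout:
                del self.by_inside[key]
                del self.by_outside[e.outside]

    def inside_to_outside(self, pkt, now):
        """Inside -> outside: create or refresh a translation if src matches the ACL."""
        self._expire(now)
        if ipaddress.ip_address(pkt.src) not in self.acl:
            return pkt, "not-in-acl"
        key = (pkt.src, pkt.sport)
        e = self.by_inside.get(key)
        if e is None:
            glob = (self.pool[len(self.by_outside) % len(self.pool)], self.next_port)
            self.next_port += 1
            e = Entry(key, glob, now)
            self.by_inside[key] = e
            self.by_outside[glob] = e
        e.last_seen = now
        return Packet(e.outside[0], e.outside[1], pkt.dst, pkt.dport), "translated"

    def outside_to_inside(self, pkt, now):
        """Outside -> inside: undo the translation only while an entry exists.

        With no matching entry the packet is not rewritten; it is simply routed
        by its destination, which is still the pool address, so it leaves the
        router carrying 74.x -> 167.x addressing."""
        self._expire(now)
        e = self.by_outside.get((pkt.dst, pkt.dport))
        if e is None:
            return pkt, "no-entry-forwarded-as-is"
        e.last_seen = now
        return Packet(pkt.src, pkt.sport, e.inside[0], e.inside[1]), "reverse-translated"


def demo():
    """Constructed exchange: one flow, one prompt reply, one late reply."""
    r = PatRouter(POOL, XLATE_ACL, TIMEOUT)
    out, s1 = r.inside_to_outside(Packet("10.1.1.5", 40000, "74.0.0.10", 443), now=0)
    # reply inside the 60 s window: entry still present, translation reversed
    back, s2 = r.outside_to_inside(Packet("74.0.0.10", 443, out.src, out.sport), now=30)
    # reply 70 s after the last packet: entry expired, packet forwarded untouched
    late, s3 = r.outside_to_inside(Packet("74.0.0.10", 443, out.src, out.sport), now=100)
    return out, s1, back, s2, late, s3


if __name__ == "__main__":
    for p, status in zip(demo()[0::2], demo()[1::2]):
        print(status, p)
```

The late reply in `demo()` is the case the post is asking about: once the entry is gone the router has nothing to reverse, and the packet is forwarded with the pool address still in its destination field. On a real ASR the current table, including remaining lifetimes, can be inspected with `show ip nat translations verbose` before and after a suspect reply arrives; 60 seconds is far below the IOS default of 86400 seconds for both timeouts, so any flow that pauses for more than a minute will be in that state.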
12-12-2019 12:40 AM - edited 12-12-2019 12:43 AM
Hello
In theory your ASA is on the outside perimeter of your ASR, so it shouldn't really matter regarding your NAT on the ASR, that is, if the ASA and the upstream firewall are aware of how to route towards the 74.x.x.x VRF subnet via the global RIB.
Can you post a simple topology diagram please? It would make it a lot easier to understand your current setup.
ā12-12-2019 01:06 AM
Hello,
What type/model is the upstream firewall? And if it is an ASA, which IOS version are you running?