Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2643
Views
0
Helpful
9
Replies

NAT ACL counters not incrementing ISR 4331

Jasson
Level 1
Level 1

‎10-24-2017 01:11 AM - edited ‎03-05-2019 09:21 AM

Earlier on 15.0 and 15.1 versions of IOS. When I apply ACL to NAT, counters is incrementing , but on ISR 4331 with IOS 15.5 does not work. If I apply the ACL to the interface, the counter is incrementing, the counter does not increase only with ACLs that are related to NAT

 

I tried two versions of iOS

15.5(3)s4b

15.5(3)s6

The result is the same

 

Using the command: show ip access-lists [list name]

 

Configuration:


IMG_20171023_135403.jpgIMG_20171023_140354.jpg

 

 

 

1 person had this problem
Labels:
0 Helpful
9 Replies 9

Georg Pauwen
VIP
VIP

‎10-24-2017 03:53 AM

Hello, 

 

looking at your screen, and just to be sure it is there, because I do not see it in your configuration: the default route, do you have that configured ?

 

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0

0 Helpful

Jasson
Level 1
Level 1
In response to Georg Pauwen

‎10-24-2017 04:02 AM

Yes, default route is configured:

ip route 0.0.0.0 0.0.0.0 217.20.17.2

0 Helpful

Georg Pauwen
VIP
VIP
In response to Jasson

‎10-24-2017 04:51 AM

Hello,

 

as far as I recall, on the 4000 ISR routers, packet processing now occurs in hardware, so the counters are not incremented.


Try using 'no ip route-cache cef' on the NAT enabled interfaces to see the flows and the counters increase in your access list.

0 Helpful

JassonAXE
Level 1
Level 1
In response to Georg Pauwen

‎10-25-2017 12:20 AM

I tried to apply the command that you wrote

 

Remote Desktop Manager Free [101RT02] 2017-10-25 10.14.12.jpg

 

 

0 Helpful

Georg Pauwen
VIP
VIP
In response to JassonAXE

‎10-25-2017 12:27 AM

Hello,

 

try and disable cef globally:

 

Router(config)#no ip cef

0 Helpful

JassonAXE
Level 1
Level 1
In response to Georg Pauwen

‎10-25-2017 12:39 AM - edited ‎10-25-2017 12:40 AM

4331 - Router

Remote Desktop Manager Free [101RT02] 2017-10-25 10.32.17.jpg

 

 

 

 

 

 

 

2921 - Router

Remote Desktop Manager Free [101RT01] 2017-10-25 10.34.00.jpg

 

 

 

Honestly, I'm a bit confused

 

0 Helpful

Georg Pauwen
VIP
VIP
In response to JassonAXE

‎10-25-2017 01:06 AM

Hello,

 

try disabling dCEF (distributed CEF). What are your options at:

 

Router(config)#no ip ?

0 Helpful

JassonAXE
Level 1
Level 1
In response to Georg Pauwen

‎10-25-2017 01:35 AM

Remote Desktop Manager Free [101RT02] 2017-10-25 11.32.08.jpg

 

 

0 Helpful

Georg Pauwen
VIP
VIP
In response to JassonAXE

‎10-25-2017 04:03 AM

Hello,

 

not sure why this is not working. The architecture of the ISR 43xx is quite different. Usually, you cannot even configure NAT with access list logging...

 

A workaround might be to use the embedded packet capture feature:

 

HOW TO CAPTURE PACKETS ON YOUR CISCO ROUTER WITH EMBEDDED PACKET CAPTURE - CONFIGURATION, TROUBLESHOOTING & DATA EXPORT

 

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/1089-cisco-router-embedded-packet-capture-configuration-usage-troubleshooting-exporting.html

0 Helpful
Customers Also Viewed These Support Documents