Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
5
Helpful
8
Replies

NAT fully works but also not working only for icmp packets

Hamidreza
Level 1
Level 1

‎02-22-2024 06:25 AM - edited ‎02-22-2024 06:27 AM

NAT is fully functional, but it seems to encounter issues specifically with ICMP packets.

Hamidreza_2-1708611890284.png

my configuration:

ip access-list extended NAT-0-0-0
120 permit IP 192.168.1.0 0.0.0.255 any
140 permit icmp 192.168.1.0 0.0.0.255 any

ip nat inside source list NAT-0-0-0 interface GigabitEthernet0/0/0 overload

The clients within the network can successfully browse the internet using TCP and UDP protocols. However, they are unable to ping public IP addresses. I've observed that an entry is created in the NAT table for each client attempting to ping public IP addresses such as 8.8.8.8. Additionally, I've captured the traffic on this router and noticed that while the ping packets are being NATed, the reply packets either cannot be NATed or NAT is not functioning properly for the reply ping packets.

Labels:
8 Replies 8

MHM Cisco World
VIP
VIP

‎02-22-2024 06:28 AM - edited ‎02-22-2024 06:30 AM

show ip nat stat
show ip nat translate 
also if you can debug ip nat

 

share above  when you ping 
MHM

Hamidreza
Level 1
Level 1
In response to MHM Cisco World

‎02-22-2024 06:33 AM

Router#show ip nat stat
Total active translations: 2814 (0 static, 2814 dynamic; 2814 extended)
Outside interfaces:
GigabitEthernet0/0/0
Inside interfaces:
Hits: 16340314256 Misses: 112528872
Expired translations: 112525963
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT-0-0-0 interface GigabitEthernet0/0/0 refcount 57
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 5089 Out-to-in drops: 0
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0

0 Helpful

MHM Cisco World
VIP
VIP
In response to Hamidreza

‎02-22-2024 06:35 AM

and debug if you can 

MHM

0 Helpful

Hamidreza
Level 1
Level 1
In response to MHM Cisco World

‎02-22-2024 06:38 AM - edited ‎02-22-2024 06:41 AM

sorry I can not share debug result, but all traffics can be NATed and I can see Ping packet also can be NATed but the ping replay pakcets can not be NATed (according to packet capture) 

MHM Cisco World
VIP
VIP
In response to Hamidreza

‎02-22-2024 06:42 AM

never mind

there is bug in IOS XE but you must check it if it same as your case or not
ASR1K NAT Intermittently Fails to Translate Some Packets - Cisco

there are two solution (after be sure that it same as your issue) 
MHM

Hamidreza
Level 1
Level 1
In response to MHM Cisco World

‎02-22-2024 06:43 AM

I am currently using this version

Cisco IOS XE Software, Version 17.09.03a

MHM Cisco World
VIP
VIP
In response to Hamidreza

‎02-29-2024 12:43 PM

Can you try modify gatekeeper?

MHM

0 Helpful

Volgash
Level 1
Level 1

‎02-29-2024 01:19 PM - edited ‎02-29-2024 01:33 PM

 

Hi Hamidreza,
Please check if your ICMP packet is blocked in send, receive, or both. Additionally, is there any other device between your network gateway and Internet?
Also, I need.

sh inv
sh ver

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card