02-22-2024 06:25 AM - edited 02-22-2024 06:27 AM
NAT is fully functional, but it seems to encounter issues specifically with ICMP packets.
My configuration:
ip access-list extended NAT-0-0-0
 120 permit ip 192.168.1.0 0.0.0.255 any
 140 permit icmp 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-0-0-0 interface GigabitEthernet0/0/0 overload
The clients within the network can successfully browse the internet using TCP and UDP protocols. However, they are unable to ping public IP addresses. I've observed that an entry is created in the NAT table for each client attempting to ping public IP addresses such as 8.8.8.8. Additionally, I've captured the traffic on this router and noticed that while the ping packets are being NATed, the reply packets either cannot be NATed or NAT is not functioning properly for the reply ping packets.
02-22-2024 06:28 AM - edited 02-22-2024 06:30 AM
show ip nat stat
show ip nat translations
Also, if you can, debug ip nat.
Share the above when you ping.
MHM
02-22-2024 06:33 AM
Router#show ip nat stat
Total active translations: 2814 (0 static, 2814 dynamic; 2814 extended)
Outside interfaces:
GigabitEthernet0/0/0
Inside interfaces:
Hits: 16340314256 Misses: 112528872
Expired translations: 112525963
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT-0-0-0 interface GigabitEthernet0/0/0 refcount 57
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 5089 Out-to-in drops: 0
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
02-22-2024 06:35 AM
And debug if you can.
MHM
02-22-2024 06:38 AM - edited 02-22-2024 06:41 AM
Sorry, I cannot share the debug result, but all traffic can be NATed, and I can see that the ping packets can also be NATed, but the ping reply packets cannot be NATed (according to the packet capture).
02-22-2024 06:42 AM
Never mind.
There is a bug in IOS XE, but you must check whether it is the same as your case or not.
ASR1K NAT Intermittently Fails to Translate Some Packets - Cisco
There are two solutions (after making sure that it is the same as your issue).
MHM
02-22-2024 06:43 AM
I am currently using this version
Cisco IOS XE Software, Version 17.09.03a
02-29-2024 12:43 PM
Can you try modifying the gatekeeper?
MHM
02-29-2024 01:19 PM - edited 02-29-2024 01:33 PM
Hi Hamidreza,
Please check if your ICMP packet is blocked in send, receive, or both. Additionally, is there any other device between your network gateway and the Internet?
Also, I need:
sh inv
sh ver