06-16-2016 05:04 AM - edited 03-05-2019 04:15 AM
Hello!
On a 4300 series router (Cisco 4331) I have encountered a weird issue with NAT.
We had to configure two different NATs (PAT), similar to having two different ISPs. One was used for the internet (usual browsing through the ISP) and one to reach a service of the service provider through MPLS. We used the same configuration as we did on older Cisco routers, using route-maps, defining "match interface" as the destination interface, using "ip nat inside" and "ip nat outside", and configuring NAT (PAT) by using "interface" as the IP address that will be used for PAT. When trying to establish a TCP connection through MPLS -from- the router (telnet <IP> <PORT>), everything works fine, but when trying to establish the same connection from another source (for example a switch) -through- the router, the connection sometimes works and sometimes not; for example: 17 times it works, the 18th attempt does not. The service provider can't really know what the source is, because the SP sees the same source IP (= the router). The configuration on the interfaces is not standard (see below), because we are also using IPsec with GRE and a routing protocol, but in order to avoid any IPsec/routing issues I've added a zone-policy and other configuration so that the new service is reachable from the LAN, too.
We had IOS 15.4(3)S4.
We upgraded IOS to 15.5(3)S2 and we got new issues:
1. Both lines were removed from running-configuration:
ip nat inside source route-map NAT1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT_V4 interface GigabitEthernet0/0/1.4 overload
2. When I tried to add them, I got this issue:
%Overload not allowed: no create flow entry configured
3. When I added the same lines without the keyword "overload", the router did accept them, NAT is working, but show running-configuration and startup-configuration (after copying to startup) show both lines -with- the keyword "overload". After a restart it may happen that both lines will be dropped again... I didn't have the opportunity to verify.
Below is part of the configuration:
zone security INTERNET
zone security V1
zone security V4
class-map type inspect match-any PROTOKOLI
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all SPLOSNO
 match class-map PROTOKOLI
policy-map type inspect PM_V1_V4
 class type inspect SPLOSNO
  inspect
 class class-default
  pass (I also tried "drop")
zone-pair security ZP_V1_V4 source V1 destination V4
 service-policy type inspect PM_V1_V4
interface GigabitEthernet0/0/0
 ip nat outside
 zone-member security INTERNET
 ip virtual-reassembly
 ...
interface GigabitEthernet0/0/1.1
 ip nat inside
 zone-member security V1
 ip tcp adjust-mss 1320
 ip virtual-reassembly
 ...
interface GigabitEthernet0/0/1.4
 ip nat outside
 zone-member security V4
 ip tcp adjust-mss 1320
 ip virtual-reassembly
 ...
interface Vlan1
 no ip address
 shutdown
-> All about Vlan1 was added after upgrade + 2 additional lines
ip nat inside source route-map NAT1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT_V4 interface GigabitEthernet0/0/1.4 overload
route-map NAT_V4 deny 10
 match ip address <standard ACL with IP of router on interface GigabitEthernet0/0/1.4>
(I had also tried to remove this)
route-map NAT_V4 permit 20
 match interface GigabitEthernet0/0/1.4
I also added "match ip address DONAT" to specify source IPs to be NATted
route-map NAT1 deny 5
 match ip address <standard ACL with IP of router on interface GigabitEthernet0/0/0>
!
route-map NAT1 deny 20
 match ip address <extended ACLs with IP address of GRE to exempt NAT for IPsec>
!
route-map NAT1 permit 50
 match interface GigabitEthernet0/0/0
06-16-2016 06:18 AM
Just now I've found we had this command in the configuration:
no ip nat create flow-entries
It looks like that was part of the old configuration. That error (%Overload not allowed: no create flow entry configured) meant just this (why the old IOS didn't have issues, even after a restart, I don't know).
Now the router does accept the NAT configuration with the keyword "overload", so this additional issue is not present any more, but the main issue remains.
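As an added config check (my own script, not something from the thread, from the poster or from Cisco), a small Python lint that flags the combination the follow-up identified: the global "no ip nat create flow-entries" sitting next to "ip nat inside source ... overload" statements, which IOS then rejects with the %Overload not allowed error. It also flags a route-map referenced by a PAT statement that has no permit clause at all. The config excerpt is constructed for the example and the ACL name NAT_V4_SELF is a placeholder.

```python
import re

# Constructed running-config excerpt modelled on the thread (not a real device dump):
# the global "no ip nat create flow-entries" sits next to two PAT statements.
SAMPLE_CONFIG = """\
no ip nat create flow-entries
ip nat inside source route-map NAT1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT_V4 interface GigabitEthernet0/0/1.4 overload
route-map NAT_V4 deny 10
 match ip address NAT_V4_SELF
route-map NAT_V4 permit 20
 match interface GigabitEthernet0/0/1.4
route-map NAT1 permit 50
 match interface GigabitEthernet0/0/0
"""

# "ip nat inside source {route-map NAME | list ACL} interface IFACE overload"
PAT_RE = re.compile(r"^ip nat inside source (route-map|list) (\S+) interface (\S+) overload$")
RMAP_RE = re.compile(r"^route-map (\S+) (permit|deny) \d+$")

def parse_nat(config_text):
    """Return (flow_entries_disabled, pat_statements, route_maps_with_a_permit)."""
    disabled, pats, permits = False, [], set()
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line == "no ip nat create flow-entries":
            disabled = True
        elif (m := PAT_RE.match(line)):
            pats.append((no, m.group(1), m.group(2), m.group(3)))
        elif (m := RMAP_RE.match(line)) and m.group(2) == "permit":
            permits.add(m.group(1))
    return disabled, pats, permits

def lint_nat(config_text):
    """Return findings (strings); an empty list means the PAT setup is consistent."""
    disabled, pats, permits = parse_nat(config_text)
    findings = []
    for no, kind, name, _ in pats:
        if disabled:
            findings.append(f"line {no}: 'overload' is rejected while "
                            "'no ip nat create flow-entries' is configured")
        if kind == "route-map" and name not in permits:
            findings.append(f"line {no}: route-map {name} has no permit clause, "
                            "so it would never translate anything")
    return findings

if __name__ == "__main__":
    for f in lint_nat(SAMPLE_CONFIG):
        print(f)
```

Run it against the output of "show running-config" saved to a file to catch the conflict before a reload drops the PAT lines.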