04-14-2008 05:12 AM - edited 03-03-2019 09:32 PM
Hi,
I have a problem with NAT on my 2611XM router.
After some time in use, I have no access to the outside from the inside; the NAT table (sh ip nat translation) is empty and NAT appears to no longer work. I do not understand what is happening!
The only solution is to reboot the router, once completed, everything is working properly.
Do you have an idea to help solve the problem?
Thx.
04-14-2008 06:16 AM
Would you share your running configuration and the show proc mem and show ver output?
04-14-2008 07:11 AM
My running config :
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RTR-SAGES-001
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 errors
logging console critical
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login vpn_xauth_ml_1 group radius local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip cef
ip tcp synwait-time 10
!
!
ip inspect audit-trail
ip inspect name INSPECT ...
audit-trail on
!
!
ip ips notify SDEE
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
spanning-tree portfast bpduguard
username Admin privilege 15 secret 5 *****
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key *****
dns 10.2.4.3
wins 10.2.4.3
domain vpn.priv
pool Pool_VPN
netmask 255.255.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map CMAP_1 client authentication list vpn_xauth_ml_1
crypto map CMAP_1 isakmp authorization list vpn_group_ml_1
crypto map CMAP_1 client configuration address respond
crypto map CMAP_1 65535 ipsec-isakmp dynamic DYNMAP_1
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Interface WAN
ip address A.B.C.D 255.255.255.248
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect INSPECT out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map CMAP_1
!
interface FastEthernet0/1
description Interface LAN
ip address X.Y.Z.2 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect INSPECT in
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
router rip
version 2
network A.B.C.D
network X.Y.Z
!
ip local pool Pool_VPN 172.20.1.1 172.20.1.50
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip flow-export source FastEthernet0/1
ip flow-export version 5 origin-as
ip flow-export destination 192.168.99.101 2000
!
ip http server
ip http access-class 1
no ip http secure-server
ip nat translation timeout 300
ip nat translation tcp-timeout 30
ip nat translation pptp-timeout 65535
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat translation port-timeout tcp 21 3600
ip nat translation port-timeout tcp 20 3600
ip nat translation max-entries 65535
ip nat translation max-entries host X.Y.Z.40 2048
ip nat pool WEB X.Y.Z.80 X.Y.Z.90 netmask 255.255.255.0
ip nat inside source route-map RouteMAP_1 pool WEB overload
ip nat inside source static 172.18.171.34 X.Y.Z.40
!
logging trap errors
logging 192.168.99.101
access-list 100 remark ACL NAT - Route-MAP 1
*****
access-list 101 remark ACL Outside
****
access-list 102 remark ACL inside
****
access-list 103 remark VTY Access-class list
****
!
snmp-server community **** RO
snmp-server enable traps ....
snmp-server enable traps rtr
no cdp run
route-map RouteMAP_1 permit 1
match ip address 100
04-14-2008 07:13 AM
Sh proc mem :
Processor Pool Total: 112400808 Used: 17107724 Free: 95293084
I/O Pool Total: 8388608 Used: 2043936 Free: 6344672
04-14-2008 07:35 AM
SH VER :
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(5), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Mon 31-Oct-05 20:06 by alnguyen
ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
RTR-SAGES-001 uptime is 8 hours, 29 minutes
System returned to ROM by reload
System image file is "flash:c2600-advsecurityk9-mz.124-5.bin"
Cisco 2611XM (MPC860P) processor (revision 4.1) with 253952K/8192K bytes of memory.
Processor board ID *
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Thx for help !
04-14-2008 11:03 AM
Actually, I was going to suggest it's a memory issue, but it's not; there is enough memory.
So, in order to isolate the problem, let's turn off the ip nat translation timeout commands and see how it goes. If this doesn't work, I think we are going to use some IPsec debug commands, but let's try the NAT timeouts first.
You may accept or ignore my idea; I'm just trying to isolate the problem with you.
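The step suggested in the reply above, as an added example that is not part of the original thread: a small Python helper that lists every NAT timeout override in a saved running configuration and builds the matching `no` commands, leaving the `max-entries` limits untouched. It assumes the `no` form without the trailing value restores the IOS default; the function names and the sample text (copied from the posted configuration) are this example's own.

```python
import re

# Constructed sample: the NAT lines from the configuration posted earlier in the thread.
SAMPLE_CONFIG = """\
ip nat translation timeout 300
ip nat translation tcp-timeout 30
ip nat translation pptp-timeout 65535
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat translation port-timeout tcp 21 3600
ip nat translation port-timeout tcp 20 3600
ip nat translation max-entries 65535
ip nat translation max-entries host X.Y.Z.40 2048
ip nat pool WEB X.Y.Z.80 X.Y.Z.90 netmask 255.255.255.0
"""

# "ip nat translation [<prefix>-]timeout [selector ...] <seconds|never>"
TIMEOUT_RE = re.compile(
    r"^\s*ip nat translation (?P<kind>(?:[a-z]+-)?timeout)"
    r"(?P<selector>(?: \S+)*?) (?P<secs>\d+|never)\s*$"
)


def nat_timeout_overrides(config_text):
    """Return (kind, selector, seconds) for each timeout override found."""
    found = []
    for line in config_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            found.append((m["kind"], m["selector"].strip(), m["secs"]))
    return found


def rollback_commands(config_text):
    """Build the 'no' form of each timeout override (assumed to restore the default)."""
    cmds = []
    for kind, selector, _secs in nat_timeout_overrides(config_text):
        parts = ["no ip nat translation", kind]
        if selector:  # e.g. "tcp 21" for port-timeout entries
            parts.append(selector)
        cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    for kind, selector, secs in nat_timeout_overrides(SAMPLE_CONFIG):
        print("override:", kind, selector, secs)
    print("\n".join(rollback_commands(SAMPLE_CONFIG)))
```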
04-15-2008 01:25 AM
Thx for your help,
I will try to turn off timeout command and we will see what happens !
The crash does not happen immediately, but after several days of use! Which complicates the matter further ...
04-15-2008 01:30 AM
OK, keep it under monitoring and report back to us.