09-06-2017 12:27 PM - edited 03-05-2019 09:05 AM
I am configuring IPsec NAT Transparency to send traffic to a VPN gateway.
I have created two NAT entries to send the IPsec traffic to the VPN gateway:
interface loopback 2
ip address 11.1.1.1 255.255.255.255
ip nat inside source static udp 172.16.222.25 500 interface Loopback2 500
---this works fine
ip nat inside source static udp 172.16.222.25 4500 interface Loopback2 4500
---but this one gives an error:
% Error while creating entry
However, when you do a show ip nat translations, the two created entries appear:
udp 11.1.1.1:500 172.16.222.25:500 --- ---
udp 11.1.1.1:4500 172.16.222.25:4500 --- ---
Is this normal behavior? In the configuration only the line "ip nat inside source static udp 172.16.222.25 500 interface Loopback2 500" appears.
Is it possible that the NAT-traversal entry (4500) is automatically created in this IOS 15.2(4)S2?
09-07-2017 03:17 PM
Hi team,
All suggestions are welcome.
Thanks in advance.
09-07-2017 04:20 PM
Hi,
I do not believe that the router would create a NAT entry for the IPsec NAT-traversal port 4500 just because you enable NAT. It seems more likely that either some NAT entry already existed that conflicted with the static NAT entry you tried to configure, or perhaps port 4500 on the device is already being used - just a guess, as I do not have any firm answer at the moment. I've tested the 15.5XB IOS (I know it's different from yours, but NAT hasn't changed that much, if at all) but I could not reproduce the behavior.
If the problem is reproducible on your device, my suggestion is to attempt to remove the offending entries for the ports 500 and 4500 from the configuration and from the NAT translation table, then run the following debugs:
debug ip nat error
debug ip nat detail
debug ip nat ipsec
and then try configuring the static NAT entries again. I would be very much interested in seeing the debug output.
Thank you!
Best regards,
Peter
09-15-2017 03:16 AM
Hello Peter
Thank you very much for your answer
I have been doing some testing with NAT on a lab router. I have removed all the static NAT and PAT entries;
the NAT table is empty:
LAB#sho ip nat translations
LAB#
Then I try to configure the static NAT for NAT-T:
ip nat inside source static udp 192.168.10.6 4500 loopback 2 4500
and this error occurs:
% Port 4500 is being used by system,
This error is described in bug CSCue25168.
When I configure the static NAT for IKE (this behavior is not described in the bug),
a NAT entry for port 4500 appears in show ip nat translations without that NAT being in the configuration:
LAB#sho run | in nat
ip nat outside
ip nat inside
ip nat inside
ip nat inside source static udp 192.168.10.6 500 interface Loopback2 500
LAB#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 1.1.1.1:500 192.168.10.6:500 --- ---
udp 1.1.1.1:4500 192.168.10.6:4500 --- ---
The only way to remove the port 4500 NAT entry is to restart the router:
LAB(config)#no ip nat inside source static udp 192.168.10.6 4500 loopback 2 4500
%Error while creating entry
LAB(config)#no ip nat inside source static udp 192.168.10.6 500 loopback 2 500
LAB_#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 1.1.1.1:4500 192.168.10.6:4500 --- ---
LAB#sho run | in nat
ip nat outside
ip nat inside
ip nat inside
LAB#
It is a very curious behavior, and I have not found documentation about it. I suppose it is related to bug CSCue25168.
I will try to get access to the lab again to execute the debugs.
Thanks a lot.
Best regards
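The thread's symptom is a translation in `show ip nat translations` that has no matching `ip nat inside source static` line in the running configuration (the UDP/4500 entry that survives even after the port 500 line is removed). The following script is an added example, not code from the thread or from Cisco: it parses the two outputs and reports static translations with no configuring line, so a stale or unexpected mapping shows up in an audit instead of being noticed by accident. The sample config, translation table and the `Loopback2` to `1.1.1.1` interface mapping are constructed to mirror the thread's lab output; the regexes match the normalized running-config form (`interface Loopback2`), not the abbreviated form typed at the CLI.

```python
"""Audit Cisco IOS static NAT translations against the running configuration.

Added example (not from the thread). Flags entries in `show ip nat
translations` that have no `ip nat inside source static` line configuring
them, which is exactly the leftover UDP/4500 entry described in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the thread's "sho run | in nat" output.
SAMPLE_CONFIG = """\
ip nat outside
ip nat inside
ip nat inside
ip nat inside source static udp 192.168.10.6 500 interface Loopback2 500
"""

# Constructed sample modelled on the thread's "sho ip nat translations" output.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 1.1.1.1:500        192.168.10.6:500   ---                ---
udp 1.1.1.1:4500       192.168.10.6:4500  ---                ---
"""

# Assumed interface-to-address mapping (hypothetical; on a real device take it
# from "show ip interface brief").
SAMPLE_IFACE_IPS: Dict[str, str] = {"Loopback2": "1.1.1.1"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Running-config form: "ip nat inside source static udp <lip> <lport> (interface <if> | <gip>) <gport>"
STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp)\s+"
    rf"(?P<local_ip>{IPV4})\s+(?P<local_port>\d+)\s+"
    rf"(?:interface\s+(?P<iface>\S+)|(?P<global_ip>{IPV4}))\s+"
    r"(?P<global_port>\d+)\s*$",
    re.IGNORECASE,
)

# Translation-table row: "udp <gip>:<gport> <lip>:<lport> <outside local> <outside global>"
TRANS_RE = re.compile(
    rf"^(?P<proto>tcp|udp)\s+(?P<gip>{IPV4}):(?P<gport>\d+)\s+"
    rf"(?P<lip>{IPV4}):(?P<lport>\d+)\s+(?P<olocal>\S+)\s+(?P<oglobal>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class StaticEntry:
    proto: str
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int


def parse_static_config(config_text: str, iface_ips: Dict[str, str]) -> List[StaticEntry]:
    """Return the static port mappings declared in the running configuration."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # "ip nat inside/outside" markers and unrelated lines
        if m.group("global_ip"):
            global_ip = m.group("global_ip")
        else:
            iface = m.group("iface")
            if iface not in iface_ips:
                raise ValueError(f"no address known for interface {iface}")
            global_ip = iface_ips[iface]
        entries.append(StaticEntry(m.group("proto").lower(), m.group("local_ip"),
                                   int(m.group("local_port")), global_ip,
                                   int(m.group("global_port"))))
    return entries


def parse_translations(show_text: str) -> List[StaticEntry]:
    """Return the static rows of the translation table (outside columns are '---')."""
    entries = []
    for line in show_text.splitlines():
        m = TRANS_RE.match(line.strip())
        if not m:
            continue  # header row, prompts, blank lines
        if m.group("olocal") != "---" or m.group("oglobal") != "---":
            continue  # an active session with an outside peer, not a static mapping
        entries.append(StaticEntry(m.group("proto").lower(), m.group("lip"),
                                   int(m.group("lport")), m.group("gip"),
                                   int(m.group("gport"))))
    return entries


def find_orphan_translations(config_text: str, show_text: str,
                             iface_ips: Dict[str, str]) -> List[StaticEntry]:
    """Translations present on the device but absent from the configuration."""
    configured = set(parse_static_config(config_text, iface_ips))
    return [t for t in parse_translations(show_text) if t not in configured]


if __name__ == "__main__":
    for orphan in find_orphan_translations(SAMPLE_CONFIG, SAMPLE_TRANSLATIONS, SAMPLE_IFACE_IPS):
        print(f"translation with no config line: {orphan.proto} "
              f"{orphan.global_ip}:{orphan.global_port} -> "
              f"{orphan.local_ip}:{orphan.local_port}")
```

Run against the thread's final state (port 500 line removed, only the 4500 translation left) the report shows the single UDP/4500 row; once both ports are configured, or the table is empty, it reports nothing. Rows with a real outside peer are skipped on purpose, since those are dynamic sessions rather than static mappings.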