
nat stops working after 30 to 60 sec

robert.dorn
Level 1

Hi, I have an 876 router, connected to the Internet and a VPN.

From inside I would like to pass all traffic destined to 192.168.0.0 255.255.255.0 to the VirtualPPP IF and all the other to the Internet (vlan2). I have created this rule, but after applying it works only for about 30 to 60 seconds. After that only the Internet is reachable.

Every time I do a clear ip nat trans * both interfaces will work for 30 to 60 secs again....

I am very confused, please help me.

This is the relevant part of the cfg

ip nat inside source route-map Di1 interface Virtual-PPP1 overload
ip nat inside source route-map VLAN1 interface Vlan2 overload
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 103 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 104 permit ip any 192.168.0.0 0.0.255.255
access-list 104 permit icmp any 192.168.0.0 0.0.255.255
no cdp run
!
route-map Di1 permit 10
 match ip address 104
 match interface Virtual-PPP1
!
route-map VLAN1 permit 10
 match ip address 103
 match interface Vlan2
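
The matching logic of the two NAT route-maps in the post above, as an added example that is not part of the original thread: a small Python model of how ACLs 103/104 (wildcard masks) combined with `match interface` select a NAT statement. The packet addresses and function names are constructed for illustration, and the model assumes `match interface` is compared against the egress interface chosen by routing.

```python
import ipaddress

# ACL entries copied from the post: (action, proto, src, src_wildcard, dst, dst_wildcard)
ACLS = {
    103: [("deny", "ip", "10.10.10.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
          ("permit", "ip", "10.10.10.0", "0.0.0.255", "any", None)],
    104: [("permit", "ip", "any", None, "192.168.0.0", "0.0.255.255"),
          ("permit", "icmp", "any", None, "192.168.0.0", "0.0.255.255")],
}
# "ip nat inside source route-map ..." lines from the post, in configuration order
NAT_RULES = [("Di1", 104, "Virtual-PPP1"), ("VLAN1", 103, "Vlan2")]

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 are ignored, bits set to 0 must match."""
    if base == "any":
        return True
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def acl_action(acl_no, proto, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, p, s, s_wc, d, d_wc in ACLS[acl_no]:
        if p in ("ip", proto) and wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

def select_nat(proto, src, dst, egress):
    """Return the route-map that would translate this flow, or None (no NAT)."""
    for name, acl_no, iface in NAT_RULES:
        if iface == egress and acl_action(acl_no, proto, src, dst) == "permit":
            return name
    return None

if __name__ == "__main__":
    # Constructed sample flows from an inside client (10.10.10.5)
    flows = [("icmp", "10.10.10.5", "192.168.0.10", "Virtual-PPP1"),
             ("icmp", "10.10.10.5", "203.0.113.10", "Vlan2"),
             ("icmp", "10.10.10.5", "192.168.15.1", "Vlan2"),
             ("icmp", "10.10.10.5", "192.168.0.10", "Vlan2")]
    for flow in flows:
        print(flow, "->", select_nat(*flow))
```

The wildcard 0.0.255.255 in both ACLs covers all of 192.168.0.0/16, so 192.168.15.x on Vlan2 also falls inside the range; in this model a flow to 192.168.x.x that leaves via Vlan2 matches neither NAT statement.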

5 Replies

gordonderick
Level 1

I have made a few changes to your config. Have a look and see if this works for you.

!
access-list 103 permit ip any 192.168.0.0 0.0.255.255
access-list 103 permit icmp any 192.168.0.0 0.0.255.255
access-list 104 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 104 permit ip 10.10.10.0 0.0.0.255 any
!
route-map Di1 permit 10
 match ip address 103
 match interface Virtual-PPP1
!
route-map VLAN1 permit 10
 match ip address 104
 match interface Vlan2
!

Thank you very much for your assistance. But sadly the problem persists. I will attach the whole cfg, maybe you can help. Every time I clear the nat trans it works for about 1 minute or so. After that the VPN connection still persists but no nat'ing:

For explanation: VLAN1: local ethernet, 10.10.10.x. VLAN2: next gateway (Internet access), router IP 192.168.15.66, gw is 192.168.15.1. Virtual-PPP1: VPN connection to branch office where 192.168.0.1 - 192.168.0.254 should be accessible.

Already tried different IOS. From IOS, every destination is always accessible...

Hello,

I'm looking at the config and trying to understand what is happening. Before I can come to any conclusion, I'm seeing a basic flaw here. You mentioned: "I have an 876 router, connected to the Internet and a VPN.

From inside I would like to pass all traffic destined to 192.168.0.0 255.255.255.0 to the VirtualPPP IF"

If you see your interface, the interface vlan 2 has got an IP 192.168.15.66/24, so any traffic for 192.168.0.0/24 will be routed out this interface since it is directly connected. Have a look at your routing table. (Post it here if possible)

Even the config "ip route 192.168.0.0 255.255.248.0 Virtual-PPP1" will not be considered.

Let me know.

Hi!

I will attach the route table.

Let me explain: The router has 2 VLANs: 1 is internal (10.10.10.x) and 2 is connected to another router. This is 192.168.15.1 whereas the Cisco has 192.168.15.66 both are

I don't think it is a routing problem: first, I can ping from the IOS console to every destination, every time (Internet and VPN).

Only the client can only ping for about 30 seconds to a VPN destination. Internet works all the time.

I have debugged a bit today. I have a new (clean) config which I will attach, and I have seen that every ping packet correctly arrives at the VPN destination and is echoed. But when debugging IOS with sh ip icmp I see that the destination changes as soon as it stops working. The destination now is the IP address which was given to the 876 by the VPN server...

Thank you very much in advance

Hi Robert,

If you say that the connection drops after 30-60 seconds, I reckon it's something to do with an IOS related bug or a timeout issue. I see that you use pseudowire; could this tunnel be dropping, as it might be traffic based? I'm just thinking aloud.

-Gordon.
