NAT translation failed (A) issue

orddie234
Level 7

Hey all,

So I'm trying to NAT two services over an IPsec tunnel.

<Internet> ----->  <Public IPs> -----> <Router 1> ----->  <tun interface>  -----> <Internet>  -----> <router 2>

Router 1 config

ip nat inside source route-map NoNat interface GigabitEthernet0/0 overload
ip nat inside source static udp 172.16.70.1 5060 <public IP 1 > 5060 extendable
ip nat inside source static udp 172.16.70.19 53 <public IP 2 > 53 extendable
ip nat inside source static tcp 172.16.70.19 80 <public IP 2 > 80 extendable

interface GigabitEthernet0/0
 description Link to network
 ip address <public IP 1 > 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
interface Tunnel10
 bandwidth 1000000
 ip address 10.255.255.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip mtu 1400
 ip nat inside
 ip nhrp authentication Y4a]Nwjg
 ip nhrp map multicast dynamic
 ip nhrp network-id 1006985
 ip nhrp holdtime 600
 ip virtual-reassembly in
 no ip route-cache
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100698
 tunnel protection ipsec profile Orddie
end
route-map NoNat, permit, sequence 10
  Match clauses:
    ip address (access-lists): NO-NAT
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Extended IP access list NO-NAT
    1 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
    2 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
    3 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    100 permit ip any any (183353 matches)
ip route 0.0.0.0 0.0.0.0 <router 1 default gw>
ip route 10.0.3.0 255.255.255.0 10.255.255.2
ip route 172.16.0.0 255.255.0.0 10.255.255.4
ip route 192.168.1.0 255.255.255.0 10.255.255.10

Router 2 config

interface GigabitEthernet0/0.10
 description Data Network
 encapsulation dot1Q 10
 ip address 172.16.10.6 255.255.255.0
interface Tunnel10
 bandwidth 1000
 ip address 10.255.255.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication Y4a]Nwjg
 ip nhrp map multicast dynamic
 ip nhrp map 10.255.255.1 <router 1 public>
 ip nhrp map multicast <router 1 public>
 ip nhrp network-id 1006985
 ip nhrp holdtime 300
 ip nhrp nhs 10.255.255.1
 delay 1000
 tunnel source GigabitEthernet0/0.10
 tunnel mode gre multipoint
 tunnel key 100698
 tunnel protection ipsec profile Orddie
interface GigabitEthernet0/0.70
 description VoIP Interface
 encapsulation dot1Q 70
 ip address 172.16.70.20 255.255.255.0 secondary
 ip address 172.16.70.1 255.255.255.0
 ip policy route-map DataCenterBound

From router 1, I can ping the 172.16.70.19 IP; the NAT for port 80 (going to the same host) works just fine.

Doing a debug on the IP NAT I get the following:

May 26 23:25:48.842: NAT: translation failed (A), dropping packet s=172.16.70.19 d=166.170.31.227


According to THIS LINK I issued ip subnet-zero on R1.

This is still not working

1 Accepted Solution

Accepted Solutions

Excellent, do the simple option and change it to a 1:1 NAT.  Especially if SIP is going to be involved.

I don't believe it will resolve the issue but it is good practice to run "gold star" software releases, and for this reason I would upgrade the 2821 to 15.1.4M10 as well.

https://software.cisco.com/download/release.html?mdfid=279120798&catid=268437899&softwareid=280805680&release=15.1.4M10&relind=AVAILABLE&rellifecycle=MD&reltype=latest


7 Replies

Philip D'Ath
VIP Alumni

What does the route-map DataCenterBound do?

Router 1 config looks good.  Note that router2 must route the reply traffic for NAT through the tunnel.  The traffic flow must be symmetric.

At the moment I can't see anything on router2 which would guarantee the return traffic to go via the tunnel.

hi!

Sorry, this was missed from the initial report.

This is all on router two. The route map is sending the NATted traffic back to the DC. Please keep in mind that the TCP mapping to port 80 on the same server works as expected. When I try the DNS query, I can see the ACL matching as well.

route-map DataCenterBound, permit, sequence 10
  Match clauses:
    ip address (access-lists): DataCenterBound
  Set clauses:
    ip next-hop 10.255.255.1
Nexthop tracking current: 0.0.0.0
10.255.255.1, fib_nh:0,oce:0,status:0

Extended IP access list DataCenterBound
    1 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 (194245 matches)
    2 deny ip 172.16.0.0 0.0.255.255 10.0.3.0 0.0.0.255
    3 deny ip 172.16.0.0 0.0.255.255 10.0.1.0 0.0.0.255 (1430 matches)
    4 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 (3558 matches)
    100 permit tcp host 172.16.70.19 eq www any (333 matches)
    101 permit udp host 172.16.70.19 eq domain any (188 matches)

I believe your configuration is correct with regard to tcp/80 and udp/53.

Does 172.16.70.19 have just the one IP address configured on it?  If it has more than one IP address any chance DNS is responding from a different IP on the same machine?

What are the two router models being used, and what software versions are on them?  You may have hit an IOS bug.

Is <public ip 2> used for anything else?  Could you change this to being a 1:1 NAT (also change the access-list DataCenterBound to match)?

no ip nat inside source static udp 172.16.70.19 53 <public IP 2> 53 extendable
no ip nat inside source static tcp 172.16.70.19 80 <public IP 2 > 80 extendable
ip nat inside source static 172.16.70.19 <public IP 2> extendable

hi!

If I do a full 1:1 NAT everything works.

<public ip 2> is not used for anything else.

The 172.16.70.19 server has a single IP address, and I confirmed I'm able to pull DNS queries via LAN.

Router 1 is as follows

Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 15.1(4)M10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 24-Mar-15 09:50 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

WilkesBarre-3825-01 uptime is 1 week, 1 hour, 27 minutes
System returned to ROM by power-on
System restarted at 13:48:11 EDT Fri May 20 2016
System image file is "flash:c3825-advipservicesk9-mz.151-4.M10.bin"
Last reload type: Normal Reload


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3825 (revision 1.2) with 487424K/36864K bytes of memory.
Processor board ID FTX1223A3XK
2 Gigabit Ethernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO3825             FTX1223A3XK    

Router 2 is as follows

Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(2)T5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 18-Apr-12 12:05 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)

Yrk-2ndFL-2821 uptime is 1 day, 16 hours, 22 minutes
System returned to ROM by reload at 22:54:46 EDT Wed May 25 2016
System restarted at 22:57:24 EDT Wed May 25 2016
System image file is "flash:c2800nm-adventerprisek9-mz.151-2.T5.bin"
Last reload type: Normal Reload

Cisco 2821 (revision 53.51) with 509952K/14336K bytes of memory.
Processor board ID FTX0945A1U5
2 Gigabit Ethernet interfaces
2 Serial interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO2821             FTX0945A1U5     



Configuration register is 0x1

I worked with another staff member and found that the route map / ACL used at Router 1 was causing the issue.  Removed the ip any any and now inbound traffic is working.

I do not want to use 1:1, for I need several services across several servers tied to a single IP.
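Both Philip's question about the return path on router 2 and the OP's finding that the "permit ip any any" entry in NO-NAT on router 1 was the culprit come down to the same thing: which ACL entry a given flow hits. The Python below is an added example for this thread, not code posted by either participant or by Cisco. It parses the two ACLs exactly as pasted above (the "(N matches)" hit counters are stripped), applies Cisco wildcard-mask semantics, and evaluates the DNS reply seen in the debug line (s=172.16.70.19 d=166.170.31.227) against each list. The client's ephemeral port 40000 is a constructed value, since the debug output does not show it, and only the "eq" port operator is implemented.

```python
# Cisco extended-ACL flow evaluator (added example, not from the thread or from Cisco).
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords that appear in the thread's ACLs.
PORT_NAMES = {"www": 80, "domain": 53}


@dataclass
class Ace:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp" or "udp"
    src: int                 # source address as an integer
    src_wild: int            # wildcard mask: 1 bits are "don't care"
    src_port: Optional[int]  # None when no 'eq' operator was given
    dst: int
    dst_wild: int
    dst_port: Optional[int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' (keyword or number) starting at t[i]."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'show ip access-lists' output; the header line and hit counters are ignored."""
    aces = []
    for raw in text.strip().splitlines():
        line = re.sub(r"\s*\(\d+ matches\)\s*$", "", raw.strip())
        if not line or line.startswith("Extended IP access list"):
            continue
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        src, src_wild, i = _parse_addr(t, 3)
        src_port, i = _parse_port(t, i)
        dst, dst_wild, i = _parse_addr(t, i)
        dst_port, _ = _parse_port(t, i)
        aces.append(Ace(seq, action, proto, src, src_wild, src_port, dst, dst_wild, dst_port))
    return aces


def _addr_match(ip: int, addr: int, wild: int) -> bool:
    # Only the bits that are 0 in the wildcard mask have to agree.
    return ((ip ^ addr) & (~wild & 0xFFFFFFFF)) == 0


def evaluate(aces: List[Ace], proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry; ('deny', None) is the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if not _addr_match(s, a.src, a.src_wild) or not _addr_match(d, a.dst, a.dst_wild):
            continue
        if a.src_port is not None and a.src_port != src_port:
            continue
        if a.dst_port is not None and a.dst_port != dst_port:
            continue
        return a.action, a.seq
    return "deny", None


# The two ACLs exactly as pasted in the thread (router 1, then router 2).
NO_NAT_ACL = """
Extended IP access list NO-NAT
    1 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
    2 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
    3 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    100 permit ip any any (183353 matches)
"""

DATACENTER_BOUND_ACL = """
Extended IP access list DataCenterBound
    1 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 (194245 matches)
    2 deny ip 172.16.0.0 0.0.255.255 10.0.3.0 0.0.0.255
    3 deny ip 172.16.0.0 0.0.255.255 10.0.1.0 0.0.0.255 (1430 matches)
    4 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 (3558 matches)
    100 permit tcp host 172.16.70.19 eq www any (333 matches)
    101 permit udp host 172.16.70.19 eq domain any (188 matches)
"""


def dns_reply_decisions(client_port: int = 40000) -> dict:
    """Evaluate the DNS reply from the debug line against both ACLs.
    client_port is a constructed value; the debug output does not show it."""
    flow = ("udp", "172.16.70.19", 53, "166.170.31.227", client_port)
    no_nat = parse_acl(NO_NAT_ACL)
    no_nat_fixed = [a for a in no_nat if a.seq != 100]  # the OP's fix: drop 'permit ip any any'
    return {
        "DataCenterBound": evaluate(parse_acl(DATACENTER_BOUND_ACL), *flow),
        "NO-NAT": evaluate(no_nat, *flow),
        "NO-NAT without seq 100": evaluate(no_nat_fixed, *flow),
    }
```

Calling dns_reply_decisions() shows the reply hitting DataCenterBound seq 101 on router 2, so the route-map sets next-hop 10.255.255.1 and the return traffic does take the tunnel, which answers the symmetry question. On router 1 the same reply hits NO-NAT seq 100 (permit ip any any), and once that entry is removed it falls through to the implicit deny, which matches the OP's observation that dropping it made the static translations work.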

PS. Don't use NAT unless you have to.  If you have to, then use 1:1 as your first choice.  Only if you can't do 1:1 then use PAT (port-based NAT).
