11-18-2011 07:58 AM - edited 03-04-2019 02:19 PM
Hi All,
I'm having a rather bizarre and highly annoying problem with static NAT on an ME6524.
I've created a virtual router (VRF CORPNET) which has one physical L3 interface, one SVI and one Loopback.
This Virtual router has the sole purpose of NATing our internet-addressable IP addresses to another set of addresses on our Corporate WAN.
There are two NAT rules - a single 1-1 Static NAT, and an overload NAT for everything else, which uses the Loopback address.
The 1-1 Static NAT is used to NAT our VPN ASA, which is used to establish a Site-Site VPN to one of our counterparts on the Corporate WAN.
This works fine most of the time, however once or twice a day, the NAT just stops working, our Site-site VPN drops, and traffic is being seen on our counterpart's firewall with source address un-NATed (They see 200.200.200.1, when they should see 30.30.30.65).
When we go onto the 6524 and do a show ip nat translations we get the following (200.200.200.1 is our VPN ASA - 200.200.200.10 is just user traffic):
ZR-BDG1-6524#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 30.30.30.65:500 200.200.200.1:500 30.30.40.4:500 30.30.40.4:500
udp 30.30.30.65:500 200.200.200.1:500 30.30.40.4:500 30.30.40.4:500
udp 30.30.30.65:500 200.200.200.1:500 30.30.40.4:500 30.30.40.4:500
udp 30.30.30.65:4500 200.200.200.1:4500 30.30.40.4:4500 30.30.40.4:4500
--- 30.30.30.65 200.200.200.1 --- ---
tcp 30.30.30.64:4137 200.200.200.10:34924 32.21.11.6:443 32.21.11.6:443
tcp 30.30.30.64:4123 200.200.200.10:47371 32.21.11.6:443 32.21.11.6:443
As you can see, for some reason we have multiple identical PAT entries for port 500.
While this is the case, traffic from our VPN ASA is crossing the box without being NATed.
If I issue a clear ip nat trans * then the situation is immediately resolved, and the VPN reconnects without issue.
Please see sanitised config attached.
Has anyone seen this issue before, or can assist in troubleshooting this problem?
Many thanks in advance.
Nick
11-23-2011 03:07 AM
Update:
Have updated IOS from 12.2(33)SXI5 to SXI8 this morning.
Am currently monitoring the situation.
Nick