11-17-2013 01:04 PM - edited 03-04-2019 09:36 PM
Hi all,
I am experiencing an issue where my Cisco 877 router's ATM interface keeps restarting due to a DHCP lease timeout from my ISP every hour. I resolved this issue by applying an inbound ACL permitting DHCP packets on the ATM interface.
But... The only way I could get this ACL to work was by removing the static 1 to 1 NAT rule forwarding all incoming traffic to my internal firewall.
It seems that I cannot both have an ACL inbound on the ATM and a static 1 to 1 NAT statement to work in conjunction with one another.
If my ISP would allow me to configure my static ip manually on the ATM then I wouldn't have this issue but they will not allow me to do this.
Is this how IOS works? I am running 12.4(24) T8 advanced ip services using a Cisco 877-M router.
Any help appreciated!
Mario
Sent from Cisco Technical Support iPad App
11-17-2013 01:16 PM
Hi,
I don't understand how an inbound ACL permitting DHCP packets would solve lease timeout issues. Can you provide your running config?
Regards
Alain
Don't forget to rate helpful posts.
11-17-2013 01:45 PM
Sure, I will post the config.
What happens is the lease from the ISP is 3400 seconds, 1hr. The router tries to rebind the address every 30 mins. But the router never receives the DHCP reply from the ISP, so the DHCP lease expires and restarts the ATM interface.
As soon as I apply a permit ip any any ACL to the ATM interface, the router receives reply packets from DHCP and the ATM never drops.
Then I add a static NAT rule, and this breaks DHCP replies again despite the permit ip any any ACL.
I will upload my config ASAP.
Mario
Sent from Cisco Technical Support iPad App
11-17-2013 02:15 PM
Hi,
my current router config is attached...
Below is lease info from ISP
router#sh dhcp lease
Temp IP addr: x.x.x.x for peer on Interface: ATM0.1
Temp sub net mask: 255.255.255.0
DHCP Lease server: 78.86.240.1, state: 7 Renewing
DHCP transaction id: 2439
Lease: 3540 secs, Renewal: 1770 secs, Rebind: 3097 secs
Temp default-gateway addr: 46.65.124.1
Next timer fires after: 00:13:39
Retry count: 1 Client-ID: cisco-5898.3517.1ade-AT0.1
Client-ID hex dump: 636973636F2D353839382E333531372E
316164652D4154302E31
Hostname: router
Logs showing ATM flapping because of lease expiration...
*Mar 1 08:44:24.307: %DHCP-5-RESTART: Interface ATM0.1 is being restarted by DHCP
*Mar 1 08:44:31.556: %DHCP-6-ADDRESS_ASSIGN: Interface ATM0.1 assigned DHCP address 46.65.124.89, mask 255.255.255.0, hostname router
*Mar 1 09:43:34.388: %DHCP-5-RESTART: Interface ATM0.1 is being restarted by DHCP
*Mar 1 09:43:41.765: %DHCP-6-ADDRESS_ASSIGN: Interface ATM0.1 assigned DHCP address 46.65.124.89, mask 255.255.255.0, hostname router
As you can see the router cannot complete the renewal because the DHCP packet is not received by the router from the ISP.
As soon as I remove the static NAT ACL, the renewal works OK...
Mario
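The correlation described in the post above (each %DHCP-5-RESTART arriving one full lease after the previous address assignment) can be checked mechanically. This is an added example, not part of the original thread: the sample input is constructed from the `sh dhcp lease` timers and log lines quoted in that post, and the function names and the 30-second tolerance are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: the lease timers and log lines quoted in the post above.
LEASE_OUTPUT = "Lease: 3540 secs, Renewal: 1770 secs, Rebind: 3097 secs"
LOG_LINES = [
    "*Mar 1 08:44:24.307: %DHCP-5-RESTART: Interface ATM0.1 is being restarted by DHCP",
    "*Mar 1 08:44:31.556: %DHCP-6-ADDRESS_ASSIGN: Interface ATM0.1 assigned DHCP address 46.65.124.89, mask 255.255.255.0, hostname router",
    "*Mar 1 09:43:34.388: %DHCP-5-RESTART: Interface ATM0.1 is being restarted by DHCP",
    "*Mar 1 09:43:41.765: %DHCP-6-ADDRESS_ASSIGN: Interface ATM0.1 assigned DHCP address 46.65.124.89, mask 255.255.255.0, hostname router",
]

EVENT_RE = re.compile(
    r"^\*?(\w{3}) +(\d+) (\d\d:\d\d:\d\d)\.\d+: "
    r"%DHCP-\d-(RESTART|ADDRESS_ASSIGN): Interface (\S+)"
)

def lease_seconds(show_output):
    """Pull the lease length out of 'sh dhcp lease' output."""
    m = re.search(r"Lease: (\d+) secs", show_output)
    if m is None:
        raise ValueError("no 'Lease: N secs' field found")
    return int(m.group(1))

def expired_leases(lines, lease, tolerance=30):
    """Return (interface, seconds_held) for each restart that came one full
    lease after the previous address assignment, i.e. no renewal succeeded."""
    last_assign = {}   # interface -> time of most recent ADDRESS_ASSIGN
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m is None:
            continue   # not a DHCP restart/assign message
        mon, day, hms, kind, intf = m.groups()
        # IOS log lines carry no year; a fixed one is enough for deltas.
        ts = datetime.strptime(f"2000 {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        if kind == "ADDRESS_ASSIGN":
            last_assign[intf] = ts
        elif intf in last_assign:
            held = int((ts - last_assign.pop(intf)).total_seconds())
            if abs(held - lease) <= tolerance:   # tolerance is an assumed slack
                hits.append((intf, held))
    return hits

if __name__ == "__main__":
    for intf, held in expired_leases(LOG_LINES, lease_seconds(LEASE_OUTPUT)):
        print(f"{intf}: address held {held}s, lease never renewed")
```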
11-17-2013 01:51 PM
You cannot forward ALL incoming packets if the destination of DHCP packets is the router itself.
Sent from Cisco Technical Support iPad App
11-17-2013 02:01 PM
I thought that too, so what I did is to write NAT ACL statements for specific TCP ports rather than forwarding ALL traffic.
Will it work then if I make NAT statements specific for TCP ports?
Mario