12-11-2012 02:28 PM - edited 03-07-2019 10:32 AM
I've just purchased a new Cisco 881.
I'm using NAT NVI for my inbound static mappings. However, regardless of the fact that the config is saved to nvram, after a reload of the router, the NAT mappings are setup as traditional inside/outside mappings. This means that inbound connections in to the router on the required services fail, until someone logs on to the router and re-applies the NVI mappings.
Why would this be happening?
Here's a sanitised version of my startup-config:
!
! Last configuration change at 20:20:15 UTC Tue Dec 11 2012 by xxx
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 xxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-xxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxx
revocation-check none
rsakeypair TP-self-signed-xxx
!
!
crypto pki certificate chain TP-self-signed-xxx
certificate self-signed 01
xxx
quit
ip gratuitous-arps
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
ip domain list dmz.xxx.local
ip domain list xxx.local
ip domain name dmz.xxx.local
ip name-server 192.168.1.x
ip cef
login block-for 3 attempts 3 within 3
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn xxx
!
!
username admin privilege 15 secret 4 xxx
username joe secret 4 xxx
!
!
!
!
!
ip ssh time-out 60
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat enable
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
!
interface Vlan2
ip address 192.168.0.x 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.2 993 interface FastEthernet4 993
ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.2 25 interface FastEthernet4 25
ip nat source static tcp 192.168.1.2 587 interface FastEthernet4 587
ip nat source static tcp 192.168.1.2 143 interface FastEthernet4 143
ip nat source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
banner motd
Authorized Access only
!
line con 0
exec-timeout 15 0
login authentication local_auth
line aux 0
exec-timeout 15 0
login authentication local_auth
line vty 0 4
access-class 2 in
login authentication local_auth
length 0
transport input all
!
!
end
I'd appreciate any suggestions as to how I can stop this from happening.
Thanks.
12-13-2012 01:44 PM
No one any ideas?
12-13-2012 02:05 PM
Can you give me an idea of topology here? I only see one NAT interface in the config. What do you mean you need to login and re-apply the NAT mappings?
Sent from Cisco Technical Support iPhone App
12-13-2012 02:15 PM
Also just thinking, is there a reason you are using the NVI instead of just using traditional NAT? I have always found the NVI to be somewhat "buggy".
Sent from Cisco Technical Support iPhone App
12-13-2012 02:38 PM
Sorry, the config included in my original post was a little out of date. I've updated the NAT section of the config above with the mappings that I have setup on the router.
The topology is pretty simple: 192.168.1.0/24 Vlan --> Cisco 881 --> ADSL modem --> WAN
192.168.0.0/24 Vlan ----^
WAN from the modem is connected to FE4 on the 881. The 192.168.1.0/24 Vlan is connected to FE1 and FE2.
(FE4 serves as the 192.168.0.0/24 Vlan, to allow access to the configuration interface of the ADSL modem.)
I am using NAT NVI as I believe this is the only method which allows users on the LAN to access services via the WAN IP. E.g. a client on 192.168.1.10 can browse sites which are running on 192.168.1.2 using the WAN IP assigned to FE4. Traditional NAT would not allow me to do this, unless I am mistaken?
The above works great, just not after the router has been reloaded for whatever reason. My old Linksys WAG320N could handle the same kind of NAT configuration, which survived reboots.
12-13-2012 05:35 PM
You are correct about users being able to browse to the WAN IP using only the NVI and not the traditional configuration.
When you reboot the router can you get the output of "show IP NAT translations"
I am thinking that the issue lies in the fact that you haven't designated the LAN ports as NAT enabled as well. I don't know if there is a logical interface on that specific model router for those ports or just the physical ports that can take this command. Either way try to enable NAT on those interfaces, save your config and reboot.
Sent from Cisco Technical Support iPhone App
12-13-2012 11:28 PM
Thanks for the suggestion Elton.
Unfortunately, I believe the LAN ports on this router are layer 2 only, thus they will not take `ip nat` configuration:
Router1(config-if)#ip nat enable
^
% Invalid input detected at '^' marker.
Router1(config-if)#ip ?
Interface IP configuration subcommands:
address Set the IP address of an interface
admission Apply Network Admission Control
auth-proxy Apply authentication proxy
ddns Configure dynamic DNS
device IP device tracking
dhcp Configure DHCP parameters for this interface
igmp IGMP interface commands
rsvp RSVP Interface Commands
vrf VPN Routing/Forwarding parameters on the interface
Here's the result of `show IP NAT translations` as requested:
Router1#show ip nat translations | include ---
tcp 188.222.181.173:25 192.168.1.2:25 --- ---
tcp 188.222.181.173:80 192.168.1.2:80 --- ---
tcp 188.222.181.173:143 192.168.1.2:143 --- ---
tcp 188.222.181.173:443 192.168.1.2:443 --- ---
tcp 188.222.181.173:587 192.168.1.2:587 --- ---
tcp 188.222.181.173:993 192.168.1.2:993 --- ---
tcp 188.222.181.173:1723 192.168.1.2:1723 --- ---
Router1#
As the rules are setup as NVI type rules, they should not be showing up in the command above, instead they should show up in return to the following command:
Router1#show ip nat nvi translations
Router1#
Any ideas why this would happen?
12-14-2012 05:30 AM
I am not totally familiar with this model router but is there a logical interface on the router for your LAN side?
For example I know on the 831s there are interfaces such as E1, E2, that represent a group of your ports.
If not I wonder if you can apply the NAT enable statement to the VLAN 1 interface as that seems to be your logical inside interface.
Let me know if that works.
Sent from Cisco Technical Support iPhone App
12-28-2012 09:17 AM
Elton, thanks for the continued input and I'm sorry for the delay in replying.
The grouped interfaces that you mention are not available, as far as I can tell, on the 881/891s at least. You'll notice from the configuration which I provided in my original post that I do already have `ip nat enable` on both the WAN (FE4) and the LAN (VLAN1) interfaces. The issue lies more with the configuration of these rules at boot up - once the rules have been manually applied after boot, NAT works fine; however I shouldn't need to do this if the router restarts. This will cause a great deal of inconvenience if the router restarts whilst we are out of the office, leaving us with no access to resources on the LAN in the office until someone physically goes over to the office, consoles in to the router and re-applies the NAT rules.
The only progress that I have been able to make with this issue is that I seem to have narrowed down the problem to the WAN IP address being acquired via DHCP as opposed to statically assigned. If the WAN interface is configured with a fictional static address, after a reload the NAT NVI rules are setup correctly. The problem is my IP is sent from the ISP via DHCP. Any suggestions how I can work around this? I'm unable to firm up a price from my suppliers to obtain a SmartNet contract to allow me to access TAC.
Also, I have managed to obtain an 891 router from my supplier and this unit demonstrates the same behaviour as above.
12-28-2012 09:35 AM
Weird that it would work with a static IP configured.
Your NAT statements do point to the actual physical port and not the external IP so that shouldn't be a problem. This is what I do on my routers.
I am wondering if you can do 1 ACL for your Inside to Outside NATing.
Such as:
no ip nat source list 1 interface FastEthernet4 overload
no ip nat source list 2 interface FastEthernet4 overload
ip access-list standard FOR_NAT
permit 192.168.0.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
ip nat source list FOR_NAT interface FastEthernet4 overload
Maybe the router only wants to see 1 inside to outside NAT statement instead of 2.
Another thing you could consider is if this external IP has an external DNS name that users connect to, you could ditch the NVI configuration and use an internal DNS server to point your internal users to the local IP addresses of the server using the external DNS name. This is very common practice.
Let me know how it works out.
Elton
01-02-2013 07:36 AM
Any luck on this? I'm having the exact same issue on an 1841 with IOS 15.1 and almost the exact same configuration. Show ip nat trans shows the port-based NVIs at startup rather than under show ip nat nvi trans. That is until I manually re-enter them into the config, at which point they show up under show ip nat nvi trans and it starts working again. Very weird.
01-02-2013 07:41 AM
I'm running version 15 on my 1841 at home using NVI instead of traditional NAT configuration. Seems to be working fine for me but I haven't done any port forwarding currently.
Is that where your issue lies, with the forwarded ports, or is all NAT not working after a reload? If it is the port forwards, I'll go ahead and set one up and do a reload to see if it sticks. Sounds like this could be a bug.
I'll have to check my exact version when I get home. What exact software code are you running on your 1841?
Elton
01-02-2013 08:15 AM
Everything works fine until I reload. The PAT overload continues to work fine (Internet access continues to work), however my static ports stop working and show up as standard nat rather than nvi nat in the show ip nat commands. If I retype the static pat lines, all works again.
I'm running Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.1(3)T4, RELEASE SOFTWARE (fc1)
NAT LINES IN QUESTION:
ip nat source static tcp 192.168.168.50 8123 interface FastEthernet0/1 8123
ip nat source static tcp 192.168.168.50 25565 interface FastEthernet0/1 25565
ip nat source static tcp 192.168.168.50 80 interface FastEthernet0/1 80
ip nat source static tcp 192.168.168.55 3074 interface FastEthernet0/1 3074
ip nat source static udp 192.168.168.55 3074 interface FastEthernet0/1 3074
ip nat source static udp 192.168.168.55 88 interface FastEthernet0/1 88
ip nat source route-map ISP1_NAT interface FastEthernet0/1 overload
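Both the 881 post above (the `show ip nat translations | include ---` output alongside an empty `show ip nat nvi translations`) and this 1841 post describe the same symptom: static `ip nat source static` entries that should live in the NVI table appear in the legacy NAT table after a reload. The following is an added example, not code from the thread or from Cisco, that turns that observation into an automated post-reload check. It parses the `ip nat source static` lines from a saved running-config, parses both translation tables (the legacy and NVI tables share the column layout `Pro <global>:<port> <local>:<port> <dest-local> <dest-global>`, with static entries showing `---` in the last two columns), and reports which configured mappings have fallen back to legacy NAT. The sample config and legacy table are copied from the 881 post; the "healthy" NVI table is constructed on the assumption that a correctly applied NVI entry is printed with the same columns.

```python
import re

# Running-config NAT section from the 881 post in this thread.
RUNNING_CONFIG = """\
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.2 993 interface FastEthernet4 993
ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.2 25 interface FastEthernet4 25
ip nat source static tcp 192.168.1.2 587 interface FastEthernet4 587
ip nat source static tcp 192.168.1.2 143 interface FastEthernet4 143
ip nat source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
"""

# 'show ip nat translations | include ---' captured after the reload (from the thread).
LEGACY_TABLE_AFTER_RELOAD = """\
tcp 188.222.181.173:25 192.168.1.2:25 --- ---
tcp 188.222.181.173:80 192.168.1.2:80 --- ---
tcp 188.222.181.173:143 192.168.1.2:143 --- ---
tcp 188.222.181.173:443 192.168.1.2:443 --- ---
tcp 188.222.181.173:587 192.168.1.2:587 --- ---
tcp 188.222.181.173:993 192.168.1.2:993 --- ---
tcp 188.222.181.173:1723 192.168.1.2:1723 --- ---
"""

# 'show ip nat nvi translations' after the reload was empty (from the thread).
NVI_TABLE_AFTER_RELOAD = ""

# Constructed: what the NVI table is assumed to look like once the static
# entries have been re-applied (same columns as the legacy table).
NVI_TABLE_HEALTHY = LEGACY_TABLE_AFTER_RELOAD

STATIC_RE = re.compile(
    r"^ip nat source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
TRANS_RE = re.compile(
    r"^(tcp|udp)\s+[^\s:]+:(\d+)\s+([^\s:]+):(\d+)\s+(\S+)\s+(\S+)")


def parse_static_mappings(config):
    """Map (proto, local_ip, local_port) -> the config line that creates it."""
    mappings = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, local_ip, local_port, _ifname, _global_port = m.groups()
            mappings[(proto, local_ip, int(local_port))] = line.strip()
    return mappings


def parse_static_translations(table):
    """Return the (proto, local_ip, local_port) of every static entry.

    Static entries are recognised by '---' in the destination columns, which
    is exactly what the thread filtered on with '| include ---'.
    """
    found = set()
    for line in table.splitlines():
        m = TRANS_RE.match(line.strip())
        if m and m.group(5) == "---" and m.group(6) == "---":
            found.add((m.group(1), m.group(3), int(m.group(4))))
    return found


def check_nvi_mappings(config, nvi_table, legacy_table):
    """Classify each configured static NVI mapping by where it actually landed."""
    expected = parse_static_mappings(config)
    in_nvi = parse_static_translations(nvi_table)
    in_legacy = parse_static_translations(legacy_table)
    keys = set(expected)
    fell_back = keys & (in_legacy - in_nvi)
    return {
        "ok": sorted(keys & in_nvi),
        "fell_back_to_legacy": sorted(fell_back),
        "missing": sorted(keys - in_nvi - in_legacy),
        # Config lines an operator would have to re-enter to restore NVI behaviour.
        "reapply": [expected[k] for k in sorted(fell_back)],
    }


if __name__ == "__main__":
    report = check_nvi_mappings(RUNNING_CONFIG, NVI_TABLE_AFTER_RELOAD,
                                LEGACY_TABLE_AFTER_RELOAD)
    for key in ("ok", "fell_back_to_legacy", "missing"):
        print(f"{key}: {len(report[key])}")
    for line in report["reapply"]:
        print("re-enter:", line)
```

Run against the post-reload captures, every one of the seven mappings lands in `fell_back_to_legacy` and the `reapply` list is the exact set of config lines the original poster has to type back in; run against the constructed healthy NVI table, all seven come back as `ok`. The same check applies unchanged to the 1841 lines in this post, since they use the same `ip nat source static` syntax.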
01-02-2013 08:20 AM
I'll check my router when I get home and configure a quick static port and do a reload to see how it works.
I just recently upgraded to ver. 15 over the weekend so I haven't had much time to play with it on the router.
Elton
01-02-2013 06:28 PM
Hey guys,
I just confirmed that my 1841 router has issues keeping the static NVI mappings after a reload. The entries showed up in NAT translations and not the NVI translations.
I am running 15.1 as well.
I honestly have no idea how to fix this. It is configured via the documentation from Cisco and yet still doesn't work after reload. I seem to remember having the same issue a while back on my 831 router running a version of 12.4.
If either of you have any Cisco Agreements you should open a TAC case for this. Update if they come up with a solution.
Elton
Sent from Cisco Technical Support iPhone App