12-11-2012 02:28 PM - edited 03-07-2019 10:32 AM
I've just purchased a new Cisco 881.
I'm using NAT NVI for my inbound static mappings. However, regardless of the fact that the config is saved to nvram, after a reload of the router, the NAT mappings are set up as traditional inside/outside mappings. This means that inbound connections into the router on the required services fail, until someone logs on to the router and re-applies the NVI mappings.
Why would this be happening?
Here's a sanitised version of my startup-config:
!
! Last configuration change at 20:20:15 UTC Tue Dec 11 2012 by xxx
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 xxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-xxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxx
revocation-check none
rsakeypair TP-self-signed-xxx
!
!
crypto pki certificate chain TP-self-signed-xxx
certificate self-signed 01
xxx
quit
ip gratuitous-arps
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
ip domain list dmz.xxx.local
ip domain list xxx.local
ip domain name dmz.xxx.local
ip name-server 192.168.1.x
ip cef
login block-for 3 attempts 3 within 3
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn xxx
!
!
username admin privilege 15 secret 4 xxx
username joe secret 4 xxx
!
!
!
!
!
ip ssh time-out 60
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat enable
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
!
interface Vlan2
ip address 192.168.0.x 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 2 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.2 993 interface FastEthernet4 993
ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat source static tcp 192.168.1.2 25 interface FastEthernet4 25
ip nat source static tcp 192.168.1.2 587 interface FastEthernet4 587
ip nat source static tcp 192.168.1.2 143 interface FastEthernet4 143
ip nat source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
banner motd
Authorized Access only
!
line con 0
exec-timeout 15 0
login authentication local_auth
line aux 0
exec-timeout 15 0
login authentication local_auth
line vty 0 4
access-class 2 in
login authentication local_auth
length 0
transport input all
!
!
end
I'd appreciate any suggestions as to how I can stop this from happening.
Thanks.
01-04-2013 08:05 AM
I've been working with TAC for 2 days now. Still no luck. They said that NVI translation is only for VRF to VRF, not for use in global, so it's not supported that way. In other words, they won't look into the bug. So I put everything into VRFs, but now I'm having issues with the static port-based NAT statements. If you use an interface-based one like we have here, you can't specify a VRF in the command.
It's getting kind of ridiculous.
01-04-2013 05:51 PM
Wish I could help with that one but I've never done anything with VRF. I think I'm going to move off of NVI on my router as it seems to cause some performance issues on NATed traffic.
Elton
Sent from Cisco Technical Support iPhone App
01-07-2013 10:19 AM
Apparently the issue is related to me using DHCP from my ISP. So when the router reboots, whatever propagates the NAT table doesn't find an outside IP address assigned yet and--BUGGED. TAC was unable to come up with another solution. It doesn't look like it will be fixed any time soon since NVI isn't supported in the global VRF anyway. I found some info here as well: http://tech.jocke.no/2010/09/24/cisco-ios-nat-virtual-interface/.
I'm using the following as a workaround until I can get a static address from my ISP, see this bug fixed, or come up with something else (don't laugh):
event manager applet DHCP_ADDRESS_CHANGE
event syslog pattern "FastEthernet0/1 assigned DHCP address"
action 100 syslog msg "FIXING NVI NAT"
action 125 cli command "enable"
action 150 cli command "config t"
action 200 cli command "ip nat source static tcp 192.168.168.50 8123 interface FastEthernet0/1 8123"
action 201 cli command "ip nat source static tcp 192.168.168.50 80 interface FastEthernet0/1 80"
action 202 cli command "ip nat source static tcp 192.168.168.55 3074 interface FastEthernet0/1 3074"
action 203 cli command "ip nat source static udp 192.168.168.55 3074 interface FastEthernet0/1 3074"
action 204 cli command "ip nat source static udp 192.168.168.55 88 interface FastEthernet0/1 88"
action 205 cli command "ip nat source static tcp 192.168.168.50 25565 interface FastEthernet0/1 25565"
It works 100% of the time, and disgusts me every time. ;-)
Sean
01-10-2015 08:24 AM
Holy F-ing bug, Batman!
Cisco REALLY, needs to fix this. It's still around!
I had this happen to me across 3 different routers (887, 1841, 2821) where I "upgraded" to using NVI, and the end result is random web services stop working at different points in time whenever that particular router rebooted.
Anyway, I also really like the NAT hairpinning feature of using NVI, however using NVI also reduces performance. I am curious to know if you ever found out how to perform NAT hairpinning using traditional NAT statements and route-maps as you said in a previous post.
The only other way I can see NAT Hairpinning functioning is with workarounds for this NVI bug:
1. The workaround using a TCL script, like sklic just posted.
2. Placing everything related to the internet interface in a fake_global VRF, because that makes sense to Cisco.
08-11-2018 10:36 PM
I have this issue also...
:/
01-07-2013 01:27 PM
Thanks for the update Sean.
I moved away from NVI this weekend and saw a huge speed increase on routed packets.
Using the NVI I was getting around 4.5MBs and after I switched back to traditional NAT I was seeing between 17-20MBs.
Elton
Sent from Cisco Technical Support iPhone App
01-07-2013 02:06 PM
I would love to do the same, however I'm relying on the hairpin-NAT feature of NVI. I've heard that you can use traditional NAT and hairpin it using loopbacks and route-maps, but I've never seen the actual code.
02-28-2013 12:40 PM
Same problem here. When I reboot my 1721 the static NVI entries are loaded as traditional NAT entries:
"show ip nat nvi translations" does not display the entries.
"show ip nat translations" displays the entries.
I use the no version of the commands and re-enter them again, and all works fine again.
Why do I use NVI? Because I do not limit myself to only one outside interface. I wrote a small tutorial where NVI is useful, http://www.angelcool.net/tutorials/cisco/WebDevelopmentNetwork_NVI.pdf . Anyhow, my router:
router#
router#show ver
Cisco IOS Software, C1700 Software (C1700-ADVENTERPRISEK9-M), Version 12.4(7), RELEASE SOFTWARE (fc6)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 01-Mar-06 08:15 by alnguyen
ROM: System Bootstrap, Version 12.2(7r)XM5, RELEASE SOFTWARE (fc1)
router uptime is 5 hours, 37 minutes
System returned to ROM by reload
System image file is "flash:c1700-adventerprisek9-mz.124-7.bin"
01-12-2015 03:01 PM
Hi, I based myself on sklic's code to read and re-enter the existing configuration as soon as the network interface state changes. This is an EEM script, so you have to copy it and "install" it in your router.
It's almost as if it's a patch to the bug. You just have to configure the phrase to trigger the script from the Cisco syslog. This phrase is what your router prints when you want the NAT statements to be re-entered.
With this script enabled and configured, "port forwarding" configured using the ip nat enable command will work across reboots and interface flapping.
You can tell this is happening to you if you have ip nat source static ... statements visible in the output of show ip nat translations.
The script is available here:
https://github.com/vittorio88/cisco-scripts/blob/master/fix_nvi.tcl
Save it, and copy it to the router. Look inside the file for how to configure IOS to use the script.
Good Luck!
-Vittorio
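The symptom test from the posts above (statics visible in "show ip nat translations" instead of "show ip nat nvi translations", fixed by "no"-ing and re-entering them) can be automated against captured router output. The following is an added example, not code from this thread or from Vittorio's script; the table output and the 203.0.113.10 outside address are constructed, and the mappings are the original poster's.

```python
import re

# Constructed sample input: the OP's NVI static mappings as they appear in the config.
CONFIG = """\
ip nat source static tcp 192.168.1.2 993 interface FastEthernet4 993
ip nat source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat source static tcp 192.168.1.2 443 interface FastEthernet4 443
"""
# Constructed 'show ip nat translations' (traditional table) after a reload:
# two statics landed here, which is the symptom the thread describes.
SHOW_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:993   192.168.1.2:993    ---                ---
tcp 203.0.113.10:80    192.168.1.2:80     ---                ---
"""
# Constructed 'show ip nat nvi translations' (NVI table): only one mapping is where it belongs.
SHOW_NVI = """\
Pro Source global      Source local       Destin  local      Destin  global
tcp 203.0.113.10:443   192.168.1.2:443    ---                ---
"""

STATIC_RE = re.compile(r"^ip nat source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$", re.M)
# Table rows: protocol, global ip:port, local ip:port (the remaining columns are ignored).
ENTRY_RE = re.compile(r"^(tcp|udp)\s+\S+:(\d+)\s+(\S+):(\d+)", re.M)

def configured_statics(config):
    """Map (proto, local_ip, local_port) -> the full 'ip nat source static' line."""
    return {(m.group(1), m.group(2), int(m.group(3))): m.group(0)
            for m in STATIC_RE.finditer(config)}

def table_entries(show_output):
    """Return the set of (proto, local_ip, local_port) present in a translation table."""
    return {(m.group(1), m.group(3), int(m.group(4))) for m in ENTRY_RE.finditer(show_output)}

def check_nvi_statics(config, show_nat, show_nvi):
    """Classify each configured static as ok (NVI table), misloaded (traditional table) or missing."""
    in_nat, in_nvi = table_entries(show_nat), table_entries(show_nvi)
    result = {"ok": set(), "misloaded": set(), "missing": set()}
    for key in configured_statics(config):
        state = "ok" if key in in_nvi else "misloaded" if key in in_nat else "missing"
        result[state].add(key)
    return result

def remediation_commands(config, misloaded):
    """Re-enter each misloaded mapping the way the thread does: 'no' it, then add it back."""
    lines = configured_statics(config)
    cmds = []
    for key in sorted(misloaded, key=lambda k: k[2]):
        cmds += ["no " + lines[key], lines[key]]
    return cmds
```

Feed it the real config and both show outputs and the returned command list is exactly what the thread's EEM workarounds re-apply by hand.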