Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1894
Views
0
Helpful
8
Replies

Intermittent NAT Translation Failures. Please help

blazelewis
Level 1
Level 1

‎02-01-2006 03:00 PM - edited ‎03-05-2019 11:46 AM

Hello, I have a complex NAT setup where I have 2 Interfaces on a Cisco 3600. Both of these Interfaces are FastE. I will refer to them as

Fast 0/0 (External) - External IP's

Fast 1/0 (Internal) - Internal IP's

I have MANY subnets on Fast 1/0 and have NAT access lists to route internal subnets to a certain external *overloaded* IP address. We use this to make it a little easier to find out where traffic comes from if required.

We are having issues with this, where we find that customers (Randomly) will just loose connection to the Internet. They are on trusted private IP addresses and others on that same subnet leg will not have issues at the same time. Even though some of the people will possibly have the issue not long after.

The only "fix" we have found is to remove the customers firewall(just a junk linksys), place a laptop on the Internet connection (laptop still doesn't work at this point), then click repair on the Laptop. Everything works from there on, atleast until next time.... I realize what I'm saying makes no sense, but it seems to be the only thing that fixes it. I have attached a dump of the 3600's configuration, CPU stats, NAT stats, and other relevant stats so you can maybe help!!

Thank you in advance!

Blaze Lewis

Labels:
7756-ciscocapture.txt
Preview file
409 KB
0 Helpful
8 Replies 8

pkhatri
Level 11
Level 11

‎02-01-2006 04:21 PM

Hi,

One very obvious thing I see is that your TCP timeout is set way too low...2500 seconds. That is only around 41 minutes... I suspect that is what is potentially causing your problems. I would wind it up to something like 10 hours (to roughly cover a working day). Set it to:

ip nat translation tcp-timeout 36000

Hope that helps - pls rate the post if it does.

Paresh

0 Helpful

groupcisco
Level 1
Level 1

‎02-01-2006 09:59 PM

Please go through th4e output interpreter output for ur show tech, at teh end he says something about the NAT translations.

Also please let me know whether the computer has an IP address and can ping till router when they are facing the issue.

Thanks,

Naveen B

7757-nat.txt
Preview file
59 KB
0 Helpful

blazelewis
Level 1
Level 1

‎02-02-2006 03:10 PM

I have made some changes. I'm not sure what the errors you posted about the NAT mean. Can I get to the Interpreter that you used to make english out of my tech dump? I am using overloading, does it look like it's setup correctly? Here is my new tech-dump

Thank you again in advance!

Blaze

7758-ciscocapture2.TXT
Preview file
299 KB
0 Helpful

pkhatri
Level 11
Level 11
In response to blazelewis

‎02-02-2006 03:51 PM

Hi Blaze,

Your config looks fine. Did increasing the TCP timeout make a difference ?

When the problem occurs again, would you be able to get the output of 'sh ip nat translations' as well as the IP address of the affected PC ? That may give more of a clue as to what is wrong...

Paresh

0 Helpful

blazelewis
Level 1
Level 1
In response to pkhatri

‎02-02-2006 11:04 PM

I'm not sure about the timeout yet and the timeout isn't proven to fix the issue. Will let you know as soon as I can tell. Ther are still issues, but I think it's customer related. Here is the stat dump you requested!

Thanks Again!!

Blaze

7759-IPNat Stat 2-2-06.txt
Preview file
40 KB
0 Helpful

groupcisco
Level 1
Level 1
In response to blazelewis

‎02-02-2006 10:42 PM

Hi,

You need a CCO ID to check the output interpreter. The link is https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl

Also one more thing i observed in your configuration. You have so many secondary IP addresses on the outside interfae in the same subnet, which i dont think is required. The NAT should work and as the subnet is mentioned in the NAT pool it should work even if you remove it. You can try it for one and test it before doing it for all. I dont know whether this would be of any help.

thanks,

Naveen B

0 Helpful

blazelewis
Level 1
Level 1
In response to groupcisco

‎02-02-2006 10:48 PM

I am using the ACL to send certain Subnets to certain external IP addresses. This is for future ease of finding customers with issues. Atleast we know what subnet to look at.

Just to verify, Cisco allows to send an internal subnet to an external interface of you choosing?

Right?

Thanks again!

Blaze

0 Helpful

pkhatri
Level 11
Level 11
In response to blazelewis

‎02-02-2006 11:55 PM

Yes, there is no problem with doing that.

Regarding the stats dump you sent me, what was the IP address of the PC experiencing problems at that point ?

Paresh

0 Helpful
Top