02-19-2019 08:12 AM - edited 03-08-2019 05:23 PM
Team
I have some issues with a PAT on a Cisco ISR4331. The PAT is changing the port # to a lower port from inside local to inside global, and that is causing the traffic not to pass correctly; I can only ping from source to destination but nothing else.
Actual configuration :
------------------------------------
interface GigabitEthernet0/0/0
description LAN
ip address 10.84.248.242 255.255.255.252
ip nat outside
-----------------------
ip nat pool hide-nat 10.84.248.242 10.84.248.242 netmask 255.255.255.252
ip nat inside source list 1 pool hide-nat overload
-----------------------
access-list 1 permit 20.136.39.32 0.0.0.7
-----------------------
Results: inside local port 56986 changing to global port 1026
sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.84.248.242:1026 20.136.39.34:56986 162.246.77.1:443 162.246.77.1:443
icmp 10.84.248.242:1 20.136.39.34:1 162.246.78.171:1 162.246.78.171:1
tcp 10.84.248.242:1024 20.136.39.34:56849 162.246.78.171:443 162.246.78.171:443
tcp 10.84.248.242:1025 20.136.39.34:56878 162.246.78.171:443 162.246.78.171:443
udp 10.84.248.242:1024 20.136.39.34:1483 162.246.78.174:4172 162.246.78.174:4172
udp 10.84.248.242:1025 20.136.39.34:50002 162.246.77.11:4172 162.246.77.11:4172
Total number of translations: 6
Now if I change to a 1 to 1 static PAT then the port is not changing and all the traffic passes with no issues, as follows:
------------------------------------------------
ip nat inside source static 20.136.39.34 10.84.248.242
------------------------------------------------
Results
sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 10.84.248.242 20.136.39.34 --- ---
tcp 10.84.248.242:56963 20.136.39.34:56963 162.246.78.171:443 162.246.78.171:443
tcp 10.84.248.242:57092 20.136.39.34:57092 162.246.77.1:443 162.246.77.1:443
tcp 10.84.248.242:57089 20.136.39.34:57089 162.246.77.1:443 162.246.77.1:443
tcp 10.84.248.242:56964 20.136.39.34:56964 162.246.77.1:443 162.246.77.1:443
tcp 10.84.248.242:57070 20.136.39.34:57070 162.246.77.1:443 162.246.77.1:443
tcp 10.84.248.242:57095 20.136.39.34:57095 162.246.77.11:4172 162.246.77.11:4172
tcp 10.84.248.242:57093 20.136.39.34:57093 162.246.77.1:443 162.246.77.1:443
------------------------------------------------------
The issue is that I have 2 source IPs, so I cannot use 1 to 1.
I have the same configuration on a Cisco 2600 and it is working correctly, not changing the port.
Have you seen something like this on an ISR? Could it be a bug?
The actual IOS is isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin
Thank you so much in advance
03-22-2019 04:28 PM
Finally I got the answer: it is a bug on the IOS-XE.
I was able to confirm from engineering that there was a change in behavior (code wise) where starting in 15.5(3)S5 and above, it should preserve the port. According to them, this was tracked under “bug” ID of CSCva10214 which is only internally visible.
Nonetheless, they state it’s “fixed” in the following trains/versions:
16.9.X
16.6.X
16.5.1
16.3.3+
15.5(3)S5+
15.4(3)S7+
Since you are on version 15.5(3)S4b, you should consider upgrading to the newer release in the train which is currently 15.5(3)S9 (just released today) or move to a different train such as 16.6.5, etc:
https://software.cisco.com/download/home/285018115/type/282046477/release/3.16.9S
After upgrading, this should preserve the source port #'s.
02-19-2019 09:55 AM
Hi,
You seem to be using the same IP address for both the starting and the end.
10.84.248.242 10.84.248.242
HTH
02-20-2019 08:56 AM
Reza Sharif, that is correct, that is my pool; I am doing PAT. The point is why it is changing the port #.
Thank you
02-20-2019 09:04 AM
That is how PAT works, i.e. it changes the source port to a different port.
Jon
02-21-2019 06:49 AM
Thank you!
But it is strange, because I have the same PAT configuration on 5 C3825 routers (c3825-advipservicesk9-mz.124-15.T10.bin) and they are not changing the port #; they keep the same port. Just this ISR4331 is changing the port with the same config.
C3825 config:
interface GigabitEthernet0/0
ip address 10.54.254.18 255.255.255.252
ip nat outside
-------------------------------------------------
ip nat pool hide-nat 10.54.254.18 10.54.254.18 netmask 255.255.255.252
ip nat inside source list 1 pool hide-nat overload
-------------------------------------------------
access-list 1 permit 20.136.39.32 0.0.0.7
-------------------------------------------------
Pro Inside global Inside local Outside local Outside global
tcp 10.54.254.18:50819 20.136.39.34:50819 162.246.77.11:8443 162.246.77.11:8443
tcp 10.54.254.18:51914 20.136.39.34:51914 162.246.78.174:8443 162.246.78.174:8443
tcp 10.54.254.18:52278 20.136.39.34:52278 162.246.78.174:8443 162.246.78.174:8443
tcp 10.54.254.18:53387 20.136.39.34:53387 162.246.78.174:8443 162.246.78.174:8443
tcp 10.54.254.18:53453 20.136.39.34:53453 162.246.78.174:8443 162.246.78.174:8443
tcp 10.54.254.18:54326 20.136.39.34:54326 162.246.77.11:8443 162.246.77.11:8443
tcp 10.54.254.18:55415 20.136.39.34:55415 162.246.78.174:8443 162.246.78.174:8443
tcp 10.54.254.18:55839 20.136.39.34:55839 162.246.77.11:8443 162.246.77.11:8443
tcp 10.54.254.18:55909 20.136.39.34:55909 162.246.77.11:8443 162.246.77.11:8443
tcp 10.54.254.18:55932 20.136.39.34:55932 162.246.77.11:8443 162.246.77.11:8443
tcp 10.54.254.18:56331 20.136.39.34:56331 162.246.77.11:8443 162.246.77.11:8443
tcp 10.54.254.18:57054 20.136.39.34:57054 162.246.78.174:8443 162.246.78.174:8443
tcp 10.54.254.18:57155 20.136.39.34:57155 162.246.77.11:8443 162.246.77.11:8443
Thank you so much for your collaboration.
02-21-2019 06:53 AM
It may just be different behaviour, i.e. if the port is not already used then it should just leave it as is, but it looks like the ISR is changing it even if it is not in use.
I have not used those ISRs but I keep seeing questions on the forums about NAT and these routers as they seem to behave differently to other routers.
Could also be a bug of course.
Jon
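To make the two behaviours in this thread concrete (the ISR4331 handing out 1024, 1025, 1026 versus the C3825 keeping the inside-local port), here is an added example that is not code from the thread, from Cisco, or from IOS. It models PAT source-port allocation with and without port preservation, and it includes a small parser for `show ip nat translations` output that reports which TCP/UDP translations rewrote the source port, which is a quick way to check a device before and after an upgrade. The allocator's policy (preserve the local port when it is free, otherwise take the lowest free port from 1024) and the per-protocol port space are assumptions of this model; the sample table is copied from the ISR4331 output posted above.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: str   # "ip:port"
    inside_local: str    # "ip:port"
    outside_global: str  # "ip:port"


def allocate_port(used_ports, wanted, preserve=True, low=1024, high=65535):
    """Choose the inside-global port for a new PAT translation.

    preserve=True : keep the inside-local port if it is free on the global
                    address (the C3825 behaviour shown in the thread).
    preserve=False: always hand out the lowest free port from `low`
                    (the ISR4331 behaviour shown in the thread).
    Assumption: ports below `low` are never preserved; real IOS keeps a
    separate range for those, which this model leaves out.
    """
    if preserve and low <= wanted <= high and wanted not in used_ports:
        used_ports.add(wanted)
        return wanted
    for port in range(low, high + 1):
        if port not in used_ports:
            used_ports.add(port)
            return port
    raise RuntimeError("PAT port space exhausted on this global address")


def simulate(local_ports, preserve):
    """Translate a sequence of inside-local ports for one protocol on one
    global address; returns {local_port: global_port}."""
    used = set()  # one port space per (global address, protocol)
    return {p: allocate_port(used, p, preserve) for p in local_ports}


# One row of `show ip nat translations`: proto, then four ip:port columns.
_ROW = re.compile(
    r"^(tcp|udp|icmp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)$"
)


def parse_translations(text):
    """Parse the dynamic rows of `show ip nat translations`; header lines
    and static '---' rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        proto, g_ip, g_port, l_ip, l_port, _, _, og_ip, og_port = m.groups()
        rows.append(Translation(proto, f"{g_ip}:{g_port}",
                                f"{l_ip}:{l_port}", f"{og_ip}:{og_port}"))
    return rows


def port_changes(rows):
    """Return TCP/UDP rows whose inside-global port differs from the
    inside-local port. ICMP is skipped: its 'port' is the echo identifier."""
    changed = []
    for r in rows:
        if r.proto == "icmp":
            continue
        if r.inside_global.rsplit(":", 1)[1] != r.inside_local.rsplit(":", 1)[1]:
            changed.append(r)
    return changed


# Sample input: the ISR4331 table posted in the thread (not constructed).
ISR_OUTPUT = """\
Pro Inside global Inside local Outside local Outside global
tcp 10.84.248.242:1026 20.136.39.34:56986 162.246.77.1:443 162.246.77.1:443
icmp 10.84.248.242:1 20.136.39.34:1 162.246.78.171:1 162.246.78.171:1
tcp 10.84.248.242:1024 20.136.39.34:56849 162.246.78.171:443 162.246.78.171:443
tcp 10.84.248.242:1025 20.136.39.34:56878 162.246.78.171:443 162.246.78.171:443
udp 10.84.248.242:1024 20.136.39.34:1483 162.246.78.174:4172 162.246.78.174:4172
udp 10.84.248.242:1025 20.136.39.34:50002 162.246.77.11:4172 162.246.77.11:4172
Total number of translations: 6
"""

if __name__ == "__main__":
    rows = parse_translations(ISR_OUTPUT)
    print(f"{len(port_changes(rows))} of {len(rows)} translations rewrote the source port")
    # Order of the ISR's TCP flows, inferred from the global ports it assigned.
    print("non-preserving:", simulate([56849, 56878, 56986], preserve=False))
    print("preserving:    ", simulate([56849, 56878, 56986], preserve=True))
```

Running it against the posted table reports five of six translations with a rewritten port (the ICMP row is excluded), and the non-preserving simulation reproduces the 1024/1025/1026 assignment seen on the ISR while the preserving one returns the local ports unchanged, as on the C3825.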
02-21-2019 07:39 AM
Hello,
On a side note, I found the below in the restrictions for NAT in XE 3S releases, which seems to suggest that you cannot use the physical address of an interface in a pool. If possible, try to use interface overloading and check if the behavior changes:
Using any IP address that is configured of a device as an address pool or in a NAT static rule is not supported. NAT can share the physical interface address (not any other IP address) of a device only by using the NAT interface overload configuration. A device uses the ports of its physical interface and NAT must receive communication about the ports that it can safely use for translation. This communication happens only when the NAT interface overload is configured.