I set up a Cisco 1811 with multiple static NAT entries like this:
ip nat inside source static 10.10.10.13 xx.xx.xx.13
ip nat inside source static 10.10.10.11 xx.xx.xx.11
.....
Once in a while, after a lot of downloading/uploading, I fail to access all mapped machines except the router, and I have to reload the router to recover access. When I look at the router's NAT table when it fails, there are hundreds of entries like this (the same external IP downloading from the server inside the router):
It looks like a NAT overload issue, but I do not understand why it blocks further NAT translation when this happens. Is there any solution to this? Please help..
In any case, "clear ip nat translations" may avoid a reload.
I think that you can clear some entries of the table with "clear ip nat tr xxxx".
Maybe you have a Denial of Service attack or at least a badly behaved client.
Perhaps you can set some kind of aging time on the NAT entries? I have never looked at that, but it is a possibility.
Here you go:-
adsl(config)#ip nat tr ?
  arp-ping-timeout        Specify timeout for WLAN-NAT ARP-Ping
  dns-timeout             Specify timeout for NAT DNS flows
  finrst-timeout          Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout            Specify timeout for NAT ICMP flows
  max-entries             Specify maximum number of NAT entries
  port-timeout            Specify timeout for NAT TCP/UDP port specific flows
  pptp-timeout            Specify timeout for NAT PPTP flows
  routemap-entry-timeout  Specify timeout for routemap created half entry
  syn-timeout             Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout             Specify timeout for NAT TCP flows
  timeout                 Specify timeout for dynamic NAT translations
  udp-timeout             Specify timeout for NAT UDP flows

adsl(config)#ip nat tr max-entries ?
                          Number of entries
  all-host                Specify maximum number of NAT entries for each host
  all-vrf                 Specify maximum number of NAT entries for each vrf
  host                    Specify per-host NAT entry limit
  list                    Specify access list based NAT entry limit
  vrf                     Specify per-VRF NAT entry limit
As I say, I have never used these, but "timeout  Specify timeout for dynamic NAT translations" looks like a good place to start.
Please post:-
sh ip nat sta
Post the first few lines of sh mem.
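An added example, not from anyone in this thread: the original poster saw hundreds of entries for the same external IP, and the knobs above (timeouts, max-entries) are the tools for limiting that. This script tallies the output of "show ip nat translations" per outside host so you can see whether one client is filling the table before tuning anything. The sample output is constructed to mimic the IOS column layout; the addresses in it are documentation ranges, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample of 'show ip nat translations' output (not from the
# thread): one static mapping plus extended entries, with one outside host
# holding most of the table.
SAMPLE = """\
Pro Inside global      Inside local       Outside local        Outside global
--- 198.51.100.13      10.10.10.13        ---                  ---
tcp 198.51.100.13:80   10.10.10.13:80     203.0.113.5:40001    203.0.113.5:40001
tcp 198.51.100.13:80   10.10.10.13:80     203.0.113.5:40002    203.0.113.5:40002
tcp 198.51.100.13:80   10.10.10.13:80     203.0.113.5:40003    203.0.113.5:40003
tcp 198.51.100.11:443  10.10.10.11:443    203.0.113.9:51000    203.0.113.9:51000
udp 198.51.100.11:53   10.10.10.11:53     203.0.113.9:51001    203.0.113.9:51001
"""

# One row: protocol ('---' marks a static mapping with no ports), then
# inside global, inside local, outside local, outside global.
ROW = re.compile(r"^(---|tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_translations(text):
    """Return one dict per translation row; the header and any
    unrecognised lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            proto, ig, il, ol, og = m.groups()
            rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                         "outside_local": ol, "outside_global": og})
    return rows


def count_by_outside_host(rows):
    """Count dynamic (extended) entries per outside global IPv4 host,
    dropping the ':port' suffix; static '---' rows are excluded."""
    return Counter(r["outside_global"].rsplit(":", 1)[0]
                   for r in rows if r["proto"] != "---")


def noisy_hosts(rows, threshold):
    """Outside hosts holding more than `threshold` entries, busiest first."""
    return [(h, n) for h, n in count_by_outside_host(rows).most_common()
            if n > threshold]


if __name__ == "__main__":
    for h, n in noisy_hosts(parse_translations(SAMPLE), threshold=2):
        print(h, n)
```

Paste real output in place of SAMPLE and raise the threshold to something like 100; a single host dominating the count points to a misbehaving client (or a flood) rather than a general overload, which is what a per-host max-entries limit or a shorter timeout addresses.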
adsl#sh ip nat sta
Total active translations: 9 (0 static, 9 dynamic; 9 extended)
Outside interfaces:
  Dialer1, Virtual-Access2
Inside interfaces:
  BVI1, BVI2
Hits: 6679  Misses: 196
CEF Translated packets: 6839, CEF Punted packets: 0
Expired translations: 211
Dynamic mappings:
By my reading of this document, extendable can only make it worse.
"The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address.
The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable"."
This problem has apparently /no/ ambiguous static translations.
I am not saying that trying this or that is /never/ worthwhile, or even that it is not worthwhile in this case, but that it /should/ not help. It is, I think, important to know if a change is a random shot in the dark or the correct solution.
If it is a bug, of course, anything might help, and I have put all kinds of workarounds in place in the past myself.
The interesting thing is that "clear ip nat tr" does not work; only "reload" can bring NAT back to normal. It looks like a memory overflow bug in the router's NAT function, and it can be fixed only by reloading the router OS.