
Cisco 7206 - Problem with NAT from 2 external to 1 Internal IP

AidanMcGoey (Technical User, joined Apr 27, 2005, Messages 6, Location IE)
I have a single web server which I need to access by two IPs while moving from one subnet to another. Can anyone explain why it is not possible to ping both outside global addresses with the rules in place, but it is possible to access them via a browser? The 'debug ip nat' command shows both pings getting in.

Router is a Cisco 7206; the appropriate static route for xx.xxx.148.30 is in place. Inside and outside NAT interfaces are defined.

Configuration is simple - relevant lines are:

ip nat inside source static xx.xxx.149.250 xx.xxx.149.250 extendable
ip nat inside source static xx.xxx.149.250 xx.xxx.148.30 extendable

Are ICMP packets treated differently?

Thanks in advance!

Aidan.
 
1) Did you use URL or IP to access the server?
2) From where did you ping to the outside global address?
 
I'm using IP, not URL, and I'm pinging from an IP address which is outside the 'ip nat outside' address.

Pings work fine when either nat rule is in place on its own, but not with both together.

Thanks,

Aidan.
 
"ip nat inside source static xx.xxx.149.250 xx.xxx.149.250 extendable"

make sure this is not a typo...
 
I'm not sure what you mean - do you see a typo that I don't? This line is cut from the configuration. Without it, the NAT address is reachable, but the 'un-natted' one isn't.

thanks.

Aidan.
 
"ip nat inside source static xx.xxx.149.250 xx.xxx.149.250 extendable"

I believe this line means a static NAT translation from the NAT inside address xx.xxx.149.250 to the NAT outside address xx.xxx.149.250.

So the NAT inside and NAT outside addresses in this line are the same...

Or...is it actually xx.xxx.149.250 and yy.yyy.149.250 so that the 2 are different?
 
No, it is "ip nat inside source static xx.xxx.149.250 xx.xxx.149.250 extendable" - I put this line in because without it there was no response at all from xx.xxx.149.250. I've just removed the line to verify that behaviour.

There's also been a change in the behaviour with the original configuration:
Yesterday I had pings returned from the .148.30 address only, today I get pings from both 149.250 and 148.30, but each with 50% packet loss. ...and there have been no changes.

I'm sure I'm doing something fundamentally wrong here - I can't claim a huge amount of experience. In fact I've just discovered a big error - this is on a Cat6506 (CatOS and IOS) not a 7206! (Doh! Sorry about that!), so the NAT interfaces are Vlans (mls not enabled). Can CEF interfere with NAT?

thanks,

Aidan.
 
"50% packet loss"

Does the ping output look like this?

!.!.!.!.!.

I've experienced this in an OSPF routing issue and finally I found that I got a duplicate router-id in 2 routers (oh god...).

Maybe you should post relevant configurations so we can get a clearer picture on your situation.

 
This is the only bit of the configuration I can see as being relevant:

The other router from the HSRP group has not been deployed yet - the gateway for the server is xx.xxx.149.1, and this setup *APPEARS* to work fine for web traffic, but of course it's easier to see pings going astray.

interface Vlan1
ip address xx.xxx.128.7 255.255.255.192
ip nat outside

interface Vlan305
description
ip address xx.xxx.149.2 255.255.255.0
no ip redirects
ip nat inside
standby ip xx.xxx.149.1
!
!
ip nat translation icmp-timeout 1
ip nat inside source static 82.195.149.250 82.195.149.250 extendable
ip nat inside source static 82.195.149.250 82.195.148.30 extendable

ip route 82.195.148.30 255.255.255.255 Vlan305


Thanks!

Aidan.
 
"ip nat translation icmp-timeout 1"

According to Cisco:

"Dynamic translations time out after a period of non-use. When port translation is not configured, translation entries time out after 24 hours."

And this command makes the NAT ICMP translation time out after 1 second of non-use.

Did you try to remove this command? Or at least set it to say 10 to 15 mins?
 
Good suggestion! - I tested this and found that setting this value to anything other than 1 second (and that includes '0' and 'never') results in complete packet loss from the 'straight through' NAT, i.e. .149.250 -> .149.250

If this is just an ICMP and NAT interaction oddity, then that's OK - my main concern is that it wouldn't impact on other protocols, but I'm not sure how to verify that. Thanks for your help so far.

- Aidan.
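As an added example (not code from the thread), here is a small Python check that flags the three things the replies above circle around: an identity static mapping, one inside local address mapped to two inside global addresses, and the 1-second ICMP translation timeout. The 60-second threshold is an assumption, and the constructed sample config uses RFC 5737 documentation addresses in place of the real ones.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant lines from the thread, with the real
# addresses replaced by RFC 5737 documentation-range placeholders.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.0.2.7 255.255.255.192
 ip nat outside
interface Vlan305
 ip address 198.51.100.2 255.255.255.0
 ip nat inside
ip nat translation icmp-timeout 1
ip nat inside source static 198.51.100.250 198.51.100.250 extendable
ip nat inside source static 198.51.100.250 203.0.113.30 extendable
"""

STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)")
TIMEOUT_RE = re.compile(r"^ip nat translation (\S+) (\S+)")


def audit_nat(config, min_icmp_timeout=60):
    """Return findings for the static NAT rules in an IOS-style config.

    min_icmp_timeout is an assumed sanity floor in seconds, not an IOS value.
    """
    globals_by_local = defaultdict(list)   # inside local -> [inside globals]
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            local, glob = m.groups()
            globals_by_local[local].append(glob)
            if local == glob:
                findings.append(f"identity mapping {local} -> {glob}: "
                                "the rule translates nothing; confirm it is intended")
            continue
        m = TIMEOUT_RE.match(line)
        if m and m.group(1) == "icmp-timeout":
            val = m.group(2)
            if val.isdigit() and int(val) < min_icmp_timeout:
                findings.append(f"icmp-timeout {val}s is below the assumed floor of "
                                f"{min_icmp_timeout}s: ICMP entries are torn down after {val}s idle")
    for local, globs in globals_by_local.items():
        if len(globs) > 1:
            findings.append(f"inside local {local} maps to {len(globs)} inside globals "
                            f"{globs}: traffic sourced from {local} has no unique translation")
    return findings
```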
 