Cisco 1841 and PAT

[AdilM]

Hi. I have a 1800 series router and a provider modem connected through a crossover cable and a network X.X.18.0 netmask of 255.255.255.252. I am given only one IP address that I will use in my router and also for PAT overloading.

My configuration looks correct but it doesn't work. I will paste my full router config below, for sure I missed something and I hope you could figure out what is that. The access list 3 hit count is incrementing.


I can ping from the router using as a source the outside interface (X.X.18.2). From the inside network strangely only the name resolution seems to work for few minutes after reloading the router. When I ping from the LAN, I will get the IP address but the ping times out, at such times when I issue the command "show ip nat trans" I get the following result, (I replaced my real DNS server with 66.218.71.63), 10.0.0.2 is the computer at my LAN configured as 10.0.0.2/24 gateway 10.0.0.1 DNS 66.218.71.63. After two or three mins when I ping from the LAN, name will no longer be resolved.

Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp X.X.18.2:1233 10.0.0.2:1233 66.218.71.63:53 66.218.71.63:53

Thanks.


!
boot-start-marker
boot-end-marker
!
enable secret 5 ########
enable password ########
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
interface FastEthernet0/0
ip address X.X.18.2 255.255.255.252
no ip proxy-arp
ip nat outside
speed 100
full-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
no ip proxy-arp
ip nat inside
speed 100
full-duplex
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.18.1
!
no ip http server
ip nat inside source list 3 interface FastEthernet0/0 overload
!
access-list 3 permit 10.0.0.0 0.0.0.255 log
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password ########
login
!
no process cpu extended
no process cpu autoprofile hog
end

 

[plshlpme]

is your pcs default gateway set to 10.0.0.1 ?

are you sure its not a dns issue? can you ping external hosts via ip?

 

[AdilM]

Thanks plshlpme. No my default gateway is not 10.0.0.1, it's the IP address of the modem X.X.18.1 which is not a private IP address, it shares the same network X.X.18.0 255.255.255.252 with my router's external interface. I can ping external hosts by ip from the router.

 

[Minue]

Hi AdilM
What plshlpme was asking.Is if your computer/workstation in the Windows XP tcp/ip setting, has a default gateway of 10.0.0.1,which is the address of the routers FastEthernet0/1.Check also if your crossover cable is good.
Regards

 

[AdilM]

Oh, yes my workstation (10.0.0.2/24) has the default gateway of 10.0.0.1, when I ping from workstation shortly after restarting the router, I get the name resolved, but the ping timed out:

C:\>ping

http://www.yahoo.com

Pinging

http://www.yahoo-ht3.akadns.net

[69.147.114.210] with 32 bytes of data:
Request timed out.
Request timed out.

After few minutes, I get this:

C:\>ping

http://www.yahoo.com

Ping request could not find host

http://www.yahoo.com.

Please check the name and try again.

 

[burtsbees]

Pings are shut off at Yahoo---try Google.

Burt

 

[plshlpme]

are you seeing any errors on your fa0/0 interface?
alot of carrier modems only run at 10 half instead of 100 full...

 

[AdilM]

Hi burtsbees. I did that and still I can't ping. I checked the cable and it's ok, from the router I can ping the modem.

 

[plshlpme]

is this a dsl service?

 

[AdilM]

Well plshlpme, I can't see any errors, it's working fine with 100 full. It's a VSAT service.

I enabled debugging and got some interesting results that might help. Note that after the last line (the deletion of the alias) I will no longer be able to get the resolved IP addresses when I issue the ping command from the workstation.


*Apr 15 19:17:33.183: %SEC-6-IPACCESSLOGNP: list 3 permitted 0 0.0.0.0 -> 10.0.0.2, 1 packet
*Apr 15 19:17:33.183: NAT: address not stolen for 10.0.0.2, proto 17 port 1127
*Apr 15 19:17:33.183: NAT: creating portlist proto 17 globaladdr X.X.18.2
*Apr 15 19:17:33.183: NAT: Allocated Port for SYSTEM prot 17: X.X.18.2, 53
*Apr 15 19:17:33.183: NAT - SYSTEM PORT for X.X.18.2: allocated port 53, refcount 1, localport 4294967295, localaddr 0.0.0.0,

flags 1, syscount 1, proto 17
*Apr 15 19:17:33.183: NAT: Allocated Port for SYSTEM prot 17: X.X.18.2, 69
*Apr 15 19:17:33.183: NAT - SYSTEM PORT for X.X.18.2: allocated port 69, refcount 1, localport 4294967295, localaddr 0.0.0.0,

flags 1, syscount 1, proto 17
*Apr 15 19:17:33.183: NAT: Allocated Port for SYSTEM prot 17: X.X.18.2, 7648
*Apr 15 19:17:33.183: NAT - SYSTEM PORT for X.X.18.2: allocated port 7648, refcount 1, localport 4294967295, localaddr

0.0.0.0, flags 1, syscount 1, proto 17
.
.
.
*Apr 15 19:17:33.187: NAT: Allocated Port for 10.0.0.2 -> X.X.18.2: wanted 1127 got 1127
*Apr 15 19:17:33.187: NAT: i: udp (10.0.0.2, 1127) -> (X.X.0.3, 53) [1063]
*Apr 15 19:17:33.187: NAT: s=10.0.0.2->X.X.18.2, d=X.X.0.3 [1063]
*Apr 15 19:17:33.187: NAT: installing alias for address X.X.18.2
*Apr 15 19:17:33.187: NAT: alias insert failed for X.X.18.2
*Apr 15 19:17:35.179: NAT: i: udp (10.0.0.2, 1127) -> (X.X.0.3, 53) [1065]
*Apr 15 19:17:35.179: NAT: s=10.0.0.2->X.X.18.2, d=X.X.0.3 [1065]
*Apr 15 19:17:35.839: NAT: o: udp (X.X.0.3, 53) -> (X.X.18.2, 1127) [16374]
*Apr 15 19:17:35.839: NAT: s=X.X.0.3, d=X.X.18.2->10.0.0.2 [16374]
.
.
.
*Apr 15 19:12:09.307: -Traceback= 0x60D4B950 0x60D4CFEC 0x60D4E864 0x60D48D08 0x60234380 0x6002A624 0x613F9FD4 0x614000F0

0x613FD778 0x613FD9A8 0x6004C7C8
*Apr 15 19:12:09.707: Find Node in Local Tree: key_len = 320 00000000 C0A80105 00000467 00000011 00000000 563E0003 00000035

00000011 00000000 00000000
*Apr 15 19:12:09.715: -Traceback= 0x60D4B950 0x60D4CF30 0x60D4E864 0x60234C1C 0x6002B768 0x613F9FD4 0x614000F0 0x613FD778

0x613FD9CC 0x6004C7C8
*Apr 15 19:12:09.719: Find Node in Local Tree: key_len = 320 00000000 00000000 00000000 00000000 00000000 563E0003 00000035

00000011 00000000 00000000
*Apr 15 19:12:09.727: -Traceback= 0x60D4B950 0x60D4CF30 0x
*Apr 15 19:23:43.875: NAT: expiring X.X.18.2 (10.0.0.2) udp 1127 (1127)
*Apr 15 19:23:43.875: NAT: deleting alias for X.X.18.2

 

[burtsbees]

When regular name resolution fails from the router, are you still able to ping Ip addresses? For example, you reboot the router...you type
router#ping

http://www.google.com

and it says it is trying

http://www.google.com(xxx.xxx.xxx.xxx),

with Google's IP address in parenthesis, and it is good? Then, after a few minutes, you try the same command, and it comes back to say that it cannot find "

http://www.google.com",

please try the name again? But then you ping the IP address of Google and it can ping that? If this is what you are saying, then try to ping your DNS server Ip address after the name resolution fails. Or, try
router(config)#ip name-server 68.94.157.1
One more thing...why the "no ip dhcp use vrf connected" statement? Here's an interesting link on that...

http://64.233.167.104/search?q=cach...ted&hl=en&ct=clnk&cd=4&gl=us&client=firefox-a

Burt

 

[plshlpme]

now that you mention vsat im thinking it could be a timeout issue because of the extra latency...
i would play around with some of these timeout values and increase them to make sure thats not the case...

router(config)#ip nat translation ?
dns-timeout Specify timeout for NAT DNS flows
finrst-timeout Specify timeout for NAT TCP flows after a FIN or RST
icmp-timeout Specify timeout for NAT ICMP flows
max-entries Specify maximum number of NAT entries
port-timeout Specify timeout for NAT TCP/UDP port specific flows
pptp-timeout Specify timeout for NAT PPTP flows
syn-timeout Specify timeout for NAT TCP flows after a SYN and no further
data
tcp-timeout Specify timeout for NAT TCP flows
timeout Specify timeout for dynamic NAT translations
udp-timeout Specify timeout for NAT UDP flows

the last few lines from your debug is what has me thinking this way.

*Apr 15 19:23:43.875: NAT: EXPIRING X.X.18.2 (10.0.0.2) udp 1127 (1127)
*Apr 15 19:23:43.875: NAT: deleting alias for X.X.18.2
[\quote]

i am curious if you dont mind me asking... what type of modems are you using? is this your only site set up this way?
we will be needing to go to a modem soon that has an ethernet interface rather then V35 and am just curious on what your using.

 

[burtsbees]

That sucks to be able to only have satellite available...

Burt

 

[AdilM]

Oh yes!! It's a timeout problem as you figured it out plshlpme. I tested it this morning. I set all nat translation timeouts to "never" and for the first time I could browse the net from my workstation, but speed was very slow and images not showing on the explorer, then after few minutes it stopped after I got the "NAT: deleting alias for " message. Do you think it could be a problem some buffers or memory? The modem is iDirect 3000. I agree it's too bad to be under the mercy of sat links.

 

[plshlpme]

do you have a router at the other end of the link?
there is rbscp - rate based satellite control protocol...
i foudn with our customer it didn't seem to help a whole lot but it may for you..

the other option .. more expensive is to go with some sort of hardware accelerator.

the problem with satellite links is that due to the very high latency the tcp sessions stay in slow speed mode and its very hard to get good utilization out of your link.

anything that is delay sensitive will suffer alot..

we only use satellite at sites where there is no local facilites.. ie alot of africa, middle east etc..

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801ee18c.html