
Nat failing on one address but not others

Jan 3, 2003
I hope someone can help. We have a third party router installed to allow us to VPN to a remote site. I have no admin rights to this router. We have several different subnets connecting through this, and to get around the issue of having to get the third party to add access for every subnet, I have installed 2 routers that are doing NAT.


192.168.1.0 - router1 - 192.168.2.0 - router2 - 192.168.1.0 - 3rd party router

192.168.1.0 is our internal net range. Both router 1 and the third party router have IP 192.168.1.10, and router 2 has IP 192.168.1.50 (same as our firewall).

router 1 has config:
ip default-gateway 192.168.1.50
ip nat pool from_int 192.168.2.100 192.168.2.200 netmask 255.255.255.0
ip nat inside source list 10 pool from_int
ip nat inside source static 192.168.1.5 192.168.2.5
ip nat inside source static 192.168.1.13 192.168.2.13
ip nat inside source static 192.168.1.18 192.168.2.18
ip nat inside source static 192.168.1.17 192.168.2.17
ip classless

router 2 has the opposite:
ip nat translation timeout 600
ip nat pool from_nat 192.168.1.100 192.168.1.200 netmask 255.255.255.0
ip nat inside source list 10 pool from_nat
ip nat inside source static 192.168.2.5 192.168.1.5 extendable
ip nat inside source static 192.168.2.13 192.168.1.13 extendable
ip nat inside source static 192.168.2.17 192.168.1.17 extendable
ip nat inside source static 192.168.2.18 192.168.1.18 extendable
ip classless


This was all working swimmingly until I recently added the 192.168.1.17 address (as shown above). Now everything works OK for a day or so and then just the .17 address stops working. All the others are fine. If I reboot router 2 then 17 starts working again for another day or so.

I tried a clear ip nat t * and clear ip nat s to see if that would make a difference but only rebooting the router seems to work.

Routers are both 831s running IOS 12.3.

Any help much appreciated.

Thanks a lot,

Tony
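An added consistency check for the two configs above (my own example, not something posted in the thread or a Cisco tool): it parses the static and pool NAT lines from both routers, verifies that every static translation on router 1 is mirrored in reverse on router 2 so a host keeps the same address at both ends, and flags any static global address that also falls inside a dynamic pool. The function and variable names are my assumptions.

```python
import ipaddress
import re

# Constructed sample input: the NAT lines of the two 831 configs as posted.
ROUTER1_CONF = """
ip nat pool from_int 192.168.2.100 192.168.2.200 netmask 255.255.255.0
ip nat inside source list 10 pool from_int
ip nat inside source static 192.168.1.5 192.168.2.5
ip nat inside source static 192.168.1.13 192.168.2.13
ip nat inside source static 192.168.1.18 192.168.2.18
ip nat inside source static 192.168.1.17 192.168.2.17
"""
ROUTER2_CONF = """
ip nat pool from_nat 192.168.1.100 192.168.1.200 netmask 255.255.255.0
ip nat inside source list 10 pool from_nat
ip nat inside source static 192.168.2.5 192.168.1.5 extendable
ip nat inside source static 192.168.2.13 192.168.1.13 extendable
ip nat inside source static 192.168.2.17 192.168.1.17 extendable
ip nat inside source static 192.168.2.18 192.168.1.18 extendable
"""

STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)", re.M)
POOL_RE = re.compile(r"^ip nat pool \S+ (\S+) (\S+) netmask", re.M)


def parse_nat(conf):
    """Return ({inside_local: inside_global}, [(pool_start, pool_end)])."""
    statics = {ipaddress.ip_address(a): ipaddress.ip_address(b)
               for a, b in STATIC_RE.findall(conf)}
    pools = [(ipaddress.ip_address(s), ipaddress.ip_address(e))
             for s, e in POOL_RE.findall(conf)]
    return statics, pools


def check_double_nat(conf_a, conf_b):
    """Return a list of problems; an empty list means the configs mirror cleanly."""
    stat_a, pools_a = parse_nat(conf_a)
    stat_b, pools_b = parse_nat(conf_b)
    problems = []
    # Each static on one router must be reversed on the other, or the host's
    # traffic is translated on the way out but not recognised on the way back.
    for side, mine, theirs in (("A", stat_a, stat_b), ("B", stat_b, stat_a)):
        for local, glob in mine.items():
            if theirs.get(glob) != local:
                problems.append(f"{side}: {local}->{glob} has no mirror {glob}->{local}")
    # A static global address inside a dynamic pool could be handed out twice.
    for side, statics, pools in (("A", stat_a, pools_a), ("B", stat_b, pools_b)):
        for glob in statics.values():
            for start, end in pools:
                if start <= glob <= end:
                    problems.append(f"{side}: static global {glob} overlaps pool {start}-{end}")
    return problems
```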
 
After a lot of playing around with configs we have got a bit further on this one. Configuring a new natted address pointing to the same server produces the same results when used with the same dns entry as previous.

Question - what sort of traffic could cause the NAT to break so that only a reboot of the router would fix the issue? And how do I stop it from breaking?

The traffic that is flowing over this NAT should only be FTP and telnet. I'm guessing that something on the other network is sending corrupted packets or the like, but I'm not sure how I can find out. Nothing seems to be written to the logs and I can't find any known event that could trigger this.

Any help greatly appreciated.
 
This has taken some time and a few conversations with Cisco. In the end, they recommended adding a secondary ip address to the interfaces to match that of the natted address.

So router 1 has a secondary IP address on its outside interface of 192.168.2.17, and router 2 has a secondary IP on the interface connecting to this one of 192.168.1.17. This seems to force the connection to be "always on". While not exactly fixing the problem itself, it does work.
 