[c-nsp] too much NAT?

Adam Greene maillist at webjogger.net
Mon Sep 19 17:00:28 EDT 2011 

Hi,

I'm running into an odd issue on a CPE router (2911, 15.1(4)M).

Customer has DSL from us as their primary link and a Verizon line for 
backup.

We're doing static NAT on various ports and to get it to work over both 
links, we've configured route maps.

It works fine up to a point (redundant NAT for 3 PC's) but seems to 
choke once we add a fourth. Only the NAT seems to die.

In other words, this works:

==========

ip nat inside source route-map ISP2-NAT interface Multilink1 overload
ip nat inside source route-map ISP1-NAT interface GigabitEthernet0/0 
overload
!
ip nat inside source static tcp 192.168.1.79 3389 x.x.x.x 3389 route-map 
ISP2-PC1 extendable
ip nat inside source static tcp 192.168.1.78 4000 x.x.x.x 4000 route-map 
ISP2-PC3 extendable
ip nat inside source static tcp 192.168.1.63 4001 x.x.x.x 4001 route-map 
ISP2-PC2 extendable
ip nat inside source static tcp 192.168.1.79 3389 y.y.y.y 3389 route-map 
ISP1-PC1 extendable
ip nat inside source static tcp 192.168.1.78 4000 y.y.y.y 4000 route-map 
ISP1-PC3 extendable
ip nat inside source static tcp 192.168.1.63 4001 y.y.y.y 4001 route-map 
ISP1-PC2 extendable
ip route 0.0.0.0 0.0.0.0 216.187.34.1
ip route 0.0.0.0 0.0.0.0 70.107.243.21 100
!
ip access-list standard PC2
  permit 192.168.1.63
ip access-list standard PC1
  permit 192.168.1.79
ip access-list standard PC3
  permit 192.168.1.78
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
route-map ISP2-PC2 permit 10
  match ip address PC2
  match interface GigabitEthernet0/0
!
route-map ISP1-PC2 permit 10
  match ip address PC2
  match interface Multilink1
!
route-map ISP2-PC3 permit 10
  match ip address PC3
  match interface GigabitEthernet0/0
!
route-map ISP1-PC3 permit 10
  match ip address PC3
  match interface Multilink1
!
route-map ISP2-NAT permit 10
  match ip address 1
  match interface GigabitEthernet0/0
!
route-map ISP1-NAT permit 10
  match ip address 1
  match interface Multilink1
!
route-map ISP1-PC1 permit 10
  match ip address PC1
  match interface Multilink1
!
route-map ISP2-PC1 permit 10
  match ip address PC1
  match interface GigabitEthernet0/0

=====

But try to add this and NAT dies:

=====

ip nat inside source static tcp 192.168.1.2 4003 x.x.x.x 4003 route-map 
ISP2-PC4 extendable
ip nat inside source static tcp 192.168.1.2 4003 y.y.y.y 4003 route-map 
ISP1-PC4 extendable

ip access-list standard PC4
  permit 192.168.1.2
!
route-map ISP1-PC4 permit 10
  match ip address PC4
  match interface Multilink1
!
route-map ISP2-PC4 permit 10
  match ip address PC4
  match interface GigabitEthernet0/0

=====

NAT translations seem to be occurring, but customer reports all traffic 
coming to a standstill. Processor remains at normal low levels.

Thanks for any insights!

Thanks,
Adam

More information about the cisco-nsp mailing list