Cisco Bug: CSCsg37136 - Destination NAT does not apply after source NAT through VRF 123-14.T7

Last Modified

Feb 04, 2017

Products (25)

  • Cisco IOS
  • Cisco VG224 Analog Voice Gateway
  • Cisco AS5400XM Universal Gateway
  • Cisco Catalyst 6500 Series Communication Media Module
  • Cisco 7206 Router
  • Cisco 7301 Router
  • Cisco AS5350XM Universal Gateway
  • Cisco 7206VXR Router
  • Cisco IAD2430 Integrated Access Device
  • Cisco 2821 Integrated Services Router

Known Affected Releases

12.3(14)T7

Description (partial)

Symptom:

We are currently running the c7200-js-mz.123-4.T2.bin image on a Cisco
7206VXR G1 router. We use VRF Lite and apply dynamic source NAT
(vrf NAT) on each ingress customer VRF interface. After packets
have been source NATed they are forwarded into global space.
Static destination NAT is applied on the global egress interface.
This static destination NAT does not work with the image c7200-js-mz.123-14.T7.bin.

This problem is not seen in the latest release, IOS 12.4(10).

Conditions:
 
The packet (src: 10.2.1.55, dest: 22.22.22.75) enters the router on interface gig0/1:

interface GigabitEthernet0/1
 ip vrf forwarding myvrf
 ip address 192.168.200.9 255.255.255.248
 ip nat inside
 no ip route-cache
!

Source address gets NATed (src: 10.2.1.55  -> src: 10.10.10.107) as configured:

ip nat pool mypool 10.10.10.64 10.10.10.127 netmask 255.255.255.0
ip nat inside source list 10 pool mypool vrf myvrf

access-list 10 deny   0.0.0.0
access-list 10 permit any

 
Packet is then passed into global space and forwarded to egress interface:


interface GigabitEthernet0/2
 ip address 192.168.175.10 255.255.255.248
 ip nat outside
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!


This is where the destination NAT is applied as per configuration statement (supposed to be: dest: 22.22.22.75  ->  dest: 10.86.114.20):

ip nat outside source static 10.86.114.20 22.22.22.75 extendable

 
new image: c7200-js-mz.123-14.T7.bin - FAILS
--------------------------------------------
 

The destination (static) NAT fails on all traffic (not only SIP) - In this example it was DNS:


Sep 18 14:33:54.258 AEST: NAT: i: udp (10.2.1.55, 1032) -> (22.22.22.75, 53) [52604] 
Sep 18 14:33:54.258 AEST: NAT: s=10.2.1.55->10.10.10.107, d=22.22.22.75 [52604]

No destination NAT applied above (source NAT only) - next hop device receives the packet with destination: 22.22.22.75

 
old image: c7200-js-mz.123-4.T2.bin - OK
----------------------------------------
 

Oct 13 14:16:34.125 AEST: NAT: s=10.2.1.55->10.10.10.107, d=22.22.22.75 [16471]
Oct 13 14:16:34.125 AEST: NAT: s=10.10.10.107, d=22.22.22.75->10.86.113.20 [16471]

Both source and destination NAT applied above

Oct 13 14:16:34.129 AEST: NAT: s=10.86.113.20->22.22.22.75, d=10.10.10.107 [33456]
Oct 13 14:16:34.129 AEST: NAT: s=22.22.22.75, d=10.10.10.107->10.2.1.55 [33456]

Return packets also correctly NATed back (source and destination)
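
The comparison of the two captures above can be automated. The following is an added example, not part of the Cisco bug record: it groups the translation lines by the bracketed IP ident and reports packets sent to the static address whose destination was never rewritten. The function names are hypothetical, and it assumes the line format shown above and that an ident is not reused within one capture.

```python
import re
from collections import defaultdict

# Per-packet translation lines in the format shown in the captures above, e.g.
# "NAT: s=10.2.1.55->10.10.10.107, d=22.22.22.75 [52604]"
NAT_LINE = re.compile(
    r"NAT: s=(?P<src>[\d.]+)(?:->(?P<src_new>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_new>[\d.]+))? \[(?P<ip_id>\d+)\]"
)

def summarize(log_text):
    """Group rewrite lines by the bracketed IP ident (assumed unique per packet)."""
    packets = defaultdict(lambda: {"src": None, "dst": None, "seen_dst": set()})
    for line in log_text.splitlines():
        m = NAT_LINE.search(line)
        if not m:
            continue  # "NAT: i: udp ..." flow lines carry no rewrite
        p = packets[m["ip_id"]]
        p["seen_dst"].add(m["dst"])
        if m["src_new"]:
            p["src"] = (m["src"], m["src_new"])
        if m["dst_new"]:
            p["dst"] = (m["dst"], m["dst_new"])
    return dict(packets)

def missing_destination_nat(log_text, static_address):
    """IP idents of packets addressed to static_address with no d= rewrite logged."""
    return sorted(
        ip_id for ip_id, p in summarize(log_text).items()
        if static_address in p["seen_dst"] and p["dst"] is None
    )

# Debug lines copied from the two captures on this page.
FAILING = """\
Sep 18 14:33:54.258 AEST: NAT: i: udp (10.2.1.55, 1032) -> (22.22.22.75, 53) [52604]
Sep 18 14:33:54.258 AEST: NAT: s=10.2.1.55->10.10.10.107, d=22.22.22.75 [52604]
"""
WORKING = """\
Oct 13 14:16:34.125 AEST: NAT: s=10.2.1.55->10.10.10.107, d=22.22.22.75 [16471]
Oct 13 14:16:34.125 AEST: NAT: s=10.10.10.107, d=22.22.22.75->10.86.113.20 [16471]
Oct 13 14:16:34.129 AEST: NAT: s=10.86.113.20->22.22.22.75, d=10.10.10.107 [33456]
Oct 13 14:16:34.129 AEST: NAT: s=22.22.22.75, d=10.10.10.107->10.2.1.55 [33456]
"""

if __name__ == "__main__":
    for name, log in (("123-14.T7", FAILING), ("123-4.T2", WORKING)):
        print(name, missing_destination_nat(log, "22.22.22.75"))
```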