Cisco Router locking out traffic on one IP address

chameleon

Member
Jan 1, 2001
32
0
0
We have a Cisco 1600 programmable router with 5 IP addresses for our business, and it seems to be having an issue with one of our IPs no longer accepting traffic. That IP has web, terminal services, and FTP all being routed using NAT to various servers for their respective tasks (port 21 to server A, port 80 to server A, port 3389 to server B). If I reset the router all will be fine for a few days, and then the IP address in question will no longer accept traffic, but the other IP addresses will be routing fine. Hoping someone might have a little insight into this issue.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Sounds like your NAT/PAT table is getting full and the router can't create a new NAT entry. Or a bug. I'd call Cisco support.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
I've had similar problems that were always caused by an ARP issue.

Next time it occurs, try clearing the ARP table on the 1600.
 

chameleon

Member
Jan 1, 2001
32
0
0
Thx for the info. I will check those options out. I'm the appointed IT guy here and know just enough Cisco language to be dangerous, to myself of course.
 

chameleon

Member
Jan 1, 2001
32
0
0
I looked at the ARP table and the IP address in question is not there. All the other IP addresses are showing in the ARP table, but the one that is causing me trouble is missing.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
On the inside address or the outside? You should have ARP entries for both. You can post the relevant NAT configs in question, changing the addresses of course so as not to give away confidential info.

If your NAT translation table is full, I'm pretty sure it will log an error message. You can clear the ARP and NAT tables as well. Clearing ARP isn't disruptive; clearing the NAT table will break any active conversation.
 

chameleon

Member
Jan 1, 2001
32
0
0
Here is our current running-config. The xxx.xxx.xxx are all the same numbers, x'd out for obvious reasons. In my mind it looks correct, but like I said, I know just enough to think it's correct. We have a static network as well as a DHCP server, thus the 10.xxx.xxx.xxx numbers. The 10.xxx numbers are reserved. Not my doing; some other guy set that up before me and it just persisted.


Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxxxx
!
enable password xxxxxxxxx
!
ip subnet-zero
no ip domain-lookup
!
!
!
interface Ethernet0
ip address xxx.xxx.xxx.42 255.255.255.248
no ip directed-broadcast
ip nat outside
!
interface Ethernet1
ip address 192.168.0.254 255.255.255.0 secondary
ip address 10.0.0.254 255.0.0.0
no ip redirects
no ip directed-broadcast
ip nat inside
!
ip nat pool outgoing xxx.xxx.xxx.43 xxx.xxx.xxx.43 netmask 255.255.255.0
ip nat inside source list 5 pool outgoing overload
ip nat inside source static tcp 10.0.0.59 80 xxx.xxx.xxx.44 80 extendable
ip nat inside source static tcp 192.168.0.5 3389 xxx.xxx.xxx.45 3389 extendable
ip nat inside source static tcp 10.0.0.63 1801 xxx.xxx.xxx.44 1801 extendable
ip nat inside source static tcp 10.0.0.63 3389 xxx.xxx.xxx.44 3389 extendable
ip nat inside source static tcp 192.168.0.1 3389 xxx.xxx.xxx.46 3389 extendable
ip nat inside source static tcp 10.0.0.59 21 xxx.xxx.xxx.44 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.41
!
access-list 5 permit 10.0.0.0 0.255.255.255
access-list 5 permit 192.0.0.0 0.255.255.255
!
line con 0
transport input none
line vty 0 4
exec-timeout 0 0
 

sactwnguy

Member
Apr 17, 2007
101
0
76
Can the workstation that is failing ping the gateway? If it can, it should show up in the ARP table on the router. The MAC address in the ARP table should match up with the workstation. Since you are using DHCP, verify the static address is excluded from the pool or it will cause an IP conflict.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
What is your upstream device from this 1600?

It could be an ARP issue with that.

That said, a Cisco 1600 is ancient. Might look at replacing it with something more current.
 

chameleon

Member
Jan 1, 2001
32
0
0
The T1 feeds into E0 on the router and E1 goes out to the switches. Is the ARP table dynamically built, or can you assign entries directly to the ARP table?
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
I'm fully aware which interface is your external interface and which one isn't.

My question was about the type of hardware that your router is connected to.

However, at this point, I'd suspect you're running out of NAT translations, based on the age of your router.
 

chameleon

Member
Jan 1, 2001
32
0
0
In light of the router being from the prehistoric era, does anyone have a recommendation for a new router? Thanks for everyone's help.
 

Pheran

Diamond Member
Apr 26, 2001
5,849
48
91
In light of the router being from the prehistoric era, does anyone have a recommendation for a new router? Thanks for everyone's help.

Well, you don't give any requirements, so that's difficult to say. Based on the fact that you have two ethernet interfaces in the config, I'm assuming you've got a 1605. The modern equivalent of this is probably a 1921, but performance has increased so much over time that you could also look at the 891 if your requirements are modest. If you care about integrated wireless check the 891W or 1941W.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Grab an ASA5505. You're not using your router as a router, but rather as a NAT appliance to share an ethernet connection. Thus, while a 1941 or 891 would "work", the more appropriate (and cheaper) solution would be to use a firewall appliance, such as the ASA5505.
 

Pheran

Diamond Member
Apr 26, 2001
5,849
48
91
Grab an ASA5505. You're not using your router as a router, but rather as a NAT appliance to share an ethernet connection. Thus, while a 1941 or 891 would "work", the more appropriate (and cheaper) solution would be to use a firewall appliance, such as the ASA5505.

The ASA 5505 would also work. The 891 is cheaper than an unlimited-user 5505, but the base 5505 models are cheaper than the 891. The OP never said how many users he has, so the cost benefits are unclear. Also, keep in mind that ASA config is completely different than IOS. I have the impression that the OP isn't all that familiar with these configs. With a router, he could mostly clone what he has onto it, but he'd be starting from scratch with an ASA.
 

chameleon

Member
Jan 1, 2001
32
0
0
Thanks again for the input. I need a router or firewall appliance with which I can control up to 5 IP addresses or more. We have a T1 line that is a Cisco-based device that routes to our current router, and the router, as you pointed out, basically just NATs to our 3 domains for remote services, web, and FTP access. I would like to know if one of those Cisco small business routers would work, or do I need something with a little more punch?
 

Pheran

Diamond Member
Apr 26, 2001
5,849
48
91
Thanks again for the input. I need a router or firewall appliance with which I can control up to 5 IP addresses or more. We have a T1 line that is a Cisco-based device that routes to our current router, and the router, as you pointed out, basically just NATs to our 3 domains for remote services, web, and FTP access. I would like to know if one of those Cisco small business routers would work, or do I need something with a little more punch?

So, one clarification here, why in the world do you have 2 Cisco routers back to back? Maybe one of them is CPE (customer premises equipment) provided by your ISP? But that begs the question of why the NAT can't happen there.

I also wonder if you would save money by switching from T1 to a business-class cable/DSL/FIOS service.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
A lot of times, it isn't beneficial to have your NAT/firewall on the ISP-provided CPE. It can make it difficult to get changes made (took Telepacific 24 hours to add a static route to CPE for me once).

Also, T1s generally offer lower latency and a better quality of service and service-level agreement than even business-class broadband connections. Certainly there is a place for business-class broadband, but T1s ARE desirable in some cases. Additionally, good quality broadband isn't always available in all locations.
 

chameleon

Member
Jan 1, 2001
32
0
0
That is our issue here. T1 is about the best we can get. Time Warner is available for cable, but they don't have a great track record for reliability. We don't have access to the T1 router, so that is why we have a secondary router: so we can control the traffic and not have to call our provider every time we need a change. We use a twisted-pair cable to connect to our 1605R router.
 

sactwnguy

Member
Apr 17, 2007
101
0
76
While a 1605R is old, it is capable of handling so few NAT connections. 10 years ago I had hundreds of these on a frame-relay network doing all sorts of NATting. There is something else going on that is causing the PC to drop off, and putting in new hardware is not guaranteed to fix the problem. I would not replace the hardware for this particular problem, but would for the fact that I could not have it under Cisco maintenance and run new code.

When the problem is happening, check the router CPU ("sh proc cpu") and free memory ("sh mem"). It could be a resource problem, but I doubt it. You might want to see if you can jump to a newer version of the IOS 12.0 code you are running.

My gut still tells me, though, that the static IP address has not been excluded from the DHCP range and the router is picking up the other workstation in its ARP table. The best way to test this is to run a ping to your gateway 192.168.0.254 from the workstation and see if it gets a reply, then check the ARP table on the router with a "sh ip arp".
 

chameleon

Member
Jan 1, 2001
32
0
0
Basically, from what I have seen, the xxx.xxx.xxx.44 address drops from the ARP table completely, thus stopping all traffic to that IP from the outside. There doesn't seem to be a specific time period before it drops, but it seems to be happening faster, like a day instead of a week. I reset the router, all is good, and then it disappears from the ARP table. There are only like 20 entries in the ARP table, so I don't think we're hitting memory limits. NAT translations don't seem that excessive either. If I could figure out what causes something to drop from the ARP table, that might help.
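A check for the symptom described in this post, added here as an example and not code from anyone in the thread: it derives the public addresses the NAT config must answer ARP for and compares them with a constructed "show ip arp" sample in which the .44 alias is missing. The 203.0.113.0/24 addresses stand in for the x'd-out prefix, and the ARP output layout is assumed from typical IOS.

```python
import re
import ipaddress

# Constructed from the thread's running-config NAT lines, with the x'd-out
# public prefix replaced by the 203.0.113.0/24 documentation range.
RUNNING_CONFIG = """\
interface Ethernet0
 ip address 203.0.113.42 255.255.255.248
 ip nat outside
ip nat pool outgoing 203.0.113.43 203.0.113.43 netmask 255.255.255.0
ip nat inside source list 5 pool outgoing overload
ip nat inside source static tcp 10.0.0.59 80 203.0.113.44 80 extendable
ip nat inside source static tcp 192.168.0.5 3389 203.0.113.45 3389 extendable
ip nat inside source static tcp 10.0.0.63 1801 203.0.113.44 1801 extendable
ip nat inside source static tcp 192.168.0.1 3389 203.0.113.46 3389 extendable
ip nat inside source static tcp 10.0.0.59 21 203.0.113.44 21 extendable
"""

# Constructed "show ip arp" output matching the symptom: the interface address,
# the pool address and two static aliases are present, .44 has vanished.
# Age "-" marks entries the router itself owns (interface address and NAT aliases).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.42            -   0000.0c12.3456  ARPA   Ethernet0
Internet  203.0.113.43            -   0000.0c12.3456  ARPA   Ethernet0
Internet  203.0.113.45            -   0000.0c12.3456  ARPA   Ethernet0
Internet  203.0.113.46            -   0000.0c12.3456  ARPA   Ethernet0
Internet  203.0.113.41           12   0000.0c98.7654  ARPA   Ethernet0
"""

STATIC_RE = re.compile(r"^ip nat inside source static \S+ \S+ \d+ (\S+) \d+")
POOL_RE = re.compile(r"^ip nat pool \S+ (\S+) (\S+) ")
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+ARPA\s+(\S+)")

def nat_global_addresses(config):
    """Every inside-global (public) address the NAT config uses: static maps plus pool range."""
    addrs = set()
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            addrs.add(m.group(1))
        elif m := POOL_RE.match(line):
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.group(1, 2))
            addrs.update(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))
    return addrs

def arp_alias_addresses(show_ip_arp, interface):
    """Addresses the router answers ARP for itself on `interface` (Age column is '-')."""
    return {m.group(1) for m in map(ARP_RE.match, show_ip_arp.splitlines())
            if m and m.group(2) == "-" and m.group(4) == interface}

def missing_nat_aliases(config, show_ip_arp, interface="Ethernet0"):
    """NAT addresses the outside interface no longer answers ARP for."""
    return sorted(nat_global_addresses(config) - arp_alias_addresses(show_ip_arp, interface))

if __name__ == "__main__":
    print(missing_nat_aliases(RUNNING_CONFIG, SHOW_IP_ARP))  # ['203.0.113.44']
```

Run against the real "show run" and "show ip arp" output each time the symptom appears; an address listed by `missing_nat_aliases` is one the upstream router can no longer resolve, which matches traffic to that IP dying while the others keep working.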
 

Pheran

Diamond Member
Apr 26, 2001
5,849
48
91
Basically, from what I have seen, the xxx.xxx.xxx.44 address drops from the ARP table completely, thus stopping all traffic to that IP from the outside. There doesn't seem to be a specific time period before it drops, but it seems to be happening faster, like a day instead of a week. I reset the router, all is good, and then it disappears from the ARP table. There are only like 20 entries in the ARP table, so I don't think we're hitting memory limits. NAT translations don't seem that excessive either. If I could figure out what causes something to drop from the ARP table, that might help.

If you want to explore a fix without a hardware upgrade, upgrading to a newer IOS may help if this is some kind of bug. If you post a "show version" so I can see your current IOS version, feature set and RAM/flash size, I can recommend a version for you.
 

chameleon

Member
Jan 1, 2001
32
0
0
Here's the version:

Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-Y-M), Version 12.0(19a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 11-Feb-02 12:42 by shawnk

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
ROM: 1600 Software (C1600-RBOOT-R), Version 12.0(3)T, RELEASE SOFTWARE (fc1)

The router has always been really solid until we added the FTP line for port 21. We're using zFTPServer; I wouldn't think that would cause an IP to get pulled from the ARP table.

Thanks again for the assistance. I'm a programmer, not a Cisco engineer.