txsolutions

%NAT: error activating CNBAR on the interface

Hi there,

I have a fairly urgent problem which I just can't get my head around -
I have a Cisco 837 router which is going to connect to a DSL link about 2000 km from where I am, so I can't do any testing before sending it off.

I have configured the router as below, but when starting it up, it comes up with "%NAT: error activating CNBAR on the interface". Is that simply because I haven't got any phone line or Ethernet connections into the router on startup, or have I made a mistake in the configuration (quite likely...)?

Here's the configuration:
Building configuration...

Current configuration : 3638 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname karratha-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username cisco password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
no aaa new-model
ip subnet-zero
ip tcp synwait-time 10
ip name-server 202.154.79.33
ip name-server 202.154.92.35
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
no crypto isakmp enable
!
!
!
interface Ethernet0
 description LAN Connection
 ip address <<internal LAN>> 255.255.255.0
 ip access-group 100 in
 ip nat inside
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 description DSL Connection
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip inspect DEFAULT100 out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxx@swiftdsl.com.au
 ppp chap password 7 xxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 2 interface Dialer0 overload
!
!
logging trap debugging
access-list 2 permit <<internal LAN>> 0.0.0.255
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 deny   ip <<internal LAN>> 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any eq www any eq www
access-list 101 permit tcp any eq telnet any eq telnet
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^C Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end

If anyone could please help me or point me in the right direction!

Thanks so much
JFrederick29

What IOS version are you running?
txsolutions

ASKER

The IOS version is 12.3(7)T and the system bootstrap is 12.2(8r)

thanks a lot in advance! :)
SOLUTION
JFrederick29
This solution is only available to members.
Thanks! I'll give it a try and post back the outcome...
Seems a bit outrageous on Cisco's behalf - not testing something as fundamental as NAT translation on an IOS release...
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Hi epylko and jfrederick29,

The 837 is now onsite at the actual DSL connection, and as epylko suggested it worked fine despite that message.

thanks a lot for your replies though! :)
With Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(7)T10, RELEASE SOFTWARE (fc2) the effects we have observed on an 837 router configured with a single broadband IP address and a static PAT to an internal SMTP server are:

When the router is initially configured from 'factory defaults' using the SECURITY DEVICE MANAGER (SDM) v 2.11 web application, everything works OK, with SMTP packets being routed via port address translation to the SMTP server.

However, after a RELOAD command is issued, the message "%NAT: Error activating CNBAR on interface ..." appears.

Once the CNBAR error occurs (in our case listing interface ATM{0.1} & Ethernet0):

1) DHCP fails to provide addresses to clients
2) an IP address conflict occurs with the address of the SMTP server

It would appear that Cisco have been introducing "APPLICATION LAYER GATEWAY AND TRANSLATION TYPE SUPPORT" since 11.3(4) with a lot of CallManager related items added in 12.1(5)T.

In 2004 Cisco introduced "NAT RTSP Support Using NBAR" in release 12.3(7)T ... which included "NAT—Static IP Support" for roaming users. This may explain why the error does not appear in 12.3(8)T ... i.e. the bug was finally fixed!

CAUTION: Because of memory restrictions in your router it may not be possible to upgrade to the 12.3(8)T image as well as installing SDM on the router.

Hope this helps.