PAT Limits??

stevebrockleank
Level 1

Hi,

I have a problem at present when trying to migrate an existing A1(6.3a) version configuration to a new A2(3.5) version.

As a bit of background we have an ACE performing a Large Scale NAT solution, users from 10/8 go out to the Internet on a public PAT IP range

At present I have the following configured under a vlan (I've masked some IPs here and changed the public PAT range to a 192.168.x.x)

Existing A1(6.3a) configuration

interface vlan 160
  description Outside_NAT
  ip address x.x.x.x 255.255.255.192
  alias x.x.x.x 255.255.255.192
  peer ip address x.x.x.x 255.255.255.192
  access-group input ALL_IN

  nat-pool 1 192.168.120.1 192.168.120.32 netmask 255.255.255.255 pat
  nat-pool 1 192.168.120.33 192.168.120.64 netmask 255.255.255.255 pat
  nat-pool 1 192.168.120.65 192.168.120.96 netmask 255.255.255.255 pat
  nat-pool 1 192.168.120.97 192.168.120.128 netmask 255.255.255.255 pat
  nat-pool 1 192.168.120.129 192.168.120.160 netmask 255.255.255.255 pat
  nat-pool 1 192.168.120.161 192.168.120.192 netmask 255.255.255.255 pat
  nat-pool 1 192.168.120.193 192.168.120.224 netmask 255.255.255.255 pat
  nat-pool 1 192.168.120.225 192.168.120.255 netmask 255.255.255.255 pat
  nat-pool 1 192.168.121.1 192.168.121.32 netmask 255.255.255.255 pat
  nat-pool 1 192.168.121.33 192.168.121.64 netmask 255.255.255.255 pat
  nat-pool 1 192.168.121.65 192.168.121.96 netmask 255.255.255.255 pat
  nat-pool 1 192.168.121.97 192.168.121.128 netmask 255.255.255.255 pat
  nat-pool 1 192.168.121.129 192.168.121.160 netmask 255.255.255.255 pat
  nat-pool 1 192.168.121.161 192.168.121.192 netmask 255.255.255.255 pat
  nat-pool 1 192.168.121.193 192.168.121.224 netmask 255.255.255.255 pat
  nat-pool 1 192.168.121.225 192.168.121.255 netmask 255.255.255.255 pat
  nat-pool 1 192.168.122.1 192.168.122.32 netmask 255.255.255.255 pat
  nat-pool 1 192.168.122.33 192.168.122.64 netmask 255.255.255.255 pat
  nat-pool 1 192.168.122.65 192.168.122.96 netmask 255.255.255.255 pat
  nat-pool 1 192.168.122.97 192.168.122.128 netmask 255.255.255.255 pat
  nat-pool 1 192.168.122.129 192.168.122.160 netmask 255.255.255.255 pat
  nat-pool 1 192.168.122.161 192.168.122.192 netmask 255.255.255.255 pat
  nat-pool 1 192.168.122.193 192.168.122.224 netmask 255.255.255.255 pat
  nat-pool 1 192.168.122.225 192.168.122.255 netmask 255.255.255.255 pat
  nat-pool 1 192.168.123.1 192.168.123.32 netmask 255.255.255.255 pat
  nat-pool 1 192.168.123.33 192.168.123.64 netmask 255.255.255.255 pat
  nat-pool 1 192.168.123.65 192.168.123.96 netmask 255.255.255.255 pat
  nat-pool 1 192.168.123.97 192.168.123.128 netmask 255.255.255.255 pat
  nat-pool 1 192.168.123.129 192.168.123.160 netmask 255.255.255.255 pat
  nat-pool 1 192.168.123.161 192.168.123.192 netmask 255.255.255.255 pat
  nat-pool 1 192.168.123.193 192.168.123.224 netmask 255.255.255.255 pat
  nat-pool 1 192.168.123.225 192.168.123.255 netmask 255.255.255.255 pat
  nat-pool 1 192.168.124.1 192.168.124.32 netmask 255.255.255.255 pat
  nat-pool 1 192.168.124.33 192.168.124.64 netmask 255.255.255.255 pat
  nat-pool 1 192.168.124.65 192.168.124.96 netmask 255.255.255.255 pat
  nat-pool 1 192.168.124.97 192.168.124.128 netmask 255.255.255.255 pat
  nat-pool 1 192.168.124.129 192.168.124.160 netmask 255.255.255.255 pat
  nat-pool 1 192.168.124.161 192.168.124.192 netmask 255.255.255.255 pat
  nat-pool 1 192.168.124.193 192.168.124.224 netmask 255.255.255.255 pat
  nat-pool 1 192.168.124.225 192.168.124.255 netmask 255.255.255.255 pat
  nat-pool 1 192.168.125.1 192.168.125.32 netmask 255.255.255.255 pat
  nat-pool 1 192.168.125.33 192.168.125.64 netmask 255.255.255.255 pat
  nat-pool 1 192.168.125.65 192.168.125.96 netmask 255.255.255.255 pat
  nat-pool 1 192.168.125.97 192.168.125.128 netmask 255.255.255.255 pat
  nat-pool 1 192.168.125.129 192.168.125.160 netmask 255.255.255.255 pat
  nat-pool 1 192.168.125.161 192.168.125.192 netmask 255.255.255.255 pat
  nat-pool 1 192.168.125.193 192.168.125.224 netmask 255.255.255.255 pat
  nat-pool 1 192.168.125.225 192.168.125.255 netmask 255.255.255.255 pat
  nat-pool 1 192.168.126.1 192.168.126.32 netmask 255.255.255.255 pat
  nat-pool 1 192.168.126.33 192.168.126.64 netmask 255.255.255.255 pat
  nat-pool 1 192.168.126.65 192.168.126.96 netmask 255.255.255.255 pat
  nat-pool 1 192.168.126.97 192.168.126.128 netmask 255.255.255.255 pat
  nat-pool 1 192.168.126.129 192.168.126.160 netmask 255.255.255.255 pat
  nat-pool 1 192.168.126.161 192.168.126.192 netmask 255.255.255.255 pat
  nat-pool 1 192.168.126.193 192.168.126.224 netmask 255.255.255.255 pat
  nat-pool 1 192.168.126.225 192.168.126.255 netmask 255.255.255.255 pat
  nat-pool 1 192.168.127.1 192.168.127.32 netmask 255.255.255.255 pat
  nat-pool 1 192.168.127.33 192.168.127.64 netmask 255.255.255.255 pat
  nat-pool 1 192.168.127.65 192.168.127.96 netmask 255.255.255.255 pat
  nat-pool 1 192.168.127.97 192.168.127.128 netmask 255.255.255.255 pat
  nat-pool 1 192.168.127.129 192.168.127.160 netmask 255.255.255.255 pat
  nat-pool 1 192.168.127.161 192.168.127.192 netmask 255.255.255.255 pat
  nat-pool 1 192.168.127.193 192.168.127.224 netmask 255.255.255.255 pat
  nat-pool 1 192.168.127.225 192.168.127.255 netmask 255.255.255.255 pat

However when trying to configure this on the A2(3.5) code, I get the following error

(config-if)#   nat-pool 1 192.168.120.1 192.168.120.32 netmask 255.255.255.255 pat
(config-if)#   nat-pool 1 192.168.120.33 192.168.120.64 netmask 255.255.255.255 pat
(config-if)#   nat-pool 1 192.168.120.65 192.168.120.96 netmask 255.255.255.255 pat
Error: Cumulative number of addresses in the pool exceed the limit of 64 for PAT
(config-if)#   nat-pool 1 192.168.120.97 192.168.120.128 netmask 255.255.255.255 pat
Error: Cumulative number of addresses in the pool exceed the limit of 64 for PAT

This seems to refer to the NAT limit of 64 and not the PAT limit which I understood to be 63k

(taken from here: Security-Related Limits, http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_ACE_Resource_Limits)

If anyone can help point me in the correct direction or to a way to get around this error I'd be very grateful, as I can't seem to find any documentation that explains any difference in behavior between these two releases.

Thanks

Steve

4 Replies

gaursin2
Level 1

Hi Steve,

The limit of cumulative IP addresses per PAT pool is 64 (including continuous and non-continuous IP addresses). For a NAT pool it is 63K (the reverse of what is mentioned in the wiki document).

So the current solution to your problem can be creating separate PAT pools, each of size 64 addresses.

Hi Gaurav,

Thanks for your reply. Do you see a problem with our original A1(6.3a) config version? I'm now wondering if it's a bug in the code that allowed us to enter the additional lines, but perhaps they aren't even being used?

After further reading it suggests each PAT IP can support about 63k connections, so even just using 64 IPs in a PAT pool could provide us with about 4 million connections (which is the limit on the ACE anyway). It may therefore seem that the original configuration was vastly over-specified in terms of the amount of IPs allocated to the PAT pools. Does this seem correct or have I interpreted this wrong?

Thanks again for your assistance
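The cumulative check that the A2(3.5) CLI applies, the "separate pools of 64" workaround from Gaurav's reply, and the rough capacity sum from Steve's reply, as an added Python example. This is not code from the thread or from Cisco; it only emulates the CLI's counting rule as the posts describe it. The sample config is constructed to reproduce the pattern of the original post (eight /24s carved into 32-address ranges under pool id 1), and the ~63k connections per PAT address is the thread's rough figure, used here as an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Limits as stated in the thread (assumptions, not taken from an ACE manual):
# A2(3.5) rejects a nat-pool line once the cumulative PAT address count for
# one pool id exceeds 64; each PAT address handles roughly 63k connections.
PAT_POOL_ADDR_LIMIT = 64
CONNS_PER_PAT_ADDR = 63_000  # rough figure from the thread, assumption

NAT_POOL_RE = re.compile(
    r"^\s*nat-pool\s+(?P<pool>\d+)\s+(?P<start>\S+)\s+(?P<end>\S+)"
    r"\s+netmask\s+(?P<mask>\S+)(?P<pat>\s+pat)?\s*$"
)


def parse_nat_pools(config_text):
    """Return (pool_id, start, end, is_pat) for every nat-pool line; other lines are ignored."""
    pools = []
    for line in config_text.splitlines():
        m = NAT_POOL_RE.match(line)
        if not m:
            continue
        start = ipaddress.IPv4Address(m["start"])
        end = ipaddress.IPv4Address(m["end"])
        if end < start:
            raise ValueError(f"range end precedes start: {line.strip()}")
        pools.append((int(m["pool"]), start, end, m["pat"] is not None))
    return pools


def check_pat_limits(pools, limit=PAT_POOL_ADDR_LIMIT):
    """Emulate the CLI check: the running total of PAT addresses per pool id must stay <= limit.
    Returns (totals per pool id, indices of the nat-pool lines the CLI would reject)."""
    totals = defaultdict(int)
    rejected = []
    for idx, (pool_id, start, end, is_pat) in enumerate(pools):
        if not is_pat:
            continue
        totals[pool_id] += int(end) - int(start) + 1
        if totals[pool_id] > limit:
            rejected.append(idx)
    return dict(totals), rejected


def split_into_pat_pools(pools, limit=PAT_POOL_ADDR_LIMIT, first_pool_id=1):
    """Re-emit every PAT address as separate pools of at most `limit` addresses each
    (the workaround suggested in the thread). Gaps inside a chunk produce several
    nat-pool lines under the same pool id, so the per-pool total is still <= limit."""
    addrs = sorted({n for _, s, e, pat in pools if pat for n in range(int(s), int(e) + 1)})
    lines = []
    pool_id = first_pool_id
    for i in range(0, len(addrs), limit):
        chunk = addrs[i:i + limit]
        run_start = prev = chunk[0]
        for n in chunk[1:] + [None]:  # None flushes the final run of the chunk
            if n is not None and n == prev + 1:
                prev = n
                continue
            lines.append(f"  nat-pool {pool_id} {ipaddress.IPv4Address(run_start)} "
                         f"{ipaddress.IPv4Address(prev)} netmask 255.255.255.255 pat")
            run_start = prev = n
        pool_id += 1
    return lines


def estimate_pat_capacity(n_addrs, per_addr=CONNS_PER_PAT_ADDR):
    """Rough connection budget of a PAT pool: addresses times the per-address figure."""
    return n_addrs * per_addr


def sample_config():
    """Constructed sample reproducing the original post's layout: 192.168.120.0/24 to
    192.168.127.0/24, each split into .1-.32, .33-.64, ..., .225-.255 under pool id 1."""
    lines = []
    for third in range(120, 128):
        for lo in range(1, 256, 32):
            hi = min(lo + 31, 255)
            lines.append(f"  nat-pool 1 192.168.{third}.{lo} 192.168.{third}.{hi} "
                         f"netmask 255.255.255.255 pat")
    return "\n".join(lines)


if __name__ == "__main__":
    pools = parse_nat_pools(sample_config())
    totals, rejected = check_pat_limits(pools)
    print(f"pool 1 holds {totals[1]} PAT addresses; CLI rejects from line {rejected[0] + 1} on")
    fixed = split_into_pat_pools(pools)
    print(f"re-split into {len(set(p[0] for p in parse_nat_pools(chr(10).join(fixed))))} pools:")
    print("\n".join(fixed[:4]), "\n  ...")
    print(f"64 PAT addresses ~ {estimate_pat_capacity(64):,} connections")
```

Run against the config pasted in the question, the check rejects the third nat-pool line, which is exactly where the A2(3.5) CLI started erroring; the re-split output keeps every address but never puts more than 64 under one pool id.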

Hi Steve,

Your interpretation is correct. In fact I found a bug which says something like this: "CLI not respecting the 64 IP limit in PAT pool", but the affected versions didn't show yours (maybe because A1 was quite an old release).

Anyway, I am also looking for any documentation bug to correct what is mentioned in the wiki.

Regards,

Hi Steve,

Here you have this bug: CSCtd23684. In addition to that, your version is very old.

For A4 series, the latest version is: A4(2.3)

For A5 series, the latest version is: A5(1.2)

Your current version is not even on the software download page. Any time you have an old version, you are more exposed to bugs, so the recommendation is to run one of the latest releases, which have most of the bugs fixed.

Hope this helps.

Jorge
