Double the available NAT IP ports in Cisco CSR

julietv9
Level 1

Hello,

 

I have a Cisco CSR instance that has the following configured:

 

> Two SVTI tunnels that point to interface, Gigabit1

> Both the VTIs are "inside" NAT interfaces

> Gigabit1 is an "outside" NAT interface

> Route: ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 172.31.96.1

 

This configuration works as expected. It NATs all requests coming through the VTI to the Gigabit1 IP as it leaves the CSR.

 

However, since I have only 1 outside NAT interface, my NAT ports are limited to 65k. I expect much more traffic through the SVTIs and therefore would like to double the number of available NAT ports.

 

How do I do that? I tried using a NAT pool (with 2 random private IPs) and was able to see the pool IPs in "sh ip nat translations" when I did a curl to a public service from the remote host. But the remote host did not get any response and the curl request timed out.

 

Any help/advice is appreciated.

 

Current config:
 
interface Tunnel5
ip address 169.254.47.6 255.255.255.252
ip nat inside
ip tcp adjust-mss 1379
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 34.198.115.214
tunnel protection ipsec profile ipsec-vpn-097566dab48a2cb79-0
ip virtual-reassembly
!
interface VirtualPortGroup0
ip address 192.168.35.1 255.255.255.0
ip nat inside
no mop enabled
no mop sysid
!
interface GigabitEthernet1
ip flow monitor PUBLIC_GigabitEthernet_Monitor input
ip flow monitor PUBLIC_GigabitEthernet_Monitor output
ip address 172.31.107.230 255.255.240.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
 
!
router bgp 65001
bgp log-neighbor-changes
neighbor 169.254.47.5 remote-as 7224
neighbor 169.254.47.5 timers 10 30 30
!
address-family ipv4
  network 0.0.0.0
  neighbor 169.254.47.5 activate
  neighbor 169.254.47.5 default-originate
  neighbor 169.254.47.5 soft-reconfiguration inbound
exit-address-family
!
!
 
ip nat pool nat-pool 172.31.96.2 172.31.96.2 prefix-length 20
ip nat inside source list GS_NAT_ACL pool nat-pool overload
ip nat inside source list IP_Whitelist pool nat-pool overload
 
ip nat outside source static 18.214.135.244 207.171.165.150
ip nat outside source static 18.233.218.226 207.171.165.149
 
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 172.31.96.1
!
 
ip access-list extended IP_Whitelist
permit ip any host 18.204.60.31
 
ip access-list standard GS_NAT_ACL
permit 192.0.0.0 0.255.255.255
permit 10.0.0.0 0.0.255.255
!
 
Output of “sh ip route”:
 
Gateway of last resort is 172.31.96.1 to network 0.0.0.0
 
S*    0.0.0.0/0 [1/0] via 172.31.96.1, GigabitEthernet1
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
B        10.0.0.0/16 [20/100] via 169.254.47.5, 00:25:22
      169.254.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        169.254.47.4/30 is directly connected, Tunnel5
L        169.254.47.6/32 is directly connected, Tunnel5
      172.31.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.31.96.0/20 is directly connected, GigabitEthernet1
L        172.31.96.2/32 is directly connected, GigabitEthernet1
L        172.31.107.230/32 is directly connected, GigabitEthernet1
      192.168.35.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.35.0/24 is directly connected, VirtualPortGroup0
L        192.168.35.1/32 is directly connected, VirtualPortGroup0
 
Output of “sh ip nat translations”:
 
Pro  Inside global         Inside local          Outside local         Outside global
---  ---                   ---                   207.171.165.150       18.214.135.244       
---  ---                   ---                   207.171.165.149       18.233.218.226       
tcp  172.31.96.2:516       10.0.185.235:23       156.194.177.198:23392 156.194.177.198:23392
tcp  172.31.96.2:8088      10.0.185.235:8088     94.177.247.154:57956  94.177.247.154:57956
udp  172.31.96.2:512       10.0.185.235:123      74.82.59.149:123      74.82.59.149:123
udp  172.31.96.2:512       10.0.185.235:123      74.122.204.3:123      74.122.204.3:123
tcp  172.31.96.2:517       10.0.185.235:143      122.228.10.51:34429   122.228.10.51:34429
tcp  172.31.96.2:52678     10.0.185.235:52678    18.204.60.31:80       18.204.60.31:80
tcp  172.31.96.2:515       10.0.185.235:22       185.143.223.202:56029 185.143.223.202:56029
tcp  172.31.96.2:14009     10.0.185.235:14009    5.101.40.252:40474    5.101.40.252:40474
tcp  172.31.96.2:8088      10.0.185.235:8088     205.185.122.121:49583 205.185.122.121:49583
udp  172.31.96.2:512       10.0.185.235:123      184.105.182.16:123    184.105.182.16:123
Total number of translations: 12

 

Thanks,

Juliet
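As an added example (not Cisco code and not the poster's), here is a small Python checker for the two outputs pasted above. It parses "sh ip nat translations" and "sh ip route", counts how much of the 65535-port PAT space each inside-global address is consuming, and checks that every inside-global address actually lies in the outside interface's connected subnet, which is the condition a pool address must meet before return traffic can reach the router (note that the pool in the posted config, 172.31.96.2 to 172.31.96.2, spans a single address and so adds no ports over a plain interface overload). The sample tables are constructed in the shape of the post's output; the last NAT row with pool address 10.99.0.7 and peer 203.0.113.10 is made up to show the out-of-subnet case.

```python
"""Report PAT port consumption per inside-global address from IOS-XE
'show ip nat translations' text, and flag inside-global addresses that are not
in the outside interface's connected subnet (taken from 'show ip route').

Added example for this thread; not Cisco code and not the poster's.
Assumptions: the IOS-XE column layout shown in the post, and a 65535-port
space per address (port_limit).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the post's "sh ip nat translations".
# The final tcp row is made up: pool address 10.99.0.7 is outside the
# GigabitEthernet1 subnet, so nothing upstream would hand its replies back.
NAT_TABLE = """\
Pro  Inside global         Inside local          Outside local         Outside global
---  ---                   ---                   207.171.165.150       18.214.135.244
tcp  172.31.96.2:516       10.0.185.235:23       156.194.177.198:23392 156.194.177.198:23392
tcp  172.31.96.2:8088      10.0.185.235:8088     94.177.247.154:57956  94.177.247.154:57956
udp  172.31.96.2:512       10.0.185.235:123      74.82.59.149:123      74.82.59.149:123
udp  172.31.96.2:512       10.0.185.235:123      74.122.204.3:123      74.122.204.3:123
tcp  172.31.96.2:515       10.0.185.235:22       185.143.223.202:56029 185.143.223.202:56029
tcp  10.99.0.7:1024        10.0.185.236:443      203.0.113.10:44321    203.0.113.10:44321
Total number of translations: 7
"""

# Constructed sample in the shape of the post's "sh ip route".
ROUTE_TABLE = """\
S*    0.0.0.0/0 [1/0] via 172.31.96.1, GigabitEthernet1
C        172.31.96.0/20 is directly connected, GigabitEthernet1
L        172.31.107.230/32 is directly connected, GigabitEthernet1
C        192.168.35.0/24 is directly connected, VirtualPortGroup0
"""

# Dynamic rows start with a protocol; static entries show '---' and are skipped.
DYNAMIC_ROW = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)"
)
CONNECTED_ROW = re.compile(
    r"^C\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+) is directly connected, (?P<intf>\S+)"
)


def split_endpoint(token):
    """'172.31.96.2:516' -> (IPv4Address, 516); a bare address gets port None."""
    addr, sep, port = token.rpartition(":")
    if not sep:
        return ipaddress.ip_address(token), None
    return ipaddress.ip_address(addr), int(port)


def parse_translations(text):
    """Return the dynamic (PAT) rows as dicts; header, '---' and 'Total' lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = DYNAMIC_ROW.match(line)
        if not m:
            continue
        rows.append({
            "proto": m["proto"],
            "inside_global": split_endpoint(m["ig"]),
            "inside_local": split_endpoint(m["il"]),
            "outside_local": split_endpoint(m["ol"]),
            "outside_global": split_endpoint(m["og"]),
        })
    return rows


def connected_subnets(route_text, interface):
    """Prefixes the routing table lists as directly connected on `interface`."""
    nets = []
    for line in route_text.splitlines():
        m = CONNECTED_ROW.match(line)
        if m and m["intf"] == interface:
            nets.append(ipaddress.ip_network(m["prefix"]))
    return nets


def pat_report(nat_text, route_text, outside_interface, port_limit=65535):
    """Per inside-global address: distinct (proto, port) pairs in use, the share of
    the port space that represents, and whether the address is in the outside subnet.

    A global port is counted once even when IOS reuses it towards several
    destinations (the udp :512 rows above), because it occupies one slot of the
    per-address port space; counting rows would overstate consumption."""
    subnets = connected_subnets(route_text, outside_interface)
    used = defaultdict(set)
    for row in parse_translations(nat_text):
        ip, port = row["inside_global"]
        used[ip].add((row["proto"], port))
    return {
        str(ip): {
            "ports_in_use": len(pairs),
            "utilization": len(pairs) / port_limit,
            "in_outside_subnet": any(ip in n for n in subnets),
        }
        for ip, pairs in used.items()
    }


if __name__ == "__main__":
    for addr, info in pat_report(NAT_TABLE, ROUTE_TABLE, "GigabitEthernet1").items():
        flag = "" if info["in_outside_subnet"] else "  <-- not in outside subnet; needs an upstream route back here"
        print(f"{addr}: {info['ports_in_use']} ports ({info['utilization']:.4%}){flag}")
```

Run it against a live "show ip nat translations" capture to see which pool addresses are carrying sessions and how close each one is to the per-address limit; a pool address flagged as outside the GigabitEthernet1 subnet will show translations being created (as the poster saw) while replies never arrive.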

1 Reply

Alex Pfeil
Level 7

You have to use some of the public IP addresses on the outside interface.

 

I believe this will fix the issue.

Please mark helpful posts.