Spreading users across a NAT pool

Hello,

I'm trying to hide an IP range that is allocated to approx. 150 users behind a pool of 64 addresses. I'm looking at the following configuration to do this but have a concern:

hostname(config)# object network my-range-obj
hostname(config-network-object)# range 2.2.2.1 2.2.2.63
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj

My concern is that once all 64 addresses have been allocated, any new connection attempts will fail, leaving more than half of my users without access?

Is there a way to configure the NAT so that all the users are spread evenly across the IP pool?

Thanks

Andy

Participant

Spreading users across a NAT pool

Hello Andy,

If the mapped pool has fewer addresses than the real group, which is your case, you could run out of addresses if the amount of traffic is more than expected.

Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.

Once the pool is exhausted the users will use PAT to get out to the Internet.

Example:

hostname(config)# object network my-range-obj
hostname(config-network-object)# range 2.2.2.1 2.2.2.63
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj interface

Regards,

Juan Lombana

Please rate helpful posts.
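The behaviour described in this reply (a 1:1 dynamic pool that is handed out per host and, once empty, falls back to PAT on the interface address) can be checked numerically before touching the firewall. The following is an added Python simulation written for this thread; it is not part of the original posts and not Cisco code. It assumes the constructed pool 2.2.2.1-2.2.2.63 and an assumed outside interface address of 2.2.2.64 standing in for the "interface" keyword, and it sends one connection per inside host to show how many hosts get their own address, how many land on the single PAT address, and how many are refused when no PAT fallback is configured.

```python
"""Added simulation of ASA-style dynamic NAT with optional interface-PAT fallback."""
from collections import deque
import ipaddress


class PoolExhausted(Exception):
    """Raised when no mapped address is left and no PAT fallback exists."""


class DynamicNat:
    """One-to-one dynamic NAT from a mapped pool, with optional PAT fallback.

    Mapped addresses are allocated per real host and held until released
    (xlate timeout). When the pool is empty, a connection is translated to
    (pat_ip, unique port) if a PAT address was given, otherwise it is refused.
    """

    def __init__(self, pool_first, pool_last, pat_ip=None):
        first = int(ipaddress.IPv4Address(pool_first))
        last = int(ipaddress.IPv4Address(pool_last))
        self.free = deque(str(ipaddress.IPv4Address(a)) for a in range(first, last + 1))
        self.pool_size = len(self.free)
        self.host_map = {}          # real host -> mapped address (1:1 entries)
        self.pat_ip = pat_ip
        self.next_pat_port = 1024   # assumed starting port for PAT allocations
        self.pat_xlates = {}        # (real host, real port) -> mapped port

    def translate(self, real_host, real_port):
        """Return the (mapped_ip, mapped_port) a new connection would use."""
        if real_host in self.host_map:                 # host already holds a pool address
            return self.host_map[real_host], real_port
        if self.free:                                  # pool not yet exhausted
            mapped = self.free.popleft()
            self.host_map[real_host] = mapped
            return mapped, real_port                   # address-only translation keeps the port
        if self.pat_ip is None:
            raise PoolExhausted(f"no mapped address left for {real_host}")
        key = (real_host, real_port)                   # PAT: one port per connection
        if key not in self.pat_xlates:
            self.pat_xlates[key] = self.next_pat_port
            self.next_pat_port += 1
        return self.pat_ip, self.pat_xlates[key]

    def release(self, real_host):
        """Drop a host's 1:1 entry (what an xlate timeout does), freeing the address."""
        mapped = self.host_map.pop(real_host, None)
        if mapped is not None:
            self.free.append(mapped)


def simulate(n_hosts, pool_first, pool_last, pat_ip=None, subnet="192.168.2.0/24"):
    """Send one connection from each of n_hosts and summarise how they were translated."""
    nat = DynamicNat(pool_first, pool_last, pat_ip)
    hosts = [str(h) for h in ipaddress.IPv4Network(subnet).hosts()][:n_hosts]
    summary = {"one_to_one": 0, "pat": 0, "refused": 0, "mapped_ips_in_use": set()}
    for i, host in enumerate(hosts):
        try:
            mapped_ip, _ = nat.translate(host, 40000 + i)   # constructed source ports
        except PoolExhausted:
            summary["refused"] += 1
            continue
        summary["mapped_ips_in_use"].add(mapped_ip)
        if mapped_ip == pat_ip:
            summary["pat"] += 1
        else:
            summary["one_to_one"] += 1
    summary["mapped_ips_in_use"] = len(summary["mapped_ips_in_use"])
    return summary


if __name__ == "__main__":
    # Pool only: the 64th host onwards is refused.
    print(simulate(150, "2.2.2.1", "2.2.2.63"))
    # Pool plus interface PAT (assumed outside address 2.2.2.64): nobody is refused,
    # but every host beyond the pool shares one mapped address.
    print(simulate(150, "2.2.2.1", "2.2.2.63", pat_ip="2.2.2.64"))
```

Running it shows the two outcomes the thread is weighing: with the pool alone, 63 hosts are translated and 87 are refused; with the interface fallback added, the same 63 keep their own address and the remaining 87 are all squeezed onto the one PAT address, which is exactly the uneven spread the original poster wants to avoid.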

Mentor

Re: Spreading users across a NAT pool

Hi,

If you are configuring this NAT/PAT for Internet access (and just used the above to illustrate the situation), I'd also suggest you only use part of your allocated public IP address range for the NAT pool and leave some for future use by servers which need a static IP address.

EDIT: Most customer environments simply use only 1 of their public IP addresses for Internet traffic and reserve the rest for server use. The only situation where I remember using big NAT pools is when some software requires a unique source IP address for every host that is connecting. Otherwise PAT translation alone has been enough.

- Jouni

Spreading users across a NAT pool

Hi,

Thanks for the replies.

This access is over a fixed link into a client site and not internet based.

I want to avoid loading the majority of users onto a single IP address:

The reason for wanting to split the access evenly across all 64 IP addresses is so the client can then make load balancing decisions based on source IP blocks.

Is there a way to assign multiple PAT addresses (a PAT pool of addresses)?

Thanks

Andy

Participant

Spreading users across a NAT pool

Andy,

Automatically the first 64 users will get an IP address; this is how it works when you use a pool, but when you use a single IP address (PAT) it automatically provides 64,000 translations.

So the answer is no, you cannot assign multiple PAT addresses when using a pool. You can configure both at the same time so once the pool is exhausted it will use PAT.

Regards,

Juan Lombana

Please rate helpful posts.

Mentor

Spreading users across a NAT pool

Can you provide some additional information?

For example:

  • Is the remote end providing some service over web for you? (Even though not going through public network as you stated)
  • Have they assigned the 64 IP address block to you to keep their other customers' networks from overlapping?
  • Are the 64 IP addresses the maximum size address block you can use for this link, or could it be grown bigger?
    • I assume you are going to use private IP addresses or?
  • What is the subnet size on your side that is going to use the connection? You said 150 users, are they all perhaps in a /24 sized network?
  • Are you configuring this NAT for a L2L VPN perhaps? (example configuration mentions "outside" interface)

At the moment I think IF you are going to use private IP addresses towards the remote end, you should get a bigger address block on that connection to get to the situation you are after, which is getting every single user their own NAT IP address.
