Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1202
Views
5
Helpful
6
Replies

Problem with NAT pools

Go to solution
ddmt
Level 1
Level 1

‎06-23-2022 04:20 AM

Hello,

 

Cisco C6816-X-LE Version 15.2(2)SY2.

 

Question about NAT pools.

 

I have a NAT pool of 25 public IP addresses to translate a dozen of internal C subnets.

I analyzed the output of  the "show ip nat translations" command and I see a strange behaviour:

- The first address of the pool is not used

- The second address of the pool has more than 30.000 hits

- The remaing addresses have 15-30 hits each

Is this normal?

Is there a way to balance the translations load between the global addresses without breaking out the pool in smaller pieces?

Thanks in advance and have a nice day.

Dan

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to ddmt

‎06-27-2022 10:10 AM

[Id: 1] access-list 6 pool lan-natpool refcount 59000<<-
pool lan-natpool: netmask 255.255.255.0
start x.y.z.29 end x.y.z.57
type generic, total addresses 29, allocated 28 (96%), misses 0

 

according to doc. below from cisco, 
where the PAT pool move form one to other IP in IP address Pool, 

the first IP address will be use until the traffic port source can not PAT anymore, 
for UDP the range for PAT port available is from 1-1024 
for TCP the range for PAT port available is from 1024-65500


let assume that the traffic is UDP, the router search the and assign port form range 1-1024 if there is not port available the router will go to next IP in PAT POOL and also do same search for PAT port available if not found .........until last IP in PAT POOL.

in your case I think that a lot of your traffic is UDP and UDP port unavailable so the router use many IP address from IP PAT POOL.

 

 

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html

 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
MHM Cisco World
VIP
VIP

‎06-23-2022 05:12 AM

I think this multi issue not one, 

first are you use net mask or prefix ?? if Yes then check if net mask or prefix include the first IP in Pool

second are you config overload ?? overload meaning the PORT will be translate from inside Local->Inside global, and hence one IP will use until the port is missing then the NAT will select second IP from Pool ......

how I can check this 
you must check the NAT  table entry see the different IP address have same PORT or not. 

 

0 Helpful

Go to solution
ddmt
Level 1
Level 1
In response to MHM Cisco World

‎06-23-2022 06:11 AM

Hello,

thank for your answers.

The netmask includes the first IP in pool:

ip nat pool lan-natpool x.y.z.29 x.y.z.57 netmask 255.255.255.0

Overload is configured:

ip nat inside source list 6 pool lan-natpool overload

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to ddmt

‎06-23-2022 06:25 AM

can you share output (note:- please hide the public ip)
show ip nat statistics

0 Helpful

Go to solution
ddmt
Level 1
Level 1
In response to MHM Cisco World

‎06-23-2022 06:47 AM

Total active translations: 72531 (0 static, 72531 dynamic; 72502 extended)
Outside interfaces:
TenGigabitEthernet1/1
Inside interfaces:
TenGigabitEthernet1/8
Hits: 277754825 Misses: 0
CEF Translated packets: 275605073, CEF Punted packets: 2186036
Expired translations: 1221450
Dynamic mappings:
-- Inside Source
[Id: 11] access-list 4 pool natpool-single refcount 23
pool natpool-single: netmask 255.255.255.0
start x.y.z.28 end x.y.z.28
type generic, total addresses 1, allocated 1 (100%), misses 0
[Id: 1] access-list 6 pool lan-natpool refcount 59000
pool lan-natpool: netmask 255.255.255.0
start x.y.z.29 end x.y.z.57
type generic, total addresses 29, allocated 28 (96%), misses 0
[Id: 2] access-list 7 pool natpool-anon refcount 1800
pool natpool-anon: netmask 255.255.255.0
start x.y.z.58 end x.y.z.59
type generic, total addresses 2, allocated 1 (50%), misses 0
[Id: 3] access-list 8 pool natpool-wifi refcount 14711
pool natpool-wifi: netmask 255.255.255.0
start x.y.z.60 end x.y.z.61
type generic, total addresses 2, allocated 1 (50%), misses 0
[Id: 4] access-list 9 pool natpool-dynamics refcount 18325
pool natpool-dynamics: netmask 255.255.255.0
start x.y.z.62 end x.y.z.64
type generic, total addresses 3, allocated 2 (66%), misses 0

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to ddmt

‎06-27-2022 10:10 AM

[Id: 1] access-list 6 pool lan-natpool refcount 59000<<-
pool lan-natpool: netmask 255.255.255.0
start x.y.z.29 end x.y.z.57
type generic, total addresses 29, allocated 28 (96%), misses 0

 

according to doc. below from cisco, 
where the PAT pool move form one to other IP in IP address Pool, 

the first IP address will be use until the traffic port source can not PAT anymore, 
for UDP the range for PAT port available is from 1-1024 
for TCP the range for PAT port available is from 1024-65500


let assume that the traffic is UDP, the router search the and assign port form range 1-1024 if there is not port available the router will go to next IP in PAT POOL and also do same search for PAT port available if not found .........until last IP in PAT POOL.

in your case I think that a lot of your traffic is UDP and UDP port unavailable so the router use many IP address from IP PAT POOL.

 

 

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html

 

0 Helpful

Go to solution
ddmt
Level 1
Level 1
In response to MHM Cisco World

‎06-28-2022 04:47 AM

Thanks for your explanation

0 Helpful
Customers Also Viewed These Support Documents