11-29-2012 04:22 AM - edited 03-11-2019 05:30 PM
Hello,
I'm trying to hide an IP range that is allocated to approx 150 users behind a pool of 64 addresses. I'm looking at the following configuration to do this but have a concern:-
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 2.2.2.1 2.2.2.63
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
My concern is that once all 64 addresses have been allocated, any new connection attempts will fail? Thus leaving more than half of my users without access.
Is there a way to configure the NAT so that all the users are spread evenly across the IP pool?
Thanks
Andy
11-29-2012 05:34 AM
Hello Andy,
If the mapped pool has fewer addresses than the real group, which is your case, you could run out of addresses if the amount of traffic is more than expected.
Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.
Once the pool is exhausted the users will use PAT to get out to the Internet.
Example:
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 2.2.2.1 2.2.2.63
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj interface
Regards,
Juan Lombana
Please rate helpful posts.
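Added example, not part of the original posts and not Cisco code: a simplified Python model of the behaviour the reply above describes (one-to-one dynamic NAT from the pool, then PAT on the outside interface once the pool is exhausted), run for 150 inside hosts. The class and function names, the 150 constructed host addresses and the `outside-interface` label are assumptions made for illustration. Note that the range 2.2.2.1 to 2.2.2.63 contains 63 addresses.

```python
import ipaddress
from collections import Counter

def expand_range(first, last):
    """Every address in an ASA-style 'range first last' object, inclusive."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [ipaddress.ip_address(n) for n in range(lo, hi + 1)]

class DynamicNatWithPatFallback:
    """Simplified model: one-to-one dynamic NAT, then PAT on a fallback address."""

    def __init__(self, pool, fallback):
        self.free = list(pool)      # mapped addresses not yet handed out
        self.xlate = {}             # real host -> mapped address (one-to-one)
        self.fallback = fallback    # placeholder label for the interface address
        self.pat_hosts = set()      # hosts sharing the fallback address

    def translate(self, host):
        if host in self.xlate:
            return self.xlate[host]
        if host in self.pat_hosts:
            return self.fallback
        if self.free:
            self.xlate[host] = self.free.pop(0)
            return self.xlate[host]
        self.pat_hosts.add(host)    # pool exhausted: share the fallback address
        return self.fallback

    def release(self, host):
        """Translation timed out: a pool address goes back on the free list."""
        mapped = self.xlate.pop(host, None)
        if mapped is not None:
            self.free.append(mapped)
        self.pat_hosts.discard(host)

def simulate(user_count=150):
    pool = expand_range("2.2.2.1", "2.2.2.63")
    nat = DynamicNatWithPatFallback(pool, "outside-interface")
    base = ipaddress.ip_address("192.168.2.0")
    hosts = [base + i for i in range(1, user_count + 1)]   # constructed hosts
    seen = Counter(str(nat.translate(h)) for h in hosts)
    return len(pool), seen

if __name__ == "__main__":
    size, seen = simulate()
    print(f"pool size: {size}")
    print(f"hosts behind the interface PAT address: {seen['outside-interface']}")
```

In this model every host after the pool is used up appears to the remote side with the same source address, so per-user attribution for those hosts depends on the translation logs rather than on the source IP alone.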
11-29-2012 05:39 AM
Hi,
If you are configuring this NAT/PAT for Internet access (and just used the above to illustrate the situation), I'd also suggest you only use part of your allocated public IP address range for the NAT pool and leave some for future use for servers which need a static IP address.
EDIT: Most customer environments simply use only 1 of their public IP addresses for Internet traffic and reserve the rest for server use. The only situation where I remember using big NAT pools is when some software requires a unique source IP address for every host that is connecting. Otherwise PAT translation alone has been enough.
- Jouni
11-29-2012 06:37 AM
Hi,
Thanks for the replies.
This access is over a fixed link into a client site and not internet based.
I want to avoid loading the majority of users onto a single IP address:-
The reason for wanting to split the access evenly across all 64 IP addresses is so the client can then make load balancing decisions based on source IP blocks.
Is there a way to assign multiple PAT addresses (a PAT pool of addresses?)
Thanks
Andy
11-29-2012 08:52 AM
Andy,
Automatically the first 64 users will get an IP address; this is how it works when you use a pool, but when you use a single IP address (PAT) it automatically provides 64,000 translations.
So the answer is no, you cannot assign multiple PAT addresses when using a pool. You can configure both at the same time so that once the pool is exhausted it will use PAT.
Regards,
Juan Lombana
Please rate helpful posts.
11-29-2012 09:34 AM
Can you provide some additional information
For example
At the moment I think IF you are going to use private IP addresses towards the remote end, you should get a bigger address block on that connection to get to the situation you are after, which is getting every single user their own NAT IP address.