adaguila
Cisco Employee

There doesn't seem to be enough information on what the "ip nat translation timeout" command really does in NAT public documentation:

http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

Cisco IOS Network Address Translation Overview

• Configuring translation timeouts

ip nat translation timeout <seconds>

Dynamic translations time out after a period of non-use. When port translation is not configured, translation entries time out after 24 hours. This time can be adjusted with the above command or the following variations:

ip nat translation udp-timeout <seconds>

ip nat translation dns-timeout <seconds>

ip nat translation tcp-timeout <seconds>

ip nat translation finrst-timeout <seconds>

When port translation is configured, there is finer control over translation entry timeouts, because each entry contains more context about the traffic using it. Non-DNS UDP translations time out after 5 minutes; DNS times out in 1 minute. TCP translations time out after 24 hours, unless a RST or FIN is seen on the stream, in which case it times out in 1 minute.

********************************************************************************************

The command "ip nat translation timeout" only modifies the "half-entry" timeout, AND even if the half-entry has timed out, it will NOT get deleted until ALL child entries have expired.

In other words, it does NOT control the more specific TCP, UDP or ICMP timeouts.

A Half-Entry is created when an address of the pool is first used. For example, let's take a look at this configuration:

access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat pool TEST 1.1.1.1 1.1.1.10 netmask 255.255.255.0
ip nat inside source list 100 pool TEST

When there's no traffic from the LAN going out to the "Internet", the translation table looks like this:

R3#sh ip nat trans
R3#

Completely empty. Then, let's initiate a ping from host 192.168.1.2 out to 64.64.64.1 and check the table:

R3#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:3         192.168.1.2:3      64.64.64.1:3       64.64.64.1:3
--- 1.1.1.1            192.168.1.2        ---                ---

After that, let's initiate a Telnet session, and check again:

R3#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:3         192.168.1.2:3      64.64.64.1:3       64.64.64.1:3
tcp 1.1.1.1:17895      192.168.1.2:17895  64.64.64.1:23      64.64.64.1:23
--- 1.1.1.1            192.168.1.2        ---                ---

The Half-Entry is:

--- 1.1.1.1            192.168.1.2        ---                ---

And the Child-Entries are:

icmp 1.1.1.1:3         192.168.1.2:3      64.64.64.1:3       64.64.64.1:3
tcp 1.1.1.1:17895      192.168.1.2:17895  64.64.64.1:23      64.64.64.1:23

Having said that, the "ip nat translation timeout" command controls the Half-Entry timeout. Here's the default value:

R3#sh ip nat trans verbose
Pro Inside global      Inside local       Outside local      Outside global
--- 1.1.1.1            192.168.1.2        ---                ---
    create 00:02:12, use 00:01:32 timeout:86400000, left 23:58:27, Map-Id(In): 1,
    flags: none, use_count: 0, entry-id: 9, lc_entries: 0

As you can see, its default timeout is 24 hours: 86400000 (the value is in milliseconds). If we were to change it to 900 sec with "ip nat translation timeout 900", it would display the following:

R3#sh ip nat trans verbose
Pro Inside global      Inside local       Outside local      Outside global
--- 1.1.1.1            192.168.1.2        ---                ---
    create 00:00:03, use 00:00:03 timeout:900000, left 00:14:56, Map-Id(In): 1,
    flags: none, use_count: 1, entry-id: 12, lc_entries: 0

It changed from 86400000 to 900000. Let's say we initiate a TCP session and check the timers:

R3(config)#do sh ip nat trans verbo
Pro Inside global      Inside local       Outside local      Outside global
tcp 1.1.1.1:58209      192.168.1.2:58209  64.64.64.1:23      64.64.64.1:23
    create 00:00:10, use 00:00:07 timeout:86400000, left 00:00:52, Map-Id(In): 1,
    flags: extended, timing-out, use_count: 0, entry-id: 15, lc_entries: 0
--- 1.1.1.1            192.168.1.2        ---                ---
    create 00:00:10, use 00:00:10 timeout:900000, left 00:14:49, Map-Id(In): 1,
    flags: none, use_count: 1, entry-id: 14, lc_entries: 0

As you can see, the Half-Entry timeout is 900000 while the TCP session timeout is 86400000. If we were to use the more specific TCP timeout command, we'd see the TCP timeout change as well.

Additionally, a Half-Entry gets created for each address that gets used from the pool. Here's what the table looks like when we initiate traffic from another LAN host, 192.168.1.3:

R3#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:2         192.168.1.2:2      64.64.64.1:2       64.64.64.1:2
tcp 1.1.1.1:14835      192.168.1.2:14835  64.64.64.1:23      64.64.64.1:23
--- 1.1.1.1            192.168.1.2        ---                ---
udp 1.1.1.2:55368      192.168.1.3:55368  64.64.64.1:69      64.64.64.1:69
--- 1.1.1.2            192.168.1.3        ---                ---

There's one Half-Entry for 1.1.1.1 and one for 1.1.1.2.

Additionally, if the Half-Entry timeout is shorter than the Child-Entry timeout, then once the Half-Entry timer expires, the "left" field in the "show ip nat translation verbose" output shows "timing-out" until all child entries disappear:

sh ip nat trans verb
Pro Inside global      Inside local       Outside local      Outside global
icmp 20.20.20.5:1      10.10.10.2:1       20.20.20.2:1       20.20.20.2:1
    create 00:00:40, use 00:00:40 timeout:60000, left 00:00:19, Map-Id(In): 2,
    flags: extended, use_count: 0, entry-id: 3, lc_entries: 0
icmp 20.20.20.5:2      10.10.10.2:2       20.20.20.2:2       20.20.20.2:2
    create 00:00:10, use 00:00:10 timeout:60000, left 00:00:49, Map-Id(In): 2,
    flags: extended, use_count: 0, entry-id: 4, lc_entries: 0
--- 20.20.20.5         10.10.10.2         ---                ---
    create 00:00:40, use 00:00:10 timeout:10000, timing-out, Map-Id(In): 2,  <<<<<<
    flags: none, use_count: 2, entry-id: 2, lc_entries: 0
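As an added example (not from the original post, nor Cisco code), the Python below parses a constructed "show ip nat translation verbose" sample modelled on the output above, groups the child entries under their Half-Entry, and computes when the Half-Entry can actually be freed, which per the post is only once its own timer AND every child have expired. The column layout and the "left"/"timing-out" fields are assumed from the output shown on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the verbose output in the post: two ICMP child entries
# (60 s timer) under a half-entry whose 10 s "ip nat translation timeout" already expired.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 20.20.20.5:1      10.10.10.2:1       20.20.20.2:1       20.20.20.2:1
    create 00:00:40, use 00:00:40 timeout:60000, left 00:00:19, Map-Id(In): 2,
    flags: extended, use_count: 0, entry-id: 3, lc_entries: 0
icmp 20.20.20.5:2      10.10.10.2:2       20.20.20.2:2       20.20.20.2:2
    create 00:00:10, use 00:00:10 timeout:60000, left 00:00:49, Map-Id(In): 2,
    flags: extended, use_count: 0, entry-id: 4, lc_entries: 0
--- 20.20.20.5         10.10.10.2         ---                ---
    create 00:00:40, use 00:00:10 timeout:10000, timing-out, Map-Id(In): 2,
    flags: none, use_count: 2, entry-id: 2, lc_entries: 0
"""
@dataclass
class HalfEntry:
    inside_global: str
    left: int = 0                 # seconds before the half-entry's own timer expires (0 once expired)
    timing_out: bool = False      # own timer has expired but child entries still exist
    children: list = field(default_factory=list)  # (proto, seconds left) for each child entry
def hms(text):
    h, m, s = (int(x) for x in text.split(":"))   # hh:mm:ss -> seconds
    return h * 3600 + m * 60 + s

def parse_verbose(output):
    """Group 'show ip nat translation verbose' entries into half-entries keyed by inside global address."""
    table, current = {}, None
    for line in output.splitlines():
        if not line.startswith(" "):              # first line of an entry (or the column header)
            fields = line.split()
            if not fields or fields[0] == "Pro":
                continue
            proto, addr = fields[0], fields[1].split(":")[0]
            current = (table.setdefault(addr, HalfEntry(addr)), proto)
        elif current and "timeout:" in line:      # the timer line of the current entry
            half, proto = current
            m = re.search(r"left (\d\d:\d\d:\d\d)", line)
            left = hms(m.group(1)) if m else 0    # no 'left' field: the timer has already run out
            if proto == "---":
                half.left, half.timing_out = left, "timing-out" in line
            else:
                half.children.append((proto, left))
    return table

def seconds_until_freed(half):
    """Per the post: a half-entry is deleted only when its own timer AND every child have expired."""
    return max([half.left] + [left for _, left in half.children])
```

For the sample, the Half-Entry for 20.20.20.5 is already timing-out but will not be freed for another 49 seconds, when the longest-lived ICMP child expires.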
Comments
Carlos Zeledon Carrera
Cisco Employee

Kudos for taking the time to document such information. Very useful and easy to understand.

anbolano
Community Member

Sweet post. Very useful knowledge.

Excellent contribution ! It was of tremendous help and it was exactly what I needed !!!

This article is very helpful.

Thanks for the excellent explanation. Clear and precise!!!

Thank you very much for the post, very informative.