01-20-2014 06:41 AM - edited 03-01-2019 05:00 PM
There doesn't seem to be enough information on what the "ip nat translation timeout" command really does in NAT public documentation:
• Configuring translation timeouts
********************************************************************************************
The command "ip nat translation timeout" only modifies the "half-entry" timeout AND
even if the half entry has timed out, it will NOT get deleted until ALL child entries have expired.
In other words, it does NOT control the more specific TCP, UDP or ICMP timeouts.
A Half-Entry is created when an address of the pool is first used. For example, let's take a look at this configuration:

access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat pool TEST 1.1.1.1 1.1.1.10 netmask 255.255.255.0
ip nat inside source list 100 pool TEST

When there's no traffic from the LAN going out to the "Internet", the translation table looks like this:

R3#sh ip nat trans
R3#

Completely empty. Then, let's initiate a ping from host 192.168.1.2 out to 64.64.64.1 and check the table:

R3#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:3          192.168.1.2:3      64.64.64.1:3       64.64.64.1:3
---  1.1.1.1            192.168.1.2        ---                ---

After that, let's initiate a Telnet session, and check again:

R3#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:3          192.168.1.2:3      64.64.64.1:3       64.64.64.1:3
tcp  1.1.1.1:17895      192.168.1.2:17895  64.64.64.1:23      64.64.64.1:23
---  1.1.1.1            192.168.1.2        ---                ---

The Half-Entry is:

---  1.1.1.1            192.168.1.2        ---                ---

And the Child-Entries are:

icmp 1.1.1.1:3          192.168.1.2:3      64.64.64.1:3       64.64.64.1:3
tcp  1.1.1.1:17895      192.168.1.2:17895  64.64.64.1:23      64.64.64.1:23

Having said that, the "ip nat translation timeout" command controls the Half-Entry timeout.
Here's the default value:

R3#sh ip nat trans verbose
Pro  Inside global      Inside local       Outside local      Outside global
---  1.1.1.1            192.168.1.2        ---                ---
    create 00:02:12, use 00:01:32 timeout: 86400000, left 23:58:27, Map-Id(In): 1,
    flags: none, use_count: 0, entry-id: 9, lc_entries: 0

As you can see, its default timeout is 24 hours: 86400000 (the value is in milliseconds). If we were to change it to 900 sec with "ip nat translation timeout 900", it would display the following:

R3#sh ip nat trans verbose
Pro  Inside global      Inside local       Outside local      Outside global
---  1.1.1.1            192.168.1.2        ---                ---
    create 00:00:03, use 00:00:03 timeout: 900000, left 00:14:56, Map-Id(In): 1,
    flags: none, use_count: 1, entry-id: 12, lc_entries: 0

It changed from 86400000 to 900000. Let's say we initiate a TCP session and check the timers:

R3(config)#do sh ip nat trans verbo
Pro  Inside global      Inside local       Outside local      Outside global
tcp  1.1.1.1:58209      192.168.1.2:58209  64.64.64.1:23      64.64.64.1:23
    create 00:00:10, use 00:00:07 timeout: 86400000, left 00:00:52, Map-Id(In): 1,
    flags: extended, timing-out, use_count: 0, entry-id: 15, lc_entries: 0
---  1.1.1.1            192.168.1.2        ---                ---
    create 00:00:10, use 00:00:10 timeout: 900000, left 00:14:49, Map-Id(In): 1,
    flags: none, use_count: 1, entry-id: 14, lc_entries: 0

As you can see, the Half-Entry timeout is 900000 while the TCP session timeout is 86400000. If we were to use the more specific TCP timeout command, we'd see the TCP timeout change as well.

Additionally, a Half-Entry gets created for each address that gets used from the pool. Here's what the table looks like when we initiate traffic from another LAN host, 192.168.1.3:

R3#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:2          192.168.1.2:2      64.64.64.1:2       64.64.64.1:2
tcp  1.1.1.1:14835      192.168.1.2:14835  64.64.64.1:23      64.64.64.1:23
---  1.1.1.1            192.168.1.2        ---                ---
udp  1.1.1.2:55368      192.168.1.3:55368  64.64.64.1:69      64.64.64.1:69
---  1.1.1.2            192.168.1.3        ---                ---

There's one for 1.1.1.1 and one for 1.1.1.2.
Additionally, if the Half-Entry timeout is smaller than the Child-Entry timeout, the "left" field in the "show ip nat translation verbose" output is replaced by "timing-out" once the Half-Entry expires, and it stays that way until the child entries disappear:

sh ip nat trans verb
Pro  Inside global      Inside local       Outside local      Outside global
icmp 20.20.20.5:1       10.10.10.2:1       20.20.20.2:1       20.20.20.2:1
    create 00:00:40, use 00:00:40 timeout: 60000, left 00:00:19, Map-Id(In): 2,
    flags: extended, use_count: 0, entry-id: 3, lc_entries: 0
icmp 20.20.20.5:2       10.10.10.2:2       20.20.20.2:2       20.20.20.2:2
    create 00:00:10, use 00:00:10 timeout: 60000, left 00:00:49, Map-Id(In): 2,
    flags: extended, use_count: 0, entry-id: 4, lc_entries: 0
---  20.20.20.5         10.10.10.2         ---                ---
    create 00:00:40, use 00:00:10 timeout: 10000, timing-out, Map-Id(In): 2,   <<<<<<
    flags: none, use_count: 2, entry-id: 2, lc_entries: 0
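To check the Half-Entry / Child-Entry relationship on a larger table than the ones shown above, here is an added Python example (not part of the original post) that parses a constructed sample in the same "show ip nat translation verbose" layout and lists the half-entries that have timed out but are still held by live child entries. The sample text and the way the timer fields are read are assumptions based on the output shown in this post.

```python
import re

# Constructed sample in the layout of "show ip nat translation verbose" shown in
# the post above: two ICMP child entries plus one half-entry that has timed out.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 20.20.20.5:1      10.10.10.2:1       20.20.20.2:1       20.20.20.2:1
    create 00:00:40, use 00:00:40 timeout:60000, left 00:00:19, Map-Id(In): 2,
    flags: extended, use_count: 0, entry-id: 3, lc_entries: 0
icmp 20.20.20.5:2      10.10.10.2:2       20.20.20.2:2       20.20.20.2:2
    create 00:00:10, use 00:00:10 timeout:60000, left 00:00:49, Map-Id(In): 2,
    flags: extended, use_count: 0, entry-id: 4, lc_entries: 0
--- 20.20.20.5         10.10.10.2         ---                ---
    create 00:00:40, use 00:00:10 timeout:10000, timing-out, Map-Id(In): 2,
    flags: none, use_count: 2, entry-id: 2, lc_entries: 0
"""

# Entry line: protocol ('---' for a half-entry), inside global, inside local.
ENTRY_RE = re.compile(r"^(icmp|tcp|udp|---)\s+(\S+)\s+(\S+)")

def parse_translations(text):
    """Parse verbose NAT table output into a list of dicts, one per entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            proto, ig, il = m.groups()
            entries.append({"proto": proto, "half": proto == "---",
                            "inside_global": ig.split(":")[0],
                            "inside_local": il.split(":")[0], "details": ""})
        elif entries and line.startswith(" "):
            entries[-1]["details"] += " " + line.strip()  # timers and flags
    for e in entries:
        d = e.pop("details")
        t = re.search(r"timeout:\s*(\d+)", d)
        left = re.search(r"left (\d\d:\d\d:\d\d)", d)
        e["timeout_ms"] = int(t.group(1)) if t else None
        e["left"] = left.group(1) if left else None   # absent once timing-out
        e["timing_out"] = "timing-out" in d
    return entries

def held_half_entries(entries):
    """Half-entries that have expired but are held by child entries sharing
    their inside global address: (address, number of live children)."""
    children = {}
    for e in entries:
        if not e["half"]:
            children.setdefault(e["inside_global"], []).append(e)
    return [(e["inside_global"], len(children.get(e["inside_global"], [])))
            for e in entries if e["half"] and e["timing_out"]]
```

Feed it the captured output of the verbose command and any half-entry reported with a non-zero child count is one that "ip nat translation timeout" has already expired but the router cannot delete yet.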
Kudos for taking the time to document such information. Very useful and easy to understand.
Sweet post. Very useful knowledge.
Excellent contribution! It was of tremendous help and it was exactly what I needed!!!
Very helpful, this article.
Thanks for the excellent explanation. Clear and precise!!!