Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
712
Views
5
Helpful
8
Replies

Cisco router dynamic NAT stuck after nearly 133,000 active translation

telesymbol
Level 1
Level 1

‎08-29-2022 10:40 AM

Dear All,

we've installed Cisco 3945 router for internet connection and we did dynamic NAT with a pool of two public IPs but we've observed that the NAT stuck after nearly 133,000 active translations and users are not able to access internet. please advise on the issue.

 

regards

8 Replies 8

balaji.bandi
Hall of Fame
Hall of Fame

‎08-29-2022 10:59 AM

How Much is your internet bandwidth? and how many clients ?

you need to find out if any devices has malware infected, what is the source, and what destination using frequently.

some NAT Troubleshoot tips :

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/8605-13.html

If you have NetFlow you can also monitor what device using more NAT Translation.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

telesymbol
Level 1
Level 1
In response to balaji.bandi

‎08-29-2022 11:09 AM

Internet speed is 100 mbps and there are nearly 400 internet users. sources are internal users and destination is basic internet access. when we use one public IP address the NAT stuck after nearly 64000 translations and while we use two IP addresses the NAT got stuck when there is around 134000 active translations

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to telesymbol

‎08-29-2022 11:55 AM

are these your broadband users? or corporate users?

you need to get statistics on what is happening with NAT translation.

You may restrict users' connection rate per second basis, rather than overloaded with the connection.

 

or you need to get a modern device which can do the work for you. 

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

MHM Cisco World
VIP
VIP

‎08-29-2022 11:21 AM - edited ‎08-29-2022 11:23 AM

can I assume you use two public IP for NAT pool ?
each interface have 65000 port and you reach the max port for two IP. 
I think you need adjust timeout of NAT TCP and UDP OR add more public IP.

0 Helpful

telesymbol
Level 1
Level 1
In response to MHM Cisco World

‎08-29-2022 11:33 AM - edited ‎08-29-2022 11:35 AM

yes, we're having two public IPs for dynamic NAT, but we didn't have such issues while internet was terminated on the firewall even with one public IP.  

0 Helpful

MHM Cisco World
VIP
VIP
In response to telesymbol

‎08-29-2022 11:57 AM - edited ‎08-29-2022 12:03 PM

each Public IP give you 65000 TCP/UDP port, 
if you exhaust the dynamic NAT then  you need 
to reduce the timeout of dynamic NAT 
or add one or more public ip to your NAT pool 

check your UDP port timeout I think it more than 30 min.

0 Helpful

paul driver
VIP
VIP

‎08-29-2022 01:21 PM

Hello
Can you share the output of the following, just to makes sure with that many translations you are not maxing out memory/cpu resources, as suggested you can try decrease the nat timeout fro  default 24hrs to a much smaller value - 4hrs (7200)
sh version
sh processes cpu sorted 
sh processes memory
sh ip nat statisitics


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to paul driver

‎08-29-2022 02:11 PM

Like @paul driver and @MHM Cisco World , I would first try reducing how long your NAT entries stay alive.

As others and @balaji.bandi have noted, additional stats would help us better diagnose your issue.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card