Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10104
Views
4
Helpful
7
Replies

Limitaion of nat translations

s.lachica
Level 1
Level 1

‎02-09-2016 05:55 PM - edited ‎03-05-2019 03:18 AM

Hi all,

What is the limitation of nat in 2921 or in ios routers in general?

Thanks,

Son

CCIE (R&S) #27666 CCSI HP MASE
Labels:
0 Helpful
7 Replies 7

Philip D'Ath
VIP Alumni
VIP Alumni

‎02-09-2016 05:58 PM

Note that the Cisco 2900 series has been replaced by the 4000 series.

The 2921 can probably manage 250Mb/s if it is only doing NAT with an IMIX spread.  With large packets it should flat line the interface.

With the 4000 series you'll get whatever performance licence you pay for.

http://www.cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-isr/models-comparison.html

s.lachica
Level 1
Level 1
In response to Philip D'Ath

‎02-09-2016 06:10 PM

Hi phillip,

Thanks. This is not an issue with the bandwidth or utilization issue but on the number of translations happening. Show ip nat statistics says about 65k of translations and other translations wont be accepted after this. Is there a document stating limitations on this?

Thanks,

Son

CCIE (R&S) #27666 CCSI HP MASE
0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to s.lachica

‎02-09-2016 06:11 PM

Are you doing dynamic NAT to one external NAT or a pool of IP addresses?

0 Helpful

s.lachica
Level 1
Level 1
In response to Philip D'Ath

‎02-09-2016 06:52 PM

Hi phillip,

Thanks for assisting and the info. I tried using the timeout, from 24h to 15 mins. Lets see if this will help, if it is then that's the only solution.

CCIE (R&S) #27666 CCSI HP MASE
0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to s.lachica

‎02-09-2016 07:05 PM

If you think it was helpful if would be great if you could rate my answer.  :-)

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to s.lachica

‎02-09-2016 06:21 PM

If you are doing dynamic NAT to one public IP address then are you limited by the number of TCP/UDP ports available, and that limits is around 65000.  Nothing you can do about that, it is a fundamental restriction of TCP/IP.

If fact, if you are NATing anything to one IP address you will face the same restriction.

If you have a pool of IP addresses then the limit increases by the number of addresses in your pool.

You can also limit the number of translations with commands like:

ip nat translation max-entries all-host xxx
ip nat translation max-entries host a.b.c.d xxx

The first one is quite good from stopping run-away hosts eating up all the translation entries.

0 Helpful

bvanary@yahoo.com
Level 1
Level 1
In response to Philip D'Ath

‎05-10-2018 08:54 PM

hi philip,

good altrnatives for limiting, but if user match the limit, what is the impact ? user become stuck to do internet activities ?. Normally if only browsing/email, how much maximum NAT (tcp/udp port) used ?

Thank you.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card