755 Views, 0 Helpful, 7 Replies

NAT Implementation in Enterprise Network

Learnercisco (Level 1)

Hi Tech People,

I have deployed the ASR1000 as an internet-facing edge router. I implemented dynamic NAT with PAT to allow the local users to reach the internet. I am facing a performance issue in the router due to the large number of entries in the NAT table, and it will grow more in the future. I want to know if there is any study guide or solution: whether I can limit the NAT entries per host or refresh the NAT table entries after some time. I see a large number of applications connecting using TCP/UDP entries initiated by single users.

Thanks in advance. 


7 Replies

balaji.bandi (Hall of Fame)

ASR supports very large numbers - are you going beyond that?

What does your "show ip nat stat" show (in peak hours)?


Security

Up to:

●  IPSec tunnel protection: 8,000 tunnels
●  Firewall: 6,000,000 sessions and 220,000 sessions-per-sec setup rate
●  NAT: 6,000,000 sessions and 300,000 sessions-per-sec setup rate
●  Carrier-Grade NAT: 12,000,000 sessions


You can do NAT rate limiting - never tested it myself, but worth looking at whether it fits your needs:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16-7/nat-xe-16-7-book/iadnat-addr-consv.html#GUID-F9A960CC-D9CB-40CA-B5F1-466803E0E801

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
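The address-conservation chapter linked above covers the per-host limit and the idle timers the original question asks about. The following IOS-XE global configuration is an added example (not from the thread or from Cisco's page); the inside host address 10.10.20.50 and every numeric limit are constructed values to be sized against your own "show ip nat statistics" output, and the command syntax should be checked against the linked document for your release.

```ios
! Cap the translations any single inside host may hold, so one
! chatty client cannot consume a disproportionate share of the table.
ip nat translation max-entries all-host 300
! Tighter cap for one specific inside host (constructed address).
ip nat translation max-entries host 10.10.20.50 100
! Overall ceiling for the router, kept below the platform figure
! (the datasheet quotes 6,000,000 NAT sessions for the ASR).
ip nat translation max-entries 2000000

! Age out idle entries sooner than the defaults (generic timeout and
! established TCP default to 86400 s, UDP to 300 s, the rest to 60 s).
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 120
ip nat translation dns-timeout 30
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
ip nat translation icmp-timeout 30
```

Once a max-entries limit is reached, new translations for that scope are dropped rather than queued, so watch the "In-to-out drops" and "Misses" counters in "show ip nat statistics" after applying a cap to confirm legitimate traffic is not being cut off.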

Hi Balaji,

Thanks for the reply,

This is a new deployment. I observed the NAT translations for a few users and they go beyond 1500 translations. In practice I will have more than 800 wireless and wired users in future, and the entries will go beyond millions. I want to use some best practices in case I face performance issues in the internet and in the router.

Thanks in advance.

We need to understand the issue here: is the NAT translation the issue? What kind of bandwidth do you have? Is this an ISP kind of setup or enterprise?

As for the number of devices, that does not matter as far as I can see; the ASR can handle it, but again what license you have on the ASR is also important.

800 users should work in normal situations. The best practice is that we need to see your config. What is your concern here?

"incase i face performance issue in the Internet and in the Router."

Performance - what kind of performance? As per the product you are in a good position. The performance needs to be monitored, and you address whatever area you find yourself facing the problem in. Or this should have been considered at the design level.


BB


Joseph W. Doherty (Hall of Fame)

"I am facing performance issue in the router due to large number of entries in the NAT Table and it will grow more in the Future."

Are you sure your "performance issues" are solely due to your NAT/PAT table size?

What model ASR are we discussing (and its IOS, feature licenses, installed RAM, etc.)?

What are the LAN and WAN connections to the router, and on what ports?

What stats have you looked at, and what are they showing?

Hello
Can you elaborate on how you currently have NAT set up? Are you using just a single public address or a pool of public addresses for translation, and are you overloading on them, meaning the pool of addresses can be reused?

Do you know what traffic is being used for the internet? Do you have any monitoring or filtering policies to capture/negate any unwarranted/scavenger traffic?

As this is an internet-facing router you may have a default route, which means you could be incurring unwarranted router ARP lookups if you are not defining a specific next-hop interface and IP address.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Thanks for the reply,

I am using a single public address and defined one access-list which carries my private IP addresses to the internet.

Sometimes the internet stops, and I just clear the IP NAT translation entries and the internet starts working. There is a firewall behind this router which is in routed mode, and I allowed all the traffic.


show ip nat statistics
Total active translations: 155 (0 static, 155 dynamic; 155 extended)
Outside interfaces:
GigabitEthernet0/0/2
Inside interfaces:
TenGigabitEthernet0/1/0.1, TenGigabitEthernet0/1/0.2
Hits: 45895446 Misses: 229201
Expired translations: 216095
Dynamic mappings:
-- Inside Source
[Id: 4] access-list 1 interface GigabitEthernet0/0/2 refcount 155
nat-limit statistics:
max entry: max allowed 2147483647, used 155, missed 0
In-to-out drops: 158783 Out-to-in drops: 16671
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 80245
IP alias add fail: 0

Router Information

System image file is "bootflash:asr1000-universalk9.16.09.05.SPA.bin"
Last reload reason: PowerOn


cisco ASR1001-HX (1SR) processor (revision 1SR) with 6925044K/6147K bytes of memory.

NAT gatekeeper
Check this feature in the ASR.
Read it many times before deciding whether to apply this feature or not.

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/210869-ASR1k-NAT-intermittently-fails-to-transl.html