NAT Pool configuration to counter PAT exhaustion on WAN interface

Mark Rigby (Level 1)

Greetings. We have a very busy guest/BYOD wireless network which has recently started to exceed 1000 clients on a regular basis. Up until now it has worked without issue, but we have had reports that people are frequently unable to connect to the internet at peak times (lunchtime etc.).

Investigations revealed that the WAN router (Cisco 3825) has started exceeding the maximum number of NAT/PAT translations on the external-facing interface (>65,000); at one point it was showing as having 72,000 translations.

As such, I have decided to create a NAT pool to make use of additional public address space that we have on our WAN breakout and to load balance PAT across several external IP addresses to counter the problem. However, when I look at the NAT translations it still appears that I'm only overloading on the interface IP address and not load balancing amongst all 5 external addresses in the NAT pool.

WAN Breakout

213.**.**.32 /27

Interface configuration

interface GigabitEthernet0/0
 bandwidth 25000
 ip address 213.**.**.33 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 rate-limit input 25000000 4687500 9375000 conform-action transmit exceed-action drop
 rate-limit output 25000000 4687500 9375000 conform-action transmit exceed-action drop
 duplex full
 speed 100
 media-type rj45

NAT configuration

ip nat pool GUEST_WLAN 213.**.**.33 213.**.**.37 prefix-length 27
!
ip nat inside source list NAT pool GUEST_WLAN overload
!
ip access-list extended NAT
 permit ip 192.168.16.0 0.0.7.255 any
 deny   ip any any

Debugs

#sh ip nat translations | include 213.**.**.33
tcp 213.**.**.33:50630    192.168.16.6:50630    31.13.72.112:443      31.13.72.112:443
tcp 213.**.**.33:7309     192.168.16.6:50633    31.13.64.97:443       31.13.64.97:443
tcp 213.**.**.33:18769    192.168.16.6:51052    17.130.254.15:5223    17.130.254.15:5223
tcp 213.**.**.33:18747    192.168.16.6:51233    173.194.34.152:443    173.194.34.152:443
tcp 213.**.**.33:59589    192.168.16.6:51295    173.252.103.16:443    173.252.103.16:443
tcp 213.**.**.33:33720    192.168.16.6:51470    17.172.233.120:443    17.172.233.120:443
tcp 213.**.**.33:47715    192.168.16.6:51477    67.195.236.72:993     67.195.236.72:993
tcp 213.**.**.33:30787    192.168.16.6:51481    206.191.242.230:443   206.191.242.230:443
tcp 213.**.**.33:32230    192.168.16.6:51484    188.125.68.71:993     188.125.68.71:993

sh ip nat translations | include 213.**.**.34
tcp 213.**.**.52:51466    192.168.21.198:51466  17.149.32.57:443      17.149.32.57:443
tcp 213.**.**.34:52574    192.168.21.198:52574  173.252.103.16:443    173.252.103.16:443
--- 213.**.**.34          192.168.21.198        ---                   ---


sh ip nat translations | include 213.**.**.35
--- 213.**.**.35          192.168.16.223        ---                   ---


sh ip nat translations | include 213.**.**.36
--- 213.**.**.36          192.168.16.195        ---                   ---


sh ip nat translations | include 213.**.**.37
--- 213.**.**.37          192.168.21.214        ---                   ---


I would really appreciate it if someone could validate whether this configuration is correct, please. Would I be correct in assuming it won't load balance and will only utilise the pool members when the first one is exhausted?


Regards

Accepted Solution

Jon Marshall (Hall of Fame)

Mark

"Would I be correct in assuming it won't load balance and will only utilise the pool members when the first one is exhausted?"

Yes, that is the way it works.

If you wanted to actually use all IPs in the pool then you would need to break down the clients' IPs, i.e. you could map some clients to one IP, some to the next, etc.

So you would have multiple ACLs and map each ACL to a different public IP in your NAT statements.

Jon

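The split Jon describes, written out as an added Cisco IOS configuration example. It is not from the thread and has not been applied to the poster's router. The pool and ACL names, the four-way /23 split of 192.168.16.0/21 (a /21 does not divide evenly across five addresses), and keeping the Gi0/0 address 213.**.**.33 out of the pools are this example's own assumptions; the masked octets are the post's and need the real prefix. Two practical points: each inside address must match exactly one of the lists, since a host matched by two `ip nat inside source` statements gets order-dependent behaviour and a host matched by none is not translated at all; and IOS will not let you remove the existing GUEST_WLAN mapping while translations are in use without clearing them, which drops every active guest session, so make the change off-peak.

```cisco
! Added example, not the poster's or Jon's config. Names, the /23 split and the
! decision to leave 213.**.**.33 (the interface address) out of the pools are
! assumptions of this example.
!
! 1. Remove the single-pool mapping first. If dynamic translations exist IOS
!    refuses to delete it; "clear ip nat translation *" drops all sessions.
clear ip nat translation *
no ip nat inside source list NAT pool GUEST_WLAN overload
!
! 2. One single-address pool per public IP. prefix-length matches the /27.
ip nat pool GUEST_A 213.**.**.34 213.**.**.34 prefix-length 27
ip nat pool GUEST_B 213.**.**.35 213.**.**.35 prefix-length 27
ip nat pool GUEST_C 213.**.**.36 213.**.**.36 prefix-length 27
ip nat pool GUEST_D 213.**.**.37 213.**.**.37 prefix-length 27
!
! 3. Non-overlapping ACLs: 192.168.16.0/21 cut into four /23 blocks, so every
!    guest address matches exactly one list (implicit deny covers the rest).
ip access-list extended NAT_A
 permit ip 192.168.16.0 0.0.1.255 any
ip access-list extended NAT_B
 permit ip 192.168.18.0 0.0.1.255 any
ip access-list extended NAT_C
 permit ip 192.168.20.0 0.0.1.255 any
ip access-list extended NAT_D
 permit ip 192.168.22.0 0.0.1.255 any
!
! 4. Tie each list to its own pool; PAT (overload) on every one.
ip nat inside source list NAT_A pool GUEST_A overload
ip nat inside source list NAT_B pool GUEST_B overload
ip nat inside source list NAT_C pool GUEST_C overload
ip nat inside source list NAT_D pool GUEST_D overload
!
! 5. Verify: totals and per-pool usage, then spot-check that a client in the
!    192.168.18.0/23 range now appears behind 213.**.**.35, not .33.
! show ip nat statistics
! show ip nat translations | include 192.168.18.
```

With this layout each public address carries roughly a quarter of the clients from the start, rather than the whole load sitting on the first pool member until it is exhausted. Which /23 a client lands in is decided by its DHCP address, so the split only balances as well as the inside addressing does; if the wireless controller hands out addresses unevenly, resize the blocks rather than the pools.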

2 Replies

Mark Rigby (Level 1)

Thank you for your reply, Jon. Yes, I wasn't looking to load balance but to ensure that if we do exceed the maximum number of translations on the first IP address it will use the next pool member.

Appreciate the validation.

Regards
