03-28-2014 10:07 AM - edited 03-04-2019 10:40 PM
Greetings, we have a very busy guest/BYOD wireless network which has recently started to exceed 1000 clients on a regular basis. Up until now it has worked without issue, but we have had reports that people are frequently unable to connect to the internet at peak times (lunchtime etc.).
Investigations revealed that the WAN router (Cisco 3825) has started exceeding the maximum number of NAT/PAT translations on the external-facing interface (>65,000). At one point it was showing as having 72,000 translations.
As such I have decided to create a NAT pool to make use of additional public address space that we have on our WAN breakout and to load balance PAT across several external IP addresses to counter the problem. However, when I look at the NAT translations it still appears that I'm only overloading on the interface IP address and not load balancing amongst all 5 external addresses in the NAT pool.
WAN Breakout
213.**.**.32 /27
Interface configuration
interface GigabitEthernet0/0
 bandwidth 25000
 ip address 213.**.**.33 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 rate-limit input 25000000 4687500 9375000 conform-action transmit exceed-action drop
 rate-limit output 25000000 4687500 9375000 conform-action transmit exceed-action drop
 duplex full
 speed 100
 media-type rj45
NAT configuration
ip nat pool GUEST_WLAN 213.**.**.33 213.**.**.37 prefix-length 27
!
ip nat inside source list NAT pool GUEST_WLAN overload
!
ip access-list extended NAT
 permit ip 192.168.16.0 0.0.7.255 any
 deny ip any any
Debugs
#sh ip nat translations | include 213.**.**.33
tcp 213.**.**.33:50630 192.168.16.6:50630 31.13.72.112:443 31.13.72.112:443
tcp 213.**.**.33:7309 192.168.16.6:50633 31.13.64.97:443 31.13.64.97:443
tcp 213.**.**.33:18769 192.168.16.6:51052 17.130.254.15:5223 17.130.254.15:5223
tcp 213.**.**.33:18747 192.168.16.6:51233 173.194.34.152:443 173.194.34.152:443
tcp 213.**.**.33:59589 192.168.16.6:51295 173.252.103.16:443 173.252.103.16:443
tcp 213.**.**.33:33720 192.168.16.6:51470 17.172.233.120:443 17.172.233.120:443
tcp 213.**.**.33:47715 192.168.16.6:51477 67.195.236.72:993 67.195.236.72:993
tcp 213.**.**.33:30787 192.168.16.6:51481 206.191.242.230:443 206.191.242.230:443
tcp 213.**.**.33:32230 192.168.16.6:51484 188.125.68.71:993 188.125.68.71:993
sh ip nat translations | include 213.**.**.34
tcp 213.**.**.52:51466 192.168.21.198:51466 17.149.32.57:443 17.149.32.57:443
tcp 213.**.**.34:52574 192.168.21.198:52574 173.252.103.16:443 173.252.103.16:443
--- 213.**.**.34 192.168.21.198 --- ---
sh ip nat translations | include 213.**.**.35
--- 213.**.**.35 192.168.16.223 --- ---
sh ip nat translations | include 213.**.**.36
--- 213.**.**.36 192.168.16.195 --- ---
sh ip nat translations | include 213.**.**.37
--- 213.**.**.37 192.168.21.214 --- ---
I would really appreciate it if someone could validate whether this configuration is correct, please. Would I be correct in assuming it won't load balance and will only utilise the pool members when the first one is exhausted?
Regards
03-29-2014 07:17 AM
Mark
Would I be correct in assuming it won't load balance and will only utilise the pool members when the first one is exhausted?
Yes, that is the way it works.
If you wanted to actually use all IPs in the pool then you would need to break down the client IPs, i.e. you could map some clients to one IP, some to the next, etc.
So you would have multiple ACLs and map each ACL to a different public IP in your NAT statements.
Jon
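Jon's suggestion written out as an added example against the addressing in this thread (it is not configuration from the thread itself): the /21 guest range 192.168.16.0 0.0.7.255 is split into four /23 blocks, each with its own ACL and its own PAT mapping, so each public address carries translations at once instead of only after the previous one's ports run out. The ACL and pool names, the /23 split and leaving .37 spare are assumptions; the ** octets are masked as in the thread.

```cisco
! Added example, not the thread's own configuration. Assumes the
! addressing shown above; ACL/pool names and the /23 split are invented.
!
! 1. Remove the single-pool mapping. IOS will not delete a dynamic
!    mapping while translations are active, so clear them first (this
!    drops every current guest session; do it in a maintenance window).
clear ip nat translation *
no ip nat inside source list NAT pool GUEST_WLAN overload
!
! 2. One ACL per client block (192.168.16.0/21 = four /23s).
ip access-list extended NAT_BLOCK1
 permit ip 192.168.16.0 0.0.1.255 any
ip access-list extended NAT_BLOCK2
 permit ip 192.168.18.0 0.0.1.255 any
ip access-list extended NAT_BLOCK3
 permit ip 192.168.20.0 0.0.1.255 any
ip access-list extended NAT_BLOCK4
 permit ip 192.168.22.0 0.0.1.255 any
!
! 3. A single-address pool per public IP (start = end). .33 is the
!    interface address, so that block overloads the interface directly.
ip nat pool PUB34 213.**.**.34 213.**.**.34 prefix-length 27
ip nat pool PUB35 213.**.**.35 213.**.**.35 prefix-length 27
ip nat pool PUB36 213.**.**.36 213.**.**.36 prefix-length 27
!
! 4. Map each ACL to its own public address, all with PAT (overload).
ip nat inside source list NAT_BLOCK1 interface GigabitEthernet0/0 overload
ip nat inside source list NAT_BLOCK2 pool PUB34 overload
ip nat inside source list NAT_BLOCK3 pool PUB35 overload
ip nat inside source list NAT_BLOCK4 pool PUB36 overload
!
! 5. Verify: every mapped public address should now show tcp/udp
!    entries, not just the interface IP.
show ip nat statistics
show ip nat translations | include 213.**.**.34
```

Each mapping still has the per-address port limit, so size the client blocks roughly in proportion to the clients they hold rather than expecting overflow between them.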
03-31-2014 03:41 AM
Thank you for your reply Jon. Yes, I wasn't looking to load balance but to ensure that if we do exceed the maximum number of translations on the first IP address it will use the next pool member.
Appreciate the validation.
Regards