Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6347
Views
0
Helpful
3
Replies

Nat Overload with NAT Pools

Go to solution
kfarrington
Level 3
Level 3

‎11-23-2006 07:13 AM - edited ‎03-05-2019 12:59 PM

Guys,

Quick one.

With the below configuration, will I always NAT to just one address and never use the other addresses?

ip nat pool My-NAT-Pool 192.168.1.1 192.168.1.30 netmask 255.255.255.224

ip nat inside source list My-Natlist pool My-NAT-Pool overload

!

ip access-list extended My-Natlist

permit ip 132.222.134.0 255.255.255.0 87.11.12.0 255.255.255.0

I see on a router that it does use two addresses out of the range specified in the pool, .1 and .9, but I dont know if there is any logic to this? The other addresses do not get used?

Any ideas?

Thx

Ken

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
tdrais
Level 7
Level 7
In response to zubairjalal

‎11-23-2006 10:21 AM

It is strange that you see .9 being used.

The way this is suppose to work when you use both pools and overload is that it will use the first address and use port on that address until they are exhausted. It will then go to the second address. This is a little more complex than this in that it has different pools for UDP and TCP ports. It can use the second address when the first is not technically 100% out of ports. I forget the exact point it changes. In most cases unless you are run a huge number of sesssion it will never use anything but the first address.

You can remove the overload but then you run the risk of not having enough addresses as they are allocted 1-1 for private addresses. In effect you can only have as many user active as you have public addressses. It will end up being slightly less because it takes a while for the nat to timeout and be reused by a second user.

Your best solution is to use a combination. Build 2 pools one that you overload and a second you use the normal pool. You would assign session to the second pool that cannot run in a PAT configuration. The number of application is very small that require 1-1 nat translation

View solution in original post

0 Helpful
3 Replies 3

Go to solution
zubairjalal
Level 1
Level 1

‎11-23-2006 07:29 AM

Have you tried removing the "overload" statement from the ip nat inside statement. I think you overload when you want to allow the users to go out using one single IP i.e PAT.

--Pls rate if it helps--

0 Helpful

Go to solution
tdrais
Level 7
Level 7
In response to zubairjalal

‎11-23-2006 10:21 AM

It is strange that you see .9 being used.

The way this is suppose to work when you use both pools and overload is that it will use the first address and use port on that address until they are exhausted. It will then go to the second address. This is a little more complex than this in that it has different pools for UDP and TCP ports. It can use the second address when the first is not technically 100% out of ports. I forget the exact point it changes. In most cases unless you are run a huge number of sesssion it will never use anything but the first address.

You can remove the overload but then you run the risk of not having enough addresses as they are allocted 1-1 for private addresses. In effect you can only have as many user active as you have public addressses. It will end up being slightly less because it takes a while for the nat to timeout and be reused by a second user.

Your best solution is to use a combination. Build 2 pools one that you overload and a second you use the normal pool. You would assign session to the second pool that cannot run in a PAT configuration. The number of application is very small that require 1-1 nat translation

0 Helpful

Go to solution
kfarrington
Level 3
Level 3
In response to tdrais

‎11-24-2006 03:54 AM

Thats cool. looking at the doc it says

"

PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the original source port, if this source port is already allocated PAT will attempt to find the first available port number starting from the beginning of the appropriate port group 0-5111, 512-1023 or 1024-65535. If there is still no port available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. This continues until it runs out of available ports and IP addresses.

"

But I never get anywhere near 65k translations, ?

The only think I can think of is that if the source port is already in use - it goes to the next ip address, but the docs say, FIRST, it should assign another src port and only if 65K is reached, go to another IP address?

Strange eh?

Thx to all for their replies so far :)

Kind regards,

Ken

0 Helpful
Customers Also Viewed These Support Documents