11-23-2006 07:13 AM - edited 03-05-2019 12:59 PM
Guys,
Quick one.
With the below configuration, will I always NAT to just one address and never use the other addresses?
ip nat pool My-NAT-Pool 192.168.1.1 192.168.1.30 netmask 255.255.255.224
ip nat inside source list My-Natlist pool My-NAT-Pool overload
!
ip access-list extended My-Natlist
! IOS ACLs take wildcard masks (0.0.0.255), not subnet masks
permit ip 132.222.134.0 0.0.0.255 87.11.12.0 0.0.0.255
I see on a router that it does use two addresses out of the range specified in the pool, .1 and .9, but I don't know if there is any logic to this? The other addresses do not get used?
Any ideas?
Thx
Ken
11-23-2006 10:21 AM
It is strange that you see .9 being used.
The way this is supposed to work when you use both pools and overload is that it will use the first address and use ports on that address until they are exhausted. It will then go to the second address. This is a little more complex than this in that it has different pools for UDP and TCP ports. It can use the second address when the first is not technically 100% out of ports. I forget the exact point it changes. In most cases, unless you run a huge number of sessions, it will never use anything but the first address.
You can remove the overload, but then you run the risk of not having enough addresses, as they are allocated 1-1 for private addresses. In effect you can only have as many users active as you have public addresses. It will end up being slightly less because it takes a while for the NAT to time out and be reused by a second user.
Your best solution is to use a combination. Build 2 pools, one that you overload and a second that you use as a normal pool. You would assign sessions that cannot run in a PAT configuration to the second pool. The number of applications that require 1-1 NAT translation is very small.
11-23-2006 07:29 AM
Have you tried removing the "overload" statement from the ip nat inside statement? I think you overload when you want to allow the users to go out using one single IP, i.e. PAT.
--Pls rate if it helps--
11-24-2006 03:54 AM
That's cool. Looking at the doc, it says
"
PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the original source port; if this source port is already allocated, PAT will attempt to find the first available port number starting from the beginning of the appropriate port group 0-511, 512-1023 or 1024-65535. If there is still no port available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. This continues until it runs out of available ports and IP addresses.
"
But I never get anywhere near 65k translations?
The only thing I can think of is that if the source port is already in use it goes to the next IP address, but the docs say, FIRST, it should assign another src port and only if 65K is reached, go to another IP address?
Strange eh?
Thx to all for their replies so far :)
Kind regards,
Ken
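To make the allocation rule in the quoted documentation concrete (and the first reply's point that TCP and UDP have separate port pools), here is a small Python model added to the thread. It is example code, not Cisco IOS code: it only implements the three steps the quoted text describes (keep the original source port, else first free port in the same group, else move to the next pool address). The 30-address pool comes from the config in the question; the "every flow starts from source port 500" scenario and the protocol names are constructed inputs used to show how a second address can be used long before 65k translations exist, namely when one of the small port groups fills up on the first address.

```python
"""Model of the PAT (overload) port-allocation rule quoted from the Cisco NAT doc.

Example code for the thread, not IOS code. Assumptions: ports are tracked per
(global address, protocol), as the first reply describes, and allocation
follows exactly the three steps in the quoted documentation.
"""
from collections import defaultdict

# Port groups named in the quoted documentation.
PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) bounds of the group containing `port`."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError("port out of range: %r" % (port,))


class PatPool:
    """Models `ip nat inside source list ... pool ... overload`."""

    def __init__(self, addresses):
        self.addresses = tuple(addresses)
        # (global address, protocol) -> set of ports already handed out
        self._used = defaultdict(set)

    def allocate(self, proto, src_port):
        """Return the (global address, global port) a new flow is mapped to."""
        lo, hi = port_group(src_port)
        for addr in self.addresses:
            used = self._used[(addr, proto)]
            # Step 1: preserve the original source port if it is free here.
            if src_port not in used:
                used.add(src_port)
                return addr, src_port
            # Step 2: first free port in the same group on this address.
            for p in range(lo, hi + 1):
                if p not in used:
                    used.add(p)
                    return addr, p
            # Step 3: group exhausted on this address, try the next one.
        raise RuntimeError("no free port in group %d-%d on any address" % (lo, hi))

    def translations(self):
        """Active translation count per (address, protocol), for inspection."""
        return {k: len(v) for k, v in self._used.items()}


def low_port_group_scenario(sessions):
    """Constructed scenario: `sessions` UDP flows that all start from source
    port 500 (an IKE-style fixed source port). Returns the global address each
    flow was mapped to, using the 30-address pool from the question."""
    pool = PatPool("192.168.1.%d" % i for i in range(1, 31))
    return [pool.allocate("udp", 500)[0] for _ in range(sessions)]


if __name__ == "__main__":
    mapped = low_port_group_scenario(513)
    # The 0-511 group holds 512 ports, so the 513th flow lands on the next address.
    print(mapped[0], mapped[511], mapped[512])
```

With ordinary ephemeral source ports (the 1024-65535 group) the model keeps every flow on the first address until that group is full, which matches the first reply's "you will never use anything but the first address" in normal use. Flows pinned to a low source port exhaust a 512-port group instead, and from then on those flows spill onto the next pool address. When reading NAT or firewall logs, this is why the same inside host can appear under more than one global address even with modest session counts.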