GroupStudy.com GroupStudy.com - A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
Re: Load balancing & NAT [7:60663] posted 01/10/2003
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]


""Peter Walker""  wrote in message
news:200301100948.JAA31049@xxxxxxxxxxxxxxxxx
> This does NOT match my previous experience.  My experience has been that
> IOS seems to use NAT (not overloaded) until all pool addresses are used
> then start overloading the last one.  I dont know what happens once all
> when this address gets maxed out.


when doing PAT ( NAT overload ) there is a theoretical possibility of 65000
connections ( i.e. the number of TCP ports ) obviously, this would not be
practical because of the numbers of well known ports in use.

The NAT engine would add the dimension of TCP source port to the state
table.

So if I am at address 111.111.111.111 and my source port is 9999, the NAT
engine might translate  this to public IP 222.222.222.222 with a source port
of 8888

The next guy out, source address 111.111.111.112 with a source port of 9999
( same app ) might be translated ast public IP 222.222.222.222 with a source
port of 8881

Etc.

The destination application doesn't care what the source port is ( in
theory ) although in this particular case, I wonder if the destination host
might have a problem. I suppose a well behaved application would not, but
you never can tell.


>
> The only reason we noticed this was due to the fact that we were running
> port sentry on a number of unix hosts and noticed that periodically random
> machines were being port scanned from outside our net (something that
> should not be able to occur if PAT is being used). We finally tracked it
> down to NAT (single outside IP to single inside IP) entries appearing in
> our NAT translations tables on the router.
>
> The only solution that we (or TAC) could come up with was to reduce the
NAT
> pool to a single IP.








>
> Peter Walker
> CISSP, CCN[NID]P, CSS1, CIPPTS, etc
>
>
> --On 09 January 2003 20:15 +0000 Doug S  wrote:
>
> > The way PAT works when overloading multiple addresses is to overload the
> > first address in the pool until ALL port numbers are used up.  I can't
> > point you to any publicly available documentation on this, but cut and
> > pasted from Network Academy curriculum:
> >
> > "However, on a Cisco IOS router, NAT will
> >  overload the first address in the pool until
> >  it's maxed out, and then move on to the
> >  second address, and so on."




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60820&t=60663
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx