Re: Load balancing & NAT [7:60663] posted 01/10/2003

"Peter Walker" wrote in message
> This does NOT match my previous experience.  My experience has been that
> IOS seems to use NAT (not overloaded) until all pool addresses are used,
> then starts overloading the last one.  I don't know what happens once
> this address gets maxed out.

When doing PAT (NAT overload) there is a theoretical possibility of 65000
connections (i.e. the number of TCP ports). Obviously, this would not be
practical because of the number of well-known ports in use.

The NAT engine would add the dimension of TCP source port to the state.

So if I am at address and my source port is 9999, the NAT
engine might translate this to public IP with a source port
of 8888.

The next guy out, source address with a source port of 9999
(same app), might be translated as public IP with a source
port of 8881.


The destination application doesn't care what the source port is ( in
theory ) although in this particular case, I wonder if the destination host
might have a problem. I suppose a well behaved application would not, but
you never can tell.

> The only reason we noticed this was due to the fact that we were running
> port sentry on a number of unix hosts and noticed that periodically random
> machines were being port scanned from outside our net (something that
> should not be able to occur if PAT is being used). We finally tracked it
> down to NAT (single outside IP to single inside IP) entries appearing in
> our NAT translations tables on the router.
> The only solution that we (or TAC) could come up with was to reduce the
> pool to a single IP.

> Peter Walker
> --On 09 January 2003 20:15 +0000 Doug S wrote:
> > The way PAT works when overloading multiple addresses is to overload the
> > first address in the pool until ALL port numbers are used up.  I can't
> > point you to any publicly available documentation on this, but cut and
> > pasted from Network Academy curriculum:
> >
> > "However, on a Cisco IOS router, NAT will
> >  overload the first address in the pool until
> >  it's maxed out, and then move on to the
> >  second address, and so on."
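The two behaviours discussed in this thread, overloading one pool address until its ports are used up and the difference between a PAT entry and a plain one-to-one NAT entry for unsolicited inbound traffic, can be shown with a small simulated translation table. The following is an added example for this archive page, not Cisco IOS code and not code from any poster; the pool addresses (203.0.113.x), inside hosts (10.0.0.x), the tiny port range used to force exhaustion, and the `PatTable` / `one_to_one_inbound` names are all constructed for the illustration.

```python
"""Simulated NAT overload (PAT) table, added as an illustration for this thread.

Constructed model, not IOS behaviour verbatim: the pool is used in order, the
first outside address is overloaded until its port range is exhausted, then the
next address is used. Inbound packets are only forwarded when they match an
existing translation, which is what makes an outside port scan of a PAT address
harmless to the inside hosts.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]  # (ip address, TCP port)


@dataclass
class PatTable:
    pool: List[str]                 # outside addresses, tried in order
    first_port: int = 1024          # skip the well-known ports when allocating
    last_port: int = 65535
    # state keyed on (inside_ip, inside_port): the source port is part of the key
    outbound: Dict[Flow, Flow] = field(default_factory=dict)
    # reverse map for return traffic: (outside_ip, outside_port) -> inside flow
    inbound: Dict[Flow, Flow] = field(default_factory=dict)
    next_port: Dict[str, int] = field(default_factory=dict)

    def translate_out(self, inside_ip: str, inside_port: int) -> Optional[Flow]:
        """Return the public (ip, port) for an outbound flow, allocating if new."""
        key = (inside_ip, inside_port)
        if key in self.outbound:            # existing connection keeps its mapping
            return self.outbound[key]
        for outside_ip in self.pool:
            port = self.next_port.get(outside_ip, self.first_port)
            if port > self.last_port:       # this address is maxed out, move on
                continue
            mapping = (outside_ip, port)
            self.next_port[outside_ip] = port + 1
            self.outbound[key] = mapping
            self.inbound[mapping] = key
            return mapping
        return None                          # whole pool exhausted

    def translate_in(self, outside_ip: str, outside_port: int) -> Optional[Flow]:
        """PAT forwards an inbound packet only if a translation already exists."""
        return self.inbound.get((outside_ip, outside_port))

    def active_translations(self) -> int:
        return len(self.outbound)


def one_to_one_inbound(static_map: Dict[str, str], outside_ip: str,
                       outside_port: int) -> Optional[Flow]:
    """A plain NAT entry (one outside IP to one inside IP) carries no port state,
    so every inbound port reaches the inside host. This is the exposure the
    port-sentry alerts in the thread point at."""
    inside_ip = static_map.get(outside_ip)
    return (inside_ip, outside_port) if inside_ip else None


if __name__ == "__main__":
    # three ports per address so that exhaustion is visible in a short run
    table = PatTable(pool=["203.0.113.1", "203.0.113.2"],
                     first_port=60000, last_port=60002)
    for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8"):
        # every host uses the same source port 9999, as in the thread's example
        print(host, 9999, "->", table.translate_out(host, 9999))
    print("return traffic to 203.0.113.1:60001 ->",
          table.translate_in("203.0.113.1", 60001))
    print("unsolicited scan of 203.0.113.1:22 ->",
          table.translate_in("203.0.113.1", 22))
    print("same scan against a 1:1 NAT entry ->",
          one_to_one_inbound({"203.0.113.9": "10.0.0.9"}, "203.0.113.9", 22))
```

The run shows the fourth host landing on the second pool address once the first one is maxed out, return traffic reaching the right inside host because the outside port identifies the flow, and the same inbound port being dropped under PAT but forwarded under a one-to-one entry. On a real router the corresponding check is to look for one-to-one entries (no port component) in the output of `show ip nat translations` when inside hosts report being scanned.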
