Re: Load balancing & NAT [7:60663] posted 01/10/2003
""Peter Walker"" wrote in message
> This does NOT match my previous experience. My experience has been that
> IOS seems to use NAT (not overloaded) until all pool addresses are used
> then start overloading the last one. I dont know what happens once all
> when this address gets maxed out.
when doing PAT ( NAT overload ) there is a theoretical possibility of 65000
connections ( i.e. the number of TCP ports ) obviously, this would not be
practical because of the numbers of well known ports in use.
The NAT engine would add the dimension of TCP source port to the state
So if I am at address 184.108.40.206 and my source port is 9999, the NAT
engine might translate this to public IP 220.127.116.11 with a source port
The next guy out, source address 18.104.22.168 with a source port of 9999
( same app ) might be translated ast public IP 22.214.171.124 with a source
port of 8881
The destination application doesn't care what the source port is ( in
theory ) although in this particular case, I wonder if the destination host
might have a problem. I suppose a well behaved application would not, but
you never can tell.
> The only reason we noticed this was due to the fact that we were running
> port sentry on a number of unix hosts and noticed that periodically random
> machines were being port scanned from outside our net (something that
> should not be able to occur if PAT is being used). We finally tracked it
> down to NAT (single outside IP to single inside IP) entries appearing in
> our NAT translations tables on the router.
> The only solution that we (or TAC) could come up with was to reduce the
> pool to a single IP.
> Peter Walker
> CISSP, CCN[NID]P, CSS1, CIPPTS, etc
> --On 09 January 2003 20:15 +0000 Doug S wrote:
> > The way PAT works when overloading multiple addresses is to overload the
> > first address in the pool until ALL port numbers are used up. I can't
> > point you to any publicly available documentation on this, but cut and
> > pasted from Network Academy curriculum:
> > "However, on a Cisco IOS router, NAT will
> > overload the first address in the pool until
> > it's maxed out, and then move on to the
> > second address, and so on."
Message Posted at:
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx