RE: PAT AFTER NAT (confused) [7:66734] posted 04/03/2003
- Subject: RE: PAT AFTER NAT (confused) [7:66734]
- From: "Marko Milivojevic" <markom@xxxxxxxxxxxxx>
- Date: Thu, 3 Apr 2003 11:32:07 GMT
I have been following this thread with great interest, for I had
problems with PAT/NAT in IOS recently. It looks to me that many people have
the same confusions (hopes) as I had.
I have a case where I have many users on private address space
(around 1000 or so) which must be NAT-ed through a pool of 768 "real"
addresses. These are all, mostly, heavy users (xDSL customers).
I had foolishly hoped that if I configured a pool with overload, IOS
would do 1:1 NAT and, when it ran out of addresses, would do PAT. Well, I
was wrong, and wrong at a price: not only does IOS immediately perform
PAT, but PAT is *much* more CPU intensive than 1:1 NAT. Also, it is not
possible to define multiple address ranges or pools for the same
translation (I would greatly appreciate it if someone corrected me here).
So, from my experience with this matter:
* it is not easily possible to do NAT and switch to PAT when
addresses run out
* if you define overload, IOS automatically does PAT, with more CPU
One way to avoid running out of NAT addresses is to lower the
translation timeout (the default is, I think, 24h). This timeout defines how
long the NAT relationship between a real and a private IP remains. You can
lower it to one hour with:
    ip nat translation timeout 3600
In my experience, this proved useful in this far-from-1:1
scenario. Further lowering it to some 15 minutes or so could cause more
load on the router (guesswork), but would hugely decrease your chances of
running out of translation addresses.
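As an added illustration of the point about the translation timeout (this is example code written for this page, not anything from the poster or from IOS), the following Python model treats a dynamic 1:1 NAT pool as a table of inside-to-outside bindings that are released once they have been idle for `timeout` seconds. The 1000 hosts, the 768-address pool and the traffic pattern (each host active for one 10-minute slot out of every five) are constructed for the example; the `10.x.y.1` addresses are placeholders.

```python
"""Toy model of a dynamic (1:1, non-overload) NAT pool with an idle timeout.

Added example, not IOS code: it shows why a translation timeout that is
longer than the gap between a host's sessions lets the pool fill up with
bindings for hosts that are no longer sending, while a shorter timeout
hands those addresses back. Traffic pattern and addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class DynamicNatPool:
    pool_size: int      # number of "real" outside addresses in the pool
    timeout: int        # idle seconds before a translation is released
    table: dict = field(default_factory=dict)   # inside_ip -> (outside_idx, last_seen)
    free: list = field(default_factory=list)    # outside addresses not in use
    failed_hosts: set = field(default_factory=set)
    failures: int = 0   # packets that found no free outside address
    peak: int = 0       # highest number of simultaneous translations seen

    def __post_init__(self):
        # outside addresses are represented by their index in the pool
        self.free = list(range(self.pool_size))

    def _expire(self, now):
        # release every translation that has been idle for at least `timeout`
        for inside, (outside, last_seen) in list(self.table.items()):
            if now - last_seen >= self.timeout:
                del self.table[inside]
                self.free.append(outside)

    def translate(self, now, inside_ip):
        """Return the outside address for inside_ip, or None if the pool is exhausted."""
        self._expire(now)
        if inside_ip in self.table:
            outside, _ = self.table[inside_ip]
            self.table[inside_ip] = (outside, now)     # refresh the idle timer
            return outside
        if not self.free:
            self.failures += 1
            self.failed_hosts.add(inside_ip)
            return None
        outside = self.free.pop(0)
        self.table[inside_ip] = (outside, now)
        self.peak = max(self.peak, len(self.table))
        return outside


def run_simulation(num_users=1000, pool_size=768, timeout=86400,
                   duration=4 * 3600, step=60):
    """Drive the pool with a constructed traffic pattern and report the outcome.

    Each inside host sends one packet per `step` seconds during one 10-minute
    slot out of every five, so about num_users/5 hosts are active at any
    moment. The pattern is made up for the example; real xDSL traffic is far
    less regular.
    """
    pool = DynamicNatPool(pool_size, timeout)
    for now in range(0, duration, step):
        slot = now // 600
        for user in range(num_users):
            if (slot + user) % 5 == 0:
                pool.translate(now, f"10.{user // 256}.{user % 256}.1")   # constructed address
    return {"failures": pool.failures,
            "failed_hosts": len(pool.failed_hosts),
            "peak": pool.peak}


if __name__ == "__main__":
    for timeout in (86400, 3600, 900):
        print(f"timeout={timeout:6d}s -> {run_simulation(timeout=timeout)}")
```

Under this constructed pattern a host is idle for 40 minutes between sessions, so the 24h default and the 1h value behave the same (bindings never expire, 232 hosts never get an address and the pool sits at 768), while 900 seconds frees each address before the host's next session and the pool peaks at 600 with no failures. The lesson is the one the message makes: the timeout only helps if it is shorter than the typical gap between a host's sessions, and the right value depends on how the actual users behave.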