RE: PAT AFTER NAT (confused) [7:66734] posted 04/03/2003

I have been following this thread with great interest, for I had
problems with PAT/NAT in IOS recently. It looks to me that many people have
the same confusions (hopes) as I had.

	I have a case where I have many users on private address space
(around 1000 or so) which must be NAT-ed through a pool of 768 "real"
addresses. These are all, mostly, heavy users (xDSL customers).

	I had foolishly hoped that if I configured a pool with overload, IOS
would do 1:1 and, when it ran out of addresses, it would do PAT. Well, I was
wrong. And that's wrong at a price. Not only is IOS immediately
performing PAT, but PAT is *much* more CPU intensive than 1:1 NAT. Also, it
is not possible to define multiple address ranges or pools for the same
translation (I would greatly appreciate it if someone corrects me here).

	So, from my experience with this matter:

	* it is not easily possible to do NAT and switch to PAT when
addresses run out
	* if you define overload, IOS automatically does PAT, with more CPU

	One way of getting away from running out of NAT addresses is to
lower the translation timeout (the default is, I think, 24h). This timeout
defines how long the NAT relationship remains between real and private IP.
You can lower this to one hour by doing:

	ip nat translation timeout 3600

	In my experience, this proved to be useful in this far-from-1:1
scenario. Further lowering this to some 15 minutes or so could cause more
load on the router (guesswork), but would hugely decrease your chances of
running out of translation addresses.

Kind regards,
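
The effect of the translation timeout on a 768-address pool shared by 1000 inside hosts, as an added example that is not part of the original post: a small model of a dynamic 1:1 NAT table replayed at two timeout values. The 1000 hosts and 768 addresses come from the post; the idle-timer behaviour of the model and the workload (staggered sessions of about four hours, one packet every 10 minutes) are constructed assumptions, and the benefit shown depends on hosts actually going idle.

```python
from collections import OrderedDict

DAY = 86400

def simulate(events, pool_size, timeout):
    """Replay time-sorted (time, inside_host) packets through a 1:1 NAT pool.

    Assumed model: each inside host holds one pool address until it has been
    idle for `timeout` seconds. Returns (peak_addresses_in_use, refused_packets).
    """
    table = OrderedDict()  # inside host -> time of last packet, oldest first
    peak = refused = 0
    for now, host in events:
        # Free translations that have been idle for at least `timeout` seconds.
        while table and next(iter(table.values())) + timeout <= now:
            table.popitem(last=False)
        if host in table:
            table[host] = now          # refresh the idle timer
            table.move_to_end(host)
        elif len(table) < pool_size:
            table[host] = now          # allocate a free pool address
        else:
            refused += 1               # pool exhausted, packet not translated
        peak = max(peak, len(table))
    return peak, refused

def constructed_workload(hosts=1000, days=2):
    """Constructed sample traffic: host h starts h*86 s into each day and
    sends 24 packets, one every 600 s (a session of just under four hours)."""
    events = []
    for day in range(days):
        for h in range(hosts):
            start = day * DAY + h * 86
            events.extend((start + k * 600, h) for k in range(24))
    events.sort()
    return events

if __name__ == "__main__":
    traffic = constructed_workload()
    for timeout in (DAY, 3600, 900):
        peak, refused = simulate(traffic, pool_size=768, timeout=timeout)
        print(f"timeout={timeout:>5}s peak_in_use={peak:>3} refused={refused}")
```

With the 24h value every host that ever got an address keeps it across both simulated days, so the remaining hosts are refused every time; with the shorter values addresses return to the pool between sessions.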
