Re: dhcp and static nat

From: Jens Petter Johansen (jenseike@start.no)
Date: Wed Apr 23 2008 - 08:06:29 ART

Hi...

I am trying to see why the static nat enterys dont get released. Not even
after 24 hours wich are the default timeout.. I tried to set this tcp
timeout to one hour without this helping.

I dont know if dhcp have anything to do with this, but it is the dhcp
clients this happen for .

Some configs:

ip dhcp pool wlan-Lilleakeruncrypt
network 172.17.4.0 255.255.252.0
domain-name statkraft.com
default-router 172.17.4.1
dns-server 193.212.95.25
lease 3

interface GigabitEthernet0/0.50
 encapsulation dot1Q 50
 ip address 172.17.0.1 255.255.252.0
 ip nat inside
!
interface GigabitEthernet0/0.70
 encapsulation dot1Q 70
 ip address 172.17.4.1 255.255.252.0
 ip nat inside

interface GigabitEthernet0/2
 description BBSM
 ip address 193.215.248.15 255.255.255.0
 ip nat outside
 duplex full
 speed 100
 media-type rj45
 no negotiation auto

ip nat translation tcp-timeout 3600
ip nat pool ukryptert 193.215.248.20 193.215.248.250 netmask
255.255.255.0
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip nat inside source list 2 pool ukryptert

Some logs:

wlan-glue#sh ip nat sta
Total active translations: 302 (0 static, 302 dynamic; 220 extended)
Outside interfaces:
GigabitEthernet0/2
Inside interfaces:
GigabitEthernet0/0.50, GigabitEthernet0/0.70
Hits: 423697845 Misses: 10040355
Expired translations: 2082904
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0/2 refcount 184
[Id: 3] access-list 2 pool ukryptert refcount 118
 pool ukryptert: netmask 255.255.255.0
start 193.215.248.20 end 193.215.248.250
type generic, total addresses 231, allocated 82 (35%), misses 76929

There are now 82 adresses allocated in the nat table, but this goes fast
up to max since it does not release those enterys...

wlan-glue#sh ip nat tra | in 172.17.4.|172.17.5.|172.17.6.|172.17.7.
tcp 193.215.248.250:50957 172.17.6.169:50957 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.250:51009 172.17.6.169:51009 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.250:51038 172.17.6.169:51038 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.250:51271 172.17.6.169:51271 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.250:51924 172.17.6.169:51924 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.250:52123 172.17.6.169:52123 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.250:52321 172.17.6.169:52321 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.250:52571 172.17.6.169:52571 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.250:52684 172.17.6.169:52684 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.250:52918 172.17.6.169:52918 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.250:53114 172.17.6.169:53114 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.250:53310 172.17.6.169:53310 192.168.0.78:389
192.168.0.78:389
tcp 193.215.248.212:49356 172.17.6.228:49356 150.106.198.11:389
150.106.198.11:389
tcp 193.215.248.212:49359 172.17.6.228:49359 150.106.198.11:389
150.106.198.11:389
tcp 193.215.248.212:49361 172.17.6.228:49361 150.106.198.11:389
150.106.198.11:389
tcp 193.215.248.212:49377 172.17.6.228:49377 150.106.198.11:389
150.106.198.11:389
tcp 193.215.248.212:49378 172.17.6.228:49378 150.106.198.11:389
150.106.198.11:389
tcp 193.215.248.212:49388 172.17.6.228:49388 150.106.198.11:389
150.106.198.11:389
tcp 193.215.248.212:49379 172.17.6.228:49379 150.106.198.113:389
150.106.198.113:389
tcp 193.215.248.212:49386 172.17.6.228:49386 150.106.198.113:389
150.106.198.113:389
tcp 193.215.248.212:49387 172.17.6.228:49387 150.106.198.113:389
150.106.198.113:389
tcp 193.215.248.212:49367 172.17.6.228:49367 150.106.201.106:389
150.106.201.106:389
tcp 193.215.248.212:49383 172.17.6.228:49383 150.106.201.106:389
150.106.201.106:389
tcp 193.215.248.212:49394 172.17.6.228:49394 150.106.201.106:389
150.106.201.106:389
tcp 193.215.248.231:49927 172.17.6.161:49927 150.106.200.252:389
150.106.200.252:389
tcp 193.215.248.222:63563 172.17.6.223:63563 192.168.0.201:389
192.168.0.201:389
tcp 193.215.248.222:63760 172.17.6.223:63760 192.168.0.201:389
192.168.0.201:389
tcp 193.215.248.222:63953 172.17.6.223:63953 192.168.0.201:389
192.168.0.201:389
tcp 193.215.248.222:64156 172.17.6.223:64156 192.168.0.201:389
192.168.0.201:389
tcp 193.215.248.222:64350 172.17.6.223:64350 192.168.0.201:389
192.168.0.201:389
--- 193.215.248.160 172.17.6.247 --- &n
bsp; ---
--- 193.215.248.161 172.17.6.248 --- &n
bsp; ---
--- 193.215.248.162 172.17.6.245 --- &n
bsp; ---
--- 193.215.248.163 172.17.6.246 --- &n
bsp; ---
--- 193.215.248.164 172.17.6.243 --- &n
bsp; ---
--- 193.215.248.165 172.17.6.244 --- &n
bsp; ---
--- 193.215.248.166 172.17.6.241 --- &n
bsp; ---
--- 193.215.248.167 172.17.6.242 --- &n
bsp; ---
--- 193.215.248.168 172.17.6.239 --- &n
bsp; ---
--- 193.215.248.169 172.17.6.240 --- &n
bsp; ---
--- 193.215.248.170 172.17.6.237 --- &n
bsp; ---
--- 193.215.248.171 172.17.6.238 --- &n
bsp; ---
--- 193.215.248.172 172.17.6.236 --- &n
bsp; ---
--- 193.215.248.173 172.17.5.219 --- &n
bsp; ---
--- 193.215.248.174 172.17.6.235 --- &n
bsp; ---
--- 193.215.248.175 172.17.6.109 --- &n
bsp; ---
--- 193.215.248.184 172.17.7.182 --- &n
bsp; ---
tcp 193.215.248.222:64740 172.17.6.223:64740 192.168.0.201:389
192.168.0.201:389
--- 193.215.248.186 172.17.6.180 --- &n
bsp; ---
--- 193.215.248.187 172.17.6.253 --- &n
bsp; ---
--- 193.215.248.188 172.17.6.252 --- &n
bsp; ---
--- 193.215.248.189 172.17.6.178 --- &n
bsp; ---
--- 193.215.248.190 172.17.6.250 --- &n
bsp; ---
--- 193.215.248.191 172.17.6.251 --- &n
bsp; ---
--- 193.215.248.192 172.17.6.170 --- &n
bsp; ---
--- 193.215.248.193 172.17.6.196 --- &n
bsp; ---
--- 193.215.248.194 172.17.6.221 --- &n
bsp; ---
--- 193.215.248.195 172.17.6.222 --- &n
bsp; ---
--- 193.215.248.196 172.17.6.203 --- &n
bsp; ---
--- 193.215.248.197 172.17.6.179 --- &n
bsp; ---
--- 193.215.248.198 172.17.6.219 --- &n
bsp; ---
--- 193.215.248.199 172.17.6.220 --- &n
bsp; ---
--- 193.215.248.200 172.17.6.217 --- &n
bsp; ---
--- 193.215.248.201 172.17.6.218 --- &n
bsp; ---
--- 193.215.248.202 172.17.6.197 --- &n
bsp; ---
--- 193.215.248.203 172.17.5.254 --- &n
bsp; ---
--- 193.215.248.204 172.17.6.216 --- &n
bsp; ---
--- 193.215.248.205 172.17.6.201 --- &n
bsp; ---
--- 193.215.248.206 172.17.6.195 --- &n
bsp; ---
--- 193.215.248.207 172.17.6.94 --- &n
bsp; ---
--- 193.215.248.208 172.17.6.234 --- &n
bsp; ---
--- 193.215.248.209 172.17.4.142 --- &n
bsp; ---
--- 193.215.248.210 172.17.6.230 --- &n
bsp; ---
--- 193.215.248.211 172.17.6.231 --- &n
bsp; ---
--- 193.215.248.212 172.17.6.228 --- &n
bsp; ---
--- 193.215.248.213 172.17.6.229 --- &n
bsp; ---
--- 193.215.248.214 172.17.6.226 --- &n
bsp; ---
--- 193.215.248.215 172.17.6.227 --- &n
bsp; ---
--- 193.215.248.216 172.17.6.193 --- &n
bsp; ---
--- 193.215.248.217 172.17.6.225 --- &n
bsp; ---
--- 193.215.248.218 172.17.6.175 --- &n
bsp; ---
--- 193.215.248.219 172.17.6.224 --- &n
bsp; ---
--- 193.215.248.220 172.17.6.84 --- &n
bsp; ---
--- 193.215.248.221 172.17.6.183 --- &n
bsp; ---
--- 193.215.248.222 172.17.6.223 --- &n
bsp; ---
--- 193.215.248.223 172.17.5.82 --- &n
bsp; ---
--- 193.215.248.224 172.17.6.20 --- &n
bsp; ---
--- 193.215.248.225 172.17.6.194 --- &n
bsp; ---
--- 193.215.248.226 172.17.6.208 --- &n
bsp; ---
--- 193.215.248.227 172.17.6.210 --- &n
bsp; ---
--- 193.215.248.228 172.17.6.187 --- &n
bsp; ---
--- 193.215.248.229 172.17.6.152 --- &n
bsp; ---
--- 193.215.248.230 172.17.4.156 --- &n
bsp; ---
tcp 193.215.248.222:64785 172.17.6.223:64785 192.168.0.201:389
192.168.0.201:389
--- 193.215.248.231 172.17.6.161 --- &n
bsp; ---
--- 193.215.248.232 172.17.6.190 --- &n
bsp; ---
--- 193.215.248.233 172.17.4.29 --- &n
bsp; ---
--- 193.215.248.234 172.17.4.196 --- &n
bsp; ---
--- 193.215.248.235 172.17.6.166 --- &n
bsp; ---
--- 193.215.248.236 172.17.6.163 --- &n
bsp; ---
--- 193.215.248.237 172.17.6.205 --- &n
bsp; ---
--- 193.215.248.238 172.17.5.75 --- &n
bsp; ---
--- 193.215.248.239 172.17.6.206 --- &n
bsp; ---
--- 193.215.248.240 172.17.6.172 --- &n
bsp; ---
--- 193.215.248.241 172.17.6.214 --- &n
bsp; ---
--- 193.215.248.242 172.17.6.168 --- &n
bsp; ---
--- 193.215.248.243 172.17.6.213 --- &n
bsp; ---
--- 193.215.248.244 172.17.5.234 --- &n
bsp; ---
--- 193.215.248.245 172.17.6.184 --- &n
bsp; ---
--- 193.215.248.246 172.17.6.63 --- &n
bsp; ---
--- 193.215.248.247 172.17.6.212 --- &n
bsp; ---
--- 193.215.248.248 172.17.7.183 --- &n
bsp; ---
--- 193.215.248.249 172.17.6.211 --- &n
bsp; ---
--- 193.215.248.250 172.17.6.169 --- &n
bsp; ---
tcp 193.215.248.222:64863 172.17.6.223:64863 192.168.0.201:389
192.168.0.201:389
tcp 193.215.248.222:65282 172.17.6.223:65282 192.168.0.201:389
192.168.0.201:389
tcp 193.215.248.222:65459 172.17.6.223:65459 192.168.0.201:389
192.168.0.201:389
tcp 193.215.248.222:49214 172.17.6.223:49214 192.168.0.201:389
192.168.0.201:389
tcp 193.215.248.222:49296 172.17.6.223:49296 192.168.0.201:389
192.168.0.201:389

wlan-glue#sh ip dhcp bin | in 172.17.4.|172.17.5.|172.17.6.|172.17.7.
172.17.4.29 0100.1de0.3263.1d Apr 26 2008 06:16 AM
Automatic
172.17.4.67 0100.13ce.ea15.e7 Apr 26 2008 04:28 AM
Automatic
172.17.4.142 0100.12f0.3d4d.ce Apr 25 2008 12:17 PM
Automatic
172.17.4.156 0100.166f.80e4.50 Apr 25 2008 08:01 AM
Automatic
172.17.4.196 0100.1de0.3299.81 Apr 26 2008 10:18 AM
Automatic
172.17.5.75 0100.1b77.523b.6e Apr 25 2008 06:05 PM
Automatic
172.17.5.82 0100.1de0.3292.a7 Apr 25 2008 11:34 AM
Automatic
172.17.5.135 0100.0f20.94fc.b9 Apr 24 2008 12:26 PM
Automatic
172.17.5.219 0100.1de0.3263.93 Apr 25 2008 06:56 AM
Automatic
172.17.5.234 0100.1de0.32cc.53 Apr 25 2008 06:36 PM
Automatic
172.17.5.254 0100.13e8.bfbd.35 Apr 25 2008 07:09 AM
Automatic
172.17.6.20 0100.18de.9e33.31 Apr 26 2008 08:39 AM
Automatic
172.17.6.63 0100.904b.2434.66 Apr 26 2008 04:27 AM
Automatic
172.17.6.76 0100.1cbf.3c3b.0f Apr 25 2008 06:45 AM
Automatic
172.17.6.77 0100.19d2.07f0.c1 Apr 23 2008 11:54 AM
Automatic
172.17.6.84 0100.1de0.83f2.7b Apr 26 2008 06:48 AM
Automatic
172.17.6.94 0100.1cbf.0917.5a Apr 26 2008 06:33 AM
Automatic
172.17.6.109 0100.166f.1e1b.3f Apr 26 2008 09:49 AM
Automatic
172.17.6.152 0100.1de0.5dd4.1f Apr 26 2008 10:45 AM
Automatic
172.17.6.157 0100.12f0.3236.fb Apr 26 2008 09:42 AM
Automatic
172.17.6.161 0100.19d2.0838.07 Apr 26 2008 06:36 AM
Automatic
172.17.6.162 0100.19d2.9851.bd Apr 24 2008 04:32 AM
Automatic
172.17.6.163 0100.18de.cac1.0c Apr 25 2008 05:24 AM
Automatic
172.17.6.165 0100.13e8.732f.e3 Apr 24 2008 05:49 AM
Automatic
172.17.6.166 0100.1302.81f5.25 Apr 26 2008 06:56 AM
Automatic
172.17.6.167 0100.1cb3.31ef.3b Apr 24 2008 10:49 AM
Automatic
172.17.6.168 0100.19d2.3924.24 Apr 26 2008 10:52 AM
Automatic
172.17.6.169 0100.1de0.0b9d.e9 Apr 26 2008 10:36 AM
Automatic
172.17.6.170 0100.197e.9a81.7e Apr 25 2008 07:41 AM
Automatic
172.17.6.171 0100.1302.1617.0f Apr 24 2008 03:12 PM
Automatic
172.17.6.172 0100.1b77.0500.e3 Apr 25 2008 06:56 AM
Automatic
172.17.6.174 0100.1e52.21dc.f5 Apr 24 2008 03:09 PM
Automatic
172.17.6.175 0100.1302.3a8f.0c Apr 25 2008 11:12 AM
Automatic
172.17.6.178 0100.19d2.98ec.bd Apr 26 2008 11:02 AM
Automatic
172.17.6.179 0100.19d2.84b7.78 Apr 25 2008 07:29 AM
Automatic
172.17.6.180 0100.1302.4e83.e8 Apr 26 2008 09:27 AM
Automatic
172.17.6.181 0100.13e8.9eca.19 Apr 24 2008 07:11 AM
Automatic
172.17.6.182 0100.13e8.bdb2.93 Apr 24 2008 07:14 AM
Automatic
172.17.6.183 0100.1b77.9674.5a Apr 26 2008 07:15 AM
Automatic
172.17.6.184 0100.13ce.8b34.9d Apr 25 2008 12:27 PM
Automatic
172.17.6.185 0100.13ce.672b.8d Apr 24 2008 07:56 AM
Automatic
172.17.6.187 0100.1b77.5278.11 Apr 25 2008 12:35 PM
Automatic
172.17.6.188 0100.1de0.1a8c.fd Apr 24 2008 08:08 AM
Automatic
172.17.6.190 0100.1de0.8447.bb Apr 26 2008 06:17 AM
Automatic
172.17.6.193 0100.19d2.0b3b.00 Apr 25 2008 08:38 AM
Automatic
172.17.6.194 0100.1302.42b7.e2 Apr 26 2008 06:57 AM
Automatic
172.17.6.195 0100.13e8.e9c7.bd Apr 25 2008 11:44 AM
Automatic
172.17.6.196 0100.1de0.0a9c.09 Apr 26 2008 06:57 AM
Automatic
172.17.6.197 0100.1dd9.4360.ca Apr 26 2008 08:43 AM
Automatic
172.17.6.198 0100.1e52.22b3.09 Apr 24 2008 12:40 PM
Automatic
172.17.6.200 0100.1841.0510.e0 Apr 24 2008 10:47 AM
Automatic
172.17.6.201 0100.13e8.4773.8d Apr 26 2008 07:19 AM
Automatic
172.17.6.202 0100.166f.3a5c.55 Apr 24 2008 03:01 PM
Automatic
172.17.6.203 0100.1b77.51b3.36 Apr 26 2008 06:56 AM
Automatic
172.17.6.205 0100.19d2.17f9.38 Apr 25 2008 03:51 PM
Automatic
172.17.6.206 0100.0e35.b4d1.83 Apr 25 2008 04:33 AM
Automatic
172.17.6.207 0100.19d2.731f.e8 Apr 25 2008 05:48 AM
Automatic
172.17.6.208 0100.166f.7c39.b2 Apr 25 2008 06:14 AM
Automatic
172.17.6.209 0100.1b77.617a.af Apr 25 2008 06:18 AM
Automatic
172.17.6.214 0100.3005.b4b8.e6 Apr 25 2008 06:57 AM
Automatic
172.17.6.216 0100.1cbf.0465.96 Apr 26 2008 05:05 AM
Automatic
172.17.6.220 0100.13e8.ba70.e1 Apr 26 2008 06:00 AM
Automatic
172.17.6.221 0100.1de0.0bab.8d Apr 25 2008 07:35 AM
Automatic
172.17.6.222 0100.13e8.7352.bf Apr 25 2008 07:41 AM
Automatic
172.17.6.223 0100.13e8.764c.2b Apr 26 2008 10:42 AM
Automatic
172.17.6.224 0100.12f0.0065.db Apr 25 2008 08:37 AM
Automatic
172.17.6.225 0100.032d.0d55.d8 Apr 26 2008 07:35 AM
Automatic
172.17.6.226 0100.19d2.06a6.18 Apr 25 2008 09:50 AM
Automatic
172.17.6.227 0100.18de.a82f.32 Apr 25 2008 10:02 AM
Automatic
172.17.6.228 0100.13e8.85b1.4f Apr 26 2008 11:01 AM
Automatic
172.17.6.229 0100.166f.93c1.46 Apr 25 2008 10:37 AM
Automatic
172.17.6.230 0100.1302.30fc.08 Apr 25 2008 10:40 AM
Automatic
172.17.6.231 0100.14a5.b068.ab Apr 26 2008 07:31 AM
Automatic
172.17.6.232 0100.18de.c0fa.04 Apr 25 2008 11:08 AM
Automatic
172.17.6.233 0100.1cbf.740e.c2 Apr 25 2008 12:57 PM
Automatic
172.17.6.234 0100.1ec2.3d7d.56 Apr 25 2008 12:24 PM
Automatic
172.17.6.235 0100.18de.6ff1.d7 Apr 25 2008 12:29 PM
Automatic
172.17.6.236 0100.1cbf.3c55.ba Apr 26 2008 06:01 AM
Automatic
172.17.6.237 0100.1b77.6df6.49 Apr 26 2008 05:41 AM
Automatic
172.17.6.238 0100.19d2.73a2.fc Apr 26 2008 07:57 AM
Automatic
172.17.6.239 0100.1500.4a37.f2 Apr 26 2008 05:52 AM
Automatic
172.17.6.240 0100.13ce.326e.88 Apr 26 2008 06:11 AM
Automatic
172.17.6.241 0100.1302.29c7.fa Apr 26 2008 06:43 AM
Automatic
172.17.6.242 0100.1cbf.9d2f.b2 Apr 26 2008 06:34 AM
Automatic
172.17.6.243 0100.110a.80b8.91 Apr 26 2008 06:38 AM
Automatic
172.17.6.244 0100.19d2.38af.58 Apr 26 2008 06:40 AM
Automatic
172.17.6.245 0100.19d2.96d0.55 Apr 26 2008 06:41 AM
Automatic
172.17.6.246 0100.1302.5eeb.7c Apr 26 2008 07:02 AM
Automatic
172.17.6.247 0100.1302.37b9.7e Apr 26 2008 07:03 AM
Automatic
172.17.6.248 0100.19d2.6313.e3 Apr 26 2008 07:28 AM
Automatic
172.17.6.249 0100.19d2.7458.d0 Apr 26 2008 09:10 AM
Automatic
172.17.6.250 0100.1de0.a652.39 Apr 26 2008 08:05 AM
Automatic
172.17.6.251 0100.1302.3ab4.b3 Apr 26 2008 08:22 AM
Automatic
172.17.6.252 0100.1e4c.1418.de Apr 26 2008 08:33 AM
Automatic
172.17.6.253 0100.1841.4f9f.f0 Apr 26 2008 10:19 AM
Automatic
172.17.7.182 0100.1de0.3263.f9 Apr 26 2008 06:47 AM
Automatic
172.17.7.183 0100.1de0.3293.25 Apr 25 2008 06:38 AM
Automatic

The dhcp server does take back the address leases that are not in use
anymore

On Wed Apr 23 12:24 , 'Sadiq Yakasai' sent:

  Hi Jens,

  I am not sure I have seen what you are trying to do been done in the
  past, but check this out, it might be helpful as an alternative, this
  is NAT for High Availability HSRP though:

  http://www.cisco.com/en/US/docs/ios/12_4/ip_addr/configuration/guide
  /ntbhigha_ps6350_TSD_Products_Configuration_Guide_Chapter.html

  HTH

  Sadiq

  Pass the CCIE in six weeks, Guaranteed!
  http://www.certscience.com/CCIE
  _______________________________________________________________________
  Subscription information may be found at:
  http://www.groupstudy.com/list/CCIELab.html

-------------------------------------------------------------------------
Fe din egen, gratis e-postadresse pe Start.no

Pass the CCIE in six weeks, Guaranteed!
http://www.certscience.com/CCIE

This archive was generated by hypermail 2.1.4 : Thu May 01 2008 - 08:25:51 ART