From: Dale Shaw (dale.shaw@gmail.com)
Date: Thu Apr 24 2008 - 07:57:19 ART
Hi Aabid,
I don't think I've ever seen a 'nerd knob' in IOS that does exactly
what you describe. That's not to say there isn't one :-)
It doesn't do exactly what you want, but you could consider using the
"ip nat translation max-entries" command for a particular host -- a
reactive measure.
Example: ip nat translation max-entries host 10.200.200.15 50
(where 10.200.200.15 is the inside host creating lots of translations,
and 50 is the per-host translation limit)
The following text is an excerpt from
http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html
"PAT uses unique source port numbers on the Inside Global IP address
to distinguish between translations. Because the port number is
encoded in 16 bits, the total number could theoretically be as high as
65,536 per IP address. PAT will attempt to preserve the original
source port; if this source port is already allocated, PAT will attempt
to find the first available port number starting from the beginning of
the appropriate port group 0-511, 512-1023 or 1024-65535. If there is
still no port available from the appropriate group and more than one
IP address is configured, PAT will move to the next IP address and try
to allocate the original source port again. This continues until it
runs out of available ports and IP addresses."
There is also some good information here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml
cheers,
Dale
On Thu, Apr 24, 2008 at 8:28 PM, Aabid Saleem <aabids@nesma.net.sa> wrote:
>
> Yeah, exactly,
> the router always takes the first IP in the pool and keeps translating on that
> particular IP address, (if this 65,
>
> Is there a way to reduce the number of translations and change to the next
> available IP address?
> The reason to achieve this: sometimes an infected user is sending SPAM and that IP
> address gets blocked by many SPAM databases.
>
> Aabid
>
> Dale Shaw wrote:
>
> > It's not clear (to me at least) what you're asking.
> >
> > Allow me to attempt to paraphrase:
> >
> > When the router is configured with an address pool with >1 address,
> > can you control the way the router uses addresses in the pool?
> >
> > Example:
> >
> > address pool: 192.168.1.10 - 192.168.1.20
> > config: perform source address translation using address pool
> >
> > You want to know how the router chooses addresses, i.e. does it only
> > use 192.168.1.11 after there are ~65,535 active translations using
> > 192.168.1.10.
> >
> > Is that right?
> >
> > cheers,
> > Dale
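As an added illustration (not code from the thread or from Cisco), the following Python model walks through the PAT allocation order quoted in Dale's reply (preserve the original source port, else the first free port in the same group, else the next pool address) together with a per-host cap in the spirit of "ip nat translation max-entries host". Assumed: ports are tried lowest-first within a group, and a host that has reached its cap is simply refused a new translation.

```python
# Model of PAT port allocation plus a per-host translation cap (added example,
# not from the thread). Assumptions: lowest free port in the group is chosen
# first, and a host over its max-entries cap gets no new translation.
from dataclasses import dataclass, field

PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))  # groups from the Cisco excerpt

def port_group(port):
    """Return the (low, high) port group that contains `port`."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"bad port {port}")

@dataclass
class PatPool:
    addresses: list                                        # inside global IPs, pool order
    max_entries_per_host: dict = field(default_factory=dict)  # inside host -> cap
    used: dict = field(default_factory=dict)               # global IP -> set of ports
    per_host: dict = field(default_factory=dict)           # inside host -> entry count

    def translate(self, inside_host, src_port):
        """Pick (global_ip, global_port) for a new flow; None if capped or exhausted."""
        cap = self.max_entries_per_host.get(inside_host)
        if cap is not None and self.per_host.get(inside_host, 0) >= cap:
            return None                                    # host hit its per-host limit
        low, high = port_group(src_port)
        for ip in self.addresses:                          # first pool address, then the next
            taken = self.used.setdefault(ip, set())
            if src_port not in taken:                      # try to preserve the source port
                chosen = src_port
            else:                                          # else first free port in the group
                chosen = next((p for p in range(low, high + 1) if p not in taken), None)
                if chosen is None:
                    continue                               # group exhausted on this IP
            taken.add(chosen)
            self.per_host[inside_host] = self.per_host.get(inside_host, 0) + 1
            return ip, chosen
        return None                                        # out of ports and addresses

def demo():
    """Constructed scenario: two-address pool, host 10.200.200.15 capped at 2 entries."""
    pool = PatPool(["192.168.1.10", "192.168.1.11"], {"10.200.200.15": 2})
    first = pool.translate("10.200.200.15", 40000)        # port preserved on .10
    second = pool.translate("10.0.0.7", 40000)            # collision -> 1024 on .10
    third = pool.translate("10.200.200.15", 40001)        # second entry, still allowed
    fourth = pool.translate("10.200.200.15", 40002)       # cap reached -> None
    for p in range(512):                                  # exhaust group 0-511 on .10
        pool.translate("10.0.0.8", p)
    fifth = pool.translate("10.0.0.9", 100)               # group full on .10 -> .11, port 100
    return first, second, third, fourth, fifth
```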
This archive was generated by hypermail 2.1.4 : Thu May 01 2008 - 08:25:52 ART