[c-nsp] NAT/PAT question

Goran Gajic ggajic at sbb.co.yu
Mon May 2 06:52:54 EDT 2005


Hi,

We have a 7206VXR running IOS 12.3(14)T. It is configured to run
PAT (NAT overload). We have a NAT pool range from x.y.z.64 to x.y.z.254. But the
problem I see is that only the first address is ever used for PAT translations.
Is there any way to make PAT use all IP addresses in the pool? Here is part of the
running-config:

ip nat translation timeout 600
ip nat translation tcp-timeout 600
ip nat translation pptp-timeout 600
ip nat translation max-entries all-host 800
ip nat pool USERS1 x.y.z.128 x.y.z.159 netmask 255.255.255.224
ip nat pool USERS3 x.y.z.192 x.y.z.223 netmask 255.255.255.224
ip nat pool USERS4 x.y.z.224 x.y.z.254 netmask 255.255.255.224
ip nat pool USERS5 x.y.z.160 x.y.z.167 netmask 255.255.255.248
ip nat pool USERS6 x.y.z.168 x.y.z.175 netmask 255.255.255.248
ip nat pool USERS7 x.y.z.176 x.y.z.183 netmask 255.255.255.248
ip nat pool USERS8 x.y.z.184 x.y.z.191 netmask 255.255.255.248
ip nat pool USR1 x.y.z.64 x.y.z.71 netmask 255.255.255.248
ip nat pool USR2 x.y.z.72 x.y.z.79 netmask 255.255.255.248
ip nat pool USR3 x.y.z.80 x.y.z.87 netmask 255.255.255.248
ip nat pool USR4 x.y.z.88 x.y.z.95 netmask 255.255.255.248
ip nat pool USR5 x.y.z.96 x.y.z.103 netmask 255.255.255.248
ip nat pool USR6 x.y.z.104 x.y.z.111 netmask 255.255.255.248
ip nat pool USR7 x.y.z.112 x.y.z.119 netmask 255.255.255.248
ip nat pool USR8 x.y.z.120 x.y.z.127 netmask 255.255.255.248
ip nat inside source list 6 pool USERS1 overload
ip nat inside source list 8 pool USERS3 overload
ip nat inside source list 9 pool USERS4 overload
ip nat inside source list 10 pool USERS5 overload
ip nat inside source list 11 pool USERS6 overload
ip nat inside source list 12 pool USERS7 overload
ip nat inside source list 13 pool USERS8 overload
ip nat inside source list 14 pool USERS8 overload
ip nat inside source list 22 pool USR1 overload
ip nat inside source list 23 pool USR2 overload
ip nat inside source list 24 pool USR3 overload
ip nat inside source list 25 pool USR4 overload
ip nat inside source list 26 pool USR5 overload
ip nat inside source list 27 pool USR6 overload
ip nat inside source list 28 pool USR7 overload
ip nat inside source list 29 pool USR8 overload
!
access-list 6 permit 10.1.0.0 0.0.63.255
access-list 7 permit 10.1.64.0 0.0.63.255
access-list 8 permit 10.1.128.0 0.0.63.255
access-list 9 permit 10.1.192.0 0.0.63.255
access-list 9 permit 10.3.0.0 0.0.255.255
access-list 10 permit 10.1.64.0 0.0.15.255
access-list 11 permit 10.1.80.0 0.0.15.255
access-list 12 permit 10.1.96.0 0.0.15.255
access-list 13 permit 10.1.112.0 0.0.15.255
access-list 14 permit 10.20.0.0 0.0.255.255
access-list 21 permit 10.2.0.0 0.0.255.255
access-list 22 permit 10.2.0.0 0.0.31.255
access-list 23 permit 10.2.32.0 0.0.31.255
access-list 24 permit 10.2.64.0 0.0.31.255
access-list 25 permit 10.2.96.0 0.0.31.255
access-list 26 permit 10.2.128.0 0.0.31.255
access-list 27 permit 10.2.160.0 0.0.31.255
access-list 28 permit 10.2.192.0 0.0.31.255
access-list 29 permit 10.2.224.0 0.0.31.255
access-list 29 permit 10.15.0.0 0.0.255.255

And sh ip nat statistics shows this:
[Id: 1] access-list 6 pool USERS1 refcount 353
  pool USERS1: netmask 255.255.255.224
         start x.y.z.128 end x.y.z.159
         type generic, total addresses 32, allocated 1 (3%), misses 0
[Id: 2] access-list 8 pool USERS3 refcount 13369
  pool USERS3: netmask 255.255.255.224
         start x.y.z.192 end x.y.z.223
         type generic, total addresses 32, allocated 1 (3%), misses 0
[Id: 3] access-list 9 pool USERS4 refcount 4871
etc.

So, my question is: why is only one IP address ever allocated?
What can be done to make PAT use all IP addresses in the pool randomly?
I've looked through the Cisco documentation but couldn't find anything.
Since users are PAT-ed through one IP address in the pool, it causes quite a big
problem. There are something like ~10000 CPEs on our 10.1/16, 10.2/16, 10.3/16
and 10.15/16 networks. I know that PAT fills one IP address's ports and when
that IP address in the pool is filled it starts using another, but is there any way
to make the use of IP addresses in the pool random? If Cisco can't do this, any
other suggestion for a NAT (PAT) box?


Regards,
Goran Gajic
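Added example, not from the original post and not Cisco's allocator: a small Python model of the pool behaviour the post describes (fill one global address's ports before moving to the next), beside a "spread" policy that picks the starting address by hashing the inside source. The pool range 198.51.100.64-71, the inside prefix 10.2.0.0/16, the port range 1024-65535 and the crc32-based spread policy are all assumptions made for the illustration; the real IOS port-allocation rules are not modelled. It shows why "allocated 1" is the expected result under fill-first: ten thousand CPEs with a handful of flows each never exhaust the 64512 ports of a single address.

```python
"""Toy model of PAT (NAT overload) address/port allocation from a pool.

Added example, not Cisco IOS's real allocator: it only models the
behaviour described in the post (fill one global address's ports, then
move to the next) and contrasts it with a hash-spread policy.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from itertools import islice
import zlib

# Assumption: ports handed out for overload translations, 64512 per address.
EPHEMERAL = range(1024, 65536)


class PatPool:
    """A pool of global addresses, each with len(EPHEMERAL) usable ports."""

    def __init__(self, first, last, policy="fill-first"):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.addresses = [str(ip_address(i)) for i in range(lo, hi + 1)]
        self.policy = policy
        self.next_port = {a: EPHEMERAL.start for a in self.addresses}
        self.table = {}   # (inside_ip, inside_port) -> (global_ip, global_port)
        self.misses = 0   # flows refused because every address was full

    def _candidates(self, inside_ip):
        if self.policy == "fill-first":
            # Always start at the first address: it is reused until its ports run out.
            return self.addresses
        # "spread": start at an address chosen by hashing the inside source (crc32 is
        # deterministic, unlike hash()); overflow to the following addresses if full.
        start = zlib.crc32(inside_ip.encode()) % len(self.addresses)
        return self.addresses[start:] + self.addresses[:start]

    def translate(self, inside_ip, inside_port):
        """Return the (global_ip, global_port) for a flow, allocating it if new."""
        key = (inside_ip, inside_port)
        if key in self.table:
            return self.table[key]
        for addr in self._candidates(inside_ip):
            port = self.next_port[addr]
            if port in EPHEMERAL:          # O(1) range check; False once the address is full
                self.next_port[addr] = port + 1
                self.table[key] = (addr, port)
                return self.table[key]
        self.misses += 1
        return None

    def allocated(self):
        """Translations per global address, like 'allocated' in show ip nat statistics."""
        return Counter(addr for addr, _ in self.table.values())


def simulate(policy, hosts, flows_per_host,
             first="198.51.100.64", last="198.51.100.71"):
    """Send hosts * flows_per_host flows from 10.2.0.0/16 through the pool."""
    pool = PatPool(first, last, policy)
    for host in islice(ip_network("10.2.0.0/16").hosts(), hosts):
        for n in range(flows_per_host):
            pool.translate(str(host), 40000 + n)   # distinct source port per flow
    return pool


if __name__ == "__main__":
    for policy in ("fill-first", "spread"):
        pool = simulate(policy, hosts=2000, flows_per_host=5)
        print(policy, dict(pool.allocated()))
```

Under fill-first, 2000 hosts with 5 flows each all land on the first address, and the second address is only touched once the first one's 64512 ports are gone; under spread, every address in the pool carries a share of the same load. Whichever policy a real box uses, attributing a connection back to a CPE needs the full (global address, global port, time) tuple from the translation table, so translation logging has to record the port and not just the address.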

