[c-nsp] NAT/PAT question

Kevin Graham mahargk at gmail.com
Mon May 2 13:29:38 EDT 2005


On 5/2/05, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> > That is the reason why I need PAT to use as many addresses inside the pool as
> > it can. Unfortunately the design of my network is such that there is no
> > option to use 1:1 mapping.
> 
> Let me check with some NAT folks if there is anything in the works to
> alter the behavior..

I just closed a TAC case requesting that there be some attempt to rotate
the addresses used in NAT pools (got pushed off to the 'Release
Feedback' form when requesting a syswish and didn't feel like fighting
it).

Rather than getting PIX behavior of 1:1 until exhausted, would just
love to see some attempt (hashed, rotate every N connections, etc) to
actually use the available addresses in a pool. Plenty of good reasons
for it and short of architectural limitations, can't think of any
against it...

(On a side note, also fruitlessly pursued an override to the
prefix-length check for broadcast addresses when using a NAT pool that
is not associated w/ a physical interface. With the addition of the
NVI features, this type of setup would presumably become more
commonplace and there's no good reason to throw out two addresses per
pool).
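The two behaviours discussed in the post (a pool that is filled 1:1 until the first address is exhausted versus one that rotates or hashes across its members, and the prefix-length check that discards the network and broadcast address of a pool) can be made concrete with a small simulation. The following is an added example written for this thread, not Cisco IOS or PIX code; the per-address port budget (4, far below the real tens of thousands), the inside hosts, the pool prefix 203.0.113.0/29 and the three strategy names are constructed for illustration.

```python
"""Simulate how a PAT pool hands out outside addresses under three
allocation strategies, and how the prefix-length check shrinks a pool."""
import hashlib
import ipaddress
from collections import Counter

# Constructed, deliberately tiny port budget per outside address so that
# exhaustion becomes visible with a handful of flows.
PORTS_PER_ADDRESS = 4


def pool_addresses(cidr, drop_net_and_bcast):
    """Expand a pool prefix into outside addresses. drop_net_and_bcast models
    the check that refuses the network and broadcast addresses of the pool,
    which costs two usable addresses per pool."""
    net = ipaddress.ip_network(cidr)
    addrs = net.hosts() if drop_net_and_bcast else net
    return [str(a) for a in addrs]


class PatPool:
    """Allocate (address, port) slots from a pool with a chosen strategy."""

    def __init__(self, addresses, strategy, rotate_every=2):
        self.addresses = list(addresses)
        self.strategy = strategy          # "fill_first", "rotate" or "hashed"
        self.rotate_every = rotate_every  # flows per address before moving on
        self.used = Counter()             # outside address -> ports consumed
        self.allocations = 0

    def _has_room(self, i):
        return self.used[self.addresses[i]] < PORTS_PER_ADDRESS

    def _first_free_from(self, start):
        """Walk the pool circularly from `start`; None if every address is full."""
        n = len(self.addresses)
        for k in range(n):
            i = (start + k) % n
            if self._has_room(i):
                return i
        return None

    def allocate(self, inside_src):
        n = len(self.addresses)
        if self.strategy == "fill_first":
            # PIX-style: always start at the first address, spill only on exhaustion.
            start = 0
        elif self.strategy == "rotate":
            # Advance to the next address every `rotate_every` allocations.
            start = (self.allocations // self.rotate_every) % n
        elif self.strategy == "hashed":
            # Pick the address from a hash of the inside source; sticky per host.
            digest = hashlib.sha256(inside_src.encode()).digest()
            start = int.from_bytes(digest[:4], "big") % n
        else:
            raise ValueError("unknown strategy: %s" % self.strategy)
        i = self._first_free_from(start)
        if i is None:
            return None  # pool exhausted: translation would fail
        addr = self.addresses[i]
        self.used[addr] += 1
        self.allocations += 1
        return addr


def run(strategy, cidr="203.0.113.0/29", flows=None, drop=True):
    """Translate a constructed batch of inside hosts; return the outside
    address chosen per flow and the per-address port consumption."""
    pool = PatPool(pool_addresses(cidr, drop), strategy)
    flows = flows or ["10.0.0.%d" % h for h in range(1, 7)]
    results = [pool.allocate(src) for src in flows]
    return results, dict(pool.used)


def addresses_in_use(strategy, **kw):
    """How many pool members actually carry translations after `run`."""
    _, used = run(strategy, **kw)
    return len(used)


if __name__ == "__main__":
    print("usable /29 with net/bcast dropped:", len(pool_addresses("203.0.113.0/29", True)))
    print("usable /29 without the check:     ", len(pool_addresses("203.0.113.0/29", False)))
    for s in ("fill_first", "rotate", "hashed"):
        print(s, run(s))
```

With six flows and a four-port budget, `fill_first` touches only two of the six usable addresses, `rotate` spreads them over three, and `hashed` distributes by inside host; dropping the network and broadcast addresses turns an eight-address /29 into six. The `None` return on exhaustion is the condition worth alerting on in a real deployment, since it shows up as silently failed translations rather than an obvious error.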
