[c-nsp] NAT pool behavior - can't use /32

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Apr 12 04:31:49 EDT 2006


Church, Chuck <> wrote on Wednesday, April 12, 2006 4:16 AM:

> All,
> 
>     Setting up a customer today in an odd type of deployment, I found
> that trying use contiguous addresses each as a nat overload in a pool
> doesn't work, putting a /32 mask on the pool causes IOS to complain
> (yet accept it), and you'll get NAT translation errors on some
> subnets.  I have a 2650 with the serial as the NAT outside, and 4
> subints on the ethernet (dot1q tagged) as NAT inside.  The idea is to
> use one of my 6 routable addresses as a NAT overload for all traffic
> from the 1st subint inside, another routable address for the 2nd
> subint, and so on.  Using loopback interfaces like this seemed to
> work though: 
>[...]
> Can anyone elaborate on why NAT pools can't be
> /32 (even if the start and end addresses are the same), and if what I
> did might end up causing headaches down the road?

you didn't get a warning when you tried to configure a /32 prefix size?
I do:

client(config)#ip nat pool test 1.1.1.1 1.1.1.1 netmask 255.255.255.255
%Pool test mask 255.255.255.255 too small; should be at least
255.255.255.252
client(config)#ip nat pool test 1.1.1.1 1.1.1.1 prefix-length 32       
%Pool test prefix length 32 too large; should be no more than 30
client(config)#

but a general comment about the netmask: By specifying a netmask, you
tell NAT to exclude the network and broadcast address from the available
addresses. This seems to fail when you specify a /32.
Since you only need one address and don't need to worry about
network/broadcast address, just specify an arbitrary prefix-length,
netmask, i.e. a /24 or /16 or /1, whatever..
Or use your current setup with loopbacks, which works as well..

	oli
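To make the behaviour described in this reply concrete, here is a small added model (not from the thread or from Cisco) of how a NAT pool's netmask/prefix-length shrinks the usable address set: the network and broadcast address of the subnet the mask implies are skipped, and anything longer than /30 is rejected with the same wording IOS prints above. The minimum-length constant and the helper names are assumptions for illustration.

```python
import ipaddress

# IOS refuses pool masks longer than /30 (see the warnings quoted in the thread);
# this constant is an assumption that mirrors that message, not a Cisco API.
MAX_POOL_PREFIX_LEN = 30


def netmask_to_prefix_length(mask: str) -> int:
    """Convert a dotted netmask such as 255.255.255.252 to its prefix length."""
    return ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen


def pool_usable_addresses(start: str, end: str, prefix_length: int):
    """Model the pool check: which addresses between start and end survive
    once the subnet's network and broadcast addresses are excluded.

    Returns (warning, usable) where warning is None when the pool is accepted
    and usable is the list of addresses NAT may actually hand out.
    """
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError("end address precedes start address")

    if prefix_length > MAX_POOL_PREFIX_LEN:
        # /31 and /32 leave nothing once network/broadcast are skipped,
        # so the configuration is flagged instead of silently yielding 0 addresses.
        warning = (f"prefix length {prefix_length} too large; "
                   f"should be no more than {MAX_POOL_PREFIX_LEN}")
        return warning, []

    usable = []
    for n in range(first, last + 1):
        addr = ipaddress.IPv4Address(n)
        # The subnet this address falls into under the pool's mask.
        subnet = ipaddress.IPv4Network((n, prefix_length), strict=False)
        if addr in (subnet.network_address, subnet.broadcast_address):
            continue  # excluded, exactly as the reply describes
        usable.append(str(addr))
    return None, usable


if __name__ == "__main__":
    # Single-address pool with a wide mask: accepted, one usable address.
    print(pool_usable_addresses("1.1.1.1", "1.1.1.1", 24))
    # Same address with /32: rejected, as in the quoted IOS session.
    print(pool_usable_addresses("1.1.1.1", "1.1.1.1", 32))
```

With a /30 covering 1.1.1.0 to 1.1.1.3 only the two middle addresses remain, which is why a mask that leaves room for network and broadcast is the practical fix when a single overload address is wanted.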