[j-nsp] NAT

Stefan Fouant sfouant at shortestpathfirst.net
Mon Mar 29 12:11:37 EDT 2010


> -----Original Message-----
> From: Ibariouen Khalid [mailto:ibariouen.khalid at ericsson.com]
> Sent: Sunday, March 28, 2010 2:45 PM
> To: sfouant at shortestpathfirst.net; juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] NAT
> 
> 
> Hi again,
> Yes, it's the untrust interface;
> I'm taking stats every morning and clearing stats;
> This means that during 24 hours I got around 1977 not nat vector. And
> it's confusing me.

Do a 'get interface ethernet1/3 dip detail' and take a look at what your NAT
values are.  Is the status listed as Free?

Also, I would suggest ratcheting down the timers for your more commonly used
protocols (if you've got NSM you can run a report on 'Top FW/VPN Rules') -
you might want to try to identify which rules are being used the most and
check the applications which are being allowed.  Are the timeouts for those
applications set at the default?  Have they been adjusted?  I would suggest
lowering them as it sounds like you have sessions which are remaining open
and holding on to NAT/PAT allocations without releasing them.

Finally, do you have ALGs enabled?  Take a look at 'get xlate' and try to
identify if there is an issue with failed allocations in an ALG.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D


