Too many NAT Rules created

Unanswered Question

I have an issue when I have a game query for servers that it creates a NAT rules for each server in the list i'm assuming. I'm running 2621 connected to a DSL Modem. The router will almost lock up creating and deleting NAT rules. Is there something that sticks out in this config? I had this working will with DHCP parm for fa0/1 and IP ROUTE also with DHCP. Its only with the static ISP that I switched to.

interface FastEthernet0/0

description Local Network

bandwidth 1200

ip address [ROUTERIP]

no ip proxy-arp

ip nat inside

duplex auto

speed 100


interface FastEthernet0/1

description connected to Internet

ip address [ISPSTATIC]

no ip proxy-arp

ip nat outside

duplex auto

speed auto


ip nat log translations syslog

ip nat inside source list 7 interface FastEthernet0/1 overload

ip nat inside source static tcp [WEBSERVERIP] 80 interface FastEthernet0/1 80

ip http server

ip classless

ip route [ISPGATEWAY]

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
michael.leblanc Thu, 05/08/2008 - 16:43
User Badges:
  • Silver, 250 points or more

Are you sure it isn't the logging of individual translations that is choking the router?

You're not specifying any port numbers in access-list 7 are you?

michael.leblanc Fri, 05/09/2008 - 07:03
User Badges:
  • Silver, 250 points or more

There doesn't appear to be anything wrong with your NAT configuration.

If you are generating more NAT translations than before (Cisco router/cable ISP), the question may be why is your system connecting to more external hosts? A change in application setup, newer version?

When you say "debug", are you actually referring to CLI debug commands, or that you are logging NAT translations to syslog?

Are you comparing the NetGear's "performance" to the Cisco's performance (with debugging and NAT logging enabled), or are you saying that the NetGear doesn't generate as many NAT translations?

An earlier post (Nov. 2007) shows that you did not have a static NAT to an internal web server.

What portion of the NAT translations relate to connections to that server?

Perhaps you could post a partial output of "sh ip nat translations". If you wish, you can replace the inside-global-ip of each translation for your privacy.

michael.leblanc Fri, 05/09/2008 - 07:36
User Badges:
  • Silver, 250 points or more

I'm not familiar with gaming, or the queries for lists of servers. Is the list that is built, not a list of servers that your application has successfully connected too?

A NAT translation will be built for every server you connect to.

If the number of translations in the table is an issue (as opposed to the rate of new translations), perhaps you should timeout old translations earlier with the following command:

ip nat translation tcp-timeout

As far as the debug goes, it does impose a load on the device, and I hope you don't keep debugging enabled all the time.

michael.leblanc Sat, 05/10/2008 - 05:08
User Badges:
  • Silver, 250 points or more

That doesn't move us closer to resolving the issue though.

I was hoping you would have responded with the info asked for (sh ip nat translations) so we could determine whether your gaming was tunneled through port 80; whether you were using HTTP inspection (not shown in your partial config), and if so, how it was being used.

Likewise, how many of the translations were attributable to the internal web server, given that you have not indicated whether that port forwarding is also configured on the Belkin router.


This Discussion