Too many NAT Rules created

pnielsen (Level 1)

I have an issue when I have a game query for servers that creates NAT rules for each server in the list, I'm assuming. I'm running a 2621 connected to a DSL modem. The router will almost lock up creating and deleting NAT rules. Is there something that sticks out in this config? I had this working well with DHCP parm for fa0/1 and IP ROUTE also with DHCP. It's only with the static ISP that I switched to.

interface FastEthernet0/0
 description Local Network
 bandwidth 1200
 ip address [ROUTERIP] 255.255.255.0
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed 100
!
interface FastEthernet0/1
 description connected to Internet
 ip address [ISPSTATIC] 255.255.255.252
 no ip proxy-arp
 ip nat outside
 duplex auto
 speed auto
!
ip nat log translations syslog
ip nat inside source list 7 interface FastEthernet0/1 overload
ip nat inside source static tcp [WEBSERVERIP] 80 interface FastEthernet0/1 80
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 [ISPGATEWAY]

8 Replies

michael.leblanc (Level 4)

Are you sure it isn't the logging of individual translations that is choking the router?

You're not specifying any port numbers in access-list 7 are you?

access-list 7 permit 192.168.1.0 0.0.0.255

This issue didn't happen with the same setup with cable. I watched the debug when I had cable and it didn't create all these NAT rules. I connected the DSL modem to an old Netgear with defaults and it works great. I must be missing something.

There doesn't appear to be anything wrong with your NAT configuration.

If you are generating more NAT translations than before (Cisco router/cable ISP), the question may be why is your system connecting to more external hosts? A change in application setup, newer version?

When you say "debug", are you actually referring to CLI debug commands, or that you are logging NAT translations to syslog?

Are you comparing the NetGear's "performance" to the Cisco's performance (with debugging and NAT logging enabled), or are you saying that the NetGear doesn't generate as many NAT translations?

An earlier post (Nov. 2007) shows that you did not have a static NAT to an internal web server.

What portion of the NAT translations relate to connections to that server?

Perhaps you could post a partial output of "sh ip nat translations". If you wish, you can replace the inside-global-ip of each translation for your privacy.
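The reply above asks for a partial "sh ip nat translations" dump so the entries can be attributed to the web-server port forward versus the gaming host. The following script is an added example, not code from this thread or from Cisco: it parses a table in that command's column layout and tallies entries per inside host, distinct outside peers per inside host, a histogram of outside destination ports, and how many entries belong to a given static mapping. The sample table is constructed with documentation-range addresses; the web-server address 192.168.1.5, the gaming host 192.168.1.10 and the ports are all assumed values.

```python
"""Summarise a captured 'show ip nat translations' table.

Added example (not from the thread): counts NAT entries per inside-local host,
distinct outside peers per host, destination-port histogram, and the number of
entries hanging off a static port forward. The input format is the five-column
layout of the IOS command: Pro, Inside global, Inside local, Outside local,
Outside global.
"""
from collections import Counter, namedtuple

Translation = namedtuple(
    "Translation", "proto inside_global inside_local outside_local outside_global")

# Constructed sample output (not captured from the poster's router).
# 192.168.1.5 is the assumed static-mapped web server, 192.168.1.10 the gaming PC.
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.2:80        192.168.1.5:80        ---                   ---
tcp 203.0.113.2:80        192.168.1.5:80        198.51.100.20:51212   198.51.100.20:51212
tcp 203.0.113.2:80        192.168.1.5:80        198.51.100.21:40001   198.51.100.21:40001
udp 203.0.113.2:27005     192.168.1.10:27005    198.51.100.30:27015   198.51.100.30:27015
udp 203.0.113.2:27005     192.168.1.10:27005    198.51.100.31:27015   198.51.100.31:27015
udp 203.0.113.2:27005     192.168.1.10:27005    198.51.100.32:27016   198.51.100.32:27016
udp 203.0.113.2:1025      192.168.1.10:27005    198.51.100.33:27015   198.51.100.33:27015
tcp 203.0.113.2:1026      192.168.1.10:49200    198.51.100.40:443     198.51.100.40:443
"""


def split_endpoint(token):
    """'198.51.100.20:51212' -> ('198.51.100.20', 51212); '---' -> (None, None);
    a bare address (static entry without ports) -> (address, None)."""
    if token == "---":
        return None, None
    if ":" not in token:
        return token, None
    host, _, port = token.rpartition(":")
    return host, int(port)


def parse_translations(text):
    """Return one Translation per data row; the header row is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        entries.append(Translation(fields[0], *(split_endpoint(f) for f in fields[1:])))
    return entries


def is_dynamic(entry):
    """Rows with a real outside peer; the static placeholder row has '---' there."""
    return entry.outside_global[0] is not None


def entries_per_inside_host(entries):
    return Counter(e.inside_local[0] for e in entries if is_dynamic(e))


def distinct_peers_per_inside_host(entries):
    peers = {}
    for e in entries:
        if is_dynamic(e):
            peers.setdefault(e.inside_local[0], set()).add(e.outside_global[0])
    return {host: len(addrs) for host, addrs in peers.items()}


def outside_port_histogram(entries):
    """Which destination ports the inside hosts are talking to (spots a game query port)."""
    return Counter(e.outside_global[1] for e in entries if e.outside_global[1] is not None)


def entries_for_static_mapping(entries, inside_ip, port):
    """Child entries created through a static port forward such as
    'ip nat inside source static tcp <ip> 80 interface ... 80'."""
    return sum(1 for e in entries
               if e.inside_local == (inside_ip, port) and is_dynamic(e))


def summarize(text, web_server_ip="192.168.1.5", web_port=80):
    entries = parse_translations(text)
    return {
        "total": len(entries),
        "per_host": dict(entries_per_inside_host(entries)),
        "peers_per_host": distinct_peers_per_inside_host(entries),
        "ports": dict(outside_port_histogram(entries)),
        "web_server_entries": entries_for_static_mapping(entries, web_server_ip, web_port),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Run it against a pasted copy of the real table (with the inside-global column replaced if you like, as the reply suggests) and compare "web_server_entries" with "per_host": if most entries belong to the gaming host and the port histogram is dominated by one UDP port, the growth is the server-list query itself rather than the port forward.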

I have the Cisco debugging to console, which I had with cable also. It's pretty easy to reproduce. It happens during a game, for example when it queries for a list of servers. It seems to be creating a NAT rule for each.

I'm not familiar with gaming, or the queries for lists of servers. Is the list that is built not a list of servers that your application has successfully connected to?

A NAT translation will be built for every server you connect to.

If the number of translations in the table is an issue (as opposed to the rate of new translations), perhaps you should timeout old translations earlier with the following command:

ip nat translation tcp-timeout

As far as the debug goes, it does impose a load on the device, and I hope you don't keep debugging enabled all the time.

I had another test to try since my switch from dynamic to static IPs. I tried a Wii and it wouldn't stay connected. I'm not sure why browser-based requests and pings work well. I switched to using a Belkin router and it works great. The Wii then worked perfectly and so did all other applications.

That doesn't move us closer to resolving the issue though.

I was hoping you would have responded with the info asked for (sh ip nat translations) so we could determine whether your gaming was tunneled through port 80; whether you were using HTTP inspection (not shown in your partial config), and if so, how it was being used.

Likewise, how many of the translations were attributable to the internal web server, given that you have not indicated whether that port forwarding is also configured on the Belkin router.
