A question on NAT timeout options

Unanswered Question
Aug 5th, 2008

Hi,


How does the routemap-entry-timeout option of the ip nat translation command work?


Can it be used with ESP translations?


show ip nat translations verbose shows:

Pro Inside global Inside local Outside local Outside global
--------------------------------------------------
esp 185.0.1.5:0 10.1.1.2:12C 197.20.20.1:0 197.20.20.1:0
create 00:00:05, use 00:00:01 timeout:300000, left 00:04:58, Map-Id(In): 1,
flags:
extended, use_count: 0, entry-id: 14, lc_entries: 0, Entry type : 0


From the above output it appears that by default it is 5 minutes (for ESP).


Could these timeout values be adjusted manually?


Thanks.

rsgamage1 Fri, 08/08/2008 - 05:29

So here are the translations related to two unidirectional (inbound/outbound) IPSec tunnels.


Pro Inside global Inside local Outside local Outside global
---------------------------------------------------------------
esp 185.0.1.5:0 10.1.1.2:0 197.20.20.1:0 197.20.20.1:12D
create 00:47:48, use 00:20:20 timeout:0, timing-out,
flags:
extended, esp-notimeout, use_count: 1, entry-id: 49, lc_entries: 0
esp 185.0.1.5:0 10.1.1.2:12C 197.20.20.1:0 197.20.20.1:0
create 00:48:26, use 00:02:35 timeout:300000, left 00:02:24, Map-Id(In): 2,
flags:
extended, use_count: 0, entry-id: 48, lc_entries: 0



I'm using ip nat translation routemap-entry-timeout never with dynamic NAT and a route-map.


timeout:0 corresponds to the never option used in translation. However, this applies only to a routemap created half entry.

The timeout value of the inbound tunnel is unchanged at 5 minutes (= 300000 ms).


So, for ESP traffic, changing the NAT translation timeout has no considerable effect, and this seems to be dominated by the inbound translation timeout, which is 5 minutes.
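
Added example (not part of the original posts, and not Cisco code): a small Python parser for the show ip nat translations verbose output quoted above, which reports each entry's idle timeout so that entries left at the 300000 ms default can be told apart from those set to never. It follows the post's reading that timeout:0 corresponds to never; the protocol tokens accepted by ENTRY and all function names are assumptions of this example.

```python
import re

# Output copied from the second post above, with the blank lines removed.
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
esp 185.0.1.5:0 10.1.1.2:0 197.20.20.1:0 197.20.20.1:12D
create 00:47:48, use 00:20:20 timeout:0, timing-out,
flags:
extended, esp-notimeout, use_count: 1, entry-id: 49, lc_entries: 0
esp 185.0.1.5:0 10.1.1.2:12C 197.20.20.1:0 197.20.20.1:0
create 00:48:26, use 00:02:35 timeout:300000, left 00:02:24, Map-Id(In): 2,
flags:
extended, use_count: 0, entry-id: 48, lc_entries: 0
"""

# An entry starts with a protocol token followed by the four address columns.
ENTRY = re.compile(r"^(esp|tcp|udp|icmp|gre|---)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
COLUMNS = ("pro", "inside_global", "inside_local", "outside_local", "outside_global")
FLAG = re.compile(r"^[a-z][a-z_-]*$")  # bare words, not "key: value" pairs
FIELDS = (("timeout_ms", r"timeout:(\d+)", int),
          ("left", r"left (\d\d:\d\d:\d\d)", str),
          ("entry_id", r"entry-id: (\d+)", int))

def parse_verbose(text):
    """Return one dict per translation entry found in the verbose output."""
    entries, cur, in_flags = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        head = ENTRY.match(line)
        if head:  # new entry: the lines that follow describe it
            cur = dict(zip(COLUMNS, head.groups()), timeout_ms=None, left=None,
                       entry_id=None, flags=[])
            entries.append(cur)
            in_flags = False
        elif cur is not None and line:
            if line.startswith("flags:"):
                in_flags, line = True, line[len("flags:"):].strip()
            if in_flags:  # only words after "flags:" count as flags
                cur["flags"] += [w for w in re.split(r",\s*", line) if FLAG.match(w)]
            for key, pattern, convert in FIELDS:
                found = re.search(pattern, line)
                if found:
                    cur[key] = convert(found.group(1))
    return entries

def idle_timeout(entry):
    """Seconds until an idle entry expires, 'never' for timeout:0, else None."""
    ms = entry["timeout_ms"]
    if ms is None:
        return None
    return "never" if ms == 0 else ms // 1000

def summarize(text):
    """One (entry-id, idle timeout, flags) tuple per entry."""
    return [(e["entry_id"], idle_timeout(e), e["flags"]) for e in parse_verbose(text)]
```

Calling summarize(SAMPLE) returns one tuple per translation; lines before the first entry (column header, dashed separator) are skipped.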
