A question on NAT timeout options

rsgamage1 · ‎08-05-2008

Hi,

How does routemap-entry-timeout option of ip nat translation command work?

Can it be used with ESP translations?

show ip nat translations verbose shows,

Pro Inside global Inside local Outside local Outside global

--------------------------------------------------

esp 185.0.1.5:0 10.1.1.2:12C 197.20.20.1:0 197.20.20.1:0

create 00:00:05, use 00:00:01 timeout:300000, left 00:04:58, Map-Id(In): 1,

flags:

extended, use_count: 0, entry-id: 14, lc_entries: 0, Entry type : 0

From the above output it appears that by default it is 5 minutes(for ESP).

Could these timeout values be adjusted manually?

Thanks.

rsgamage1 · ‎08-08-2008

So here are the translations related to two unidirectional(inbound/outbound) IPSec tunnels.

Pro Inside global Inside local Outside local Outside global

---------------------------------------------------------------

esp 185.0.1.5:0 10.1.1.2:0 197.20.20.1:0 197.20.20.1:12D

create 00:47:48, use 00:20:20 timeout:0, timing-out,

flags:

extended, esp-notimeout, use_count: 1, entry-id: 49, lc_entries: 0

esp 185.0.1.5:0 10.1.1.2:12C 197.20.20.1:0 197.20.20.1:0

create 00:48:26, use 00:02:35 timeout:300000, left 00:02:24, Map-Id(In): 2,

flags:

extended, use_count: 0, entry-id: 48, lc_entries: 0

I'm using ip nat translation routemap-entry-timeout never with dynamic NAT and a route-map

timeout:0 corresponds to the never option used in translation. However this applies only to a routemap created half entry.

Timeout value of the inbound tunnel is unchanged at 5 minutes(=300000ms).

So, for ESP traffic changing NAT translation timeout has no considerable effect and this seems to be dominated by the inbound translation timeout which is 5 minutes.

rsgamage1 · ‎08-08-2008

show ip nat translations verbose