Help on NAT/PAT setups

Feb 27th, 2006
I need some assistance on setting up NAT & PAT on a remote campus router. What we want is to have a pool available to devices for NATting to outside IP addresses, and when that pool is exhausted to have the rest of the devices use PAT to get out. I do know that we do something similar on the main campus on the PIX 525 firewall, but I am not sure whether the same process works on the routers too. Hardware is 3845, running c3845-adventerprisek9-mz.123-11.T7.bin, and the config is something like this :

ip nat pool internet netmask

ip nat pool internet-pat netmask

ip nat inside source list 101 pool internet


access-list 101 deny ip

access-list 101 deny ip

access-list 101 permit ip any

access-list 101 permit ip any

where is the public address range and is the internal DHCP assigned by the 6507 core switch. I tried adding the line:

ip nat inside source list 101 pool internet-PAT overload

but that gives me an error saying that "dynamic mapping in use, cannot change".

The equipment was set up by an outside vendor and I am trying to make sense of what they did so any assistance would be greatly appreciated.

arvindchari Mon, 02/27/2006 - 07:19

The message means that your NAT table is populated currently.

Try the following

clear ip nat translation *

config terminal

no ip nat pool current pool name

ip nat pool new pool

shivaji Mon, 02/27/2006 - 09:50
Thanks for the response, and I think that I can do that. My question really is this:

On a 3845 router, is it possible to have two pools in use for translations, one for NAT and one for PAT, so that when the NAT pool is exhausted, we could have all other devices use the "overload" statement to use PAT ?

I know that we do this on our PIX 525 on the main campus using :

global (outside) 8 netmask

global (outside) 8

which does NAT for the first 20 devices addresses from the range to and everything else gets a PAT to

Sorry for the confusion, I am learning this stuff as I go along. We had an outside vendor set up the network and find that things are not working the way we want.


arvindchari Mon, 02/27/2006 - 10:13

AFAIK you can definitely have two separate pools for translations, you just have to give the pools unique names.

You will have to first determine what exactly is the objective. The first 20 IPs you talk about, are they performing some function that is in some way different from the ones that will be PAT'ed, or will the IPs be given on a first come first served basis ?

If the case is such that the 20 IPs are to be performing some specific function, then make a static pool with one to one maps for each internal and external IP to avoid any confusion.

Then define another separate pool for the ones that will be PAT'ed and you should be on your way :)

shivaji Mon, 02/27/2006 - 12:15

Thanks for the response Arvind.

Here is the deal. We could get away with just PAT, but some of the load balanced servers running software we connect to actually use the incoming IP address (not the IP address:port) to determine which server gets to service the requests. As a result, if a whole bunch of PAT users hit the server farm at the same time, it sends them all to the same server, which at some point stops responding due to an overload situation. The solution we came up with that works on the main campus was to use the PIX firewall to give the first 20 users different NAT addresses and then PAT the rest, so that each VLAN would have at least 21 different outside IP addresses and so would not all hit the same server. On my remote campus, however, I do not have a PIX to do this and was trying (unsuccessfully) to get the same result with NAT & PAT pools on the 3845.

I understand that if this does not work, or is not possible, I can definitely assign static NATs from a pool and PAT the rest.
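The "static one-to-one maps for the first 20 hosts, PAT for the rest" approach suggested above, written out as an added example for a 3845 running IOS; this is not configuration from the thread or from the vendor. All addresses are placeholders (10.10.10.0/24 as the inside VLAN, 203.0.113.0/24 from the RFC 5737 documentation block as the public range), and the interface names are assumed.

```cisco
! Added example (not from the thread): static NAT for 20 hosts, PAT for the rest.
! Placeholders: 10.10.10.0/24 = inside VLAN, 203.0.113.0/24 = public range.
!
! 1. A dynamic mapping cannot be changed while translations reference it
!    ("dynamic mapping in use, cannot change"), so flush the table first.
clear ip nat translation *
!
configure terminal
! 2. Remove the existing dynamic mapping and the pool it used.
no ip nat inside source list 101 pool internet
no ip nat pool internet
!
! 3. Static one-to-one translations. Static entries take precedence over
!    dynamic ones, so each of these hosts always presents its own public
!    address and the load balancer sees 20 distinct sources.
ip nat inside source static 10.10.10.11 203.0.113.11
ip nat inside source static 10.10.10.12 203.0.113.12
ip nat inside source static 10.10.10.13 203.0.113.13
! (continue the same pattern through 10.10.10.30 -> 203.0.113.30)
!
! 4. Single-address PAT pool for every other inside host.
ip nat pool internet-pat 203.0.113.31 203.0.113.31 netmask 255.255.255.0
!
! 5. ACL 101 selects the traffic to translate. A deny line excludes traffic
!    that must stay untranslated (here: anything bound for other private
!    10/8 networks, e.g. the main campus); the permit covers the rest.
access-list 101 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
ip nat inside source list 101 pool internet-pat overload
!
! 6. NAT only runs once inside/outside roles are set on the interfaces
!    (interface names are assumptions).
interface GigabitEthernet0/0
 description Inside VLAN toward the 6507 core
 ip nat inside
interface GigabitEthernet0/1
 description Outside toward the ISP
 ip nat outside
end
!
! 7. Verify: the 20 static entries appear immediately; PAT entries appear
!    per flow as other hosts send traffic.
show ip nat translations
show ip nat statistics
```

Keep the deny lines in the NAT ACL only for destinations that should bypass translation; a deny that matches ordinary Internet-bound traffic is one reason packets from the subnet would never show up in the translation table.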

arvindchari Mon, 02/27/2006 - 12:45

Hi Shivaji

Thank you for clarifying the NLB issue with respect to the reason for using NAT.

I'm trying to understand the access list you have specified

access-list 101 deny ip

access-list 101 deny ip

access-list 101 permit ip any

access-list 101 permit ip any

If you are using this access list to match traffic for the NAT, why would the first two statements be required ?

Also, since you are running this configuration currently, have you tried figuring out why it is not working? What happens when a packet from the designated subnet hits the router. How is it processed? Do entries figure in the NAT table ?

Here is a link that might help

shivaji Mon, 02/27/2006 - 15:09
I will go through the documentation and see if I can make any sense out of it. Regarding your questions about the ACLs, they were set up by the vendor who installed the equipment and I am trying to understand why he did what he did, as things are not working the way we want at the site.

I know networking in general, but do not have any knowledge of CISCO equipment other than basic setups, so I appreciate your help.

arvindchari Mon, 02/27/2006 - 22:24

Basically, the access list 101 in your case is used to match the traffic which is intended to be natted. So the deny statements before the permit statements really puzzle me.

Good luck with your problem and do post back if it was solved!
