Help on NAT/PAT setups

Feb 27th, 2006

Hi,


I need some assistance on setting up NAT & PAT on a remote campus router. What we want is to have a pool available to devices for NATting to outside IP addresses, and when that pool is exhausted to have the rest of the devices use PAT to get out. I do know that we do something similar on the main campus on the PIX 525 firewall, but I am not sure whether the same process works on the routers too. Hardware is 3845, running c3845-adventerprisek9-mz.123-11.T7.bin, and the config is something like this :


ip nat pool internet 124.106.244.90 124.106.244.242 netmask 255.255.255.0

ip nat pool internet-pat 124.106.244.80 124.106.244.90 netmask 255.255.255.0

ip nat inside source list 101 pool internet

...

access-list 101 deny ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255

access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 101 permit ip 172.16.0.0 0.0.255.255 any

access-list 101 permit ip 10.10.10.0 0.0.0.255 any



where 124.106.244.xxx is the public address range and 172.16.xxx.xxx is the internal DHCP assigned by the 6507 core switch. I tried adding the line:


ip nat inside source list 101 pool internet-PAT overload


but that gives me an error saying that "dynamic mapping in use, cannot change".

The equipment was set up by an outside vendor and I am trying to make sense of what they did so any assistance would be greatly appreciated.

arvindchari Mon, 02/27/2006 - 07:19

The message means that your NAT table is populated currently.


Try the following


clear ip nat translation *

config terminal

no ip nat pool current pool name


ip nat pool new pool




shivaji Mon, 02/27/2006 - 09:50

Arvind,


Thanks for the response, and I think that I can do that. My question really is this:


On a 3845 router, is it possible to have two pools in use for translations, one for NAT and one for PAT, so that when the NAT pool is exhausted, we could have all other devices use the "overload" statement to use PAT ?


I know that we do this on our PIX 525 on the main campus using :


global (outside) 8 xxx.xxx.241.21-xxx.xxx.241.39 netmask 255.255.255.0

global (outside) 8 xxx.xxx.241.40


which does NAT for the first 20 devices addresses from the range xxx.xxx.241.21 to xxx.xxx.241.39 and everything else gets a PAT to xxx.xxx.241.40.


Sorry for the confusion, I am learning this stuff as I go along. We had an outside vendor set up the network and find that things are not working the way we want.


Shivaji

arvindchari Mon, 02/27/2006 - 10:13

AFAIK you can definitely have two separate pools for translations, you just have to give the pools unique names.


You will have to first determine what exactly is the objective. The first 20 IPs you talk about: are they performing some function that is in some way different from the ones that will be PAT'ed, or will the IPs be given on a first come, first served basis?


If the case is such that the 20 IPs are to be performing some specific function, then make a static pool with one to one maps for each internal and external IP to avoid any confusion.


Then define another separate pool for the ones that will be PAT'ed and you should be on your way :)



shivaji Mon, 02/27/2006 - 12:15

Thanks for the response Arvind.


Here is the deal. We could get away with just PAT, but some of the load balanced servers running software we connect to actually use the incoming IP address (not the IP Address:port) to determine which server gets to service the requests. As a result, if a whole bunch of PAT users hit the server farm at the same time, it sends them all to the same server, which at some point stops responding due to an overload situation. The solution we came up with that works on the main campus was to use the PIX firewall to give the first 20 users different NAT addresses and then PAT the rest, so that each VLAN would have at least 21 different outside IP addresses and so would not all hit on the same server. On my remote campus, however, I do not have a PIX to do this and was trying (unsuccessfully) to get the same result with NAT & PAT pools on the 3845.


I understand that if this does not work, or is not possible, I can definitely assign static NATs from a pool and PAT the rest.

arvindchari Mon, 02/27/2006 - 12:45

Hi Shivaji


Thank you for clarifying the NLB issue with respect to the reason for using NAT.


I'm trying to understand the access list you have specified


access-list 101 deny ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255

access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 101 permit ip 172.16.0.0 0.0.255.255 any

access-list 101 permit ip 10.10.10.0 0.0.0.255 any


If you are using this access list to match traffic for the NAT, why would the first two statements be required?


Also, since you are running this configuration currently, have you tried figuring out why it is not working? What happens when a packet from the designated subnet hits the router. How is it processed? Do entries figure in the NAT table ?


Here is a link that might help


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml




shivaji Mon, 02/27/2006 - 15:09

Arvind,


I will go through the documentation and see if I can make any sense out of it. Regarding your questions about the ACLs, they were set up by the vendor who installed the equipment and I am trying to understand why he did what he did, as things are not working the way we want at the site.


I know networking in general, but do not have any knowledge of CISCO equipment other than basic setups, so I appreciate your help.

arvindchari Mon, 02/27/2006 - 22:24

Basically, the access list 101 in your case is used to match the traffic which is intended to be natted. So the deny statements before the permit statements really puzzle me.


Good luck with your problem and do post back if it was solved!
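As an added illustration (not from any poster in this thread), a Python model of two things discussed above: how a NAT access-list's deny lines are evaluated with IOS wildcard, first-match semantics, and the "NAT pool first, PAT overload once it is exhausted" behaviour Shivaji describes on the PIX. The ACL is copied from the thread; the pool and server addresses are constructed TEST-NET values, and the class name is an assumption for this example.

```python
import ipaddress

# Constructed copy of the thread's access-list 101: (action, src, src-wildcard, dst, dst-wildcard).
ACL_101 = [
    ("deny",   "172.16.0.0", "0.0.255.255", "192.168.100.0", "0.0.0.255"),
    ("deny",   "10.10.10.0", "0.0.0.255",   "192.168.100.0", "0.0.0.255"),
    ("permit", "172.16.0.0", "0.0.255.255", "any",           "0.0.0.0"),
    ("permit", "10.10.10.0", "0.0.0.255",   "any",           "0.0.0.0"),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if base == "any":
        return True
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def nat_should_translate(src, dst, acl=ACL_101):
    """First match wins, implicit deny at the end. In a NAT ACL 'permit' means
    translate and 'deny' means forward untranslated, so the two deny lines
    exempt traffic to 192.168.100.0/24 (an internal or tunnelled subnet) from NAT."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

class NatWithPatFallback:
    """Model (hypothetical, constructed for this example) of the PIX-style
    behaviour the thread wants: hand out distinct addresses from a range until
    it is exhausted, then PAT every later host onto one overload address."""
    def __init__(self, first, last, overload):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.overload = overload
        self.table = {}        # inside address -> outside address

    def translate(self, inside, dst):
        if not nat_should_translate(inside, dst):
            return inside      # ACL deny: packet leaves untranslated
        if inside not in self.table:
            self.table[inside] = self.free.pop(0) if self.free else self.overload
        return self.table[inside]

def outside_addresses_seen(nat, inside_hosts, dst):
    """Distinct source addresses a server at dst sees from these hosts,
    i.e. what an IP-based load balancer has to spread requests over."""
    return sorted({nat.translate(h, dst) for h in inside_hosts})
```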


