Dynamic NAT becomes a PAT. Why?

mchockalingam
Level 1

I have the following NAT statements configured.

I have PAT for all web traffic. Any non-web traffic should use the dynamic NAT pool and then a PAT address if dynamic NAT runs out of addresses.

But, I am seeing multiple connections on one single address on the dynamic NAT pool.

access-list Web_Outbound permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list Web_Outbound permit tcp 10.0.0.0 255.0.0.0 any eq https
nat (inside) 10 access-list Web_Outbound
nat (inside) 15 10.0.0.0 255.0.0.0
global (outside) 15 x.x.18.1-x.x.19.254
global (outside) 10 x.x.6.252 netmask 255.255.255.255
global (outside) 10 x.x.6.253 netmask 255.255.255.255
global (outside) 15 x.x.6.254
global (outside) 15 x.x.6.251
global (outside) 15 x.x.6.250

So, any non-web traffic (identified by NAT ID 15) should take the dynamic NAT pool of x.x.18.1 to x.x.19.254 first. When it runs out of addresses it should use x.x.6.254 etc.

But I am seeing a single address on the dynamic NAT pool being used by many hosts and I am not seeing the PAT address of x.x.6.254 being used at all.

Isn't the dynamic NAT a one-to-one mapping? Why is it being used as a PAT? Did I miss something in the configuration?

thanks,

Meena

5 Replies

Ivan Martinon
Level 7

Meena, your config is defined in such a way that it will always turn into PAT. A pool for dynamic NAT is defined like this:

global (outside) X -

Since your statements have one IP address per global line, this automatically turns into PAT.

If you look at the very first line of the global commands, you will see

global (outside) 15 x.x.18.1-x.x.19.254

which is a dynamic NAT range.

Could it be a timeout issue on the xlate? When I do show xlate x.x.18.1 detail, I see

NAT from inside:10.23.6.103 to outside:x.x.18.1 flags i
NAT from inside:10.10.63.77 to outside:x.x.18.1 flags i
NAT from inside:10.16.7.235 to outside:x.x.18.1 flags i
NAT from inside:10.27.20.19 to outside:x.x.18.1 flags i
NAT from inside:10.28.0.154 to outside:x.x.18.1 flags i
NAT from inside:10.21.27.246 to outside:x.x.18.1 flags i
NAT from inside:10.41.11.252 to outside:x.x.18.1 flags i
NAT from inside:10.32.35.48 to outside:x.x.18.1 flags i
NAT from inside:10.246.15.246 to outside:x.x.18.1 flags i
NAT from inside:10.20.30.244 to outside:x.x.18.1 flags i
NAT from inside:10.19.1.226 to outside:x.x.18.1 flags i
NAT from inside:10.32.31.114 to outside:x.x.18.1 flags i
NAT from inside:10.16.19.45 to outside:x.x.18.1 flags i

So, it is showing up as a NAT. But why is it keeping the stale entries? Does the dynamic NAT entry not get deleted as soon as the connection closes?

Meena

When using a pool for dynamic NAT instead of a single address, the entry will stay there until the translation itself times out, which is when there is no traffic from that address (and there probably is). The default timeout for a NAT translation is 3 hours. As far as I recall, only PAT-translated connections will be removed from the xlate table when all connections to/from that address are gone. So you should be looking at a "show conn long" instead, to see if there are still sessions idling.

Oh, and I also seriously doubt that you can use an ACL for NAT'ing to different addresses for different types of traffic when you are using a dynamic NAT pool. It's basically the same as doing a static NAT, just dynamically assigned, which means that once something matched your ACL, all traffic from that source will already have a 1-1 translation match, and so your PAT addresses won't be used. You can check if I am correct by using the packet tracer: it will show you which NAT policy is being hit when testing with port 80 and then some other port that should be PAT'ed.

To clear the dynamic NAT statements from the xlate table, you can do a clear conn command.
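To check the symptom from the thread mechanically, the "show xlate ... detail" output can be grouped by global address and each address checked for more than one dynamic (flag i) translation, which a 1:1 pool should never carry, while portmap (flag r) entries are counted separately. The script below is an added example, not code from the thread or from Cisco; its sample is constructed from the thread's output with documentation addresses (203.0.113.x, 192.0.2.x) standing in for x.x.18.x and x.x.6.x, and the PAT line format is assumed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's "show xlate x.x.18.1 detail" output:
# three dynamic xlates sharing one global address (the anomaly), one well-behaved
# 1:1 dynamic xlate, and one assumed-format portmap (PAT) entry with flag 'r'.
SAMPLE_XLATE = """\
5 in use, 13 most used
NAT from inside:10.23.6.103 to outside:203.0.113.1 flags i
NAT from inside:10.10.63.77 to outside:203.0.113.1 flags i
NAT from inside:10.16.7.235 to outside:203.0.113.1 flags i
NAT from inside:10.45.2.9 to outside:203.0.113.2 flags i
TCP PAT from inside:10.5.5.5/40112 to outside:192.0.2.254/1025 flags ri
"""

# Matches both "NAT from ..." and "TCP PAT from .../port ..." entry lines.
XLATE_RE = re.compile(
    r"^(?:(?:TCP|UDP|ICMP)\s+)?(?P<kind>NAT|PAT) from "
    r"(?P<in_if>\w+):(?P<in_ip>[\d.]+)(?:/(?P<in_port>\d+))? to "
    r"(?P<out_if>\w+):(?P<out_ip>[\d.]+)(?:/(?P<out_port>\d+))? flags (?P<flags>\S+)"
)

def parse_xlate(text):
    """Yield one dict per translation line; header/summary lines are skipped."""
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def audit_xlate(text):
    """Group inside hosts by global (outside) address.

    Flag 'r' marks a portmap (PAT) translation; anything else (flag 'i') is a
    dynamic 1:1 translation and should carry exactly one inside host.
    """
    per_global = defaultdict(lambda: {"dynamic_hosts": set(), "portmap_hosts": set()})
    for x in parse_xlate(text):
        bucket = "portmap_hosts" if "r" in x["flags"] else "dynamic_hosts"
        per_global[x["out_ip"]][bucket].add(x["in_ip"])
    return dict(per_global)

def find_shared(text):
    """Global addresses holding more than one dynamic translation at once."""
    return sorted(ip for ip, b in audit_xlate(text).items()
                  if len(b["dynamic_hosts"]) > 1)

if __name__ == "__main__":
    for ip, b in sorted(audit_xlate(SAMPLE_XLATE).items()):
        print(ip, "dynamic:", len(b["dynamic_hosts"]), "portmap:", len(b["portmap_hosts"]))
    print("shared dynamic globals:", find_shared(SAMPLE_XLATE))
```

Run it against a saved copy of "show xlate detail" instead of the sample; any address reported by find_shared is the pattern the thread describes and is worth cross-checking with "show conn long".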
