01-24-2006 03:24 PM - edited 03-05-2019 11:45 AM
We have a new internal network setup, with a few IP addresses assigned by our ISP.
Behind our Cisco 2800, we have a few webservers for which I have designated static NAT rules.
My question is, we also set up one dynamic NAT rule for inside to outside with an address pool using some of the ISP-given IPs. Should we use this dynamic rule, or is there a better way?
Thanks,
Will...
01-24-2006 03:51 PM
Hi Will,
The dynamic pool for your outgoing interface traffic should be fine. However, you need to be careful how you define the dynamic NAT translation. If you have more hosts behind your firewall than addresses in the pool, you will run out of addresses very quickly. Therefore, if that is the case, ensure you specify the 'overload' option when configuring the translation:
ip nat inside source list list1 pool NatPool1 overload
This will ensure that source port numbers are translated as well as source addresses, allowing you to support a larger number of hosts.
Hope that helps - pls rate the post if it does.
Regards,
Paresh.
01-24-2006 04:01 PM
Thanks for your prompt replies!
What about the dynamic NAT translation timeouts? Should this be set to 0, 24 hours, or should I set it longer?
Thanks,
Will.
01-24-2006 04:10 PM
Hi William,
The default timeouts have been carefully chosen and, as you may have seen, they depend on the type of protocol associated with the translation.
Therefore, I would suggest that you just use the defaults. There are plenty of ports available (it is a 16-bit field, after all) so I can't imagine that you will run out of source ports anytime soon.
Hope that helps,
Paresh
01-24-2006 03:54 PM
Hello,
To make sure there are always enough translations for all user requests use NAT overload (i.e. PAT).
Config could look like this:
ip nat pool MyIPs 1.1.1.2 1.1.1.20 netmask 255.255.255.0
ip nat inside source route-map NATmap pool MyIPs overload
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Serial0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
The dynamic rule will be the best choice in case there are more internal hosts than official IPs.
Hope this helps! Please rate all posts.
Regards, Martin
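An added example, not part of the thread and not any poster's own configuration: the 'overload' line from the first reply with the access list and pool it refers to written out, next to the non-overload form it replaces. The contents of list1 and NatPool1, the addresses (203.0.113.0/24 is a documentation range) and the interface names are assumptions.

```cisco
! Constructed example: addresses, interface names and ACL contents are
! placeholders, not values from the thread.
!
! Inside hosts that are eligible for translation. Sources not matched
! here are not translated by the dynamic rule.
ip access-list standard list1
 permit 192.168.1.0 0.0.0.255
!
! ISP-assigned addresses set aside for outbound traffic (five addresses).
ip nat pool NatPool1 203.0.113.10 203.0.113.14 netmask 255.255.255.0
!
! Variant A, no overload: each inside host takes a whole pool address.
! With five addresses, a sixth host gets no translation until an
! existing entry times out.
! ip nat inside source list list1 pool NatPool1
!
! Variant B, overload (PAT): source ports are translated as well, so
! many inside hosts share each pool address.
ip nat inside source list list1 pool NatPool1 overload
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! Checks from exec mode:
!   show ip nat statistics     pool usage: total addresses, allocated, misses
!   show ip nat translations   current entries, with ports under overload
```

Keeping list1 limited to the inside subnets that actually need outbound access means only those sources can consume translations from the pool.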