Cisco Support Community
Community Member

PAT Issues

We have an MPLS network which is having some issues for customers using PAT. The case is: if I have a CE configured with a public IP address or static NAT, they have no problems navigating or doing anything on the Internet. But if I configure PAT they simply cannot open some pages like hotmail, etc. In that case, if I adjust MTU or MSS they can navigate. Is there some solution to avoid this? Or does somebody know why it can be happening? As far as I know the packet size doesn't change with PAT.

Thanks for the help.

4 REPLIES

Re: PAT Issues

Every device in an IP path intercepting TCP needs to advertise the MSS option. Or if this segment size is not used then a segment of any size may be received.

And such packets which upon receipt have DF bit set then you have a problem and you will have be able to browse such packets from content rich websites.

What you can do is:

1) Use this command on your ip nat inside and ip nat outside interfaces:

!
interface x/x
 ip add x.x.x.x x.x.x.x
 ip nat inside
 ip tcp adjust-mss 1452
!
!
interface x/x
 ip add x.x.x.x x.x.x.x
 ip nat outside
 ip tcp adjust-mss 1452
!

This should solve your problem without changing any MTU or MSS on the customer CE.

1) Now two questions: you had a problem before because of the MTU, right? Now what is this NAT/PAT?

2) Where are you doing this NAT and PAT?

Can you explain the data path, e.g.

CE<-->NAT<-->PE<--MPLS-->PE-ASBR<-->Internet.

HTH-Cheers,

Swaroop
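An added illustration (not part of the thread and not Cisco's code) of what an MSS clamp such as `ip tcp adjust-mss 1452` does to a TCP SYN passing through the router: the MSS option is lowered to the limit and the TCP checksum is recomputed. The function names, addresses, ports and the sample SYN are constructed for this example.

```python
import struct

def csum(data):
    """Internet checksum (RFC 1071) over data, padded to 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def tcp_checksum(src, dst, seg):
    """TCP checksum over the IPv4 pseudo-header plus segment (protocol 6)."""
    return csum(src + dst + struct.pack("!BBH", 0, 6, len(seg)) + seg)

def find_mss(seg):
    """Return (offset, value) of the MSS option (kind 2) in a TCP header, or None."""
    hdr_len, i = min((seg[12] >> 4) * 4, len(seg)), 20
    while i + 1 < hdr_len and seg[i] != 0:   # kind 0 = end of option list
        if seg[i] == 1:                      # kind 1 = NOP, a single byte
            i += 1
            continue
        length = seg[i + 1]
        if length < 2 or i + length > hdr_len:
            return None                      # malformed option: stop parsing
        if seg[i] == 2 and length == 4:
            return i, struct.unpack("!H", seg[i + 2:i + 4])[0]
        i += length
    return None

def clamp_mss(src, dst, seg, limit=1452):
    """Lower the MSS of a SYN to `limit`; every other segment passes unchanged."""
    hit = find_mss(seg) if seg[13] & 0x02 else None   # 0x02 = SYN flag
    if hit is None or hit[1] <= limit:
        return seg
    out = bytearray(seg)
    out[hit[0] + 2:hit[0] + 4] = struct.pack("!H", limit)
    out[16:18] = b"\x00\x00"                 # zero the checksum before recomputing
    out[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(out)))
    return bytes(out)

def build_syn(src, dst, mss):
    """Constructed sample: a 24-byte SYN carrying only an MSS option."""
    seg = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0))
    seg += struct.pack("!BBH", 2, 4, mss)
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)
```

A receiver validates the result by running `tcp_checksum` over the segment with its checksum field in place; a correct segment yields 0.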

Community Member

Re: PAT Issues

Hi Swaroop, thanks for your helpful answer. The NAT/PAT is being applied on the customer CE WAN interface, that means:

CE<-->PAT/NAT<-->PE<-->MPLS<-->GW<-->INTER.

Unfortunately, some of my PEs don't support adjust MSS or MTU change (HUAWEI); that's the reason to apply it on every customer.

I asked this question because we realized that after setting a different MTU on the MPLS core, the customers began to work normally except the customers with PAT; in almost all cases it wasn't necessary to change MSS, only on PAT customers. I guess it's necessary to get this command on my PEs if I have no other choice.

Thanks a lot.

Community Member

Re: PAT Issues

Hi Swaroop,

Per my understanding NAT/PAT do not intercept TCP; they just translate IP addresses. Routers would intercept TCP if you enable features such as tcp intercept, in which case they might be able to change the MSS values. Or would the routers do an ALG functionality in this case?

Thanks

Raju Raghavan

Re: PAT Issues

PAT will not work by IP translation. There has to be port translation as well!!

When I said "TCP intercept" I did not mean the TCP intercept command/feature available in Cisco which is used for security purposes to avoid DoS attacks.

You cannot set the MSS size using this feature at all.

When your routers translate ports they have to rewrite the TCP header and maintain state for the translation. Is it possible to copy the options flag received for MSS and translate to the rewritten header?

For more details refer to RFC 793 Section 3.1

:-)

HTH-Cheers,

Swaroop
