Cisco Support Community


release IP from policy based NAT

I have created a pool of IPs to use with policy-based NAT. This creates a 1-to-1 mapping, allowing certain applications to work over the Internet that do not work with PAT.

The problem I am running into is that the IPs don't seem to be getting released back to the pool when they are no longer in use. Once a policy-based NAT translation occurs, the entry remains in the xlate table. If I have 5 IPs in the pool, and 5 computers use them at different times over the day, when a 6th one tries connecting, it cannot until I clear xlate. I have verified that there are no open connections using the IPs anymore.

Is there a timeout I can set to release these back to the pool?

1 REPLY

Re: release IP from policy based NAT

Well, I have found the problem. The NAT translation timeout is never reaching the timeout time, which I currently have set to 00:05. While the firewall is holding this translation for the 5-minute countdown, some random outside sources are pinging our network. Every time these IPs are pinged, the counter refreshes to 00:00. Since this is happening every minute or so, the timeout is never reached, thus the IP is never released to the pool.

This link explains the problem and possible work arounds:

http://www.securitytracker.com/alerts/2003/Oct/1007878.html

Does anyone know when the fix will be released?

I am running the most current version, assuming the one I got from Cisco yesterday is the most current.

I have also tried creating a deny ICMP rule on the outside interface; this blocks the traffic, but at the same time refreshes the NAT timeout.

Dan
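The mechanism Dan describes, as an added simulation that is not part of the original thread and not Cisco code: a toy 1-to-1 NAT pool with an idle timeout, where one policy resets the timer on any packet addressed to a pool IP (the behaviour reported above) and the other resets it only on traffic from the inside host that owns the entry. The pool addresses (203.0.113.x), inside hosts (10.0.0.x), the 5-minute timeout and the once-a-minute ping are all constructed for the model; it does not claim to reproduce the firewall's internals, only the observable outcome (the sixth host is refused an address until the pinging stops or xlate is cleared).

```python
"""Toy model of a NAT translation (xlate) pool with an idle timeout.

Added example, not from the original thread and not vendor code. It reproduces
the failure mode described above: a 1:1 policy NAT pool whose entries should
age out after idle_timeout seconds, but an outside host pinging the pool
addresses every ping_interval seconds keeps resetting the idle timer, so the
entries never expire and a sixth inside host cannot get an address.
All addresses, hosts and timings are constructed for the simulation.
"""
from dataclasses import dataclass


@dataclass
class Xlate:
    inside_host: str
    global_ip: str
    last_activity: int  # simulation time of the last packet that touched the entry


class XlateTable:
    """1:1 pool NAT with idle expiry. refresh_on_unsolicited selects the policy:
    True  = any packet to the global address resets the timer (what the post reports);
    False = only traffic from the inside host behind the entry resets it."""

    def __init__(self, pool, idle_timeout, refresh_on_unsolicited):
        self.free = list(pool)
        self.idle_timeout = idle_timeout
        self.refresh_on_unsolicited = refresh_on_unsolicited
        self.entries = {}  # global_ip -> Xlate

    def _expire(self, now):
        for gip, x in list(self.entries.items()):
            if now - x.last_activity >= self.idle_timeout:
                del self.entries[gip]
                self.free.append(gip)  # address goes back to the pool

    def outbound(self, host, now):
        """Inside host sends a packet; reuse its xlate or allocate a pool address."""
        self._expire(now)
        for x in self.entries.values():
            if x.inside_host == host:
                x.last_activity = now
                return x.global_ip
        if not self.free:
            return None  # pool exhausted
        gip = self.free.pop(0)
        self.entries[gip] = Xlate(host, gip, now)
        return gip

    def inbound(self, global_ip, now):
        """Unsolicited packet (e.g. an ICMP echo) from outside to a pool address."""
        self._expire(now)
        x = self.entries.get(global_ip)
        if x is not None and self.refresh_on_unsolicited:
            x.last_activity = now  # timer reset even though no session exists
        return x is not None


def simulate(refresh_on_unsolicited, idle_timeout=300, ping_interval=60, pool_size=5):
    """Five inside hosts each talk out once, ten minutes apart, then go idle, while an
    outside host pings every pool address every ping_interval seconds. Returns the
    address the sixth host gets (None if the pool is exhausted) and the live entry count."""
    pool = [f"203.0.113.{i}" for i in range(1, pool_size + 1)]  # constructed (TEST-NET-3)
    table = XlateTable(pool, idle_timeout, refresh_on_unsolicited)
    end = pool_size * 600 + 2 * idle_timeout
    # (time, priority, kind, address); priority 0 makes inbound sort before outbound
    events = [(i * 600, 1, "out", f"10.0.0.{i + 1}") for i in range(pool_size)]
    events += [(t, 0, "in", gip) for t in range(0, end + 1, ping_interval) for gip in pool]
    events.append((end, 1, "out", "10.0.0.6"))
    sixth = None
    for t, _, kind, addr in sorted(events):
        if kind == "in":
            table.inbound(addr, t)
        else:
            got = table.outbound(addr, t)
            if addr == "10.0.0.6":
                sixth = got
    return sixth, len(table.entries)


if __name__ == "__main__":
    for policy in (True, False):
        sixth, live = simulate(policy)
        print(f"refresh_on_unsolicited={policy}: sixth host got {sixth}, live xlates={live}")
```

With the refresh-on-any-packet policy the once-a-minute pings keep all five entries alive and the sixth host gets nothing; with the owner-only policy the entries age out five minutes after their last outbound packet and the address is reused. The model also shows why the problem is timing-dependent: under the reported policy, pinging less often than the idle timeout (for example every ten minutes against a five-minute timeout) lets the entries expire normally. A deny ACL that drops the ping but still touches the timer, as Dan observed, behaves like the first policy in this model.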
