Hello,
Does anyone who uses NAT/PAT (nat overload) limit the max number of NAT translations that any one internal IP address can have? We have had issues where people do port scans and utilise a large majority of our NAT pool. We are doing NAT on an ASR 1002 with an ESP5. It can do up to 250,000 NAT translations total and 50,000 new a second.
Now I found out that the ASR in a pool will only use the last available IP to do PAT. The rest of the IP addresses are used for 1-1 NAT.
Here is our NAT config
> ip nat translation tcp-timeout 1800
> ip nat translation udp-timeout 1800
> ip nat translation max-entries 250000
> ip nat pool Level3Pool some-ip-address some-ip-address netmask 255.255.255.248
> ip nat inside source list NAT pool Level3Pool overload
Any idea about:
ip nat settings mode cgn
Thanks
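An added configuration example (not part of the original post) showing how the per-host translation ceiling is expressed on IOS-XE alongside the global limit; the `all-host` and `host` keywords and the 10.0.0.5 address are assumptions here and should be checked with `ip nat translation max-entries ?` on the running release.

```cisco
! Added example, not the poster's configuration. Assumes IOS-XE on an ASR 1000.
! Global ceiling from the original post.
ip nat translation max-entries 250000
! Cap every inside host at 1000 concurrent translations so that one host
! running a port scan cannot consume the shared overload pool.
ip nat translation max-entries all-host 1000
! Optional higher ceiling for one trusted inside host (10.0.0.5 is a constructed
! placeholder address).
ip nat translation max-entries host 10.0.0.5 5000
! Verify the limits and current usage after applying.
! show ip nat statistics
```

Once the per-host cap is hit, new translations for that host are dropped while the rest of the pool stays available, which is the failure mode to watch for in `show ip nat statistics` when legitimate hosts report connection problems.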