Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

NAT Pool configuration to counter PAT exhaustion on WAN interface

Greetings, we have a very busy guest/byod wireless network which has recently started to exceed 1000 clients on a regular basis, up until now it has worked without issue but have had reports that people are frequently unable to connect to the internet at peak times (Lunchtime etc)

Investigations revealed that the WAN router (Cisco 3825) has started exceededing the maximum number of NAT/PAT translations on the external facing interface >65,000 - At one point it was showing as having 72,000 translations.

As such i have decided to create a NAT pool to make use of additonal public address space that we have on our WAN breakout and to load balance PAT across several external IP addresses to counter the problem, however when i look at the NAT translations it still appears that i'm only overloading on the interface IP address and not load balancing ammougst all 5 external addresses in the NAT pool.

WAN Breakout

213.**.**.32 /27

Interface configuration

interface GigabitEthernet0/0
 bandwidth 25000
 ip address 213.**.**.33 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 rate-limit input 25000000 4687500 9375000 conform-action transmit exceed-action drop
 rate-limit output 25000000 4687500 9375000 conform-action transmit exceed-action drop
 duplex full
 speed 100
 media-type rj45

NAT configuration

ip nat pool GUEST_WLAN 213.**.**.33 213.**.**.37 prefix-length 27
!
ip nat inside source list NAT pool GUEST_WLAN overload
!
ip access-list extended NAT
 permit ip 192.168.16.0 0.0.7.255 any
 deny   ip any any

Debugs

#sh ip nat translations | include 213.**.**.33
tcp 213.**.**.33:50630    192.168.16.6:50630    31.13.72.112:443      31.13.72.112:443
tcp 213.**.**.33:7309     192.168.16.6:50633    31.13.64.97:443       31.13.64.97:443
tcp 213.**.**.33:18769    192.168.16.6:51052    17.130.254.15:5223    17.130.254.15:5223
tcp 213.**.**.33:18747    192.168.16.6:51233    173.194.34.152:443    173.194.34.152:443
tcp 213.**.**.33:59589    192.168.16.6:51295    173.252.103.16:443    173.252.103.16:443
tcp 213.**.**.33:33720    192.168.16.6:51470    17.172.233.120:443    17.172.233.120:443
tcp 213.**.**.33:47715    192.168.16.6:51477    67.195.236.72:993     67.195.236.72:993
tcp 213.**.**.33:30787    192.168.16.6:51481    206.191.242.230:443   206.191.242.230:443
tcp 213.**.**.33:32230    192.168.16.6:51484    188.125.68.71:993     188.125.68.71:993

sh ip nat translations | include 213.**.**.34
tcp 213.**.**.52:51466    192.168.21.198:51466  17.149.32.57:443      17.149.32.57:443
tcp 213.**.**.34:52574    192.168.21.198:52574  173.252.103.16:443    173.252.103.16:443
--- 213.**.**.34          192.168.21.198        ---                   ---


sh ip nat translations | include 213.**.**.35
--- 213.**.**.35          192.168.16.223        ---                   ---


sh ip nat translations | include 213.**.**.36
--- 213.**.**.36          192.168.16.195        ---                   ---


sh ip nat translations | include 213.**.**.37
--- 213.**.**.37          192.168.21.214        ---                   ---


Really appreciate if someone could validate if this configuration is correct please? Would i be correct in assuming it wont load balance and will only utilise the pool members when the first one is exhausted?


Regards

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

MarkWould i be correct in

Mark

Would i be correct in assuming it wont load balance and will only utilise the pool members when the first one is exhausted?

Yes, that is the way it works.

If you wanted to actually use all IPs in the pool then you would need to break down the clients IPs ie. you could map some clients to one IP, some to the next etc.

So you would have multiple acls and map each acl to a different public IP in your NAT statements. 

Jon

2 REPLIES
Hall of Fame Super Blue

MarkWould i be correct in

Mark

Would i be correct in assuming it wont load balance and will only utilise the pool members when the first one is exhausted?

Yes, that is the way it works.

If you wanted to actually use all IPs in the pool then you would need to break down the clients IPs ie. you could map some clients to one IP, some to the next etc.

So you would have multiple acls and map each acl to a different public IP in your NAT statements. 

Jon

New Member

Thank you for your reply Jon,

Thank you for your reply Jon, yes wasnt looking to load balance but ensure that if we do exceed the maximum number of translations on the first IP address it will use the next pool member.

 

Appreciate the validation.

 

Regards

837
Views
0
Helpful
2
Replies
CreatePlease to create content