NAT on Cisco router

azev

Golden Member
Jan 27, 2001
I can't seem to find a solid answer for this question: must you have an ACL to configure NAT overloading on a Cisco router? Configuration samples from the Cisco website use an ACL, but there was no mention that an ACL is a must-have. I assume it is a must, because the "ip nat inside source list" command refers to the access-list, but I just want to be sure.

Thanks
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
The ACL is used to describe which range of addresses to NAT.

It's (usually) a "standard" access list (source spec only). Something like "access-list 1 permit 192.168.1.0 0.0.0.255" will allow the entire host range to NAT going out.

You could also do an "access-list 1 permit 192.168.1.0 0.0.0.127" and limit the NAT to the lower half of the address range.

For general commercial operation, Cisco recommends doing a NAT with a global outside range, then a PAT to handle the possibility of exhausting the specified range.

So you could do a dynamic NAT pool (each inside-going-out user gets a different outside address) for addresses 192.168.1.0 - 127, then do a PAT (overload: each inside-going-out user gets the same outside address) on 192.168.1.128 (or whatever other address is not already specified in the first (outside global) range).

This'll provide a range for the "inside-going-out" people, and leave a range of addresses for specific static mappings (i.e. VPN, Web, FTP ... whatever) inbound.

Doing the ACL is no big deal. Most of the tests ask for a NAT of the entire host range (and don't forget the "overload" keyword if PAT is requested).

FWIW

Scott
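The layout Scott describes, written out as a complete IOS configuration. This is an added example and not part of the original post; the interface names, the 192.168.1.0/24 inside range, the 203.0.113.0/27 outside block and the pool name are assumptions chosen for illustration. Two standard ACLs split the inside range: the lower half is matched to a pool of outside global addresses one-to-one, the upper half is overloaded onto the outside interface address, and one global address kept out of the pool is reserved for a static inbound mapping.

```cisco
! Added example, not from the original post. Addresses, interface
! names and the pool name are assumptions chosen for illustration.
!
interface GigabitEthernet0/0
 description LAN side
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description ISP side, 203.0.113.0/27 assumed to be ours
 ip address 203.0.113.2 255.255.255.224
 ip nat outside
!
! ACL 1: lower half of the LAN, translated one-to-one from the pool
access-list 1 permit 192.168.1.0 0.0.0.127
! ACL 2: upper half of the LAN, overloaded onto the outside interface
access-list 2 permit 192.168.1.128 0.0.0.127
!
! Outside global addresses handed out one per inside host.
! .21-.30 are deliberately left out of the pool for static mappings.
ip nat pool DYN-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.224
!
! Dynamic NAT: no "overload", so each host in ACL 1 gets its own address
ip nat inside source list 1 pool DYN-POOL
! PAT: "overload" packs every host in ACL 2 behind the interface address
ip nat inside source list 2 interface GigabitEthernet0/1 overload
!
! Static inbound mapping for a web server, on a global address outside the pool
ip nat inside source static tcp 192.168.1.10 80 203.0.113.21 80
```

A host is translated by whichever rule's ACL permits its source address, so with this config the split between pool and PAT is fixed by the ACLs. A pool without "overload" that runs out of addresses does not hand its hosts over to the PAT rule; new sessions from those hosts are dropped until an existing translation times out and frees an address. Static entries are matched before the dynamic rules, so the web server's fixed mapping holds even though 192.168.1.10 also falls inside ACL 1.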
 

polm

Diamond Member
May 24, 2001
Hey Scott, how would you set up failover between the dynamic NAT pool and the overloaded PAT IP? Meaning, if the dynamic NAT pool has been exhausted, how would an "inside-going-out" IP be translated via PAT as opposed to NAT?
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
It's my understanding that the "failover" is automatic: If there are no more available dynamic addresses to assign, then additional requests are sent through the PAT.

When a dynamic assignment is available, the next request will get it.

FWIW

Scott
 

spidey07

No Lifer
Aug 4, 2000
Scott's on the money yet again.

It's always good practice to use a pool and have an address or two for overload. Depending on the number of outgoing connections you can exhaust your translations using just one overload address. So two or three is good. One overload address can only support about 63000 connections.
 

azev

Golden Member
Jan 27, 2001
Originally posted by: spidey07
Scott's on the money yet again.

It's always good practice to use a pool and have an address or two for overload. Depending on the number of outgoing connections you can exhaust your translations using just one overload address. So two or three is good. One overload address can only support about 63000 connections.


Wow, 63000 connections per overload address, that is more than what a small office with 50 computers can generate :)

Does that number apply to most of the consumer NAT routers out there such as Linksys, D-Link, Netgear?
 

spidey07

No Lifer
Aug 4, 2000
The TCP/UDP port field is only 2 bytes long, meaning only 65535 ports.

The first 1024 ports are reserved, as well as some others, so as an estimate you can only have around 63000 TCP ports. With a large number of internal hosts you can exhaust that number with the default translation timeout of 4 hours (I believe). So with a few thousand or more internal hosts it happens.

So the limitation applies to any PAT device.
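Since the port budget of an overloaded address is what runs out, the practical lever on an IOS router is how long an idle translation keeps its port. The snippet below is an added example, not from spidey07's post; the timeout values are illustrative assumptions, not IOS defaults, and should only be lowered as far as the applications behind the router tolerate, because a translation that ages out mid-session breaks that session. The exec commands listed at the end are how to watch the table fill up.

```cisco
! Added example, not from the original post. Values are illustrative
! assumptions, not IOS defaults.
!
! Idle TCP translations release their port after one hour
ip nat translation tcp-timeout 3600
! UDP flows are usually short-lived; release their ports after two minutes
ip nat translation udp-timeout 120
! Release the port quickly once a TCP session has closed (FIN/RST seen)
ip nat translation finrst-timeout 30
! Cap the translation table so exhaustion is an explicit limit
ip nat translation max-entries 60000
!
! Checks, run from privileged exec mode, not configuration mode:
! show ip nat statistics     -> active translations, hits, misses, pool usage
! show ip nat translations   -> every inside:port to global:port pair in use
! clear ip nat translation * -> flush the table (drops live sessions)
```

A rising "misses" count in show ip nat statistics alongside a translation count that sits near the cap is the signature of port exhaustion on the overload address; adding a second overload address, as the thread suggests, or shortening the timeouts are the two ways to relieve it.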