Dynamic NAT (non PAT) pool size vs source size

I did a quick search here and on google but couldn't find an answer to this quick question on dynamic NAT (no overload): can the pool size be smaller than the allowed number of inside sources?

Here's an example:

ip nat pool natpool 170.168.2.100 170.168.2.150 netmask 255.255.255.0
ip nat inside source list 1 pool natpool
access-list 1 permit 10.0.0.0 0.0.0.255

My 3640 allows me to do the above commands and apply NAT to the inside and outside interfaces. But what would happen if the number of simultaneous users exceeds the pool size? Do the "extra" sources get dropped or are they queued?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Plazma

I believe simply once the NAT pool is all depleted, no additional clients will be given a NAT address

AlexMR

I am sure Ive read the for dynamic NAT without overload there has to be one external registered address for every private address(one to one mapping).

Your question and the only answer so far motivated a new practice for me...I am going to try one configuration with 3 global addresses and 5 private addresses to be translated just to see if it works.

GT-Rob

One to One mapping is called Static NAT.

In the OP question, you can have as many as you want inside. You can have a million inside, for only 1 outside. The problem is that as soon as that 1 outside is used, no one else will be able to reach out until that 1 is not in use anymore.

dtlokee

Once the pool is depelted any additional clients will not be able to use the addresses until on of the existing entries in the nat table times out or is closed (due to a TCP fin or reset)

Dynamic nat pools are still considered one to one nat because as long as the translation is active it will map one inside local to one inside gloal address.

iworms

EDIT: the default 24-hour timeout is the culprit here. Using "ip nat translations timeout timeout_in_seconds" can change this behavior. See replies below for details.

dtlokee wrote:

Once the pool is depelted any additional clients will not be able to use the addresses until on of the existing entries in the nat table times out or is closed

I tried it on a 3640 and found that dynamic NAT without overload is not as "dynamic" as we think. An assigned inside global address will not return to the pool. Once an inside local address is translated to an address in the pool, the entry is added to the translation table and stays there. Dynamic NAT is dynamic only in the sense that the router does the initial static mapping for you, in a first-come-first-mapped fashion. After that it is same as static NAT until someone clears the translation table.

So if your pool size is 50 and the number of clients is 60, then after dynamic NAT is configured, the first 50 IP addresses to go through NAT are fine and mapped statically, but the 10 late comers will always receive "destination unreachable."

Here is my test:

Setup:

Process (outputs are from debug ip nat):

First, ping 172.16.0.1 from 192.168.1.97. It gets mapped to first address in pool, 172.16.0.3:
*Aug 11 12:09:44.435: NAT*: s=192.168.1.97->172.16.0.3, d=172.16.0.1 [29214]
*Aug 11 12:09:44.455: NAT*: s=172.16.0.1, d=172.16.0.3->192.168.1.97 [29214]

Then, ping 172.16.0.1 from 192.168.1.80. It gets mapped to second (and last) address in pool, 172.16.0.4:
*Aug 11 12:09:56.919: NAT*: s=192.168.1.80->172.16.0.4, d=172.16.0.1 [19150]
*Aug 11 12:09:56.943: NAT*: s=172.16.0.1, d=172.16.0.4->192.168.1.80 [19150]

After on minute, we see timeout/expiration:
*Aug 11 12:10:47.711: NAT: expiring 172.16.0.3 (192.168.1.97) icmp 1024 (1024)
*Aug 11 12:10:59.999: NAT: expiring 172.16.0.4 (192.168.1.80) icmp 512 (512)

But when we ping 172.16.0.1 from 192.168.1.31, it gets destination unreachable, and here's the debug output from router:
*Aug 11 12:11:39.451: NAT: translation failed (A), dropping packet s=192.168.1.31 d=172.16.0.1

But the first two clients can still get translation:
*Aug 11 12:14:46.007: NAT*: s=192.168.1.80->172.16.0.4, d=172.16.0.1 [19288]
*Aug 11 12:14:46.027: NAT*: s=172.16.0.1, d=172.16.0.4->192.168.1.80 [19288]
(Notice that 192.168.1.80 is not translated to the first address in the pool -- it is stuck with the initial translation.)

Here is the static table that the router has created dynamically. At this point there is nothing dynamic anymore.
R3640#sh ip nat trans

Pro Inside global  Inside local  Outside local  Outside global
---  172.16.0.4   192.168.1.80     ---        ---
---  172.16.0.3   192.168.1.97     ---        ---

dtlokee

Did you eventually exceede the number of addresses in the pool and see what happens?

iworms

dtlokee wrote:

Did you eventually exceede the number of addresses in the pool and see what happens?

Yeah, in the example above, the pool has 2 addresses, but there are 3 clients. The last guy simply gets "destination unreachable." Even when the first 2 guys become inactive for minutes, their mappings remain in the translation table.

GT-Rob

Try setting 'ip nat translations timeout X (seconds)'. Maybe the default is zero? set it to 60 and see if it drops the idle connections

EDIT

Default is 24hrs on the timeout. So either wait or tune it to something shorter

iworms

GT-Rob wrote:

Try setting 'ip nat translations timeout X (seconds)'.

GT-Rob wrote:

Default is 24hrs on the timeout. So either wait or tune it to something shorter

That took care of the problem

. If I set ip nat translations timeout 90 then the entry gets cleared from the translation table after 90 seconds. Dynamic NAT is dynamic after all.

As a side note, if I set ip nat translations timeout x where x<60, the entry gets cleared after 60 seconds because the active translation/connection expires in 60 seconds.

dtlokee

Yeah I think I mentoned the timeout. The translations you listed as "timing out" were the individual pinholes not the dynamic address timout.