
When to use nat pool or interface?

phoeneous Member Posts: 2,333
As a best practice for connecting an internal LAN to the internet, what is the recommended way to use NAT given a /29 range of public IPs provided by the ISP? I've seen two different examples:
  • ip nat pool POOL first.ip.in.range last.ip.in.range prefix-length 29
  • ip nat inside source list ACL pool POOL overload
OR
  • ip nat inside source list ACL interface s0/0 overload
I've seen the nat pool statement written with the same ip as the first and the last in the range, for example:
  • ip nat pool POOL 174.133.7.131 174.133.7.131 prefix-length 29
So, between using the source list ACL pool and source list ACL interface commands, which is better if I want all the internal users to be NAT'd to a single public IP because I need to use the other public IPs for static translations?

Comments

  • tomaifauchai Member Posts: 301
    I wonder about the real usefulness of using a NAT pool for NATting. You need many users in your company to really use PAT completely even for a single IP address.

    I'd say it's better to keep the IPs for a better use, like static translations for servers that really need them.
    So for a /29, overload on wan link and static nat for servers!
  • Forsaken_GA Member Posts: 4,024
    I prefer to use a pool, even if I'm only defining a single address in that pool. It does the job both ways, and gives me the flexibility of both options (single address or pool) with the same command, and simplifies administration if I ever need to change from single IP to pool.
  • phoeneous Member Posts: 2,333
    So if you use pool overload in a /29 range, what happens with the 7th user when the 6th public IP has been NAT'd already? Page cannot be displayed?

    I guess I don't see the usefulness or intended purpose of a NAT pool when you have hundreds of users.
  • Forsaken_GA Member Posts: 4,024
    phoeneous wrote: »
    So if you use pool overload in a /29 range, what happens with the 7th user when the 6th public ip has been nat'd already? Page cannot be displayed?

    I guess I don't see the usefulness or intended purpose of nat pool when you have hundreds of users.

    Well, no, if you're overloading like in the OP's original example, the 7th user would just get a different IP in the pool with a different port. It's no different than if you use a single IP; it just gives you multiple IPs to use for the translations.

    You can also use pools as a cheap form of load balancing. I.e., you define one IP as your virtual IP, and then NAT translates that to a pool of 'real' IPs on the other side.

    For a lot of your smaller NAT situations, you're not going to see much use in using a pool vs. using an interface for the translations. Pools just give you a lot more flexibility, and can handle the same job as using an interface. That's why I prefer to set up a pool: if I need that flexibility, I can implement it with minimal change. Network maintenance is often a matter of small degrees. If you want to shape a bush, you're better off pruning it gently instead of taking a scythe to it.
  • phoeneous Member Posts: 2,333
    Well, no, if you're overloading like in the OP's original example, the 7th user would just get a different IP in the pool with a different port. It's no different than if you use a single IP; it just gives you multiple IPs to use for the translations.

    I meant without overloading.
  • Forsaken_GA Member Posts: 4,024
    phoeneous wrote: »
    I meant without overloading.

    Well that depends. If the other entries have timed out of the translation table, it goes through. If they haven't, then the request gets dropped, and you likely get to have a conversation with folks higher on the food chain about why the network is stupidly designed.
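The configuration the thread converges on, written out as an added example (not posted by anyone in the thread): one public address of the /29 overloaded for all users, defined as a one-address pool per Forsaken_GA's preference, the interface variant shown as the alternative, and the remaining addresses kept for static translations. The /29 (203.0.113.128/29, a documentation range), interface names, inside addressing and ACL name are all assumptions.

```cisco
! Added example, not from the thread. Assumed: ISP hands over 203.0.113.128/29
! (usable .129-.134), .129 is the ISP gateway, .130 is this router's WAN address.
interface Serial0/0
 description WAN to ISP
 ip address 203.0.113.130 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 description inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Inside hosts eligible for dynamic translation. The two servers that get
! static translations are denied here so they never match the dynamic rule.
ip access-list standard NAT_INSIDE
 deny   host 192.168.10.10
 deny   host 192.168.10.20
 permit 192.168.10.0 0.0.0.255
!
! Variant A: every user is PAT'd to the single dedicated address .131.
! A one-address pool can later be widened (e.g. to .131-.132) without
! touching the "ip nat inside source" rule.
ip nat pool POOL 203.0.113.131 203.0.113.131 prefix-length 29
ip nat inside source list NAT_INSIDE pool POOL overload
!
! Variant B (instead of A, never both for the same ACL): PAT to the WAN
! interface address .130, so no pool address has to be set aside.
! ip nat inside source list NAT_INSIDE interface Serial0/0 overload
!
! The untouched addresses .132-.134 remain free for one-to-one static NAT.
ip nat inside source static 192.168.10.10 203.0.113.132
ip nat inside source static 192.168.10.20 203.0.113.133
```

Leaving `overload` off the pool statement turns it into plain dynamic NAT, which is the exhaustion case discussed above: with one address in the pool, the second inside host is dropped until the first host's entry ages out of the translation table.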