NAT pool configuration question

Hi all,
I would like to know how I can compute a wildcard mask for these hosts?
10.1.1.5 /24 - 10.1.1.8 /24
I have created a nat pool that translates addresses above to 124.24.34.250/24 - 124.24.34.253/24
R3#show access-list
Extended IP access list traders
    10 permit ip 10.1.1.0 0.0.0.5 any
R3#sh run | s nat
ip nat pool my_traders 124.24.34.250 124.24.34.253 prefix-length 24
ip nat inside source list traders pool my_traders
10.1.1.5 to 10.1.1.7 works, it's only .8 that doesn't, how can I cover it?
thanks all,

Hi Seb,
I was able to resolve it, although I would like to know if I can further aggregate or summarize the ACLs?
R3#sh run | s users
ip nat pool users 124.24.34.249 124.24.34.249 prefix-length 24
ip nat inside source route-map my_users pool users overload
route-map my_users permit 10
 match ip address lan
R3#show access-list lan
Extended IP access list lan
    10 permit ip 10.1.1.16 0.0.0.15 any (2 matches)
    20 permit ip 10.1.1.32 0.0.0.15 any (1 match)
    30 permit ip 10.1.1.64 0.0.0.63 any
    40 permit ip 10.1.1.128 0.0.0.127 any
Also should the prefix length in the NAT statement be equal to the subnet mask of the inside local address?
Thanks,
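Added example (not part of the original thread): a Python sketch that lists the hosts a `base wildcard` ACL entry matches, builds exact entries for a host range such as 10.1.1.5 to 10.1.1.8, and checks whether contiguous entries like those in the `lan` ACL can be merged. It assumes the usual wildcard semantics (a 1 bit means "ignore this bit"); the function names are illustrative, and a discontiguous wildcard can match hosts outside the range you had in mind.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(base, wildcard, max_bits=16):
    """List every address matched by an ACL entry 'base wildcard'."""
    b, w = _to_int(base), _to_int(wildcard)
    if bin(w).count("1") > max_bits:
        raise ValueError("wildcard too wide to enumerate")
    fixed = b & ~w            # bits that must match exactly
    hits, sub = [], w
    while True:               # walk every subset of the don't-care bits
        hits.append(fixed | sub)
        if sub == 0:
            break
        sub = (sub - 1) & w
    return [str(ipaddress.IPv4Address(a)) for a in sorted(hits)]


def range_to_acl_entries(first, last):
    """Smallest set of contiguous (base, wildcard) pairs covering first..last exactly."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


def entry_to_network(base, wildcard):
    """Convert a contiguous wildcard entry to an IPv4Network."""
    b, w = _to_int(base), _to_int(wildcard)
    if w & (w + 1):           # contiguous wildcards look like 0...01...1
        raise ValueError("discontiguous wildcard: %s" % wildcard)
    return ipaddress.IPv4Network((b & ~w, 32 - w.bit_length()))


def aggregate(entries):
    """Merge contiguous entries where two blocks form one larger aligned block."""
    nets = [entry_to_network(b, w) for b, w in entries]
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.collapse_addresses(nets)]


# Entries copied from the 'lan' ACL shown in the thread.
LAN_ACL = [
    ("10.1.1.16", "0.0.0.15"),
    ("10.1.1.32", "0.0.0.15"),
    ("10.1.1.64", "0.0.0.63"),
    ("10.1.1.128", "0.0.0.127"),
]

if __name__ == "__main__":
    print("10.1.1.0 0.0.0.5 matches:", wildcard_matches("10.1.1.0", "0.0.0.5"))
    for base, wc in range_to_acl_entries("10.1.1.5", "10.1.1.8"):
        print("permit ip %s %s any" % (base, wc))
    print("lan ACL after aggregation:", aggregate(LAN_ACL))
```

The four `lan` entries come back unchanged because none of them pairs with an aligned neighbour of the same size, so they cannot be merged without also permitting addresses that are not currently in the list.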

Similar Messages

  • ACE: Significance of mask in nat-pools configured for Source NAT

    Hi guys
    If I am using source nat in ACE (One IP address 10.10.10.200) used for all client address translations.
    What would be the difference between the nat-pools configured with different netmask.
    What is the recommended netmask for pat, 255.255.255.255 or Vlan interface's Mask (/24 in this case)
    and why?
    case1:
    interface vlan 7
    ip address 10.10.10.100 255.255.255.0
    nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
    service-policy input clientvips
    no shutdown
    case2:
    interface vlan 7
    ip address 10.10.10.100 255.255.255.0
    nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
    service-policy input clientvips
    no shutdown
    Thanks in Advance
    A.

    Gilles
    Thanks a lot. It makes more sense now.
    I posted another question for an ACE design validation. Could you please validate this
    I am planning to deploy ACE module in following manner:
    > ACE will be in one arm mode ( Only one vlan connected to the ACE).
    > Vips & Rservers (all serverfarms) will be in the same Vlan X.
    > Default gateway on the ACE & Real servers will be the upstream router
    > There will be Source NAT configured for all Serverfarms.
    ACE --- Vlan X -------Router--- internet
    .................|
    .................|-- Sfarm 1
    .................|
    .................|-- Sfarm 2
    .................|
    .................|-- Sfarm n
    I am pretty sure that it should work.
    Just wanted an expert opinion.
    Thanks

  • NAT Pool question

    I have a question on how NAT pools, or sNAT works with ACE in one-arm mode.
    As I understand it, when the client sends the request to ACE, it changes the destination IP to a rServer and source IP to the sNAT address.  When the rServer responds, it sends traffic back through the ACE via the sNAT.  How exactly does this work?  I can't ping the sNAT address I configured, so how is the sNAT associated with the ACE in any way?  How does traffic make its way back to the ACE when the sNAT doesn't seem to be advertised externally in any way?  And one more quick question, should the sNAT be on the rServer subnet or the ACE subnet?  Just trying to understand so we can make good design decisions.

    Tbone,
    When you use SNAT you generally use a nat-pool address that will bring the traffic back to the ACE interface that the traffic left on. In a typical one-armed mode the Nat-pool would be in the same subnet as the ACE interface and rservers.
    If the servers are local to the ACE you usually point the servers' default gateway to the SVI or FW interface rather than the ACE. If SNAT is not used the client IP enters the ACE destined to the VIP. ACE will change the destination address to the rserver. Since the original client IP will be seen by the server it will reply to the default gateway. If the ACE does not get the server reply it cannot change the SYN ACK back to the VIP address that the client originally sent the connection to. This would result in a connection failure. When you use SNAT with a Nat-pool that is local to the server it will not use its gateway but will reply directly back to the ACE since it owns this IP.
    If the servers are not local to the ACE you would want to configure the nat-pool IPs to be local to the interface vlan the traffic egresses to get to the rserver. This way your routing will bring the server reply back to the ACE.
    Let me know if this helps with your understanding or if you have more questions.
    Best regards
    Jim

  • Use of client nat pools on the CSM

    Hi Guys,
    Just a quick question about the use of NAT POOLS, for which the configuration guide is a little scant on information.
    If a client NAT pool such as this is used (16 addresses):
    natpool POOL1 10.1.5.0 10.1.5.15 netmask 255.255.255.240
    I just want to make sure that port address translation (PAT) will be used by the CSM if the number of sessions exceed the number of IP addresses available in the NAT pool?
    I hope this makes sense!
    thanks
    Sheldon

    The CSM does PAT by default.
    Gilles.

  • ASA single outside IP address to an inbound NAT pool that round robins request to 2 web servers

    How do I create a single outside IP address 1.2.3.4 to an inbound NAT pool that round robins request to 2 web servers?
    I have 2 web server 10.0.0.1 and 10.0.0.2. They have the exact same content.
    I think I start with defining the pool as an object group which contains 2 server 10.0.0.1 and 10.0.0.2
    object-group network appservers
    network-object host 10.0.0.1
    network-object host 10.0.0.2
    What to do next?
    object-group network appservers
    nat (inside,outside) static 1.2.3.4
    gives me an error.

    No, unfortunately you can't configure round robin static inbound NAT for 2 internal web servers.

  • High CPU load on msfc sup720 while using nat pool

    Hello,
    On our 6509-E+switchblades with sup720/pfc3 and CSM module we noticed a considerable cpu load like:
    #show processes cpu sorted
    CPU utilization for five seconds: 85%/81%; one minute: 82%; five minutes: 41%
    After some research I'm able to reproduce it, and basically it's:
    when sending traffic through the VLANs defined on the MSFC with nat inside and nat outside, it's reproducible.
    When unconfiguring NAT the CPU load drops (in lab) to 0%/0%.
    We're using NAT pools just to fix an internal application/service on 1 IP.
    it's configured like:
    ip nat pool DMZ-193 1.1.1.1 1.1.1.1 netmask 255.255.255.224
    ip nat inside source list DMZ-193 pool DMZ-193 overload
    ip access-list extended DMZ-193
    <snip>
    where 1.1.1.1 is the external (example) source IP that it's S-natted to.
    With this "feature" I can't get a higher rate than about 130Mbit/s (MSFC CPU bound).
    Does anyone have an idea why this gets executed in software and not in hardware like the docs say?
    Any idea or workaround is welcome.
    additional note: i reviewed document:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml
    which gave good ideas, but no solution yet.
    Regards,
    Arjan Filius

    Problem solved: there were some empty ACLs, which caused the CPU to be used instead of hardware.
    Regards,

  • Dynamic IP Nat Pool with 3030 -- 3002 Tunnel

    I currently use the 3002 HW Client at several ROBO/SOHO locations in Network Extension mode. This works great. Recently I have the need to establish the same type of connection, but I need to provide a dynamic IP NAT pool for the clients behind the 3002. Is a configuration like this possible using the 3030 & 3002, or will I need some other HW to replace the 3002? If other HW is needed please suggest low end options (i.e. I realize a L2L with another concentrator will work). And I assume the configuration is possible with a 1720(?).
    Thanks in advance,
    John

    Hi,
    If I understand you correctly, you want to NAT the IP addresses behind the VPN3002 to a specific IP address when they go across the IPSec tunnel to the VPN Server, so that the source IP address is different when the packet reaches the VPN Server.
    This is not possible with the VPN3002. You can try using PAT, but this is only for many-to-one translation, and if you have a VOIP solution or a specific reason for using NEM, then PAT will not work for you.
    Regards,
    Arul

  • SAP-JEE, SAP_BUILDT, and SAP_JTECHS and Dev Configuration questions

    Hi experts,
    I am configuring NWDI for our environment and have a few questions that I'm trying to get my arms around.  
    I've read we need to check-in SAP-JEE, SAP_BUILDT, and SAP_JTECHS as required components, but I'm confused on the whole check-in vs. import thing.
    I placed the 3 files in the correct OS directory and checked them in via the check-in tab on CMS.   Next, the files show up in the import queue for the DEV tab.  My questions are what do I do next?
    1.  Do I import them into DEV?  If so, what is this actually doing?  Is it importing into the actual runtime system (i.e. DEV checkbox and parameters as defined in the landscape configurator for this track)? Or is just importing the file into the DEV buildspace of NWDI system?
    2.  Same question goes for the Consolidation tab.    Do I import them in here as well? 
    3.  Do I need to import them into the QA and Prod systems too?  Or do I remove them from the queue?
    Development Configuration questions ***
    4. When I download the development configuration, I can select DEV or CON workspace.  What is the difference?  Does DEV point to the sandbox (or central development) runtime system and CONS point to the configuration runtime system as defined in the landscape configurator?  Or is this the DEV and CON workspace/buildspace of the NWDI system?
    5.  Does the selection here dictate the starting point for the development?  What is an example scenarios when I would choose DEV vs. CON?
    6.  I have heard about the concept of a maintenance track and a development track.  What is the difference and how do they differ from a setup perspective?   When would a Developer pick one over the other?
    Thanks for any advice
    -Dave

    Hi David,
    "Check-In" makes SCA known to CMS, "import" will import the content of the SCAs into CBS/DTR.
    1. Yes. For these three SCAs specifically (they only contain buildarchives, no sources, no deployarchives) the build archives are imported into the dev buildspace on CBS. If the SCAs contain deployarchives and you have a runtime system configured for the dev system then those deployarchives should get deployed onto the runtime system.
    2. Have you seen /people/marion.schlotte/blog/2006/03/30/best-practices-for-nwdi-track-design-for-ongoing-development ? Sooner or later you will want to.
    3. Should be answered indirectly.
    4. Dev/Cons correspond to the Dev/Consolidation system in CMS. For each developed SC you have 2 systems with 2 workspaces in DTR for each (inactive/active)
    5. You should use dev. I would only use cons for corrections if they can't be done in dev and transported. Note that you will get conflicts in DTR if you do parallel changes in dev and cons.
    6. See link in No.2 ?
    Regards,
    Marc

  • Convert to Question Pool random questions?

    We are updating a course we developed last year (prior to
    Captivate 3). This year we want to apply Captivate 3's "Question
    Pool random questions" to this course. Is there a way to create the
    question pool(s) in this existing quiz, and then add last year's
    questions to them without having to re-enter each question into the
    Question Pool Manager?
    Thank you for any tips!

    Hi Jan
    Sure thing. Just convert the version 1 or 2 project to a
    version 3 project. Then define a Question Pool. Once you have done
    that, switch to Storyboard view. Select the question slides you
    wish to add to the pool and right-click. You should be presented
    with an option to add the selected slides to the pool.
    Once you have moved the question slides to a pool, you would
    then insert Random slides that point to the pool.
    Cheers... Rick

  • Thread pool configuration for write-behind cache store operation?

    Hi,
    Does Coherence have a thread pool configuration for the Coherence CacheStore operation?
    Or the CacheStore implementation needs to do that?
    We're using write-behind and want to use multiple threads to speed up the store operation (storeAll()...)
    Thanks in advance for your help.

    user621063 wrote:
    Hi,
    Does Coherence have a thread pool configuration for the Coherence CacheStore operation?
    Or the CacheStore implementation needs to do that?
    We're using write-behind and want to use multiple threads to speed up the store operation (storeAll()...)
    Thanks in advance for your help.

    Hi,
    read/write-through operations are carried out on the worker thread (so if you configured a thread-pool for the service the same thread-pool will be used for the cache-store operation).
    for write-behind/read-ahead operations, there is a single dedicated thread per cache above whatever thread-pool is configured, except for remove operations which are synchronous and still carried out on the worker thread (see above).
    All above is of course per storage node.
    Best regards,
    Robert

  • How to change the connection pool configuration on OC4J?

    Hi everybody,
    I am developing an application with JDeveloper which is running on an OC4J standalone server. We have 2 environments, the development server and the client's server, and the database connection configurations are different.
    The problem is that if we try to deploy the application (we have deployed on the development server) on the client server and try to change the connection pool configuration, the application cannot connect to the database; we need to rebuild the project with the client connection pool configuration.
    We tried to change the configuration in the enterprise manager of the OC4J, on the "JDBC Resources" panel, and the connection test is OK, but when we try to access the application we get an Exception. After that we tried changing the parameters in the datasources.xml file of the application, but the result is the same.
    How can we change the database configuration without rebuilding the project?
    Thanks very much
    Tony

    Meaning you have created just the empty data-sources.xml and not configured any Connection Pool and DataSource in JDev?
    In Oracle AS 10.1.3 you have two ways to do this:
    1. Use JDev and configure the data-sources.xml (Context Menu -> Properties)
    2. In Oracle AS: Select application -> Administration -> Services -> JDBC Resources -> Create Pool and Create DataSource
    --olaf

  • JCo Pool Configuration

    hi all,
    We have a new implementation of ERP2005 with EP7 of NW2004s and we will be primarily using ESS/MSS applications. The total number of users will be around 8000
    can anyone help me with the JCo Pool Configuration. How much should I set the pool size and Maximum Connections
    The default is set as follows
    Maximum Pool Size: 5
    Maximum Connections: 10
    For JCo Application Data we are using SSO and for Meta data we are using a generic service user id with USER ID/Pwd authentication with the needed authorizations at the back end. Is this a good practice?
    Thanks in advance
    regards
    Madhu

    Hello,
    We have the same problem: ERP2005 / EP7 SP9 and ESS/MSS with 8.000 users max, but we think only 500 concurrent users are using the ESS/MSS services.
    If I read your answer, then I think that the application JCO pool can be lower than the Meta-Data pool??
    I had tried to set both (Application and Meta data) to the same value...
    Maybe wrong for 500 users / at most 2 browser sessions open and 1/2 webdynpros per page (ESS)...
    My urgent problem after reading all the manuals about this topic is: is there any difference between the METADATA JCO pool parameter and the Application JCO pool parameter? In some guides the Meta-JCO settings were lower than the application-JCO's...??
    My assumption for app. 500 concurrent user are at the moment the following:
    Maximal Pool Size :  6
    Maximum Connections:  1000
    Connection Timeout (msec.):  90
    Maximum Waiting Time (msec.):  45
    Can somebody please check these values?
    THX
    Mario

  • NAT Pool Allocation

    I was troubleshooting a connectivity issue for a client and he kept asking me to check the 'NAT pool allocation' on the loadbalancer context.  My company uses a ACE module running software version A5(2.2).  I could find no command such as show nat or show allocation.  Running show xlate does not give me a count but a list of all the translation.
    Can someone explain to me what exactly my client is asking for?

    Hi,
    Perhaps this:
    switch/Admin# show np 1 me-stats -vsocm | include NAT
    NAT[static mapped]:                               0             0
    NAT[static real]:                                 0             0
    NAT[xlate alloc fail]:                            0             0
    NAT[xlate real hit]:                              0             0
    NAT[xlate mapped hit]:                            0             0
    NAT[invalid xlate]:                               0             0
    NAT[dump xlate]:                                  0             0
    NAT[xlate release failed]:                        0             0
    NAT Pool Alloc [fail]:                            0             0
    NAT Pool Alloc [addr]:                            0             0
    NAT Pool Alloc [addr/port]:                       0             0
    NAT Pool Free [addr]:                             0             0
    NAT Pool Free [addr/port]:                        0             0
    NAT Pool Free [orphan IP]:                        0             0
    Drop [Need NAT IPv4-6]:                           0             0
    Drop [Need NAT IPv6-4]:                           0             0
    NAT free no xlate [real addr]:                    0             0
    NAT free no xlate [mapped addr]:                  0             0
    NAT Dynamic Xlate GC Reaped:                      0             0
    NAT Implicit PAT Alloc [fail]:                    0             0
    NAT Implicit PAT Alloc:                           0             0
    NAT Implicit PAT Free:                            0             0
    Based on model, np x  can be 1, 2, 3 and 4.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Configuration question on css11506

    Hi
    One of our VIPs, with 4 local servers, currently has https. The http is redirected to https.
    Now, my client has a problem in which a series of directories need to use http, not https. Questions:
         1. Is it possible to configure the VIP to filter the special directories and let them use http, not https, with the rest of the pages and directories redirected to https?
         2. If not, I can make another VIP that uses the same local servers, but is it possible to limit it to only the special directories? And with wildcards? The directories are partially wildcarded, something like http://web.domain/casedir*/casenumber?
         3. If neither option is possible, is there any way I can fix this problem?
    Any comments will be appreciated
    Thanks in advance
    Julie


  • Configuration Question on  local-scheme and high-units

    I run my Tangosol cluster with 12 nodes on 3 machines(each machine with 4 cache server nodes). I have 2 important configuration questions. Appreciate if you can answer them ASAP.
    - My requirement is that I need only 10000 objects to be in cluster so that the resources can be freed upon when other caches are loaded. I configured the <high-units> to be 10000 but I am not sure if this is per node or for the whole cluster. I see that the total number of objects in the cluster goes till 15800 objects even when I configured for the 10K as high-units (there is some free memory on servers in this case). Can you please explain this?
    - Is there an easy way to know the memory stats of the cluster? The memory command on the cluster doesn't seem to be giving me the correct stats. Is there any other utility that I can use?
    I started all the nodes with the same configuration as below. Can you please answer the above questions ASAP?
    <distributed-scheme>
    <scheme-name>TestScheme</scheme-name>
    <service-name>DistributedCache</service-name>
    <backing-map-scheme>
    <local-scheme>
    <high-units>10000</high-units>
    <eviction-policy>LRU</eviction-policy>
    <expiry-delay>1d</expiry-delay>
    <flush-delay>1h</flush-delay>
    </local-scheme>
    </backing-map-scheme>
    </distributed-scheme>
    Thanks
    Ravi

    I run my Tangosol cluster with 12 nodes on 3
    machines(each machine with 4 cache server nodes). I
    have 2 important configuration questions. Appreciate
    if you can answer them ASAP.
    - My requirement is that I need only 10000 objects to
    be in cluster so that the resources can be freed upon
    when other caches are loaded. I configured the
    <high-units> to be 10000 but I am not sure if this is
    per node or for the whole cluster. I see that the
    total number of objects in the cluster goes till
    15800 objects even when I configured for the 10K as
    high-units (there is some free memory on servers in
    this case). Can you please explain this?
    It is per backing map, which is practically per node in case of distributed caches.
    - Is there an easy way to know the memory stats of
    the cluster? The memory command on the cluster
    doesn't seem to be giving me the correct stats. Is
    there any other utility that I can use?
    Yes, you can get this and quite a number of other information via JMX. Please check this wiki page for more information.
    I started all the nodes with the same configuration
    as below. Can you please answer the above questions
    ASAP?
    <distributed-scheme>
    <scheme-name>TestScheme</scheme-name>
    <service-name>DistributedCache</service-name>
    <backing-map-scheme>
    <local-scheme>
    <high-units>10000</high-units>
    <eviction-policy>LRU</eviction-policy>
    <expiry-delay>1d</expiry-delay>
    <flush-delay>1h</flush-delay>
    </local-scheme>
    </backing-map-scheme>
    </distributed-scheme>
    Thanks
    Ravi

    Best regards,
    Robert
