Nat pool in CSM

Hi,
Can we use the same NAT pool for 2 different server farms in CSM? Does it work, or will it create any issue?
(e.g.)
natpool XYZ  10.0.0.63 10.0.0.63 netmask 255.255.255.128
serverfarm ABC
  nat server
  nat client XYZ
  real name Real1
   health probe TCP-3139
   inservice
  real name Real2
   health probe TCP-3139
   inservice
serverfarm QAZ
  nat server
  nat client XYZ
  real name Real1
   health probe HTTP-7779
   inservice
  real name Real2
   health probe HTTP-7779
   inservice

Hi,
Yes, it's perfectly fine to use the same nat pool.
Regards
Daniel

Similar Messages

  • Use of client nat pools on the CSM

    Hi Guys,
    Just a quick question about the use of NAT pools, for which the configuration guide is a little scant on information.
    If a client NAT pool such as this is used (16 addresses):
    natpool POOL1 10.1.5.0 10.1.5.15 netmask 255.255.255.240
    I just want to make sure that port address translation (PAT) will be used by the CSM if the number of sessions exceeds the number of IP addresses available in the NAT pool?
    I hope this makes sense!
    thanks
    Sheldon

    The CSM does PAT by default.
    Gilles.

  • High CPU load on msfc sup720 while using nat pool

    Hello,
    On our 6509-E+switchblades with sup720/pfc3 and CSM module we noticed a considerable cpu load like:
    #show processes cpu sorted
    CPU utilization for five seconds: 85%/81%; one minute: 82%; five minutes: 41%
    After some research I'm able to reproduce it, and basically it's:
    When sending traffic through the VLANs defined on the MSFC with nat inside and nat outside, it's reproducible.
    When unconfiguring NAT the CPU load drops (in lab) to 0%/0%.
    We're using NAT pools just to fix an internal application/service on 1 IP.
    It's configured like:
    ip nat pool DMZ-193 1.1.1.1 1.1.1.1 netmask 255.255.255.224
    ip nat inside source list DMZ-193 pool DMZ-193 overload
    ip access-list extended DMZ-193
    <snip>
    where 1.1.1.1, the external (example) source IP, is where it's S-natted to.
    With this "feature" I can't get a higher rate than about 130Mbit/s (MSFC CPU bound).
    Has anyone an idea why this gets executed in software and not in hardware like what the documentation says?
    Any idea or workaround is welcome.
    Additional note: I reviewed this document:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml
    which gave good ideas, but no solution yet.
    Regards,
    Arjan Filius

    Problem solved: there were some empty ACLs, which caused the CPU to be used instead of hardware.
    Regards,

  • NAT Pool question

    I have a question on how NAT pools, or sNAT works with ACE in one-arm mode.
    As I understand it, when the client sends the request to ACE, it changes the destination IP to a rServer and source IP to the sNAT address.  When the rServer responds, it sends traffic back through the ACE via the sNAT.  How exactly does this work?  I can't ping the sNAT address I configured, so how is the sNAT associated with the ACE in any way?  How does traffic make its way back to the ACE when the sNAT doesn't seem to be advertised externally in any way?  And one more quick question, should the sNAT be on the rServer subnet or the ACE subnet?  Just trying to understand so we can make good design decisions.

    Tbone,
    When you use SNAT you generally use a nat-pool address that will bring the traffic back to the ACE interface that the traffic left on. In a typical one-armed mode the Nat-pool would be in the same subnet as the ACE interface and rservers.
    If the servers are local to the ACE you usually point the servers' default gateway to the SVI or FW interface rather than the ACE. If SNAT is not used the client IP enters the ACE destined to the VIP. ACE will change the destination address to the rserver. Since the original client IP will be seen by the server it will reply to the default gateway. If the ACE does not get the server reply it cannot change the SYN ACK back to the VIP address that the client originally sent the connection to. This would result in a connection failure. When you use SNAT with a Nat-pool that is local to the server it will not use its gateway but will reply directly back to the ACE since it owns this IP.
    If the servers are not local to the ACE you would want to configure the nat-pool IPs to be local to the interface vlan the traffic egresses to get to the rserver. This way your routing will bring the server reply back to the ACE.
    Let me know if this helps with your understanding or if you have more questions.
    Best regards
    Jim

  • ASA single outside IP address to an inbound NAT pool that round robins request to 2 web servers

    How do I create a single outside IP address 1.2.3.4 to an inbound NAT pool that round robins requests to 2 web servers?
    I have 2 web servers, 10.0.0.1 and 10.0.0.2. They have the exact same content.
    I think I start with defining the pool as an object group which contains the 2 servers 10.0.0.1 and 10.0.0.2
    object-group network appservers
    network-object host 10.0.0.1
    network-object host 10.0.0.2
    What to do next?
    object-group network appservers
    nat (inside,outside) static 1.2.3.4
    gives me an error.

    No, unfortunately you can't configure round robin static inbound NAT for 2 internal web servers.

  • ACE: Significance of mask in nat-pools configured for Source NAT

    Hi guys
    If I am using source nat in ACE (One IP address 10.10.10.200) used for all client address translations.
    What would be the difference between the nat-pools configured with different netmask.
    What is the recommended netmask for pat, 255.255.255.255 or Vlan interface's Mask (/24 in this case)
    and why?
    case1:
    interface vlan 7
    ip address 10.10.10.100 255.255.255.0
    nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
    service-policy input clientvips
    no shutdown
    case2:
    interface vlan 7
    ip address 10.10.10.100 255.255.255.0
    nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
    service-policy input clientvips
    no shutdown
    Thanks in Advance
    A.

    Gilles
    Thanks a lot. It makes more sense now.
    I posted another question for an ACE design validation. Could you please validate this
    I am planning to deploy ACE module in following manner:
    > ACE will be in one arm mode ( Only one vlan connected to the ACE).
    > Vips & Rservers (all serverfarms) will be in the same Vlan X.
    > Default gateway on the ACE & Real servers will be the upstream router
    > There will be Source NAT configured for all Serverfarms.
    ACE --- Vlan X -------Router--- internet
    .................|
    .................|-- Sfarm 1
    .................|
    .................|-- Sfarm 2
    .................|
    .................|-- Sfarm n
    I am pretty sure that it should work.
    Just wanted an expert opinion.
    Thanks

  • NAT Pool Allocation

    I was troubleshooting a connectivity issue for a client and he kept asking me to check the 'NAT pool allocation' on the loadbalancer context.  My company uses an ACE module running software version A5(2.2).  I could find no command such as show nat or show allocation.  Running show xlate does not give me a count but a list of all the translations.
    Can someone explain to me what exactly my client is asking for?

    Hi,
    Perhaps this:
    switch/Admin# show np 1 me-stats -vsocm | include NAT
    NAT[static mapped]:                               0             0
    NAT[static real]:                                 0             0
    NAT[xlate alloc fail]:                            0             0
    NAT[xlate real hit]:                              0             0
    NAT[xlate mapped hit]:                            0             0
    NAT[invalid xlate]:                               0             0
    NAT[dump xlate]:                                  0             0
    NAT[xlate release failed]:                        0             0
    NAT Pool Alloc [fail]:                            0             0
    NAT Pool Alloc [addr]:                            0             0
    NAT Pool Alloc [addr/port]:                       0             0
    NAT Pool Free [addr]:                             0             0
    NAT Pool Free [addr/port]:                        0             0
    NAT Pool Free [orphan IP]:                        0             0
    Drop [Need NAT IPv4-6]:                           0             0
    Drop [Need NAT IPv6-4]:                           0             0
    NAT free no xlate [real addr]:                    0             0
    NAT free no xlate [mapped addr]:                  0             0
    NAT Dynamic Xlate GC Reaped:                      0             0
    NAT Implicit PAT Alloc [fail]:                    0             0
    NAT Implicit PAT Alloc:                           0             0
    NAT Implicit PAT Free:                            0             0
    Based on model, np x  can be 1, 2, 3 and 4.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Dynamic IP Nat Pool with 3030 -- 3002 Tunnel

    I currently use the 3002 HW Client at several ROBO/SOHO locations in Network Extension mode. This works great. Recently I have the need to establish the same type of connection, but I need to provide a dynamic IP NAT pool for the clients behind the 3002. Is a configuration like this possible using the 3030 & 3002, or will I need some other HW to replace the 3002? If other HW is needed please suggest low end options (i.e. I realize a L2L with another concentrator will work). And I assume the configuration is possible with a 1720(?).
    Thanks in advance,
    John

    Hi,
    If I understand you correctly, you want to NAT the IP addresses behind the VPN3002 to a specific IP address when they go across the IPSec tunnel to the VPN Server, so that the source IP address is different when the packet reaches the VPN Server.
    This is not possible with the VPN3002 and you can try using PAT but this is only for many to one translation and also if you have a VOIP solution or a specific reason for using NEM, then PAT will not work for you.
    Regards,
    Arul

  • Ip nat pool no-overload prefix 22 (just starting out with the cisco training and wanted to know )

    Above is the command ip nat pool no  overload prefix 22
    Does anyone know what the prefix 22 does and why it is added?  I am also new at learning and currently studying and wanted to know any recommendations for taking the CCNA or CCNP and what online routers (emulators) I can play on to learn commands and prepare for exams.

    Hi,
    It is just describing the prefix length for the network or Subnet Mask in general terms.
    Check this:-
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i3.html#wp6064781280
    Thanks and Regards,
    Vibhor Amrodia

  • Cacti & Allocated IP NAT Pools

    Hey,
    We're using Cacti for some monitoring tools, and I can easily get graphs for the active NAT translations.
    But we would also like to have a view on the allocated IPs for a NAT pool. Is there an OID for this? Or do you have an idea how we can check this?
    OID that i'm using for the active NAT: 1.3.6.1.4.1.9.10.77.1.2.3.0

    Hi Carl
    Do find the different default time out values associated with the translation and also the ways to tweak the same accordingly as per our requirement..
    timeout Specifies that the timeout value applies to dynamic translations except for overload translations. Default is 86,400 seconds (24 hours).
    udp-timeout Specifies that the timeout value applies to the User Datagram Protocol (UDP) port. Default is 300 seconds (5 minutes).
    dns-timeout Specifies that the timeout value applies to connections to the Domain Name System (DNS). Default is 60 seconds.
    tcp-timeout Specifies that the timeout value applies to the TCP port. Default is 86,400 seconds (24 hours).
    finrst-timeout Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. Default is 60 seconds.
    icmp-timeout Specifies the timeout value for Internet Control Message Protocol (ICMP) flows. Default is 60 seconds.
    pptp-timeout Specifies the timeout value for NAT Point-to-Point Tunneling Protocol (PPTP) flows. Default is 86,400 seconds (24 hours).
    syn-timeout Specifies the timeout value for TCP flows immediately after a synchronous transmission (SYN) message that consists of digital signals that are sent with precise clocking. The default is 60 seconds.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d09f0.html
    regds

  • NAT pool configuration question

    Hi all,
    I would like to know how can I compute for a wild card mask for this hosts?
    10.1.1.5 /24 - 10.1.1.8 /24
    I have created a nat pool that translates addresses above to 124.24.34.250/24 - 124.24.34.253/24
    R3#show access-list
    Extended IP access list traders
        10 permit ip 10.1.1.0 0.0.0.5 any
    R3#sh run | s nat
    ip nat pool my_traders 124.24.34.250 124.24.34.253 prefix-length 24
    ip nat inside source list traders pool my_traders
    10.1.1.5 to 10.1.1.7 works, it's only .8 that doesn't, how can I cover it?
    thanks all,

    Hi Seb,
    I was able to resolve, although I would like to know if I can further aggregate or summarize acls?
    R3#sh run | s users
    ip nat pool users 124.24.34.249 124.24.34.249 prefix-length 24
    ip nat inside source route-map my_users pool users overload
    route-map my_users permit 10
     match ip address lan
    R3#show access-list lan
    Extended IP access list lan
        10 permit ip 10.1.1.16 0.0.0.15 any (2 matches)
        20 permit ip 10.1.1.32 0.0.0.15 any (1 match)
        30 permit ip 10.1.1.64 0.0.0.63 any
        40 permit ip 10.1.1.128 0.0.0.127 any
    Also should the prefix length in the NAT statement be equal to the subnet mask of the inside local address?
    Thanks,
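
An added example (not part of the original posts): how an IOS wildcard mask selects hosts, how to derive the entries that cover a host range such as 10.1.1.5 to 10.1.1.8, and whether a list of entries like the `lan` ACL above can be merged. It uses Python's standard `ipaddress` module, the function names are illustrative, and aggregation is limited to contiguous (subnet-style) wildcards.

```python
import ipaddress

def wildcard_matches(base, wildcard, addr):
    """IOS ACL test: bits set in the wildcard are ignored, the rest must equal base."""
    b, w, a = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard, addr))
    return (a | w) == (b | w)

def matched_hosts(base, wildcard, subnet):
    """Every address in `subnet` that the entry `base wildcard` permits."""
    return [str(a) for a in ipaddress.ip_network(subnet)
            if wildcard_matches(base, wildcard, str(a))]

def range_to_acl(first, last):
    """Smallest set of contiguous-wildcard entries covering first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"permit ip {n.network_address} {n.hostmask} any" for n in nets]

def acl_to_network(base, wildcard):
    """Convert a contiguous wildcard (2**k - 1) into a prefix; reject others."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((base, 32 - w.bit_length()))

def aggregate(entries):
    """Merge (base, wildcard) pairs wherever two blocks form one larger block."""
    nets = ipaddress.collapse_addresses(acl_to_network(b, w) for b, w in entries)
    return [f"permit ip {n.network_address} {n.hostmask} any" for n in nets]

# Entries copied from the "lan" access list shown in the thread.
LAN = [("10.1.1.16", "0.0.0.15"), ("10.1.1.32", "0.0.0.15"),
       ("10.1.1.64", "0.0.0.63"), ("10.1.1.128", "0.0.0.127")]

if __name__ == "__main__":
    print("10.1.1.0 0.0.0.5 permits:", matched_hosts("10.1.1.0", "0.0.0.5", "10.1.1.0/24"))
    print("\n".join(range_to_acl("10.1.1.5", "10.1.1.8")))
    print("\n".join(aggregate(LAN)))
```
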

  • Static NAT required but the Outside NAT pool already exhausted

    Hello Guys,
    I got a project where I have to provide NATted addresses to customers for the internal servers and I found out that the outside address range /27 is already in use. We are using 5510 with ver 8.1. We can't use PAT here.
    Is there any other option to accomplish this task? Please help.
    Thanks

    You may want to post some of your configuration for a better idea of what is going on.  Also check to see if you are using a separate IP for the global PAT outbound or if you are using the interface IP.  This may free up an IP Address for the additional IP needed.
    Thanks,
    Kimberly

  • CSM - Client NAT for routable server subnet

    I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?

    Thanks. This is now working.
    I see that the NAT has to be in the client address space as that is where the default gateway for the CSM is. Made the following changes:
    no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0
    natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0
    Noticed that a previous "show mod csm 5 arp" showed:
    10.200.2.100 -->10.200.250.1 0 REAL routed
    10.200.2.101 -->10.200.250.1 0 REAL routed
    10.200.2.102 -->10.200.250.1 0 REAL routed

  • Advantage of NAT IP Pool for PAT

    Hi support community,
    Would there be any benefits from using a small pool of public IPs (outside global addresses) to perform PAT instead of using a single IP address that is normally associated with the outside interface? We have enough public IPs where I could use 3 or 5 for the PAT outside pool, and I was wondering if it would be beneficial or a waste.
    Thank you for any information that you can provide on this.
    Delmiro

    Hi,
    Do you mean using a PAT Pool of a few addresses instead of PAT using the "outside" interface of the ASA?
    I would imagine if you were to use a PAT Pool you would considerably increase the amount of hosts/connections that the ASA could support going from LAN to WAN.
    I would suggest first monitoring the current usage of the interface PAT to determine if there is any need to configure a PAT Pool.
    If you are talking about PAT Pool then you must be using newer software
    You can probably use the
    show nat pool
    Command to determine the usage of the current interface PAT ports.
    Usually the single PAT address is just fine but if you have a large network with a lot of users you might benefit from the change. As I said, you should first see if your current PAT port usage is high.
    If you had reached the PAT port limit then you would be seeing log messages of failed translations.
    - Jouni

  • Help with dynamic NAT and CSM 4.4 and ASA 8.3

    Hello
    I am currently trying to add a dynamic NAT rule into CSM 4.4 for an ASA 8.3 device, but it fails at the deployment with the error message:
    Failed to generate delta config
    The following commands have not been recognized by the Configuration Parser:
    ==========================
    (inside,outside) source dynamic range-192.168.0.0_24 range-100.0.0.1_32 destination static any any
    So let's assume the internal IP range for the users is 192.168.0.0/24 and we received the public IP address 100.0.0.1/32 from our ISP.
    How do I have to do a normal dynamic NAT in CSM 4.4 for this case?
    Traffic comes from inside and has to leave the outside with the changed source IP.
    I would really appreciate a screenshot from CSM 4.4 which shows the correctly filled fields.
    Thanks
    Patrick

    Matty
    Not familiar with SIP so can't say for sure about that in terms of ports but some comments -
    1) you don't show other interfaces but presumably the LAN interface(s) has "ip nat inside" enabled
    2) the PBX subnet is 10.1.1.0/24 yet your static NATs are referring to 10.18.21.2 ?
    3) following on from 2) your PBX_SUBNET acl is wrong, it should be -
    ip access-list extended PBX_SUBNET
    permit ip 10.1.1.0 0.0.0.255 any      <-- note the last octet of the wildcard mask is 255.
    Edit - also assuming that any internal subnets not directly connected to the router have routes set up for them so your router knows how to get to them.
    Jon
