This is the current nat setup I have on one of my PIXs:

    global (outside) 1 xxx.xxx.223.235-64.172.223.236
    global (outside) 1 xxx.xxx.223.237
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Here's the translations:

    PAT Global xxx.xxx.223.237(16882) Local 192.168.2.18(2193)
    PAT Global xxx.xxx.223.237(16914) Local 192.168.2.18(2229)
    PAT Global xxx.xxx.223.237(4739) Local 192.168.2.18(2228)
    PAT Global xxx.xxx.223.237(16915) Local 192.168.2.18(2230)
    Global xxx.xxx.223.236 Local 192.168.2.17
    PAT Global xxx.xxx.223.237(16880) Local 192.168.2.18(2190)
    Global xxx.xxx.223.235 Local 192.168.2.14
    PAT Global xxx.xxx.223.237(16913) Local 192.168.2.18(2227)
    PAT Global xxx.xxx.223.237(16918) Local 192.168.2.18(2233)
    PAT Global xxx.xxx.223.237(16919) Local 192.168.2.18(2234)
    PAT Global xxx.xxx.223.237(16916) Local 192.168.2.18(2231)
    PAT Global xxx.xxx.223.237(16917) Local 192.168.2.18(2232)
    PAT Global xxx.xxx.223.237(16922) Local 192.168.2.18(2237)
    PAT Global xxx.xxx.223.237(16923) Local 192.168.2.18(2238)
    PAT Global xxx.xxx.223.237(16920) Local 192.168.2.18(2235)
    PAT Global xxx.xxx.223.237(16904) Local 192.168.2.18(2218)
    PAT Global xxx.xxx.223.237(16921) Local 192.168.2.18(2236)

You can see that the two nat IPs are being used already and the rest are being NATed. I can only assume the NATs went through first, since PAT would take like 4000+ to fill up, I believe.

On another note, what's up with all those xlates for 192.168.1.18!! (I'll ignore that for now.)

I can't think of a recent nat I have off of a regular router, but I suspect, based upon what people are saying, that perhaps the PIX's nat works correctly, but the router's is kinda backward. Something to set up in a lab, I suppose.

scott

"Marko Milivojevic" wrote in message news:[EMAIL PROTECTED]
> I have been following this thread with great interest, for I had problems with PAT/NAT in IOS recently. It looks to me that many people have the same confusions (hopes) as I had.
>
> I have a case where I have many users on private address space (around 1000 or so) which must be NAT-ed through a pool of 768 "real" addresses. These are all, mostly, heavy users (xDSL customers).
>
> I have foolishly hoped that if I configure a pool with overload, IOS will do 1:1 and when it runs out of addresses, it will do PAT. Well, I was wrong. And that's wrong at a price. Not only is IOS immediately performing PAT, but PAT is *much* more CPU intensive than 1:1 NAT. Also, it is not possible to define multiple address ranges or pools for the same translation (I would greatly appreciate it if someone corrects me here).
>
> So, from my experience with this matter:
>
> * it is not easily possible to do NAT and switch to PAT when addresses run out
> * if you define overload, IOS automatically does PAT, with more CPU usage
>
> One way of getting away from running out of NAT addresses is to lower the translation timeout (the default is, I think, 24h). This timeout defines how long the NAT relationship remains between real and private IP. You can lower this to one hour by doing:
>
>     ip nat translation timeout 3600
>
> In my experience, this proved to be useful in this far-from-1:1 scenario. Further lowering this to some 15 minutes or so could cause more load on the router (guesswork), but hugely decrease your chances of running out of translation addresses.
>
> Kind regards,
> Marko.
>
> This e-mail is from Margmiðlun hf., Suðurlandsbraut 4, Reykjavik. The disclaimer and instructions for recipients of e-mail from Margmiðlun hf. can be found on the web page http://www.mi.is/fyrirvari

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66799&t=66734
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
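As an added illustration (not part of Scott's or Marko's posts), a small Python parser for the PIX show xlate lines Scott pasted above: it counts 1:1 NAT versus PAT xlates per global address and how many xlates each inside host holds, so the pattern he describes (two globals consumed 1:1, everything else PAT through .237, one inside host holding nearly all of them) can be read off directly. The xlate line format is assumed to be exactly the one in his output.

```python
import re
from collections import defaultdict

# Sample PIX "show xlate" output, copied from the post above (globals anonymized there).
SAMPLE_XLATE = """\
PAT Global xxx.xxx.223.237(16882) Local 192.168.2.18(2193)
PAT Global xxx.xxx.223.237(16914) Local 192.168.2.18(2229)
PAT Global xxx.xxx.223.237(4739) Local 192.168.2.18(2228)
PAT Global xxx.xxx.223.237(16915) Local 192.168.2.18(2230)
Global xxx.xxx.223.236 Local 192.168.2.17
PAT Global xxx.xxx.223.237(16880) Local 192.168.2.18(2190)
Global xxx.xxx.223.235 Local 192.168.2.14
PAT Global xxx.xxx.223.237(16913) Local 192.168.2.18(2227)
PAT Global xxx.xxx.223.237(16918) Local 192.168.2.18(2233)
PAT Global xxx.xxx.223.237(16919) Local 192.168.2.18(2234)
PAT Global xxx.xxx.223.237(16916) Local 192.168.2.18(2231)
PAT Global xxx.xxx.223.237(16917) Local 192.168.2.18(2232)
PAT Global xxx.xxx.223.237(16922) Local 192.168.2.18(2237)
PAT Global xxx.xxx.223.237(16923) Local 192.168.2.18(2238)
PAT Global xxx.xxx.223.237(16920) Local 192.168.2.18(2235)
PAT Global xxx.xxx.223.237(16904) Local 192.168.2.18(2218)
PAT Global xxx.xxx.223.237(16921) Local 192.168.2.18(2236)
"""

# One xlate per line: optional "PAT" flag, then global and local addresses, each with an optional (port).
XLATE_RE = re.compile(
    r"^(?P<pat>PAT\s+)?Global\s+(?P<gip>[^\s(]+)(?:\((?P<gport>\d+)\))?"
    r"\s+Local\s+(?P<lip>[^\s(]+)(?:\((?P<lport>\d+)\))?\s*$"
)

def summarize_xlates(text):
    """Return (per_global, per_local): NAT/PAT counts and inside hosts per global, xlates per inside host."""
    per_global = defaultdict(lambda: {"nat": 0, "pat": 0, "locals": set()})
    per_local = defaultdict(int)  # a single host holding most xlates stands out here
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # header, blank or truncated line
        gip, lip = m.group("gip"), m.group("lip")
        per_global[gip]["pat" if m.group("pat") else "nat"] += 1
        per_global[gip]["locals"].add(lip)
        per_local[lip] += 1
    return dict(per_global), dict(per_local)

if __name__ == "__main__":
    globals_, locals_ = summarize_xlates(SAMPLE_XLATE)
    for gip, info in sorted(globals_.items()):
        print(f"{gip}: {info['nat']} NAT, {info['pat']} PAT, hosts={sorted(info['locals'])}")
    print("busiest inside host:", max(locals_, key=locals_.get), "xlates:", max(locals_.values()))
```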