"Peter Walker" wrote in message
news:[EMAIL PROTECTED]...
> This does NOT match my previous experience.  My experience has been that
> IOS seems to use NAT (not overloaded) until all pool addresses are used,
> then start overloading the last one.  I don't know what happens once
> this address gets maxed out.


When doing PAT (NAT overload) there is a theoretical possibility of 65000
connections (i.e. the number of TCP ports); obviously, this would not be
practical because of the number of well-known ports in use.

The NAT engine would add the dimension of TCP source port to the state
table.

So if I am at address 111.111.111.111 and my source port is 9999, the NAT
engine might translate this to public IP 222.222.222.222 with a source port
of 8888.

The next guy out, source address 111.111.111.112 with a source port of 9999
(same app), might be translated as public IP 222.222.222.222 with a source
port of 8881.

Etc.

The destination application doesn't care what the source port is ( in
theory ) although in this particular case, I wonder if the destination host
might have a problem. I suppose a well behaved application would not, but
you never can tell.


>
> The only reason we noticed this was due to the fact that we were running
> port sentry on a number of unix hosts and noticed that periodically random
> machines were being port scanned from outside our net (something that
> should not be able to occur if PAT is being used). We finally tracked it
> down to NAT (single outside IP to single inside IP) entries appearing in
> our NAT translations tables on the router.
>
> The only solution that we (or TAC) could come up with was to reduce the
> NAT pool to a single IP.

>
> Peter Walker
> CISSP, CCN[NID]P, CSS1, CIPPTS, etc
>
>
> --On 09 January 2003 20:15 +0000 Doug S wrote:
>
> > The way PAT works when overloading multiple addresses is to overload the
> > first address in the pool until ALL port numbers are used up.  I can't
> > point you to any publicly available documentation on this, but cut and
> > pasted from Network Academy curriculum:
> >
> > "However, on a Cisco IOS router, NAT will
> >  overload the first address in the pool until
> >  it's maxed out, and then move on to the
> >  second address, and so on."

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60820&t=60663
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
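The translation mechanics discussed in this thread, as an added example that is not part of the original posts or of IOS: a toy NAT/PAT state table in Python. It shows the source port being added to the translation key (two inside hosts both using port 9999 get different outside ports), the pool behaviour quoted from the Network Academy curriculum (fill the first address's ports before moving to the next), and the security point behind Peter Walker's PortSentry observation: a PAT entry only admits inbound packets that match existing state, whereas a 1:1 NAT entry forwards every port of the outside address to the inside host. The sequential port assignment, the tiny port range, the inside/pool addresses (reusing the 111.x and 222.x numbers from the post) and the 198.51.100.10 / 203.0.113.7 remote hosts are all constructed assumptions for the demo.

```python
"""Toy model of a NAT/PAT state table (constructed example, not IOS code).

Assumptions: outside ports are handed out sequentially per pool address
(real routers use other strategies), and inbound PAT lookups require the
full (outside_ip, outside_port, remote_ip, remote_port) tuple to match.
"""
from typing import Dict, List, Optional, Tuple

# Inside view of a flow: (src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, int, str, int]


class NatTable:
    def __init__(self, pool: List[str], port_range: Tuple[int, int] = (1024, 65535)):
        self.pool = list(pool)
        self.lo, self.hi = port_range
        self.ports_per_addr = self.hi - self.lo + 1
        self.next_slot = 0                       # next free (addr, port) slot, in pool order
        self.outbound: Dict[Flow, Tuple[str, int]] = {}
        # Reverse key for return traffic: (outside_ip, outside_port, remote_ip, remote_port)
        self.inbound: Dict[Tuple[str, int, str, int], Flow] = {}
        self.static: Dict[str, str] = {}         # outside_ip -> inside_ip (1:1 NAT, not overloaded)

    def add_static(self, inside_ip: str, outside_ip: str) -> None:
        """Plain NAT entry: every port of outside_ip is forwarded to inside_ip, no state needed."""
        self.static[outside_ip] = inside_ip

    def translate_out(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Return (outside_ip, outside_port) for an inside flow, creating PAT state if it is new."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.outbound:
            return self.outbound[flow]
        if self.next_slot >= len(self.pool) * self.ports_per_addr:
            raise RuntimeError("NAT pool exhausted")
        # Overload the first pool address until its ports are used up, then move on.
        addr = self.pool[self.next_slot // self.ports_per_addr]
        port = self.lo + self.next_slot % self.ports_per_addr
        self.next_slot += 1
        self.outbound[flow] = (addr, port)
        self.inbound[(addr, port, dst_ip, dst_port)] = flow
        return addr, port

    def translate_in(self, remote_ip: str, remote_port: int,
                     outside_ip: str, outside_port: int) -> Optional[Tuple[str, int]]:
        """Map an inbound packet to (inside_ip, inside_port); None means the router drops it."""
        if outside_ip in self.static:
            # 1:1 NAT: the inside host is reachable on every port, so it can be port-scanned.
            return self.static[outside_ip], outside_port
        flow = self.inbound.get((outside_ip, outside_port, remote_ip, remote_port))
        if flow is None:
            return None                          # no matching PAT state: unsolicited, dropped
        return flow[0], flow[1]


def demo():
    # Two-address pool with three usable ports each, so the rollover to the second address shows.
    nat = NatTable(["222.222.222.222", "222.222.222.223"], port_range=(8000, 8002))
    out = [nat.translate_out(f"111.111.111.{h}", 9999, "198.51.100.10", 80)
           for h in (111, 112, 113, 114)]
    reply = nat.translate_in("198.51.100.10", 80, "222.222.222.222", 8001)      # legitimate return
    scan = nat.translate_in("203.0.113.7", 44444, "222.222.222.222", 8001)      # scanner, PAT address
    nat.add_static("111.111.111.200", "222.222.222.230")
    scan_static = nat.translate_in("203.0.113.7", 44444, "222.222.222.230", 22)  # scanner, 1:1 address
    return out, reply, scan, scan_static


if __name__ == "__main__":
    out, reply, scan, scan_static = demo()
    for o in out:
        print("PAT slot:", o)
    print("reply ->", reply, "| scan on PAT addr ->", scan, "| scan on 1:1 addr ->", scan_static)
```

Four inside hosts with the same source port land on 222.222.222.222:8000-8002 and then 222.222.222.223:8000; the reply from 198.51.100.10 maps back to 111.111.111.112:9999, the scanner's probe to the same PAT port is dropped for lack of matching state, and the same probe against the 1:1 NAT address reaches the inside host directly, which is exactly what PortSentry would log.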
