2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report
Limit internal address NAT translation entries
When configuring NAT, there is a command that restricts the number of NAT translation entries per host; it can apply the restriction to all hosts, to a single host, or to the hosts matched by an ACL. In theory the NAT table has no fixed size limit, but in practice memory, CPU, and the available address range or port space all cap the number of translation entries. Each NAT translation entry uses approximately 160 bytes of memory. In some cases the number of entries needs to be limited for performance or policy reasons. The command format for restricting NAT translation entries is as follows:
Router(config)#ip nat translation max-entries {all-host | host ip-address | list list-number} number_of_entries
For example, the command ip nat translation max-entries host 192.168.1.2 100 limits the host with IP address 192.168.1.2 to 100 NAT translation entries.
The following configuration example verifies the behaviour of the ip nat translation max-entries command.
Figure 8.1. Experimental topology of NAT translation entries restricted to each address.
As shown in Figure 8.1, NAT is configured on router R1. PC1 has the inside (private) address 10.0.0.7/24 with gateway 10.0.0.254/24. PC2 has the outside (public-side) address 222.222.222.2/24 with gateway 222.222.222.1/24.
The configuration on R1 is as follows:
interface FastEthernet0/0
ip address 222.222.222.1 255.255.255.0
ip nat outside
!
interface FastEthernet0/1
ip address 10.0.0.254 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 222.222.222.2
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
After the configuration is complete, ports 1 through 1024 on PC2 are scanned from PC1 with a port scanner, and the NAT translation entries are then viewed on R1:
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 222.222.222.1:3239 10.0.0.7:3239 222.222.222.2:1 222.222.222.2:1
tcp 222.222.222.1:3240 10.0.0.7:3240 222.222.222.2:2 222.222.222.2:2
tcp 222.222.222.1:3241 10.0.0.7:3241 222.222.222.2:3 222.222.222.2:3
tcp 222.222.222.1:3242 10.0.0.7:3242 222.222.222.2:4 222.222.222.2:4
... output omitted ...
tcp 222.222.222.1:7368 10.0.0.7:7368 222.222.222.2:1021 222.222.222.2:1021
tcp 222.222.222.1:7369 10.0.0.7:7369 222.222.222.2:1022 222.222.222.2:1022
tcp 222.222.222.1:7370 10.0.0.7:7370 222.222.222.2:1023 222.222.222.2:1023
tcp 222.222.222.1:7371 10.0.0.7:7371 222.222.222.2:1024 222.222.222.2:1024
Now configure the NAT translation entry limit on the router so that PC1 is limited to 20 NAT translation entries:
R1(config)#ip nat translation max-entries host 10.0.0.7 20
Once this is configured, ports 1 through 1024 on PC2 are scanned from PC1 again, and the NAT translation entries are checked: PC1 now holds only 20 NAT translation entries, the rest of the scan's connections having been refused a translation.
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 222.222.222.1:8428 10.0.0.7:8428 222.222.222.2:1 222.222.222.2:1
tcp 222.222.222.1:8429 10.0.0.7:8429 222.222.222.2:2 222.222.222.2:2
... output omitted ...
tcp 222.222.222.1:8446 10.0.0.7:8446 222.222.222.2:19 222.222.222.2:19
tcp 222.222.222.1:8447 10.0.0.7:8447 222.222.222.2:20 222.222.222.2:20
In practice, the NAT translation table can fill up because of malware (viruses) or other causes, and communication then fails. The following is an example of how to handle such a NAT failure.
For example: the company network has been working normally, and suddenly Internet access is lost. Since the network worked normally before, the device configuration that was in place while it worked is presumably sound, so the analysis should focus on what has changed, such as device configuration changes or physical link changes.
Troubleshoot according to the company's situation using the following steps:
1. Check whether the intranet is working normally and confirm that the switch is operating normally;
2. Check the configuration and operation records of the gateway device to see whether the configuration has been changed;
3. Check whether the link from the gateway device to the operator (ISP) is normal;
4. If all of the above are normal, run the show ip nat translations command on the gateway device and check whether the NAT translation table holds entries, to determine whether the problem lies with NAT. In this case the check finds that the NAT translation table is full and that a single IP address occupies a large number of the entries. This is likely caused by a virus on that host, and it leaves no translations available when other intranet hosts try to reach the external network.
5. Use the clear ip nat translation * command to clear the NAT translation table; once the stale entries are cleared, the network returns to normal.
6. Soon after the network is restored, the same fault appears again, and show ip nat translations shows the same picture as in step 4, so the host itself must be examined further.
7. Disconnect the infected host and clean it. Then use the clear ip nat translation * command to clear the fault, and the network is normal again.
8. To prevent this failure from recurring, use the ip nat translation max-entries all-host command to limit the number of NAT translation table entries each host may hold. This command also has the side effect of limiting BitTorrent downloads, which likewise open many simultaneous connections.
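As an added example (not part of the article or its lab), a small Python parser for the show ip nat translations output format shown above: it counts entries per inside-local host, which is the check step 4 performs by eye, flags hosts over a chosen per-host limit, and estimates table memory using the article's 160-byte-per-entry figure. The sample output is constructed, not captured from the article's router.

```python
import re
from collections import Counter

# Constructed sample modelled on the article's `show ip nat translations` format
# (not a capture from the article's lab). 10.0.0.7 holds most of the entries.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 222.222.222.1:3239 10.0.0.7:3239      222.222.222.2:1    222.222.222.2:1
tcp 222.222.222.1:3240 10.0.0.7:3240      222.222.222.2:2    222.222.222.2:2
tcp 222.222.222.1:3241 10.0.0.7:3241      222.222.222.2:3    222.222.222.2:3
udp 222.222.222.1:1025 10.0.0.9:1025      8.8.8.8:53         8.8.8.8:53
tcp 222.222.222.1:3242 10.0.0.7:3242      222.222.222.2:4    222.222.222.2:4
"""

BYTES_PER_ENTRY = 160  # approximate per-entry memory cost quoted in the article

# One translation line: protocol (or "---" for static entries) plus four
# address[:port] columns. The header line starts with "Pro" and is skipped.
ENTRY_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp|---)\s+"
    r"(?P<iglobal>\S+)\s+(?P<ilocal>\S+)\s+(?P<olocal>\S+)\s+(?P<oglobal>\S+)\s*$"
)

def parse_translations(text):
    """Return one dict per translation line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def inside_host(addr_port):
    """Strip the :port suffix ('10.0.0.7:3239' -> '10.0.0.7'); static entries have none."""
    return addr_port.rsplit(":", 1)[0]

def entries_per_host(entries):
    """Count translation entries by inside-local host address."""
    return Counter(inside_host(e["ilocal"]) for e in entries)

def hosts_over_limit(entries, max_entries):
    """Hosts holding more than max_entries translations: the step-4 symptom,
    and candidates for `ip nat translation max-entries host <ip> N`."""
    return {h: n for h, n in entries_per_host(entries).items() if n > max_entries}

def estimated_memory_bytes(entries):
    """Rough NAT table memory use at ~160 bytes per entry."""
    return len(entries) * BYTES_PER_ENTRY
```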