Restrict internal address NAT translation entries

Limit Internal addresses NAT Convert Entry

When you configure NAT, you have a command that restricts the NAT translation entries for the host, and you can restrict all hosts, individual hosts, and NAT translation entries that match the ACL host, respectively. In theory, there is no limit to the number of translation entries in the NAT table, but in practice, the memory and CPU or available address range or port space will have a limited number of converted entries. Each NAT translation entry is approximately 160 bytes of memory. In some cases, there is a need to limit the number of entries for performance or policy reasons. The command format for restricting NAT translation entries is as follows:

Router (config) #ip nat translation Max-entries {all-host | host ip-address | list list-number} Numbe R_of_entries

For example, the command IP NAT translation max-entries host 192.168.1.2 100 indicates that the NAT translation entry for a host with an IP address of 192.168.1.2 is limited to 100.

The following is a configuration case to verify the IP NAT translation max-entries command.

650) this.width=650; "Style=" background-image:none; border-bottom:0px; border-left:0px; padding-left:0px; padding-right:0px; border-top:0px; border-right:0px; padding-top:0px "title=" clip_image002 "border=" 0 "alt=" clip_image002 "src=" http://s3.51cto.com/wyfs02/M01/77/89/ Wkiol1zpedwrktoqaaaweco0lbu708.jpg "" 244 "height="/>

Figure 8.1 Restricting NAT translation entries for each address experimental topology diagram

8.1, on the router R1 configured NAT,PC1 for the intranet IP address 10.0.0.7/24, Gateway 10.0.0.254/24;PC2 out of the network address is 222.222.222.2/24, Gateway 222.222.222.1/24.

The configuration information is as follows:

Interface fastethernet0/0

IP address 222.222.222.1 255.255.255.0

IP Nat Outside

!

Interface FASTETHERNET0/1

IP address 10.0.0.254 255.255.255.0

IP nat Inside

!

IP Route 0.0.0.0 0.0.0.0 222.222.222.2

!

IP nat inside source List 1 interface fastethernet0/0 overload

!

Access-list 1 Permit 10.0.0.0 0.0.0.255

After the configuration is complete, use the port scan software on PC1 to scan Port 1 through 1024 of the PC2 host, and then view the NAT translation entry as follows:

R1#show IP NAT Translations

Pro Inside Global Inside local Outside local Outside global

TCP 222.222.222.1:3239 10.0.0.7:3239 222.222.222.2:1 222.222.222.2:1

TCP 222.222.222.1:3240 10.0.0.7:3240 222.222.222.2:2 222.222.222.2:2

TCP 222.222.222.1:3241 10.0.0.7:3241 222.222.222.2:3 222.222.222.2:3

TCP 222.222.222.1:3242 10.0.0.7:3242 222.222.222.2:4 222.222.222.2:4

... Omitted...

TCP 222.222.222.1:7368 10.0.0.7:7368 222.222.222.2:1021 222.222.222.2:1021

TCP 222.222.222.1:7369 10.0.0.7:7369 222.222.222.2:1022 222.222.222.2:1022

TCP 222.222.222.1:7370 10.0.0.7:7370 222.222.222.2:1023 222.222.222.2:1023

TCP 222.222.222.1:7371 10.0.0.7:7371 222.222.222.2:1024 222.222.222.2:1024

Now configure the NAT translation entry limit command on the router, limiting the NAT translation entry for PC1 to 20:

R1 (config) #ip Nat translation Max-entries host 10.0.0.7 20

After the configuration is complete, use port scanning software on PC1 again to scan the port 1 through 1024 of the PC2 host, and then view the NAT translation entry with only 20 NAT translation entries for PC1.

R1#show IP NAT Translations

Pro Inside Global Inside local Outside local Outside global

TCP 222.222.222.1:8428 10.0.0.7:8428 222.222.222.2:1 222.222.222.2:1

TCP 222.222.222.1:8429 10.0.0.7:8429 222.222.222.2:2 222.222.222.2:2

... Omitted...

TCP 222.222.222.1:8446 10.0.0.7:8446 222.222.222.2:19 222.222.222.2:19

TCP 222.222.222.1:8447 10.0.0.7:8447 222.222.222.2:20 222.222.222.2:20

In the actual work may be caused by the virus and other causes of the NAT translation entry is full, communication failure. The following is an example of a general processing process in the event of a NAT failure.

For example: The company network use Normal, suddenly appear unable to normal internet situation. Since previous network usage has been normal, the device configuration should be OK when the network is normal, and can be analyzed from the aspects of device configuration change or physical link.

Check the following methods according to the company's situation:

1, check whether the network is normal, to determine whether the switch is normal;

2. Check the configuration and operation record of the gateway device to see if the configuration has been changed;

3, check from the gateway device to the operator link is normal;

4. If the above is normal, use the show ip NAT translations command on the gateway device to see if there is a NAT translation table entry on the device to determine if the NAT problem is present. The check found that the NAT translation table entry is full and has an IP address that takes up a lot of NAT translation table entries, which may be due to a virus that causes the NAT conversion table of the device to be full, causing the intranet to be inaccessible for NAT translation;

5. Clear the NAT translation table entry using the clear IP NAT translation * command, and the fault clearing network is back to normal;

6, the network recovery soon after the failure phenomenon again, through the show IP Nat translations view phenomenon and step 4, you need to further check the host;

7, disconnect the host and antivirus virus, using the clear IP NAT translation * command, fault clean up the network is normal;

8, in order to prevent this fault recurrence can use IP NAT translation max-entries all-host <1- 2147483647> The command limits the number of NAT translation table entries for the host, and this command also has the ability to restrict BT downloads;

Restrict internal address NAT translation entries