8 Replies. Latest reply: Nov 28, 2011 8:54 PM by Nancy

    Cisco 2611XM Nat Statistics

    Nancy

      Greetings!

      I am attempting to narrow down a performance issue on my router.  Do the statistics below look normal?

      Thank you in advance for your great answers.  TheGeekGirl

      Gateway#show ip nat stat

      Total active translations: 286 (0 static, 286 dynamic; 285 extended)

      Outside interfaces:

        FastEthernet0/0

      Inside interfaces:

        FastEthernet0/1

      Hits: 2631382344  Misses: 56338058

      Expired translations: 58886021

      Dynamic mappings:

      -- Inside Source

      [Id: 1] access-list 1 pool Client_Pool refcount 286

      pool Client_Pool: netmask 255.255.255.248

              start (wan) end (wan)

              type generic, total addresses 3, allocated 2 (66%), misses 400476

      Gateway#

        • 1. Re: Cisco 2611XM Nat Statistics
          Brian

          It looks like you are getting all the misses because you only allocated a /29 (6 usable) IP address to your NAT pool.

          Can you provide the router configuration?

          Thanks.

          Brian

          • 2. Re: Cisco 2611XM Nat Statistics
            Nancy

            Here you go!

            Gateway#show run

            Building configuration...

            Current configuration : 2785 bytes

            !

            ! Last configuration change at 05:29:38 PST Sun Nov 27 2011

            ! NVRAM config last updated at 05:29:43 PST Sun Nov 27 2011

            !

            version 12.3

            no service pad

            service tcp-keepalives-in

            service tcp-keepalives-out

            service timestamps debug datetime msec localtime show-timezone

            service timestamps log datetime msec localtime show-timezone

            service password-encryption

            service sequence-numbers

            !

            hostname Gateway

            !

            boot-start-marker

            boot-end-marker

            !

            logging buffered 4096 debugging

            no logging console

            no logging monitor

            enable password 7 013234377F5A5056

            !

            username !root password 7 050F050C22

            username cicso privilege 15 password 7 02050D480809

            username NVHS privilege 15 password 7 11282B3633435D55

            clock timezone PST -8

            clock summer-time PDT recurring

            no network-clock-participate slot 1

            no network-clock-participate wic 0

            no aaa new-model

            no ip subnet-zero

            no ip source-route

            ip cef

            ip tcp synwait-time 10

            !

            !

            ip dhcp excluded-address 10.5.1.251 10.5.1.254

            ip dhcp excluded-address 10.5.1.1 10.5.1.29

            !

            ip dhcp pool NV

               network 10.5.1.0 255.255.255.0

               domain-name NVHS.com

               dns-server 10.5.1.10 204.14.138.10

               default-router 10.5.1.1

               lease 0 2

            !

            ip audit po max-events 100

            no ip bootp server

            ip domain retry 5

            ip domain timeout 5

            ip domain name NVHS.com

            ip name-server 204.14.141.218

            ip name-server 204.14.138.10

            ip dhcp-server 10.5.1.1

            no ftp-server write-enable

            !

            !

            !

            !

            !

            !

            !

            interface Null0

            no ip unreachables

            !

            interface FastEthernet0/0

            description $FW_OUTSIDE$

            ip address xxxxxxxxxxx 255.255.255.248

            no ip redirects

            no ip unreachables

            no ip proxy-arp

            ip nat outside

            ip route-cache flow

            speed 100

            full-duplex

            no cdp enable

            no clns route-cache

            !

            interface FastEthernet0/1

            description $FW_INSIDE$

            no ip address

            no ip redirects

            no ip unreachables

            no ip proxy-arp

            ip route-cache flow

            speed 100

            full-duplex

            no cdp enable

            no clns route-cache

            !

            ip nat translation timeout 300

            ip nat translation tcp-timeout 300

            ip nat translation max-entries 20000

            ip nat pool Client_Pool xxxxx.226 xxxx.228 netmask 255.255.255.248

            ip nat inside source list 1 pool Client_Pool overload

            ip classless

            ip route 0.0.0.0 0.0.0.0 xxxxx.225

            no ip http server

            ip http secure-server

            !

            access-list 1 remark NAT Access for Main Subnet

            access-list 1 remark CCP_ACL Category=18

            access-list 1 permit 10.5.1.0 0.0.0.255

            no cdp run

            !

            !

            banner login ^CNevada HighSpeed, LLC.^C

            banner motd ^C

            This Is A Private System

            Unauthorized Access Is Prohibited

            ^C

            !

            line con 0

            exec-timeout 0 0

            login local

            line aux 0

            line vty 0 4

            privilege level 15

            password 7 01522832734F575F711C

            login

            transport input telnet

            !

            scheduler allocate 4000 1000

            ntp clock-period 17208450

            ntp server 169.229.70.64 source FastEthernet0/0 prefer

            ntp server 149.20.68.17 source FastEthernet0/0

            !

            end

            • 3. Re: Cisco 2611XM Nat Statistics
              Brian

              Hi Nancy,

              Thanks for the configuration.  So quick question, the IP address configured on the F0/0 (outside interface), is this the same subnet being used for the NAT pool?  And the default GW?

              It looks like you are assigning the 10.5.1.0/24 via DHCP to users on F0/1 (inside interface) and are NATting these to three addresses x.x.x.226, x.x.x.227 and x.x.x.228 with overload.  Thus you are using NAT with PAT.  This would explain the output you have in your previous post.

              For example, the first three users would be assigned the IP addresses in order:

              user 1 = x.x.x.226

              user 2 = x.x.x.227

              user 3 = x.x.x.228

              Now what about the 4th user?  Or the 40th user?  Or even the 100th user?  As new users are getting NATted, it is the port number that will set them apart with the same IP address.  You can see that as the number of users increases, so will the number of misses, as two or more users are trying to use the same port.

              Hope this helps.

              Brian

              • 4. Re: Cisco 2611XM Nat Statistics
                Nancy

                I inherited these configurations from the previous tech and there wasn’t any documentation.  I will do my best to answer your questions with the information I have.  I really appreciate your assistance with this.

                The original intent was to have the LAN traffic use an internal server for DNS so we were not using our bandwidth for outside network traffic if it was not required.  The internal server was never set up.  The bottom line is we are looking at all of the configuration there is on this network.

                Your comments are very helpful.  I need a quick fix to resolve these misses.  I believe a piece of equipment has been removed from the system because of a power spike.  It seems as though we are only seeing part of this equation, but this is all there is.

                “So quick question, the IP address configured on the F0/0 (outside interface), is this the same subnet being used for the NAT pool?  And the default GW?”  I need to answer this question with a question.  I am not seeing the NAT pool in the configuration and this router is the GW.  There aren’t any other devices in this mix.

                What would be the correct syntax to resolve this for now?  Am I missing a NAT pool statement?  We have 5 public IPs and then the LAN 10.5.1.0/24 inside.  I can see now that you have explained why we are having difficulties.  I just don’t know how to repair the issue.

                TheGeekGirl

                • 5. Re: Cisco 2611XM Nat Statistics
                  Nancy

                  Is the NAT pool inside the same as the access list?

                  I think my brain is starting to connect the dots.

                  ip nat pool Client_Pool xxxxx.226 xxxx.228 netmask 255.255.255.248

                  ip nat inside source list 1 pool Client_Pool overload

                  access-list 1 remark NAT Access for Main Subnet

                  access-list 1 remark CCP_ACL Category=18

                  access-list 1 permit 10.5.1.0 0.0.0.255

                  • 6. Re: Cisco 2611XM Nat Statistics
                    Brian

                    You mention in your configuration the following:

                    interface FastEthernet0/0

                    description $FW_OUTSIDE$

                    ip address xxxxxxxxxxx 255.255.255.248

                    ip nat pool Client_Pool xxxxx.226 xxxx.228 netmask 255.255.255.248

                    ip nat inside source list 1 pool Client_Pool overload

                    ip route 0.0.0.0 0.0.0.0 xxxxx.225

                    In the configuration you are "blocking" out the public IP address which is ok.  I understand.  All I want to know is, where the "xxxx" are, is this the same IP address?  For example,

                    Let's just say the public IP address space is 200.200.200.224/29.  This would give you the following 6 usable IP addresses:

                    200.200.200.224 = network ID

                    200.200.200.225 = default GW (from the static route)

                    200.200.200.226 = part of NAT pool "Client_Pool"

                    200.200.200.227 = part of NAT pool "Client_Pool"

                    200.200.200.228 = part of NAT pool "Client_Pool"

                    200.200.200.229 = where is this assigned???    --> if unassigned, I would add this to the NAT pool

                    200.200.200.230 = Is this the IP address on F0/0?

                    200.200.200.231 = broadcast address for the subnet

                    Depending on the type of traffic and the source ports being used by the private hosts on the 10.5.1.0/24 network, you will most likely always see some misses because your NAT pool is not large enough.  Misses are attempts to create a mapping.  You have 254 private addresses being NATted to only 3 public addresses with overload.  That means there are over 60 private hosts for each of the public addresses, so you are bound to see misses as some ports are already in use by other hosts.  NAT will always try and use the same source port and if it is already in use must select a new one.

                    Try clearing the NAT translation statistics with the following command, "clear ip nat statistics".

                    Then display the current statistics using the command "sh ip nat stat".

                    Some of what you are seeing is historical data.

                    Hope this helps.

                    Brian
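
Brian's explanation in replies 3 and 6 (NAT keeps the inside source port when it can, and 254 inside hosts behind three pool addresses are bound to collide), as an added Python model that is not code from this thread or from Cisco IOS: it lays out 200.200.200.224/29 the way reply 6 does, then counts hits, misses and port collisions for constructed inside traffic. The hit/miss accounting and the fallback port selection are a simplification of what IOS does, and both the public block and the flows are constructed for the example.

```python
import ipaddress
from collections import defaultdict
PUBLIC_NET = ipaddress.ip_network("200.200.200.224/29")  # constructed; reply 6's example block

def subnet_layout(net):
    """Lay out the /29 the way reply 6 does: network, usable hosts, broadcast."""
    return {"network": str(net.network_address),
            "usable": [str(h) for h in net.hosts()],
            "broadcast": str(net.broadcast_address)}

class PatPool:
    """Simplified model of 'ip nat inside source ... overload'.  A lookup that finds
    a translation for (inside ip, inside port) is a hit; having to build one is a
    miss.  The inside port is kept if free on a pool address, else a fresh port."""
    def __init__(self, pool, max_entries=20000):
        self.pool, self.max_entries = list(pool), max_entries
        self.in_use = defaultdict(set)      # public ip -> ports already taken
        self.table = {}                     # (in_ip, in_port) -> (pub_ip, port)
        self.hits = self.misses = self.collisions = 0
        self.next_port = 1024
    def translate(self, in_ip, in_port):
        key = (in_ip, in_port)
        if key in self.table:
            self.hits += 1
            return self.table[key]
        self.misses += 1                    # a miss is an attempt to map
        if len(self.table) >= self.max_entries:
            return None                     # 'max-entries' reached: dropped
        for pub in self.pool:               # prefer keeping the source port
            if in_port not in self.in_use[pub]:
                return self._bind(key, pub, in_port)
        self.collisions += 1                # port taken on every address
        pub = self.pool[len(self.table) % len(self.pool)]
        while self.next_port in self.in_use[pub]:
            self.next_port += 1
        return self._bind(key, pub, self.next_port)
    def _bind(self, key, pub, port):
        self.in_use[pub].add(port)
        self.table[key] = (pub, port)
        return self.table[key]

def simulate(pool_size, inside_hosts=254, flows_per_host=4, base_port=50000):
    """Constructed traffic: each 10.5.1.0/24 host opens flows from the same ports."""
    pool = subnet_layout(PUBLIC_NET)["usable"][1:1 + pool_size]  # .226 upward
    nat = PatPool(pool)
    for h in range(1, inside_hosts + 1):
        for f in range(flows_per_host):
            nat.translate(f"10.5.1.{h}", base_port + f)   # first packet: miss
            nat.translate(f"10.5.1.{h}", base_port + f)   # second packet: hit
    return {"hits": nat.hits, "misses": nat.misses, "collisions": nat.collisions}
```

Changing pool_size in simulate() is the knob the thread is discussing: collisions fall as the number of inside hosts per public address falls, while the miss count (one per new flow) stays the same.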


                    • 7. Re: Cisco 2611XM Nat Statistics
                      Nancy

                      Thank you so much!

                      • 8. Re: Cisco 2611XM Nat Statistics
                        Nancy

                        Brian,

                        The outside xxx are the public IP address.

                        The IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.225 is a public address as well.

                        It looks like I need to change a few things.  Your example was totally helpful.