May I suggest a quick and dirty lab to test the various theories that have
been described in this thread.

1) Take a router, create four loopbacks with /32 masks out of the same /29
range.

2) Set up your NAT pool with only two outside addresses. Then set the
outside interface. Maybe shorten the timeouts.

3) Set each of the loopbacks as inside addresses.

4) Do an extended ping to the other router - but use the default number of
tries ( 5 ). This will set up the first translation.

5) Do extended pings from two other loopbacks, but this time with large
numbers of repeats, so as to keep the NAT translations active.

6) At some point the first translation will time out. When this happens, do
an extended ping from the fourth loopback. Try to time this so all the pings
stop about the same time ( good luck ).

When the pings stop, you should be able to do a "show ip nat trans" to see
what addresses got what. The outside address used by the fourth loopback
provides the answer to the mechanics of NAT/PAT.

Cisco documentation cannot be relied upon to be detailed enough to provide the
actual mechanics of how this works. Nor may the actual mechanics be
consistent from IOS to IOS, let alone platform to platform or vendor to
vendor.

My own opinion is that NAT assigns from the static pool as long as there is
an open address, and operates PAT only if there are no open addresses, but
just because that is logical doesn't mean that's the way it is.

In answer to a different part of the question below, you can create multiple
NAT/PAT pools, and assign portions of your inside space to different source
pools via access-lists.

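! lower half of the inside range: 100.100.100.0 - 100.100.100.127
access-list 1 permit 100.100.100.0 0.0.0.127
! upper half of the inside range: 100.100.100.128 - 100.100.100.255
access-list 2 permit 100.100.100.128 0.0.0.127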

ip nat pool NAT_1 10.1.1.1 10.1.1.31 netmask 255.255.255.224
ip nat pool NAT_2 10.1.1.33 10.1.1.63 netmask 255.255.255.224
ip nat inside source list 1 pool NAT_1 overload
ip nat inside source list 2 pool NAT_2 overload

This segments your inside users into groups and each group uses a different
NAT pool. This may relieve some of your CPU usage problems. Or you could
stop being a cheapskate and buy a real firewall to do the job. :->

--
-------------------------------------------------

Bullwinkle: Hey, Rocky, watch me pull a CCIE out of my hat!

Rocky: Bullwinkle, that trick NEVER works....

Bullwinkle: This time FOR SURE!!!!!!!

"ciscoGo2002" wrote in message
news:[EMAIL PROTECTED]
> Thanks Symon,
>
> We really want to know more about the way the overload
> works...
> Maybe we were not so exactly as we wanted... We want
> to know how can we use PAT when any others publics ips
> are exhausted after using NAT?
> For example, if we configure this:
> ip nat inside source list  pool
> overload
>
> How does it work?? The router uses NAT with every
> public IP in the pool and when the pool is exhausted
> the router begins doing PAT with first IP address of
> the pool, and so on..?? Can you please respond to this
> question??? (be more specific, thx)
>
> Thanks people...
>
> --- Symon Thurlow wrote:
> > Yes, this is a typical setup.
> >
> > Search cisco.com and you will find a sample config.
> >
> > Symon
> >
> > -----Original Message-----
> > From: ciscoGo2002 [mailto:[EMAIL PROTECTED]
> > Sent: 02 April 2003 11:58
> > To: [EMAIL PROTECTED]
> > Subject: PAT AFTER NAT...IS IT POSSIBLE??? [7:66672]
> >
> >
> > Hello folks,
> > I have a question for you: we want to do dynamic NAT
> > with a pool of 128 public IP addresses (we haven't got
> > more public IP addresses :(  ). Now, when the router
> > does 128 translations no one can access the internet...
> > We would like to do PAT when the NAT public addresses are
> > exhausted.. is it possible? Can we do a mix of PAT and
> > NAT configuration? Any ideas? Any configs?
> >
> > Thanks to all of you clever men and ladies!!!

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66750&t=66672
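
Added example (not part of the original thread): a small Python script that parses the "show ip nat translations" output collected at the end of the lab above and reports which inside global address each loopback received and which addresses are shared by several inside hosts. The sample output and its addresses (loopbacks in 192.168.1.0/29, pool 10.1.1.1-10.1.1.2, peer 172.16.0.2) are constructed for illustration and make no claim about how any IOS release actually allocates.

```python
from collections import defaultdict

# Constructed sample, NOT captured from a router. Addresses are assumptions.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.1.1:7        192.168.1.2:7      172.16.0.2:7       172.16.0.2:7
icmp 10.1.1.2:8        192.168.1.3:8      172.16.0.2:8       172.16.0.2:8
icmp 10.1.1.1:9        192.168.1.4:9      172.16.0.2:9       172.16.0.2:9
"""

FIELDS = ("inside_global", "inside_local", "outside_local", "outside_global")


def split_host_port(field):
    """Split 'addr:port' into (addr, port); entries without a port give None."""
    addr, _, port = field.partition(":")
    return addr, int(port) if port else None


def parse_translations(text):
    """Return one dict per translation row, skipping the header and blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly five columns; the header splits into more.
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        row = {"proto": parts[0]}
        for name, value in zip(FIELDS, parts[1:]):
            row[name] = split_host_port(value)
        rows.append(row)
    return rows


def summarise(rows):
    """Map each inside global address to the sorted inside hosts using it."""
    users = defaultdict(set)
    for row in rows:
        users[row["inside_global"][0]].add(row["inside_local"][0])
    return {glob: sorted(hosts) for glob, hosts in users.items()}


def shared_addresses(summary):
    """Inside global addresses carrying more than one inside host (PAT in use)."""
    return sorted(g for g, hosts in summary.items() if len(hosts) > 1)


if __name__ == "__main__":
    summary = summarise(parse_translations(SAMPLE))
    for glob, hosts in sorted(summary.items()):
        print(glob, "<-", ", ".join(hosts))
    print("shared (overloaded):", shared_addresses(summary))
```

An address used by only one inside host in the table is not proof of one-to-one NAT; only sharing is conclusive, which is why the lab keeps several translations active at once.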