NAT Pool Exhausted — New Sessions Failing

Presenting Symptom

New outbound connections from internal hosts to the internet are failing, while existing connections continue to work.

Network Context

A small branch office with a Cisco 4321 ISR router running IOS XE 16.9. The router performs NAT overload (PAT) for approximately 200 internal hosts using a single public IP address. The router is connected to the ISP via a GigabitEthernet WAN interface.

Diagnostic Steps

1. Check NAT translations and pool usage

show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.0.2.1:1024     10.0.0.10:1024     203.0.113.5:80     203.0.113.5:80
tcp 192.0.2.1:1025     10.0.0.11:1024     203.0.113.5:80     203.0.113.5:80
... (many entries, all using the same inside global IP with different ports)

Many translations that share one inside global address and differ only in port, with a protocol (tcp, udp or icmp) in the Pro column, are extended entries: PAT is in use. Entries that show --- in the Pro column are plain one-to-one translations carrying no port information. PAT allocates ports per transport protocol, so a single global address supports at most about 64K concurrent TCP translations and about 64K UDP translations; when the count for one protocol approaches that ceiling (or a limit set with ip nat translation max-entries, if one is configured), the pool is effectively exhausted. Use the Total active translations line of show ip nat statistics to count entries rather than paging through this table.

2. Check NAT statistics and pool utilization

show ip nat statistics
Total active translations: 65535 (0 static, 65535 dynamic; 65535 extended)
Outside interfaces:
  GigabitEthernet0/0/0
Inside interfaces:
  GigabitEthernet0/0/1
Hits: 100000  Misses: 5000
Expired translations: 2000
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool POOL1 refcount 65535
 pool POOL1: id 1, netmask 255.255.255.252
        start 192.0.2.1 end 192.0.2.1
        type generic, total addresses 1, allocated 1 (100%), misses 5000

Read the two kinds of "misses" separately. The global Hits/Misses pair counts translation-table lookups: a hit found an existing entry, a miss had to create one, so a non-zero global Misses value is normal on any busy NAT router. The misses counter on the pool line counts failed allocations: packets that needed a new translation when no address or port was available. A pool that shows total addresses 1, allocated 1 (100%) together with a climbing pool misses counter is exhausted. Run the command twice a minute apart; if the pool misses value keeps rising while Total active translations stays pinned near the ceiling, the exhaustion is ongoing rather than historical.

3. Check NAT timeouts and port utilization

show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.0.2.1:1024     10.0.0.10:1024     203.0.113.5:80     203.0.113.5:80
    create 00:00:12, use 00:00:12 timeout:86400000, left 23:59:48, Map-Id(In): 1,
    flags: extended, use_count: 0, entry-id: 5, lc_entries: 0

show running-config | include ip nat translation

The verbose output shows each entry's timeout in milliseconds (86400000 ms is 24 hours) and how much of it is left. If the running-config search returns nothing, the IOS defaults apply: 86400 seconds for TCP, 300 seconds for UDP, and 60 seconds for ICMP, DNS and TCP FIN/RST entries. A 24-hour TCP timeout means every half-open or abandoned TCP session holds its global port for a day after the last packet, so even a modest number of hosts that churn through connections can pin the whole port range. Entries with a large "left" value and no recent "use" time are the ones to look for.

4. Check for excessive NAT entries from specific hosts

show ip nat translations | include 10.0.0.10
tcp 192.0.2.1:1024     10.0.0.10:1024     203.0.113.5:80     203.0.113.5:80
tcp 192.0.2.1:1025     10.0.0.10:1025     203.0.113.5:443    203.0.113.5:443
... (many entries from the same inside host)

If a single internal host holds thousands of translations, it is opening connections far faster than they close, whether because of malware, a scanning tool, a misconfigured application or a broken retry loop. The outside global column helps tell these apart: thousands of entries to many different destinations on one port (for example 25, 445 or 3389) look like scanning or spam, while thousands of entries to a single destination suggest an application retrying. Either way one such host can empty the pool on its own, and the NAT table is often the first place the behaviour becomes visible.
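The four checks above are all pattern-matching over CLI output, which makes them easy to script for a collector that polls the router. The following is an added example for this page, not Cisco code: it parses the two outputs from Steps 1 through 4 and flags an exhausted pool and the inside hosts holding the most entries, which is also the check the Prevention section's monitoring item needs. The sample output is constructed to mirror the IOS XE layout shown above (field positions may differ by release), and the per_host_limit threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample output mirroring this page's scenario; not a real capture.
NAT_STATS = """\
Total active translations: 65535 (0 static, 65535 dynamic; 65535 extended)
Outside interfaces:
  GigabitEthernet0/0/0
Inside interfaces:
  GigabitEthernet0/0/1
Hits: 100000  Misses: 5000
Expired translations: 2000
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool POOL1 refcount 65535
 pool POOL1: id 1, netmask 255.255.255.252
        start 192.0.2.1 end 192.0.2.1
        type generic, total addresses 1, allocated 1 (100%), misses 5000
"""

# Constructed sample: a few extended (PAT) entries from 'show ip nat translations'.
NAT_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.0.2.1:1024     10.0.0.10:1024     203.0.113.5:80     203.0.113.5:80
tcp 192.0.2.1:1025     10.0.0.10:1025     203.0.113.5:443    203.0.113.5:443
udp 192.0.2.1:1026     10.0.0.10:1026     203.0.113.9:53     203.0.113.9:53
tcp 192.0.2.1:1027     10.0.0.11:1024     203.0.113.5:80     203.0.113.5:80
tcp 192.0.2.1:1028     10.0.0.12:1024     203.0.113.7:22     203.0.113.7:22
"""

ACTIVE_RE = re.compile(r"Total active translations: (\d+)")
POOL_NAME_RE = re.compile(r"^\s*pool (\S+): id \d+")
POOL_USAGE_RE = re.compile(
    r"total addresses (?P<total>\d+), allocated (?P<alloc>\d+) "
    r"\((?P<pct>\d+)%\), misses (?P<misses>\d+)")
# Extended entries carry a protocol; '---' one-to-one entries are skipped on purpose.
XLATE_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$",
    re.MULTILINE)


def parse_nat_statistics(text):
    """Return (active_translations, {pool_name: {total, alloc, pct, misses}})."""
    active = int(ACTIVE_RE.search(text).group(1))
    pools, current = {}, None
    for line in text.splitlines():
        name = POOL_NAME_RE.match(line)
        if name:
            current = name.group(1)
            continue
        usage = POOL_USAGE_RE.search(line)
        if usage and current:
            pools[current] = {k: int(v) for k, v in usage.groupdict().items()}
    return active, pools


def exhausted_pools(pools):
    """Pool-line 'misses' are failed allocations, unlike the global Hits/Misses lookup counters."""
    return sorted(n for n, p in pools.items()
                  if p["alloc"] == p["total"] and p["misses"] > 0)


def translations_per_inside_host(text):
    """Count PAT entries per inside-local address: the Step 4 check over the whole table."""
    counts = Counter()
    for m in XLATE_RE.finditer(text):
        host = m.group("il").rsplit(":", 1)[0]   # strip the inside-local port
        counts[host] += 1
    return counts


def nat_health_report(stats_text, xlate_text, per_host_limit=2):
    """Combine both outputs into one verdict. per_host_limit is an assumed tuning knob;
    on a real router it would be hundreds or thousands, not 2."""
    active, pools = parse_nat_statistics(stats_text)
    hosts = translations_per_inside_host(xlate_text)
    return {
        "active": active,
        "exhausted_pools": exhausted_pools(pools),
        "noisy_hosts": [h for h, n in hosts.most_common() if n > per_host_limit],
    }


if __name__ == "__main__":
    print(nat_health_report(NAT_STATS, NAT_TRANSLATIONS))
```

On the constructed sample the report names POOL1 as exhausted and 10.0.0.10 as the host holding the most entries. Fed the real outputs from the router (for example over SSH on a schedule), the same functions give the per-host and pool-miss numbers a monitoring alert should key on.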

Root Cause

The router is performing PAT with a single global address, and the ports PAT can allocate on that address (roughly 64K per transport protocol) are all in use, so new sessions cannot be given a translation while existing sessions, which already hold their ports, keep working. The ports were consumed by a combination of long NAT timeouts, which keep entries for finished or abandoned sessions alive for up to 24 hours, and a volume of connections from internal hosts (possibly dominated by one host) that outpaces the rate at which entries expire.

Resolution

1. Expand the pool so PAT has more global addresses, and therefore more ports, to draw from. The added addresses must be routed to this router by the ISP, and the netmask must cover the whole range: 255.255.255.252 is a /30 and cannot hold 192.0.2.1 through 192.0.2.4, and IOS rejects a pool whose start and end fall in different subnets.

   ip nat pool POOL1 192.0.2.1 192.0.2.4 netmask 255.255.255.248

   This gives PAT four addresses instead of one. If IOS refuses to redefine a pool that is in use, clear the active translations first (item 3).

2. Shorten the NAT timeouts so idle entries release their ports sooner. For PAT entries the tcp-timeout and udp-timeout values are the ones that matter; the plain timeout value governs dynamic entries without port information. Keep TCP long enough for legitimately idle sessions such as SSH or database connections; ten minutes is a starting point, not a rule.

   ip nat translation timeout 300
   ip nat translation udp-timeout 60
   ip nat translation tcp-timeout 600

3. Clear the existing translations to free ports immediately. This drops every active session through the router, so do it in a maintenance window or when new connections are already failing anyway.

   clear ip nat translation *

4. If a single host is responsible, cap how many entries it may hold and investigate the host. An access list cannot limit connection counts; the NAT translation limit can (the host address and the cap of 300 are this scenario's values):

   ip nat translation max-entries host 10.0.0.10 300

Verification

Run clear ip nat statistics so the pool misses counter restarts from zero, wait a few minutes, then run show ip nat statistics again and check:

- Total active translations is well below the per-address port ceiling (for example, Total active translations: 500)
- The pool line reads total addresses 4, allocated 1 (25%), misses 0, and misses is still 0 on a second run
- show ip nat translations | include <host> no longer shows one inside host holding thousands of entries

Then open new connections from several internal hosts and confirm they succeed while existing sessions stay up.

Prevention

1. Size the global address pool for the number of inside hosts and their connection rate; each additional address adds roughly 64K ports per transport protocol, and a /29 or /28 from the ISP is cheap insurance for a 200-host branch.
2. Set NAT timeouts that match the traffic: TCP and UDP timeouts short enough to release ports promptly after sessions end, but long enough for legitimately idle sessions.
3. Cap per-host translation counts with ip nat translation max-entries so one misbehaving or compromised host cannot consume the whole pool.
4. Monitor NAT utilization (Total active translations and the pool misses counter from show ip nat statistics, collected by SNMP polling or a scheduled CLI collector) and alert on a threshold such as 80 percent of the port ceiling, so exhaustion is caught before new sessions fail.

CCNA Exam Relevance

On the CCNA 200-301 exam, NAT pool exhaustion may appear in troubleshooting scenarios where new connections fail while established ones keep working. The exam tests understanding of PAT port limits and the show ip nat statistics command. A candidate must know that PAT distinguishes translations by source port, that one global address therefore supports roughly 64K concurrent translations per transport protocol, and that the allocated and misses values on the pool line are where exhaustion shows.

Exam Tips

1. Remember that PAT (overload) multiplexes many inside hosts onto one global address by rewriting the source port; the theoretical ceiling is about 64K translations per transport protocol per global address, and the practical limit is lower, because low-numbered ports are allocated from their own ranges and the platform's translation table has its own size limit.

2. In exam questions, the misses counter on the pool line of show ip nat statistics (total addresses 1, allocated 1 (100%), misses N) is the key indicator of pool exhaustion; the global Hits/Misses pair only counts table lookups and is non-zero on every working NAT router.

3. Know that clear ip nat translation * is a temporary fix that also drops every active session; the permanent solution is to add global addresses, tune timeouts, or cap per-host entries.

Commands Used in This Scenario

show ip nat translations
show ip nat translations verbose
show ip nat translations | include <inside-local-address>
show ip nat statistics
ip nat pool <name> <start> <end> netmask <mask>
ip nat translation timeout <seconds>
ip nat translation tcp-timeout <seconds>
ip nat translation udp-timeout <seconds>
clear ip nat translation *
