NATCCNA 200-301

NAT Translation Table Full — Sessions Being Dropped

Presenting Symptom

Users report that new outbound connections to the internet are failing, while existing connections continue to work.

Network Context

A small branch office with 200 internal hosts uses a Cisco 4321 ISR router running IOS XE 16.9 for NAT overload (PAT) to a single public IP address. The router has been operational for months without issues. The problem started gradually over the past hour.

Diagnostic Steps

Check NAT translations count

show ip nat translations

Pro Inside global      Inside local       Outside local
--- 192.0.2.1:1024    10.0.0.10:1024     203.0.113.5:80
... (many entries)
--- 192.0.2.1:65535   10.0.0.200:65535   198.51.100.1:443

If the output shows many entries and the inside global port numbers are high (e.g., 65535), the translation table is full. Normal output would have fewer entries and lower port numbers.

Check NAT translation statistics

show ip nat statistics

Total active translations: 65535 (0 static, 65535 dynamic; 65535 extended)
Peak translations: 65535
Outside interfaces: GigabitEthernet0/0/0
Inside interfaces: GigabitEthernet0/0/1
Hits: 1000000  Misses: 5000
Expired translations: 500000
Dynamic mappings:
-- Inside Source
[Id] ip 10.0.0.0/24 interface GigabitEthernet0/0/0 refcount 65535

If total active translations equals the maximum (65535 for PAT), the table is full. Look for 'Total active translations' and compare to the maximum. Also check 'Misses' which indicate packets that could not be translated.

Check for NAT timeouts and translation expiration

show ip nat translations verbose

Pro Inside global      Inside local       Outside local    Age
--- 192.0.2.1:1024    10.0.0.10:1024     203.0.113.5:80   00:01:00
... (many entries with ages)

Look for entries with very recent ages (e.g., seconds old) indicating many short-lived connections. If many entries have ages less than the default timeout (e.g., 60 seconds for TCP), it suggests excessive short-lived connections filling the table.

Check for NAT translation timeouts configuration

show running-config | include ip nat translation

ip nat translation timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation tcp-timeout 86400
ip nat translation finrst-timeout 60

If timeouts are set to very high values (e.g., 86400 seconds = 24 hours), translations remain in the table longer, increasing the chance of filling the table. Default timeouts are lower (e.g., TCP 86400, UDP 300).

Root Cause

The NAT translation table is full because the default PAT timeout values are too long (e.g., TCP timeout of 86400 seconds) combined with a high volume of short-lived connections (e.g., from web browsing or DNS queries) that do not close gracefully, causing translations to remain in the table for extended periods.

Resolution

Reduce NAT translation timeouts to free up entries faster: 1. Reduce TCP timeout: Router(config)# ip nat translation tcp-timeout 600 (Sets TCP timeout to 10 minutes instead of 24 hours) 2. Reduce UDP timeout: Router(config)# ip nat translation udp-timeout 60 (Sets UDP timeout to 1 minute) 3. Reduce DNS timeout: Router(config)# ip nat translation dns-timeout 30 (Sets DNS timeout to 30 seconds) 4. Reduce FIN/RST timeout: Router(config)# ip nat translation finrst-timeout 10 (Sets timeout after FIN/RST to 10 seconds) 5. Optionally, clear existing translations: Router# clear ip nat translation * (Clears all dynamic translations to immediately free up entries)

Verification

After applying the fix, verify the translation table is no longer full: 1. show ip nat statistics Expected: Total active translations: < 65535 (e.g., 500) 2. show ip nat translations | count Expected: A number less than 65535 3. Test new connections: ping 8.8.8.8 from an internal host should succeed.

Prevention

1. Configure appropriate NAT timeouts based on traffic patterns (e.g., TCP 600, UDP 60). 2. Implement NAT logging to monitor translation usage and detect approaching limits. 3. Consider using multiple public IP addresses for larger deployments to increase translation capacity.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why new connections fail. The exam tests understanding of NAT overload (PAT) and the concept of port exhaustion. Key fact: PAT uses port numbers to differentiate translations, and the maximum is 65535 per public IP.

Exam Tips

Remember that PAT (NAT overload) has a limit of 65535 translations per public IP address due to port number range.

The show ip nat statistics command is crucial to check translation counts and peak usage.

Be aware that reducing NAT timeouts can help but may impact applications that require long-lived connections.

Commands Used in This Scenario

clear ip nat translation *

Clears all dynamic NAT translations from the translation table, forcing the router to rebuild translations for new traffic.

show ip nat statistics

Displays statistics about NAT translations, including active translations, hit counts, and configuration parameters, used to verify NAT operation and troubleshoot translation issues.

show ip nat translations

Displays the current active Network Address Translation (NAT) translations on the router, used to verify NAT operations and troubleshoot connectivity issues.

Test Your CCNA Knowledge

Practice with scenario-based questions to prepare for the CCNA 200-301 exam.

Practice CCNA Questions