Clear up on pool netmasks

Discussion in 'Routing & Switching' started by KnightFireFx, Dec 6, 2009.

  1. KnightFireFx

    KnightFireFx New Member

    Hi guys,

    Have tried researching and gathering information regarding the format of netmasks in Dynamic NAT Configurations.

    Is this the subnet mask which will be used for the pooled addresses? Or is it just to verify the range of addresses is in the same subnet?

    Can you use the network address? Broadcast address?

    I've seen very unclear and conflicting examples and suggestions.

    Thanks for any information in advance.

    Kyle
     
    Certifications: A+, Network+, CCNA, CCENT, MCDST, MCP
    WIP: CCNA: Security, Telecom Engineering
  2. cisco lab rat

    cisco lab rat Megabyte Poster

    The mask is used to define the network; the range of addresses you define as the pool is used to determine the viable addresses that can be issued.

    Let's use the example of 100.140.1.0 through to 100.140.1.15 with a mask of 255.255.255.240 or /28

    the command:

    ip nat pool xxxxx 100.140.1.1 100.140.1.14 netmask 255.255.255.240

    It is not advisable or correct to write out the command including the network and/or broadcast, like below

    ip nat pool xxxxx 100.140.1.0 100.140.1.15 netmask 255.255.255.240 <wrong, in the sense that it is not the best way to do it, but it still works

    Although it can be done, the system will not issue the network or broadcast address to a client. I have tested this and that seems to be the case. I am aware that there is quite a bit of conflicting info, since the Cisco device which I used seems to accept the command with the network and broadcast.

    I will run a more comprehensive test this week to see if there are any further issues with applying the Network and the Broadcast.

    Cheers

    Joe
     
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
  3. cisco lab rat

    cisco lab rat Megabyte Poster

    An update as promised

    I tested this NAT setup and the results were that even if you do use the network address as the first in the range and the broadcast address as the last address in the pool, the NAT process will first of all not complain, and when it comes to assigning addresses it will start assigning from the first "legal" host address and stop at the last, never assigning the broadcast address.

    Once all the addresses in the pool have been used and PAT (Overload) has not been enabled, no further sessions are allowed to be established through the router.

    Tested on a pair of 1841s, IOS 12.4 advancedsec

    Hope this helps

    Joe
     
    Last edited: Dec 27, 2009
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
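
An added example, not part of any post in the thread: a Python check for `ip nat pool` lines in the form quoted above. It derives the subnet from the netmask, flags a range that starts on the network address, ends on the broadcast address or leaves the subnet, and lists the addresses left for translation. The name `analyse_pool` is hypothetical, and skipping the network and broadcast addresses is an assumption taken from the test results reported in the thread, not from vendor documentation.

```python
import ipaddress
import re

# Command form quoted in the thread:
#   ip nat pool <name> <start-ip> <end-ip> netmask <mask>
POOL_RE = re.compile(
    r"^\s*ip nat pool (\S+) ([\d.]+) ([\d.]+) netmask ([\d.]+)\s*$"
)

def analyse_pool(line):
    """Hypothetical helper: subnet, assignable addresses and warnings for one pool line."""
    m = POOL_RE.match(line)
    if not m:
        raise ValueError("not an 'ip nat pool ... netmask ...' line")
    name, start_s, end_s, mask = m.groups()
    start = ipaddress.IPv4Address(start_s)
    end = ipaddress.IPv4Address(end_s)
    if end < start:
        raise ValueError("end address is lower than start address")
    # The mask defines the network; derive it from the first address in the range.
    net = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    warnings = []
    if end not in net:
        warnings.append(f"{end} is outside {net}: range leaves the subnet")
    if start == net.network_address:
        warnings.append(f"range starts at the network address {start}")
    if end == net.broadcast_address:
        warnings.append(f"range ends at the broadcast address {end}")
    # Assumption (from the thread's test results): the network and broadcast
    # addresses are never handed out, even when the range includes them.
    reserved = {net.network_address, net.broadcast_address}
    usable = [
        ipaddress.IPv4Address(i)
        for i in range(int(start), int(end) + 1)
        if ipaddress.IPv4Address(i) not in reserved
    ]
    return {"name": name, "subnet": net, "usable": usable, "warnings": warnings}

if __name__ == "__main__":
    # The two command lines from the thread.
    for cmd in (
        "ip nat pool xxxxx 100.140.1.1 100.140.1.14 netmask 255.255.255.240",
        "ip nat pool xxxxx 100.140.1.0 100.140.1.15 netmask 255.255.255.240",
    ):
        r = analyse_pool(cmd)
        print(r["subnet"], len(r["usable"]), r["usable"][0], r["usable"][-1], r["warnings"])
```

Both command lines from the thread yield the same 14 assignable addresses; only the second produces warnings. The count matters when PAT is not enabled, because it is the number of simultaneous translations available before new sessions are refused.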
