NAT Global Options

The NAT options described here control TNSR NAT behavior independent of interfaces and address pools.


These options cannot be changed while NAT is enabled. Disable NAT before running these commands (Enable NAT).

NAT Forwarding

When Endpoint-dependent NAT mode is active, it will affect traffic to and from services on TNSR, such as IPsec and BGP. When NAT is enabled in this mode, by default TNSR will drop traffic that doesn’t match an existing NAT session or static NAT rule. To change this behavior, enable NAT forwarding mode:

tnsr(config)# nat global-options nat44 forwarding true

If Endpoint-dependent NAT is active and there are no services present on TNSR which need to communicate using an interface involved with NAT, then it is more secure and efficient to disable forwarding:

tnsr(config)# nat global-options nat44 forwarding false

NAT Behavior

nat global-options nat44 out2in-dpo (true|false)

Enables out-to-in DPO. Only compatible with Endpoint-independent NAT mode. When enabled, special routes are added to the FIB for NAT pool addresses and inbound packets on an outside interface do not have NAT applied by default. When TNSR processes inbound packets it performs a route lookup, and if the destination is a NAT pool address the route lookup will find the special NAT route and only then will TNSR apply NAT to the packet.

This allows for increased performance in mixed environments where NAT is not applied to all traffic. It also enables forwarding for routed (non-NAT) packets so that TNSR may have a mix of NAT and routed interfaces attached locally.

nat global-options nat44 static-mapping-only (true|false)

Static mapping only, disables dynamic translation of connections. Not compatible with NAT pools.

NAT Sizing Options

The following commands control the size of various NAT limits:

nat global-options nat44 max-translations-per-thread <n>

Defines the number of NAT translation entries to allow per worker thread. The default value is 10240. This option is available in Endpoint-dependent and Endpoint-independent NAT mode.

nat global-options nat44 max-translations-per-user <n>

Defines the number of NAT translation entries to allow for each IP address. The default value is 10240, but it can be set to any integer value between 1-262144. The ideal value depends entirely on the environment and number of sessions per IP address involved in NAT. This includes traffic sourced from TNSR itself address as well, not only internal source IP addresses. This option is only available in Endpoint-independent NAT mode.

nat global-options nat44 max-users-per-thread <n>

Defines the number of unique IP addresses in NAT sessions to allow in each worker thread. Default value is 1024. This option is only available in Endpoint-independent NAT mode.

The dataplane automatically tunes the size of the hashes which control memory available for NAT functions based on the size of max-translations-per-thread and max-users-per-thread.

NAT Session Timeout Duration

The nat global-options timeouts (icmp|tcp_established|tcp_transitory|udp) <seconds> command controls how long NAT sessions in various states will be retained while idle (no packets passing which match the session entry).

Longer session idle timeouts are friendlier to user connections, at the expense of resource consumption required to retain the NAT sessions for long periods.

The following timeout values can be changed:


Idle timeout for ICMP sessions (e.g. Echo/ping). The default value is 60 seconds.


Idle timeout for established TCP connections. Established connections should rarely be forced down in most use cases, so a long timeout is best for this value. The default value is 7440 seconds (2 hours, 4 minutes). It is common to see this set as high as 86400 (24 hours) in deployments with long-lived idle connections.


Idle timeout for TCP connections which are not fully established (being setup or torn down). The default value is 240 seconds (4 minutes) which is typically sufficient.


Idle timeout for UDP sessions. Since UDP is technically stateless and has no formal setup/tear-down for sessions, there is no way for TNSR to determine if a UDP “connection” is established or finished. The default value is 300 seconds (5 minutes) which, combined with client and server keep-alives, is typically sufficient.

A longer idle timeout may be required in certain cases, such as for VoIP connections passing through which expect to reuse specific source ports.

In deployments with many short-lived UDP connections, such as DNS queries, lowering the timeout will help manage session usage/turnover more efficiently.

The show nat config command output includes the current timeout values.

Enable NAT

After setting the mode and other global options, NAT must be enabled before the CLI will accept non-global NAT configuration commands.

To enable NAT, run the following command:

tnsr(config)# nat global-options nat44 enabled true

When NAT is disabled, any NAT configuration options present will not be active in the dataplane. This includes NAT interface assignments, pool contents, and static mappings, among others. These settings will be retained in the configuration database on TNSR, and will be restored if NAT is enabled in the future.