NAT Global Options¶
The NAT options described here control TNSR NAT behavior independent of interfaces and address pools.
These options cannot be changed while NAT is enabled. Disable NAT before running these commands (Enable NAT).
When NAT is active, it will affect traffic to and from services on TNSR, such as IPsec and BGP. When NAT is enabled in this mode, by default TNSR will drop traffic that doesn’t match an existing NAT session or static NAT rule. To change this behavior, enable NAT forwarding mode:
tnsr(config)# nat global-options nat44 forwarding true
If NAT is active and there are no services present on TNSR which need to communicate using an interface involved with NAT, then it is more secure and efficient to disable forwarding:
tnsr(config)# nat global-options nat44 forwarding false
- nat global-options nat44 out2in-dpo (true|false)
Enables out-to-in DPO. Only compatible with Endpoint-independent NAT mode. When enabled, special routes are added to the FIB for NAT pool addresses and inbound packets on an outside interface do not have NAT applied by default. When TNSR processes inbound packets it performs a route lookup, and if the destination is a NAT pool address the route lookup will find the special NAT route and only then will TNSR apply NAT to the packet.
This allows for increased performance in mixed environments where NAT is not applied to all traffic. It also enables forwarding for routed (non-NAT) packets so that TNSR may have a mix of NAT and routed interfaces attached locally.
- nat global-options nat44 static-mapping-only (true|false)
Static mapping only, disables dynamic translation of connections. Not compatible with NAT pools.
NAT Sizing Options¶
The following commands control the size of various NAT limits:
- nat global-options nat44 max-translations-per-thread <n>
Defines the number of NAT translation entries to allow per worker thread. The default value is
This option is available in Endpoint-dependent and Endpoint-independent NAT mode.
Increasing this value will also increase memory required by the main heap, see NAT.
- nat global-options nat44 max-translations-per-user <n>
Defines the number of NAT translation entries to allow for each IP address. The default value is
10240, but it can be set to any integer value between
1-262144. The ideal value depends entirely on the environment and number of sessions per IP address involved in NAT. This includes traffic sourced from TNSR itself address as well, not only internal source IP addresses. This option is only available in Endpoint-independent NAT mode.
- nat global-options nat44 max-users-per-thread <n>
Defines the number of unique IP addresses in NAT sessions to allow in each worker thread. Default value is
1024. This option is only available in Endpoint-independent NAT mode.
The dataplane automatically tunes the size of the hashes which control memory
available for NAT functions based on the size of
NAT Session Timeout Duration¶
nat global-options timeouts (icmp|tcp_established|tcp_transitory|udp)
<seconds> command controls how long NAT sessions in various states will be
retained while idle (no packets passing which match the session entry).
Longer session idle timeouts are friendlier to user connections, at the expense of resource consumption required to retain the NAT sessions for long periods.
Lower timeouts will allow a greater number of sessions over time without an equivalent increase in maximum sessions (and memory, see NAT). This is because there will be fewer concurrent sessions, as shorter sessions are less likely to overlap than longer sessions.
The following timeout values can be changed:
Idle timeout for ICMP sessions (e.g. Echo/ping). The default value is
Idle timeout for established TCP connections. Established connections should rarely be forced down in most use cases, so a long timeout is best for this value. The default value is
7440seconds (2 hours, 4 minutes). It is common to see this set as high as
86400(24 hours) in deployments with long-lived idle connections.
Idle timeout for TCP connections which are not fully established (being setup or torn down). The default value is
240seconds (4 minutes) which is typically sufficient.
Idle timeout for UDP sessions. Since UDP is technically stateless and has no formal setup/tear-down for sessions, there is no way for TNSR to determine if a UDP “connection” is established or finished. The default value is
300seconds (5 minutes) which, combined with client and server keep-alives, is typically sufficient.
A longer idle timeout may be required in certain cases, such as for VoIP connections passing through which expect to reuse specific source ports.
In deployments with many short-lived UDP connections, such as DNS queries, lowering the timeout will help manage session usage/turnover more efficiently.
show nat config command output includes the current timeout values.
After setting the mode and other global options, NAT must be enabled before the CLI will accept non-global NAT configuration commands.
To enable NAT, run the following command:
tnsr(config)# nat global-options nat44 enabled true
When NAT is disabled, any NAT configuration options present will not be active in the dataplane. This includes NAT interface assignments, pool contents, and static mappings, among others. These settings will be retained in the configuration database on TNSR, and will be restored if NAT is enabled in the future.