Slow Network Access Due to a Rate Limit for Addresses in the NAT Address Pool

Publication Date: 2015-07-03
Issue Description
Networking: (topology diagram not reproduced on this page; intranet users connect to the firewall, which connects to an upstream router on the Internet)
Fault Symptom:

Intranet users connected to the firewall access the Internet at a low speed.
Handling Process
1. Check the firewall configuration. No special configuration is found, except that NAT is enabled on the interface connecting the firewall to the router.

interface Vlanif1  ///Intranet interface
alias Inside VLAN
ip address 10.1.1.2 255.255.255.0 
#
interface Vlanif15  ///Extranet interface
alias Outside VLAN
ip address 192.168.15.2 255.255.255.0 
nat enable 
detect ftp
#


2. Connect a PC to the router on the Internet side and ping a public address from the PC. No packets are lost. However, many packets are lost when pinging the same public address from the firewall, while no packets are lost when pinging the firewall from the router. It is suspected that the router rate-limits packets received from the firewall interface IP address.

3. Because NAT is enabled on the firewall interface, the source addresses of all packets sent by intranet users to the Internet are translated into that single interface IP address. The router may therefore be rate-limiting all intranet traffic together, as packets from one address.

4. Disable NAT on the interface and configure a NAT address pool. Configure 255 addresses for the NAT address pool and ensure that the addresses in the NAT address pool are on the same network segment as the firewall interface IP address.


nat address-group 0 192.168.15.1 192.168.15.254

When intranet users access the Internet, the network access speed is greatly increased.
Root Cause
The upstream router of the firewall implements a rate limit for each IP address. Because interface NAT translates every intranet user to the same IP address, all users share one rate-limited address. As a result, the Internet access speed is low.
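To make the root cause concrete, the following added example (not from the original page or the firewall vendor) models the upstream router as a per-source-IP token bucket and compares interface NAT, where every intranet host is translated to the single interface address 192.168.15.2, with address-pool NAT over 192.168.15.1 to 192.168.15.254 as configured in step 4. The rate limit, burst size, user count, packet sizes and the pool-selection hash are constructed assumptions; the page does not document the router's actual policy or the firewall's pool-selection algorithm.

```python
"""Simulation of per-source-IP rate limiting upstream of a NAT firewall.

Added example, not code from the original page. The limiter parameters
and traffic mix below are constructed to illustrate the effect only.
"""
from collections import defaultdict
from ipaddress import ip_address

# Addresses taken from the page's configuration.
INTERFACE_IP = "192.168.15.2"
NAT_POOL = [str(ip_address("192.168.15.0") + i) for i in range(1, 255)]


class PerSourceTokenBucket:
    """Token bucket keyed by source IP (assumed model of the upstream router)."""

    def __init__(self, rate_bytes_per_s: float, burst_bytes: float):
        self.rate = rate_bytes_per_s
        self.burst = burst_bytes
        self.tokens = defaultdict(lambda: burst_bytes)  # each source starts full
        self.last_seen = defaultdict(float)

    def allow(self, src: str, size: int, now: float) -> bool:
        """Refill this source's bucket for elapsed time, then try to spend."""
        elapsed = now - self.last_seen[src]
        self.last_seen[src] = now
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        if self.tokens[src] >= size:
            self.tokens[src] -= size
            return True
        return False  # packet dropped by the rate limiter


def interface_nat(inside_src: str) -> str:
    """'nat enable' on the interface: every host becomes the interface address."""
    return INTERFACE_IP


def pool_nat(inside_src: str) -> str:
    """Address-pool NAT: spread hosts across the pool.

    A simple hash is used here; the firewall's real selection method is an
    assumption and is not described on the page.
    """
    return NAT_POOL[int(ip_address(inside_src)) % len(NAT_POOL)]


def simulate(translate, n_users=50, pkts_per_user=100, size=1000,
             rate_bytes_per_s=1_000_000, seconds=1.0) -> float:
    """Return the fraction of packets the upstream limiter drops.

    Constructed traffic: n_users intranet hosts on 10.1.1.0/24 (the page's
    inside network), each sending pkts_per_user packets of `size` bytes,
    interleaved evenly over `seconds`.
    """
    limiter = PerSourceTokenBucket(rate_bytes_per_s, burst_bytes=size * 10)
    users = [str(ip_address("10.1.1.0") + i) for i in range(1, n_users + 1)]
    total = n_users * pkts_per_user
    dropped = 0
    for k in range(total):
        now = seconds * k / total
        outside_src = translate(users[k % n_users])
        if not limiter.allow(outside_src, size, now):
            dropped += 1
    return dropped / total


if __name__ == "__main__":
    # Total offered load is 5 MB/s against a 1 MB/s per-address limit:
    # with interface NAT every user shares one bucket, with the pool each
    # user gets its own.
    print(f"interface NAT drop rate: {simulate(interface_nat):.2%}")
    print(f"address-pool NAT drop rate: {simulate(pool_nat):.2%}")
```

Under these constructed parameters the offered load is five times the per-address limit, so interface NAT loses roughly four packets in five while the pool configuration loses none; the shape matches the symptom in step 2, where only traffic sourced from the firewall's own address is lossy. Checking the same thing on a live network means comparing loss from a single NAT address against loss from several pool addresses, as the case does with ping.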
Solution
Disable NAT on the interface and increase the number of addresses in the address pool.
