Showing posts with label NAT. Show all posts

Private IP addresses in public networks

Did you want to use private IP addresses in a public network? The short recommendation is: “don't”. If you use them in the network core, your customers might have problems with network troubleshooting; if you assign them to your customers and use NAT or PAT, you've just created serious security issues. You can find more details in the Avoiding private IP security risks in public networks article I wrote for SearchTelecom.com.

More NAT caveats

A month ago I wrote about NAT caveats in Cisco IOS release 12.4 that occur when the outside addresses match the IP access list or route map used in the ip nat inside command. I recently discovered more caveats: if you have an inbound access list on the outside interface, the packets dropped by the access list still generate NAT entries (and might result in a denial-of-service attack when the router runs out of port numbers). You can read the whole NAT caveats article in the CT3 wiki.
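Because dropped packets can still consume PAT port numbers, the translation table itself is worth watching. The following script is an added example, not code from the post or the CT3 wiki article: it parses the text of show ip nat translations (column layout assumed: Pro, Inside global, Inside local, Outside local, Outside global; sample output and the per-address port budget are constructed assumptions) and reports inside-global addresses approaching port exhaustion, together with the outside hosts responsible for most entries.

```python
"""Watch a PAT translation table for port exhaustion.

Added example, not code from the original post. It parses the text of
`show ip nat translations` (column layout assumed: Pro, Inside global,
Inside local, Outside local, Outside global) and reports inside-global
addresses whose per-protocol port usage is near an assumed budget, plus
the outside hosts responsible for most translations.
"""
from collections import Counter

# Constructed sample output; the addresses are documentation ranges, not real hosts.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:1024  192.0.2.10:1024    198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.10:1025  192.0.2.10:1025    198.51.100.7:443   198.51.100.7:443
udp 203.0.113.10:53000 192.0.2.11:53000   198.51.100.9:53    198.51.100.9:53
tcp 203.0.113.10:1026  192.0.2.12:1026    198.51.100.23:22   198.51.100.23:22
--- 203.0.113.20       192.0.2.20         ---                ---
"""

# Assumed budget: one 16-bit port space per protocol per inside-global address.
PORT_BUDGET = 65535


def parse_translations(text):
    """Return one dict per translation line; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto, ig, il, ol, og = fields
        entries.append({"proto": proto, "inside_global": ig, "inside_local": il,
                        "outside_local": ol, "outside_global": og})
    return entries


def split_addr(addr):
    """'203.0.113.10:1024' -> ('203.0.113.10', 1024); bare addresses give port None."""
    ip, _, port = addr.partition(":")
    return ip, (int(port) if port else None)


def port_usage(entries):
    """Count port-consuming (dynamic PAT) translations per (proto, inside global IP).
    Static one-to-one entries (proto '---') consume no ports and are ignored."""
    usage = Counter()
    for e in entries:
        if e["proto"] == "---":
            continue
        ip, port = split_addr(e["inside_global"])
        if port is not None:
            usage[(e["proto"], ip)] += 1
    return usage


def outside_talkers(entries):
    """Translations per outside global host: one remote host accounting for most
    of the table is the signature of unsolicited traffic burning port numbers."""
    talkers = Counter()
    for e in entries:
        if e["proto"] != "---":
            talkers[split_addr(e["outside_global"])[0]] += 1
    return talkers


def exhaustion_alerts(usage, budget=PORT_BUDGET, warn_fraction=0.8):
    """List (proto, ip, count) for every PAT address at or above warn_fraction
    of its assumed port budget."""
    return sorted((proto, ip, n) for (proto, ip), n in usage.items()
                  if n >= warn_fraction * budget)


if __name__ == "__main__":
    entries = parse_translations(SAMPLE)
    usage = port_usage(entries)
    for (proto, ip), n in sorted(usage.items()):
        print(f"{proto:4} {ip:16} {n:6} translations ({n / PORT_BUDGET:.1%} of budget)")
    print("top outside hosts:", outside_talkers(entries).most_common(3))
    print("alerts:", exhaustion_alerts(usage))
```

Run it against a saved copy of the router output on a schedule; a PAT address whose count keeps climbing while the outside-talker list is dominated by one remote host is exactly the pattern the caveat above produces.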

NAT caveats in IOS release 12.4T

If you have upgraded your router from any other IOS release to release 12.4T without changing the NAT configuration (or loaded a NAT configuration known to work elsewhere into a router running IOS release 12.4T), you might have encountered weird behavior due to the changes in the NAT implementation. The unexpected behavior and the configuration fixes needed to avoid the NAT-related problems are described in my new NAT Caveats in IOS release 12.4T article.

Public servers in a small multihomed site

If you want to deploy high-availability public servers within your network, you should implement a proper multi-homing solution, including BGP routing with the Service Providers. If you don't have your own public IP address space and your own AS number, you should try to become multihomed to one ISP (or change your ISP if they don't know what you're talking about). If you want to be multi-homed to two ISPs using techniques similar to the ones I've described in the Small-Site Multi-Homing article, you should be using a hosted service (it's probably cheaper than your time), not your own public server.

But if you still insist (like numerous readers of my articles) on deploying public servers on a site multi-homed via NAT, you'll find the design and implementation guidelines in my latest IP Corner article, Servers in Small Site Multi-homing.

This article is part of the You've asked for it series.

NAT activates NBAR

A few days ago I had an “interesting” experience on a router that was running low on memory: when I enabled NAT, it immediately ran out of memory although it had over 4 MB of free memory before that (and since I was doing the tests in a lab, I wasn't worried about that … in a production network, 4 MB of free memory is something to worry about).

It took me a while to figure out what was going on: the moment you enable NAT in IOS release 12.4, it activates Network Based Application Recognition (NBAR) even when CEF is disabled (and supposedly NBAR requires CEF to run).

Here's a sample test: the moment I configured a loopback interface as a NAT inside interface (and it was the only NAT-enabled interface in the box), NBAR consumed 4.5 MB of memory:
R2(config)#int loop 0
R2(config-if)#ip nat inside
R2(config-if)#do show ip nbar resources
NBAR memory usage for tracking Stateful sessions
   System link age : 30 secs
   Initial memory : 4455 KBytes
   Max initial memory : 14852 KBytes
   Memory expansion : 112 KBytes
   Max memory expansion : 112 KBytes
   Memory in use : 4455 KBytes
   Max memory allowed : 29705 KBytes
   Active links : 0
   Total links : 39784
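A pre-flight check for this situation, as an added example that is not code from the post: it parses the "label : n KBytes" lines of show ip nbar resources (the sample below copies the shape of the output above) and compares NBAR's current and maximum allowed memory with the free memory the operator read from the router before enabling NAT. The free-memory figure of 4200 KB is a constructed value standing in for the "just over 4 MB" of the lab router.

```python
"""Check whether a router has the memory headroom NBAR will claim once NAT is enabled.

Added example, not from the original post. It parses the text of
`show ip nbar resources` (the "<label> : <n> KBytes" lines shown in the post)
and compares NBAR's current and maximum memory against the free memory the
operator reads from the router beforehand.
"""
import re

# Constructed sample, copied in shape from the output in the post above.
NBAR_SAMPLE = """\
NBAR memory usage for tracking Stateful sessions
   System link age : 30 secs
   Initial memory : 4455 KBytes
   Max initial memory : 14852 KBytes
   Memory expansion : 112 KBytes
   Max memory expansion : 112 KBytes
   Memory in use : 4455 KBytes
   Max memory allowed : 29705 KBytes
   Active links : 0
   Total links : 39784
"""

# Only lines whose value is expressed in KBytes are memory figures.
LINE_RE = re.compile(r"^\s*(?P<label>[A-Za-z ]+?)\s*:\s*(?P<value>\d+)\s*KBytes\s*$")


def parse_nbar_resources(text):
    """Return {label: kbytes} for every memory line; link counters and ages are ignored."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group("label")] = int(m.group("value"))
    return values


def memory_headroom(nbar, free_kbytes):
    """Free memory left after NBAR's current use, and after its allowed maximum.

    `free_kbytes` is what the operator read (e.g. from `show memory`) before
    enabling NAT; a negative number means the router will run out of memory.
    """
    in_use = nbar["Memory in use"]
    max_allowed = nbar["Max memory allowed"]
    return {
        "after_current_use": free_kbytes - in_use,
        "after_max_allowed": free_kbytes - max_allowed,
        "safe_now": free_kbytes > in_use,
        "safe_worst_case": free_kbytes > max_allowed,
    }


if __name__ == "__main__":
    nbar = parse_nbar_resources(NBAR_SAMPLE)
    # Constructed: a router with "just over 4 MB" free, like the post's lab router.
    print(memory_headroom(nbar, free_kbytes=4200))
```

With 4200 KB free the headroom after NBAR's current use is negative, which is the out-of-memory result the post describes; "Max memory allowed" gives the worst case NBAR may grow into, which is the figure to check before enabling NAT on a production box.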