How to Change the Dynamic NAT Configuration
Introduction
Sometimes you receive these messages when you change the Network Address Translation (NAT) configuration:
Dynamic mapping in use, cannot remove
Dynamic mapping in use, do you want to delete all entries?
%Pool outpool in use, cannot destroy
This document demonstrates how to change the NAT configuration if you receive these messages on the console.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
Conventions
For more information on document conventions, refer to Cisco Technical Tips Conventions.
Problem Description
Dynamic NAT creates active translation entries in a table when a packet crosses from an IP NAT inside interface to an IP NAT outside interface, or vice versa. This dynamic NAT entry can be seen using the show ip nat translation command. Cisco IOS® software checks for any existing active NAT translations in the translations table when either of these existing dynamic NAT configurations is removed:
no ip nat pool name
no ip nat pool name [overload] | static local-ip global-ip >
If a translation entry matches, the %Dynamic Mapping in Use, Cannot remove message or the %Pool outpool in use, cannot destroy message, respectively, is echoed on the console.
Solutions
The reason you receive these error messages is because you are trying to change part of a NAT configuration that is responsible for creating dynamic translations that still exist in the translation table. In order to change the NAT configuration in this situation, you need to clear the table of translations that are being used before the change is accepted. Sometimes this is not easy because the router configured with NAT may be continuously receiving packets that create translations in the table; this can happen so quickly that you don’t have time to change the configuration.
Using the clear ip nat translation Command
This solution involves clearing the IP NAT translations using the clear ip nat translation command, and then replacing the NAT configuration quickly, before any new NAT entries are populated into the translation table due to active NAT traffic. To do this, create a script with the configuration commands written in a text format. For example:
Once you have the script, cut and paste the script into the router enable mode (Router#).
Note: This may take more than one try since it is still possible that the router will create a translation after the translation has been cleared.
Disabling NAT on the Router
This solution involves disabling NAT on the router so that it cannot create any more NAT translations. Do this by removing the ip nat inside or ip nat outside commands on the interfaces. Then clear the translation table and change the configuration.
Follow these steps to use this solution:
1. Use the no ip nat command to disable future translations from taking place.
2. Use the clear ip nat translation command to clear IP NAT translations.
3. Change the NAT configuration.
4. Restore the NAT arguments with the ip nat configuration command.
Stopping Traffic that Causes Translations
This solution involves stopping the traffic that is causing the NAT router to create translations. Do this by either accessing the device that is sending the packets and disabling it, or by creating inbound access lists on the NAT router, denying traffic from sources that are sending the packets. Refer to Configuring IP Services for more information on filtering packets.
Summary
This Tech Note has demonstrated a few ways to work around the problem of not being able to change the NAT configuration due to active dynamic NAT translations in the translation table. There may be other ways, but in any case, the NAT translation table must be clear of any dynamic translations that resulted from the NAT configuration before the NAT configuration can be changed. Refer to Verifying NAT Operation and Basic NAT Troubleshooting for more troubleshooting information on NAT-related issues.
Manoj Reddy’s Reference Guide
To clear dynamic Network Address Translation (NAT) translations from the translation table, use the clear ip nat translation EXEC command.
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip global-ip]
Syntax Description
Keyword or argument | Description |
---|---|
* | Clears all dynamic translations. |
inside | Clears the inside translations containing the specified global-ip and local-ip addresses. |
global-ip | When used without the arguments protocol, global-port, and local-port, clears a simple translation that also contains the specified local-ip address. When used with the arguments protocol, global-port, and local-port, clears an extended translation. |
local-ip | (Optional) Clears an entry that contains this local IP address and the specified global-ip address. |
outside | Clears the outside translations containing the specified global-ip and local-ip addresses. |
protocol | (Optional) Clears an entry that contains this protocol and the specified global-ip address, local-ip address, global-port, and local-port. |
global-port | (Optional) Clears an entry that contains this global-port and the specified protocol, global-ip address, local-ip address, and local-port. |
local-port | (Optional) Clears an entry that contains this local-port and the specified protocol, global-ip address, local-ip address, and global-port. |
Command Modes
Command History
Release | Modification |
---|---|
11.2 | |
Command | Description |
---|---|
ip nat | Designates that traffic originating from or destined for the interface is subject to NAT. |
ip nat inside destination | Enables NAT of the inside destination address. |
ip nat inside source | Enables NAT of the inside source address. |
ip nat outside source | Enables NAT of the outside source address. |
ip nat pool | Defines a pool of IP addresses for NAT. |
ip nat translation | Changes the amount of time after which NAT translations time out. |
show ip nat statistics | Displays NAT statistics. |
show ip nat translations | Displays active NAT translations. |
All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.
How to clear all static NAT entries with just one command?
I am using a Cisco 2901 router with IOS version 15M. In the configuration of the router I am using lots of static NAT entries, and I need to change these entries when it is requested.
And a possible solution for this situation are the configuration files that I saved to the flash0: of the cisco 2901 router. However, by using configuration files, I can’t delete existing NAT entries. But on the other hand, I can create a static NAT entry using these configuration files.
Therefore, I am looking for a command that will clear all the static NAT entries. Then I will create static NAT entries using these configuration files.
I tried the following commands to clear the NAT entries, but these all are for dynamic NAT entries. Thus, they did not work.
clear ip nat translation *
clear ip nat translation forced
do clear ip nat translation *
do clear ip nat translation forced
A possible solution (although it takes too much time): First create a configuration file that does not have any static NAT entry:
copy running-config flash0:config_0_entry
Then copy this configuration to the startup-config and reboot. (These two commands will wipe out all the static entries.)
Then after reboot, load your configuration file into the router:
I could use this method, but the reboot takes too much time. I cannot wait that long.
Help me disable NAT with minimal changes to the router's other settings.
I'm asking the community for help, since I'm a complete novice when it comes to networking.
The router is a D-Link DSL-2600U.
Since the router has a setup wizard and I had instructions from my provider, even a novice like me was able to create a working configuration.
But alas, there were pitfalls. I need to disable NAT. Disabling NAT itself is simple, but apparently other settings have to be changed accordingly along with it (I suspect this is somehow related to DHCP) so that the router keeps working correctly.
I tried the good old trial-and-error method, but it did not produce a positive result.
I'll say right away that all the settings needed to create the Internet connection are stored on the router itself. That is, the connection is created "out of the box", without touching the system configuration. The OS gets all its settings automatically from the router. And the router itself gets all (well, or almost all) of its settings automatically from the provider.
And all this splendor collapses if NAT is disabled.
Maybe someone can suggest where to dig?
I'm also ready to provide any necessary information about my router's settings, if needed.
Pierky's Blog
Cisco “clear ip nat translation” helper tool
Have you ever had to clear some specific NAT translations without dropping them all? You have to enter a long and annoying command such as this many times:
And you know, you have to do it many times, for every NAT entry you have to clear… and those entries are all there, within a single command output:
Well, I was bored once too often, so I’ve built a little tool: you just copy the show ip nat translations entries you want to clear, paste them into this tool, and it builds the clear ip nat translation statements for you, ready to be pasted into your telnet/ssh client.
It’s an HTML page with a simple JavaScript; you can find it online, or here is the source code:
Pier Carlo Chiodi
8 Comments
Brilliant! Helped me a lot. Thanks
What about ICMP translations?
AFAIK you can’t clear a specific ICMP translation.
So, we must exclude from the output icmp translations, static translations and chars copied from terminal by accident (especially configuration commands).
Patch to sanitize entries (it outputs only commands that correspond to tcp and udp static translations):
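The helper described in the post, with the input sanitising asked for in the comments, sketched as an added JavaScript example (this is not the blog's original source and not the commenter's patch): it accepts only tcp/udp rows from pasted show ip nat translations output and emits the inside form of clear ip nat translation quoted earlier on this page. The function names, the sample addresses and the rule that rows with --- in the outside columns are treated as static are assumptions of this example.

```javascript
// Added example: turn pasted "show ip nat translations" rows into
// "clear ip nat translation" commands, dropping everything else.
const IPV4_PORT = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}):(\d{1,5})$/;

// Parse "a.b.c.d:port"; null unless every octet and the port are in range.
function parseEndpoint(token) {
  const m = IPV4_PORT.exec(token || '');
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  const port = Number(m[5]);
  if (octets.some((o) => o > 255) || port < 1 || port > 65535) return null;
  return { ip: octets.join('.'), port };
}

function buildClearCommands(pasted) {
  const commands = [];
  const skipped = [];
  for (const raw of pasted.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    const [proto, igTok, ilTok, olTok, ogTok, ...extra] = line.split(/\s+/);
    const insideGlobal = parseEndpoint(igTok);
    const insideLocal = parseEndpoint(ilTok);
    // Assumption: "---" in the outside columns marks a static mapping.
    const hasOutside = parseEndpoint(olTok) !== null && parseEndpoint(ogTok) !== null;
    const ok = (proto === 'tcp' || proto === 'udp') && extra.length === 0 &&
      insideGlobal !== null && insideLocal !== null && hasOutside;
    if (!ok) { skipped.push(line); continue; } // icmp, "---" rows, headers, stray commands
    // Inside form only, following the syntax quoted on this page.
    commands.push(`clear ip nat translation ${proto} inside ` +
      `${insideGlobal.ip} ${insideGlobal.port} ${insideLocal.ip} ${insideLocal.port}`);
  }
  return { commands, skipped };
}

// Constructed sample paste (documentation address ranges) with noise lines.
const SAMPLE = [
  'Router#show ip nat translations',
  'Pro Inside global      Inside local       Outside local      Outside global',
  'tcp 192.0.2.1:1024     10.0.0.5:1024      198.51.100.7:80    198.51.100.7:80',
  'udp 192.0.2.1:5353     10.0.0.9:5353      198.51.100.53:53   198.51.100.53:53',
  'icmp 192.0.2.1:7       10.0.0.5:7         198.51.100.7:7     198.51.100.7:7',
  '--- 192.0.2.10         10.0.0.10          ---                ---',
  'tcp 192.0.2.1:443      10.0.0.20:443      ---                ---',
  'no ip nat pool outpool',
].join('\n');

console.log(buildClearCommands(SAMPLE).commands.join('\n'));
```

Rows that fail any check land in skipped rather than being silently dropped, so the operator can see what was left out before pasting the commands into a privileged session.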