How to Change the Dynamic NAT Configuration

Document ID: 13779

Updated: Aug 10, 2005

Introduction

Sometimes you receive these messages when you change the Network Address Translation (NAT) configuration:

  • Dynamic mapping in use, cannot remove

  • Dynamic mapping in use, do you want to delete all entries?

  • %Pool outpool in use, cannot destroy

This document demonstrates how to change the NAT configuration if you receive these messages on the console.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Problem Description

Dynamic NAT creates active translation entries in a table when a packet crosses from an IP NAT inside interface to an IP NAT outside interface, or vice versa. This dynamic NAT entry can be seen using the show ip nat translation command. Cisco IOS® software checks for any existing active NAT translations in the translations table when either of these existing dynamic NAT configurations is removed:

  • no ip nat pool name

  • no ip nat {inside | outside} source {list {access-list-number | name} pool name [overload] | static local-ip global-ip}

    R2(config)#no ip nat inside source route-map NAT interface serial 2/0 overload
    Dynamic mapping in use, do you want to delete all entries? [no]: yes

If a translation entry matches, then the %Dynamic Mapping in Use, Cannot remove message or the %Pool outpool in use, cannot destroy message, respectively, is echoed on the console.

Solutions

You receive these error messages because you are trying to change part of a NAT configuration that is responsible for creating dynamic translations that still exist in the translation table. In order to change the NAT configuration in this situation, you need to clear the table of translations that are being used before the change is accepted. Sometimes this is not easy because the router configured with NAT may be continuously receiving packets that create translations in the table; this can happen so quickly that you don't have time to change the configuration.

Using the clear ip nat translation Command

This solution involves clearing the IP NAT translations using the clear ip nat translation command, and then replacing the NAT configuration quickly, before any new NAT entries are populated into the translation table due to active NAT traffic. To do this, create a script with the configuration commands written in a text format. For example:

clear ip nat translation *
config terminal
no ip nat pool old pool name

ip nat pool new pool
 ....... 

Once you have the script, cut and paste the script into the router enable mode (Router#).

Note: This may take more than one try since it is still possible that the router will create a translation after the translation has been cleared.

Disabling NAT on the Router

This solution involves disabling NAT on the router so that it cannot create any more NAT translations. Do this by removing the ip nat inside or ip nat outside commands on the interfaces. Then clear the translation table and change the configuration.

Follow these steps to use this solution:

  1. Use the no ip nat {inside | outside} command to disable future translations from taking place.

  2. Use the clear ip nat translation command to clear IP NAT translations.

  3. Change the NAT configuration.

  4. Restore the NAT {inside | outside} arguments with the ip nat {inside | outside} configuration command.
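
The four steps above as one console session. This is an added example, not part of the original Tech Note; the interface names (Ethernet0/0, Serial2/0), access list 1, the pool names OLDPOOL and NEWPOOL, and the 192.0.2.0/24 addresses are assumptions chosen for illustration.

```ios
! Constructed example: interfaces, access list 1, pool names and
! 192.0.2.x addresses are assumptions, not values from this document.
!
! Step 1: disable NAT on the interfaces so no new translations are created.
Router# configure terminal
Router(config)# interface Ethernet0/0
Router(config-if)# no ip nat inside
Router(config-if)# interface Serial2/0
Router(config-if)# no ip nat outside
Router(config-if)# end
!
! Step 2: clear the dynamic entries, then confirm the table is empty
! of dynamic translations before going further.
Router# clear ip nat translation *
Router# show ip nat translations
!
! Step 3: change the NAT configuration. The statement that references
! the old pool is removed before the pool itself.
Router# configure terminal
Router(config)# no ip nat inside source list 1 pool OLDPOOL
Router(config)# no ip nat pool OLDPOOL
Router(config)# ip nat pool NEWPOOL 192.0.2.10 192.0.2.20 netmask 255.255.255.0
Router(config)# ip nat inside source list 1 pool NEWPOOL
!
! Step 4: restore NAT on the interfaces.
Router(config)# interface Ethernet0/0
Router(config-if)# ip nat inside
Router(config-if)# interface Serial2/0
Router(config-if)# ip nat outside
Router(config-if)# end
!
! Verify that new translations are now built from the new pool.
Router# show ip nat translations
```

Between steps 1 and 4 the router performs no translation on these interfaces, so traffic that depends on NAT is interrupted for the duration of the change.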

Stopping Traffic that Causes Translations

This solution involves stopping the traffic that is causing the NAT router to create translations. Do this by either accessing the device that is sending the packets and disabling it, or by creating inbound access lists on the NAT router, denying traffic from sources that are sending the packets. Refer to Configuring IP Services for more information on filtering packets.

Summary

This Tech Note has demonstrated a few ways to work around the problem of not being able to change the NAT configuration due to active dynamic NAT translations in the translation table. There may be other ways, but in any case, the NAT translation table must be clear of any dynamic translations that resulted from the NAT configuration before the NAT configuration can be changed. Refer to Verifying NAT Operation and Basic NAT Troubleshooting for more troubleshooting information on NAT-related issues.
