When to Use NAT Scenarios

NAT Configuration Task List

To configure NAT, you must know the inside local address and inside global address you will translate. As soon as your NAT translation is configured, you may optionally do the following:

Translating Inside Source Addresses

You can translate your unregistered IP addresses into globally unique IP addresses to communicate outside your network using one of the following methods:

Configuring Static Translation

You can use the following commands to configure static NAT translation.

Use this command to establish static translation between an inside local address and an inside global address:

R2(config)#ip nat inside source {list {access-list-number | name} pool name
  [overload] | static local-ip global-ip}

This command establishes static translation of an outside source address:

R2(config)#ip nat outside source {list {access-list-number | name} pool name |
  static global-ip local-ip}

Use this command to enter interface configuration mode and specify the inside interface:

R2(config)#interface type number

This command marks the interface as connected to the inside:

R2(config-if)#ip nat inside

To enter interface configuration mode and specify the outside interface, use this command:

R2(config)#interface type number

This command marks the interface as connected to the outside:

R2(config-if)#ip nat outside

These steps are the minimum you must configure to implement NAT. You can use multiple inside and outside interfaces if you are required to.
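The static steps above assembled into one configuration, as an added example that is not from the original page. The addresses, interface names and the inbound access list are assumptions; the access list is included because a static entry is reachable from the outside at all times.

```cisco
! Constructed example (not from the page): an inside web server 10.1.1.10 is
! published at the inside global address 203.0.113.10.
ip nat inside source static 10.1.1.10 203.0.113.10
!
! A static entry is permanent and works in both directions, so the outside can
! open connections to 203.0.113.10. Limit what reaches the server with an
! inbound ACL on the outside interface (the ACL is an assumption, not part of
! the page). Inbound ACLs are evaluated before the outside-to-inside
! translation, so the entry names the global address, not 10.1.1.10.
ip access-list extended FROM-OUTSIDE
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any host 203.0.113.10 log
! Entries for any other traffic this interface must accept go here; otherwise
! the implicit deny at the end of the list drops it.
!
interface GigabitEthernet0/0
 description inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description outside (ISP)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip access-group FROM-OUTSIDE in
!
! Verify with "show ip nat translations": the static entry is listed even
! when no traffic has used it, unlike dynamic entries.
```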

Configuring Dynamic Translation

You can use the following commands to configure dynamic inside source address translation.

This command defines a pool of global addresses to be allocated as needed:

R2(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length
  prefix-length}

To define a standard access list permitting the addresses that require translation, use this command:

R2(config)#access-list access-list-number permit source [source-wildcard]

Use this command to establish dynamic source translation, specifying the access list defined in the prior step:

R2(config)#ip nat inside source list access-list-number pool name

Use this command to enter interface configuration mode and specify the inside interface:

R2(config)#interface type number

This command marks the interface as connected to the inside:

R2(config-if)#ip nat inside

To enter interface configuration mode and specify the outside interface, use this command:

R2(config)#interface type number

This command marks the interface as connected to the outside:

R2(config-if)#ip nat outside

Overloading an Inside Global Address

You can overload a single global address to translate many local addresses to conserve addresses in the inside global address pool. This overloading forces the router to maintain enough information from higher-level protocols, such as TCP or UDP port numbers, to allow it to translate the global address back to the correct local address.

You can use the following commands to configure overloading of inside global addresses.

To define a pool of global addresses to be allocated as needed, use this command:

R2(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length
  prefix-length}

To define a standard access list, use this command:

R2(config)#access-list access-list-number permit source [source-wildcard]

This command establishes dynamic source translation, specifying the access list defined in the prior step:

R2(config)#ip nat inside source list access-list-number pool name overload

This command specifies the inside interface:

R2(config)#interface type number

This command marks the interface as connected to the inside:

R2(config-if)#ip nat inside

This command specifies the outside interface:

R2(config)#interface type number

This command marks the interface as connected to the outside:

R2(config-if)#ip nat outside
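A complete overload configuration, added here as an example that is not from the original page; it also covers the dynamic translation steps of the previous section, which differ only by the missing overload keyword. Addresses, interface names and the timeout values are assumptions.

```cisco
! Constructed example (not from the page): the inside LAN 10.1.1.0/24 shares the
! single inside global address 203.0.113.10. Drop the "overload" keyword and
! widen the pool for plain dynamic translation (one global per active host).
ip nat pool PUBLIC 203.0.113.10 203.0.113.10 prefix-length 24
!
! Standard ACL naming exactly the inside subnet. A "permit any" here would
! translate whatever source address arrives on an inside interface, so the
! ACL is also what keeps bogus sources from being given a public identity.
access-list 10 permit 10.1.1.0 0.0.0.255
ip nat inside source list 10 pool PUBLIC overload
!
! Overloaded (extended) entries carry protocol and port, so they can be aged
! per protocol. The values below are assumptions, tuned down from the defaults
! the page states (TCP 24 h, UDP 5 min, ICMP 1 min) so idle entries free
! their ports sooner.
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 120
ip nat translation icmp-timeout 30
!
interface GigabitEthernet0/0
 description inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description outside (ISP uplink, same /24 as the pool address)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! Verify with "show ip nat translations verbose" (one line per inside
! local:port, all mapped to 203.0.113.10:port, each with its age) and
! "show ip nat statistics" (hits, misses, and per-pool allocation counts).
```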

Translating Overlapping Addresses

In most cases, NAT is used to translate private IP addresses into legal addresses that can be routed on the Internet. It can also be used to connect two networks that are using the same IP addressing on their internal networks. This scenario is called overlapping addresses.

You can use the following commands to configure static outside source address translation.

To establish static translation between an outside local address and an outside global address, use this command:

R2(config)#ip nat outside source static global-ip local-ip

This command specifies the inside interface:

R2(config)#interface type number

This command marks the interface as connected to the inside:

R2(config-if)#ip nat inside

This command specifies the outside interface:

R2(config)#interface type number

This command marks the interface as connected to the outside:

R2(config-if)#ip nat outside

You can use the following commands to configure dynamic outside source address translation.

To define a pool of local addresses to be allocated as needed, use this command:

R2(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length
  prefix-length}

This command defines a standard access list:

R2(config)#access-list access-list-number permit source [source-wildcard]

To establish dynamic outside source translation, specifying the access list defined in the prior step, use this command:

R2(config)#ip nat outside source list access-list-number pool name

This command specifies the inside interface:

R2(config)#interface type number

This command marks the interface as connected to the inside:

R2(config-if)#ip nat inside

This command specifies the outside interface:

R2(config)#interface type number

This command marks the interface as connected to the outside:

R2(config-if)#ip nat outside
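An overlapping-address configuration using the static outside source form from this section, added as an example that is not from the original page. The two networks, the partner host, the translated ranges, the next hop and the static route are all assumptions.

```cisco
! Constructed example (not from the page): our inside LAN and a partner network
! both use 10.1.1.0/24. Partner host 10.1.1.20 is reached from inside as
! 172.16.1.20, and our hosts appear to the partner as 192.168.100.0/24.
!
! Outside source: partner 10.1.1.20 (outside global) <-> 172.16.1.20 (outside local)
ip nat outside source static 10.1.1.20 172.16.1.20
!
! Inside source: our 10.1.1.0/24 (inside local) -> 192.168.100.0/24 (inside
! global). Without this the partner would see sources from its own subnet.
ip nat pool TO-PARTNER 192.168.100.1 192.168.100.254 prefix-length 24
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 pool TO-PARTNER
!
! Inside-to-outside packets are routed before they are translated, so the
! outside-local address needs a route toward the outside interface
! (203.0.113.1 is the assumed partner-side next hop).
ip route 172.16.1.20 255.255.255.255 203.0.113.1
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Inside hosts must address the partner as 172.16.1.20 (via DNS or a hosts
! entry); 10.1.1.20 would be delivered locally and never reach the partner.
! The partner side needs a route for 192.168.100.0/24 pointing at 203.0.113.2,
! and because the inside source entries are dynamic they exist only after an
! inside host has sent traffic, so partner-initiated connections are dropped.
```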

Providing TCP Load Distribution

When NAT comes up in everyday conversation, you probably think of it as a translation mechanism that allows your company to access the Internet. NAT has another function that is unrelated to this feature. If your company has multiple hosts that communicate with a heavily used host or server, you can use NAT to establish a virtual host on the inside network that coordinates load sharing among multiple real hosts. Allocation is done on a round-robin basis from a rotary pool of real addresses when a new connection is opened from the outside to the inside. Any non-TCP traffic is still passed without translation, unless other translations are in effect.

Use the following commands to configure destination address rotary translation to allow you to map one virtual host to many real hosts.

To define a pool of addresses containing the addresses of the real hosts, use this command:

R2(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length
  prefix-length} type rotary

To define an access list permitting the address of the virtual host, use this command:

R2(config)#access-list access-list-number permit source [source-wildcard]

Use this command to establish dynamic inside destination translation, specifying the access list defined in the prior step:

R2(config)#ip nat inside destination list access-list-number pool name

This command specifies the inside interface:

R2(config)#interface type number

This command marks the interface as connected to the inside:

R2(config-if)#ip nat inside

This command specifies the outside interface:

R2(config)#interface type number

This command marks the interface as connected to the outside:

R2(config-if)#ip nat outside
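The rotary steps assembled into a configuration, as an added example that is not from the original page. The virtual and real host addresses, the interface names and the assumption that the outside routes the virtual address to this router are mine.

```cisco
! Constructed example (not from the page): new TCP connections from the outside
! to the virtual address 10.1.1.100 are spread over the real servers
! 10.1.1.11-10.1.1.13. The pool lists the REAL hosts and must be "type rotary".
ip nat pool WEB-FARM 10.1.1.11 10.1.1.13 prefix-length 24 type rotary
!
! The access list matches the VIRTUAL host (the destination the outside uses),
! not the real hosts; anything not matched is passed untranslated.
access-list 20 permit host 10.1.1.100
ip nat inside destination list 20 pool WEB-FARM
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! Assumed: the outside routes 10.1.1.100 to 203.0.113.2. Two caveats: only new
! TCP connections are distributed (non-TCP traffic is not translated), and the
! router does not check server health, so an unreachable real host still gets
! its turn in the rotation. "show ip nat translations" lists each connection
! with the real host it was assigned to.
```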

Changing Translation Timeouts

If left to the default value, a dynamic address translation times out after some period of nonuse. When overloading is not in use, simple translation entries time out after 24 hours. You can use the following command to change this value:

R2(config)#ip nat translation timeout seconds

Overloading gives you more control over translation entry timeout, because each entry contains more context about the traffic using it. You can use the following commands to change timeouts on extended entries.

This command changes the UDP timeout value from 5 minutes:

R2(config)#ip nat translation udp-timeout seconds

This command changes the DNS timeout value from 1 minute:

R2(config)#ip nat translation dns-timeout seconds

This command changes the TCP timeout value from 24 hours:

R2(config)#ip nat translation tcp-timeout seconds

This command changes the finish and reset (FIN/RST) timeout value from 1 minute:

R2(config)#ip nat translation finrst-timeout seconds

This command changes the ICMP timeout value from 1 minute:

R2(config)#ip nat translation icmp-timeout seconds

This command changes the SYN (TCP synchronize) timeout value from 1 minute:

R2(config)#ip nat translation syn-timeout seconds

Deploying NAT Between an IP Phone and Cisco CallManager

Communication and registration between a Cisco IP phone and the Cisco CallManager (CCM) use the Selsius Skinny Station protocol. The Skinny protocol allows messages to flow back and forth between the devices that include IP address and port information used to identify other IP phone users with which a call can be placed.

When you use NAT with CCM and IP phones, NAT needs to be able to identify and understand the information passed within the Skinny protocol. When an IP phone attempts to make a connection with CCM and its IP address matches your NAT translation rules, NAT translates the original source IP address and replaces it with one from the configured pool. This new address is used to represent the IP phone to CCM as well as other IP phone users.

To specify the port number on which the CCM listens for Skinny messages, use this command:

R2(config)#ip nat service skinny tcp port number

Monitoring and Maintaining NAT

By default, dynamic address translations time out from the NAT translation table after a set amount of time. You can use the following commands to clear the entries before the configured timeout.

To clear all dynamic address translation entries from the NAT translation table, use this command:

R2#clear ip nat translation *

To clear a simple dynamic translation entry containing an inside translation, or both inside and outside translation, use this command:

R2#clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]

This command clears a simple dynamic translation entry containing an outside translation:

R2#clear ip nat translation outside local-ip global-ip

This command clears an extended dynamic translation entry:

R2#clear ip nat translation protocol inside global-ip global-port local-ip
  local-port [outside local-ip local-port global-ip global-port]

You can use one of the following commands to display translation information:

This command displays active translations:

R2#show ip nat translations [verbose]

This command displays translation statistics:

R2#show ip nat statistics
