IP Addressing: NAT Configuration Guide, Cisco IOS Release 15M&T
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Configuration Examples for Mapping of Address and Port Using Encapsulation 141
Example: Mapping of Address and Port Using Encapsulation Configuration 141
Additional References for Mapping of Address and Port Using Encapsulation 141
Feature Information for Mapping of Address and Port Using Encapsulation 142
CHAPTER 9 Configuring Hosted NAT Traversal for Session Border Controller 155
Finding Feature Information 156
Prerequisites for Configuring Cisco IOS Hosted NAT Traversal for Session Border Controller 156
Restrictions for Configuring Cisco IOS Hosted NAT Traversal for Session Border Controller 156
Information About Configuring Cisco IOS Hosted NAT Traversal for Session Border Controller 157
Voice and Multimedia over IP Networks 157
Cisco IOS Hosted NAT Traversal for Session Border Controller Overview 157
How to Configure Cisco IOS Hosted NAT for Session Border Controller 158
Configuring Cisco IOS Hosted NAT for Session Border Controller 158
Configuration Examples for Configuring Cisco IOS Hosted NAT for Session Border Controller 163
Example Configuring Cisco IOS Hosted NAT Traversal for Session Border Controller 163
Additional References 163
Feature Information for Configuring Hosted NAT Traversal for Session Border Controller 164
Access Lists
All access lists that are required for use with the configuration tasks described in this module should be
configured before beginning a configuration task. For information about how to configure an access list, see
the IP Access List Entry Sequence Numbering document.
Note If you specify an access list with a NAT command, NAT will not support the permit ip any any command
that is commonly used in an access list.
NAT Requirements
Before configuring NAT in your network, you should know the interfaces on which NAT will be configured
and for what purposes. The following requirements will help you decide how to configure and use NAT:
• Define the NAT inside and outside interfaces if:
• Users exist off multiple interfaces.
• Multiple interfaces connect to the Internet.
From Cisco IOS XE Denali 16.3 release, NAT support is introduced on Bridge Domain Interface (BDI) for
enabling NAT configuration on BDI interface.
• Some applications use embedded IP addresses in such a way that translation by a NAT device is
impractical. These applications may not work transparently or not work at all through a NAT device.
• NAT hides the identity of hosts, which may be an advantage or a disadvantage, depending on the desired
result.
• A device configured with NAT must not advertise the local networks to the outside. However, routing
information that NAT receives from the outside can be advertised in the stub domain as usual.
• If you specify an access list with a NAT command, NAT will not support the permit ip any any command
that is commonly used in the access list.
• NAT configuration is not supported on the access side of the Intelligent Services Gateway (ISG).
• On Cisco Catalyst 6500 Series Switches, if you have a NAT overload configuration, we recommend
that you limit the number of NAT translations to less than 64512 by using the ip nat translation
max-entries command. If the number of NAT translations is 64512 or more, a limited number of ports
are available for use by local applications, which, in turn, can cause security issues such as denial-of-service
(DoS) attacks. The port numbers used by local applications can easily be identified by DoS attacks,
leading to security threats. This restriction is specific to all NAT overload configurations (for example,
interface overload or pool overload configurations) that use a logical, loopback, or physical address for
NAT configurations.
• Configuring zone-based policy firewall high availability with NAT and NAT high availability with
zone-based policy firewalls is not recommended.
• If the NAT outside local address matches any logical interface address, interface IP address, or a
tunnel-configured address, packets are software-switched.
A significant advantage of NAT is that it can be configured without requiring any changes to hosts or routers
other than to those few routers on which NAT will be configured.
Purpose of NAT
NAT is a feature that allows the IP network of an organization to appear from the outside to use a different
IP address space than what it is actually using. Thus, NAT allows an organization with nonglobally routable
addresses to connect to the Internet by translating those addresses into a globally routable address space. NAT
also allows a graceful renumbering strategy for organizations that are changing service providers or voluntarily
renumbering into classless interdomain routing (CIDR) blocks. NAT is described in RFC 1631.
NAT supports all H.225 and H.245 message types, including FastConnect and Alerting, as part of the H.323
Version 2 specification. Any product that makes use of these message types will be able to pass through a
Cisco NAT configuration without any static configuration. Full support for NetMeeting Directory (Internet
Locator Service) is also provided through NAT.
Uses of NAT
NAT can be used for the following scenarios:
• To connect to the Internet, but not all of your hosts have globally unique IP addresses. Network Address
Translation (NAT) enables private IP internetworks that use nonregistered IP addresses to connect to
the Internet. NAT is configured on a device at the border of a stub domain (referred to as the inside
network) and a public network such as the Internet (referred to as the outside network). NAT translates
internal local addresses to globally unique IP addresses before sending packets to the outside network.
As a solution to the connectivity problem, NAT is practical only when relatively few hosts in a stub
domain communicate outside of the domain at the same time. When this is the case, only a small subset
of the IP addresses in the domain must be translated into globally unique IP addresses when outside
communication is necessary, and these addresses can be reused when they are no longer in use.
• Change your internal addresses. Instead of changing the internal addresses, which can be a considerable
amount of work, you can translate them by using NAT.
• For basic load-sharing of TCP traffic. You can map a single global IP address to many local IP addresses
by using the TCP Load Distribution feature.
In Cisco IOS Release 15.1(3)T and later releases, when you configure the traceroute command, NAT returns
the same inside global IP address for all inside local IP addresses.
The figure below illustrates a device that is translating a source address inside a network to a source address
outside the network.
The following process describes the inside source address translation, as shown in the figure above:
1 The user at host 10.1.1.1 opens a connection to Host B in the outside network.
2 The first packet that the device receives from host 10.1.1.1 causes the device to check its Network Address
Translation (NAT) table. Based on the NAT configuration, the following scenarios are possible:
• If a static translation entry is configured, the device goes to Step 3.
• If no translation entry exists, the device determines that the source address (SA) 10.1.1.1 must be
translated dynamically, selects a legal, global address from the dynamic address pool, and creates a
translation entry in the NAT table. This type of translation entry is called a simple entry.
3 The device replaces the inside local source address of host 10.1.1.1 with the global address of the translation
entry and forwards the packet.
4 Host B receives the packet and responds to host 10.1.1.1 by using the inside global IP destination address
(DA) 203.0.113.2.
5 When the device receives the packet with the inside global IP address, it performs a NAT table lookup by
using the inside global address as a key. It then translates the address to the inside local address of host
10.1.1.1 and forwards the packet to host 10.1.1.1.
Host 10.1.1.1 receives the packet and continues the conversation. The device performs Steps 2 to 5 for each
packet that it receives.
overloading. When overloading is configured, the device maintains enough information from higher-level
protocols (for example, TCP or UDP port numbers) to translate the global address back to the correct local
address. When multiple local addresses map to one global address, the TCP or UDP port numbers of each
inside host distinguish between local addresses.
The figure below illustrates a NAT operation when an inside global address represents multiple inside local
addresses. The TCP port numbers act as differentiators.
The device performs the following process in the overloading of inside global addresses, as shown in the
figure above. Both Host B and Host C believe that they are communicating with a single host at address
203.0.113.2, whereas they are actually communicating with different hosts; the port number is the
differentiator. In fact, many inside hosts can share the inside global IP address by using many port numbers.
1 The user at host 10.1.1.1 opens a connection to Host B.
2 The first packet that the device receives from host 10.1.1.1 causes the device to check its NAT table. Based
on your NAT configuration the following scenarios are possible:
• If no translation entry exists, the device determines that IP address 10.1.1.1 must be translated, and
translates inside local address 10.1.1.1 to a legal global address.
• If overloading is enabled and another translation is active, the device reuses the global address from
that translation and saves enough information that can be used to translate the global address back,
as an entry in the NAT table. This type of translation entry is called an extended entry.
3 The device replaces inside local source address 10.1.1.1 with the selected global address and forwards the
packet.
4 Host B receives the packet and responds to host 10.1.1.1 by using the inside global IP address 203.0.113.2.
5 When the device receives the packet with the inside global IP address, it performs a NAT table lookup by
using a protocol, the inside global address and port, and the outside address and port as keys; translates
the address to the inside local address 10.1.1.1 and forwards the packet to host 10.1.1.1.
Host 10.1.1.1 receives the packet and continues the conversation. The device performs Steps 2 to 5 for each
packet it receives.
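The two processes above (simple entries for plain inside source translation, and extended entries keyed by protocol, addresses and ports when overloading) as a constructed Python simulation. This is an added example, not Cisco code or the device's implementation: the Packet and NatDevice names, the 198.51.100.x outside hosts and the port-allocation rule (keep the host's source port when it is free on the global address, otherwise take the next free port from 1024) are assumptions; the inside hosts and the 203.0.113.2 inside global address are the guide's.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatDevice:
    """Inside-source NAT: simple entries, or extended entries when overloading (constructed model)."""

    def __init__(self, pool: List[str], overload: bool = False,
                 static: Optional[Dict[str, str]] = None) -> None:
        self.free_pool = list(pool)                 # dynamic address pool (constructed)
        self.overload = overload
        self.static = dict(static or {})            # inside local -> inside global (configured)
        self.simple: Dict[str, str] = {}            # inside local -> inside global (dynamic)
        # extended entries, keyed as in step 5 of the overloading process:
        # (proto, inside global, global port, outside addr, outside port) -> (inside local, local port)
        self.extended: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}
        # reverse index so repeat packets of the same flow reuse their entry
        self.by_flow: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}
        self.used_ports: Set[Tuple[str, str, int]] = set()   # (proto, inside global, port)

    def _global_for(self, local: str) -> str:
        """Step 2: static entry, existing simple entry, or a new simple entry from the pool."""
        if local in self.static:
            return self.static[local]
        if local in self.simple:
            return self.simple[local]
        if self.overload and self.simple:
            chosen = next(iter(self.simple.values()))   # reuse the global address already active
        else:
            if not self.free_pool:
                raise RuntimeError("dynamic pool exhausted")
            chosen = self.free_pool.pop(0)
        self.simple[local] = chosen
        return chosen

    def _global_port(self, proto: str, gaddr: str, wanted: int) -> int:
        """Keep the host's source port if it is free on the global address, else the next free one.
        Simplification (assumed): one global port per flow rather than per full 5-tuple."""
        if (proto, gaddr, wanted) not in self.used_ports:
            return wanted
        port = 1024
        while (proto, gaddr, port) in self.used_ports:
            port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside (steps 2 and 3): rewrite the source address, and the port when overloading."""
        gaddr = self._global_for(pkt.src)
        if not self.overload:
            return Packet(pkt.proto, gaddr, pkt.sport, pkt.dst, pkt.dport)
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.by_flow:
            gport = self._global_port(pkt.proto, gaddr, pkt.sport)
            self.used_ports.add((pkt.proto, gaddr, gport))
            self.extended[(pkt.proto, gaddr, gport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.by_flow[flow] = (gaddr, gport)
        gaddr, gport = self.by_flow[flow]
        return Packet(pkt.proto, gaddr, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside (step 5): the inside global address (plus ports when overloading) is the key.
        Returns None when no translation exists; nothing is then forwarded inside."""
        if self.overload:
            entry = self.extended.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            if entry is None:
                return None
            local, lport = entry
            return Packet(pkt.proto, pkt.src, pkt.sport, local, lport)
        for local, gaddr in {**self.static, **self.simple}.items():
            if gaddr == pkt.dst:
                return Packet(pkt.proto, pkt.src, pkt.sport, local, pkt.dport)
        return None


if __name__ == "__main__":
    # Walk-through with the guide's hosts: 10.1.1.1 and 10.1.1.2 share inside global 203.0.113.2.
    pat = NatDevice(pool=["203.0.113.2"], overload=True)
    print(pat.outbound(Packet("tcp", "10.1.1.1", 1723, "198.51.100.20", 23)))
    print(pat.outbound(Packet("tcp", "10.1.1.2", 1723, "198.51.100.21", 23)))
    print(pat.inbound(Packet("tcp", "198.51.100.21", 23, "203.0.113.2", 1024)))
```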
Types of NAT
NAT operates on a router—generally connecting only two networks—and translates the private (inside local)
addresses within the internal network into public (inside global) addresses before any packets are forwarded
to another network. This functionality gives you the option to configure NAT so that it will advertise only a
single address for your entire network to the outside world. Doing this effectively hides the internal network
from the world, giving you some additional security.
The types of NAT include:
• Static address translation (static NAT)—Allows one-to-one mapping between local and global addresses.
• Dynamic address translation (dynamic NAT)—Maps unregistered IP addresses to registered IP addresses
from a pool of registered IP addresses.
• Overloading—Maps multiple unregistered IP addresses to a single registered IP address (many to one)
using different ports. This method is also known as Port Address Translation (PAT). By using overloading,
thousands of users can be connected to the Internet by using only one real global IP address.
The device examines every DNS reply to ensure that the IP address is not in a stub network. If it is, the device
translates the address as described below:
1 Host 10.1.1.1 opens a connection to 172.16.0.3.
2 The device sets up the translation mapping of the inside local and global addresses to each other and the
outside global and local addresses to each other.
3 The device replaces the SA with the inside global address and replaces the DA with the outside global
address.
4 Host C receives the packet and continues the conversation.
5 The device does a lookup, replaces the DA with the inside local address, and replaces the SA with the
outside local address.
6 Host 10.1.1.1 receives the packet and the conversation continues using this translation process.
7 The device will allocate IP address 10.1.1.2 as the inside local address for the next connection request.
The Network Address Translation (NAT) Static IP Address Support feature extends the capabilities of public
wireless LAN providers to support users configured with a static IP address. By configuring a device to support
users with a static IP address, public wireless LAN providers extend their services to a greater number of
users.
Users with static IP addresses can use services of the public wireless LAN provider without changing their
IP address. NAT entries are created for static IP clients and a routable address is provided.
RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. Communication
between a network access server (NAS) and a RADIUS server is based on UDP. Generally, the RADIUS
protocol is considered a connectionless service. Issues related to server availability, retransmission, and
timeouts are handled by RADIUS-enabled devices rather than the transmission protocol.
The RADIUS client is typically a NAS, and the RADIUS server is usually a daemon process running on a
UNIX or Windows NT machine. The client passes user information to designated RADIUS servers and acts
on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and
then return the configuration information necessary for the client to deliver the service to the user. A RADIUS
server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
Denial-of-Service Attacks
A denial-of-service (DoS) attack typically involves the misuse of standard protocols or connection processes
with the intent to overload and disable a target, such as a device or web server. DoS attacks can come from a
malicious user or from a computer infected with a virus or worm. An attack that comes from many different
sources at once, such as when a virus or worm has infected many computers, is known as a distributed DoS
attack. Such distributed DoS attacks can spread rapidly and involve thousands of systems.
Note You must configure different IP addresses for an interface on which NAT is configured and for inside
addresses that are configured by using the ip nat inside source static command.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source static local-ip global-ip
4. interface type number
5. ip address ip-address mask [secondary]
6. ip nat inside
7. exit
8. interface type number
9. ip address ip-address mask [secondary]
10. ip nat outside
11. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3  ip nat inside source static local-ip global-ip
Establishes static translation between an inside local address and an inside global address.
Example:
Device(config)# ip nat inside source static 10.10.10.1 172.16.131.1
Step 4  interface type number
Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 1
Step 5  ip address ip-address mask [secondary]
Sets a primary IP address for an interface.
Example:
Device(config-if)# ip address 10.114.11.39 255.255.255.0
Step 6  ip nat inside
Connects the interface to the inside network, which is subject to NAT.
Example:
Device(config-if)# ip nat inside
Step 8  interface type number
Specifies a different interface and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 0/0/0
Step 9  ip address ip-address mask [secondary]
Sets a primary IP address for an interface.
Example:
Device(config-if)# ip address 172.31.232.182 255.255.255.240
Example:
Device(config-if)# ip nat outside
Note When inside global or outside local addresses belong to a directly connected subnet on a Network Address
Translation (NAT) device, the device adds IP aliases for them so that it can answer Address Resolution
Protocol (ARP) requests. However, a situation can arise where the device answers packets that are not
destined for it, possibly causing a security issue. This can happen when an incoming Internet Control
Message Protocol (ICMP) packet or an UDP packet that is destined for one of the aliased addresses does
not have a corresponding NAT translation in the NAT table, and the device itself runs a corresponding
service, for example, Network Time Protocol (NTP). Such a situation might cause minor security risks.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
4. access-list access-list-number permit source [source-wildcard]
5. ip nat inside source list access-list-number pool name
6. interface type number
7. ip address ip-address mask
8. ip nat inside
9. exit
10. interface type number
11. ip address ip-address mask
12. ip nat outside
13. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3  ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a pool of global addresses to be allocated as needed.
Example:
Device(config)# ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28
Step 4  access-list access-list-number permit source [source-wildcard]
Defines a standard access list permitting those addresses that are to be translated.
Example:
Device(config)# access-list 1 permit 192.168.34.0 0.0.0.255
Step 5  ip nat inside source list access-list-number pool name
Establishes dynamic source translation, specifying the access list defined in Step 4.
Example:
Device(config)# ip nat inside source list 1 pool net-208
Step 6  interface type number
Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 1
Step 7  ip address ip-address mask
Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 10.114.11.39 255.255.255.0
Step 8  ip nat inside
Connects the interface to the inside network, which is subject to NAT.
Example:
Device(config-if)# ip nat inside
Step 10  interface type number
Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 0
Step 11  ip address ip-address mask
Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 172.16.232.182 255.255.255.240
Example:
Device(config-if)# ip nat outside
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
4. access-list access-list-number permit source [source-wildcard]
5. ip nat inside source list access-list-number pool name overload
6. interface type number
7. ip address ip-address mask
8. ip nat inside
9. exit
10. interface type number
11. ip address ip-address mask
12. ip nat outside
13. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3  ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a pool of global addresses to be allocated as needed.
Example:
Device(config)# ip nat pool net-208 192.168.202.129 192.168.202.158 netmask 255.255.255.224
Step 4  access-list access-list-number permit source [source-wildcard]
Defines a standard access list permitting those addresses that are to be translated.
• The access list must permit only those addresses that are to be translated. (Remember that there is an implicit “deny all” at the end of each access list.) Use of an access list that is too permissive can lead to unpredictable results.
Example:
Device(config)# access-list 1 permit 192.168.201.30 0.0.0.255
Example:
Device(config)# ip nat inside source list 1 pool net-208 overload
Step 6  interface type number
Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 1
Step 7  ip address ip-address mask
Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 192.168.201.1 255.255.255.240
Step 8  ip nat inside
Connects the interface to the inside network, which is subject to NAT.
Example:
Device(config-if)# ip nat inside
Step 10  interface type number
Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 0
Step 11  ip address ip-address mask
Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 192.168.201.29 255.255.255.240
Example:
Device(config-if)# ip nat outside
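An added example, not from this guide or Cisco, that audits a running configuration for the pitfalls the guide names: the unsupported permit ip any any entry and the over-permissive access list (Step 4 above), the Catalyst 6500 recommendation to keep ip nat translation max-entries below 64512 with overload, and the note that static inside addresses must differ from NAT interface addresses. It assumes a plain-text configuration parsed with simple regular expressions; the audit_nat and acl_network names and the sample configuration are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional

MAX_ENTRIES_LIMIT = 64512   # the guide recommends staying below this with overload


def acl_network(entry: str) -> Optional[ipaddress.IPv4Network]:
    """Network matched by a standard-ACL permit entry; None means 'any' (unsupported with NAT)."""
    words = entry.split()[1:]                       # drop the "permit" keyword
    if words and words[0] == "ip":                  # extended-style "permit ip any any"
        words = words[1:]
    if words[0] == "any":
        return None
    if words[0] == "host":
        return ipaddress.ip_network(words[1])
    if len(words) == 1 or words[1] == "0.0.0.0":    # bare address or zero wildcard: one host
        return ipaddress.ip_network(words[0])
    # ipaddress accepts a Cisco wildcard after the slash as a hostmask
    return ipaddress.ip_network(f"{words[0]}/{words[1]}", strict=False)


def audit_nat(config: str) -> List[str]:
    """Parse a running configuration and report the NAT pitfalls the guide calls out."""
    acls: Dict[str, List[str]] = {}
    nat_lists: List[str] = []
    static_locals: List[str] = []
    interfaces: Dict[str, Dict[str, Optional[str]]] = {}
    overload = False
    max_entries: Optional[int] = None
    current: Optional[str] = None                   # interface block being read
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            current = None
        elif m := re.match(r"access-list (\S+) (permit .*)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"ip nat inside source list (\S+) pool \S+( overload)?$", line):
            nat_lists.append(m.group(1))
            overload = overload or m.group(2) is not None
        elif m := re.match(r"ip nat inside source static (\S+) \S+", line):
            static_locals.append(m.group(1))
        elif m := re.match(r"ip nat translation max-entries (\d+)", line):
            max_entries = int(m.group(1))
        elif m := re.match(r"interface (.+)", line):
            current = m.group(1)
            interfaces[current] = {"ip": None, "nat": None}
        elif current and (m := re.match(r"ip address (\S+) \S+", line)):
            interfaces[current]["ip"] = m.group(1)
        elif current and line in ("ip nat inside", "ip nat outside"):
            interfaces[current]["nat"] = line.split()[-1]

    findings: List[str] = []
    nat_ifaces = {n: d for n, d in interfaces.items() if d["nat"]}
    outside_ips = [d["ip"] for d in nat_ifaces.values() if d["nat"] == "outside" and d["ip"]]
    for name in nat_lists:
        if name not in acls:
            findings.append(f"access list {name} is referenced by NAT but has no permit entries")
            continue
        for entry in acls[name]:
            net = acl_network(entry)
            if net is None:                          # "permit ip any any" is not supported with NAT
                findings.append(f"access list {name}: '{entry}' is not supported with NAT")
                continue
            for ip in outside_ips:                   # matching the outside side too is "too permissive"
                if ipaddress.ip_address(ip) in net:
                    findings.append(f"access list {name}: '{entry}' also matches outside interface {ip}")
    if overload and (max_entries is None or max_entries >= MAX_ENTRIES_LIMIT):
        findings.append(f"overload configured without ip nat translation max-entries below {MAX_ENTRIES_LIMIT}")
    for local in static_locals:                      # static inside addresses must differ from NAT interfaces
        for name, d in nat_ifaces.items():
            if d["ip"] == local:
                findings.append(f"static inside local {local} equals the address of NAT interface {name}")
    return findings


# Constructed sample that reuses the guide's interface addresses and deliberately trips every check.
SAMPLE_CONFIG = """\
interface ethernet 1
 ip address 10.114.11.39 255.255.255.0
 ip nat inside
!
interface ethernet 0
 ip address 172.16.232.182 255.255.255.240
 ip nat outside
!
ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28
access-list 1 permit 192.168.34.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit ip any any
ip nat inside source list 1 pool net-208
ip nat inside source list 2 pool net-208 overload
ip nat inside source static 10.114.11.39 172.16.131.1
"""

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```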
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat translation seconds
4. ip nat translation udp-timeout seconds
5. ip nat translation dns-timeout seconds
6. ip nat translation tcp-timeout seconds
7. ip nat translation finrst-timeout seconds
8. ip nat translation icmp-timeout seconds
9. ip nat translation syn-timeout seconds
10. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3  ip nat translation seconds
(Optional) Changes the amount of time after which NAT translations time out.
• The default timeout is 24 hours, and it applies to the aging time for half-entries.
Example:
Device(config)# ip nat translation 300
Step 4  ip nat translation udp-timeout seconds
(Optional) Changes the UDP timeout value.
Example:
Device(config)# ip nat translation udp-timeout 300
Step 5  ip nat translation dns-timeout seconds
(Optional) Changes the Domain Name System (DNS) timeout value.
Example:
Device(config)# ip nat translation dns-timeout 45
Step 6  ip nat translation tcp-timeout seconds
(Optional) Changes the TCP timeout value.
• The default is 24 hours.
Example:
Device(config)# ip nat translation tcp-timeout 2500
Step 7  ip nat translation finrst-timeout seconds
(Optional) Changes the finish and reset timeout value.
• finrst-timeout—The aging time after a TCP session receives both finish-in (FIN-IN) and finish-out (FIN-OUT) requests or after the reset of a TCP session.
Example:
Device(config)# ip nat translation finrst-timeout 45
Step 8  ip nat translation icmp-timeout seconds
(Optional) Changes the ICMP timeout value.
Example:
Device(config)# ip nat translation icmp-timeout 45
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source static local-ip global-ip
4. interface type number
5. ip address ip-address mask
6. ip nat inside
7. exit
8. interface type number
9. ip address ip-address mask
10. ip nat outside
11. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3  ip nat inside source static local-ip global-ip
Establishes static translation between an inside local address and an inside global address.
Example:
Device(config)# ip nat inside source static 192.168.121.33 10.2.2.1
Step 4  interface type number
Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 1
Step 5  ip address ip-address mask
Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 10.114.11.39 255.255.255.0
Example:
Device(config-if)# ip nat inside
Step 8  interface type number
Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 0
Step 9  ip address ip-address mask
Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 172.16.232.182 255.255.255.240
Example:
Device(config-if)# ip nat outside
What to Do Next
When you have completed the required configuration, go to the “Monitoring and Maintaining NAT” module.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
4. access-list access-list-number permit source [source-wildcard]
5. ip nat outside source list access-list-number pool name
6. interface type number
7. ip address ip-address mask
8. ip nat inside
9. exit
10. interface type number
11. ip address ip-address mask
12. ip nat outside
13. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3  ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a pool of global addresses to be allocated as needed.
Example:
Device(config)# ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
Step 4  access-list access-list-number permit source [source-wildcard]
Defines a standard access list permitting those addresses that are to be translated.
• The access list must permit only those addresses that are to be translated. (Remember that there is an implicit “deny all” at the end of each access list.) Use of an access list that is too permissive can lead to unpredictable results.
Example:
Device(config)# access-list 1 permit 10.114.11.0 0.0.0.255
Step 6  interface type number
Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 1
Step 7  ip address ip-address mask
Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 10.114.11.39 255.255.255.0
Example:
Device(config-if)# ip nat inside
Step 10  interface type number
Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 0
Step 11  ip address ip-address mask
Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 172.16.232.182 255.255.255.240
Example:
Device(config-if)# ip nat outside
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip nat enable
5. exit
6. ip nat pool name start-ip end-ip netmask netmask add-route
7. ip nat source list access-list-number pool name vrf name
8. ip nat source list access-list-number pool name overload
9. end
DETAILED STEPS
Example:
Device# configure terminal
Step 4  ip nat enable
Configures an interface that connects VPNs and the Internet for NAT.
Example:
Device(config-if)# ip nat enable
Step 6  ip nat pool name start-ip end-ip netmask netmask add-route
Configures a NAT pool and the associated mappings.
Example:
Device(config)# ip nat pool pool1 192.168.200.225 192.168.200.254 netmask 255.255.255.0 add-route
Step 7  ip nat source list access-list-number pool name vrf name
Configures a dynamic NVI without an inside or outside specification.
Example:
Device(config)# ip nat source list 1 pool pool1 vrf vrf1
Step 8  ip nat source list access-list-number pool name overload
Configures an overloading NVI without an inside or outside specification.
Example:
Device(config)# ip nat source list 1 pool pool1 overload
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip nat enable
5. exit
6. ip nat source static local-ip global-ip vrf name
7. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3  interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface FastEthernet 1
Step 4  ip nat enable
Configures an interface that connects VPNs and the Internet for NAT.
Example:
Device(config-if)# ip nat enable
Step 6  ip nat source static local-ip global-ip vrf name
Configures a static NVI.
Example:
Device(config)# ip nat source static 192.168.123.1 192.168.125.10 vrf vrf1
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary
4. access-list access-list-number permit source [source-wildcard]
5. ip nat inside destination-list access-list-number pool name
6. interface type number
7. ip address ip-address mask
8. ip nat inside
9. exit
10. interface type number
11. ip address ip-address mask
12. ip nat outside
13. end
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# ip nat pool real-hosts 192.168.201.2 192.168.201.5 prefix-length 28 type rotary
Step 4  access-list access-list-number permit source [source-wildcard]
Defines an access list permitting the address of the virtual host.
Example:
Device(config)# access-list 1 permit 192.168.201.30 0.0.0.255
Step 5  ip nat inside destination-list access-list-number pool name
Establishes dynamic inside destination translation, specifying the access list defined in the prior step.
Example:
Device(config)# ip nat inside destination-list 2 pool real-hosts
Step 6  interface type number
Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 0
Step 7  ip address ip-address mask
Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 192.168.201.1 255.255.255.240
Example:
Device(config-if)# ip nat inside
Step 10  interface type number
Specifies a different interface and enters interface configuration mode.
Example:
Device(config)# interface serial 0
Step 11  ip address ip-address mask
Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 192.168.15.129 255.255.255.240
Example:
Device(config-if)# ip nat outside
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip [route-map map-name]}
4. exit
5. show ip nat translations [verbose]
DETAILED STEPS
Example:
Device# configure terminal
Step 3  ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip [route-map map-name]}
Enables route mapping with static NAT configured on the NAT inside interface.
Example:
Device(config)# ip nat inside source static 192.168.201.6 192.168.201.21 route-map isp2
Example:
Device# show ip nat translations
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip netmask netmask
4. ip nat pool name start-ip end-ip netmask netmask
5. ip nat inside source route-map name pool name [reversible]
6. ip nat inside source route-map name pool name [reversible]
7. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 ip nat pool name start-ip end-ip netmask netmask Defines a pool of network addresses for NAT.
Example:
Device(config)# ip nat pool POOL-A 192.168.201.4 192.168.201.6 netmask 255.255.255.128
Step 4 ip nat pool name start-ip end-ip netmask netmask Defines a pool of network addresses for NAT.
Example:
Device(config)# ip nat pool POOL-B 192.168.201.7 192.168.201.9 netmask 255.255.255.128
Step 5 ip nat inside source route-map name pool name [reversible]
Enables outside-to-inside initiated sessions to use route maps for destination-based NAT.
Example:
Device(config)# ip nat inside source route-map MAP-A pool POOL-A reversible
Step 6 ip nat inside source route-map name pool name [reversible]
Enables outside-to-inside initiated sessions to use route maps for destination-based NAT.
Example:
Device(config)# ip nat inside source route-map MAP-B pool POOL-B reversible
Note When you configure the ip nat outside source static command to add static routes for outside local
addresses, there is a delay in the translation of packets and packets are dropped. Packets are dropped
because a shortcut is not created for the initial synchronization (SYN) packet when NAT is configured
for static translation. To avoid dropped packets, configure either the ip nat outside source static add-route
command or the ip route command.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static network local-ip global-ip [no-payload]}
4. ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static {tcp | udp} local-ip local-port global-ip global-port [no-payload]}
5. ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static [network] local-network-mask global-network-mask [no-payload]}
6. ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static local-ip global-ip [no-payload]}
7. ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static {tcp | udp} local-ip local-port global-ip global-port [no-payload]}
8. ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static [network] local-network-mask global-network-mask [no-payload]}
9. exit
10. show ip nat translations [verbose]
DETAILED STEPS
Example:
Device# configure terminal
Step 3 ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static network local-ip global-ip [no-payload]}
Disables the network packet translation on the inside host device.
Example:
Device(config)# ip nat inside source static network 10.1.1.1 192.168.251.0/24 no-payload
Step 4 ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static {tcp | udp} local-ip local-port global-ip global-port [no-payload]}
Disables port packet translation on the inside host device.
Example:
Device(config)# ip nat inside source static tcp 10.1.1.1 2000 192.168.1.1 2000 no-payload
Step 5 ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static [network] local-network-mask global-network-mask [no-payload]}
Disables packet translation on the inside host device.
Example:
Device(config)# ip nat inside source static 10.1.1.1 192.168.1.1 no-payload
Step 6 ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static local-ip global-ip [no-payload]}
Disables packet translation on the outside host device.
Example:
Device(config)# ip nat outside source static 10.1.1.1 192.168.1.1 no-payload
Step 7 ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static {tcp | udp} local-ip local-port global-ip global-port [no-payload]}
Disables port packet translation on the outside host device.
Example:
Device(config)# ip nat outside source static tcp 10.1.1.1 20000 192.168.1.1 20000 no-payload
Step 8 ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static [network] local-network-mask global-network-mask [no-payload]}
Disables network packet translation on the outside host device.
Example:
Device(config)# ip nat outside source static network 10.1.1.1 192.168.251.0/24 no-payload
Example:
Device# show ip nat translations
Note
• You can use this feature to configure gaming devices with an IP address that is different from that of the PC. To avoid unwanted traffic or DoS attacks, use access lists.
• For traffic going from the PC to the outside, it is better to use a route map so that extended entries are created.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source static local-ip interface type number
4. ip nat inside source static tcp local-ip local-port interface global-port
5. exit
6. show ip nat translations [verbose]
DETAILED STEPS
Example:
Device# configure terminal
Step 3 ip nat inside source static local-ip interface type number Enables static NAT on the interface.
Example:
Device(config)# ip nat inside source static 10.1.1.1 interface Ethernet 1/1
Step 4 ip nat inside source static tcp local-ip local-port interface global-port
(Optional) Enables the use of telnet to the device from the outside.
Example:
Device(config)# ip nat inside source static tcp 10.1.1.1 23 interface 23
Example:
Device# show ip nat translations
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip nat inside
5. exit
6. ip nat allow-static-host
7. ip nat pool name start-ip end-ip netmask netmask accounting list-name
8. ip nat inside source list access-list-number pool name
9. access-list access-list-number deny ip source
10. end
11. show ip nat translations verbose
DETAILED STEPS
Example:
Device# configure terminal
Step 3 interface type number Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 1
Example:
Device(config-if)# ip nat inside
Step 7 ip nat pool name start-ip end-ip netmask netmask accounting list-name
Specifies an existing RADIUS profile name to be used for authentication of the static IP host.
Example:
Device(config)# ip nat pool pool1 172.16.0.0 172.16.0.254 netmask 255.255.255.0 accounting WLAN-ACCT
Step 8 ip nat inside source list access-list-number pool name
Specifies the access list and pool to be used for static IP support.
• The specified access list must permit all traffic.
Example:
Device(config)# ip nat inside source list 1 pool net-208
Step 9 access-list access-list-number deny ip source
Removes the traffic of the device from NAT.
• The source argument is the IP address of the device that supports the NAT Static IP Support feature.
Example:
Device(config)# access-list 1 deny ip 192.168.196.51
Step 11 show ip nat translations verbose
(Optional) Displays active NAT translations and additional information for each translation table entry, including how long ago the entry was created and used.
Example:
Device# show ip nat translations verbose
Examples
The following is sample output from the show ip nat translations verbose command:
Device# show ip nat translations verbose
create 00:05:59, use 00:03:39, left 23:56:20, Map-Id(In): 1, flags: none wlan-flags: Secure
ARP added, Accounting Start sent Mac-Address:0010.7bc2.9ff6 Input-IDB:Ethernet1/2, use_count:
0, entry-id:7, lc_entries: 0
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip prefix-length prefix-length [accounting method-list-name] [arp-ping]
4. ip nat translation arp-ping-timeout [seconds]
5. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 ip nat pool name start-ip end-ip prefix-length prefix-length [accounting method-list-name] [arp-ping]
Defines a pool of IP addresses for NAT.
Example:
Device(config)# ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28 accounting radius1 arp-ping
Step 4 ip nat translation arp-ping-timeout [seconds]
Changes the ARP ping timeout, in seconds, that applies after each network address translation.
Example:
Device(config)# ip nat translation arp-ping-timeout 600
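The pool statements used throughout these procedures come in two forms (netmask and prefix-length). The following checker, an added example written for this guide and not Cisco's code, parses a statement, derives the subnet the mask implies and reports ranges that do not fit it; the grammar it assumes is reconstructed from the examples above, and the "bad-pool" line in the sample is constructed.

```python
"""Sanity checks for 'ip nat pool' statements (added example, not Cisco's code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Grammar reconstructed from the examples in this guide (assumption): options after
# the mask, such as 'accounting', 'arp-ping', 'type rotary' or 'add-route', are kept
# as opaque tokens.
_POOL_RE = re.compile(
    r"^ip nat pool (?P<name>\S+) (?P<start>\S+) (?P<end>\S+) "
    r"(?:netmask (?P<mask>\S+)|prefix-length (?P<plen>\d+))(?P<rest>.*)$"
)


@dataclass
class PoolCheck:
    name: str
    network: ipaddress.IPv4Network   # subnet implied by the start address and mask
    size: int                        # number of addresses from start to end
    options: list
    findings: list = field(default_factory=list)


def check_pool(statement: str) -> PoolCheck:
    """Parse one 'ip nat pool' line and return the implied subnet plus findings."""
    m = _POOL_RE.match(" ".join(statement.split()))
    if m is None:
        raise ValueError(f"not an 'ip nat pool' statement: {statement!r}")
    start = ipaddress.IPv4Address(m["start"])
    end = ipaddress.IPv4Address(m["end"])
    mask = m["mask"] if m["mask"] is not None else int(m["plen"])
    # strict=False derives the subnet that the start address belongs to.
    net = ipaddress.IPv4Network((str(start), mask), strict=False)
    check = PoolCheck(m["name"], net, int(end) - int(start) + 1, m["rest"].split())

    if end < start:
        check.findings.append("end address precedes start address")
    if end not in net:
        check.findings.append(f"end address {end} lies outside {net}")
    if start == net.network_address:
        check.findings.append(f"range starts at the network address {start}")
    if end == net.broadcast_address:
        check.findings.append(f"range ends at the broadcast address {end}")
    return check


def check_config(lines) -> dict:
    """Run check_pool over every pool statement in a configuration snippet."""
    results = {}
    for line in lines:
        if line.strip().startswith("ip nat pool "):
            c = check_pool(line)
            results[c.name] = c
    return results


if __name__ == "__main__":
    # Constructed sample: the pool statements shown in this guide plus one
    # deliberately inconsistent line ('bad-pool' is invented).
    sample = """
    ip nat pool POOL-A 192.168.201.4 192.168.201.6 netmask 255.255.255.128
    ip nat pool real-hosts 192.168.201.2 192.168.201.5 prefix-length 28 type rotary
    ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28 accounting radius1 arp-ping
    ip nat pool bad-pool 192.168.201.4 192.168.202.6 netmask 255.255.255.128
    """.strip().splitlines()
    for name, c in check_config(sample).items():
        status = "ok" if not c.findings else "; ".join(c.findings)
        print(f"{name:<10} {str(c.network):<20} {c.size:>3} addrs  {status}")
```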
SUMMARY STEPS
1. enable
2. show ip nat translations
3. configure terminal
4. ip nat translation max-entries {number | all-vrf number | host ip-address number | list listname number | vrf name number}
5. end
6. show ip nat statistics
DETAILED STEPS
Example:
Device# configure terminal
Step 4 ip nat translation max-entries {number | all-vrf number | host ip-address number | list listname number | vrf name number}
Configures the maximum number of NAT entries allowed from the specified source.
• The maximum number of allowed NAT entries is 2147483647, although a typical range for a NAT rate limit is 100 to 300 entries.
• When you configure a NAT rate limit for all VRF instances, each VRF instance is limited to the maximum number of NAT entries that you specify.
• When you configure a NAT rate limit for a specific VRF instance, you can specify a maximum number of NAT entries for the named VRF instance that is greater than or less than that allowed for all VRF instances.
Example:
Device(config)# ip nat translation max-entries 300
Example:
Device(config)# end
Step 6 show ip nat statistics
(Optional) Displays current NAT usage information, including NAT rate limit settings.
• After setting a NAT rate limit, use the show ip nat statistics command to verify the current NAT rate limit settings.
Example:
Device# show ip nat statistics
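The following model, an added example and not Cisco's implementation, shows how the limit scopes described in this step interact: a global number, all-vrf, a named vrf (which overrides the all-vrf value for that VRF) and a host. It assumes a translation is created only when every applicable limit allows it, omits the list scope, and uses a constructed host limit for 10.1.1.1 alongside the max-entries 300 value from the example above.

```python
"""Model of NAT translation rate limiting (added example, not Cisco's code)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

MAX_ENTRIES_CEILING = 2147483647  # largest value the command accepts, per this guide


@dataclass
class NatRateLimiter:
    global_limit: Optional[int] = None               # max-entries NUMBER
    all_vrf_limit: Optional[int] = None              # max-entries all-vrf NUMBER
    vrf_limits: dict = field(default_factory=dict)   # max-entries vrf NAME NUMBER
    host_limits: dict = field(default_factory=dict)  # max-entries host IP NUMBER
    total: int = 0
    per_vrf: Counter = field(default_factory=Counter)
    per_host: Counter = field(default_factory=Counter)
    rejected: Counter = field(default_factory=Counter)  # reason -> count

    def configure(self, command: str) -> None:
        """Apply one 'ip nat translation max-entries ...' line to the model."""
        tokens = command.split()
        if tokens[:4] != ["ip", "nat", "translation", "max-entries"]:
            raise ValueError(f"unsupported command: {command!r}")
        args = tokens[4:]
        if len(args) == 1:
            self.global_limit = self._number(args[0])
        elif args[0] == "all-vrf" and len(args) == 2:
            self.all_vrf_limit = self._number(args[1])
        elif args[0] == "vrf" and len(args) == 3:
            self.vrf_limits[args[1]] = self._number(args[2])
        elif args[0] == "host" and len(args) == 3:
            self.host_limits[args[1]] = self._number(args[2])
        else:
            raise ValueError(f"unsupported scope (the list scope is not modelled): {command!r}")

    @staticmethod
    def _number(text: str) -> int:
        value = int(text)
        if not 1 <= value <= MAX_ENTRIES_CEILING:
            raise ValueError(f"max-entries out of range: {value}")
        return value

    def vrf_limit(self, vrf: Optional[str]) -> Optional[int]:
        """A named VRF limit overrides the all-vrf value for that VRF (assumption
        drawn from the guide: it may be greater or less than the all-vrf value)."""
        if vrf is None:
            return None
        return self.vrf_limits.get(vrf, self.all_vrf_limit)

    def request(self, inside_host: str, vrf: Optional[str] = None) -> bool:
        """Try to create one translation; True only if every applicable limit allows it."""
        host_limit = self.host_limits.get(inside_host)
        vrf_limit = self.vrf_limit(vrf)
        if self.global_limit is not None and self.total >= self.global_limit:
            reason = "global"
        elif vrf_limit is not None and self.per_vrf[vrf] >= vrf_limit:
            reason = f"vrf:{vrf}"
        elif host_limit is not None and self.per_host[inside_host] >= host_limit:
            reason = f"host:{inside_host}"
        else:
            self.total += 1
            self.per_vrf[vrf] += 1
            self.per_host[inside_host] += 1
            return True
        self.rejected[reason] += 1
        return False


def simulate_burst(limiter: NatRateLimiter, noisy_host: str, quiet_host: str,
                   attempts: int, vrf: Optional[str] = None) -> dict:
    """Constructed scenario: one host opens 'attempts' flows, then another opens 5.
    With a per-host cap the burst is contained and the quiet host is unaffected."""
    noisy_ok = sum(limiter.request(noisy_host, vrf) for _ in range(attempts))
    quiet_ok = sum(limiter.request(quiet_host, vrf) for _ in range(5))
    return {"noisy_allowed": noisy_ok, "quiet_allowed": quiet_ok,
            "rejected": dict(limiter.rejected)}


if __name__ == "__main__":
    limiter = NatRateLimiter()
    limiter.configure("ip nat translation max-entries 300")            # value from this guide
    limiter.configure("ip nat translation max-entries host 10.1.1.1 50")  # constructed host cap
    print(simulate_burst(limiter, "10.1.1.1", "10.1.1.2", attempts=500))
```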
The following example shows NAT configured on the provider edge (PE) device with a static route to the
shared service for the vrf1 and vrf2 VPNs. NAT is configured as inside source static one-to-one translation.
The following example shows how only traffic local to the provider edge (PE) device running NAT is translated:
ip nat inside source list 1 interface gigabitethernet 0/0/0 vrf vrf1 overload
ip nat inside source list 1 interface gigabitethernet 0/0/0 vrf vrf2 overload
!
ip route vrf vrf1 0.0.0.0 0.0.0.0 192.168.1.1
ip route vrf vrf2 0.0.0.0 0.0.0.0 192.168.1.1
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 1 interface gigabitethernet 1/1/1 vrf vrf1 overload
ip nat inside source list 1 interface gigabitethernet 1/1/1 vrf vrf2 overload
!
ip route vrf vrf1 0.0.0.0 0.0.0.0 172.16.1.1 global
ip route vrf vrf2 0.0.0.0 0.0.0.0 172.16.1.1 global
access-list 1 permit 10.1.1.0 0.0.0.255
!
interface FastEthernet 1
ip nat enable
!
ip nat source static 192.168.123.1 182.168.125.10 vrf vr1
!
interface FastEthernet 1
ip nat enable
!
ip nat pool pool1 192.168.200.225 192.168.200.254 netmask 255.255.255.0 add-route
ip nat source list 1 pool pool1 vrf vrf1
ip nat source list 1 pool pool1 vrf vrf2 overload
!
Where to Go Next
• To configure NAT for use with application-level gateways, see the “Using Application Level Gateways
with NAT” module.
• To verify, monitor, and maintain NAT, see the “Monitoring and Maintaining NAT” module.
• To integrate NAT with Multiprotocol Label Switching (MPLS) VPNs, see the “Integrating NAT with
MPLS VPNs” module.
• To configure NAT for high availability, see the “Configuring NAT for High Availability” module.
Additional References
Related Documents
Related Topic: NAT commands (complete command syntax, command mode, command history, defaults, usage guidelines, and examples). Document Title: Cisco IOS IP Addressing Services Command Reference.
Related Topic: RADIUS attributes overview. Document Title: RADIUS Attributes Overview and RADIUS IETF Attributes module.
Related Topic: Using HSRP and stateful NAT for high availability. Document Title: Configuring NAT for High Availability module.
Related Topic: Using NAT with MPLS VPNs. Document Title: Integrating NAT with MPLS VPNs module.
Standard/RFC: RFC 1597. Title: Internet Assigned Numbers Authority.
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
NAT Default Inside Server (Releases: 12.3(13)T). The NAT Default Inside Server feature enables forwarding of packets from outside to a specified inside local address.
NAT RTSP Support Using NBAR (Releases: 12.3(7)T). The NAT RTSP Support Using NBAR feature is a client/server multimedia presentation control protocol that supports multimedia application delivery. Applications that use RTSP include WMS by Microsoft, QuickTime by Apple Computer, and RealSystem G2 by RealNetworks.
NAT Static and Dynamic Route Map Name-Sharing (Releases: 15.0(1)M). The NAT Static and Dynamic Route Map Name-Sharing feature provides the ability to configure static and dynamic NAT to share the same route map name, while enforcing precedence of static NAT over dynamic NAT.
NAT Static IP Support (Releases: 12.3(7)T). The NAT Static IP Support feature provides support for users with static IP addresses, enabling those users to establish an IP session in a public wireless LAN environment.
Rate Limiting NAT Translation (Releases: 12.3(4)T, 15.0(1)S). The Rate Limiting NAT Translation feature provides the ability to limit the maximum number of concurrent Network Address Translation (NAT) operations on a router. In addition to giving users more control over how NAT addresses are used, the Rate Limiting NAT Translation feature can be used to limit the effects of viruses, worms, and denial-of-service attacks.
Support for ARP Ping in a Public Wireless LAN (Releases: 12.4(6)T). The Support for ARP Ping in a Public Wireless LAN feature protects the NAT entry and the secure ARP entry from removal when the static IP client exists in the network, where the IP address is unchanged after authentication.
• Before performing the tasks in this module, you should verify that the Session Initiation Protocol (SIP)
and H.323 are not disabled. SIP and H.323 are enabled by default.
IPsec
IPsec is a set of extensions to the IP protocol family in a framework of open standards for ensuring secure
private communications over the Internet. Based on standards developed by the IETF, IPsec ensures
confidentiality, integrity, and authenticity of data communications across the public network and provides
cryptographic security services.
Secure tunnels between two peers, such as two routers, are provided and decisions are made as to which
packets are considered sensitive and should be sent through these secure tunnels, and which parameters should
be used to protect these sensitive packets by specifying characteristics of these tunnels. When the IPsec peer
receives a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to
the remote peer.
IPsec using Encapsulating Security Payload (ESP) can pass through a router running NAT without any specific
support from it as long as Network Address Port Translation (NAPT) or address overloading is not configured.
You can enable IPsec packet processing using ESP with the ip nat service ipsec-esp enable command.
There are a number of factors to consider when attempting an IPsec VPN connection that traverses a NAPT
device that represents multiple private internal IP addresses as a single public external IP address. Such factors
include the capabilities of the VPN server and client, the capabilities of the NAPT device, and whether more
than one simultaneous connection is attempted across the NAPT device.
There are two possible methods for configuring IPsec on a router with NAPT:
• Encapsulate IPsec in a Layer 4 protocol such as TCP or UDP. In this case, IPsec is sneaking through
NAT. The NAT device is unaware of the encapsulation.
• Add IPsec-specific support to NAPT. IPsec works with NAT in this case as opposed to sneaking through
NAT. The NAT Support for IPsec ESP-- Phase II feature provides support for Internet Key Exchange
(IKE) and ESP without encapsulation in tunnel mode through a Cisco IOS router configured with NAPT.
We recommend that TCP and UDP be used when conducting IPsec sessions that traverse a NAPT device.
However, not all VPN servers or clients support TCP or UDP.
SPI Matching
SPI matching is used to establish VPN connections between multiple pairs of destinations. NAT entries will immediately be placed in the translation table for endpoints matching the configured access list.
Note By default support for SIP is enabled on port 5060. Therefore, NAT-enabled devices interpret all packets
on this port as SIP call messages. If other applications in the system use port 5060 to send packets, the
NAT service may corrupt the packet as it attempts to interpret the packet as a SIP call message.
Restrictions
The NAT Segmentation with Layer 4 Forwarding feature does not work when:
• Firewalls are configured using the ip inspect name command. (Context-Based Access Control (CBAC)
firewalls are not supported. Zone-based firewalls are supported.)
• H.323, SCCP, or TCP DNS messages are larger than 18 KB.
• Multiprotocol Label Switching (MPLS) is configured.
• NAT and the Cisco Unified CallManager are configured on the same device. In this case, a colocated
solution in Call Manager Express is used.
• NAT Virtual Interface (NVI) is configured.
• Stateful Network Address Translation (SNAT) is enabled.
Note Effective January 31, 2014, Stateful NAT is not available in Cisco IOS software. For
more information, see End-of-Sale and End-of-Life Announcement for the Cisco IOS
Stateful Failover of Network Address Translation (SNAT).
• The match-in-vrf keyword is configured along with the ip nat inside source command for packet
translation.
• The packets are IPv6 packets.
Note IPsec can be configured for any NAT configuration, not just static NAT configurations.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat [inside | outside] source static local-ip global-ip [vrf vrf-name]
4. exit
5. show ip nat translations
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip nat [inside | outside] source static local-ip global-ip [vrf vrf-name]
Enables static NAT.
Example:
Router(config)# ip nat inside source static 10.10.10.10 192.168.30.30
Example:
Router(config)# exit
Example:
Router# show ip nat translations
Note This task is required by certain VPN concentrators. Cisco VPN devices generally do not use this feature.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service list access-list-number IKE preserve-port
DETAILED STEPS
Example:
Router# configure terminal
Security parameter index (SPI) matching is used to establish VPN connections between multiple pairs of
destinations. NAT entries are immediately placed in the translation table for endpoints matching the configured
access list. SPI matching is available only for endpoints that choose SPIs according to the predictive algorithm
implemented in Cisco IOS Release 12.2(15)T.
The generation of SPIs that are predictable and symmetric is enabled. SPI matching should be used in
conjunction with NAT devices when multiple ESP connections across a NAT device are desired.
Note SPI matching must be configured on the NAT device and both endpoint devices.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service list access-list-number ESP spi-match
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip nat service list access-list-number ESP spi-match
Specifies an access list to enable SPI matching.
• This example shows how to enter ESP traffic matching list 10 into the NAT table, making the assumption that both devices are Cisco devices and are configured to provide matchable SPIs.
Example:
Router(config)# ip nat service list 10 ESP spi-match
Note Security parameter index (SPI) matching must be configured on the Network Address Translation (NAT)
device and on both endpoint devices.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec nat-transparency spi-matching
4. end
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# crypto ipsec nat-transparency spi-matching
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service allow-multipart
4. exit
5. show ip nat translations
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# ip nat service allow-multipart
Example:
Device# show ip nat translations
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service skinny tcp port number
DETAILED STEPS
Example:
Router# configure terminal
Where to Go Next
• To learn about NAT and configure NAT for IP address conservation, see the “Configuring NAT for IP
Address Conservation” module.
• To verify, monitor, and maintain NAT, see the “Monitoring and Maintaining NAT” module.
• To integrate NAT with MPLS VPNs, see the “Integrating NAT with MPLS VPNs” module.
• To configure NAT for high availability, see the “Configuring NAT for High Availability” module.
Additional References
Related Documents
Related Topic: NAT commands (complete command syntax, command mode, defaults, usage guidelines, and examples). Document Title: Cisco IOS IP Addressing Services Command Reference.
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
NAT H.245 Tunneling Support (Releases: 12.3(11)T). The NAT H.245 Tunneling Support feature allows H.245 tunneling in H.323 Application-Level Gateways (ALGs).
NAT Support for H.323 v2 RAS feature (Releases: 12.2(2)T, 15.0(1)S). NAT supports all H.225 and H.245 message types, including those sent in the RAS protocol.
NAT Support for H.323 v3 and v4 in v2 Compatibility Mode (Releases: 12.3(2)T). The NAT Support for H.323 v3 and v4 in v2 Compatibility Mode feature enables NAT routers to support messages coded in H.323 Version 3 and Version 4 when these messages contain fields that are compatible with H.323 Version 2. This feature does not add support for H.323 capabilities introduced in H.323 Version 3 and Version 4, such as new message types or new fields that require address translation.
NAT Support for IPsec ESP—Phase II (Releases: 12.2(15)T). The NAT Support for IPsec ESP—Phase II feature provides support for Internet Key Exchange (IKE) and ESP without encapsulation in tunnel mode through a router configured with NAPT.
NAT Support for SIP (Releases: 12.2(8)T). NAT Support for SIP adds the ability to configure NAT on VoIP solutions based on SIP.
Support for applications that do not use H.323 (Releases: 12.2(33)XNC). NAT with an ALG will translate packets from applications that do not use H.323, as long as these applications use port 1720.
Support for IPsec ESP Through NAT (Releases: 12.2(13)T). The IPsec ESP Through NAT feature provides the ability to support multiple concurrent IPsec Encapsulating Security Payload (ESP) tunnels or connections through a NAT device configured in Overload or Port Address Translation (PAT) mode.
Note We recommend that you disable all other ALGs using the no ip nat service command,
when using this feature.
translator to take over as the active translator in the event of any failures to the active translator. Therefore,
the application traffic flow continues unaffected as the translations tables are backed up in a stateful manner
across the active and standby translators.
The NAT Box-to-Box High-Availability Support feature supports active-standby high-availability failover
and asymmetric routing. The NAT Box-to-Box High-Availability Support feature supports the following NAT
features:
• Simple Static NAT configuration
• Extended Static NAT configuration
• Network Static NAT configuration
• Dynamic NAT and Port Address Translation (PAT) configuration
• NAT inside source, outside source, and inside destination rules
• NAT rules for Virtual Routing and Forwarding (VRF) instances to IP
• NAT rules for VRF-VRF (within same VRF)
• RG on an active device is reloaded using the redundancy application reload group command in
privileged EXEC mode.
• RG on an active device is shut down using the group command in redundancy application configuration
mode.
belong to the RG are active only on the device on which the RG is active. On all other devices, applications
that belong to the RG are in the standby mode.
Note In a group of RG peers, only one peer can be active for a specific RG. Currently, the NAT Box-to-Box
High-Availability Support feature supports only two peers in an RG and one RG in the RG infrastructure.
Note Failover is caused by only those failures that the RG infrastructure listens to.
infrastructure. However, WAN interfaces may be configured in such a way that any failure on the WAN
interfaces reduces the priority for the RG that is configured on that node, thereby triggering a failover.
Each routing device has an asymmetric routing (AR) module, which forwards the traffic received by the
standby redundancy group (RG) using the module’s AR interface. In the above illustration, the standby RG
is RG1, on Router 1 with the Redundancy Interface Identifier (RII) configured as RII-1. The packet traffic
that is received by RG1 is forwarded over the AR interface configured on Router 1 towards Router 2. This
traffic is received by the AR module for RII-1 on Router 2 and is forwarded to RG1, which is active on Router
2.
• A unique redundancy interface identifier (RII) must be configured for each interface on a device that is
part of the RG infrastructure.
• An RG ID and virtual IP address must be configured on each interface on a LAN.
• An RG ID and mapping ID must be configured for each Network Address Translation (NAT) statement.
• After configuring all NAT statements, you must enable RG.
SUMMARY STEPS
1. enable
2. configure terminal
3. redundancy
4. application redundancy
5. group id
6. name group-name
7. shutdown
8. priority value [failover threshold value]
9. preempt
10. track object-number {decrement value | shutdown}
11. end
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# redundancy
Example:
Device(config-red)# application redundancy
Example:
Device(config-red-app)# group 1
Step 6 name group-name (Optional) Specifies an optional alias for the protocol instance.
Example:
Device(config-red-app-grp)# name group1
Example:
Device(config-red-app-grp)# shutdown
Step 8 priority value [failover threshold value] (Optional) Specifies the initial priority and failover threshold for a redundancy group.
Example:
Device(config-red-app-grp)# priority 100 failover threshold 50
Step 9 preempt Enables preemption on the group and enables the standby device to preempt the active device regardless of the priority.
Example:
Device(config-red-app-grp)# preempt
Step 10 track object-number {decrement value | shutdown}
Specifies the priority value of a redundancy group that will be decremented if an event occurs.
Example:
Device(config-red-app-grp)# track 200 decrement 200
Note Asymmetric routing, data, and control must be configured on separate interfaces for zone-based firewall.
However, for Network Address Translation (NAT), asymmetric routing, data, and control can be configured
on the same interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. redundancy
4. application redundancy
5. group id
6. data interface-type interface-number
7. control interface-type interface-number protocol id
8. timers delay seconds [reload seconds]
9. asymmetric-routing interface type number
10. asymmetric-routing always-divert enable
11. end
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# redundancy
Example:
Device(config-red-app-grp)# data GigabitEthernet 0/0/1
Step 7 control interface-type interface-number protocol id
Specifies the control interface that is used by the RG.
• The control interface is also associated with an instance of the control interface protocol.
Example:
Device(config-red-app-grp)# control GigabitEthernet 1/0/0 protocol 1
Step 8 timers delay seconds [reload seconds]
Specifies the time required for an RG to delay role negotiations that start after a fault occurs or the system is reloaded.
Example:
Device(config-red-app-grp)# timers delay 100 reload 400
Step 9 asymmetric-routing interface type number Specifies the asymmetric routing interface that is used by the RG.
Example:
Device(config-red-app-grp)# asymmetric-routing interface GigabitEthernet 0/1/1
Step 10 asymmetric-routing always-divert enable Always diverts packets received from the standby RG to the active RG.
Example:
Device(config-red-app-grp)# asymmetric-routing always-divert enable
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. no shutdown
6. exit
7. interface type number
8. ip address ip-address mask
9. no shutdown
10. exit
11. interface type number
12. ip address ip-address mask
13. no shutdown
14. exit
DETAILED STEPS
Example:
Device# configure terminal
Step 3 interface type number Enters interface configuration mode for the data interface.
Example:
Device(config)# interface GigabitEthernet 0/0/1
Step 4 ip address ip-address mask Assigns an IP address for the data interface.
Example:
Device(config-if)# ip address 10.2.3.2 255.255.255.0
Example:
Device(config-if)# no shutdown
Step 7 interface type number Enters interface configuration mode for the control interface.
Example:
Device(config)# interface gigabitethernet 1/0/0
Example:
Device(config-if)# ip address 10.10.2.5 255.255.255.0
Example:
Device(config-if)# no shutdown
Step 11 interface type number (Optional) Enters interface configuration mode for the asymmetric routing (AR) interface.
Example:
Device(config)# interface gigabitethernet 0/1/1
Example:
Device(config-if)# ip address 10.5.1.5 255.255.255.0
Example:
Device(config-if)# no shutdown
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. ip nat inside
6. redundancy rii id
7. redundancy group id ip virtual-ip [exclusive] [decrement value]
8. exit
9. interface type number
10. ip address ip-address mask
11. ip nat outside
12. redundancy rii id [decrement number]
13. redundancy group id ip virtual-ip [exclusive] [decrement value]
14. exit
15. ip nat inside source static local-ip global-ip [redundancy rg-id mapping-id map-id]
16. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 interface type number Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 2/0/2
Step 4 ip address ip-address mask Assigns a virtual IP (VIP) address on the interface.
Example:
Device(config-if)# ip address 192.168.1.27 255.255.255.0
Step 5 ip nat inside Designates that traffic originating from the interface is subject to Network Address Translation (NAT).
Example:
Device(config-if)# ip nat inside
Step 7 redundancy group id ip virtual-ip [exclusive] [decrement value]
Enables the redundancy group (RG) traffic interface configuration.
Example:
Device(config-if)# redundancy group 1 ip 192.168.1.20 exclusive decrement 100
Step 9 interface type number Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 0/0/0
Step 10 ip address ip-address mask Assigns a virtual IP (VIP) address on the interface.
Example:
Device(config-if)# ip address 192.168.5.54 255.255.255.0
Step 12 redundancy rii id [decrement number] Configures an RII for redundancy group-protected traffic interfaces.
Example:
Device(config-if)# redundancy rii 101
Step 13 redundancy group id ip virtual-ip [exclusive] [decrement value]
Enables the redundancy group (RG) traffic interface configuration and specifies the decrement value number that is decremented from the priority when the state of the interface goes down.
Example:
Device(config-if)# redundancy group 1 ip 192.168.5.10 exclusive decrement 100
Step 15 ip nat inside source static local-ip global-ip Enables NAT redundancy of the inside source and
[redundancy rg-id mapping-id map-id] associates the mapping ID to NAT high-availability
redundancy.
Example:
Device(config)# ip nat inside source static
10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. ip nat outside
6. redundancy rii id [decrement number]
7. redundancy asymmetric routing enable
8. exit
9. ip nat inside source static local-ip global-ip [redundancy RG-id mapping-id map-id]
10. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 interface type number
Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface serial 0/0/1
Step 4 ip address ip-address mask
Assigns an IP address to the interface.
Example:
Device(config-if)# ip address 192.168.1.27 255.255.255.0
Step 5 ip nat outside
Designates that traffic destined for the interface is subject to Network Address Translation (NAT).
Example:
Device(config-if)# ip nat outside
Step 6 redundancy rii id [decrement number]
Configures a Redundancy Interface Identifier (RII) for redundancy group-protected traffic interfaces.
Example:
Device(config-if)# redundancy rii 101
Step 9 ip nat inside source static local-ip global-ip [redundancy RG-id mapping-id map-id]
Enables NAT redundancy of the inside source and associates the mapping ID with NAT high-availability redundancy.
Example:
Device(config)# ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
Device(config-red-app)# group 1
Device(config-red-app-grp)# data GigabitEthernet 0/0/1
Device(config-red-app-grp)# control GigabitEthernet 1/0/0 protocol 1
Device(config-red-app-grp)# timers delay 100 reload 400
Device(config-red-app-grp)# asymmetric-routing interface GigabitEthernet 0/1/1
Device(config-red-app-grp)# asymmetric-routing always-divert enable
Device(config-red-app-grp)# end
Example: Configuring Asymmetric Routing for NAT Box-to-Box High-Availability Support
Device> enable
Device# configure terminal
Device(config)# interface serial 0/0/1
Device(config-if)# ip address 192.168.1.27 255.255.255.0
Device(config-if)# ip nat outside
Device(config-if)# redundancy rii 101
Device(config-if)# exit
Device(config)# ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
Device(config)# end
Technical Assistance
Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.
Prefixes Format
A set of bits at the start of an IPv6 address is called the format prefix. Prefix length is a decimal value that
specifies how many of the leftmost contiguous bits of an address comprise the prefix.
An embedded IPv4 address is used to construct IPv4 addresses from the IPv6 packet. The Stateless NAT64
translator has to derive the IPv4 addresses that are embedded in the IPv6-translatable address by using the
prefix length. The translator has to construct an IPv6-translatable address based on the prefix and prefix length
and embed the IPv4 address based on the algorithm.
The prefix lengths 32, 40, 48, 56, 64, and 96 are supported for Stateless NAT64 translation. The Well-Known
Prefix (WKP) is not supported for stateless translation: in the IPv4-to-IPv6 direction, either the WKP or a
configured prefix can be prepended only in stateful translation.
The figure below shows stateless translation for scenarios 1 and 2. An IPv6-only network communicates with
the IPv4 Internet.
Scenario 1 is an IPv6-initiated connection and scenario 2 is an IPv4-initiated connection. Stateless NAT64
translates these two scenarios only if the IPv6 addresses are IPv4-translatable. In these two scenarios, the
Stateless NAT64 feature does not help with IPv4 address depletion, because each IPv6 host that communicates
with the IPv4 Internet consumes a globally routable IPv4 address. This consumption is similar to the IPv4
consumption rate of a dual-stack deployment. The saving, however, is that the internal network is 100 percent
IPv6, which eases management (access control lists, routing tables), and IPv4 exists only at the edge where the
stateless translators live.
The figure below shows stateless translation for scenarios 5 and 6. The IPv4 network and IPv6 network are
within the same organization.
The IPv4 addresses used are either public IPv4 addresses or RFC 1918 addresses. The IPv6 addresses used
are either public IPv6 addresses or Unique Local Addresses (ULAs).
Both these scenarios consist of an IPv6 network that communicates with an IPv4 network. Scenario 5 is an
IPv6 initiated connection and scenario 6 is an IPv4 initiated connection. The IPv4 and IPv6 addresses may
not be public addresses. These scenarios are similar to the scenarios 1 and 2. The Stateless NAT64 feature
supports these scenarios if the IPv6 addresses are IPv4 translatable.
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 unicast-routing
4. interface type number
5. description string
6. ipv6 enable
7. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
8. nat64 enable
9. exit
10. interface type number
11. description string
12. ip address ip-address mask
13. nat64 enable
14. exit
15. nat64 prefix stateless ipv6-prefix/length
16. nat64 route ipv4-prefix/mask interface-type interface-number
17. ipv6 route ipv4-prefix/length interface-type interface-number
18. end
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# ipv6 unicast-routing
Example:
Device(config-if)# description interface facing ipv6
Example:
Device(config-if)# ipv6 enable
Step 7 ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.
Example:
Device(config-if)# ipv6 address 2001:DB8::1/128
Example:
Device(config-if)# nat64 enable
Step 10 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 1/2/0
Example:
Device(config-if)# description interface facing ipv4
Example:
Device(config-if)# ip address 198.51.100.1 255.255.255.0
Example:
Device(config-if)# nat64 enable
Step 15 nat64 prefix stateless ipv6-prefix/length
Defines the Stateless NAT64 prefix to be added to the IPv4 hosts to translate the IPv4 address into an IPv6 address.
• The command also identifies the prefix that must be used to create the IPv4-translatable addresses for the IPv6 hosts.
Example:
Device(config)# nat64 prefix stateless 2001:0db8:0:1::/96
Step 16 nat64 route ipv4-prefix/mask interface-type interface-number
Routes the IPv4 traffic towards the correct IPv6 interface.
Example:
Device(config)# nat64 route 203.0.113.0/24 gigabitethernet 0/0/0
Step 17 ipv6 route ipv4-prefix/length interface-type interface-number
Routes the translated IPv6 packets, whose destinations are the IPv4-translatable addresses of the IPv6 hosts, out of the IPv6-facing interface.
• You must configure the ipv6 route command if your network is not running IPv6 routing protocols.
Example:
Device(config)# ipv6 route 2001:DB8:0:1::CB00:7100/120 gigabitethernet 0/0/0
Example:
Device# show nat64 statistics
NAT64 Statistics
Global Stats:
Packets translated (IPv4 -> IPv6): 21
Packets translated (IPv6 -> IPv4): 15
GigabitEthernet0/0/1 (IPv4 configured, IPv6 configured):
Packets translated (IPv4 -> IPv6): 5
Packets translated (IPv6 -> IPv4): 0
Packets dropped: 0
GigabitEthernet1/2/0 (IPv4 configured, IPv6 configured):
Packets translated (IPv4 -> IPv6): 0
Packets translated (IPv6 -> IPv4): 5
Packets dropped: 0
Example:
Device# show ipv6 route
Example:
Device# show ip route
Step 4 debug nat64 {all | ha {all | info | trace | warn} | id-manager | info | issu {all | message | trace} | memory | statistics | trace | warn}
This command enables Stateless NAT64 debugging.
Example:
Device# debug nat64 statistics
Example:
Device# ping 198.168.0.2
ipv6 unicast-routing
!
interface gigabitethernet 0/0/0
description interface facing ipv6
ipv6 enable
Glossary
ALG—application-layer gateway or application-level gateway.
FP—Forward Processor.
IPv4-converted address—IPv6 addresses used to represent the IPv4 hosts. These have an explicit mapping
relationship to the IPv4 addresses. This relationship is self-described by mapping the IPv4 address in the IPv6
address. Both stateless and stateful translators use IPv4-converted IPv6 addresses to represent the IPv4 hosts.
IPv6-converted address—IPv6 addresses that are assigned to the IPv6 hosts for the stateless translator. These
IPv6-converted addresses have an explicit mapping relationship to the IPv4 addresses. This relationship is
self-described by mapping the IPv4 address in the IPv6 address. The stateless translator uses the corresponding
IPv4 addresses to represent the IPv6 hosts. The stateful translator does not use IPv6-converted addresses,
because the IPv6 hosts are represented by the IPv4 address pool in the translator via dynamic states.
NAT—Network Address Translation.
RP—Route Processor.
stateful translation—In stateful translation a per-flow state is created when the first packet in a flow is
received. A translation algorithm is said to be stateful if the transmission or reception of a packet creates or
modifies a data structure in the relevant network element. Stateful translation allows the use of multiple
translators interchangeably and also some level of scalability. Stateful translation is defined to enable the IPv6
clients and peers without mapped IPv4 addresses to connect to the IPv4-only servers and peers.
stateless translation—A translation algorithm that is not stateful is called stateless. A stateless translation
requires configuring a static translation table, or may derive information algorithmically from the messages
it is translating. Stateless translation requires less computational overhead than stateful translation. It also
requires less memory to maintain the state, because the translation tables and the associated methods and
processes exist in a stateful algorithm and do not exist in a stateless one. Stateless translation enables the
IPv4-only clients and peers to initiate connections to the IPv6-only servers or peers that are equipped with
IPv4-embedded IPv6 addresses. It also enables scalable coordination of IPv4-only stub networks or ISP
IPv6-only networks. Although the source port in an IPv6-to-IPv4 translation may have to be changed by a
stateful translator to provide adequate flow identification, the source port in a stateless translation need not
be changed in either direction.
When an incoming packet is stateful (if a state exists for an incoming packet), NAT64 identifies the state and
uses the state to translate the packet.
Scenario 1
An IPv6-only network that communicates with the global IPv4 Internet. This type of network is also called a
green-field network. In a green-field enterprise network, only the border between the network and the IPv4
Internet can be modified.
Translation is performed between IPv4 and IPv6 packets in unidirectional or bidirectional flows that are
initiated from an IPv6 host towards an IPv4 host. Port translation is necessary on the IPv4 side for efficient
IPv4 address usage. The stateful translator can service an IPv6 network of any size.
Both Stateful NAT64 and Stateless NAT64 support Scenario 1.
Scenario 3
Scenario 3 shows a legacy IPv4 network that provides services to IPv6 hosts. IPv6-initiated communication
can be achieved through stateful translation in this scenario.
Translation is performed between IPv4 and IPv6 packets in unidirectional or bidirectional flows that are
initiated from an IPv6 host towards an IPv4 host. The stateful translator can service an IPv4 network using
either private or public IPv4 addresses.
Note Do not use the Well-Known Prefix (WKP) for Scenario 3, because it would lead to using the WKP with
non-global IPv4 addresses. Use a network-specific prefix (example, /96 prefix) in Scenario 3. For more
information, see RFC 6052, section "3.4 Choice of Prefix for Stateful Translation Deployments"
Scenario 5
This scenario has an IPv4 and IPv6 network within the same organization. The IPv4 addresses used are either
public IPv4 addresses or RFC 1918-compliant addresses. IPv6 addresses are either public IPv6 addresses or
Unique Local Addresses (ULAs) as specified by RFC 4193.
Translation is performed between IPv6 and IPv4 packets in unidirectional or bidirectional flows that are
initiated from an IPv6 host towards an IPv4 host. The stateful translator can service both IPv6 and IPv4
networks of any size; however, neither network should be the Internet.
Both Stateful NAT64 and Stateless NAT64 support Scenario 5.
All subsequent IPv4-initiated packets are translated based on the previously created session.
• A new NAT64 translation is created in the session database and in the bind database. The pool and port
databases are updated depending on the configuration. The return traffic and the subsequent traffic of
the IPv6 packet flow will use this session database entry for translation.
IP Packet Filtering
Stateful Network Address Translation 64 (NAT64) filters IPv6 and IPv4 packets. All IPv6 packets that are
transmitted into the stateful translator are filtered because statefully translated IPv6 packets consume resources
in the translator. These packets consume processor resources for packet processing, memory resources (always
session memory) for static configuration, IPv4 address resources for dynamic configuration, and IPv4 address
and port resources for Port Address Translation (PAT).
Stateful NAT64 utilizes configured access control lists (ACLs) and prefix lists to filter IPv6-initiated traffic
flows that are allowed to create the NAT64 state. Filtering of IPv6 packets is done in the IPv6-to-IPv4 direction
because dynamic allocation of mapping between an IPv6 host and an IPv4 address can be done only in this
direction.
Stateful NAT64 supports endpoint-dependent filtering for the IPv4-to-IPv6 packet flow with PAT configuration.
In a Stateful NAT64 PAT configuration, the packet flow must have originated from the IPv6 realm and created
the state information in NAT64 state tables. Packets from the IPv4 side that do not have a previously created
state are dropped. Endpoint-independent filtering is supported with static Network Address Translation (NAT)
and non-PAT configurations.
Note You need to configure at least one of the configurations described in the following tasks for Stateful
NAT64 to work.
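A model of the filtering behaviour this section describes, as an added example for this page (not Cisco code, and not a description of how IOS stores its tables): an IPv6-initiated packet creates NAT64 state only if its source matches the permit ACL or a static mapping; an IPv4-initiated packet without prior state is accepted only for static and non-PAT (pool) bindings, which are endpoint-independent, and is dropped in the PAT (overload) case, which is endpoint-dependent. The /96 prefix 2001:db8:1::, the ACL prefix 2001:db8:2::/96 and the pool addresses follow the page's later examples; the host addresses, ports and flows are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Stateful NAT64 prefix used in the page's examples; with a /96 prefix the
# IPv4 address is simply the low 32 bits of the IPv6 address.
PREFIX = ipaddress.IPv6Network("2001:db8:1::/96")


def v6_to_embedded_v4(addr6: str) -> str:
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(addr6)) & 0xFFFFFFFF))


def v4_to_embedded_v6(addr4: str) -> str:
    return str(ipaddress.IPv6Address(int(PREFIX.network_address)
                                     | int(ipaddress.IPv4Address(addr4))))


@dataclass
class StatefulNat64:
    """Toy translator; packets are (src, sport, dst, dport, proto), None = dropped."""
    acl: list[str]                       # permitted IPv6 source prefixes (nat64 v6v4 list ACL)
    pool: list[str]                      # IPv4 pool (nat64 v4 pool)
    static: dict[str, str] = field(default_factory=dict)   # nat64 v6v4 static: v6 -> v4
    pat: bool = False                    # overload: many IPv6 hosts share one IPv4 address
    binds: dict[str, str] = field(default_factory=dict)    # dynamic v6 host -> v4 (non-PAT)
    sessions: dict[tuple, tuple[str, int]] = field(default_factory=dict)
    _next_port: int = 1024

    def _permitted(self, src6: str) -> bool:
        src = ipaddress.IPv6Address(src6)
        return src6 in self.static or any(src in ipaddress.IPv6Network(n) for n in self.acl)

    def v6_to_v4(self, src6, sport, dst6, dport, proto):
        """IPv6-initiated direction: the only direction in which state is created."""
        if ipaddress.IPv6Address(dst6) not in PREFIX:
            return None                          # not a translatable destination
        if not self._permitted(src6):
            return None                          # ACL filter: flow may not create state
        dst4 = v6_to_embedded_v4(dst6)
        if src6 in self.static:
            src4, port = self.static[src6], sport
        elif self.pat:
            src4, port = self.pool[0], self._next_port   # shared address, fresh port
            self._next_port += 1
        else:
            if src6 not in self.binds:
                if not self.pool:
                    return None                  # pool exhausted: no bind, packet dropped
                self.binds[src6] = self.pool.pop(0)
            src4, port = self.binds[src6], sport
        # session key: (local v4, local port, remote v4, remote port, proto)
        self.sessions[(src4, port, dst4, dport, proto)] = (src6, sport)
        return (src4, port, dst4, dport, proto)

    def v4_to_v6(self, src4, sport, dst4, dport, proto):
        """IPv4-initiated direction: filtering depends on how the mapping was made."""
        hit = self.sessions.get((dst4, dport, src4, sport, proto))
        if hit:                                  # reply on an existing session
            src6, port6 = hit
            return (v4_to_embedded_v6(src4), sport, src6, port6, proto)
        # No session.  Static and non-PAT bindings are endpoint-independent:
        # any IPv4 peer may reach the mapped IPv6 host on any port.
        for v6, v4 in list(self.static.items()) + list(self.binds.items()):
            if v4 == dst4:
                return (v4_to_embedded_v6(src4), sport, v6, dport, proto)
        # PAT mappings are endpoint-dependent: no state, no translation.
        return None
```

Note the asymmetry the page calls out: the ACL is consulted only in `v6_to_v4`, because that is the only direction in which a dynamic mapping can be allocated; the IPv4 side is gated by existing state or by a mapping that already exists.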
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 unicast-routing
4. interface type number
5. description string
6. ipv6 enable
7. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
8. nat64 enable
9. exit
10. interface type number
11. description string
12. ip address ip-address mask
13. nat64 enable
14. exit
15. nat64 prefix stateful ipv6-prefix/length
16. nat64 v6v4 static ipv6-address ipv4-address
17. end
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# ipv6 unicast-routing
Step 4 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 0/0/0
Example:
Device(config-if)# description interface facing ipv6
Example:
Device(config-if)# ipv6 enable
Step 7 ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.
Example:
Device(config-if)# ipv6 address 2001:DB8:1::1/96
Example:
Device(config-if)# nat64 enable
Step 10 interface type number
Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 1/2/0
Example:
Device(config-if)# description interface facing ipv4
Example:
Device(config-if)# ip address 209.165.201.1 255.255.255.0
Example:
Device(config-if)# nat64 enable
Step 15 nat64 prefix stateful ipv6-prefix/length
Defines the Stateful NAT64 prefix to be added to IPv4 hosts to translate the IPv4 address into an IPv6 address.
• The Stateful NAT64 prefix can be configured at the global configuration level or at the interface level.
Example:
Device(config)# nat64 prefix stateful 2001:DB8:1::1/96
Step 16 nat64 v6v4 static ipv6-address ipv4-address
Enables NAT64 IPv6-to-IPv4 static address mapping.
Example:
Device(config)# nat64 v6v4 static 2001:DB8:1::FFFE 209.165.201.1
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 unicast-routing
4. interface type number
5. description string
6. ipv6 enable
7. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
8. nat64 enable
9. exit
10. interface type number
11. description string
12. ip address ip-address mask
13. nat64 enable
14. exit
15. ipv6 access-list access-list-name
16. permit ipv6 ipv6-address any
17. exit
18. nat64 prefix stateful ipv6-prefix/length
19. nat64 v4 pool pool-name start-ip-address end-ip-address
20. nat64 v6v4 list access-list-name pool pool-name
21. end
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# ipv6 unicast-routing
Example:
Device(config-if)# description interface facing ipv6
Example:
Device(config-if)# ipv6 enable
Step 7 ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.
Example:
Device(config-if)# ipv6 address 2001:DB8:1::1/96
Example:
Device(config-if)# nat64 enable
Step 10 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 1/2/0
Example:
Device(config-if)# description interface facing ipv4
Example:
Device(config-if)# ip address 209.165.201.24 255.255.255.0
Example:
Device(config-if)# nat64 enable
Step 15 ipv6 access-list access-list-name
Defines an IPv6 access list and enters IPv6 access list configuration mode.
Example:
Device(config)# ipv6 access-list nat64-acl
Step 16 permit ipv6 ipv6-address any
Sets permit conditions for an IPv6 access list.
Example:
Device(config-ipv6-acl)# permit ipv6 2001:DB8:2::/96 any
Step 17 exit
Exits IPv6 access list configuration mode and enters global configuration mode.
Example:
Device(config-ipv6-acl)# exit
Step 18 nat64 prefix stateful ipv6-prefix/length
Enables NAT64 IPv6-to-IPv4 address mapping.
Example:
Device(config)# nat64 prefix stateful 2001:DB8:1::1/96
Step 19 nat64 v4 pool pool-name start-ip-address end-ip-address
Defines the Stateful NAT64 IPv4 address pool.
Example:
Device(config)# nat64 v4 pool pool1 209.165.201.1 209.165.201.254
Step 20 nat64 v6v4 list access-list-name pool pool-name
Dynamically translates an IPv6 source address to an IPv4 source address and an IPv6 destination address to an IPv4 destination address for NAT64.
Example:
Device(config)# nat64 v6v4 list nat64-acl pool pool1
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 unicast-routing
4. interface type number
5. description string
6. ipv6 enable
7. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
8. nat64 enable
9. exit
10. interface type number
11. description string
12. ip address ip-address mask
13. nat64 enable
14. exit
15. ipv6 access-list access-list-name
16. permit ipv6 ipv6-address any
17. exit
18. nat64 prefix stateful ipv6-prefix/length
19. nat64 v4 pool pool-name start-ip-address end-ip-address
20. nat64 v6v4 list access-list-name pool pool-name overload
21. end
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# ipv6 unicast-routing
Step 4 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 0/0/0
Example:
Device(config-if)# description interface facing ipv6
Example:
Device(config-if)# ipv6 enable
Step 7 ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.
Example:
Device(config-if)# ipv6 address 2001:DB8:1::1/96
Step 10 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 1/2/0
Example:
Device(config-if)# description interface facing ipv4
Example:
Device(config-if)# ip address 209.165.201.24 255.255.255.0
Step 15 ipv6 access-list access-list-name
Defines an IPv6 access list and places the device in IPv6 access list configuration mode.
Example:
Device(config)# ipv6 access-list nat64-acl
Step 16 permit ipv6 ipv6-address any
Sets permit conditions for an IPv6 access list.
Example:
Device(config-ipv6-acl)# permit ipv6 2001:db8:2::/96 any
Step 17 exit
Exits IPv6 access list configuration mode and enters global configuration mode.
Example:
Device(config-ipv6-acl)# exit
Step 18 nat64 prefix stateful ipv6-prefix/length
Enables NAT64 IPv6-to-IPv4 address mapping.
Example:
Device(config)# nat64 prefix stateful 2001:db8:1::1/96
Step 19 nat64 v4 pool pool-name start-ip-address end-ip-address
Defines the Stateful NAT64 IPv4 address pool.
Example:
Device(config)# nat64 v4 pool pool1 209.165.201.1 209.165.201.254
Step 20 nat64 v6v4 list access-list-name pool pool-name overload
Dynamically translates IPv6 addresses to IPv4 addresses for NAT64 using Port Address Translation (PAT); the overload keyword lets multiple IPv6 hosts share one IPv4 pool address.
Example:
Device(config)# nat64 v6v4 list nat64-acl pool pool1 overload
Example:
Device# show nat64 aliases
Aliases configured: 1
Address Table ID Inserted Flags Send ARP Reconcilable Stale Ref-Count
10.1.1.1 0 FALSE 0x0030 FALSE TRUE FALSE 1
Example:
Device# show nat64 logging
translation
flow export UDP 10.1.1.1 5000 60087
Step 3 show nat64 prefix stateful {global | {interfaces | static-routes} [prefix ipv6-address/prefix-length]}
This command displays information about NAT64 stateful prefixes.
Example:
Device# show nat64 prefix stateful interfaces
Stateful Prefixes
Example:
Device# show nat64 timeouts
NAT64 Timeout
Additional References
Related Documents
Standard/RFC Title
RFC 4291 IP Version 6 Addressing Architecture
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
• Restrictions for Mapping of Address and Port Using Translation, page 125
• Information About Mapping of Address and Port Using Translation, page 126
• How to Configure Mapping of Address and Port Using Translation, page 130
• Configuration Examples for Mapping of Address and Port Using Translation, page 132
• Additional References for Mapping of Address and Port Using Translation, page 133
• Feature Information for Mapping of Address and Port Using Translation, page 134
• Glossary, page 134
• A BMR configures the MAP IPv6 address or prefix. The basic mapping rule is configured for the source
address prefix. You can configure only one basic mapping rule per IPv6 prefix. The basic mapping rule
is used by the MAP-T CE to configure itself with an IPv4 address, an IPv4 prefix, or a shared IPv4
address from an IPv6 prefix. The basic mapping rule can also be used for forwarding packets, where an
IPv4 destination address and a destination port are mapped into an IPv6 address/prefix. Every MAP-T
node (a CE device is a MAP-T node) must be provisioned with a basic mapping rule. You can use the
port-parameters command to configure port parameters for the MAP-T BMR.
• A DMR is a mandatory rule that is used for mapping IPv4 information to IPv6 addresses for destinations
outside a MAP-T domain. A 0.0.0.0/0 entry is automatically configured in the MAP rule table (MRT)
for this rule.
• An FMR is used for forwarding packets. Each FMR results in an entry in the MRT for the rule IPv4
prefix. FMR is an optional rule for mapping IPv4 and IPv6 destinations within a MAP-T domain.
Note Forwarding mapping rule (FMR) is not supported by the Mapping of Address and Port Using Translation feature.
The figure below shows the mapped CE address format as defined in MAP-T configuration. This address
format is used in basic mapping rule (BMR) and FMR operations.
The figure below shows the address format used by the MAP-T default mapping rule (DMR), an IPv4-translated
address that is specific to MAP-T configuration.
Note The Mapping of Address and Port Using Translation feature does not support the MAP-T customer edge
(CE) functionality. The CE functionality is provided by third-party devices.
on the IPv4 packet, and the IPv4 packet is forwarded to the IPv4 egress interface for processing and
transmission.
SUMMARY STEPS
1. enable
2. configure terminal
3. nat64 map-t domain number
4. default-mapping-rule ipv6-prefix/prefix-length
5. basic-mapping-rule
6. ipv6-prefix prefix/length
7. ipv4-prefix prefix/length
8. port-parameters share-ratio ratio [start-port port-number]
9. end
10. show nat64 map-t domain number
DETAILED STEPS
Example:
Device# configure terminal
Step 4 default-mapping-rule ipv6-prefix/prefix-length
Configures the default mapping rule (DMR) for the MAP-T domain.
Example:
Device(config-nat64-mapt)# default-mapping-rule 2001:DA8:B001:FFFF::/64
Step 5 basic-mapping-rule
Configures the basic mapping rule (BMR) for the MAP-T domain and enters NAT64 MAP-T BMR configuration mode.
Example:
Device(config-nat64-mapt)# basic-mapping-rule
Step 6 ipv6-prefix prefix/length
Configures an IPv6 address and prefix for the MAP-T BMR.
Example:
Device(config-nat64-mapt-bmr)# ipv6-prefix 2001:DA8:B001::/56
Step 7 ipv4-prefix prefix/length
Configures an IPv4 address and prefix for the MAP-T BMR.
Example:
Device(config-nat64-mapt-bmr)# ipv4-prefix 202.1.0.128/28
Step 8 port-parameters share-ratio ratio [start-port port-number]
Configures port parameters for the MAP-T BMR.
Example:
Device(config-nat64-mapt-bmr)# port-parameters share-ratio 16 start-port 1024
Step 10 show nat64 map-t domain number
Displays MAP-T domain information.
Example:
Device# show nat64 map-t domain 1
The following is sample output from the show nat64 map-t domain command:
Device# show nat64 map-t domain 1
MAP-T Domain 1
Mode MAP-T
Default-mapping-rule
Ip-v6-prefix 2001:DA8:B001:FFFF::/64
Basic-mapping-rule
Ip-v6-prefix 2001:DA8:B001::/56
Ip-v4-prefix 202.1.0.128/28
Port-parameters
Share-ratio 16 Contiguous-ports 64 Start-port 1024
Share-ratio-bits 4 Contiguous-ports-bits 6 Port-offset-bits 6
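How the BMR parameters in the output above determine a CE's IPv4 address and port set, as an added example for this page (not Cisco code). It applies the MAP port-set algorithm of RFC 7597 (shared by MAP-T, RFC 7599) to the page's own domain: rule prefixes 2001:DA8:B001::/56 and 202.1.0.128/28, share-ratio 16, contiguous-ports 64, start-port 1024. The derived bit widths must match the Share-ratio-bits 4, Contiguous-ports-bits 6 and Port-offset-bits 6 the device prints. The end-user prefix length (/64) follows from those values; the sample CE prefix 2001:da8:b001:5a::/64 is constructed, and the CE interface-identifier layout (16 zero bits, IPv4 address, 16-bit PSID) is the RFC 7597 section 6 format rather than anything shown on this page.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Bmr:
    """Basic mapping rule, with the fields `show nat64 map-t domain` prints."""
    ipv6_prefix: str         # rule IPv6 prefix
    ipv4_prefix: str         # rule IPv4 prefix
    share_ratio: int         # CEs sharing one IPv4 address (power of two)
    contiguous_ports: int    # ports per contiguous block (power of two)
    start_port: int          # lowest port a CE may use (excludes well-known ports)

    def __post_init__(self):
        for v in (self.share_ratio, self.contiguous_ports):
            if v <= 0 or v & (v - 1):
                raise ValueError("share-ratio and contiguous-ports must be powers of two")

    @property
    def k(self) -> int:           # share-ratio-bits: width of the PSID
        return self.share_ratio.bit_length() - 1

    @property
    def m(self) -> int:           # contiguous-ports-bits
        return self.contiguous_ports.bit_length() - 1

    @property
    def a(self) -> int:           # port-offset-bits: what remains of the 16-bit port
        return 16 - self.k - self.m

    @property
    def ipv4_suffix_bits(self) -> int:
        return 32 - ipaddress.IPv4Network(self.ipv4_prefix).prefixlen

    @property
    def ea_bits(self) -> int:     # embedded-address bits = IPv4 suffix + PSID
        return self.ipv4_suffix_bits + self.k

    @property
    def end_user_prefixlen(self) -> int:
        return ipaddress.IPv6Network(self.ipv6_prefix).prefixlen + self.ea_bits


def ce_from_prefix(bmr: Bmr, end_user_prefix: str) -> tuple[str, int]:
    """(IPv4 address, PSID) that a CE derives from its end-user IPv6 prefix."""
    rule6 = ipaddress.IPv6Network(bmr.ipv6_prefix)
    eu = ipaddress.IPv6Network(end_user_prefix)
    if eu.prefixlen != bmr.end_user_prefixlen or not eu.subnet_of(rule6):
        raise ValueError("end-user prefix does not belong to this BMR")
    # EA bits are the bits immediately following the rule IPv6 prefix
    ea = (int(eu.network_address) >> (128 - eu.prefixlen)) & ((1 << bmr.ea_bits) - 1)
    suffix = ea >> bmr.k                      # high part: IPv4 address suffix
    psid = ea & ((1 << bmr.k) - 1)            # low part: port-set ID
    v4 = ipaddress.IPv4Network(bmr.ipv4_prefix).network_address + suffix
    return str(v4), psid


def prefix_for_ce(bmr: Bmr, ipv4: str, psid: int) -> ipaddress.IPv6Network:
    """Inverse: the end-user prefix the BR expects for an IPv4 address and PSID."""
    net4 = ipaddress.IPv4Network(bmr.ipv4_prefix)
    suffix = int(ipaddress.IPv4Address(ipv4)) - int(net4.network_address)
    if not 0 <= suffix < (1 << bmr.ipv4_suffix_bits) or not 0 <= psid < (1 << bmr.k):
        raise ValueError("address or PSID outside this rule")
    ea = (suffix << bmr.k) | psid
    plen = bmr.end_user_prefixlen
    base = int(ipaddress.IPv6Network(bmr.ipv6_prefix).network_address)
    addr = ipaddress.IPv6Address(base | (ea << (128 - plen)))
    return ipaddress.IPv6Network(f"{addr}/{plen}")


def port_ranges(bmr: Bmr, psid: int) -> list[tuple[int, int]]:
    """Contiguous port blocks owned by `psid`: port = A | PSID | offset (a, k, m bits)."""
    first_a = bmr.start_port >> (bmr.k + bmr.m)     # start-port 1024 -> A starts at 1
    blocks = []
    for a in range(first_a, 1 << bmr.a):
        lo = (a << (bmr.k + bmr.m)) | (psid << bmr.m)
        blocks.append((lo, lo + bmr.contiguous_ports - 1))
    return blocks


def psid_of_port(bmr: Bmr, port: int) -> int:
    """Which CE a port belongs to: the k bits above the m contiguous-port bits."""
    return (port >> bmr.m) & ((1 << bmr.k) - 1)


def ce_ipv6_address(bmr: Bmr, end_user_prefix: str) -> ipaddress.IPv6Address:
    """CE address: end-user prefix + IID of 16 zero bits, IPv4 address, 16-bit PSID."""
    ipv4, psid = ce_from_prefix(bmr, end_user_prefix)
    iid = (int(ipaddress.IPv4Address(ipv4)) << 16) | psid
    base = int(ipaddress.IPv6Network(end_user_prefix).network_address)
    return ipaddress.IPv6Address(base | iid)


if __name__ == "__main__":
    bmr = Bmr("2001:da8:b001::/56", "202.1.0.128/28", 16, 64, 1024)
    v4, psid = ce_from_prefix(bmr, "2001:da8:b001:5a::/64")
    print(v4, psid, port_ranges(bmr, psid)[:3], ce_ipv6_address(bmr, "2001:da8:b001:5a::/64"))
```

A border router uses `psid_of_port` on the destination port of an IPv4 packet to pick which CE in a shared-address group owns it; a packet whose port maps to a PSID that has no corresponding CE, or that lies below start-port, has no valid owner and should be dropped rather than forwarded.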
Standard/RFC Title
MAP Mapping of Address and Port (MAP)
Table 6: Feature Information for Mapping of Address and Port Using Translation
Glossary
EA bits—Embedded address bits. The IPv4 EA bits in the IPv6 address identify an IPv4 prefix/address (or
part thereof) or a shared IPv4 address (or part thereof) and a port-set identifier.
IP fragmentation—The process of breaking a datagram into a number of pieces that can be reassembled
later. The IP source, destination, identification, total length, and fragment offset fields, along with the More
fragments and Don't Fragment (DF) flags in the IP header, are used for IP fragmentation and reassembly. A
DF bit is a bit within the IP header that determines whether a device is allowed to fragment a packet.
IPv4-translatable address—IPv6 addresses that are used to represent IPv4 hosts. These addresses have an
explicit mapping relationship to IPv6 addresses. This relationship is self-described by mapping the IPv4
address in the IPv6 address. Both stateless and stateful translators use IPv4-translatable (also called
IPv4-converted) IPv6 addresses to represent IPv4 hosts.
IPv6-translatable address—IPv6 addresses that are assigned to IPv6 hosts for stateless translation. These
IPv6-translatable addresses (also called IPv6-converted addresses) have an explicit mapping relationship to
IPv4 addresses. This relationship is self-described by mapping the IPv4 address in the IPv6 address. The
stateless translator uses corresponding IPv4 addresses to represent IPv6 hosts. The stateful translator does not
use IPv6-translatable addresses because IPv6 hosts are represented by the IPv4 address pool in the translator
via dynamic states.
MAP rule—A set of parameters that define the mapping between an IPv4 prefix, an IPv4 address or a shared
IPv4 address, and an IPv6 prefix or address. Each MAP domain uses a different mapping rule set.
MAP-T border router—A mapping of address and port using translation (MAP-T)-enabled router or translator
at the edge of a MAP domain that provides connectivity to the MAP-T domain. A border relay router has at
least one IPv6-enabled interface and one IPv4 interface connected to the native IPv4 network, and this router
can serve multiple MAP-T domains.
MAP-T CE—A device that functions as a customer edge (CE) router in a MAP-T deployment. A typical
MAP-T CE device that adopts MAP rules serves a residential site with one WAN-side interface and one or
more LAN-side interfaces. A MAP-T CE device can also be referred to as a “CE” within the context of a
MAP-T domain.
MAP-T domain—Mapping of address and port using translation (MAP-T) domain. One or more customer
edge (CE) devices and a border router, all connected to the same IPv6 network. A service provider may deploy
a single MAP-T domain or use multiple MAP domains.
MRT—MAP rule table. Address and port-aware data structure that supports the longest match lookups. The
MRT is used by the MAP-T forwarding function.
path MTU—Path maximum transmission unit (MTU) discovery prevents fragmentation in the path between
endpoints. Path MTU discovery is used to dynamically determine the lowest MTU along the path from a
packet’s source to its destination. Path MTU discovery is supported only by TCP and UDP. Path MTU discovery
is mandatory in IPv6, but it is optional in IPv4. IPv6 devices never fragment a packet—only the sender can
fragment packets.
stateful translation—Creates a per-flow state when the first packet in a flow is received. A translation
algorithm is said to be stateful if the transmission or reception of a packet creates or modifies a data structure
in the relevant network element. Stateful translation allows the use of multiple translators interchangeably
and also some level of scalability. Stateful translation enables IPv6 clients and peers without mapped IPv4
addresses to connect to IPv4-only servers and peers.
stateless translation—A translation algorithm that is not stateful. A stateless translation requires configuring
a static translation table or may derive information algorithmically from the messages that it is translating.
Stateless translation requires less computational overhead than stateful translation. It also requires less memory
to maintain the state because the translation tables and the associated methods and processes exist in a stateful
algorithm and do not exist in a stateless one. Stateless translation enables IPv4-only clients and peers to initiate
connections to IPv6-only servers or peers that are equipped with IPv4-embedded IPv6 addresses. It also
enables scalable coordination of IPv4-only stub networks or ISP IPv6-only networks. While the source port
in an IPv6-to-IPv4 translation may have to be changed to provide adequate flow identification, the source
port in the IPv4-to-IPv6 direction need not be changed.
• This feature does not support a BMR prefix length of 64, fragmentation, or local packet generation.
1. enable
2. configure terminal
3. nat64 map-e domain number
4. basic-mapping-rule
5. ipv4-prefix ipv4-prefix/length
6. ipv6-prefix ipv6-prefix/length
7. port-parameters share-ratio number port-offset-bits number | start-port port-number | no-eabits number
8. exit
9. default-mapping-rule ipv6 prefix/length
10. mode map-e
11. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 nat64 map-e domain number
Specifies the NAT64 MAP-E domain and enters MAP-E configuration mode.
• The range is from 1 to 128.
Example:
Device(config)# nat64 map-e domain 1
Step 4 basic-mapping-rule
Specifies the MAP-E mapping rule and enters basic mapping rule configuration mode.
Example:
Device(config-nat64-mape)# basic-mapping-rule
Step 5 ipv4-prefix ipv4-prefix/length
Specifies the IPv4 prefix and length for translation.
Example:
Device(config-nat64-mape-bmr)# ipv4-prefix 10.1.1.0/24
Step 6 ipv6-prefix ipv6-prefix/length
Specifies the IPv6 prefix and length for translation.
Example:
Device(config-nat64-mape-bmr)# ipv6-prefix 2001:100::0/64
Step 7 port-parameters share-ratio number port-offset-bits number | start-port port-number | no-eabits number
Specifies the share-ratio, contiguous-ports, and start-port values for the MAP-E Basic Mapping Rule (BMR).
• If the share ratio is greater than 1, the configuration throws an error if the start-port value is incorrect. The calculation is based on the share-ratio and port-offset bits. The configuration throws an error and displays the value to be configured.
• If the share ratio is 1, there are no port-offset bits, because the value is automatically set to 6 and the start port is set to 1024.
Example:
Device(config-nat64-mape-bmr)# port-parameters share-ratio 2 port-offset-bits 5 start-port 1024
Step 8 exit
Exits basic mapping rule configuration mode and returns to MAP-E configuration mode.
Example:
Device(config-nat64-mape-bmr)# exit
Example:
Device(config-nat64-MAP-E)# mode map-e
1. enable
2. show nat64 MAP-E [domain number]
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable
Step 2 show nat64 MAP-E [domain number]
Displays MAP-E configuration.
Example:
Device# show nat64 MAP-E domain 1
MAP-E Domain 1
Mode MAP-E
Default-mapping-rule
Ip-v6-prefix 2001:22::/128
Basic-mapping-rule
Ip-v6-prefix 2001:100::/64
Ip-v4-prefix 10.1.1.0/24
Port-parameters
Share-ratio 2 Contiguous-ports 1024 Start-port 1024
Share-ratio-bits 1 Contiguous-ports-bits 10 Port-offset-bits 5
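The port-parameter values in the show output above follow from the RFC 7597 port layout. The following Python, an added example rather than Cisco code, derives share-ratio-bits, contiguous-ports-bits and contiguous-ports from the configured share-ratio and port-offset-bits, extracts the PSID from a port, and enumerates the port blocks a PSID owns, which is the check a border relay needs to reject packets whose source port does not belong to the sending CE. The start-port validation that IOS performs is implementation specific and is not modelled; the PortParameters and owns_port names are this example's own.

```python
"""MAP-E port-set arithmetic for a BMR (added example, not Cisco code).

RFC 7597 splits a 16-bit port into three fields, high bits first:
    A (port-offset bits, a) | PSID (share-ratio bits, k) | M (contiguous-ports bits, m)
with a + k + m = 16.  The IOS start-port check is not modelled here; the RFC's
exclusion of the A = 0 block (the well-known ports) is.
"""
from dataclasses import dataclass
from typing import List, Tuple

PORT_BITS = 16


@dataclass(frozen=True)
class PortParameters:
    share_ratio: int        # CEs sharing one IPv4 address; must be a power of two
    port_offset_bits: int   # 'a' in RFC 7597; IOS sets 6 when share-ratio is 1

    def __post_init__(self) -> None:
        if self.share_ratio < 1 or self.share_ratio & (self.share_ratio - 1):
            raise ValueError("share-ratio must be a power of two")
        if not 0 <= self.port_offset_bits < PORT_BITS:
            raise ValueError("port-offset-bits out of range")
        if self.share_ratio_bits + self.port_offset_bits >= PORT_BITS:
            raise ValueError("no contiguous-port bits left")

    @property
    def share_ratio_bits(self) -> int:
        """k: width of the PSID field (show output: Share-ratio-bits)."""
        return self.share_ratio.bit_length() - 1

    @property
    def contiguous_ports_bits(self) -> int:
        """m: bits below the PSID (show output: Contiguous-ports-bits)."""
        return PORT_BITS - self.share_ratio_bits - self.port_offset_bits

    @property
    def contiguous_ports(self) -> int:
        """2**m ports in each contiguous block (show output: Contiguous-ports)."""
        return 1 << self.contiguous_ports_bits

    def psid_for_port(self, port: int) -> int:
        """PSID is the k bits directly above the m contiguous-port bits."""
        if not 0 <= port < (1 << PORT_BITS):
            raise ValueError("port out of range")
        return (port >> self.contiguous_ports_bits) & (self.share_ratio - 1)

    def port_blocks(self, psid: int) -> List[Tuple[int, int]]:
        """Inclusive (first, last) port ranges owned by `psid`.

        A runs from 1 to 2**a - 1 when a > 0, so ports 0 .. 2**(16-a) - 1 are
        never handed to a CE; when a == 0 there is a single block with A = 0.
        """
        if not 0 <= psid < self.share_ratio:
            raise ValueError("psid out of range for this share-ratio")
        a, m = self.port_offset_bits, self.contiguous_ports_bits
        a_values = range(1, 1 << a) if a else range(1)
        blocks = []
        for a_val in a_values:
            first = (a_val << (PORT_BITS - a)) | (psid << m)
            blocks.append((first, first + self.contiguous_ports - 1))
        return blocks

    def ports_per_psid(self) -> int:
        """Total ports one CE can use with this rule."""
        return sum(last - first + 1 for first, last in self.port_blocks(0))


def owns_port(params: PortParameters, psid: int, port: int) -> bool:
    """True if a packet from `port` may belong to the CE holding `psid`.

    A border relay applies exactly this check: a source port outside the CE's
    port set means a spoofed or misconfigured packet that should be dropped.
    """
    return any(first <= port <= last for first, last in params.port_blocks(psid))


if __name__ == "__main__":
    bmr = PortParameters(share_ratio=2, port_offset_bits=5)   # values from the show output above
    print("share-ratio-bits", bmr.share_ratio_bits,
          "contiguous-ports-bits", bmr.contiguous_ports_bits,
          "contiguous-ports", bmr.contiguous_ports)
    print("PSID 1 first block", bmr.port_blocks(1)[0], "ports per PSID", bmr.ports_per_psid())
```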
Standard/RFC: MAP
Title: Mapping of Address and Port (MAP)
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/fsaclseq.htm
Note If you specify an access list to use with a NAT command, NAT does not support the commonly used
permit ip any any command in the access list.
• NAT interface--The shared access gateway interface most often is configured as the outside interface
of NAT. The inside interface of NAT can be either the PE-CE interface of a VPN, the interface to the
MPLS backbone, or both. The shared access gateway interface can also be configured as the inside
interface.
• Routing type--Common service can be Internet connectivity or a common server. For Internet connectivity,
a default route should be propagated to all the VPN customers that use the service. For common server
access, a static or dynamically learned route should be propagated to the VPN customers.
• NAT configuration--NAT can have different configurations: static, dynamic, pool/interface overloading,
and route-map.
The figure below shows a typical NAT integration with MPLS VPNs. The PE router connected to the internet
and centralized mail service is employed to do the address translation.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip netmask netmask
4. ip nat [inside | outside] source [list {access-list-number | access-list-name} | route-map name] [interface type number | pool pool-name] vrf vrf-name [overload]
5. Repeat Step 4 for each VPN being configured
6. ip route vrf vrf-name prefix mask interface-type interface-number next-hop-address
7. Repeat Step 6 for each VPN being configured.
8. exit
9. show ip nat translations vrf vrf-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip nat pool name start-ip end-ip netmask netmask
Defines a pool of IP addresses for NAT.
Example:
Router(config)# ip nat pool inside 2.2.2.10 2.2.2.10 netmask 255.255.255.0
Step 4 ip nat [inside | outside] source [list {access-list-number | access-list-name} | route-map name] [interface type number | pool pool-name] vrf vrf-name [overload]
Allows NAT to be configured on a particular VPN.
Example:
Router(config)# ip nat inside source list 1 pool mypool vrf shop overload
Step 6 ip route vrf vrf-name prefix mask interface-type interface-number next-hop-address
Allows NAT to be configured on a particular VPN.
Example:
Router(config)# ip route vrf shop 0.0.0.0 0.0.0.0 ethernet 0 168.58.88.2
Step 8 exit
Example:
Router(config)# exit
Step 9 show ip nat translations vrf vrf-name
(Optional) Displays the settings used by virtual routing/forwarding (VRF) table translations.
Example:
Router# show ip nat translations vrf shop
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source {static {esp local-ip interface type number | local-ip global-ip}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | vrf name]
4. Repeat Step 3 for each VPN being configured.
5. ip route vrf vrf-name prefix prefix mask next-hop-address global
6. Repeat Step 5 for each VPN being configured.
7. exit
8. show ip nat translations vrf vrf-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip nat inside source {static {esp local-ip interface type number | local-ip global-ip}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | vrf name]
Enables inside static translation on the VRF.
Example:
Router(config)# ip nat inside source static 192.168.121.113 2.2.2.1 vrf shop
Step 5 ip route vrf vrf-name prefix prefix mask next-hop-address global
Allows the route to be shared by several customers.
Example:
Router(config)# ip route vrf shop 0.0.0.0 0.0.0.0 168.58.88.2 global
Step 7 exit
Example:
Router(config)# exit
Step 8 show ip nat translations vrf vrf-name
(Optional) Displays the settings used by VRF translations.
Example:
Router# show ip nat translations vrf shop
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool outside global-ip local-ip netmask netmask
4. ip nat inside source static local-ip global-ip vrf vrf-name
5. Repeat Step 4 for each VRF being configured.
6. ip nat outside source static global-ip local-ip vrf vrf-name
7. exit
8. show ip nat translations vrf vrf-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip nat pool outside global-ip local-ip netmask netmask
Allows the configured VRF to be associated with the NAT translation rule.
Example:
Router(config)# ip nat pool outside 4.4.4.1 4.4.4.254 netmask 255.255.255.0
Step 4 ip nat inside source static local-ip global-ip vrf vrf-name
Allows the route to be shared by several customers.
Example:
Router(config)# ip nat inside source static 192.168.121.113 2.2.2.1 vrf shop
Step 5 Repeat Step 4 for each VRF being configured.
Step 6 ip nat outside source static global-ip local-ip vrf vrf-name
Allows the route to be shared by several customers.
Example:
Router(config)# ip nat outside source static 168.58.88.2 4.4.4.1 vrf shop
Step 7 exit
Example:
Router(config)# exit
Step 8 show ip nat translations vrf vrf-name
(Optional) Displays the settings used by VRF translations.
Example:
Router# show ip nat translations vrf shop
SUMMARY STEPS
1. enable
2. configure {terminal | memory | network}
3. ip nat pool inside global-ip local-ip netmask netmask
4. Repeat Step 3 for each pool being configured.
5. ip nat inside source list access-list-number pool pool-name vrf vrf-name
6. Repeat Step 5 for each pool being configured.
7. ip nat outside source static global-ip local-ip vrf vrf-name
8. Repeat Step 7 for all VPNs being configured.
9. exit
10. show ip nat translations vrf vrf-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip nat pool inside global-ip local-ip netmask netmask
Allows the configured VRF to be associated with the NAT translation rule.
Example:
Router(config)# ip nat pool inside1 2.2.1.1 2.2.1.254 netmask 255.255.255.0
Step 5 ip nat inside source list access-list-number pool pool-name vrf vrf-name
Allows the route to be shared by several customers.
Example:
Router(config)# ip nat inside source list 1 pool inside2 vrf shop
Step 6 Repeat Step 5 for each pool being configured.
Defines the access list.
Step 7 ip nat outside source static global-ip local-ip vrf vrf-name
Allows the route to be shared by several customers.
Example:
Router(config)# ip nat outside source static 168.58.88.2 4.4.4.1 vrf shop
Step 9 exit
Example:
Router(config)# exit
Step 10 show ip nat translations vrf vrf-name
(Optional) Displays the settings used by VRF translations.
Example:
Router# show ip nat translations vrf shop
!
ip nat pool inside 2.2.2.10 2.2.2.10 netmask 255.255.255.0
ip nat inside source list 1 pool inside vrf bank overload
ip nat inside source list 1 pool inside vrf park overload
ip nat inside source list 1 pool inside vrf shop overload
!
ip route vrf shop 0.0.0.0 0.0.0.0 Ethernet1/3 168.58.88.2
ip route vrf bank 0.0.0.0 0.0.0.0 Ethernet1/3 168.58.88.2
ip route vrf park 0.0.0.0 0.0.0.0 Ethernet1/3 168.58.88.2
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
ip nat inside source static 192.168.121.113 2.2.2.1 vrf shop
ip nat inside source static 192.168.122.49 2.2.2.2 vrf shop
ip nat inside source static 192.168.121.113 2.2.2.3 vrf bank
ip nat inside source static 192.168.22.49 2.2.2.4 vrf bank
ip nat inside source static 192.168.121.113 2.2.2.5 vrf park
ip nat inside source static 192.168.22.49 2.2.2.6 vrf park
ip nat inside source static 192.168.11.1 2.2.2.11 vrf shop
ip nat inside source static 192.168.11.3 2.2.2.12 vrf shop
ip nat inside source static 140.48.5.20 2.2.2.13 vrf shop
!
ip route 2.2.2.1 255.255.255.255 Ethernet1/0 192.168.121.113
ip route 2.2.2.2 255.255.255.255 Ethernet1/0 192.168.121.113
ip route 2.2.2.3 255.255.255.255 Serial2/1.1 192.168.121.113
ip route 2.2.2.4 255.255.255.255 Serial2/1.1 192.168.121.113
ip route 2.2.2.5 255.255.255.255 FastEthernet0/0 192.168.121.113
ip route 2.2.2.6 255.255.255.255 FastEthernet0/0 192.168.121.113
ip route 2.2.2.11 255.255.255.255 Ethernet1/0 192.168.121.113
ip route 2.2.2.12 255.255.255.255 Ethernet1/0 192.168.121.113
ip route 2.2.2.13 255.255.255.255 Ethernet1/0 192.168.121.113
!
ip nat pool outside 4.4.4.1 4.4.4.254 netmask 255.255.255.0
ip nat inside source static 192.168.121.113 2.2.2.1 vrf shop
ip nat inside source static 192.168.122.49 2.2.2.2 vrf shop
ip nat inside source static 192.168.121.113 2.2.2.3 vrf bank
ip nat inside source static 192.168.22.49 2.2.2.4 vrf bank
ip nat inside source static 192.168.121.113 2.2.2.5 vrf park
!
ip default-gateway 10.1.15.1
ip nat pool inside1 2.2.1.1 2.2.1.254 netmask 255.255.255.0
ip nat pool inside2 2.2.2.1 2.2.2.254 netmask 255.255.255.0
ip nat pool inside3 2.2.3.1 2.2.3.254 netmask 255.255.255.0
ip nat inside source list 1 pool inside2 vrf bank
ip nat inside source list 1 pool inside3 vrf park
ip nat inside source list 1 pool inside1 vrf shop
ip nat outside source static 168.58.88.2 4.4.4.1 vrf bank
ip nat outside source static 18.68.58.1 4.4.4.2 vrf park
ip nat outside source static 168.58.88.1 4.4.4.3 vrf shop
ip classless
ip route 192.170.10.0 255.255.255.0 Ethernet1/0 192.168.121.113
ip route 192.170.11.0 255.255.255.0 Serial2/1.1 192.168.121.113
ip route 192.170.12.0 255.255.255.0 FastEthernet0/0 192.168.121.113
ip route vrf shop 0.0.0.0 0.0.0.0 168.58.88.2 global
ip route vrf bank 0.0.0.0 0.0.0.0 168.58.88.2 global
ip route vrf park 0.0.0.0 0.0.0.0 168.58.88.2 global
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
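As an added example (not Cisco code), a small checker over configuration fragments like the ones above, tied to the note earlier in this module that NAT does not support permit ip any any in a referenced access list: it flags such access lists, pools that are referenced by a NAT command but never defined, and VRFs that appear in NAT commands without an ip route vrf entry. The GOOD_CONFIG sample is built from this module's pool-overload example, BAD_CONFIG is constructed; the last two checks and all function names are this example's own assumptions.

```python
"""Checks for NAT-with-MPLS-VPN configuration fragments (added example, not Cisco code).

Reads IOS-style configuration lines and reports:
  1. an access list referenced by 'ip nat ... source list' that holds a
     'permit ip any any' (or standard-ACL 'permit any') entry, which NAT does
     not support (see the note in this module);
  2. a pool referenced by a NAT command that is never defined with 'ip nat pool';
  3. a VRF named in a NAT command that has no 'ip route vrf' entry.
Checks 2 and 3 are this example's own assumptions about a complete configuration.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the pool-overload example in this module
GOOD_CONFIG = """\
ip nat pool inside 2.2.2.10 2.2.2.10 netmask 255.255.255.0
ip nat inside source list 1 pool inside vrf bank overload
ip nat inside source list 1 pool inside vrf park overload
ip nat inside source list 1 pool inside vrf shop overload
!
ip route vrf shop 0.0.0.0 0.0.0.0 Ethernet1/3 168.58.88.2
ip route vrf bank 0.0.0.0 0.0.0.0 Ethernet1/3 168.58.88.2
ip route vrf park 0.0.0.0 0.0.0.0 Ethernet1/3 168.58.88.2
!
access-list 1 permit 192.168.0.0 0.0.255.255
"""

# Constructed fragment containing each mistake the checker reports
BAD_CONFIG = """\
ip nat inside source list 2 pool missing-pool vrf lab overload
access-list 2 permit ip any any
"""


def _after(tokens: List[str], key: str) -> Optional[str]:
    """Token following the first occurrence of `key`, or None if absent."""
    if key in tokens[:-1]:
        return tokens[tokens.index(key) + 1]
    return None


def is_permit_any(entry: List[str]) -> bool:
    """True for 'permit ip any any' and the standard-ACL shorthand 'permit any'."""
    return len(entry) > 1 and entry[0] == "permit" and all(t in ("ip", "any") for t in entry[1:])


def lint_nat_config(config: str) -> List[str]:
    pools: Set[str] = set()
    acls: Dict[str, List[List[str]]] = {}
    routed_vrfs: Set[str] = set()
    nat_vrfs: Set[str] = set()
    nat_lists: List[Tuple[Optional[str], Optional[str]]] = []   # (acl, pool) per NAT command

    for raw in config.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("!"):       # blank lines and IOS comments
            continue
        if tokens[:3] == ["ip", "nat", "pool"] and len(tokens) > 3:
            pools.add(tokens[3])
        elif tokens[:2] == ["ip", "nat"] and "source" in tokens:
            if "list" in tokens:
                nat_lists.append((_after(tokens, "list"), _after(tokens, "pool")))
            vrf = _after(tokens, "vrf")
            if vrf:
                nat_vrfs.add(vrf)
        elif tokens[0] == "access-list" and len(tokens) > 2:
            acls.setdefault(tokens[1], []).append(tokens[2:])
        elif tokens[:3] == ["ip", "route", "vrf"] and len(tokens) > 3:
            routed_vrfs.add(tokens[3])

    findings: List[str] = []
    for acl, pool in nat_lists:
        entries = acls.get(acl)
        if entries is None:
            findings.append(f"access-list {acl} is referenced by NAT but never defined")
        elif any(is_permit_any(e) for e in entries):
            findings.append(f"access-list {acl} contains 'permit ip any any', which NAT does not support")
        if pool is not None and pool not in pools:
            findings.append(f"pool {pool} is referenced by NAT but never defined")
    for vrf in sorted(nat_vrfs - routed_vrfs):
        findings.append(f"vrf {vrf} is used by NAT but has no 'ip route vrf {vrf}' entry")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_nat_config(cfg) or ["no findings"])
```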
Where to Go Next
• To learn about Network Address Translation and configure NAT for IP address conservation, see the
“Configuring NAT for IP Address Conservation” module.
• To verify, monitor, and maintain NAT, see the “Monitoring and Maintaining NAT” module.
• To use NAT with application level gateways, see the “Using Application Level Gateways with NAT”
module.
• To configure NAT for high availability, see the “Configuring NAT for High Availability” module.
Note Effective January 31, 2014, Stateful NAT is not available in Cisco IOS software. For more information,
see End-of-Sale and End-of-Life Announcement for the Cisco IOS Stateful Failover of Network Address
Translation (SNAT).
Cisco IOS Hosted NAT Traversal for Session Border Controller Overview
Private IP addresses and ports inserted in the packet payload by client devices, such as IP phones and video
conferencing stations, are not routable in public networks that use NAT. In addition, the intermediate routers
between the inside phones and the NAT SBC may lack ALG functionality. Hosted NAT traversal handles
the signaling and the media streams involved in setting up, conducting, and tearing down calls that
traverse these intermediate routers.
The figure below illustrates how the NAT SBC handles embedded SIP/SDP information for the address and
port allocation by differentiating the overlapped embedded information.
The inside phones have the proxy configured as the NAT SBC’s preconfigured address and port. NAT SBC
has the Softswitch’s address and port preconfigured as the proxy. The NAT SBC intercepts the packets destined
from the inside phones to itself and translates the inside hosts and other information in the SIP/SDP payload
and the IP/UDP destination address or port to the Softswitch’s address and port, and vice versa.
The SIP/SDP information is translated by either NAT or PAT so that the Real-Time Transport Protocol (RTP) flow
can run directly between the phones in the NAT SBC inside domain.
The address-only fields are not translated by the NAT SIP ALG. The address-only fields are handled by the
NAT SBC, except for the proxy-authorization and authorization translation, because these will break the
authentication.
If the intermediate routers between the inside phones and the NAT SBC are configured to do a PAT, the user
agents (phones and proxy) must support symmetric signaling and symmetric and early media. You must
configure the override port on the NAT SBC router. In the absence of support for symmetric signaling and
symmetric and early media, the intermediate routers must be configured without PAT and the override address
should be configured in the NAT SBC.
The registration throttling support enables you to define the parameters in the Expires: header and the expires=
parameter. It allows you to elect to not forward certain registration messages to the Softswitch.
Note When you use the NAT SBC feature and you want the call IDs to be translated, you must configure two
address pools in such a way that the pool for SBC is accessed before the pool for the call IDs. Use the ip
nat pool command to configure the address pools. Access lists are chosen in ascending order, so you
should assign the list associated with the SBC pool a lower number than the list associated with the call
ID pool.
Note The proxy of the inside phones must be set to 200.1.1.1. The VPN routing and forwarding (VRF) instance
configuration as shown is optional.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip nat inside
5. exit
6. interface type number
7. ip nat outside
8. exit
9. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
10. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
11. ip nat inside source list access-list-number pool name [vrf vrf-name] [overload]
12. ip nat outside source list access-list-number pool name
13. ip nat sip-sbc
14. proxy inside-address inside-port outside-address outside-port protocol udp
15. vrf-list
16. vrf-name vrf-name
17. exit
18. ip nat sip-sbc
19. call-id-pool call-id-pool
20. session-timeout seconds
21. mode allow-flow-around
22. override address
23. end
DETAILED STEPS
Example:
Router# configure terminal
Step 4 ip nat inside
Connects the interface to the inside network (the network subject to NAT translation).
Example:
Router(config-if)# ip nat inside
Step 6 interface type number
Specifies an interface and enters interface configuration mode.
Example:
Router(config)# interface ethernet 1/3
Example:
Router(config-if)# ip nat outside
Step 9 ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a pool of global addresses to be allocated for the inside network.
Note You must configure two address pools when you are using the NAT SBC feature and you want to translate the call IDs. In this step you are configuring the first address pool.
Example:
Router(config)# ip nat pool inside-pool-A 172.16.0.1 172.16.0.10 prefix-length 16
Step 10 ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a pool of global addresses to be allocated for the outside network.
Note You must configure two address pools when you are using the NAT SBC feature and you want to translate the call IDs. In this step, you are configuring the second address pool.
Example:
Router(config)# ip nat pool outside-pool 203.0.113.1 203.0.113.10 prefix-length 24
Example:
Router(config)# ip nat inside source list 1 pool inside-pool-A vrf vrfA overload
Step 12 ip nat outside source list access-list-number pool name
Enables NAT of the outside source address and configures the access list for translation.
Example:
Router(config)# ip nat outside source list 3 pool outside-pool
Example:
Router(config)# ip nat sip-sbc
Step 14 proxy inside-address inside-port outside-address outside-port protocol udp
Configures the address or port that the inside phones will be referring to, and the outside proxy’s address and port to which the NAT SBC translates the destination IP address and port.
Example:
Router(config-ipnat-sbc)# proxy 200.1.1.1 5060 192.0.2.2 5060 protocol udp
Example:
Router(config-ipnat-sbc)# vrf-list
Step 16 vrf-name vrf-name
(Optional) Defines SBC VRF list names.
Example:
Router(config-ipnat-sbc-vrf)# vrf-name vrf1
Step 17 exit
Exits IP NAT SBC VRF configuration mode and enters global configuration mode.
Example:
Router(config-ipnat-sbc-vrf)# exit
Example:
Router(config)# ip nat sip-sbc
Step 20 session-timeout seconds
Configures the timeout duration for NAT entries pertaining to SIP signaling flows.
• The default is 5 minutes.
Example:
Router(config-ipnat-sbc)# session-timeout 300
Step 22 override address
Allows the NAT SBC to override the out-to-in traffic’s destination IP address during signaling or RTP traffic, or to override the address and port.
Example:
Router(config-ipnat-sbc)# override address
Step 23 end
Exits IP NAT SBC configuration mode and enters privileged EXEC mode.
Example:
Router(config-ipnat-sbc)# end
Example Configuring Cisco IOS Hosted NAT Traversal for Session Border
Controller
The following example shows how to configure the Cisco IOS Hosted NAT Traversal as Session Border
Controller feature:
interface ethernet1/1
ip nat inside
!
interface ethernet1/2
ip nat inside
!
interface ethernet1/3
ip nat outside
!
ip nat pool inside-pool-A 172.16.0.1 172.16.0.10 prefix-length 16
ip nat pool inside-pool-B 192.168.0.1 192.168.0.10 prefix-length 24
ip nat pool outside-pool 203.0.113.1 203.0.113.10 prefix-length 24
ip nat inside source list 1 pool inside-pool-A vrf vrfA overload
ip nat inside source list 2 pool inside-pool-B vrf vrfB overload
ip nat outside source list 3 pool outside-pool
!
! Access-list for VRF-A inside phones (standard ACLs take a wildcard mask)
access-list 1 permit 172.16.0.0 0.0.255.255
!
! Access-list for VRF-B inside phones
access-list 2 permit 192.0.2.0 0.0.0.255
!
access-list 3 permit 203.0.113.0 0.0.0.255
ip nat sip-sbc
proxy 200.1.1.1 5060 192.0.2.2 5060 protocol udp
vrf-list
vrf-name vrfA
vrf-name vrfB
exit
call-id-pool pool-name
session-timeout 300
mode allow-flow-around
override address
Additional References
Related Documents
Related Topic: NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Document Title: Cisco IOS IP Addressing Services Command Reference
Standards
Standard: None
MIBs
Table 9: Feature Information for Configuring Hosted NAT Traversal for Session Border Controller
Feature Name: Hosted NAT Support for Session Border Controller Phase-2
Releases: 12.4(15)T
Feature Information: The Hosted NAT Support for Session Border Controller Phase-2 feature provides registration throttling, media flow-through, and SNAT support.
Note Effective January 31, 2014, Stateful NAT is not available in Cisco IOS software. For more information, see End-of-Sale and End-of-Life Announcement for the Cisco IOS Stateful Failover of Network Address Translation (SNAT).
Feature Name: NAT as SIP Session Border Controller Media Flow
Releases: 12.4(9)T
Feature Information: The NAT as SIP Session Border Controller Media Flow feature provides support for media flow-around for RTP or RTCP exchanges between phones on the inside domain of the SBC.
Feature Name: NAT as SIP Session Border Controller Support for Address-Only Fields
Releases: 12.4(9)T
Feature Information: The NAT as SIP Session Border Controller Support for Address-Only Fields feature provides support for the translation of SIP address-only fields.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat portmap mapname application application startport startport size size
4. ip nat inside source list list-name pool pool-name overload portmap portmap-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip nat portmap mapname application application startport startport size size
Defines the port map.
Example:
Router(config)# ip nat portmap NAT-1 application sip-rtp startport 32128 size 128
Step 4 ip nat inside source list list-name pool pool-name overload portmap portmap-name
Associates the port map to the NAT configuration.
Example:
Router(config)# ip nat inside source list 1 pool A overload portmap NAT-1
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service {allow-h323-even-rtp-ports | allow-sip-even-rtp-ports | allow-skinny-even-rtp-ports}
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip nat service {allow-h323-even-rtp-ports | allow-sip-even-rtp-ports | allow-skinny-even-rtp-ports}
Establishes even port parity for H.323, the SIP protocol, or the Skinny protocol.
Example:
Router(config)# ip nat service allow-h323-even-rtp-ports
Additional References
Related Documents
Related Topic: NAT commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Document Title: Cisco IOS IP Addressing Services Command Reference
Standards
Standard: None
MIBs
Table 11: Feature Information for User Defined Source Port Ranges for PAT
means that the port is available. A new entry is added to the NAT Port database, and to the existing NAT
database, allocating the port to the requesting computer, and the packet is sent.
If no matching entry in the NAT Port database is found, it means that the port is busy, or otherwise unavailable.
The next available port is found, which is allocated to the requesting computer. An entry is added to the NAT
Port database with the requesting computer and the available port. An entry is added to the Symmetric Port
database, with the requesting computer, the allocated port and the requested port and the packet is sent.
This feature is only required if you need to configure NAT with pool overload or interface overload. This
feature is not applicable for other NAT configurations.
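The two-database allocation described above, as an added example (not Cisco's implementation): the NAT Port database tracks which global ports are in use and by which inside endpoint, the Symmetric Port database records the remap when the requested port was busy, and every later flow from the same inside address and port reuses the same global port regardless of its peer. The pool range, the next-available search order, and the class and method names are this example's assumptions.

```python
"""Endpoint-agnostic (symmetric) port allocation (added example, not Cisco's code).

NAT Port database: global port -> inside endpoint that currently owns it.
Symmetric Port database: inside (address, port) whose requested port was busy ->
the global port it was given instead.  The peer address is never part of the
key, so a host keeps one external port for every destination, which is the
endpoint-independent mapping behaviour (RFC 4787) that NAT traversal relies on.
"""
from dataclasses import dataclass, field
from itertools import chain
from typing import Dict, Optional, Tuple

InsideEndpoint = Tuple[str, int]     # (inside local address, inside source port)
Peer = Tuple[str, int]               # (destination address, destination port)


@dataclass
class SymmetricPortAllocator:
    global_ip: str
    low: int = 1024                  # assumed global port pool [low, high]
    high: int = 65535
    port_db: Dict[int, InsideEndpoint] = field(default_factory=dict)       # NAT Port database
    symmetric_db: Dict[InsideEndpoint, int] = field(default_factory=dict)  # Symmetric Port database

    def allocate(self, inside_ip: str, inside_port: int, peer: Optional[Peer] = None) -> int:
        """Global port for this inside endpoint; `peer` is deliberately not part of the key."""
        endpoint = (inside_ip, inside_port)
        remapped = self.symmetric_db.get(endpoint)
        if remapped is not None:                 # remapped earlier: keep using that port
            return remapped
        owner = self.port_db.get(inside_port)
        if owner == endpoint:                    # already holds its own requested port
            return inside_port
        if owner is None and self.low <= inside_port <= self.high:
            self.port_db[inside_port] = endpoint  # requested port is free: preserve it
            return inside_port
        # Requested port is busy (or outside the pool): take the next free port
        # and remember the remap so later flows from this endpoint get the same one.
        allocated = self._next_free(inside_port)
        self.port_db[allocated] = endpoint
        self.symmetric_db[endpoint] = allocated
        return allocated

    def _next_free(self, requested: int) -> int:
        """Lowest free port above the requested one, wrapping around inside the pool."""
        start = max(requested + 1, self.low)
        for port in chain(range(start, self.high + 1), range(self.low, start)):
            if port not in self.port_db:
                return port
        raise RuntimeError("global port pool exhausted")

    def release(self, inside_ip: str, inside_port: int) -> None:
        """Drop the inside endpoint's mapping from both databases."""
        endpoint = (inside_ip, inside_port)
        port = self.symmetric_db.pop(endpoint, inside_port)
        if self.port_db.get(port) == endpoint:
            del self.port_db[port]


if __name__ == "__main__":
    nat = SymmetricPortAllocator("203.0.113.5")            # constructed addresses
    print(nat.allocate("10.0.0.1", 5000, ("198.51.100.1", 53)))   # 5000, port preserved
    print(nat.allocate("10.0.0.2", 5000, ("198.51.100.1", 53)))   # 5001, port busy, remapped
    print(nat.allocate("10.0.0.2", 5000, ("198.51.100.2", 443)))  # 5001 again, new peer
```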
Note This feature must be enabled by the user. It should be enabled before NAT is enabled. If it is enabled later,
it will not translate the previously established connections. When this feature is disabled, it does not appear
in the output of the show running-config command.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip nat inside
5. exit
6. access-list 1 permit ip-address mask
7. ip nat inside source list 1 interface type number
8. ip nat service enable-sym-port
9. exit
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number
Example:
Router(config)# interface Ethernet 0/0
Step 4 ip nat inside
Enables Network Address Translation (NAT) for the inside address.
Example:
Router(config-if)# ip nat inside
Step 5 exit
Example:
Router(config-if)# exit
Step 6 access-list 1 permit ip-address mask
Creates an access list called 1.
Example:
Router(config)# access-list 1 permit 172.18.192.0 0.0.0.255
Step 7 ip nat inside source list 1 interface type number
Enables NAT for the inside source for access list 1, which is attached to the Ethernet interface.
Example:
Router(config)# ip nat inside source list 1 interface Ethernet 0/0
Step 8 ip nat service enable-sym-port
Example:
Router(config)# ip nat service enable-sym-port
Step 9 exit
Example:
Router(config)# exit
SUMMARY STEPS
1. show ip nat translations
DETAILED STEPS
Step 1 show ip nat translations
Example:
Router# show ip nat translations
Additional References
Related Documents
Standards
Standard: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
RFCs
RFC: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Table 12: Feature Information for NAT Endpoint Agnostic Port Allocation
• More control of voice policy is possible because the media path is closer to the customer domain and
not deep within the service provider cloud.
• Processes all packets sent through the NAT-enabled router, even those without the Session Description
Protocol (SDP).
Configuring a NAT Optimized SIP Media Path Without SDP Messages Including
MD5 Authentication
Perform this task to configure messages with a NAT optimized SIP Media path including MD5 authentication.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat piggyback-support sip-alg all-messages router router-id [md5-authentication md5-authentication-key]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip nat piggyback-support sip-alg all-messages router router-id [md5-authentication md5-authentication-key]
Enables messages with a NAT optimized SIP media path including MD5 authentication.
Example:
Router(config)# ip nat piggyback-support sip-alg all-messages router 100 md5-authentication md5-key
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat piggyback-support sip-alg all-messages router router-id
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip nat piggyback-support sip-alg all-messages router router-id
Enables messages with a NAT optimized SIP media path without MD5 authentication.
Example:
Router(config)# ip nat piggyback-support sip-alg all-messages router 100
Configuring a NAT Optimized SIP Media Path Without SDP Including MD5
Authentication Example
The following example shows how to configure a NAT optimized SIP media path without SDP including
MD5 authentication:
Additional References
Related Documents
Related Topic: NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Document Title: Cisco IOS IP Addressing Services Command Reference
Related Topic: RADIUS attributes overview
Document Title: RADIUS Attributes Overview and RADIUS IETF Attributes module
Related Topic: Using NAT with MPLS VPNs
Document Title: Integrating NAT with MPLS VPNs module
Standard/RFC: RFC 1597
Title: Internet Assigned Numbers Authority
Table 13: Feature Information for NAT Optimized SIP Media Path Without SDP
Information About the NAT Optimized SIP Media Path with SDP
Feature
Configuring a NAT Optimized SIP Media Path with SDP Messages Including
MD5 Authentication
Perform this task to configure SDP messages with a NAT optimized SIP Media path including MD5
authentication.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat piggyback-support sip-alg sdp-only router router-id md5-authentication md5-authentication-key
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip nat piggyback-support sip-alg sdp-only router router-id md5-authentication md5-authentication-key
Enables SDP messages with a NAT optimized SIP media path including MD5 authentication.
Example:
Router(config)# ip nat piggyback-support sip-alg sdp-only router 100 md5-authentication md5-key
Configuring a NAT Optimized SIP Media Path with SDP Messages Without
MD5 Authentication
Perform this task to configure SDP messages with a NAT optimized SIP Media path without MD5
authentication.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat piggyback-support sip-alg sdp-only router router-id
DETAILED STEPS
Step 2 configure terminal
Example:
Router# configure terminal
Step 3 ip nat piggyback-support sip-alg sdp-only router router-id
Enables SDP messages with a NAT optimized SIP media path without MD5 authentication.
Example:
Router(config)# ip nat piggyback-support sip-alg sdp-only router 100
Configuring a NAT Optimized SIP Media Path with SDP Including MD5 Authentication Example
The following example shows how to configure a NAT optimized SIP media path with SDP including MD5
authentication:
Configuring a NAT Optimized SIP Media Path with SDP Without MD5 Authentication Example
The following example shows how to configure a NAT optimized SIP media path with SDP without MD5
authentication:
Additional References
Related Documents
Related Topic: NAT Optimized SIP Media Path without SDP configuration tasks and conceptual information
Document Title: “NAT - Optimized SIP Media without SDP” module
Standards
Standard: None
MIBs
RFCs
RFC: None
Translation Entries
Translation entry information includes the following:
• The protocol of the port identifying the address.
• The legitimate IP address that represents one or more inside local IP addresses to the outside world.
• The IP address assigned to a host on the inside network; probably not a legitimate address assigned by
the NIC or service provider.
• The IP address of an outside host as it appears to the inside network; probably not a legitimate address
assigned by the NIC or service provider.
• The IP address assigned to a host on the outside network by its owner.
• The time since the entry was created (in hours:minutes:seconds).
• The time since the entry was last used (in hours:minutes:seconds).
• Flags indicating the type of translation. Possible flags are:
• extended—Extended translation.
• static—Static translation.
• destination—Rotary translation.
• outside—Outside translation.
• timing out—Translation will no longer be used, due to a TCP finish (FIN) or reset (RST) flag.
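The fields listed above are what each row of the show ip nat translations table carries. The following parser is an added example, not Cisco code; the sample output it works on is constructed, and the column layout it assumes is the standard Pro / Inside global / Inside local / Outside local / Outside global table, with "---" marking the fields a static entry without a live session lacks.

```python
"""Added example (not Cisco code): parse the "show ip nat translations" table
and summarise it per inside host.

The sample output is constructed for this example. The columns are the standard
Pro / Inside global / Inside local / Outside local / Outside global layout;
"---" marks a field that a static entry without a live session does not have.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, shaped like a capture of "show ip nat translations".
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:1025  10.1.1.5:1025      198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.10:1026  10.1.1.5:1026      198.51.100.7:443   198.51.100.7:443
udp 203.0.113.10:53    10.1.1.5:53        198.51.100.2:53    198.51.100.2:53
tcp 203.0.113.10:1027  10.1.1.9:1027      198.51.100.7:80    198.51.100.7:80
--- 203.0.113.11       10.1.1.6           ---                ---
"""


@dataclass
class Translation:
    proto: Optional[str]            # tcp/udp/icmp; None when the entry is not extended
    inside_global: str              # address that represents the host to the outside world
    inside_global_port: Optional[int]
    inside_local: str               # address assigned to the host on the inside network
    inside_local_port: Optional[int]
    outside_local: Optional[str]    # outside host as it appears to the inside, or None
    outside_global: Optional[str]   # outside host's address assigned by its owner, or None

    @property
    def is_static(self) -> bool:
        """A static mapping with no live session shows '---' for both outside fields."""
        return self.outside_local is None and self.outside_global is None


def _split_endpoint(field: str) -> Tuple[Optional[str], Optional[int]]:
    """'10.1.1.5:1025' -> ('10.1.1.5', 1025); '10.1.1.6' -> ('10.1.1.6', None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    host, sep, port = field.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return field, None


def parse_translations(text: str) -> List[Translation]:
    entries: List[Translation] = []
    for line in text.splitlines():
        cols = line.split()
        # A translation row has exactly five whitespace-separated columns; the
        # header, blank lines and other text are skipped.
        if len(cols) != 5 or cols[0] == "Pro":
            continue
        proto = None if cols[0] == "---" else cols[0]
        ig, igp = _split_endpoint(cols[1])
        il, ilp = _split_endpoint(cols[2])
        ol, _ = _split_endpoint(cols[3])
        og, _ = _split_endpoint(cols[4])
        entries.append(Translation(proto, ig or cols[1], igp, il or cols[2], ilp, ol, og))
    return entries


def translations_per_inside_host(entries: List[Translation]) -> Dict[str, int]:
    """Number of active translations each inside local address currently holds."""
    return dict(Counter(e.inside_local for e in entries))


def hosts_over_threshold(entries: List[Translation], limit: int) -> List[str]:
    """Inside hosts holding more than `limit` translations. A sudden jump for a
    single host is a common first sign of a scanning or runaway client behind the NAT."""
    return sorted(h for h, n in translations_per_inside_host(entries).items() if n > limit)


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE_OUTPUT)
    for entry in parsed:
        kind = "static" if entry.is_static else f"dynamic/{entry.proto}"
        print(f"{kind:12} {entry.inside_local:12} -> {entry.inside_global}")
    print("per host:", translations_per_inside_host(parsed))
    print("over 2:", hosts_over_threshold(parsed, 2))
```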
Statistical Information
Statistical information includes the following:
• The total number of translations active in the system. This number is incremented each time a translation
is created and is decremented each time a translation is cleared or times out.
• A list of interfaces marked as outside with the ip nat outside command.
• A list of interfaces marked as inside with the ip nat inside command.
• The number of times the software does a translations table lookup and finds an entry.
• The number of times the software does a translations table lookup, fails to find an entry, and must try
to create one.
• A cumulative count of translations that have expired since the router was booted.
• Information about dynamic mappings.
• Information about an inside source translation.
• The access list number being used for the translation.
• The name of the pool.
• The number of translations using this pool.
• The IP network mask being used in the pool.
• The starting IP address in the pool range.
• The ending IP address in the pool range.
• The type of pool. Possible types are generic or rotary.
• The number of addresses in the pool available for translation.
• The number of addresses being used.
• The number of failed allocations from the pool.
NAT does not support access control lists (ACLs) with the log option. The same functionality can be achieved
by using one of the following options:
• By having a physical interface or virtual LAN (VLAN) with the logging option
• By using NetFlow
SUMMARY STEPS
1. enable
2. show ip nat translations [verbose]
3. show ip nat statistics
DETAILED STEPS
Step 2 show ip nat translations [verbose]
(Optional) Displays active NAT translations.
Example:
Device# show ip nat translations
Step 3 show ip nat statistics
(Optional) Displays active NAT translation statistics.
Example:
Device# show ip nat statistics
Example:
The following is sample output from the show ip nat translations command:
Device# show ip nat translations
SUMMARY STEPS
1. enable
2. clear ip nat translation inside global-ip local-ip outside local-ip global-ip
3. clear ip nat translation outside global-ip local-ip
4. clear ip nat translation protocol inside global-ip global-port local-ip local-port outside local-ip
local-port global-ip global-port
5. clear ip nat translation {* | [forced] | [inside global-ip local-ip] [outside local-ip global-ip]}
6. clear ip nat translation inside global-ip local-ip [forced]
7. clear ip nat translation outside local-ip global-ip [forced]
DETAILED STEPS
Step 3 clear ip nat translation outside global-ip local-ip
(Optional) Clears a single dynamic half-entry containing an outside translation created in a dynamic configuration.
• A dynamic half-entry is cleared only if it does not have any child translations.
Example:
Device# clear ip nat translation outside 192.168.2.100 192.168.2.80
Step 4 clear ip nat translation protocol inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port
(Optional) Clears a UDP translation entry.
Example:
Device# clear ip nat translation udp inside 192.168.2.209 1220 192.168.2.195 1220 outside 192.168.2.13 53 192.168.2.132 53
Step 5 clear ip nat translation {* | [forced] | [inside global-ip local-ip] [outside local-ip global-ip]}
(Optional) Clears either all dynamic translations (with the * or forced keyword), a single dynamic half-entry containing an inside translation, or a single dynamic half-entry containing an outside translation.
• A single dynamic half-entry is cleared only if it does not have any child translations.
Example:
Device# clear ip nat translation *
Step 6 clear ip nat translation inside global-ip local-ip [forced]
(Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an inside translation created in a dynamic configuration, with or without its corresponding outside translation.
• A dynamic half-entry is always cleared, regardless of whether it has any child translations.
Example:
Device# clear ip nat translation inside 192.168.2.209 192.168.2.195 forced
Step 7 clear ip nat translation outside local-ip global-ip [forced]
(Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an outside translation created in a dynamic configuration.
• A dynamic half-entry is always cleared, regardless of whether it has any child translations.
Example:
Device# clear ip nat translation outside 192.168.2.100 192.168.2.80 forced
Where to Go Next
• To configure NAT for use with application level gateways, see the “Using Application Level Gateways
with NAT” module.
• To integrate NAT with MPLS VPNs, see the “Integrating NAT with MPLS VPNs” module.
• To configure NAT for high availability, see the “Configuring NAT for High Availability” module.
Additional References
Related Documents
Related Topic: NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Document Title: Cisco IOS IP Addressing Services Command Reference
NAT-PT Overview
Network Address Translation (NAT)-Port Translation (PT) for Cisco software, based on RFC 2766 and RFC 2765, is a migration tool that helps customers transition their IPv4 networks to IPv6 networks. Using a protocol translator between IPv6 and IPv4 allows direct communication between hosts that use different network protocols. You can use static, dynamic, Port Address Translation (PAT), or IPv4-mapped definitions for NAT-PT operation.
The figure below shows that NAT-PT runs on a device that is configured between an IPv6 network and an
IPv4 network that helps connect an IPv6-only node with an IPv4-only node.
NAT-PT allows direct communication between IPv6-only networks and IPv4-only networks. Dual-stack
networks (networks that have IPv4 and IPv6) can have some IPv6-only hosts configured to take advantage
of the IPv6 autoconfiguration, global addressing, and simpler management features, and these hosts can use
NAT-PT to communicate with existing IPv4-only networks in the same organization.
One of the benefits of NAT-PT is that no changes are required to existing hosts if NAT-PT is configured,
because all NAT-PT configurations are performed at the NAT-PT device. Stable IPv4 networks can introduce
an IPv6 network and use NAT-PT to communicate between these networks without disrupting the network.
For a seamless transition, you can use FTP between IPv4 and IPv6 hosts.
When you configure IPv6, packet fragmentation is enabled by default, to allow IPv4 and IPv6 networks to
resolve fragmentation problems. Without the ability to resolve fragmentation, connectivity can be intermittent
when fragmented packets are dropped or not interpreted correctly.
We do not recommend the use of NAT-PT to communicate between a dual-stack host and an IPv6-only or
IPv4-only host. We do not recommend the use of NAT-PT in a scenario in which an IPv6-only network tries
to communicate with another IPv6-only network via an IPv4 backbone or vice versa, because NAT-PT requires
a double translation. You can use tunneling techniques for communication in these scenarios.
You can configure one of the following operations for NAT-PT, but not all four.
identified, NAT-PT uses the configured mapping rules and assigns a temporary IPv4 address from the configured
pool of IPv4 addresses.
Dynamic NAT-PT translation operation requires at least one static mapping for the IPv4 Domain Name System
(DNS) server.
After the IPv6 to IPv4 connection is established, reply packets going from IPv4 to IPv6 use the previously established dynamic mapping to translate back from IPv4 to IPv6, and vice versa for an IPv4-only host.
IPv4-Mapped Operation
You can send traffic from your IPv6 network to an IPv4 network without configuring the IPv6 destination
address mapping. A packet that arrives at an interface is checked to discover if it has a NAT-PT prefix that
was configured with the ipv6 nat prefix v4-mapped command. If the prefix matches, then an access-list
check is performed to discover if the source address matches the access list or prefix list. If the prefix does
not match, the packet is dropped. If the prefix matches, the source address translation is performed.
If a rule is configured for the source address translation, the last 32 bits of the destination IPv6 address are used as the IPv4 destination and a flow entry is created.
With an IPv4-mapped configuration on a device, when the Domain Name System (DNS) application-level gateway (ALG) converts an IPv4 address to an IPv6 address, the IPv6 address is processed and the DNS packets from the IPv4 network are translated by the ALG into the IPv6 network.
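The /96 prefix rule and the IPv4-mapped checks above, modelled in Python as an added example (not Cisco code). The prefix 2001:DB8::/96 and the addresses are constructed, V4MAPPED_ACL is a stand-in for the access list or prefix list named on the ipv6 nat prefix ... v4-mapped command, and packets whose destination is not under the NAT-PT prefix are treated here as ordinary IPv6 traffic.

```python
"""Added example (not Cisco code): how a NAT-PT /96 prefix carries an IPv4
address in its low 32 bits, and the IPv4-mapped decision on an arriving packet.

Assumptions: the prefix and addresses are constructed; V4MAPPED_ACL stands in
for the access list / prefix list on "ipv6 nat prefix ... v4-mapped"; a packet
whose destination is not under the NAT-PT prefix is ordinary IPv6 traffic.
"""
import ipaddress
from typing import List, Optional, Tuple

NATPT_PREFIX = "2001:DB8::/96"                         # constructed global NAT-PT prefix
V4MAPPED_ACL: List[str] = ["2001:DB8:bbbb:1::/64"]     # constructed permitted IPv6 sources


def is_valid_natpt_prefix(prefix: str) -> bool:
    """NAT-PT supports only /96: 128 - 96 leaves exactly 32 bits for the IPv4 address."""
    return ipaddress.IPv6Network(prefix, strict=False).prefixlen == 96


def embedded_ipv4(dst: str, prefix: str = NATPT_PREFIX) -> Optional[str]:
    """IPv4 address carried in the last 32 bits of dst, or None if dst is not under prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(dst)
    if addr not in net:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


def synthesize_ipv6(v4: str, prefix: str = NATPT_PREFIX) -> str:
    """Reverse direction: the IPv6 form of an IPv4 host (prefix bits + IPv4 in the low 32)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(v4))))


def v4mapped_decision(src: str, dst: str, prefix: str = NATPT_PREFIX,
                      acl: List[str] = V4MAPPED_ACL) -> Tuple[str, Optional[str]]:
    """Model the IPv4-mapped checks on an arriving IPv6 packet.

    1. Destination not under the NAT-PT prefix: not NAT-PT traffic ("not-natpt").
    2. Source does not match the access list: the packet is dropped ("drop").
    3. Otherwise the packet is translated and the IPv4 destination is the low
       32 bits of the IPv6 destination ("translate", ipv4).
    """
    v4 = embedded_ipv4(dst, prefix)
    if v4 is None:
        return "not-natpt", None
    source = ipaddress.IPv6Address(src)
    if not any(source in ipaddress.IPv6Network(n, strict=False) for n in acl):
        return "drop", None
    return "translate", v4


if __name__ == "__main__":
    print("prefix ok:", is_valid_natpt_prefix(NATPT_PREFIX))
    # An IPv6-only host reaching the IPv4 host 192.168.30.1 through the prefix
    print(v4mapped_decision("2001:DB8:bbbb:1::1", "2001:DB8::192.168.30.1"))
    print(v4mapped_decision("2001:DB8:cccc::1", "2001:DB8::192.168.30.1"))
    print(synthesize_ipv6("10.21.8.10"))
```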
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 nat prefix ipv6-prefix / prefix-length
4. interface type number
5. ipv6 address ipv6-address {/prefix-length | link-local}
6. ipv6 nat
7. exit
8. interface type number
9. ip address ip-address mask [secondary]
10. ipv6 nat
DETAILED STEPS
Step 2 configure terminal
Example:
Router# configure terminal
Step 3 ipv6 nat prefix ipv6-prefix / prefix-length
Assigns an IPv6 prefix as a global NAT-PT prefix.
• Matching destination prefixes in IPv6 packets are translated by NAT-PT.
• The only prefix length supported is 96.
Example:
Router(config)# ipv6 nat prefix 2001:DB8::/96
Step 4 interface type number
Specifies an interface type and number, and places the router in interface configuration mode.
Example:
Router(config)# interface ethernet 3/1
Step 5 ipv6 address ipv6-address {/prefix-length | link-local}
Specifies an IPv6 address assigned to the interface and enables IPv6 processing on the interface.
Example:
Router(config-if)# ipv6 address 2001:DB8:yyyy:1::9/64
Step 6 ipv6 nat
Example:
Router(config-if)# ipv6 nat
Step 7 exit
Exits interface configuration mode, and returns the router to global configuration mode.
Example:
Router(config-if)# exit
Step 8 interface type number
Specifies an interface type and number, and places the router in interface configuration mode.
Example:
Router(config)# interface ethernet 3/3
Step 10 ipv6 nat
Example:
Router(config-if)# ipv6 nat
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ipv6 nat prefix ipv6-prefix v4-mapped {access-list-name | ipv6-prefix}
DETAILED STEPS
Step 2 configure terminal
Example:
Router# configure terminal
Step 4 ipv6 nat prefix ipv6-prefix v4-mapped {access-list-name | ipv6-prefix}
Enables customers to send traffic from their IPv6 network to an IPv4 network without configuring IPv6 destination address mapping.
Example:
Router(config-if)# ipv6 nat prefix 2001::/96 v4-mapped v4mapacl
SUMMARY STEPS
1. enable
2. configure terminal
3. Configure one of the following commands:
• ipv6 nat v6v4 source ipv6-address ipv4-address
• ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name
DETAILED STEPS
Step 2 configure terminal
Example:
Device# configure terminal
Step 3 Configure one of the following commands:
• ipv6 nat v6v4 source ipv6-address ipv4-address
Enables a static IPv6 to IPv4 address mapping using NAT-PT.
or
• ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name
Enables a dynamic IPv6 to IPv4 address mapping using NAT-PT.
Example:
Device(config)# ipv6 nat v6v4 source 2001:DB8:yyyy:1::1 10.21.8.10
Device(config)# ipv6 nat v6v4 source list pt-list1 pool v4pool
Step 4 ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length
Specifies a pool of IPv4 addresses to be used by NAT-PT for dynamic address mapping.
Example:
Device(config)# ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24
Step 5 ipv6 nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout} {seconds | never}
(Optional) Specifies the time after which NAT-PT translations time out.
Example:
Device(config)# ipv6 nat translation udp-timeout 600
Step 6 ipv6 access-list access-list-name
(Optional) Defines an IPv6 access list and enters IPv6 access list configuration mode.
• The access-list-name argument specifies the name of the IPv6 access control list (ACL). IPv6 ACL names cannot contain a space or quotation mark, or begin with a numeral.
Example:
Device(config)# ipv6 access-list pt-list1
Step 7 permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]]
(Optional) Specifies permit conditions for an IPv6 ACL.
Example:
Device(config-ipv6-acl)# permit ipv6 2001:DB8:bbbb:1::/64 any
Step 8 end
Exits IPv6 access list configuration mode, and returns to privileged EXEC mode.
Example:
Device(config-ipv6-acl)# end
Step 9 show ipv6 nat translations [icmp | tcp | udp] [verbose]
(Optional) Displays active NAT-PT translations.
• Use the optional icmp, tcp, and udp keywords to display detailed information about the NAT-PT translation events for the specified protocol.
• Use the optional verbose keyword to display more detailed information about the active translations.
Example:
Device# show ipv6 nat translations verbose
Step 10 show ipv6 nat statistics
Example:
Device# show ipv6 nat statistics
SUMMARY STEPS
1. enable
2. configure terminal
3. Configure one of the following commands:
• ipv6 nat v4v6 source ipv4-address ipv6-address
• ipv6 nat v4v6 source list {access-list-number | name} pool name
DETAILED STEPS
Step 2 configure terminal
Example:
Device# configure terminal
Step 3 Configure one of the following commands:
• ipv6 nat v4v6 source ipv4-address ipv6-address
Enables a static IPv4 to IPv6 address mapping using NAT-PT.
or
• ipv6 nat v4v6 source list {access-list-number | name} pool name
Enables a dynamic IPv4 to IPv6 address mapping using NAT-PT.
Example:
Device(config)# ipv6 nat v4v6 source 10.21.8.11 2001:DB8:yyyy::2
Device(config)# ipv6 nat v4v6 source list 1 pool v6pool
Step 4 ipv6 nat v4v6 pool name start-ipv6 end-ipv6 prefix-length prefix-length
Specifies a pool of IPv6 addresses to be used by NAT-PT for dynamic address mapping.
Example:
Device(config)# ipv6 nat v4v6 pool v6pool 2001:DB8:yyyy::1 2001:DB8:yyyy::2 prefix-length 128
Step 5 access-list {access-list-name | number} {deny | permit} [source source-wildcard] [log]
Specifies an entry in a standard IPv4 access list.
Example:
Device(config)# access-list 1 permit 192.168.30.0 0.0.0.255
SUMMARY STEPS
1. enable
2. configure terminal
3. Configure one of the following commands:
• ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name overload
• ipv6 nat v6v4 source {list access-list-name | route-map map-name} interface interface name
overload
DETAILED STEPS
Step 2 configure terminal
Example:
Device# configure terminal
Step 3 Configure one of the following commands:
• ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name overload
Enables a dynamic IPv6 to IPv4 address overload mapping using a pool address.
or
• ipv6 nat v6v4 source {list access-list-name | route-map map-name} interface interface name overload
Enables a dynamic IPv6 to IPv4 address overload mapping using an interface address.
Example:
Device(config)# ipv6 nat v6v4 source 2001:DB8:yyyy:1::1 10.21.8.10
Device(config)# ipv6 nat v6v4 source list pt-list1 pool v4pool overload
Step 4 ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length
Specifies a pool of IPv4 addresses to be used by NAT-PT for dynamic address mapping.
Example:
Device(config)# ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24
Step 5 ipv6 nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout} {seconds | never}
(Optional) Specifies the time after which NAT-PT translations time out.
Example:
Device(config)# ipv6 nat translation udp-timeout 600
Step 6 ipv6 access-list access-list-name
(Optional) Defines an IPv6 access list and enters IPv6 access list configuration mode.
• IPv6 ACL names cannot contain a space or quotation mark, or begin with a numeral.
Example:
Device(config)# ipv6 access-list pt-list1
Step 7 permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
(Optional) Specifies permit conditions for an IPv6 ACL.
Example:
Device(config-ipv6-acl)# permit ipv6 2001:DB8:bbbb:1::/64 any
Step 8 end
Exits IPv6 access list configuration mode and returns to privileged EXEC mode.
Example:
Device(config-ipv6-acl)# end
SUMMARY STEPS
1. enable
2. clear ipv6 nat translation *
3. debug ipv6 nat [detailed | port]
DETAILED STEPS
Step 2 clear ipv6 nat translation *
Clears dynamic Network Address Translation (NAT)-Port Translation (PT) entries from the dynamic translation state table.
• Use the * keyword to clear all dynamic NAT-PT translations.
Example:
Device# clear ipv6 nat translation *
Step 3 debug ipv6 nat [detailed | port]
Example:
Device# debug ipv6 nat detailed
interface Ethernet3/1
ipv6 address 2001:DB8:3002::9/64
ipv6 enable
ipv6 nat
!
interface Ethernet3/3
ip address 192.168.30.9 255.255.255.0
ipv6 nat
!
ipv6 nat v4v6 source 192.168.30.1 2001:DB8:0::2
ipv6 nat v6v4 source 2001:DB8:bbbb:1::1 10.21.8.10
ipv6 nat prefix 2001:DB8:0::/96
Example: Dynamic NAT-PT Configuration for IPv6 Hosts Accessing IPv4 Hosts
The following example configures the NAT-PT prefix globally, enables NAT-PT on two interfaces, and
configures one static NAT-PT mapping (used, for example, to access a DNS server). A dynamic NAT-PT
mapping is also configured to map IPv6 addresses to IPv4 addresses using a pool of IPv4 addresses named
v4pool. The packets to be translated by NAT-PT are filtered using an IPv6 access list named pt-list1. The
User Datagram Protocol (UDP) translation entries are configured to time out after 10 minutes. Ethernet
interface 3/1 is configured as IPv6 only, and Ethernet interface 3/3 is configured as IPv4 only.
interface Ethernet3/1
ipv6 address 2001:DB8:bbbb:1::9/64
ipv6 enable
ipv6 nat
!
interface Ethernet3/3
ip address 192.168.30.9 255.255.255.0
ipv6 nat
!
ipv6 nat v4v6 source 192.168.30.1 2001:DB8:0::2
ipv6 nat v6v4 source list pt-list1 pool v4pool
ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24
ipv6 nat translation udp-timeout 600
ipv6 nat prefix 2001:DB8:1::/96
!
ipv6 access-list pt-list1
permit ipv6 2001:DB8:bbbb:1::/64 any
Example: Dynamic NAT-PT Configuration for IPv4 Hosts Accessing IPv6 Hosts
The following example configures the NAT-PT prefix globally, enables NAT-PT on two interfaces, and
configures one static NAT-PT mapping (used, for example, to access a DNS server). A dynamic NAT-PT
mapping is also configured to map IPv4 addresses to IPv6 addresses using a pool of IPv6 addresses named
v6pool. The packets to be translated by NAT-PT are filtered using an access list named pt-list2. Ethernet
interface 3/1 is configured as IPv6 only, and Ethernet interface 3/3 is configured as IPv4 only.
interface Ethernet3/1
ipv6 address 2001:DB8:bbbb:1::9/64
ipv6 enable
ipv6 nat
!
interface Ethernet3/3
ip address 192.168.30.9 255.255.255.0
ipv6 nat
!
ipv6 nat v4v6 source list 72 pool v6pool
ipv6 nat v4v6 pool v6pool 2001:DB8:0::1 2001:DB8:0::2 prefix-length 128
Additional References
Related Documents
Related Topic: RFCs for IPv6
Document Title: IPv6 RFCs
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name: NAT-PT: Support for FTP ALG
Releases: 12.3(2)T
Feature Information: IPv6 provides FTP ALG support.
Feature Name: NAT-PT: Support for Overload
Releases: 12.3(2)T
Feature Information: This feature allows a single IPv4 address to be used among multiple sessions by multiplexing on the port number to associate several IPv6 users with a single IPv4 address.
SIP Messages
Entities that are present in a Session Initiation Protocol (SIP) deployment communicate with each other by
using well-defined SIP messages that take the form of requests and responses. These SIP messages can contain
embedded IP address or port information that might belong to a private domain, and such messages must be
fixed up when they pass through a Network Address Translation (NAT) device. Fixup denotes the writing of
the translated IP address back into the packet. This fixup is normally performed by an application-layer gateway
(also called an application-level gateway) (ALG) module that resides on the NAT device.
By default, support for SIP is enabled on the standard TCP port 5060 to exchange SIP messages. You can
also configure nonstandard ports for SIP to operate. NAT ALG accepts and attempts fixup operations on all
TCP segments that originate from or are destined to the configured SIP port. SIP message processing involves
performing the fixup operation on a complete SIP message. A TCP segment may carry multiple SIP messages.
It is also possible that a SIP message is segmented and carried in two different TCP segments.
SIP messages are text based. Any adjustment that is made to the message as part of the ALG fixup can cause the message to increase or decrease in size. A change in the message size means that the ALG must adjust the TCP sequence or acknowledgment numbers and keep track of those adjustments for the rest of the connection. There are cases where the ALG must send spoofed acknowledgments and handle TCP retransmission itself.
TCP proxy is an essential component that terminates a TCP connection passing through NAT ALG and
regenerates the TCP connection. This connection allows NAT ALG to modify the TCP payload without any
TCP session handling issues.
The table below identifies the six available SIP request messages.
CANCEL: Sent to end a call that has not yet been connected.
2xx (Successful)
• 200 = OK
SIP Functionality
Users in a SIP network are identified by unique SIP addresses. A SIP address is similar to an e-mail address and is in the format sip:userID@gateway.com. The userID can be either a username or an E.164 address. The gateway can be either a domain (with or without a hostname) or a specific internet IP address.
Note An E.164 address is a telephone number with a string of decimal digits, which uniquely indicates the
public network termination point. This address contains all information that is necessary to route a call to
a termination point.
Users register with a registrar server using their assigned SIP addresses. The registrar server provides SIP
addresses to the location server on request. The registrar server processes requests from user-agent clients
(UACs) for registration of their current locations.
When a user initiates a call, a SIP request is sent to a SIP server (either a proxy or a redirect server). The
request includes the address of the caller (in the From header field) and the address of the intended called
party (in the To header field).
A SIP end user might move between end systems. The location of the end user can be dynamically registered
with the SIP server. The location server can use one or more protocols (including Finger, RWhois, and
Lightweight Directory Access Protocol [LDAP]) to locate the end user. Because the end user can be logged
in at more than one station and the location server can sometimes have inaccurate information, the location
server might return more than one address for the end user. If the request is coming through a SIP proxy
server, the proxy server tries each of the returned addresses until it locates the end user. If the request is coming
through a SIP redirect server, the redirect server forwards all the addresses to the caller available in the Contact
header field of the invitation response.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service sip tcp port port-number
4. end
5. debug ip nat sip
DETAILED STEPS
Step 2 configure terminal
Example:
Device# configure terminal
Step 3 ip nat service sip tcp port port-number
Example:
Device(config)# ip nat service sip tcp port 8000
Step 5 debug ip nat sip
Displays SIP messages that NAT recognizes and the embedded IP addresses contained in those messages.
Example:
Device# debug ip nat sip
The following is sample output from the debug ip nat sip command:
Device# debug ip nat sip
May 23 14:11:17.243 IST: NAT-L4F:setting ALG_NEEDED flag in subblock for SIP message
May 23 14:11:17.243 IST: NAT-ALG: lookup=0 l7_bytes_recd=509 appl_type=7
May 23 14:11:17.243 IST: NAT-ALG: Complete SIP Message header of size: 376
May 23 14:11:17.243 IST: NAT: SIP: Translated global m=(192.168.122.3, 6000) -> (10.1.1.1, 6000)
May 23 14:11:17.243 IST: NAT: SIP: old_sdp_len:133 new_sdp_len :130
May 23 14:11:17.243 IST: l4f_send returns 497 bytes
May 23 14:11:17.243 IST: Complete buffer written to proxy
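The debug output above shows the two effects described in the SIP Messages section: the media address is rewritten and the SDP shrinks (old_sdp_len 133 to new_sdp_len 130), so the ALG owes the TCP connection a sequence-number correction. The following is an added example, not Cisco code: it performs a minimal fixup on a constructed INVITE, rewriting only the Via, From, To and Contact headers and the SDP o= and c= lines, restates Content-Length, and tracks the cumulative byte delta that outbound sequence and inbound acknowledgment numbers must be shifted by. The addresses, the message and the mapping table are constructed.

```python
"""Added example (not Cisco code): a minimal SIP ALG fixup on a constructed
INVITE, showing why the fixup changes the TCP payload length and what the ALG
must then do to TCP sequence and acknowledgment numbers.

Assumptions: only the Via, From, To and Contact headers and the SDP o=/c=
lines are rewritten; the addresses, message and mapping table are constructed.
"""
from typing import Dict, List, Tuple

# Constructed inside local -> inside global mapping; the pair matches the
# page's debug line "Translated global m=(192.168.122.3, 6000) -> (10.1.1.1, 6000)".
TRANSLATIONS: Dict[str, str] = {"192.168.122.3": "10.1.1.1"}

# Constructed INVITE headers and SDP body, CRLF line endings as on the wire.
# {length} is filled in by build_message().
HEADERS = (
    "INVITE sip:bob@10.1.2.5 SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.168.122.3:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@192.168.122.3>;tag=1928\r\n"
    "To: <sip:bob@10.1.2.5>\r\n"
    "Call-ID: a84b4c76e66710@192.168.122.3\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.122.3:5060;transport=tcp>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: {length}\r\n"
)
SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.122.3\r\n"
    "s=Call\r\n"
    "c=IN IP4 192.168.122.3\r\n"
    "t=0 0\r\n"
    "m=audio 6000 RTP/AVP 0\r\n"
)

REWRITTEN_HEADERS = ("Via", "From", "To", "Contact")   # address-bearing headers
REWRITTEN_SDP = ("o=", "c=")                           # SDP lines carrying an address


def build_message(headers: str, sdp: str) -> bytes:
    """Assemble a SIP message whose Content-Length matches its body."""
    body = sdp.encode()
    return headers.format(length=len(body)).encode() + b"\r\n" + body


def _translate(text: str, table: Dict[str, str]) -> str:
    for local, global_addr in table.items():
        text = text.replace(local, global_addr)
    return text


def fixup_sdp(sdp: str, table: Dict[str, str]) -> str:
    """Rewrite the embedded media address in the o= and c= lines."""
    lines: List[str] = []
    for line in sdp.split("\r\n"):
        if line.startswith(REWRITTEN_SDP):
            line = _translate(line, table)
        lines.append(line)
    return "\r\n".join(lines)


def fixup_headers(head: str, table: Dict[str, str], body_len: int) -> str:
    """Rewrite address-bearing headers and restate Content-Length for the new body."""
    lines: List[str] = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0]
        if name in REWRITTEN_HEADERS:
            line = _translate(line, table)
        elif name == "Content-Length":
            line = f"Content-Length: {body_len}"
        lines.append(line)
    return "\r\n".join(lines)


def alg_fixup(msg: bytes, table: Dict[str, str]) -> Tuple[bytes, int]:
    """Return the fixed-up message and the byte delta the ALG introduced."""
    head, _, body = msg.decode().partition("\r\n\r\n")
    new_body = fixup_sdp(body, table)
    new_head = fixup_headers(head, table, len(new_body.encode()))
    new_msg = (new_head + "\r\n\r\n" + new_body).encode()
    return new_msg, len(new_msg) - len(msg)


class SeqTracker:
    """Cumulative payload delta in one direction of a TCP connection.

    Once the ALG has grown or shrunk earlier segments by `delta` bytes, the
    outside peer's view of the byte stream is offset by that amount: outbound
    sequence numbers are shifted by +delta, inbound acknowledgments by -delta,
    before they reach the inside host (modulo 2^32).
    """

    def __init__(self) -> None:
        self.delta = 0

    def record(self, delta: int) -> None:
        self.delta += delta

    def outbound_seq(self, seq: int) -> int:
        return (seq + self.delta) & 0xFFFFFFFF

    def inbound_ack(self, ack: int) -> int:
        return (ack - self.delta) & 0xFFFFFFFF


if __name__ == "__main__":
    original = build_message(HEADERS, SDP)
    fixed, delta = alg_fixup(original, TRANSLATIONS)
    print(fixed.decode())
    print(f"old_len={len(original)} new_len={len(fixed)} delta={delta}")
    tracker = SeqTracker()
    tracker.record(delta)
    print("inside host's next seq 1497 is sent as", tracker.outbound_seq(1497))
```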
Additional References
Standards and RFCs
Standard/RFC: RFC 2543
Title: SIP: Session Initiation Protocol
Table 19: Feature Information for NAT TCP SIP ALG Support
When route maps are used to allocate global addresses, the global address can allow return traffic, and the
return traffic is allowed only if the return traffic matches the defined route map in the reverse direction. The
outside-to-inside functionality remains unchanged (by not creating additional entries to allow the return traffic
for a route-map-based dynamic entry) unless you configure the reversible keyword with the ip nat inside
source command.
Note
• Access lists with reversible route maps must be configured to match the inside-to-outside traffic.
• Only IP hosts that are part of the route-map configuration will allow outside sessions.
• Outside-to-inside support is not available with PAT.
• Outside sessions must use an access list.
• The match interface and match ip next-hop commands are not supported for reversible route maps.
• Reversible route maps are not supported for static NAT.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip netmask netmask
4. ip nat inside source route-map name pool name reversible
5. exit
DETAILED STEPS
Step 2 configure terminal
Example:
Router# configure terminal
Step 3 ip nat pool name start-ip end-ip netmask netmask
Defines a pool of network addresses for NAT.
Example:
Router(config)# ip nat pool POOL-A 192.168.201.4 192.168.201.6 netmask 255.255.255.128
Step 4 ip nat inside source route-map name pool name reversible
Example:
Router(config)# ip nat inside source route-map MAP-A pool POOL-A reversible
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip netmask netmask
4. ip nat pool name start-ip end-ip netmask netmask
5. ip nat inside source route-map name pool name [reversible]
6. ip nat inside source route-map name pool name [reversible]
7. end
DETAILED STEPS
Step 2 configure terminal
Example:
Device# configure terminal
Step 3 ip nat pool name start-ip end-ip netmask netmask
Defines a pool of network addresses for NAT.
Example:
Device(config)# ip nat pool POOL-A 192.168.201.4 192.168.201.6 netmask 255.255.255.128
Step 4 ip nat pool name start-ip end-ip netmask netmask
Defines a pool of network addresses for NAT.
Example:
Device(config)# ip nat pool POOL-B 192.168.201.7 192.168.201.9 netmask 255.255.255.128
Step 5 ip nat inside source route-map name pool name [reversible]
Enables outside-to-inside initiated sessions to use route maps for destination-based NAT.
Example:
Device(config)# ip nat inside source route-map MAP-A pool POOL-A reversible
Step 6 ip nat inside source route-map name pool name [reversible]
Enables outside-to-inside initiated sessions to use route maps for destination-based NAT.
Example:
Device(config)# ip nat inside source route-map MAP-B pool POOL-B reversible
Table 20: Feature Information for NAT Route Maps Outside-to-Inside Support