NAT Configuration III
Clearing Dynamic Translations
clear ip nat translation
- Use to clear dynamic translations from the NAT translation table.
- Use an asterisk (*) in the clear ip nat translation * version of this command to clear all dynamic translations from the translation table.
- Use an asterisk (*) in the clear ip nat translation { gre | icmp | tcp | udp } inside insideGlobalIpAddress * insideLocalIpAddress * version of this command to match any global or local port and remove the inside source extended GRE, ICMP, TCP, or UDP translations for the specified global IP address and local IP address.
- Example 1—Clear all dynamic translations
host1#clear ip nat translation *
- Example 2—Clear a specific inside source extended TCP translation
host1#clear ip nat translation tcp inside 171.69.68.10 10.1.2.3 55
NAT Configuration Examples
This section contains NAT configuration examples for a single virtual router configuration and for NAT translation between two virtual routers.
NAPT Example
Figure 6 illustrates a NAPT configuration for a private network with two inside subnetworks, a field office, and a corporate office. Both offices use private addresses. The corporate office has a dual T-3 link and a public FTP server that has a global address (that is, it does not need translation).
The address pool consists of three addresses (the number of addresses is small because NAPT is used). Addresses matching the private address spaces of the corporate and field subnetworks are translated to global addresses from the pool through NAPT.
- Enter the correct virtual router context.
host1(config)#virtual-router blue
- Mark the inside interfaces.
  - Mark the field office:
host1:blue(config)#interface serial 2/1:1/1
host1:blue(config-interface)#ip nat inside
host1:blue(config-interface)#exit
  - Mark the two corporate T-3 links:
host1:blue(config)#interface serial 1/1
host1:blue(config-interface)#ip nat inside
host1:blue(config-interface)#exit
host1:blue(config)#interface serial 1/2
host1:blue(config-interface)#ip nat inside
host1:blue(config-interface)#exit
- Mark the outside interface.
host1:blue(config)#interface gigabitEthernet 3/0.1
host1:blue(config-interface)#ip nat outside
host1:blue(config-interface)#exit
- Create a static nil-translation for the FTP server on the corporate network.
host1:blue(config)#ip nat inside source static tcp 190.22.8.18 21 190.22.8.18 21
- Create the address pool for dynamic translations.
host1:blue(config)#ip nat pool corpxyz 192.32.6.4 192.32.6.7 prefix-length 24
- Create the access list for addresses eligible for dynamic translation.
host1:blue(config)#access-list justcorp permit 10.10.1.0 0.0.0.255
host1:blue(config)#access-list justcorp permit 10.10.2.0 0.0.0.255
- Create the NAPT dynamic translation rule.
host1:blue(config)#ip nat inside source list justcorp pool corpxyz overload
- Configure a default route to the outside interface.
host1:blue(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 3/0.1
- Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.
host1:blue(config)#ip route 192.32.6.0 255.255.255.248 null 0
NOTE: The null route also covers 192.32.6.0 through 192.32.6.3, which are not in the address pool.
All hosts that use private addresses in both the field office and the corporate office must have their addresses translated to one of the addresses in the pool. Because this example uses NAPT, many inside hosts can share a single pool address; how many of the pool addresses are in use at any given time depends on the number of inside hosts attempting to access the outside.
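The two pieces of behaviour described above, NAPT overloading of a small pool and the wildcard matching of clear ip nat translation, as an added toy model (this is example code written for this page, not JunosE software). The pool, access list and FTP nil-translation are the ones from the NAPT example; the class and function names, the port allocation order (lowest free port on the first pool address with room), the 1024-65535 port range and the sample hosts are assumptions.

```python
# Added example (not JunosE code): toy model of the NAPT rule above and of the
# 'clear ip nat translation' wildcard semantics.  Allocation order, port
# range, names and sample hosts are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    prot: str              # tcp / udp / icmp / gre
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int
    static: bool = False   # static entries are never removed by clear()


class Napt:
    def __init__(self, pool_first, pool_last, eligible, ports=(1024, 65535)):
        lo = int(ipaddress.IPv4Address(pool_first))
        hi = int(ipaddress.IPv4Address(pool_last))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.eligible = [ipaddress.IPv4Network(n) for n in eligible]  # the access list
        self.ports = ports
        self.table = {}   # (prot, inside_local, local_port) -> Entry
        self.used = {}    # (prot, inside_global) -> set of global ports in use

    def add_static(self, prot, local, lport, glob, gport):
        entry = Entry(prot, local, lport, glob, gport, static=True)
        self.table[(prot, local, lport)] = entry
        self.used.setdefault((prot, glob), set()).add(gport)
        return entry

    def translate(self, prot, src_ip, src_port):
        """Entry used for an outbound packet; a dynamic one is created when the
        source matches the access list.  None means 'forwarded directly'."""
        key = (prot, src_ip, src_port)
        if key in self.table:
            return self.table[key]
        if not any(ipaddress.IPv4Address(src_ip) in n for n in self.eligible):
            return None
        for gip in self.pool:  # overload: one global address serves many ports
            used = self.used.setdefault((prot, gip), set())
            for gport in range(self.ports[0], self.ports[1] + 1):
                if gport not in used:
                    used.add(gport)
                    entry = Entry(prot, src_ip, src_port, gip, gport)
                    self.table[key] = entry
                    return entry
        raise RuntimeError("dynamic entry limit reached: pool exhausted")

    def clear(self, prot=None, inside_global=None, global_port=None,
              inside_local=None, local_port=None):
        """Mirror 'clear ip nat translation': every argument left as None acts
        like the CLI asterisk and matches anything; no arguments at all clears
        every dynamic entry.  Returns the number of entries removed."""
        want = (prot, inside_global, global_port, inside_local, local_port)
        removed = 0
        for key, e in list(self.table.items()):
            have = (e.prot, e.inside_global, e.global_port, e.inside_local, e.local_port)
            if e.static or any(w is not None and w != h for w, h in zip(want, have)):
                continue
            del self.table[key]
            self.used[(e.prot, e.inside_global)].discard(e.global_port)
            removed += 1
        return removed

    def dynamic_count(self):
        return sum(1 for e in self.table.values() if not e.static)


def demo():
    nat = Napt("192.32.6.4", "192.32.6.7", ["10.10.1.0/24", "10.10.2.0/24"])
    nat.add_static("tcp", "190.22.8.18", 21, "190.22.8.18", 21)  # FTP nil-translation
    a = nat.translate("tcp", "10.10.1.5", 40000)   # field office host (assumed)
    b = nat.translate("tcp", "10.10.2.9", 40000)   # corporate host, same local port
    return {
        "a": (a.inside_global, a.global_port),
        "b": (b.inside_global, b.global_port),
        "not_eligible": nat.translate("tcp", "172.16.0.1", 5000),  # not in the list
        "dynamic_before": nat.dynamic_count(),
        # clear ip nat translation tcp inside 192.32.6.4 * 10.10.1.5 *
        "cleared_specific": nat.clear(prot="tcp", inside_global="192.32.6.4",
                                      inside_local="10.10.1.5"),
        # clear ip nat translation *
        "cleared_all": nat.clear(),
        "static_kept": ("tcp", "190.22.8.18", 21) in nat.table,
    }


if __name__ == "__main__":
    print(demo())
```

Two hosts using the same local port end up on the same global address with different global ports, which is the overload behaviour the example relies on; the wildcard clear removes only dynamic entries, so the static nil-translation for the FTP server survives both clears.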
Bidirectional NAT Example
Figure 7 illustrates how outside hosts can initiate conversations with inside hosts through the use of a DNS server that resides on the inside network.
The inside realm uses basic NAT. The inside network uses a mix of private subnetwork address space (192.168.22.0/24) and registered public addresses.
- Enter the correct virtual router context.
host1(config)#virtual-router blue
- Mark the inside interface.
host1:blue(config)#interface serial 1/1:1/1
host1:blue(config-interface)#ip nat inside
host1:blue(config-interface)#exit
- Mark the outside interface.
host1:blue(config)#interface gigabitEthernet 3/0.1
host1:blue(config-interface)#ip nat outside
host1:blue(config-interface)#exit
- Create the static translation for the DNS server.
host1:blue(config)#ip nat inside source static 192.168.22.2 192.32.6.1
- Create the address pool for dynamic translations.
host1:blue(config)#ip nat pool entA192 192.32.6.2 192.32.6.63 prefix-length 24
- Create the access list for addresses eligible for dynamic translation (that is, private addresses).
host1:blue(config)#access-list entA permit 192.168.22.0 0.0.0.255
- Create the dynamic translation rule.
host1:blue(config)#ip nat inside source list entA pool entA192
- Configure a default route to the outside interface.
host1:blue(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 3/0.1
- Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.
host1:blue(config)#ip route 192.32.6.0 255.255.255.192 null 0
NOTE: The null route also covers 192.32.6.0 and 192.32.6.1, which are not in the address pool.
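The two NOTEs above (for the NAPT pool and for this pool) are the kind of thing worth checking mechanically: a null route that misses part of the pool leaves those inside global addresses exposed to the routing loop the route is meant to prevent, while a route that is wider than the pool silently blackholes addresses that are not pool members. The following is an added example written for this page, not JunosE code; it takes the pool and null-route values from the two examples above and works for any pool/route pair, including the Twice NAT pool later on. The function names and the statics parameter are assumptions.

```python
# Added example (not JunosE code): compare an 'ip nat pool FIRST LAST' range
# with the 'ip route ADDR MASK null 0' prefix installed for it.
import ipaddress


def address_range(first, last):
    """All addresses from first to last inclusive (a NAT pool range)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return {ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)}


def check_null_route(pool_first, pool_last, route_addr, route_mask, statics=()):
    """Return a report with:
    ok        - True when every pool address is covered by the null route
    uncovered - pool addresses the null route misses (loop risk when no
                translation matches)
    extra     - null-routed addresses that are not in the pool and not used
                by a static translation
    static    - null-routed addresses outside the pool that a static
                translation does use (the DNS server case above)"""
    route = ipaddress.IPv4Network(f"{route_addr}/{route_mask}", strict=False)
    pool = address_range(pool_first, pool_last)
    static_set = {ipaddress.IPv4Address(s) for s in statics}
    uncovered = sorted(a for a in pool if a not in route)
    extra = sorted(a for a in route if a not in pool)
    return {
        "route": str(route),
        "ok": not uncovered,
        "uncovered": [str(a) for a in uncovered],
        "extra": [str(a) for a in extra if a not in static_set],
        "static": [str(a) for a in extra if a in static_set],
    }


if __name__ == "__main__":
    # NAPT example: pool 192.32.6.4-192.32.6.7, null route 192.32.6.0/29
    print(check_null_route("192.32.6.4", "192.32.6.7", "192.32.6.0", "255.255.255.248"))
    # Bidirectional example: pool .2-.63, null route /26, static DNS at .1
    print(check_null_route("192.32.6.2", "192.32.6.63", "192.32.6.0",
                           "255.255.255.192", statics=["192.32.6.1"]))
    # A deliberately wrong mask (/30) that would leave the NAPT pool uncovered
    print(check_null_route("192.32.6.4", "192.32.6.7", "192.32.6.0", "255.255.255.252"))
```

For the NAPT example the report lists 192.32.6.0 through 192.32.6.3 as extra and nothing as uncovered, matching its NOTE; for this example it lists 192.32.6.0 as extra and 192.32.6.1 as a static translation. The third call shows the failure mode: with a /30 mask all four pool addresses are uncovered and the report flags ok as False.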
Twice NAT Example
Twice NAT is often useful when the inside network is using a nonprivate address space (unregistered usage of global address space) and you want it to connect to the public network. Inside local addresses need to be translated to legal global addresses. Legal addresses from the outside that overlap those used on the inside network need to be translated to unused and recognizable addresses in the inside network. Both inside source and outside source translations must be configured on the NAT router.
Figure 8 illustrates how the inside network is using the unregistered global address space of 15.12.0.0/16. Outside hosts whose addresses overlap with this subnetwork and that want to access the inside network need their global addresses translated.
- Enter the correct virtual router context.
host1(config)#virtual-router blue
- Mark the inside interface.
host1:blue(config)#interface fast-ethernet 6/1
host1:blue(config-interface)#ip nat inside
host1:blue(config-interface)#exit
- Mark the outside interface.
host1:blue(config)#interface atm 3/0.20
host1:blue(config-interface)#ip nat outside
host1:blue(config-interface)#exit
- Create the address pool for inside source translations.
host1:blue(config)#ip nat pool entAoutpool 12.220.1.0 12.220.255.255 prefix-length 16
NOTE: This pool is purposely smaller than the size of the company network because not all private hosts are likely to access the public network at the same time.
- Create the access list for addresses eligible for dynamic translation.
host1:blue(config)#access-list entAout permit 15.12.0.0 0.0.255.255
- Create the dynamic translation rule for outbound traffic.
host1:blue(config)#ip nat inside source list entAout pool entAoutpool
- Create the address pool for outside source translations. Using an address range of 10.1.32.0/8 prevents any overlap with the private network (15.12.0.0/16).
host1:blue(config)#ip nat pool entAinpool 10.1.32.1 10.1.32.255 prefix-length 16
NOTE: This pool is purposely small, allowing for only a few connections.
- Configure the access list for global addresses that overlap with inside addresses.
host1:blue(config)#access-list entAin permit 15.12.0.0 0.0.255.255
- Create the dynamic translation rule for inbound traffic.
host1:blue(config)#ip nat outside source list entAin pool entAinpool
- Create one of the following:
  - A route to the outside interface for inside hosts to access outside hosts that have overlapping addresses.
host1:blue(config)#ip route 10.1.32.0 255.255.255.0 atm 3/0.1
  - A default route to the outside interface.
host1:blue(config)#ip route 0.0.0.0 0.0.0.0 atm 3/0.1
- Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.
host1:blue(config)#ip route 12.220.1.0 255.255.0.0 null 0
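To make the two halves of the Twice NAT configuration concrete, here is an added walk-through of a packet in each direction through the rules above, with both an inside source and an outside source translation applied (example code written for this page, not JunosE software). The pools and access lists are the ones from the example; the host addresses, the allocation order (lowest free pool address), how the inside host learns the outside local address (the page does not say), and the class and function names are assumptions.

```python
# Added example (not JunosE code): toy walk-through of twice NAT with the
# entAout/entAoutpool and entAin/entAinpool rules configured above.
import ipaddress


def addresses(first, last):
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]


class TwiceNat:
    def __init__(self, inside_acl, inside_pool, outside_acl, outside_pool):
        self.inside_acl = ipaddress.IPv4Network(inside_acl)     # access-list entAout
        self.outside_acl = ipaddress.IPv4Network(outside_acl)   # access-list entAin
        in_pool, out_pool = addresses(*inside_pool), addresses(*outside_pool)
        self.inside_pool, self.inside_alloc = set(in_pool), iter(in_pool)      # entAoutpool
        self.outside_pool, self.outside_alloc = set(out_pool), iter(out_pool)  # entAinpool
        self.in_l2g, self.in_g2l = {}, {}    # inside local  <-> inside global
        self.out_g2l, self.out_l2g = {}, {}  # outside global <-> outside local

    def outbound(self, src, dst):
        """Packet received on the inside interface.  Returns (src, dst) as it
        leaves the outside interface, or None when the translator discards it
        (destination is an outside local address with no translation)."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if s in self.inside_acl:                    # inside source translation
            if s not in self.in_l2g:
                g = next(self.inside_alloc, None)
                if g is None:
                    return None                     # pool exhausted: allocation failure
                self.in_l2g[s], self.in_g2l[g] = g, s
            s = self.in_l2g[s]
        if d in self.outside_pool:                  # outside local -> outside global
            if d not in self.out_l2g:
                return None
            d = self.out_l2g[d]
        return str(s), str(d)

    def inbound(self, src, dst):
        """Packet received on the outside interface.  Returns (src, dst) as it
        leaves the inside interface, or None when no entry exists for the
        inside global destination (the case the null route is there for)."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if d in self.inside_pool:                   # inside global -> inside local
            if d not in self.in_g2l:
                return None
            d = self.in_g2l[d]
        if s in self.outside_acl:                   # overlapping global -> outside local
            if s not in self.out_g2l:
                local = next(self.outside_alloc, None)
                if local is None:
                    return None
                self.out_g2l[s], self.out_l2g[local] = local, s
            s = self.out_g2l[s]
        return str(s), str(d)


def demo():
    nat = TwiceNat("15.12.0.0/16", ("12.220.1.0", "12.220.255.255"),
                   "15.12.0.0/16", ("10.1.32.1", "10.1.32.255"))
    return {
        # inside host to a non-overlapping outside host: only the SA changes
        "out_plain": nat.outbound("15.12.0.10", "198.51.100.7"),
        # overlapping outside host 15.12.200.5 reaches inside global 12.220.1.0
        "in_new": nat.inbound("15.12.200.5", "12.220.1.0"),
        # the inside host replies to the outside local address it saw
        "out_reply": nat.outbound("15.12.0.10", "10.1.32.1"),
        # inside global address with no translation: discarded by translator
        "in_no_entry": nat.inbound("15.12.200.5", "12.220.1.1"),
        # outside local address that was never allocated
        "out_unmapped": nat.outbound("15.12.0.10", "10.1.32.9"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The reply packet is the interesting one: its source is rewritten by the inside source rule and its destination by the outside source rule in the same pass, which is what makes the overlapping 15.12.0.0/16 addresses on both sides unambiguous to the router.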
Cross-VRF Example
In MPLS VPN configurations, you might want to offer public Internet access to VPN subscribers. MPLS VPNs are enabled through the use of VRFs. If a VPN is using a private or overlapping address space, you can use NAT to enable access to the public network because the NAT implementation is both VR and VRF aware. Figure 9 illustrates how the subscriber interface feature of the router is used in conjunction with NAT to connect the VPNs to the public network.
VRF11 is the local (this PE) representation of the MPLS VPN and connects enterpriseA to the VPN. Enterprise A communicates to VRFs in other PE devices (the rest of the VPN) through RFC2547bis (MPLS VPNs). VR1, of which the VRF is administratively a member, represents the public network. The interface to EnterpriseA is marked as an inside interface. The normal steps for configuring inside source translation are applied. A subscriber interface is created off the uplink to the core network and anchored in the VRF. A DA-based demultiplexer matching the inside global address range is configured on the subscriber interface. The subscriber interface is marked as an outside interface.
- Enter the correct virtual routing and forwarding instance.
host1(config)#virtual-router vr1:vrf11
- Mark the inside interfaces.
host1:vr1:vrf11(config)#interface fast-ethernet 6/1
host1:vr1:vrf11(config-interface)#ip nat inside
host1:vr1:vrf11(config-interface)#exit
- Set the primary interface to DA-type demultiplexer (for subsequent shared interfaces).
host1:vr1(config)#interface atm 12/0.101
host1:vr1(config-interface)#ip demux-type da-prefix
host1:vr1(config-interface)#exit
host1:vr1(config)#virtual-router vr1:vrf11
- Create the address pool for dynamic translations.
host1:vr1:vrf11(config)#ip nat pool entApool 128.13.44.0 128.13.44.255 prefix-length 24
- Create the access list for addresses eligible for dynamic translation.
host1:vr1:vrf11(config)#access-list entA permit 10.16.5.0 0.0.0.255
- Create the dynamic translation rule.
host1:vr1:vrf11(config)#ip nat inside source list entA pool entApool
- Create the subscriber interface off the uplink.
host1:vr1:vrf11(config)#interface ip vrf11vr1
host1:vr1:vrf11(config-interface)#ip share-interface atm 12/0.101
host1:vr1:vrf11(config-interface)#ip unnumbered loopback 1
- Configure a group of destination prefixes with which the device can communicate on the public network.
host1:vr1:vrf11(config-interface)#ip destination-prefix 128.13.44.0 255.255.255.0
- Mark the subscriber interface as outside.
host1:vr1:vrf11(config-interface)#ip nat outside
host1:vr1:vrf11(config-interface)#exit
- Point the default route to the shared interface.
host1:vr1:vrf11(config)#ip route 0.0.0.0 0.0.0.0 ip vrf11vr1
- Install a null route to avoid routing loops to the inside global addresses.
host1:vr1:vrf11(config)#ip route 128.13.44.0 255.255.255.0 null 0
show ip nat Command Field Descriptions
The following field descriptions apply to the show ip nat commands illustrated in Monitoring NAT.
show ip nat statistics
- Last dynamic allocation failure—Completion status of the most recent dynamic allocation failure
- Dynamic entry limit was reached—Number of times the router attempted dynamic allocation but reached the dynamic allocation entry limit
- Current static translation entries
  - Inside Source Simple—Number of inside source simple static translations
  - Outside Source Simple—Number of outside source simple static translations
  - Inside Source Extended—Number of inside source extended static translations
  - Outside Source Extended—Number of outside source extended static translations
- Dynamic Translation Type—Type of dynamic translation (inside source simple, outside source simple, inside source extended)
  - Current—Current number of dynamic translations of the associated translation type
  - Peak—Peak number of dynamic translations of the associated translation type
  - Accumulated—Accumulated number of dynamic translations of the associated type; this value reflects the accumulation of dynamic translations since the last router reboot operation
  - Failed—Total number of installation attempts that failed for the associated translation type
- Forwarding statistics for packets received on inside or outside interfaces
  - forwarded directly—Number of packets forwarded directly (that is, without the need for translation)
  - forwarded through translator—Number of packets forwarded through the NAT translator
  - discarded—Number of packets discarded immediately upon receipt
  - discarded by translator—Number of packets discarded by the NAT translator when no matching translation could be located
show ip nat translations
- Prot—Protocol (TCP, UDP, ICMP, or GRE) for this translation entry; this field appears only for extended table entries
- Inside local—Inside local IP address for this translation entry; for extended entries, this field also provides the port number, separated by a colon (:)
- Inside global—Inside global IP address for this translation entry; for extended entries, this field also provides the port number, separated by a colon (:)
- Outside global—Outside global IP address for this translation entry; for extended entries, this field also provides the port number, separated by a colon (:)
- Outside local—Outside local IP address for this translation entry; for extended entries, this field also provides the port number, separated by a colon (:)
- Time since creation—Amount of time elapsed since the translation entry appeared in the translation table
- Time since last use—Amount of time elapsed since the translation entry was last used
show ip nat pool
- pool—Name of the address pool
- netmask—Network prefix associated with the NAT address pool
- prefix length—Prefix length associated with the NAT address pool
- range—Address ranges used by this NAT address pool
show ip nat inside rule
- Use to display NAT access list and pool usage information for inside source translation rules.
- Field descriptions
  - access list name—Name of the access list
  - pool name—Name of the address pool
  - rule type—Type of rule assigned
show ip nat outside rule
- Use to display NAT access list and pool usage information for outside source translation rules.
- Field descriptions
  - access list name—Name of the access list
  - pool name—Name of the address pool
  - rule type—Type of rule assigned
Tunnel Configuration Through NAT Examples
PPTP uses enhanced GRE encapsulation for PPP payloads. After the PPTP tunnel setup process, PPP packets are exchanged using GRE encapsulation. It is critical that a NAT device that resides between the PPTP client and the PPTP server allows GRE flows. This section contains NAT configuration examples for both inside and outside PPTP tunnel setup through NAT.
Clients on an Inside Network
In this example, a subscriber on the inside network is initiating PPTP tunnels to a PPTP server located in the outside network. The PPTP connection to the server traverses an E-series router that has NAT enabled. The router has installed an inside source static simple translation in its translation table as follows:
The PPTP client initiates its tunnels to the server at 11.11.11.1. The E-series router translates the SA from inside local 13.1.2.3 to inside global SA 20.0.0.1. Because GRE traffic can pass through NAT, all matching PPTP control packets are translated and forwarded to the destination.
Clients on an Outside Network
In this example, an outside subscriber initiates PPTP tunnels to a PPTP server located in the service provider network. The PPTP connection to the server traverses an E-series router that has NAT enabled. The router has installed an inside source static simple translation in its translation table as follows:
The PPTP client initiates its tunnels to the inside global address 20.0.0.1. The E-series router translates packets destined for address 20.0.0.1 and forwards them to the inside local address of 11.11.11.1. Because GRE traffic can pass through NAT, all matching PPTP control packets are translated and forwarded to the destination.
GRE Flows Through NAT
Because PPTP requires the use of GRE flows, the examples in the previous section also work for any GRE traffic flows that traverse NAT. GRE flows can terminate at an E-series router whether or not NAT is enabled. When the router receives locally terminating inbound GRE packets, the router transmits the packets to the tunnel server module for GRE processing. If the packets require translating, they are again sent through the tunnel server module.
NOTE: Only inner IP headers are translated for terminating GRE flows; outer IP headers are never translated.
For outbound GRE packets, the process works in reverse. If the packets require translation, the router transmits the packets to the tunnel server module for translation. If the packets are destined for a GRE tunnel, they are again sent through the tunnel server module, where an outer header is prepended to the packet, and the packet is then sent to the appropriate GRE tunnel.
Monitoring NAT
Use the show commands in this section to view NAT license information, NAT statistics, NAT translation entries, NAT address pool information, and NAT inside and outside rule settings.
Displaying the NAT License Key
The show license nat command displays the NAT license key.
show license nat
host1#show license nat
Nat license is nat_license
Displaying Translation Statistics
The show ip nat statistics command displays internal statistics that apply to NAT operation.
show ip nat statistics
host1#show ip nat statistics
NAT database statistics for virtual router vr1:
--------------------------------------------------------------
Last dynamic allocation failure: normal, successful completion
Dynamic entry limit was reached 10318 times
Current static translation entries:
-----------------------------------------
Inside Source Simple:    10
Outside Source Simple:   3
Inside Source Extended:  8
Outside Source Extended: 12
Dynamic
Translation Type       Current    Peak       Accumulated Failed
---------------------- ---------- ---------- ----------- ----------
Inside Source Simple   69999      69999      69999       12568
Outside Source Simple  4518       4518       4518        25
Inside Source Extended 70000      70000      70000       568
Fully Extended         26855      26855      26855       2565
Forwarding statistics for virtual router vr1:
------------------------------------------------------------------------
Packets received on inside interface and
  forwarded directly            8
  forwarded through translator  111763104
  discarded                     2
  discarded by translator       28524565
Bytes received on inside interface and
  forwarded directly            544
  forwarded through translator  5141098074
Packets received on outside interface and
  forwarded directly            7
  forwarded through translator  1031624
  discarded                     3
  discarded by translator       578961
Bytes received on outside interface and
  forwarded directly            476
  forwarded through translator  47454704
Displaying Translation Entries
The show ip nat translations command displays the current translations that reside in the translation table.
Simple translation entries appear with inside/outside and local/global address information. Extended entries appear with added protocol and port numbers (or query IDs). Using verbose mode additionally provides the time since creation and the time since last use for each translation entry.
show ip nat translations
host1#show ip nat translations
Prot Inside local    Inside global   Outside global Outside local
---- --------------- --------------- -------------- ----------------
GRE  13.1.2.1:*      20.0.0.1:*      ---            ---
ICMP 13.1.2.2:4      20.0.0.2:4      ---            ---
TCP  13.1.2.3:20     20.0.0.3:50     ---            ---
NOTE: Because they are not NAPT translations, port numbers for GRE translations appear as asterisks (*).
host1#show ip nat translations verbose
                                                                    Time         Time
     Inside        Inside          Outside         Outside         since        since
Prot local         global          global          local           creation     last use
---- ------------- --------------- --------------- --------------- ------------ ------------
     20.0.0.3      30.0.0.3        ---             ---             00:04:50     00:00:01
     21.0.0.3      30.208.0.3      ---             ---             00:02:12     00:00:01
     21.0.0.4      30.208.0.4      ---             ---             00:02:12     00:00:01
     ---           ---             50.0.0.3        70.0.0.3        00:03:24     Never
     ---           ---             51.0.0.3        70.208.0.3      00:01:44     00:00:01
     ---           ---             51.0.0.4        70.208.0.4      00:01:44     00:00:01
UDP  ---           ---             50.50.0.3:87    70.50.0.3:8108  00:03:10     Never
UDP  22.0.0.4:63   30.224.0.3:4097 ---             ---             00:02:12     00:00:01
UDP  22.0.0.3:63   30.224.0.3:4096 ---             ---             00:02:12     00:00:01
TCP  ---           ---             50.50.0.3:80    70.50.0.3:8008  00:03:10     Never
UDP  20.50.0.3:87  30.50.0.3:8108  ---             ---             00:03:35     Never
Displaying Address Pool Information
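When the translation table has thousands of entries, the output above is something you process rather than read, for instance to spot entries whose port was rewritten by NAPT or entries that were created but never used. The following parser is an added example written for this page, not JunosE software; the sample text is constructed here, modelled on the rows shown above (the three non-verbose rows and three verbose-style rows), and the record layout and function names are assumptions.

```python
# Added example (not JunosE code): parser for 'show ip nat translations'
# output, with and without 'verbose', as shown on this page.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = {"TCP", "UDP", "ICMP", "GRE"}

# Constructed sample, modelled on the page's output.
SAMPLE = """\
host1#show ip nat translations
Prot Inside local    Inside global   Outside global Outside local
---- --------------- --------------- -------------- ----------------
GRE  13.1.2.1:*      20.0.0.1:*      ---            ---
ICMP 13.1.2.2:4      20.0.0.2:4      ---            ---
TCP  13.1.2.3:20     20.0.0.3:50     ---            ---
"""

# Constructed sample with the verbose columns (simple entries carry no Prot).
SAMPLE_VERBOSE = """\
host1#show ip nat translations verbose
                                                    Time         Time
     Inside       Inside          Outside       Outside        since        since
Prot local        global          global        local          creation     last use
---- ------------ --------------- ------------- -------------- ------------ ------------
     20.0.0.3     30.0.0.3        ---           ---            00:04:50     00:00:01
UDP  22.0.0.4:63  30.224.0.3:4097 ---           ---            00:02:12     00:00:01
TCP  ---          ---             50.50.0.3:80  70.50.0.3:8008 00:03:10     Never
"""

# (ip, port); port is None for simple entries and for the GRE '*' placeholder.
Endpoint = Optional[Tuple[str, Optional[int]]]


@dataclass
class Translation:
    prot: Optional[str]          # None for simple (address-only) entries
    inside_local: Endpoint
    inside_global: Endpoint
    outside_global: Endpoint
    outside_local: Endpoint
    since_creation: Optional[str] = None
    since_last_use: Optional[str] = None

    @property
    def extended(self) -> bool:
        return self.prot is not None


def parse_endpoint(token: str) -> Endpoint:
    """'---' -> None; '1.2.3.4' -> ('1.2.3.4', None); '1.2.3.4:*' -> port None."""
    if token == "---":
        return None
    ip, _, port = token.partition(":")
    return (ip, None if port in ("", "*") else int(port))


def parse_translations(text: str) -> List[Translation]:
    rows = []
    for line in text.splitlines():
        toks = line.split()
        # skip the command echo, the header lines and the dashed separator
        if len(toks) < 4 or "#" in toks[0] or toks[0].startswith("----") \
                or toks[0] in ("Prot", "Inside", "Time"):
            continue
        prot = toks.pop(0) if toks[0] in PROTOCOLS else None
        if len(toks) not in (4, 6):
            raise ValueError(f"unexpected column count: {line!r}")
        endpoints = [parse_endpoint(t) for t in toks[:4]]
        times = toks[4:6] or [None, None]
        rows.append(Translation(prot, *endpoints, *times))
    return rows


def napt_entries(rows: List[Translation]) -> List[Translation]:
    """Entries whose inside port was rewritten, i.e. local port != global port."""
    out = []
    for r in rows:
        if r.inside_local and r.inside_global:
            lp, gp = r.inside_local[1], r.inside_global[1]
            if lp is not None and gp is not None and lp != gp:
                out.append(r)
    return out


def never_used(rows: List[Translation]) -> List[Translation]:
    """Verbose-mode entries that were installed but never matched a packet."""
    return [r for r in rows if r.since_last_use == "Never"]


if __name__ == "__main__":
    for r in parse_translations(SAMPLE) + parse_translations(SAMPLE_VERBOSE):
        print(r)
```

Only the TCP row in the first sample counts as a NAPT entry (20 became 50); the ICMP row carries the same query ID on both sides and the GRE row has no port at all, which the parser records as None rather than failing on the asterisk.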
The show ip nat pool command displays NAT address pool information. The command output displays the configuration (mask and address ranges) of all address pools, unless you supply a specific pool name.
show ip nat pool
host1#show ip nat pool
pool: pool1  netmask: 255.255.255.0  prefix length: 24
  range: 3.3.3.1 to 3.3.3.255
  range: 4.4.4.1 to 4.4.4.32
pool: pool2  netmask: 255.255.255.0  prefix length: 24
  range: 1.1.1.1 to 1.1.1.24
  range: 2.2.2.1 to 2.2.2.55
host1#show ip nat pool pool1
pool: pool1  netmask: 255.255.255.0  prefix length: 24
  range: 3.3.3.1 to 3.3.3.255
  range: 4.4.4.1 to 4.4.4.32
Displaying Inside and Outside Rule Settings
The show ip nat inside rule and show ip nat outside rule commands display access list and pool usage for all dynamic translation rules configured for the virtual router. If you do not specify an access list, the output displays the address pool associations for each of the access lists for either inside or outside translation rules in the virtual router. Specifying an access list filters the output to display only the address pool associated with the specified list.
show ip nat inside rule
host1#show ip nat inside rule
access list name: list1  pool name: poolA  rule type: inside source
access list name: list2  pool name: poolB  rule type: inside source
access list name: list3  pool name: poolC  rule type: inside source overload
show ip nat outside rule
host1#show ip nat outside rule
access list name: list4  pool name: poolD  rule type: outside source
That is all about NAT.
GM