NAT Configuration III

Microsoft Technology Specialist

Clearing Dynamic Translations

Use the clear ip nat translation command to clear dynamic translations from the NAT translation table. You can remove all dynamic translations from the translation table or restrict the removal of translation entries based on the protocol, address, or port values.

clear ip nat translation

  • Use to clear dynamic translations from the NAT translation table.
  • Use an asterisk (*) in the clear ip nat translation * version of this command to clear all dynamic translations from the translation table.
  • Use an asterisk (*) in the clear ip nat translation { gre | icmp | tcp | udp } inside insideGlobalIpAddress * insideLocalIpAddress * version of this command to match any global or local port and remove inside source extended GRE, ICMP, TCP, or UDP translations for the specified global IP address and local IP address.
  • Example 1—Clear all dynamic translations
    host1#clear ip nat translation *
  • Example 2—Clear a specific port translation
    host1#clear ip nat translation tcp inside 171.69.68.10 10.1.2.3 55
  • There is no no version.

NAT Configuration Examples

This section contains NAT configuration examples for a single virtual router configuration and NAT translation between two virtual routers.

NAPT Example

Figure 6 illustrates a NAPT configuration for a private network with two inside subnetworks, a field office, and a corporate office.

Both offices use private addresses. The corporate office has a dual T-3 link and a public FTP server that has a global address (that is, it does not need translation).


Figure 6: NAPT Example


The address pool consists of three addresses (the number of addresses is small, because NAPT is used). Addresses matching the private address spaces of the corporate and field subnetworks are translated to global addresses from the pool through NAPT.

To configure this example:

  1. Enter the correct virtual router context.
     host1(config)#virtual-router blue

  2. Mark the inside interfaces.
     a. Mark the field office:
        host1:blue(config)#interface serial 2/1:1/1
        host1:blue(config-interface)#ip nat inside
        host1:blue(config-interface)#exit
     b. Mark the two corporate T-3 links:
        host1:blue(config)#interface serial 1/1
        host1:blue(config-interface)#ip nat inside
        host1:blue(config-interface)#exit
        host1:blue(config)#interface serial 1/2
        host1:blue(config-interface)#ip nat inside
        host1:blue(config-interface)#exit

  3. Mark the outside interface.
     host1:blue(config)#interface gigabitEthernet 3/0.1
     host1:blue(config-interface)#ip nat outside
     host1:blue(config-interface)#exit

  4. Create a static nil-translation for the FTP server on the corporate network.
     host1:blue(config)#ip nat inside source static tcp 190.22.8.18 21 190.22.8.18 21

  5. Create the address pool for dynamic translations.
     host1:blue(config)#ip nat pool corpxyz 192.32.6.4 192.32.6.7 prefix-length 24

  6. Create the access list for addresses eligible for dynamic translation.
     host1:blue(config)#access-list justcorp permit 10.10.1.0 0.0.0.255
     host1:blue(config)#access-list justcorp permit 10.10.2.0 0.0.0.255

  7. Create the NAPT dynamic translation rule.
     host1:blue(config)#ip nat inside source list justcorp pool corpxyz overload

  8. Configure a default route to the outside interface.
     host1:blue(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 3/0.1

  9. Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.
     host1:blue(config)#ip route 192.32.6.0 255.255.255.248 null 0

     NOTE: The null route also covers 192.32.6.0-192.32.6.3, which do not exist in the address pool.

All hosts that use private addresses in both the field office and the corporate office must have their addresses translated to one of the three addresses in the pool. Because this example uses NAPT, the router may need only one of the pool addresses, depending on the number of inside hosts attempting to access the outside at any given time.

Bidirectional NAT Example

Figure 7 illustrates how outside hosts can initiate conversations with inside hosts through the use of a DNS server that resides on the inside network.

The inside realm uses basic NAT. The inside network uses a mix of private subnetwork address space (192.168.22/24) and registered public addresses.


Figure 7: Bidirectional NAT Example


To configure this example:

  1. Enter the correct virtual router context.
     host1(config)#virtual-router blue

  2. Mark the inside interface.
     host1:blue(config)#interface serial 1/1:1/1
     host1:blue(config-interface)#ip nat inside
     host1:blue(config-interface)#exit

  3. Mark the outside interface.
     host1:blue(config)#interface gigabitEthernet 3/0.1
     host1:blue(config-interface)#ip nat outside
     host1:blue(config-interface)#exit

  4. Create the static translation for the DNS server.
     host1:blue(config)#ip nat inside source static 192.168.22.2 192.32.6.1

  5. Create the address pool for dynamic translations.
     host1:blue(config)#ip nat pool entA192 192.32.6.2 192.32.6.63 prefix-length 24

  6. Create the access list for addresses eligible for dynamic translation (that is, private addresses).
     host1:blue(config)#access-list entA permit 192.168.22.0 0.0.0.255

  7. Create the dynamic translation rule.
     host1:blue(config)#ip nat inside source list entA pool entA192

  8. Configure a default route to the outside interface.
     host1:blue(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 3/0.1

  9. Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.
     host1:blue(config)#ip route 192.32.6.0 255.255.255.192 null 0

     NOTE: The null route also covers 192.32.6.0 and 192.32.6.1, which do not exist in the address pool.

Twice NAT Example

Twice NAT is often useful when the inside network is using a nonprivate address space (unregistered usage of global address space) and you want it to connect to the public network. Inside local addresses need to be translated to legal global addresses. Legal addresses from the outside that overlap those used on the inside network need to be translated to unused and recognizable addresses in the inside network. Both inside source and outside source translations must be configured on the NAT router.

Figure 8 illustrates how the inside network is using the unregistered global address space of 15.12.0.0/16. Outside hosts whose addresses overlap with this subnetwork that want to access the inside network need their global addresses translated.


Figure 8: Twice NAT Example


To configure this example:

  1. Enter the correct virtual router context.
     host1(config)#virtual-router blue

  2. Mark the inside interface.
     host1:blue(config)#interface fast-ethernet 6/1
     host1:blue(config-interface)#ip nat inside
     host1:blue(config-interface)#exit

  3. Mark the outside interface.
     host1:blue(config)#interface atm 3/0.20
     host1:blue(config-interface)#ip nat outside
     host1:blue(config-interface)#exit

  4. Create the address pool for inside source translations.
     host1:blue(config)#ip nat pool entAoutpool 12.220.1.0 12.220.255.255 prefix-length 16

     NOTE: This pool is purposely smaller than the size of the company network because not all private hosts are likely to access the public network at the same time.

  5. Create the access list for addresses eligible for dynamic translation.
     host1:blue(config)#access-list entAout permit 15.12.0.0 0.0.255.255

  6. Create the dynamic translation rule for outbound traffic.
     host1:blue(config)#ip nat inside source list entAout pool entAoutpool

  7. Create the address pool for outside source translations. Using an address range of 10.1.32.0/8 prevents any overlap with the private network (15.12.0.0/16).
     host1:blue(config)#ip nat pool entAinpool 10.1.32.1 10.1.32.255 prefix-length 16

     NOTE: This pool is purposely small, allowing for only a few connections.

  8. Configure the access list for global addresses that overlap with inside addresses.
     host1:blue(config)#access-list entAin permit 15.12.0.0 0.0.255.255

  9. Create the dynamic translation rule for inbound traffic.
     host1:blue(config)#ip nat outside source list entAin pool entAinpool

  10. Create one of the following:
      • A route to the outside interface for inside hosts to access outside hosts that have overlapping addresses.
        host1:blue(config)#ip route 10.1.32.0 255.255.255.0 atm 3/0.1

        NOTE: An inside host cannot directly access hosts on the outside network that use addresses that overlap with the inside subnetwork. However, by using outside source translation and DNS name resolution, the NAT router can install translations so inside hosts can access these outside hosts by using nonoverlapping addresses.

      • A default route to the outside interface.
        host1:blue(config)#ip route 0.0.0.0 0.0.0.0 atm 3/0.1

  11. Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.
      host1:blue(config)#ip route 12.220.1.0 255.255.0.0 null 0
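The null-route NOTEs in the NAPT and bidirectional examples and the no-overlap requirement in the Twice NAT example are all address arithmetic, so here is an added Python check (my own illustration, not JunosE code) that turns the access-list wildcards, pool ranges and null routes quoted above into prefixes and verifies them; the function names are mine.

```python
"""Address-arithmetic checks for the NAT examples above (NAPT null route,
bidirectional pool, Twice NAT overlap).  Added illustration, not JunosE
code; it only models the CLI lines quoted in the text."""
import ipaddress
from typing import List

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def acl_to_network(address: str, wildcard: str) -> Net:
    """'access-list NAME permit ADDRESS WILDCARD' -> the prefix it permits.
    Wildcard bits set to 1 are don't-care bits, so 0.0.0.255 means a /24."""
    w = int(IPv4(wildcard))
    if (w + 1) & w:                       # only 2**k - 1 wildcards form a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return Net((address, 32 - w.bit_length()), strict=False)


def route_to_network(address: str, netmask: str) -> Net:
    """'ip route ADDRESS NETMASK null 0' -> the prefix that route matches.
    strict=False ignores host bits, as the router does for 12.220.1.0/16."""
    return Net((address, netmask), strict=False)


def null_route_covers_pool(route: Net, first: str, last: str) -> bool:
    """Every inside global address must fall under the null route so that a
    packet for a pool address with no translation is dropped, not looped.
    Both ranges are contiguous, so checking the endpoints is sufficient."""
    return IPv4(first) in route and IPv4(last) in route


def route_addresses_outside_pool(route: Net, first: str, last: str) -> List[str]:
    """Addresses the null route blackholes that are not in the pool (the
    NOTE under each example): harmless, but they must not be in use."""
    lo, hi = int(IPv4(first)), int(IPv4(last))
    return [str(a) for a in route if not lo <= int(a) <= hi]


def pool_overlaps_network(first: str, last: str, net: Net) -> bool:
    """Twice NAT: the outside-source pool must not overlap the inside space,
    otherwise translated outside hosts collide with real inside hosts."""
    lo, hi = int(IPv4(first)), int(IPv4(last))
    return not (hi < int(net.network_address) or lo > int(net.broadcast_address))


def check_twice_nat(inside_acl, out_pool, in_pool, null_route) -> List[str]:
    """Run the Twice NAT example's checks; each argument is a 2-tuple of the
    strings typed on the CLI.  Returns a list of problems (empty if clean)."""
    problems = []
    inside = acl_to_network(*inside_acl)
    if pool_overlaps_network(*in_pool, inside):
        problems.append("outside-source pool overlaps inside network")
    route = route_to_network(*null_route)
    if not null_route_covers_pool(route, *out_pool):
        problems.append("null route does not cover the inside global pool")
    return problems


if __name__ == "__main__":
    # Values copied from the Twice NAT example above
    print(check_twice_nat(("15.12.0.0", "0.0.255.255"),
                          ("12.220.1.0", "12.220.255.255"),
                          ("10.1.32.1", "10.1.32.255"),
                          ("12.220.1.0", "255.255.0.0")))
```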

Cross-VRF Example

In MPLS VPN configurations, you might want to offer public Internet access to VPN subscribers. MPLS VPNs are enabled through the use of VRFs. If a VPN is using a private or overlapping address space, you can use NAT to enable access to the public network, because the NAT implementation is both VR and VRF aware. Figure 9 illustrates how the subscriber interface feature of the router is used in conjunction with NAT to connect the VPNs to the public network.


Figure 9: Cross-VRF Example


VRF11 is the local (this PE) representation of the MPLS VPN and connects EnterpriseA to the VPN. EnterpriseA communicates with VRFs in other PE devices (the rest of the VPN) through RFC2547bis (MPLS VPNs). VR1, of which the VRF is administratively a member, represents the public network. The interface to EnterpriseA is marked as an inside interface, and the normal steps for configuring inside source translation are applied. A subscriber interface is created off the uplink to the core network and anchored in the VRF. A DA-based demultiplexer matching the inside global address range is configured on the subscriber interface, and the subscriber interface is marked as an outside interface.

To configure this example:

  1. Enter the correct virtual routing and forwarding instance.
     host1(config)#virtual-router vr1:vrf11

  2. Mark the inside interface.
     host1:vr1:vrf11(config)#interface fast-ethernet 6/1
     host1:vr1:vrf11(config-interface)#ip nat inside
     host1:vr1:vrf11(config-interface)#exit

  3. Set the primary interface to DA-type demultiplexer (for subsequent shared interfaces).
     host1:vr1(config)#interface atm 12/0.101
     host1:vr1(config-interface)#ip demux-type da-prefix
     host1:vr1(config-interface)#exit

  4. Create the address pool for dynamic translations.
     host1:vr1(config)#virtual-router vr1:vrf11
     host1:vr1:vrf11(config)#ip nat pool entApool 128.13.44.0 128.13.44.255 prefix-length 24

  5. Create the access list for addresses eligible for dynamic translation.
     host1:vr1:vrf11(config)#access-list entA permit 10.16.5.0 0.0.0.255

  6. Create the dynamic translation rule.
     host1:vr1:vrf11(config)#ip nat inside source list entA pool entApool

  7. Create the subscriber interface off the uplink.
     host1:vr1:vrf11(config)#interface ip vrf11vr1
     host1:vr1:vrf11(config-interface)#ip share-interface atm 12/0.101
     host1:vr1:vrf11(config-interface)#ip unnumbered loopback 1

  8. Configure a group of destination prefixes with which the device can communicate on the public network.
     host1:vr1:vrf11(config-interface)#ip destination-prefix 128.13.44.0 255.255.255.0

  9. Mark the subscriber interface as outside.
     host1:vr1:vrf11(config-interface)#ip nat outside
     host1:vr1:vrf11(config-interface)#exit

  10. Point the default route to the shared interface.
      host1:vr1:vrf11(config)#ip route 0.0.0.0 0.0.0.0 ip vrf11vr1

  11. Install a null route to avoid routing loops to the inside global address range.
      host1:vr1:vrf11(config)#ip route 128.13.44.0 255.255.255.0 null 0



Tunnel Configuration Through NAT Examples

PPTP uses enhanced GRE encapsulation for PPP payloads. After the PPTP tunnel setup process, PPP packets are exchanged using GRE encapsulation. It is critical that a NAT device that resides between the PPTP client and the PPTP server allow GRE flows.

This section contains NAT configuration examples for both inside and outside PPTP tunnel setup through NAT.


Clients on an Inside Network

In this example, a subscriber on the inside network is initiating PPTP tunnels to a PPTP server located in the outside network. The PPTP connection to the server traverses an E-series router that has NAT enabled.

Figure 10: PPTP Tunnels on an Inside Network

The router has installed an inside source static simple translation in its translation table as follows:

    Inside Local Address    Inside Global Address
    13.1.2.3                20.0.0.1

The PPTP client initiates its tunnels to the server at 11.11.11.1. The E-series router translates the source address (SA) from inside local 13.1.2.3 to inside global 20.0.0.1. Because GRE traffic can pass through NAT, all matching PPTP control packets are translated and forwarded to the destination.


Clients on an Outside Network

In this example, an outside subscriber initiates PPTP tunnels to a PPTP server located in the service provider network. The PPTP connection to the server traverses an E-series router that has NAT enabled.

Figure 11: PPTP Tunnels on an Outside Network

The router has installed an inside source static simple translation in its translation table as follows:

    Inside Local Address    Inside Global Address
    11.11.11.1              20.0.0.1

The PPTP client initiates its tunnels to the inside global address 20.0.0.1. The E-series router translates packets destined for address 20.0.0.1 and forwards them to the inside local address 11.11.11.1. Because GRE traffic can pass through NAT, all matching PPTP control packets are translated and forwarded to the destination.


GRE Flows Through NAT

Because PPTP requires the use of GRE flows, the examples in the previous section also work for any GRE traffic flows that traverse NAT.

GRE flows can terminate at an E-series router whether or not NAT is enabled. When the router receives locally terminating inbound GRE packets, it transmits them to the tunnel server module for GRE processing. If the packets require translating, they are again sent through the tunnel server module.

NOTE: Only inner IP headers are translated for terminating GRE flows; outer IP headers are never translated.

For outbound GRE packets, the process works in reverse. If the packets require translation, the router transmits them to the tunnel server module for translation. If the packets are destined for a GRE tunnel, they are again sent through the tunnel server module, where an outer header is prepended to the packet, and the packet is then sent to the appropriate GRE tunnel.


Monitoring NAT

Use the show commands described in this section to view NAT license information, NAT statistics, NAT translation entries, NAT address pool information, and NAT inside and outside rule settings.

Displaying the NAT License Key

The show license nat command displays the NAT license key.

show license nat

  • Use to display the NAT license key configured on the router.
  • Example
    host1#show license nat
    Nat license is nat_license

Displaying Translation Statistics

The show ip nat statistics command displays internal statistics that apply to NAT operation.

show ip nat statistics

  • Use to display internal NAT statistics.
  • Field descriptions
    • Last dynamic allocation failure—Completion level of the last dynamic allocation failure, followed by the number of times the router attempted a dynamic allocation but reached the dynamic allocation entry limit
    • Current static translation entries
      • Inside Source Simple—Number of inside source simple static translations
      • Outside Source Simple—Number of outside source simple static translations
      • Inside Source Extended—Number of inside source extended static translations
      • Outside Source Extended—Number of outside source extended static translations
    • Dynamic Translation Type—Type of dynamic translation (inside source simple, outside source simple, inside source extended)
    • Current—Current number of dynamic translations of the associated translation type
    • Peak—Peak number of dynamic translations of the associated translation type
    • Accumulated—Accumulated number of dynamic translations of the associated type; this value reflects the accumulation of dynamic translations since the last router reboot
    • Failed—Total number of installation attempts that failed for the associated translation type
    • Forwarding statistics for packets received on inside or outside interfaces
      • forwarded directly—Number of packets forwarded directly (that is, without the need for translation)
      • forwarded through translator—Number of packets forwarded through the NAT translator
      • discarded—Number of packets discarded immediately upon receipt
      • discarded by translator—Number of packets discarded by the NAT translator when no matching translation could be located
  • Example
    host1#show ip nat statistics
    NAT database statistics for virtual router vr1:
    --------------------------------------------------------------
    Last dynamic allocation failure: normal, successful completion
    Dynamic entry limit was reached 10318 times

    Current static translation entries:
    -----------------------------------------
    Inside Source Simple:               10
    Outside Source Simple:              3
    Inside Source Extended:             8
    Outside Source Extended:            12

           Dynamic
       Translation Type      Current       Peak     Accumulated    Failed
    ----------------------  ----------  ----------  -----------  ----------
    Inside Source Simple         69999       69999        69999       12568
    Outside Source Simple         4518        4518         4518          25
    Inside Source Extended       70000       70000        70000         568
    Fully Extended               26855       26855        26855        2565


    Forwarding statistics for virtual router vr1:
    ------------------------------------------------------------------------
    Packets received on inside interface and
        forwarded directly             8
        forwarded through translator   111763104
        discarded                      2
        discarded by translator        28524565

    Bytes received on inside interface and
        forwarded directly             544
        forwarded through translator   5141098074

    Packets received on outside interface and
        forwarded directly             7
        forwarded through translator   1031624
        discarded                      3
        discarded by translator        578961

    Bytes received on outside interface and
        forwarded directly             476
        forwarded through translator   47454704
Displaying Translation Entries

The show ip nat translations command displays current translations that reside in the translation table.

Simple translation entries appear with inside/outside and local/global address information. Extended entries appear with added protocol and port numbers (or query IDs).

Using verbose mode additionally provides the time since creation and the time since last use for each translation entry.

show ip nat translations

  • Use to display current translations that reside in the NAT translation table.
  • Field descriptions
    • Prot—Protocol (TCP, UDP, ICMP, or GRE) for this translation entry; this field appears only for extended table entries
    • Inside local—Inside local IP address for this translation entry; for extended entries, this field also provides the port number, separated by a colon ( : )
    • Inside global—Inside global IP address for this translation entry; for extended entries, this field also provides the port number, separated by a colon ( : )
    • Outside global—Outside global IP address for this translation entry; for extended entries, this field also provides the port number, separated by a colon ( : )
    • Outside local—Outside local IP address for this translation entry; for extended entries, this field also provides the port number, separated by a colon ( : )
    • Time since creation—Amount of time elapsed since the translation entry appeared in the translation table
    • Time since last use—Amount of time elapsed since the translation entry was last used
  • Example 1
    host1#show ip nat translations
    Prot    Inside local      Inside global     Outside global     Outside local
    ----    ---------------   ---------------   ---------------    ---------------
    GRE     13.1.2.1:*        20.0.0.1:*        ---                ---
    ICMP    13.1.2.2:4        20.0.0.2:4        ---                ---
    TCP     13.1.2.3:20       20.0.0.3:50       ---                ---

    NOTE: Because they are not NAPT translations, port numbers for GRE translations appear as asterisks (*).

  • Example 2
    host1#show ip nat translations verbose
    Prot Inside local    Inside global    Outside global  Outside local   Time since   Time since
                                                                          creation     last use
    ---- --------------- ---------------- --------------- --------------- ------------ ------------
         20.0.0.3        30.0.0.3         ---             ---             00:04:50     00:00:01
         21.0.0.3        30.208.0.3       ---             ---             00:02:12     00:00:01
         21.0.0.4        30.208.0.4       ---             ---             00:02:12     00:00:01
         ---             ---              50.0.0.3        70.0.0.3        00:03:24     Never
         ---             ---              51.0.0.3        70.208.0.3      00:01:44     00:00:01
         ---             ---              51.0.0.4        70.208.0.4      00:01:44     00:00:01
    UDP  ---             ---              50.50.0.3:87    70.50.0.3:8108  00:03:10     Never
    UDP  22.0.0.4:63     30.224.0.3:4097  ---             ---             00:02:12     00:00:01
    UDP  22.0.0.3:63     30.224.0.3:4096  ---             ---             00:02:12     00:00:01
    TCP  ---             ---              50.50.0.3:80    70.50.0.3:8008  00:03:10     Never
    UDP  20.50.0.3:87    30.50.0.3:8108   ---             ---             00:03:35     Never

Displaying Address Pool Information

The show ip nat pool command displays NAT address pool information. The command output displays the configuration (mask and address ranges) of all address pools, unless you supply a specific pool name.

show ip nat pool

  • Use to display NAT address pool information.
  • Field descriptions
    • pool—Name of the address pool
    • netmask—Network mask associated with the NAT address pool
    • prefix length—Prefix length associated with the NAT address pool
    • range—Address ranges used by this NAT address pool
  • Example 1
    host1#show ip nat pool

    pool: pool1 netmask: 255.255.255.0  prefix length: 24
       range: 3.3.3.1 to 3.3.3.255
       range: 4.4.4.1 to 4.4.4.32

    pool: pool2 netmask: 255.255.255.0  prefix length: 24
       range: 1.1.1.1 to 1.1.1.24
       range: 2.2.2.1 to 2.2.2.55
  • Example 2
    host1#show ip nat pool pool1
    pool: pool1 netmask: 255.255.255.0  prefix length: 24
       range: 3.3.3.1 to 3.3.3.255
       range: 4.4.4.1 to 4.4.4.32
Displaying Inside and Outside Rule Settings

The show ip nat inside rule and show ip nat outside rule commands display access list and pool usage for all dynamic translation rules configured for the virtual router. If you do not specify an access list, the output displays the address pool associations for each of the access lists for either inside or outside translation rules in the virtual router. Specifying an access list filters the output to display only the address pool associated with the specified list.

show ip nat inside rule

  • Use to display NAT access list and pool usage information for inside source translation rules.
  • Field descriptions
    • access list name—Name of the access list
    • pool name—Name of the address pool
    • rule type—Type of rule assigned
  • Example
    host1#show ip nat inside rule
    access list name: list1  pool name: poolA rule type: inside source
    access list name: list2  pool name: poolB rule type: inside source
    access list name: list3  pool name: poolC rule type: inside source overload

show ip nat outside rule

  • Use to display NAT access list and pool usage information for outside source translation rules.
  • Field descriptions
    • access list name—Name of the access list
    • pool name—Name of the address pool
    • rule type—Type of rule assigned
  • Example
    host1#show ip nat outside rule
    access list name: list4  pool name: poolD rule type: outside source



That's all about NAT.
