Use the clear ip nat translation command to clear dynamic translations from the NAT translation table. You can remove all dynamic translations from the translation table or restrict the removal of translation entries based on the protocol, address, or port values.

clear ip nat translation

• Use to clear dynamic translations from the NAT translation table.
• Use an asterisk (*) in the clear ip nat translation version of this command to clear all dynamic translations from the translation table.
• Use an asterisk (*) in the clear ip nat translation { gre | icmp | tcp | udp } inside insideGlobalIpAddress * insideLocalIpAddress * version of this command to match any global or local port and remove inside source extended GRE, ICMP, TCP, or UDP translations for the specified global IP address and local IP address.
• Example 1—Clear all dynamic translations

host1 #clear ip nat translation*

• Example 2—Clear a specific port translation

host1 #clear ip nat translation tcp inside 171.69.68.10 10.1.2.3 55

• There is no no version.

NAT Configuration Examples

This section contains NAT configuration examples for a single virtual router configuration and NAT translation between two virtual routers.

NAPT Example

Figure 6 illustrates a NAPT configuration for a private network with two inside subnetworks, a field office, and a corporate office.

Both offices use private addresses. The corporate office has a dual T-3 link and a public FTP server that has a global address (that is, it does not need translation).

The address pool consists of three addresses (the number of addresses is small, because NAPT is used). Addresses matching the private address spaces of the corporate and field subnetworks are translated to global addresses from the pool through NAPT.

To configure this example:

1. Enter the correct virtual router context.

host1(config)#virtual-router blue

2. Mark the inside interfaces.

1. Mark the field office:

host1:blue(config)#interface serial 2/1:1/1

host1:blue(config-interface)#ip nat inside

host1:blue(config-interface)#exit

2. Mark the two corporate T-3 links:

host1:blue(config)#interface serial 1/1

host1:blue(config-interface)#ip nat inside

host1:blue(config-interface)#exit

host1:blue(config)#interface serial 1/2

host1:blue(config-interface)#ip nat inside

host1:blue(config-interface)#exit

3. Mark the outside interface.

host1:blue(config)#interface gigabitEthernet 3/0.1

host1:blue(config-interface)#ip nat outside

host1:blue(config-interface)#exit

4. Create a static nil-translation for the FTP server on the corporate network.

host1:blue(config)#ip nat inside source static tcp 190.22.8.18 21 190.22.8.18 
21

5. Create the address pool for dynamic translations.

host1:blue(config)#ip nat pool corpxyz 192.32.6.4 192.32.6.7 prefix-length 24

6. Create the access list for addresses eligible for dynamic translation.

host1:blue(config)#access-list justcorp permit 10.10.1.0 0.0.0.255

host1:blue(config)#access-list justcorp permit 10.10.2.0 0.0.0.255

7. Create the NAPT dynamic translation rule.

host1:blue(config)#ip nat inside source list justcorp pool corpxyz overload

8. Configure a default route to the outside interface.

host1:blue(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 3/0.1

9. Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.

host1:blue(config)#ip route 192.32.6.0 255.255.255.248 null 0

 NOTE: Null route applies to 192.32.6.0-192.32.6.3, which do not exist in the address pool



 

All hosts that use private addresses in both the field office and the corporate office must have their addresses translated to one of the three addresses in the pool. Because this example uses NAPT, the interface can use only one pool address, depending on the number of inside hosts attempting to access the outside at any given time.

Bidirectional NAT Example

Figure 7 illustrates how outside hosts can initiate conversations with inside hosts through the use of a DNS server that resides on the inside network.

The inside realm uses basic NAT. The inside network uses a mix of private subnetwork address space (192.168.22/24) and registered public addresses.

To configure this example:

1. Enter the correct virtual router context.

host1(config)#virtual-router blue

2. Mark the inside interface.

host1:blue(config)#interface serial 1/1:1/1

host1:blue(config-interface)#ip nat inside

host1:blue(config-interface)#exit

3. Mark the outside interface.

host1:blue(config)#interface gigabitEthernet 3/0.1

host1:blue(config-interface)#ip nat outside

host1:blue(config-interface)#exit

4. Create the translation for the DNS.

host1:blue(config)#ip nat inside source static 192.168.22.2 192.32.6.1

5. Create the address pool for dynamic translations.

host1:blue(config)#ip nat pool entA192 192.32.6.2 192.32.6.63 prefix-length 24

6. Create the access list for addresses eligible for dynamic translation (that is, private addresses).

host1:blue(config)#access-list entA permit 192.168.22.0 0.0.0.255

7. Create the dynamic translation rule.

host1:blue(config)#ip nat inside source list entA pool entA192 

8. Configure a default route to the outside interface.

host1:blue(config)#ip route 0.0.0.0 0.0.0.0 gigabitEthernet 3/0.1

9. Configure a null route for the inside global addresses, to prevent routing loops when no matching translation exists.

host1:blue(config)#ip route 192.32.6.0 255.255.255.192 null 0

 NOTE: Null route applies to 192.32.6.0 and 192.32.6.1, which do not exist in the address pool.



 

Twice NAT Example

Twice NAT is often useful when the inside network is using a nonprivate address space (unregistered usage of global address space) and you want it to connect to the public network. Inside local addresses need to be translated to legal global addresses. Legal addresses from the outside that overlap those used on the inside network need to be translated to unused and recognizable addresses in the inside network. Both inside source and outside source translations must be configured on the NAT router.

Figure 8 illustrates how the inside network is using the unregistered global address space of 15.12.0.0/16. Outside hosts whose addresses overlap with this subnetwork that want to access the inside network need their global addresses translated.

To configure this example:

1. Enter the correct virtual router context.

host1(config)#virtual-router blue

2. Mark the inside interface.

host1:blue(config)#interface fast-ethernet 6/1

host1:blue(config-interface)#ip nat inside

host1:blue(config-interface)#exit

3. Mark the outside Interface.

host1:blue(config)#interface atm 3/0.20

host1:blue(config-interface)#ip nat outside

host1:blue(config-interface)#exit

4. Create the address pool for inside source translations.

host1:blue(config)#ip nat pool entAoutpool 12.220.1.0 12.220.255.255 
prefix-length 16

 NOTE: This pool is purposely smaller than the size of the company network because not all private hosts are likely to access the public network at the same time.



 

5. Create the access list for addresses eligible for dynamic translation.

host1:blue(config)#access-list entAout permit 15.12.0.0 0.0.255.255

6. Create the dynamic translation rule for outbound traffic.

host1:blue(config)#ip nat inside source list entAout pool entAoutpool

7. Create the address pool for outside source translations.

Using an address range of 10.1.32.0/8 prevents any overlap with the private network (15.12.0.0/16).

host1:blue(config)#ip nat pool entAinpool 10.1.32.1 10.1.32.255

prefix-length 16

 NOTE: This pool is purposely small, allowing for only a few connections.



 

8. Configure the access list for global addresses that overlap with inside addresses.

host1:blue(config)#access-list entAin permit 15.12.0.0 0.0.255.255

9. Create the dynamic translation rule for inbound traffic.

host1:blue(config)#ip nat outside source list entAin pool entAinpool

10. Create one of the following:

• A route to the outside interface for inside hosts to access outside hosts that have overlapping addresses.

host1:blue(config)#ip route 10.1.32.0 255.255.255.0 atm 3/0.1

 NOTE: An inside host cannot directly access hosts on the outside network that use addresses that overlap with the inside subnetwork. However, by using outside source translation and DNS name resolution, the NAT router can install translations so inside hosts can access these outside hosts by using nonoverlapping addresses.



 

• A default route to the outside interface.

host1:blue(config)#ip route 0.0.0.0 0.0.0.0 atm 3/0.1

11. Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.

host1:blue(config)#ip route 12.220.1.0 255.255.0.0 null 0

Cross-VRF Example

In MPLS VPN configurations, you might want to offer public Internet access to VPN subscribers. MPLS VPNs are enabled through the use of VRFs. If a VPN is using a private or overlapping address space, you can use NAT to enable access to the public network because the NAT implementation is both VR and VRF aware.Figure 9 illustrates how the subscriber interface feature of the router is used in conjunction with NAT to connect the VPNs to the public network.

VRF11 is the local (this PE) representation of the MPLS VPN and connects enterpriseA to the VPN. Enterprise A communicates to VRFs in other PE devices (the rest of the VPN) through RFC2547bis (MPLS VPNs). VR1, of which the VRF is administratively a member, represents the public network. The interface to EnterpriseA is marked as an inside interface. The normal steps for configuring inside source translation are applied. A subscriber interface is created off the uplink to the core network and anchored in the VRF. A DA-based demultiplexer matching the inside global address range is configured on the subscriber interface. The subscriber interface is marked as an outside interface.

To configure this example:

1. Enter the correct virtual routing and forwarding instance.

host1(config)#virtual-router vr1:vrf11

2. Mark the inside interfaces.

host1:vr1:vrf11(config)#interface fast-ethernet 6/1

host1:vr1:vrf11 (config-interface)#ip nat inside

host1:vr1:vrf11 (config-interface)#exit

3. Set the primary interface to DA-type demultiplexer (for subsequent shared interfaces).

host1:vr1(config)#interface atm 12/0.101

host1:vr1(config-interface)#ip demux-type da-prefix

host1:vr1(config-interface)#exit

4. Create the address pool for dynamic translations.

host1:vr1(config)#virtual-router vr1:vrf11

host1:vr1:vrf11(config)#ip nat pool entApool 128.13.44.0 128.13.44.255 
prefix-length 24

5. Create the access list for addresses eligible for dynamic translation.

host1:vr1:vrf11(config)#access-list entA permit 10.16.5.0 0.0.0.255

6. Create the dynamic translation rule.

host1:vr1:vrf11(config)#ip nat inside source list entA pool entApool 

7. Create the subscriber interface off the uplink.

host1:vr1:vrf11(config)#interface ip vrf11vr1

host1:vr1:vrf11(config-interface)#ip share-interface atm 12/0.101

host1:vr1:vrf11(config-interface)#ip unnumbered loopback 1

8. Configure a group of destination prefixes with which the device can communicate on the public network.

host1:vr1:vrf11(config-interface)#ip destination-prefix 128.13.44.0 
255.255.255.0

9. Mark the subscriber interface as outside.

host1:vr1:vrf11(config-interface)#ip nat outside

host1:vr1:vrf11(config-interface)#exit

10. Point the default route to the shared interface.

host1:vr1:vrf11(config)#ip route 0.0.0.0 0.0.0.0 ip vrf11vr1

11. Install a null route to avoid routing loops to the inside global address.

host1:vr1:vrf11(config)#ip route 128.13.44.0 255.255.255.0 null 0



Tunnel Configuration Through NAT Examples
 PPTP uses enhanced GRE encapsulation for PPP payloads.
After the PPTP tunnel setup process, PPP packets are exchanged using
GRE encapsulation. It is critical that a NAT device that resides
between PPTP client and PPTP server allow GRE flows.
 This section contains NAT configuration examples for both inside and outside PPTP tunnel setup through NAT.

 Clients on an Inside Network

 In this example, a subscriber on
the inside network is initiating PPTP tunnels to a PPTP server located
in the outside network. The PPTP connection to the server traverses an
E-series router that has NAT enabled.



 Figure 10:  PPTP Tunnels on an Inside Network



 The router has installed an inside source static simple translation in its translation table as follows:

 

 Inside Local Address
 Inside Global Address

 13.1.2.3

 20.0.0.1



 

 The PPTP client initiates its
tunnels to the server at 11.11.11.1. The E-series router translates the
SA from inside local 13.1.2.3 to inside global SA 20.0.0.1. Because GRE
traffic can pass through NAT, all matching PPTP control packets are
translated and forwarded to the destination.

 Clients on an Outside Network

 In this example, an outside
subscriber initiates PPTP tunnels to a PPTP server located in the
service provider network. The PPTP connection to the server traverses
an E-series router that has NAT enabled.



 Figure 11:  PPTP Tunnels on an Outside Network



 The router has installed an inside source static simple translation in its translation table as follows:

 

 Inside Local Address
 Inside Global Address

 11.11.11.1

 20.0.0.1



 

 The PPTP client initiates its
tunnels to the inside global address 20.0.0.1. The E-series router
translates packets destined for address 20.0.0.1 and forwards them to
the inside local address of 11.11.11.1. Because GRE traffic can pass
through NAT, all matching PPTP control packets are translated and
forwarded to the destination.

GRE Flows Through NAT
 
Because PPTP requires the use of GRE flows, the
examples in the previous section also work for any GRE traffic flows
that traverse NAT.
 GRE flows can terminate at an
E-series router if NAT is or is not enabled. When the router receives
locally terminating inbound GRE packets, the router transmits the
packets to the tunnel server module for GRE processing. If the packets
require translating, they are again sent through the tunnel server
module.


 NOTE: Only inner IP headers are translated for terminating GRE flows; outer IP headers are never translated.



 

 For outbound GRE packets, the
process works in reverse. If the packets require translation, the
router transmits the packets to the tunnel server module for
translation. If the packets are destined for a GRE tunnel, they are
again sent through the tunnel server module where an outer header is
prepended to the packet and the packet is then sent to the appropriate GRE tunnel.

Monitoring NAT
to view NAT license
information, NAT statistics, NAT translation entries, NAT address pool
information, and NAT inside and outside rule settings.
 Displaying the NAT License Key

 The show license nat command displays the NAT license key.

 show license nat

 Use to display the NAT license key configured on the router. 
 Example
host1#show license nat
Nat license is nat_license

 Displaying Translation Statistics

 The show ip nat statistics command displays internal statistics that apply to NAT operation.

 show ip nat statistics

 Use to display internal NAT statistics.
 Field descriptions

  
 Last
dynamic allocation failure—Completion level of any dynamic allocation
failures; the number of times the router attempted dynamic allocation
but reached the dynamic allocation entry limit
 Current static translation entries

    
 Inside Source Simple—Number of inside source simple static translations
 Outside Source Simple—Number of outside source simple static translations
 Inside Source Extended—Number of inside source extended static translations
 Outside Source Extended—Number of outside source extended static translations

  
 Dynamic Translation Type—Type of dynamic translation (inside source simple, outside source simple, inside source extended)
 Current—Current number of dynamic translations of the associated translation type
 Peak—Peak number of dynamic translations of the associated translation type
 Accumulated—Accumulated
number of dynamic translations of the associated type; this value
reflects the accumulation of dynamic translations since the last router
reboot operation
 Failed—Total number of installation attempts that failed for an associated translation type
 Forwarding statistics for packets received on inside or outside interfaces

    
 forwarded directly—Number of packets forwarded directly (that is, without the need of translation)
 forwarded through translator—Number of packets forwarded through the NAT translator
 discarded—Number of packets discarded immediately upon receipt
 discarded by translator—Number of packets discarded by the NAT translator when no matching translation could be located

 Example
host1#show ip nat statistics
NAT database statistics for virtual router vr1:
--------------------------------------------------------------
Last dynamic allocation failure: normal, successful completion
Dynamic entry limit was reached 10318 times
 
Current static translation entries:
-----------------------------------------
Inside Source Simple:               10
Outside Source Simple:              3
Inside Source Extended:             8
Outside Source Extended:            12
 
       Dynamic
   Translation Type      Current       Peak     Accumulated    Failed
----------------------  ----------  ----------  -----------  ----------
Inside Source Simple         69999       69999        69999       12568
Outside Source Simple         4518        4518         4518          25
Inside Source Extended       70000       70000        70000         568
Fully Extended               26855       26855        26855        2565
 
 
Forwarding statistics for virtual router vr1:
------------------------------------------------------------------------
Packets received on inside interface and
    forwarded directly             8
    forwarded through translator   111763104
    discarded                      2
    discarded by translator        28524565
 
Bytes received on inside interface and
    forwarded directly             544
    forwarded through translator   5141098074
 
Packets received on outside interface and
    forwarded directly             7
    forwarded through translator   1031624
    discarded                      3
    discarded by translator        578961
 
Bytes received on outside interface and
    forwarded directly             476
    forwarded through translator   47454704

 Displaying Translation Entries

 The show ip nat translations command displays current translations that reside in the translation table.

 Simple translation entries
appear with inside/outside and local/global address information.
Extended entries appear with added protocol and port numbers (or query
IDs).

 Using verbose mode additionally provides the time since creation and time since last use for each translation entry.

 show ip nat translations

 Use to display current translations that reside in the NAT translation table.
 Field descriptions

  
 Prot—Protocol (TCP, UDP, ICMP, or GRE) for this translation entry; this field appears only for extended table entries
 Inside
local—Inside local IP address for this translation entry; this field
also provides the port number, separated by a colon ( : ) for extended
entries
 Inside
global—Inside global IP address for this translation entry; this field
also provides the port number, separated by a colon ( : ) for extended
entries
 Outside
global—Outside global IP address for this translation entry; this field
also provides the port number, separated by a colon ( : ) for extended
entries
 Outside
local—Outside local IP address for this translation entry; this field
also provides the port number, separated by a colon ( : ) for extended
entries
 Time since creation—Amount of time elapsed since the translation entry appeared in the translation table
 Time since last use—Amount of time elapsed since the translation entry was used

 Example 1

host1#show ip nat translations
Prot    Inside local      Inside global     Outside global     Outside local
----    ---------------     ---------------     --------------     ----------------
GRE       13.1.2.1:*               20.0.0.1:*                       ---                             ---
ICMP       13.1.2.2:4               20.0.0.2:4                       ---                             --- 
TCP         13.1.2.3:20             20.0.0.3:50                     ---                             ---







 NOTE: Because they are not NAPT translations, port numbers for GRE translations appear as asterisks (*).



 

 Example 2

host1#show ip nat translations verbose
                                                          Time         Time
                    Inside      Outside     Outside      since        since
Prot Inside local   global      global       local      creation     last use
---- ------------ ----------- ----------- ----------- ------------ ------------
     20.0.0.3     30.0.0.3    ---         ---         00:04:50     00:00:01
     21.0.0.3     30.208.0.3  ---         ---         00:02:12     00:00:01
     21.0.0.4     30.208.0.4  ---         ---         00:02:12     00:00:01
     ---          ---         50.0.0.3    70.0.0.3    00:03:24     Never
     ---          ---         51.0.0.3    70.208.0.3  00:01:44     00:00:01
     ---          ---         51.0.0.4    70.208.0.4  00:01:44     00:00:01
UDP  ---          ---         50.50.0.3:8 70.50.0.3:8 00:03:10     Never
                              7           108
UDP  22.0.0.4:63  30.224.0.3: ---         ---         00:02:12     00:00:01
                  4097
UDP  22.0.0.3:63  30.224.0.3: ---         ---         00:02:12     00:00:01
                  4096
TCP  ---          ---         50.50.0.3:8 70.50.0.3:8 00:03:10     Never
                              0           008
UDP  20.50.0.3:87 30.50.0.3:8 ---         ---         00:03:35     Never
                  108
 Displaying Address Pool Information

 The show ip nat pool command
displays NAT address pool information. The command output displays
configuration (mask and address ranges) of all address pools, unless
you supply a specific pool name.

 show ip nat pool

 Use to display NAT address pool information.
 Field descriptions

  
 pool—Name of the address pool
 netmask—Network prefix associated with the NAT address pool
 prefix length—Prefix length associated with the NAT address pool
 range—Address ranges used by this NAT address pool

 Example 1
host1#show ip nat pool
 
pool: pool1 netmask: 255.255.255.0  prefix length: 24
   range: 3.3.3.1 to 3.3.3.255
   range: 4.4.4.1 to 4.4.4.32
 
pool: pool2 netmask: 255.255.255.0  prefix length: 24
   range: 1.1.1.1 to 1.1.1.24
   range: 2.2.2.1 to 2.2.2.55

 Example 2
host1#show ip nat pool pool1 
pool: pool1 netmask: 255.255.255.0  prefix length: 24
   range: 3.3.3.1 to 3.3.3.255
   range: 4.4.4.1 to 4.4.4.32

 Displaying Inside and Outside Rule Settings

 The show ip nat inside rule and show ip nat outside rule commands
display access list and pool usage for all dynamic translation rules
configured for the virtual router. If you do not specify an access
list, the output displays address pool associations for each of the
access lists for either inside or outside translation rules in the
virtual router. Specifying an access list filters the output to display
only the address pool associated with the specified list. 

 show ip nat inside rule

 Use to display NAT access list and pool usage information for inside source translation rules.
 Field descriptions

  
 access list name—Name of the access list
 pool name—Name of the address pool
 rule type—Type of rule assigned

 Example
host1#show ip nat inside rule
access list name: list1  pool name: poolA rule type: inside source
access list name: list2  pool name: poolB rule type: inside source
access list name: list3  pool name: poolC rule type: inside source overload

 show ip nat outside rule

 Use to display NAT access list and pool usage information for outside source translation rules.
 Field descriptions

  
 access list name—Name of the access list
 pool name—Name of the address pool
 rule type—Type of rule assigned

 Example
host1#show ip nat outside rule
access list name: list4  pool name: poolD rule type: outside source



These all about NAT

Comments are open
GM