IP Addressing: NAT Configuration Guide, Cisco IOS XE Release 3S (ASR 1000)
Paired-Address-Pooling Support in NAT


The ability of Network Address Translation (NAT) to consistently represent a local IP address as a single global IP address is termed paired address pooling. Paired address pooling is supported only on Port Address Translation (PAT).

Prior to the introduction of the Paired-Address-Pooling Support feature, if you had a PAT configuration and needed a new global address or port, the next available address in the IP address pool was allocated. There was no mechanism to ensure that a local address was consistently mapped to a single global address. The Paired-Address-Pooling Support feature provides the ability to consistently map a local address to a global address.

This module describes how to configure paired-address-pooling support in NAT.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Paired-Address-Pooling Support in NAT

Paired address pooling uses more memory, and translations scale much lower than in a standard Network Address Translation (NAT) configuration, for the following reasons:
  • Use of a new data structure that tracks each local address.
  • Use of the paired-address-pooling limit. When the number of users on a global address reaches the configured limit, the next global address is used for paired address pooling. The paired-address-pooling limit uses more memory and requires more global addresses in the address pool than standard NAT.

Information About Paired-Address-Pooling Support in NAT

Paired-Address-Pooling Support Overview

An IP address pool is a group of IP addresses. You create an IP address pool by assigning a range of IP addresses and a name to it. You allocate or assign addresses in the pool to users.

The ability of Network Address Translation (NAT) to consistently represent a local IP address as a single global IP address is termed paired address pooling. A local address is any address that appears on the inside of a network, and a global address is any address that appears on the outside of the network. You can configure paired address pooling only for Port Address Translation (PAT) because dynamic and static NAT configurations are paired configurations by default. PAT, also called overloading, is a form of dynamic NAT that maps multiple, unregistered IP addresses to a single, registered IP address (many-to-one) by using different ports. Paired address pooling is supported in both classic (default) and carrier-grade NAT (CGN) mode.

In a paired-address-pooling configuration, a local address is consistently represented as a single global address. For example, if User A is paired with the global address G1, that pairing will last as long as there are active sessions for User A. If there are no active sessions, the pairing is removed. When User A has active sessions again, the user may be paired with a different global address.

If a local address initiates new sessions, and resources (ports) are insufficient for its global address, packets are dropped. When the number of users on a global address reaches the configured limit, the next global address is used for paired address pooling. When a user who is associated with a global address through paired address pooling is unable to get a port number, then the packet is dropped, the NAT drop code is incremented, and Internet Control Message Protocol (ICMP) messages are not sent.

Paired-address-pooling uses the fill-it-up method for address selection. The fill-it-up method fits (adds) the maximum possible users into a single global address before going to the next global address.
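
The pairing rules described in this section, as an added example that is not Cisco code: a simplified Python model of fill-it-up selection, the per-address limit, silent drops on port exhaustion, and pairing removal. The class name, the ports_per_global budget and the scenario in demo() are assumptions made for illustration; the pool and inside subnet are the ones used in this module's configuration example.

```python
import ipaddress
from collections import Counter

class PapModel:
    """Simplified model of paired address pooling (not Cisco's implementation)."""
    def __init__(self, start, end, limit=120, ports_per_global=64512):
        lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.limit = limit                # locals per global; page default is 120
        self.ports_per_global = ports_per_global  # assumed port budget, not from the page
        self.pair = {}                    # local address -> paired global address
        self.sessions = Counter()         # local address -> active session count
        self.ports = Counter()            # global address -> ports in use
        self.drops = 0                    # stands in for the NAT drop counter

    def users(self, g):
        return sum(1 for v in self.pair.values() if v == g)

    def open_session(self, local):
        """Return the global address used, or None when the packet is dropped."""
        g = self.pair.get(local)
        if g is None:  # fill-it-up: first pool address still under the user limit
            g = next((a for a in self.pool if self.users(a) < self.limit), None)
        if g is None or self.ports[g] >= self.ports_per_global:
            self.drops += 1               # dropped without an ICMP message
            return None
        self.pair[local] = g
        self.sessions[local] += 1
        self.ports[g] += 1
        return g

    def close_session(self, local):
        if local not in self.pair:
            return
        self.sessions[local] -= 1
        self.ports[self.pair[local]] -= 1
        if self.sessions[local] == 0:     # last session gone: pairing is removed
            del self.pair[local], self.sessions[local]

def demo():
    # Constructed scenario: the page's pool and inside subnet, tiny limits for clarity.
    nat = PapModel("192.168.202.129", "192.168.202.158", limit=2, ports_per_global=3)
    first = [nat.open_session(f"192.168.34.{h}") for h in (10, 11, 12, 10)]
    dropped = nat.open_session("192.168.34.11")   # .129 has no port left
    for _ in range(2):
        nat.close_session("192.168.34.10")        # both sessions end, pairing removed
    nat.open_session("192.168.34.13")             # takes the freed slot on .129
    again = nat.open_session("192.168.34.10")     # re-paired, now with .130
    return first, dropped, again, nat.drops
```

In the scenario, 192.168.34.11 is dropped even though the next pool address still has free ports, because a paired local address never spills over to another global address.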

How to Configure Paired-Address-Pooling Support in NAT

Configuring Paired-Address-Pooling Support in NAT


Note: If you change the Network Address Translation (NAT) configuration mode to paired-address-pooling configuration mode and vice versa, all existing NAT sessions are removed.

To configure NAT paired-address-pooling mode, use the ip nat settings pap command. To remove it, use the no ip nat settings pap command.

After you configure paired-address-pooling mode, all pool-overload mappings will act in the paired-address-pooling manner.

Based on your NAT configuration, you can use NAT static or dynamic rules.

SUMMARY STEPS

    1.    enable
    2.    configure terminal
    3.    ip nat settings pap [limit {1000 | 120 | 250 | 30 | 500 | 60}]
    4.    ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
    5.    access-list access-list-number permit source [source-wildcard]
    6.    ip nat inside source list access-list-number pool name overload
    7.    interface type number
    8.    ip address ip-address mask
    9.    ip nat inside
    10.    exit
    11.    interface type number
    12.    ip address ip-address mask
    13.    ip nat outside
    14.    end


DETAILED STEPS
Step 1: enable
    Example:
    Device> enable
    Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.

Step 2: configure terminal
    Example:
    Device# configure terminal
    Purpose: Enters global configuration mode.

Step 3: ip nat settings pap [limit {1000 | 120 | 250 | 30 | 500 | 60}]
    Example:
    Device(config)# ip nat settings pap
    Purpose: Configures NAT paired-address-pooling configuration mode.
    • Use the limit keyword to limit the number of local addresses you can use per global address. The default is 120.

Step 4: ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
    Example:
    Device(config)# ip nat pool net-208 192.168.202.129 192.168.202.158 netmask 255.255.255.240
    Purpose: Defines a pool of global addresses to be allocated as needed.

Step 5: access-list access-list-number permit source [source-wildcard]
    Example:
    Device(config)# access-list 1 permit 192.168.34.0 0.0.0.255
    Purpose: Defines a standard access list permitting addresses that are to be translated.

Step 6: ip nat inside source list access-list-number pool name overload
    Example:
    Device(config)# ip nat inside source list 1 pool net-208 overload
    Purpose: Establishes dynamic Port Address Translation (PAT) or NAT overload and specifies the access list and the IP address pool defined in Step 4 and Step 5.

Step 7: interface type number
    Example:
    Device(config)# interface gigabitethernet 0/0/1
    Purpose: Specifies an interface and enters interface configuration mode.

Step 8: ip address ip-address mask
    Example:
    Device(config-if)# ip address 10.114.11.39 255.255.255.0
    Purpose: Sets a primary IP address for the interface.

Step 9: ip nat inside
    Example:
    Device(config-if)# ip nat inside
    Purpose: Connects the interface to the inside network, which is subject to NAT.

Step 10: exit
    Example:
    Device(config-if)# exit
    Purpose: Exits interface configuration mode and returns to global configuration mode.

Step 11: interface type number
    Example:
    Device(config)# interface gigabitethernet 0/1/2
    Purpose: Specifies an interface and enters interface configuration mode.

Step 12: ip address ip-address mask
    Example:
    Device(config-if)# ip address 172.16.232.182 255.255.255.240
    Purpose: Sets a primary IP address for the interface.

Step 13: ip nat outside
    Example:
    Device(config-if)# ip nat outside
    Purpose: Connects the interface to the outside network.

Step 14: end
    Example:
    Device(config-if)# end
    Purpose: Exits interface configuration mode and returns to privileged EXEC mode.

Configuration Examples for Paired-Address-Pooling Support in NAT

Example: Configuring Paired Address Pooling Support in NAT

The following example shows how to configure paired address pooling along with Network Address Translation (NAT) rules. This example shows a dynamic NAT configuration with access lists and address pools. Based on your NAT configuration, you can configure static or dynamic NAT rules.

    Device# configure terminal
    Device(config)# ip nat settings pap
    Device(config)# ip nat pool net-208 192.168.202.129 192.168.202.158 netmask 255.255.255.240
    Device(config)# access-list 1 permit 192.168.34.0 0.0.0.255
    Device(config)# ip nat inside source list 1 pool net-208 overload
    Device(config)# interface gigabitethernet 0/0/1
    Device(config-if)# ip address 10.114.11.39 255.255.255.0
    Device(config-if)# ip nat inside
    Device(config-if)# exit
    Device(config)# interface gigabitethernet 0/1/2
    Device(config-if)# ip address 172.16.232.182 255.255.255.240
    Device(config-if)# ip nat outside
    Device(config-if)# end

Feature Information for Paired-Address-Pooling Support in NAT

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 1 Feature Information for Paired-Address-Pooling Support in NAT

Feature Name: Paired-Address-Pooling Support in NAT
Releases: Cisco IOS XE Release 3.9S
Feature Information: The ability of Network Address Translation (NAT) to consistently represent a local IP address as a single global IP address is termed paired address pooling. Paired address pooling is supported only on Port Address Translation (PAT).
The following command was introduced or modified: ip nat settings pap.