When a packet arrives, a device (for example, a Cisco ASR 1000 Series Aggregation Services Router) uses the following steps to determine whether the packet is subject to a Network Address Translation (NAT) rule, and so whether to use an existing translation entry, create a new translation entry, or leave the packet untranslated.
The device first checks the NAT translation table for a matching entry.
- If a matching entry is available, this entry is used for translation.
- If no matching entry is available, the device uses access control lists (ACLs) to find a match. A translation entry is created based on the configured match criteria and the IP address pool.
In the following sample dynamic NAT configuration, traffic that comes from the 172.16.0.0/24 network is translated by NAT, and traffic destined to the 192.0.2.0/24 network is not translated.
Device(config)# ip nat pool NAT-POOL 10.98.198.1 10.98.198.15 netmask 255.255.255.240
Device(config)# ip nat inside source list NAT-ACL pool NAT-POOL overload
Device(config)# ip access-list extended NAT-ACL
Device(config-acl)# deny ip any 209.165.201.1 0.0.0.31
Device(config-acl)# deny ip any 192.0.2.0 0.0.0.255
Device(config-acl)# deny ip any 198.51.100.0 0.0.0.255
Device(config-acl)# deny ip any 10.0.0.0 0.255.255.255
Device(config-acl)# deny ip any 203.0.113.0 0.0.0.255
Device(config-acl)# deny ip any 192.168.0.0 0.0.255.255
Device(config-acl)# permit ip 172.16.0.0 0.15.255.255 any
The following is sample output from the show ip nat translations inside command:
Device# show ip nat translations inside 172.16.0.16
Pro Inside global        Inside local         Outside local         Outside global
--- 10.98.198.2          172.16.0.16          ---                   ---
udp 10.98.198.2:137      172.16.0.16:137      192.0.2.4:137         192.0.2.4:137
tcp 10.98.198.2:59901    172.16.0.16:59901    192.0.2.6:389         192.0.2.6:389
udp 10.98.198.2:123      172.16.0.16:123      206.246.122.250:123   206.246.122.250:123
When the first packet arrives from 172.16.0.16 destined to 192.0.2.0 and no translation entry exists for it, the packet is matched against the configured ACL and is not translated by NAT. When the next packet arrives from 172.19.0.16 destined to 192.0.2.0, that packet matches the NAT binding and is translated.
However, when a Domain Name System (DNS), Lightweight Directory Access Protocol (LDAP), or NetBIOS packet arrives from 172.19.0.16 to one of the permitted hosts, the application layer gateway (ALG) creates a binding in the translation table. When an IP address that is neither the source nor the destination address is embedded in a packet payload, and the packet has no port numbers (for example, a DNS packet), the response packet will also carry an IP address that is neither the source nor the destination IP address. Traffic other than Internet Control Message Protocol (ICMP), TCP, and UDP can also create NAT bindings.
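As an added example (not code from the Cisco documentation), the following Python models the lookup order described above for the sample configuration: translation table first, then the ACL, with an ALG binding installed for DNS, NetBIOS and LDAP even when the ACL denies the flow, which is an assumption drawn from the sample output. The ACL, pool slice and ALG port set are constructed here, and port handling is a simplified form of overload (PAT).

```python
import ipaddress

# Constructed model of the NAT decision described above; it is not IOS code.
NAT_ACL = [                                # (action, source, destination), first match wins
    ("deny", "any", "192.0.2.0/24"),
    ("deny", "any", "10.0.0.0/8"),
    ("deny", "any", "192.168.0.0/16"),
    ("permit", "172.16.0.0/12", "any"),
]                                          # implicit deny after the last line
NAT_POOL = ["10.98.198.1", "10.98.198.2"]  # a slice of NAT-POOL, used with 'overload' (PAT)
ALG_PORTS = {53, 137, 389}                 # DNS, NetBIOS name service, LDAP (assumed ALG set)


def _match(rule, addr):
    return rule == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(rule)


def acl_permits(src, dst):
    """Evaluate NAT_ACL in order; no match means deny, as in an IOS ACL."""
    for action, s, d in NAT_ACL:
        if _match(s, src) and _match(d, dst):
            return action == "permit"
    return False


class NatDevice:
    def __init__(self):
        # (proto, inside local, local port, outside, outside port) -> (inside global, global port)
        self.table = {}
        self.used_ports = set()

    def _create(self, key):
        proto, _, lport, _, _ = key
        gport = lport                      # PAT keeps the inside port while it is still free
        while (proto, gport) in self.used_ports:
            gport += 1
        self.used_ports.add((proto, gport))
        self.table[key] = (NAT_POOL[0], gport)
        return self.table[key]

    def process(self, proto, src, sport, dst, dport):
        """Return (decision, translation) for one packet, following the lookup order."""
        key = (proto, src, sport, dst, dport)
        if key in self.table:              # 1. an existing translation entry is reused
            return "existing", self.table[key]
        if acl_permits(src, dst):          # 2. no entry: the ACL decides whether to create one
            return "created", self._create(key)
        if dport in ALG_PORTS:             # ALG installs a binding despite the ACL deny (assumed)
            return "alg", self._create(key)
        return "untranslated", None        # 3. neither: forward the packet unchanged
```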