-
IP Addressing: NAT Configuration Guide, Cisco IOS XE Release 3S
-
Configuring NAT for IP Address Conservation
-
Using Application-Level Gateways with NAT
-
Carrier Grade Network Address Translation
-
Configuring NAT for High Availability
-
Configuring Stateful Interchassis Redundancy
-
Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
-
Integrating NAT with MPLS VPNs
-
Monitoring and Maintaining NAT
-
Enabling NAT High-Speed Logging per VRF
-
Stateless Network Address Translation 64
-
Stateful Network Address Translation 64
-
Stateful Network Address Translation 64 Interchassis Redundancy
-
Mapping of Address and Port Using Translation
-
MSRPC ALG Support for Firewall and NAT
-
Sun RPC ALG Support for Firewalls and NAT
-
vTCP for ALG Support
-
ALG—H.323 vTCP with High Availability Support for Firewall and NAT
-
SIP ALG Hardening for NAT and Firewall
-
Match-in-VRF Support for NAT
-
IP Multicast Dynamic NAT
-
Paired-Address-Pooling Support in NAT
-
PPTP Port Address Translation
-
Feedback
Contents
- Carrier Grade Network Address Translation
- Finding Feature Information
- Restrictions for Carrier Grade Network Address Translation
- Information About Carrier Grade Network Address Translation
- Carrier Grade NAT Overview
- Carrier Grade NAT Support for Broadband Access Aggregation
- How to Configure Carrier Grade Network Address Translation
- Configuring Static Carrier Grade NAT
- Configuring Dynamic Carrier Grade NAT
- Configuring Dynamic Port Address Carrier Grade NAT
- Configuration Examples for Carrier Grade Network Address Translation
- Example: Configuring Static Carrier Grade NAT
- Example: Configuring Dynamic Carrier Grade NAT
- Example: Configuring Dynamic Port Address Carrier Grade NAT
- Additional References for Carrier Grade Network Address Translation
- Feature Information for Carrier Grade Network Address Translation
Carrier Grade Network Address Translation
Carrier Grade Network Address Translation (CGN) is a large-scale NAT that translates private IPv4 addresses into public IPv4 addresses. CGN employs Network Address and Port Translation methods to aggregate multiple private IPv4 addresses into fewer public IPv4 addresses.
This module provides an overview of CGN and describes how to configure CGN.
- Finding Feature Information
- Restrictions for Carrier Grade Network Address Translation
- Information About Carrier Grade Network Address Translation
- How to Configure Carrier Grade Network Address Translation
- Configuration Examples for Carrier Grade Network Address Translation
- Additional References for Carrier Grade Network Address Translation
- Feature Information for Carrier Grade Network Address Translation
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Carrier Grade Network Address Translation
- Asymmetric routing with box-to-box (B2B) redundancy is not supported in CGN mode.
- B2B redundancy is not supported on broadband with CGN; B2B is supported on standalone CGN.
- Broadband is not supported with traditional NAT.
- CGN does not support IP sessions.
- IP over Ethernet (IPoE) Intelligent Services Gateway (ISG) sessions are not supported with CGN.
- NAT outside mappings are disabled automatically when CGN operating mode is configured using the ip nat settings mode cgn command.
- CGN does not support integration with Cisco Performance Routing (PfR). Commands with the oer keyword are not supported. For example, the ip nat inside source route-map pool overload oer and the ip nat inside source list pool overload oer commands are not supported.
Information About Carrier Grade Network Address Translation
Carrier Grade NAT Overview
Network Address Translation (NAT) is positioned between a private and public IP network and uses nonglobal, private IP addresses and a public IP address for translation. NAT dynamically maps one or more private IP addresses into one or more public (globally routable) IP addresses that use Network Address and Port Translation (NAPT) techniques. Traditionally, NAT boxes are deployed in residential home gateways (HGWs) to translate multiple private IP addresses that are configured on multiple devices inside the home to a single public IP address that is configured and provisioned on the HGW by the service provider. Service providers deploy NAT in such a way that multiple subscribers can share a single global IP address. The service provider NAT scales to several millions of NAT translations, making it a Carrier Grade NAT (CGN).
In CGN, packets that traverse from inside the network to outside require only the source address port translation; destination address port translation is not required. CGN can be standalone like traditional NAT or you can use it along with broadband access aggregation. CGN coexits with Intelligent Services Gateway (ISG) features such as Layer 4 Redirect and subscriber services such as traffic classes.
You can configure CGN by using the ip nat settings mode cgn command. Use the ip nat settings mode default command to change to the default or traditional NAT operating mode. In the CGN mode, you cannot configure any NAT outside mappings. However, when you change from the default NAT mode to CGN mode, all existing outside mappings have to be removed. Use the no ip nat settings support mapping outside command to remove all outside mappings and to prevent any new outside mappings from being configured. You can also remove outside mappings by using the no form of commands used to configure NAT outside.
CGN increases the scalability of the number of NAT translations that can be supported because destination information is not stored.
CGN supports the following:
- All application-level gateways (ALGs) that are supported by traditional NAT. For more information about supported ALGs, see the Using Application-Level Gateways with NAT module of the IP Addressing: NAT Configuration Guide.
- Endpoint independent mapping and endpoint independent filtering.
- Hairpinning by using VRF-Aware Software Infrastructure (VASI) and policy-based routing (PBR). Hairpinning occurs when two subscribers are behind the same NAT device but can see each other only by using the global IP address.
- Interbox and intrabox redundancy.
- Lawful intercept.
- Logging of NAT high-speed logging (HSL) records. For more information about HSL, see the section “High-Speed Logging for NAT” in the Maintaining and Monitoring NAT module of the IP Addressing: NAT Configuration Guide.
- Multihoming, which is the ability to support multiple outside interfaces to provide connectivity through redundant or standby exit points. Depending on the configured routing topology, any exit interface that is marked as an outside interface can use a translation that was created previously.
- TCP timeout value of 15 minutes.
- VPN routing and forwarding (VRF)-aware NAT.
Carrier Grade NAT Support for Broadband Access Aggregation
You can configure Carrier Grade Network Address Translation (CGN) as an independent feature or use CGN along with broadband access aggregation.
Broadband access aggregation enables connections between multiple technologies such as cable, digital subscriber line (DSL), Ethernet, ISDN, and wireless devices that are connected to corporate VPNs, third-party applications, and the Internet.
PPP over Ethernet (PPPoE) connects hosts on a network over a simple bridging device to a remote aggregation concentrator. PPPoE is the predominant access protocol in broadband networks worldwide.
For PPPoE to work with CGN, virtual templates and the RADIUS server must support the Network Address Translation (NAT) inside configuration. The NAT inside configuration must be downloaded as part of the RADIUS authentication. Configure the ip nat inside command on the virtual template, which gets cloned into a virtual access interface that inherits the ip nat inside configuration. For the RADIUS server to support the NAT inside configuration, configure the aaa policy interface-config allow-subinterface command or configure the Cisco attribute-value pairs (AV pairs) “lcp:allow-subinterface=yes” and “lcp:interface-config=ip nat inside” in the RADIUS profile on a per-subscriber basis.
You can terminate a PPPoE session either in the global routing table or at a VRF instance.
CGN supports dual-stack (IPv4 and IPv6) PPP sessions. However, only IPv4 traffic is subject to NAT. The IPv6 traffic is not translated; it is routed as per the IPv6 routing configuration.
How to Configure Carrier Grade Network Address Translation
Based on your network configuration, you can configure static, dynamic, or dynamic PAT Carrier Grade NAT.
NoteYou must use at least one of the configurations described in the following tasks for Carrier Grade NAT to work.
- Configuring Static Carrier Grade NAT
- Configuring Dynamic Carrier Grade NAT
- Configuring Dynamic Port Address Carrier Grade NAT
Configuring Static Carrier Grade NAT
SUMMARY STEPSStatic address translation (static NAT) allows one-to-one mapping between local and global addresses. Use the ip nat inside source static command to enable static NAT of the inside source address.
1. enable
2. configure terminal
3. ip nat settings mode cgn
4. ip nat inside source static local-ip global-ip
5. interface virtual-template number
6. ip nat inside
7. exit
8. interface type number
9. ip nat outside
10. end
11. show ip nat translations [verbose]
DETAILED STEPSExample
The following is sample output from the show ip nat translations command:
Device# show ip nat translations Pro Inside global Inside local Outside local Outside global udp 10.5.5.1:1025 192.0.2.1:4000 --- --- udp 10.5.5.1:1024 192.0.2.3:4000 --- --- udp 10.5.5.1:1026 192.0.2.2:4000 --- --- Total number of translations: 3The following is sample output from the show ip nat translations verbose command:
Device# show ip nat translations verbose Pro Inside global Inside local Outside local Outside global udp 10.5.5.1:1025 192.0.2.1:4000 --- --- create: 02/15/12 11:38:01, use: 02/15/12 11:39:02, timeout: 00:00:00 Map-Id(In): 1 Mac-Address: 0000.0000.0000 Input-IDB: TenGigabitEthernet1/1/0 entry-id: 0x0, use_count:1 udp 10.5.5.1:1024 192.0.2.3:4000 --- --- create: 02/15/12 11:38:00, use: 02/15/12 11:39:02, timeout: 00:00:00 Map-Id(In): 1 Mac-Address: 0000.0000.0000 Input-IDB: TenGigabitEthernet1/1/0 entry-id: 0x0, use_count:1 udp 10.5.5.1:1026 192.0.2.2:4000 --- --- create: 02/15/12 11:38:00, use: 02/15/12 11:39:02, timeout: 00:00:00 Map-Id(In): 1 Mac-Address: 0000.0000.0000 Input-IDB: TenGigabitEthernet1/1/0 entry-id: 0x0, use_count:1 Total number of translations: 3Configuring Dynamic Carrier Grade NAT
SUMMARY STEPSDynamic address translation (dynamic NAT) maps unregistered IP addresses to registered IP addresses from a pool of registered IP addresses.
1. enable
2. configure terminal
3. ip nat settings mode cgn
4. access-list standard-access-list-number permit source wildcard
5. access-list standard-access-list-number permit source wildcard
6. route-map map-tag
7. match ip address [access-list-number]
8. match ip next-hop [access-list-number]
9. exit
10. ip nat pool name start-ip end-ip prefix-length prefix-length
11. ip nat inside source route-map name pool name
12. interface virtual-template number
13. ip nat inside
14. exit
15. interface type number
16. ip nat outside
17. end
DETAILED STEPSConfiguring Dynamic Port Address Carrier Grade NAT
SUMMARY STEPSPort Address Translation (PAT) or overloading is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one mapping) by using different ports. PAT enables thousands of users to connect to the Internet by using only one real global IP address.
1. enable
2. configure terminal
3. ip nat settings mode cgn
4. ip nat inside source list number pool name [overload]
5. ip nat pool name start-ip end-ip netmask netmask
6. access-list standard-access-list-number permit source wildcard
7. interface virtual-template number
8. ip nat inside
9. exit
10. interface type number
11. ip nat outside
12. end
13. show ip nat statistics
DETAILED STEPSExample
The following is sample output from the show ip nat statistics command:
Device# show ip nat statistics Total active translations: 3 (0 static, 3 dynamic; 3 extended) Outside interfaces: TenGigabitEthernet2/0/0, TenGigabitEthernet2/1/0, TenGigabitEthernet2/2/0 TenGigabitEthernet2/3/0 Inside interfaces: TenGigabitEthernet1/0/0, TenGigabitEthernet1/1/0, TenGigabitEthernet1/2/0 TenGigabitEthernet1/3/0 Hits: 59230465 Misses: 3 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source [Id: 1] access-list 102 pool mypool refcount 3 pool mypool: netmask 255.255.255.0 start 10.5.5.1 end 10.5.5.5 type generic, total addresses 5, allocated 1 (20%), misses 0 nat-limit statistics: max entry: max allowed 2147483647, used 3, missed 0 Pool stats drop: 0 Mapping stats drop: 0 Port block alloc fail: 0 IP alias add fail: 0 Limit entry add fail: 0Configuration Examples for Carrier Grade Network Address Translation
Example: Configuring Static Carrier Grade NAT
Device# configure terminal Device(config)# ip nat settings mode cgn Device(config)# ip nat inside source static 192.168.2.1 192.168.34.2 Device(config)# interface virtual-template 1 Device(config-if)# ip nat inside Device(config-if)# exit Device(config)# interface gigabitethernet 0/0/0 Device(config-if)# ip nat outside Device(config-if)# endExample: Configuring Dynamic Carrier Grade NAT
Device# configure terminal Device(config)# ip nat settings mode cgn Device(config)# access-list 1 permit 10.1.1.0 0.0.0.255 Device(config)# access-list 2 permit 10.5.5.0 0.0.0.255 Device(config)# route-map nat-route-map Device(config-route-map)# match ip address 1 Device(config-route-map)# match ip next-hop 2 Device(config-route-map)# exit Device(config)# ip nat pool nat-pool 10.1.1.1 10.1.254.254 prefix-length 16 Device(config)# ip nat inside source route-map nat-route-map pool nat-pool Device(config)# interface virtual-template 1 Device(config-if)# ip nat inside Device(config-if)# exit Device(config)# interface gigabitethernet 0/0/1 Device(config-if)# ip nat outside Device(config-if)# endExample: Configuring Dynamic Port Address Carrier Grade NAT
Device# configure terminal Device(config)# ip nat settings mode cgn Device(config)# ip nat inside source list 1 pool nat-pool overload Device(config)# ip nat pool nat-pool 10.1.1.1 10.1.254.254 netmask 255.255.0.0 Device(config)# access-list 1 permit 172.16.0.0 255.255.0.0 Device(config)# interface virtual-template 1 Device(config-if)# ip nat inside Device(config-if)# exit Device(config)# interface gigabitethernet 0/0/3 Device(config-if)# ip nat outside Device(config-if)# endAdditional References for Carrier Grade Network Address Translation
Related Documents
Technical Assistance
Description Link The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Feature Information for Carrier Grade Network Address Translation
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 Feature Information for Carrier Grade Network Address Translation Feature Name
Releases
Feature Information
Carrier Grade Network Address Translation
Cisco IOS XE Release 3.6S
Carrier Grade Network Address Translation (CGN) is a large-scale NAT that translates private IPv4 addresses into public IPv4 addresses. CGN employs Network Address and Port Translation methods to aggregate multiple private IPv4 addresses into fewer public IPv4 addresses.
The following commands were introduced or modified: ip nat settings mode and ip nat settings support mapping outside.
