Cisco IOS Software Releases 12.2 T

Stateful Failover of Network Address Translation (SNAT) Phase 1



There is an increasing need for highly resilient IP networks in which application connectivity continues unaffected by failures of links and routers at the NAT border. The Stateful Fail-over of Network Address Translation (SNAT) Phase 1 feature introduces support for two or more network address translators that function as a translation group. A backup router running NAT provides translation services if the active translator fails. Protocols that do not need payload translation, such as HTTP and Telnet, are supported by SNAT; protocols that depend on an Application Level Gateway are not (see the Restrictions section).

Feature Specifications for the Stateful Failover of Network Address Translation (SNAT) Phase 1 Feature

Feature History
 
Release
Modification

12.2(13)T

This feature was introduced.

Supported Platforms

For platforms supported in Cisco IOS Release 12.2(13)T, consult Cisco Feature Navigator.


Determining Platform Support Through Cisco Feature Navigator

Cisco IOS software is packaged in feature sets that are supported on specific platforms. To obtain updated information about platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.

Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. In the release section, you can compare releases side by side to display both the features unique to each software release and the features that releases have in common.

To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.

Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:

http://www.cisco.com/go/fn

Availability of Cisco IOS Software Images

Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.

Contents

Restrictions for Stateful Fail-over of Network Address Translation (SNAT) Phase 1

Information About Stateful Fail-over of Network Address Translation (SNAT) Phase 1

How to Configure SNAT

Configuration Examples for SNAT

Additional References

Command Reference

Restrictions for Stateful Fail-over of Network Address Translation (SNAT) Phase 1

The following applications and protocols are not supported in Phase 1:

Application Level Gateway (ALG) processing, and therefore the protocols that depend on an ALG to rewrite addresses or ports carried in the packet payload:

FTP

NetMeeting Directory (ILS)

RAS

SIP

Skinny

TFTP

Asymmetrical routing. The packets of a flow must pass through the same translator in both directions.

Information About Stateful Fail-over of Network Address Translation (SNAT) Phase 1

Before you configure SNAT, you should understand the following concepts:

SNAT Feature Design

Interaction with HSRP

How to Configure SNAT

SNAT Feature Design

Stateful NAT treats the forwarding of a datagram in a wider context than a single router: the translation state of the application flow is tracked alongside the forwarding decision, so that the failure of a router can be survived with minimal effect on the flow and on the application that is transmitting data. Multiple NAT routers that share this state can work cooperatively and thus increase service availability.

Two or more network address translators function as a translation group. One member of the group (the primary) handles traffic that requires translation of IP address information and informs the backup translator of active flows as they occur. The backup translator uses that information to prepare duplicate translation table entries, so that if the active translator suffers a critical failure, traffic can rapidly be switched to the backup. The flow continues because the same network address translations are used and the state of those translations was already defined before the failure.

Statically defined translations already survive a failover without this feature, because both routers can carry the same static configuration. In the absence of SNAT, sessions that use dynamic NAT mappings would be severed by a critical failure and would have to be reestablished. Stateful NAT enables continuous service for dynamically mapped NAT sessions.

Interaction with HSRP

SNAT can be configured to operate with the Hot Standby Router Protocol (HSRP) to provide redundancy. In this mode HSRP manages the active and standby state changes, and the primary and backup SNAT roles follow the active and standby state of the named HSRP group.

How to Configure SNAT

This section contains the following procedures:

Configuring SNAT with HSRP (optional)

Configuring SNAT Primary/Backup (optional)

Verifying SNAT Configuration (optional)

Configuring SNAT with HSRP

To configure SNAT on routers that already run HSRP, use the following commands. Perform the procedure on every router of the translation group: give each router its own id-number, and use the same HSRP group name, mapping-id and address pool on all of them.

SUMMARY STEPS

1. enable

2. configure {terminal | memory | network}

3. interface type number

4. standby [group-number] ip [ip-address [secondary]]

5. standby [group-number] name group-name

6. exit

7. ip nat stateful id id-number redundancy group-name mapping-id map-number

8. ip nat pool name start-ip end-ip prefix-length prefix-length

9. ip nat inside source route-map name pool pool-name mapping-id map-number [overload]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure {terminal | memory | network}

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface serial 4/0

Enters interface configuration mode for the interface on which the HSRP group runs.

Step 4 

standby [group-number] ip [ip-address [secondary]]

Example:

Router(config-if)# standby 1 ip 11.1.1.1

Enables HSRP on the interface and sets the virtual IP address of the group. The group-number is a number from 0 to 255; the HSRP group name is assigned in the next step.

Step 5 

standby [group-number] name group-name

Example:

Router(config-if)# standby 1 name SNATHSRP

Names the HSRP group. The redundancy keyword of the ip nat stateful id command refers to this name.

Step 6 

exit

Example:

Router(config-if)# exit

Returns to global configuration mode.

Step 7 

ip nat stateful id id-number redundancy group-name mapping-id map-number

Example:

Router(config)# ip nat stateful id 1 redundancy SNATHSRP mapping-id 10

Makes this router a member of the stateful translation group. The id-number must be unique within the group; the primary and backup roles follow the HSRP active and standby state of the named group.

Step 8 

ip nat pool name start-ip end-ip prefix-length prefix-length

Example:

Router(config)# ip nat pool SNATPOOL1 11.1.1.1 11.1.1.9 prefix-length 24

Defines the pool of global addresses. Configure the same pool on every member of the group, because the backup must be able to use the same translations as the primary.

Step 9 

ip nat inside source route-map name pool pool-name mapping-id map-number [overload]

Example:

Router(config)# ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload

Enables dynamic translation and, through the mapping-id, marks the entries created by this mapping for distribution to the peer. Entries created by a mapping without the group's mapping-id are not replicated.


Configuring SNAT Primary/Backup

To configure the primary and backup SNAT routers manually, without HSRP, use the following commands on each router. Use the primary keyword on the primary router and the backup keyword on the backup router; on each router the address after the keyword is the router's own address and the peer address is the address of the other router. The two routers need distinct id-numbers and the same mapping-id.

SUMMARY STEPS

1. enable

2. configure {terminal | memory | network}

3. ip nat stateful id id-number {primary ip-address | backup ip-address} peer ip-address mapping-id map-number

4. ip nat pool name start-ip end-ip prefix-length prefix-length

5. ip nat inside source route-map name pool pool-name mapping-id map-number [overload]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure {terminal | memory | network}

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip nat stateful id id-number {primary ip-address | backup ip-address} peer ip-address mapping-id map-number

Example:

Router(config)# ip nat stateful id 1 primary 1.1.1.1 peer 2.2.2.2 mapping-id 10

Designates this router (address 1.1.1.1) as the primary translator and 2.2.2.2 as its peer. On the backup router enter the mirror image, for example ip nat stateful id 2 backup 2.2.2.2 peer 1.1.1.1 mapping-id 10.

Step 4 

ip nat pool name start-ip end-ip prefix-length prefix-length

Example:

Router(config)# ip nat pool SNATPOOL1 11.1.1.1 11.1.1.9 prefix-length 24

Defines the pool of global addresses. Configure the same pool on both routers.

Step 5 

ip nat inside source route-map name pool pool-name mapping-id map-number [overload]

Example:

Router(config)# ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload

Enables dynamic translation and, through the mapping-id, marks the entries created by this mapping for distribution to the peer translator.


Verifying SNAT Configuration

To verify your configuration, perform the following optional step:

SUMMARY STEPS

1. enable

2. show ip snat distributed verbose

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables higher privilege levels, such as privileged EXEC mode.

Enter your password if prompted.

Step 2 

show ip snat distributed verbose

Example:

Router# show ip snat distributed verbose

Displays the SNAT peers of this router: the local mode (PRIMARY or BACKUP), the state of the peer session, the local and peer addresses and NAT ids, and the mapping list; verbose adds the message counters of the peer session. On a working translation group the state is READY.


Configuration Examples for SNAT

This section provides the following configuration example:

Configuring SNAT with HSRP

Configuring SNAT Primary/Backup

Configuring SNAT with HSRP

The following configuration is entered on one member of the HSRP group. The other member uses the same configuration with a different id-number (for example, ip nat stateful id 2). The Null0 route for the pool prefix keeps packets addressed to unused pool addresses from being routed elsewhere.

!
ip nat stateful id 1
 redundancy SNATHSRP
 mapping-id 10
ip nat pool SNATPOOL1 11.1.1.1 11.1.1.9 prefix-length 24
ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload
ip classless
ip route 11.1.1.0 255.255.255.0 Null0
no ip http server
ip pim bidir-enable

Configuring SNAT Primary/Backup

The first block is the configuration of the primary router and the second that of the backup router; each names the other as its peer and both use mapping-id 10.

!
ip nat stateful id 1
 primary 10.88.194.17
 peer 10.88.194.18
 mapping-id 10
!
ip nat stateful id 2
 backup 10.88.194.18
 peer 10.88.194.17
 mapping-id 10
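The two procedures and the configuration examples above leave several values that must agree across the two routers: unique id-numbers, the same mapping-id on the stateful id and on the ip nat inside source command, peer addresses that cross-reference each other in manual mode, and pool names that match exactly, because IOS pool names are case-sensitive. The following Python script is an added example, not Cisco code, that parses the running-config form used in these examples and reports such inconsistencies between a primary and a backup configuration. The standby ... name line it looks for when validating the redundancy keyword is this example's assumption about how the HSRP group name is bound; the two sample configurations are constructed for the example.

```python
"""SNAT translation-group consistency checks (added example, not Cisco code).
Parses the running-config form shown above (ip nat stateful id followed by an
indented submode, or the same keywords on one line) plus the ip nat pool,
ip nat ... source ... mapping-id and standby ... name lines, and cross-checks
the two routers of a group. The sample configurations are constructed."""
from dataclasses import dataclass, field

KEYS = ("redundancy", "primary", "backup", "peer", "mapping-id")


@dataclass
class SnatConfig:
    hostname: str
    stateful: dict = field(default_factory=dict)  # id-number -> {keyword: value}
    pools: set = field(default_factory=set)       # names from "ip nat pool"
    mappings: list = field(default_factory=list)  # (pool, mapping-id) from "ip nat ... source"
    hsrp_names: set = field(default_factory=set)  # names from "standby <group> name <name>" (assumed binding)


def _pairs(tokens, target):
    it = iter(tokens)  # store keyword/value pairs such as "peer 10.88.194.18"
    for tok in it:
        if tok.lower() in KEYS:
            target[tok.lower()] = next(it, None)


def parse_config(hostname, text):
    cfg, current = SnatConfig(hostname), None  # current: submode block being read
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        toks = raw.split()
        low = [t.lower() for t in toks]
        if raw[0].isspace() and current is not None:
            _pairs(toks, current)  # indented submode line, e.g. " mapping-id 10"
            continue
        current = None
        if low[:4] == ["ip", "nat", "stateful", "id"] and len(toks) > 4:
            current = cfg.stateful.setdefault(int(toks[4]), {})
            _pairs(toks[5:], current)  # one-line form carries the keywords here
        elif low[:3] == ["ip", "nat", "pool"] and len(toks) > 3:
            cfg.pools.add(toks[3])
        elif low[:2] == ["ip", "nat"] and "source" in low and "pool" in low:
            mid = toks[low.index("mapping-id") + 1] if "mapping-id" in low else None
            cfg.mappings.append((toks[low.index("pool") + 1], mid))
        elif low[:1] == ["standby"] and "name" in low:
            cfg.hsrp_names.add(toks[low.index("name") + 1])
    return cfg


def check_pair(a, b):
    """Return findings for the two routers; an empty list means they are consistent."""
    out, blocks = [], []
    for cfg in (a, b):
        h = cfg.hostname
        if len(cfg.stateful) != 1:
            return [f"{h}: expected exactly one 'ip nat stateful id', found {len(cfg.stateful)}"]
        (sid, blk), = cfg.stateful.items()
        blocks.append((cfg, sid, blk))
        if "redundancy" in blk and blk["redundancy"] not in cfg.hsrp_names:
            out.append(f"{h}: redundancy group '{blk['redundancy']}' is not the name of an HSRP group here")
        for pool, mid in cfg.mappings:
            if pool not in cfg.pools:  # IOS pool names are case-sensitive
                near = [p for p in cfg.pools if p.lower() == pool.lower()]
                hint = f" (case-sensitive; did you mean '{near[0]}'?)" if near else ""
                out.append(f"{h}: mapping references undefined pool '{pool}'{hint}")
            if mid != blk.get("mapping-id"):
                out.append(f"{h}: pool '{pool}' uses mapping-id {mid} but the group uses "
                           f"{blk.get('mapping-id')}; such entries are not replicated")
    (a, sa, ba), (b, sb, bb) = blocks
    if sa == sb:
        out.append(f"stateful id {sa} is used on both routers; id-numbers must be unique")
    if ba.get("mapping-id") != bb.get("mapping-id"):
        out.append(f"mapping-id differs: {a.hostname}={ba.get('mapping-id')}, {b.hostname}={bb.get('mapping-id')}")
    if "redundancy" in ba or "redundancy" in bb:
        if ba.get("redundancy") != bb.get("redundancy"):
            out.append("the two routers name different HSRP redundancy groups")
        return out
    roles = {r: (c, k) for c, _, k in blocks for r in ("primary", "backup") if r in k}
    if set(roles) != {"primary", "backup"}:
        return out + ["manual mode needs exactly one primary and one backup router"]
    (pc, pk), (bc, bk) = roles["primary"], roles["backup"]
    if pk.get("peer") != bk["backup"]:
        out.append(f"{pc.hostname}: peer {pk.get('peer')} is not the backup's address {bk['backup']}")
    if bk.get("peer") != pk["primary"]:
        out.append(f"{bc.hostname}: peer {bk.get('peer')} is not the primary's address {pk['primary']}")
    return out


# Constructed sample pair modelled on the primary/backup example above. The
# primary's mapping says "snatpool1" while its pool is defined as "SNATPOOL1".
PRIMARY_CFG = """\
ip nat stateful id 1
 primary 10.88.194.17
 peer 10.88.194.18
 mapping-id 10
ip nat pool SNATPOOL1 11.1.1.1 11.1.1.9 prefix-length 24
ip nat inside source route-map rm-101 pool snatpool1 mapping-id 10 overload
"""
BACKUP_CFG = PRIMARY_CFG.replace("id 1\n primary 10.88.194.17\n peer 10.88.194.18",
                                 "id 2\n backup 10.88.194.18\n peer 10.88.194.17"
                                 ).replace("pool snatpool1", "pool SNATPOOL1")


def lint_sample():
    """Findings for the constructed pair: the case mismatch on the primary's pool name."""
    return check_pair(parse_config("nat-primary", PRIMARY_CFG), parse_config("nat-backup", BACKUP_CFG))
```

Run lint_sample() to see the single finding for the constructed pair; feed parse_config() the output of show running-config from each router to check a real group. The script flags a missing mapping-id on a dynamic mapping because entries created without the group's mapping-id are never distributed, which is the most common reason a failover drops dynamic sessions even though the peers show READY.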

Additional References

For additional information related to Network Address Translation and HSRP, refer to the following references:

Related Documents

Related Topic
Document Title

Additional NAT configuration tasks.

The chapter "Configuring IP Addressing" in the Cisco IOS IP Configuration Guide, Release 12.2

Additional NAT commands

The chapter "IP Addressing Commands" in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2

Additional HSRP configuration tasks

The chapter "Configuring IP Services" in the Cisco IOS IP Configuration Guide, Release 12.2

Additional HSRP commands

The chapter "IP Services Commands" in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2


Standards

Standard
Title

None

Note: Not all supported standards are listed.


MIBs

MIB
MIBs Link

None

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Note: Not all supported MIBs are listed.


To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index


RFCs

RFC
Title

None

Note: Not all supported RFCs are listed.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, tools, and lots more. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.

New Commands

clear ip snat sessions

clear ip snat translation distributed

clear ip snat translation peer

debug ip snat

ip nat stateful id

show ip snat

Modified Commands

ip nat inside source

ip nat outside source

clear ip snat sessions

To clear Stateful Network Address Translation (SNAT) sessions, which closes the TCP session over which translation entries are exchanged with the peer translator, use the clear ip snat sessions EXEC command.

clear ip snat sessions [* | ip-address-peer]

Syntax Description

*

(Optional) Clears the sessions to all peer translators.

ip-address-peer

(Optional) Clears the session to the specified peer translator.


Command Modes

EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

Use this command to close the peer session before it times out. While the session is down, new translation entries are not exchanged with the peer, so use it only when you intend to reset the peering.

Examples

The following example shows the SNAT entries before and after using the clear ip snat sessions command.

Router# show ip snat distributed
SNAT:Mode PRIMARY
    :State READY
    :Local Address 192.168.123.2
    :Local NAT id 100
    :Peer Address 192.168.123.3
    :Peer NAT id 200
    :Mapping List 10

Router# clear ip snat sessions *
Closing TCP session to peer:192.168.123.3

Router# show ip snat distributed

clear ip snat translation distributed

To clear the dynamic Stateful Network Address Translation (SNAT) translations that have been distributed within the translation group from the translation table, use the clear ip snat translation distributed EXEC command.

clear ip snat translation distributed *

Syntax Description

*

Clears all dynamic SNAT translations.


Command Modes

EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

Use this command to clear entries from the translation table before they time out.

Examples

Router# clear ip snat translation distributed *

clear ip snat translation peer

To clear peer Stateful Network Address Translation (SNAT) translations from the translation table, use the clear ip snat translation peer EXEC command.

clear ip snat translation peer ip-address-peer [refresh]

Syntax Description

ip-address-peer

Clears all dynamic SNAT translations learned from the specified peer translator.

refresh

(Optional) Refreshes the entries learned from the peer after clearing them.


Command Modes

EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

Use this command to clear peer entries from the translation table before they time out.

Examples

The following example shows the SNAT entries learned from peer 192.168.123.3 before and after the peer entries are cleared.

Router# show ip snat peer 192.168.123.3

Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.25.20      192.168.122.20     ---                ---
tcp 192.168.25.20:33528 192.168.122.20:33528 192.168.24.2:21 192.168.24.2:21

Router# clear ip snat translation peer 192.168.123.3

Router# show ip snat peer 192.168.123.3

Pro Inside global      Inside local       Outside local      Outside global
Router#

debug ip snat

Use the debug ip snat privileged EXEC command to display information about IP packets translated by the IP stateful network address translation (SNAT) feature. The no form of this command disables debugging output.

debug ip snat [detailed]

no debug ip snat [detailed]

Syntax Description

detailed

(Optional) Displays debug information in a detailed format.


Defaults

Disabled

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

The SNAT feature allows two or more network address translators to function as a translation group. One member of the translation group handles traffic requiring translation of IP address information. It informs the backup translator of active flows as they occur. The backup translator can then use information from the active translator to prepare duplicate translation table entries enabling the backup translator to become the active translator in the event of a critical failure. Traffic continues to flow without interruption since the same network address translations are used and the state of those translation has been previously defined.


Caution Because the debug ip snat command generates a significant amount of output, use it only when traffic on the IP network is low, so other activity on the system is not adversely affected.

Examples

The following is sample output from the debug ip snat command.

Router# debug ip snat detailed

2w6d:SNAT:Establish TCP peers for PRIMARY
2w6d:SNAT (Send):Enqueuing SYNC Message for Router-Id 100
2w6d:SNAT(write2net):192.168.123.2 <---> 192.168.123.3  send message
2w6d:SNAT(write2net):ver 2, id 100, opcode 1, len 68
2w6d:SNAT (Send):Enqueuing DUMP-REQUEST Message for Router-Id 100
2w6d:SNAT(write2net):192.168.123.2 <---> 192.168.123.3  send message
2w6d:SNAT(write2net):ver 2, id 100, opcode 6, len 68
2w6d:SNAT (readfromnet):Enqueuing SYNC Message msg to readQ
2w6d:SNAT (Receive):Processed SYNC Message from Router-Id:0 for Router-Id:200's entry/entries
2w6d:SNAT (readfromnet):Enqueuing DUMP-REQUEST Message msg to readQ
2w6d:SNAT (Receive):Processed DUMP-REQUEST Message from Router-Id:200 for Router-Id:200's entry/entries
2w6d:SNAT(sense):Send SYNC message
2w6d:SNAT (Send):Enqueuing SYNC Message for Router-Id 100
2w6d:SNAT(write2net):192.168.123.2 <---> 192.168.123.3  send message
2w6d:SNAT(write2net):ver 2, id 100, opcode 1, len 68
2w6d:SNAT (readfromnet):Enqueuing SYNC Message msg to readQ
2w6d:SNAT (Receive):Processed SYNC Message from Router-Id:200 for Router-Id:200's entry/entries

Table 1 describes the significant fields shown in the display.

Table 1 debug ip snat Field Descriptions 

Field
Description

SNAT:

Indicates that the packet is being translated by the SNAT feature.

DUMP-REQUEST Message

Request for the peer's existing translation entries, sent after the SNAT router becomes active.
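The debug output above is the only view of the peer exchange that the feature exposes, so it is worth being able to reconstruct the message flow from it when a translation group misbehaves. The following Python script is an added example, not Cisco code: it pairs each "Enqueuing ... Message" line with the write2net header that follows it, so the opcode numbers are learned from the log rather than assumed, lists the messages in order, and flags any received message whose sender Router-Id is not the configured peer. The sample lines are the ones printed above and the expected local and peer ids (100 and 200) are taken from that sample; in the sample one SYNC arrives with Router-Id 0, which the check reports. The page does not describe any authentication of the peer session, so keep the link between the translators on trusted infrastructure.

```python
"""Reconstruct the SNAT peer exchange from 'debug ip snat detailed' output.

Added example for this document, not Cisco code. DEBUG_SAMPLE is the output
shown above; the audit's expected ids (local 100, peer 200) come from it.
"""
import re

DEBUG_SAMPLE = """\
2w6d:SNAT:Establish TCP peers for PRIMARY
2w6d:SNAT (Send):Enqueuing SYNC Message for Router-Id 100
2w6d:SNAT(write2net):192.168.123.2 <---> 192.168.123.3  send message
2w6d:SNAT(write2net):ver 2, id 100, opcode 1, len 68
2w6d:SNAT (Send):Enqueuing DUMP-REQUEST Message for Router-Id 100
2w6d:SNAT(write2net):192.168.123.2 <---> 192.168.123.3  send message
2w6d:SNAT(write2net):ver 2, id 100, opcode 6, len 68
2w6d:SNAT (readfromnet):Enqueuing SYNC Message msg to readQ
2w6d:SNAT (Receive):Processed SYNC Message from Router-Id:0 for Router-Id:200's entry/entries
2w6d:SNAT (readfromnet):Enqueuing DUMP-REQUEST Message msg to readQ
2w6d:SNAT (Receive):Processed DUMP-REQUEST Message from Router-Id:200 for Router-Id:200's entry/entries
"""

SEND_RE = re.compile(r"SNAT \(Send\):Enqueuing (\S+) Message for Router-Id (\d+)")
HDR_RE = re.compile(r"SNAT\(write2net\):ver (\d+), id (\d+), opcode (\d+), len (\d+)")
RECV_RE = re.compile(r"SNAT \(Receive\):Processed (\S+) Message from Router-Id:(\d+) for Router-Id:(\d+)")


def parse_debug(text):
    """Return (events, opcodes).

    events: one dict per message sent or received, in log order.
    opcodes: message type -> opcode, learned by pairing each Send line with
    the write2net header that follows it (not a documented mapping).
    """
    events, opcodes, pending = [], {}, None
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:  # a message was queued; its header line comes next
            pending = {"dir": "send", "type": m.group(1), "from": int(m.group(2))}
            continue
        m = HDR_RE.search(line)
        if m and pending is not None:
            pending.update(ver=int(m.group(1)), id=int(m.group(2)),
                           opcode=int(m.group(3)), len=int(m.group(4)))
            opcodes.setdefault(pending["type"], pending["opcode"])
            events.append(pending)
            pending = None
            continue
        m = RECV_RE.search(line)
        if m:
            events.append({"dir": "recv", "type": m.group(1),
                           "from": int(m.group(2)), "for": int(m.group(3))})
    return events, opcodes


def audit(events, local_id, peer_id):
    """Flag messages that do not fit a two-router group with the given ids."""
    findings = []
    for e in events:
        if e["dir"] == "recv" and e["from"] != peer_id:
            findings.append(f"{e['type']} received from Router-Id {e['from']}, expected peer {peer_id}")
        if e["dir"] == "send" and e["id"] != local_id:
            findings.append(f"{e['type']} sent with header id {e['id']}, expected local id {local_id}")
    return findings


def audit_sample():
    """Opcode map and findings for DEBUG_SAMPLE with local id 100 and peer id 200."""
    events, opcodes = parse_debug(DEBUG_SAMPLE)
    return opcodes, audit(events, local_id=100, peer_id=200)
```

Paste the debug output captured during peer establishment into parse_debug(); the returned event list shows whether the SYNC and DUMP-REQUEST pair was sent and answered, and audit() isolates any message that did not come from the expected peer id.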


ip nat inside source

To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source command in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool pool-name} [mapping-id map-number] [overload]

no ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool pool-name} [mapping-id map-number] [overload]

Static NAT

ip nat inside source static local-ip global-ip [extendable] [no-alias] [no-payload] [route-map name] [redundancy group-name]

no ip nat inside source static local-ip global-ip [extendable] [no-alias] [no-payload] [route-map name] [redundancy group-name]

Port Static NAT

ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [extendable] [no-alias] [no-payload]

no ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [extendable] [no-alias] [no-payload]

Network Static NAT

ip nat inside source static network local-network global-network mask [extendable] [no-alias] [no-payload]

no ip nat inside source static network local-network global-network mask [extendable] [no-alias] [no-payload]

Syntax Description

list access-list-number

Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

list access-list-name

Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

route-map name

Specifies the named route map; packets matched by the route map are dynamically translated.

interface type number

Specifies the interface whose IP address is used as the global address.

pool pool-name

Specifies the name of the pool from which global IP addresses are allocated dynamically.

mapping-id map-number

(Optional) Marks the entries created by this mapping for distribution to the peer SNAT router; the map-number must match the mapping-id of the ip nat stateful id command. Entries created without a mapping-id are not replicated.

overload

(Optional) Enables the router to use one global address for many local addresses. When overloading is configured, the TCP or User Datagram Protocol (UDP) port number of each inside host distinguishes between the multiple conversations.

static local-ip

Sets up a single static translation. The argument is the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918 space, or obsolete.

local-port

Sets the local TCP or UDP port, in the range 1 to 65535.

static global-ip

Sets up a single static translation. The argument is the globally unique IP address of an inside host as it appears to the outside world.

global-port

Sets the global TCP or UDP port, in the range 1 to 65535.

extendable

(Optional) Extends the translation.

no-alias

(Optional) Prohibits an alias from being created for the global address.

no-payload

(Optional) Prohibits the translation of an embedded address or port in the payload.

redundancy group-name

(Optional) Establishes NAT redundancy for the static translation; group-name is an HSRP group name.

tcp

Specifies the Transmission Control Protocol (TCP).

udp

Specifies the User Datagram Protocol (UDP).

network local-network

Specifies the local subnet to translate.

network global-network

Specifies the global subnet to translate to.

mask

Specifies the IP network mask to be used with subnet translations.


Defaults

No NAT translation of inside source addresses occurs.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(4)T

This command was modified to include the ability to use route maps with static translations, and the route-map name keyword and argument combination was added. This command was modified to include static translation with the Hot Standby Router Protocol (HSRP), and the redundancy group-name keyword and argument combination was added. This command was modified to enable the translation of the IP header address only, and the no-payload keyword was added.

12.2(13)T

The keyword mapping-id and the argument map-number were added.


Usage Guidelines

This command has two forms: dynamic and static address translation. The form with an access list or a route map establishes dynamic translation. Packets from addresses that match the standard access list (or the route map) are translated using global addresses allocated from the pool named with the ip nat pool command, or using the address of the interface named with the interface keyword.

Packets that enter the router through the inside interface and packets sourced from the router are checked against the access list for possible NAT candidates. The access list specifies which traffic is to be translated. For stateful NAT, add the mapping-id keyword to the dynamic form so that the entries it creates are distributed to the peer translator.

Alternatively, the syntax form with the static keyword establishes a single static translation.

Examples

The following example translates between inside hosts addressed from either the 192.168.1.0 or the 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat outside source

To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source command in global configuration mode. To remove the static entry or the dynamic association, use the no form of this command.

ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route] [mapping-id map-number]

no ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route] [mapping-id map-number]

Static NAT

ip nat outside source static global-ip local-ip [add-route] [extendable] [no-alias] [no-payload] [redundancy group-name]

no ip nat outside source static global-ip local-ip [add-route] [extendable] [no-alias] [no-payload] [redundancy group-name]

Port Static NAT

ip nat outside source static {tcp | udp} global-ip global-port local-ip local-port [add-route] [extendable] [no-alias] [no-payload]

no ip nat outside source static {tcp | udp} global-ip global-port local-ip local-port [add-route] [extendable] [no-alias] [no-payload]

Network Static NAT

ip nat outside source static network global-network local-network mask [add-route] [extendable] [no-alias] [no-payload]

no ip nat outside source static network global-network local-network mask [add-route] [extendable] [no-alias] [no-payload]

Syntax Description

list access-list-number

Standard IP access list number. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

list access-list-name

Name of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

route-map name

Specifies a named route map.

pool pool-name

Specifies the name of the pool from which global IP addresses are allocated.

mapping-id map-number

(Optional) Marks the entries created by this mapping for distribution to the peer SNAT router; the map-number must match the mapping-id of the ip nat stateful id command.

add-route

(Optional) Adds a static route for the outside local address.

static global-ip

Sets up a single static translation. The argument is the globally unique IP address assigned to a host on the outside network by its owner, allocated from globally routable network space.

static local-ip

Sets up a single static translation. The argument is the local IP address of an outside host as it appears to the inside world. The address is allocated from address space routable on the inside (RFC 1918, Address Allocation for Private Internets).

extendable

(Optional) Extends the translation.

no-alias

(Optional) Prohibits an alias from being created for the global address.

no-payload

(Optional) Prohibits the translation of an embedded address or port in the payload.

redundancy group-name

(Optional) Enables NAT redundancy for the static translation; group-name is an HSRP group name.

tcp

Specifies the Transmission Control Protocol (TCP).

udp

Specifies the User Datagram Protocol (UDP).


Defaults

No translation of source addresses coming from the outside to the inside network occurs.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(4)T

This command was modified to include static translation with the Hot Standby Router Protocol (HSRP), and the redundancy group-name keyword and argument combination was added. This command was modified to enable the translation of the IP header address only, and the no-payload keyword was added.

12.2(13)T

The keyword mapping-id and the argument map-number were added.


Usage Guidelines

Your network might use IP addresses that are not officially assigned to it, for example addresses that officially belong to another network. When the same address is in use both inside (unofficially) and outside (officially), the addresses are said to overlap. You can use NAT to translate inside addresses that overlap with outside addresses. Use this feature if the IP addresses in your stub network happen to be legitimate IP addresses belonging to another network and you need to communicate with those hosts or routers.

This command has two forms: dynamic and static address translation. The form with an access list or a route map establishes dynamic translation. Packets from addresses that match the standard access list (or the route map) are translated using global addresses allocated from the pool named with the ip nat pool command.

Alternatively, the syntax form with the static keyword establishes a single static translation.

Examples

The following example translates inside hosts addressed from the 9.114.11.0 network to the globally unique 171.69.233.208/28 network. Further, packets from outside hosts addressed from the 9.114.11.0 network (the true 9.114.11.0 network) are translated to appear to be from the 10.0.1.0/24 network.

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28 
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat inside source list 1 pool net-208
ip nat outside source list 1 pool net-10
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 9.114.11.39 255.255.255.0
 ip nat inside
access-list 1 permit 9.114.11.0 0.0.0.255

The following example shows NAT configured on the PE router with a static route to the shared service for the gold and silver VPNs. NAT is configured as inside source static one-to-one translations; the outside source mapping refers to the pool defined on the first line.

ip nat pool outside 4.4.4.1 4.4.4.254 netmask 255.255.255.0
ip nat outside source list 1 pool outside
access-list 1 permit 168.58.18.0 0.0.0.255
ip nat inside source static 192.168.121.33 2.2.2.1 vrf gold
ip nat inside source static 192.169.121.33 2.2.2.2 vrf silver

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat stateful id

To designate the members of a translation group, use the ip nat stateful id command in global configuration mode.

ip nat stateful id id-number {redundancy name | {primary ip-address-primary | backup ip-address-backup} peer ip-address-peer} mapping-id map-number

no ip nat stateful id id-number {redundancy name | {primary ip-address-primary | backup ip-address-backup} peer ip-address-peer} mapping-id map-number

Syntax Description

id-number

Unique number given to each router in the stateful translation group.

redundancy name

Establishes the Hot Standby Router Protocol (HSRP) as the method of redundancy. The name is the HSRP group name configured with the standby name command; the primary and backup roles follow the active and standby state of that group.

mapping-id map-number

Identifies the set of locally created entries that the local SNAT router distributes to its peer. The same map-number is given on the ip nat inside source or ip nat outside source command whose entries are to be replicated.

primary ip-address-primary

Manually designates this router as the primary translator; ip-address-primary is this router's own address.

backup ip-address-backup

Manually designates this router as the backup translator; ip-address-backup is this router's own address.

peer ip-address-peer

Specifies the IP address of the other router in the translation group.


Command Modes

Global configuration

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

This command has two forms: HSRP stateful NAT translation and manual stateful NAT translation. The form that uses the keyword redundancy establishes the HSRP redundancy method. When HSRP mode is set, the primary and backup NAT routers are elected according to the HSRP standby state. To enable stateful NAT manually, configure the primary router and backup router.

Examples

The following example shows how to configure SNAT with HSRP. The first block is entered on one router and the second on the other; the id-number differs, while the HSRP group name and the mapping-id are the same on both.

ip nat stateful id 1
 redundancy SNATHSRP
 mapping-id 10
!
ip nat stateful id 2
 redundancy SNATHSRP
 mapping-id 10

The following example shows how to configure SNAT manually. The first block is entered on the primary router and the second on the backup router; each names the other as its peer.

ip nat stateful id 1
 primary 10.88.194.17
 peer 10.88.194.18
 mapping-id 10
!
ip nat stateful id 2
 backup 10.88.194.18
 peer 10.88.194.17
 mapping-id 10

show ip snat

To display active Stateful Network Address Translation (SNAT) translations, use the show ip snat command in EXEC mode.

show ip snat [distributed [verbose] | peer ip-address]

Syntax Description

distributed

(Optional) Displays the stateful translation group as seen from this router: its mode (PRIMARY or BACKUP), the state of the peer session, the local and peer addresses and NAT ids, and the mapping list.

verbose

(Optional) Adds the message counters of the peer session (InMsgs, OutMsgs) and internal connection identifiers.

peer ip-address

(Optional) Displays the translation entries learned from the specified peer router.


Command Modes

EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.


Examples

The following is sample output from the show ip snat distributed command, which lists the stateful NAT connected peers.

Router# show ip snat distributed
Stateful NAT Connected Peers

SNAT: Mode PRIMARY
    :State READY
    :Local Address 192.168.123.2
    :Local NAT id 100
    :Peer Address 192.168.123.3
    :Peer NAT id 200
    :Mapping List 10

The following is sample output from the show ip snat distributed verbose command for the same peer; the last line adds the message counters of the peer session.

Router# show ip snat distributed verbose
Stateful NAT Connected Peers

SNAT: Mode PRIMARY
    :State READY
    :Local Address 192.168.123.2
    :Local NAT id 100
    :Peer Address 192.168.123.3
    :Peer NAT id 200
    :Mapping List 10
    :InMsgs 7, OutMsgs 7, tcb 0x63EBA408, listener 0x0
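The fields above are what an operator checks after configuring a translation group, or when investigating a failover that did not carry dynamic sessions over. The following Python script is an added example, not Cisco code: it parses the show ip snat distributed verbose output into one dictionary per peer and applies the checks that follow from this document (the mode is PRIMARY or BACKUP, the state is READY, local and peer NAT ids and addresses differ, and the locally configured mapping-ids appear in the peer's mapping list). The sample output is the one printed above; treating any state other than READY as a fault, and the expected mapping-id set, are this example's assumptions.

```python
"""Parse and sanity-check 'show ip snat distributed verbose' output.

Added example for this document, not Cisco code. SAMPLE_OUTPUT is the
output shown above; the checks in assess_peer are this example's own.
"""

SAMPLE_OUTPUT = """\
Router# show ip snat distributed verbose
Stateful NAT Connected Peers

SNAT: Mode PRIMARY
    :State READY
    :Local Address 192.168.123.2
    :Local NAT id 100
    :Peer Address 192.168.123.3
    :Peer NAT id 200
    :Mapping List 10
    :InMsgs 7, OutMsgs 7, tcb 0x63EBA408, listener 0x0
"""


def parse_show_ip_snat(text):
    """Return one dict per peer block, keyed by the field names as printed."""
    peers, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SNAT:"):                 # "SNAT: Mode PRIMARY" opens a block
            block = {}
            peers.append(block)
            line = line[len("SNAT:"):].strip()
        elif line.startswith(":") and block is not None:
            line = line[1:].strip()                   # ":State READY", ":Local NAT id 100", ...
        else:
            continue                                  # prompt, title or blank line
        if "," in line:                               # counters: "InMsgs 7, OutMsgs 7, tcb 0x.., listener 0x0"
            for part in line.split(","):
                key, value = part.split(None, 1)
                block[key] = value
        else:                                         # "<field name> <value>", value is the last token
            key, _, value = line.rpartition(" ")
            block[key] = value
    return peers


def assess_peer(peer, expected_mapping_ids):
    """Return findings for one peer block; an empty list means it looks healthy."""
    who = peer.get("Peer Address", "?")
    findings = []
    if peer.get("Mode") not in ("PRIMARY", "BACKUP"):
        findings.append(f"{who}: unexpected mode {peer.get('Mode')!r}")
    if peer.get("State") != "READY":                  # assumption: only READY counts as healthy
        findings.append(f"{who}: peer session state is {peer.get('State')!r}, not READY")
    if peer.get("Local NAT id") == peer.get("Peer NAT id"):
        findings.append(f"{who}: local and peer NAT ids are both {peer.get('Local NAT id')}; "
                        "id-numbers must be unique per router")
    if peer.get("Local Address") == peer.get("Peer Address"):
        findings.append(f"{who}: local and peer addresses are identical")
    advertised = set(peer.get("Mapping List", "").split())
    missing = sorted(set(expected_mapping_ids) - advertised)
    if missing:
        findings.append(f"{who}: mapping-id(s) {missing} configured locally but absent from the peer session")
    return findings


def check_sample(expected_mapping_ids=("10",)):
    """Run the checks over SAMPLE_OUTPUT; returns {peer address: findings}."""
    return {p.get("Peer Address"): assess_peer(p, expected_mapping_ids)
            for p in parse_show_ip_snat(SAMPLE_OUTPUT)}
```

Pass the mapping-ids you configured on this router as expected_mapping_ids; a mapping-id that is missing from the peer's mapping list is the first thing to look for when the backup has no copies of the primary's dynamic entries.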

Glossary

Active—active HSRP router

Backup—NAT router that acts as the Primary when the Primary router fails

Distributed—shared responsibilities among routers in a stateful group

Peer—NAT router participating in exchange of NAT entries in a distributed environment

Primary—NAT router that creates translations for a flow

SNAT—stateful NAT

Standby—standby HSRP router


Note Refer to the Internetworking Terms and Acronyms for terms not included in this glossary.