Cisco IOS Software Releases 12.2 T

Table Of Contents

NAT—Translation of External IP Addresses Only

Feature Overview

Benefits

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Enabling Static NAT

Verifying Static NAT

Configuration Examples

Enabling Static NAT Example

Command Reference

ip nat inside source

ip nat outside source

NAT—Translation of External IP Addresses Only

---

Feature History

Release	Modification
12.2(4)T	This feature was introduced.
12.2(4)T2	Support for the Cisco 7500 series routers was added.
12.2(25)S	This feature was implemented in Cisco IOS Release 12.2(25)S.

This document describes the NAT—Translation of External IP Addresses Only feature. It includes the following sections:

•Feature Overview

•Supported Platforms

•Supported Standards, MIBs, and RFCs

•Configuration Tasks

•Configuration Examples

•Command Reference

Feature Overview

Previous to this feature, the address embedded in the packet payload was translated according to the configured NAT rules and the IP header address for all supported protocols or applications.

In the NAT—Translation of External IP Addresses Only feature, Cisco IOS Network Address Translation (NAT) can be configured to ignore all embedded IP addresses for any application and traffic type. Traffic between a host and the outside world flows through the internal network. A router configured for NAT translates the packet to an address that is routable inside the internal network. If the intended destination is the outside world, the packet gets translated back to an external address and sent out.

Benefits

•Supports public and private network architecture with no specific route updates.

•Gives the end client a usable IP address at the starting point. This address will be the address used for IP Security (IPSec) connections and traffic.

•Allows the use of network architecture that requires only the header translation.

Related Documents

•Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2

•Cisco IOS IP Configuration Guide, Release 12.2.

Supported Platforms

•Cisco 2500 series

•Cisco 2600 series

•Cisco 3620 router

•Cisco 3640 router

•Cisco 3660 router

•Cisco 7100 series

•Cisco 7200 series

•Cisco 7500 series

Determining Platform Support Through Feature Navigator

Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Feature Navigator. Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.

Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image.

To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.

Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. As of May 2001, Feature Navigator supports M, T, E, S, and ST releases. You can access Feature Navigator at the following URL:

http://www.cisco.com/go/fn

Supported Standards, MIBs, and RFCs

Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified MIBs are supported by this feature.

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

No new or modified RFCs are supported by this feature.

Configuration Tasks

See the following section for configuration tasks for the NAT—Translation of External IP Addresses Only feature. Each task in the list is identified as either required or optional:

•Enabling Static NAT (required)

•Verifying Static NAT (optional)

Enabling Static NAT

To disable packet translation on the inside host router, use the following commands in global configuration mode, as needed:

Command	Purpose
Router(config)# ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload]| static local-ip global-ip no-payload}	Disables the packet translation on the inside host router.
Router(config)# ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload]| static {tcp | udp} local-port global-port no-payload}	Disables port packet translation on the inside host router.
Router(config)# ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload]| static {network} local-network-mask global-network-mask no-payload}	Disables network packet translation on the inside host router.
Router(config)# ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static local-ip global-ip no-payload}	Disables the packet translation on the outside host router.
Router(config)# ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static {tcp | udp} local-port global-port no-payload}	Disables port packet translation on the outside host router.
Router(config)# ip nat outside source {list {access-list-number| access-list-name} pool pool-name | static {network} local-network-mask global-network-mask no-payload}	Disables network packet translation on the outside host router.

Verifying Static NAT

To verify the static NAT configuration, use the following command in privileged EXEC mode:

Command	Purpose
Router# show ip nat translations [verbose]	Displays active NAT translations.

Configuration Examples

This section provides the following configuration example:

•Enabling Static NAT

Enabling Static NAT Example

The following example translates the packet to an address that is routable inside the internal network.

!

interface ethernet 3

 ip address 10.1.1.1 255.255.255.0

ip nat outside

no ip mroute-cache

media-type 10BaseT

!

interface Ethernet4

 ip address 192.168.15.1 255.255.255.0

 ip nat inside

 no ip mroute-cache

 media-type 10BaseT

!

 router rip

 network 10.0.0.0

 Network 192.168.15.0

!

ip nat outside source static network 10.1.1.1 192.168.251.0/24 no-payload

 ip route 10.1.1.0 255.255.255.0 Ethernet4

 ip route 10.10.1.0 255.255.255.0 Ethernet3

Command Reference

This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.

•ip nat inside source

•ip nat outside source

ip nat inside source

To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source command in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip}

no ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip}

Static NAT

ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip no-payload}

no ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip no-payload}

Port Static NAT

ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static {tcp | udp} local-port global-port no-payload}

no ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static {tcp | udp} local-port global-port no-payload}

Network Static NAT

ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static {network} local-network-mask global-network-mask no-payload}

no ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static {network} local-network-mask global-network-mask no-payload}

Syntax Description

list access-list-number	Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
list name	Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
pool name	Name of the pool from which global IP addresses are allocated dynamically.
overload	(Optional) Enables the router to use one global address for many local addresses. When overloading is configured, the TCP or UDP port number of each inside host distinguishes between the multiple conversations using the same local IP address.
static local-ip	Sets up a single static translation. This argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.
global-ip	Sets up a single static translation. This argument establishes the globally unique IP address of an inside host as it appears to the outside world.
tcp | udp local-port	Sets up a local port static translation.
global-port	Sets up a global port static translation.
network local-network-mask	Sets up a local network static translation.
global-network-mask	Sets up a global network static translation.
no-payload	Enables translation of the IP header address only, bypassing the configured NAT rules.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
11.2	This command was introduced.
12.2(4)T	This command was modified to enable the translation of the IP header address only, and the no-payload keyword was added.
12.2(25)S	This command was implemented in Cisco IOS Release 12.2(25)S.

Usage Guidelines

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Alternatively, the syntax form with the static keyword establishes a single static translation.

Examples

The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 172.16.0.0 172.31.255.255 prefix-length 28

ip nat inside source list 1 pool net-208

!

interface ethernet 0

 ip address 172.16.0.0 255.255.255.240

 ip nat outside

!

interface ethernet 1

 ip address 192.168.1.94 255.255.255.0

 ip nat inside

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 1 permit 192.168.2.0 0.0.0.255

The following example translates the packet to an address that is routable inside the internal network.

!

interface ethernet 3

 ip address 10.1.1.1 255.255.255.0

ip nat outside

no ip mroute-cache

media-type 10BaseT

!

interface Ethernet4

 ip address 192.168.15.1 255.255.255.0

 ip nat inside

 no ip mroute-cache

 media-type 10BaseT

!

 router rip

 network 10.0.0.0

 Network 192.168.15.0

!

ip nat outside source static network 10.1.1.0 192.168.251.0/24 no-payload

 ip route 10.1.1.0 255.255.255.0 Ethernet4

 ip route 10.2.1.0 255.255.255.0 Ethernet3

Related Commands

Command	Description
clear ip nat translation	Clears dynamic NAT translations from the translation table.
ip nat	Designates that traffic originating from or destined for the interface is subject to NAT.
ip nat inside destination	Enables NAT of the inside destination address.
ip nat outside source	Enables NAT of the outside source address.
ip nat pool	Defines a pool of IP addresses for NAT.
show ip nat statistics	Displays NAT statistics.
show ip nat translations	Displays active NAT translations.

ip nat outside source

To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source command in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static global-ip local-ip}

no ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static global-ip local-ip}

Static NAT

ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static global-ip local-ip no-payload}

no ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static global-ip local-ip no-payload}

Port Static NAT

ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static {tcp | udp} global-port local-port no-payload}

no ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static {tcp | udp} global-port local-port no-payload}

Network Static NAT

ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static {network} global-network-mask local-network-mask no-payload}

no ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static {network} global-network-mask local-network-mask no-payload}

Syntax Description

list access-list-number	Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
list access-list-name	Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
pool pool-name	Name of the pool from which global IP addresses are allocated.
static global-ip	Sets up a single static translation. The global-ip argument establishes the globally unique IP address assigned to a host on the outside network by its owner. It was allocated from a globally routable network space.
local-ip	Sets up a single static translation. This argument establishes the local IP address of an outside host as it appears to the inside world. The address was allocated from address space routable on the inside (RFC 1918, Address Allocation for Private Internets).
tcp | udp global-port	Sets up a global port static translation.
local-port	Sets up a local port static translation.
network global-network-mask	Sets up a global network static translation.
local-network-mask	Sets up a local network static translation.
no-payload	Enables translation of the IP header address only, bypassing the configured NAT rules.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
11.2	This command was introduced.
12.2(4)T	This command was modified to enable the translation of the IP header address only, and the no-payload keyword was added.
12.2(25)S	This command was implemented in Cisco IOS Release 12.2(25)S.

Usage Guidelines

You might have IP addresses that are not legal, officially assigned IP addresses. Perhaps you chose IP addresses that officially belong to another network. The case of an address used illegally and legally is called overlapping. You can use NAT to translate inside addresses that overlap with outside addresses. Use this feature if your IP addresses in the stub network happen to be legitimate IP addresses belonging to another network, and you need to communicate with those hosts or routers.

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Alternatively, the syntax form with the static keyword establishes a single static translation.

Examples

The following example translates between inside hosts addressed from the 10.114.11.0 network to the globally unique 172.16.0.0/28 network. Further packets from outside hosts addressed from the 10.114.11.0 network are translated to appear to be from the 10.0.1.0/24 network.

ip nat pool net-208 172.16.0.0 172.69.233.223 prefix-length 28 
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24

ip nat inside source list 1 pool net-208

ip nat outside source list 1 pool net-10

!

interface ethernet 0

 ip address 172.69.232.182 255.255.255.240

 ip nat outside

!

interface ethernet 1

 ip address 10.114.11.39 255.255.255.0

 ip nat inside

!

access-list 1 permit 10.114.11.0 0.0.0.255

The following example translates the packet back to an external address.

!

interface ethernet 3

 ip address 10.1.1.1 255.255.255.0

ip nat outside

no ip mroute-cache

media-type 10BaseT

!

interface Ethernet4

 ip address 192.168.15.1 255.255.255.0

 ip nat inside

 no ip mroute-cache

 media-type 10BaseT

!

 router rip

 network 10.0.0.0

 Network 192.168.15.0

!

ip nat outside source static network 10.1.1.0 192.168.251.0/24 no-payload

 ip route 10.1.1.0 255.255.255.0 Ethernet4

 ip route 10.2.1.0 255.255.255.0 Ethernet3

Related Commands

Command	Description
clear ip nat translation	Clears dynamic NAT translations from the translation table.
ip nat	Designates that traffic originating from or destined for the interface is subject to NAT.
ip nat inside destination	Enables NAT of the inside destination address.
ip nat inside source	Enables NAT of the inside source address.
ip nat pool	Defines a pool of IP addresses for NAT.
show ip nat statistics	Displays NAT statistics.
show ip nat translations	Displays active NAT translations.

Copyright © 2005 Cisco Systems, Inc. All rights reserved.