Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3
IP Addressing and Services Commands: ip mask-reply through ip web-cache

Table Of Contents

ip mask-reply

ip mobile arp

ip mtu

ip name-server

ip nat

ip nat inside destination

ip nat inside source

ip nat outside source

ip nat pool

ip nat service

ip nat stateful

ip nat translation

ip netmask-format

ip nhrp authentication

ip nhrp holdtime

ip nhrp interest

ip nhrp map multicast

ip nhrp map multicast dynamic

ip nhrp map

ip nhrp max-send

ip nhrp network-id

ip nhrp nhs

ip nhrp record

ip nhrp registration no-unique

ip nhrp responder

ip nhrp server-only

ip nhrp trigger-svc

ip nhrp use

ip proxy-arp

ip redirects

ip routing

ip slb dfp

ip slb serverfarm

ip slb vserver

ip source-route

ip subnet-zero

ip tcp chunk-size

ip tcp compression-connections

ip tcp header-compression

ip tcp mss

ip tcp path-mtu-discovery

ip tcp queuemax

ip tcp selective-ack

ip tcp synwait-time

ip tcp timestamp

ip tcp window-size

ip unnumbered

ip unreachables

ip vrf (tracking)

ip wccp

ip wccp enable

ip wccp group-listen

ip wccp redirect

ip wccp redirect exclude in

ip wccp redirect-list

ip wccp version

ip web-cache redirect


ip mask-reply

To have the Cisco IOS software respond to Internet Control Message Protocol (ICMP) mask requests by sending ICMP mask reply messages, use the ip mask-reply command in interface configuration mode. To disable this function, use the no form of this command.

ip mask-reply

no ip mask-reply

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Examples

The following example enables the sending of ICMP mask reply messages on Ethernet interface 0:

interface ethernet 0
 ip address 131.108.1.0 255.255.255.0
 ip mask-reply

ip mobile arp

To enable local-area mobility, use the ip mobile arp command in interface configuration mode. To disable local-area mobility, use the no form of this command.

ip mobile arp [timers keepalive hold-time] [access-group access-list-number | name]

no ip mobile arp [timers keepalive hold-time] [access-group access-list-number | name]

Syntax Description

timers

(Optional) Indicates that you are setting local-area mobility timers.

keepalive

(Optional) Frequency, in minutes, at which the Cisco IOS software sends unicast Address Resolution Protocol (ARP) messages to a relocated host to verify that the host is present and has not moved. The default keepalive time is 5 minutes (300 seconds).

hold-time

(Optional) Hold time, in minutes. This is the length of time the software considers that a relocated host is present without receiving some type of ARP broadcast or unicast from the host. Normally, the hold time should be at least three times greater than the keepalive time. The default hold time is 15 minutes (900 seconds).

access-group

(Optional) Indicates that you are applying an access list. This access list applies only to local-area mobility.

access-list-number

(Optional) Number of a standard IP access list. It is a decimal number from 1 to 99. Only hosts with addresses permitted by this access list are accepted for local-area mobility.

name

(Optional) Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.


Defaults

Local-area mobility is disabled.

If you enable local-area mobility:
keepalive: 5 minutes (300 seconds)
hold-time: 15 minutes (900 seconds)

Command Modes

Interface configuration

Command History

Release
Modification

11.0

This command was introduced.


Usage Guidelines

Local-area mobility is supported on Ethernet, Token Ring, and FDDI interfaces only.

To create larger mobility areas, you must first redistribute the mobile routes into your Interior Gateway Protocol (IGP). The IGP must support host routes. You can use Enhanced IGRP, Open Shortest Path First (OSPF), or Intermediate System-to-Intermediate System (IS-IS); you can also use Routing Information Protocol (RIP), but RIP is not recommended. The mobile area must consist of a contiguous set of subnets.

Using an access list to control the list of possible mobile nodes is strongly encouraged. Without an access list, misconfigured hosts can be taken for mobile nodes and disrupt normal operations.

Examples

The following example configures local-area mobility on Ethernet interface 0:

access-list 10 permit 198.92.37.114
interface ethernet 0
 ip mobile arp access-group 10
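
The access-list recommendation and the timer rule above can be checked mechanically. The following audit script is an added example, not part of the Cisco reference. The function name `audit_mobile_arp` and the sample configuration are assumptions made for illustration, and the script recognizes named lists declared with `ip access-list standard`.

```python
import re

# Constructed sample (not from the page): three interfaces using
# local-area mobility, two of them configured unsafely.
MOBILITY_SAMPLE = """\
access-list 10 permit 198.92.37.114
!
interface ethernet 0
 ip mobile arp access-group 10
!
interface ethernet 1
 ip mobile arp timers 5 10
!
interface ethernet 2
 ip mobile arp timers 10 30 access-group 20
"""

# ip mobile arp [timers keepalive hold-time] [access-group number | name]
MOBILE_RE = re.compile(
    r"^ip mobile arp"
    r"(?: timers (?P<keepalive>\d+) (?P<hold>\d+))?"
    r"(?: access-group (?P<acl>\S+))?$"
)

# Defaults from the command description, in minutes.
DEFAULT_KEEPALIVE, DEFAULT_HOLD = 5, 15


def audit_mobile_arp(config):
    """Return (interface, finding) tuples for risky ip mobile arp lines."""
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    acls |= set(re.findall(r"^ip access-list standard (\S+)", config, re.M))
    findings = []
    iface = None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():
            # A top-level line starts a new stanza; only interface
            # stanzas can carry ip mobile arp.
            m = re.match(r"interface (.+)", raw)
            iface = m.group(1).strip() if m else None
            continue
        m = MOBILE_RE.match(raw.strip())
        if iface is None or m is None:
            continue
        keepalive = int(m.group("keepalive") or DEFAULT_KEEPALIVE)
        hold = int(m.group("hold") or DEFAULT_HOLD)
        acl = m.group("acl")
        if acl is None:
            findings.append((iface, "no access-group: misconfigured hosts "
                                    "can be taken for mobile nodes"))
        else:
            if acl.isdigit() and not 1 <= int(acl) <= 99:
                findings.append((iface, f"access list {acl} is not a "
                                        "standard list (1 to 99)"))
            if acl not in acls:
                findings.append((iface, f"access list {acl} is not defined"))
        if hold < 3 * keepalive:
            findings.append((iface, f"hold-time {hold} is less than three "
                                    f"times keepalive {keepalive}"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_mobile_arp(MOBILITY_SAMPLE):
        print(f"{interface}: {finding}")
```
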

Related Commands

Command
Description

access-list (IP standard)

Defines a standard IP access list.

default-metric (BGP)

Sets default metric values for the BGP, OSPF, and RIP routing protocols.

default-metric (OSPF)

Sets default metric values for OSPF.

default-metric (RIP)

Sets default metric values for RIP.

network (BGP)

Specifies the list of networks for the BGP routing process.

network (IGRP)

Specifies a list of networks for the IGRP or Enhanced IGRP routing process.

network (RIP)

Specifies a list of networks for the RIP routing process.

redistribute (IP)

Redistributes routes from one routing domain into another routing domain.

router eigrp

Configures the IP Enhanced IGRP routing process.

router isis

Enables the IS-IS routing protocol and specifies an IS-IS process for IP.

router ospf

Configures an OSPF routing process.


ip mtu

To set the maximum transmission unit (MTU) size of IP packets sent on an interface, use the ip mtu command in interface configuration mode. To restore the default MTU size, use the no form of this command.

ip mtu bytes

no ip mtu

Syntax Description

bytes

MTU in bytes.


Defaults

Minimum is 128 bytes; maximum depends on the interface medium.

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

If an IP packet exceeds the MTU set for the interface, the Cisco IOS software will fragment it.

All devices on a physical medium must have the same protocol MTU in order to operate.


Note: Changing the MTU value (with the mtu interface configuration command) can affect the IP MTU value. If the current IP MTU value is the same as the MTU value, and you change the MTU value, the IP MTU value will be modified automatically to match the new MTU. However, the reverse is not true; changing the IP MTU value has no effect on the value for the mtu command.


Examples

The following example sets the maximum IP packet size for the first serial interface to 300 bytes:

interface serial 0
 ip mtu 300

Related Commands

Command
Description

mtu

Adjusts the maximum packet size or MTU size.


ip name-server

To specify the address of one or more name servers to use for name and address resolution, use the ip name-server command in global configuration mode. To remove the addresses specified, use the no form of this command.

ip name-server server-address1 [server-address2...server-address6]

no ip name-server server-address1 [server-address2...server-address6]

Syntax Description

server-address1

IP address of the name server.

server-address2...server-address6

(Optional) IP addresses of additional name servers (a maximum of six name servers).


Defaults

No name server addresses are specified.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Examples

The following example specifies the hosts 131.108.1.111 and 131.108.1.2 as name servers:

ip name-server 131.108.1.111 131.108.1.2

This command will be reflected in the configuration file as follows:

ip name-server 131.108.1.111
ip name-server 131.108.1.2

Related Commands

Command
Description

ip domain-lookup

Enables the IP DNS-based host name-to-address translation.

ip domain-name

Defines a default domain name to complete unqualified host names (names without a dotted decimal domain name).


ip nat

To designate that traffic originating from or destined for the interface is subject to Network Address Translation (NAT), use the ip nat interface configuration command. To prevent the interface from being able to translate, use the no form of this command.

ip nat create flow-entries | {inside | outside} | log {translations syslog}

no ip nat create flow-entries | {inside | outside} | log {translations syslog}

Syntax Description

create

Creates flow entries.

flow-entries

NAT flow-based entries.

inside

Indicates that the interface is connected to the inside network (the network subject to NAT translation).

outside

Indicates that the interface is connected to the outside network.

log

Enables NAT logging.

translations

Enables NAT logging translations.

syslog

Enables syslog for NAT logging translations.


Defaults

Traffic leaving or arriving at this interface is not subject to NAT.

Command Modes

Interface configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

Only packets moving between inside and outside interfaces can be translated. You must specify at least one inside interface and outside interface for each border router where you intend to use NAT.

NAT translations logging can be enabled or disabled with the ip nat log translations syslog command.

Examples

The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat inside destination

To enable Network Address Translation (NAT) of the inside destination address, use the ip nat inside destination command in global configuration mode. To remove the dynamic association to a pool, use the no form of this command.

ip nat inside destination list {access-list-number | name} pool name

no ip nat inside destination list {access-list-number | name}

Syntax Description

list access-list-number

Standard IP access list number. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.

list name

Name of a standard IP access list. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.

pool name

Name of the pool from which global IP addresses are allocated during dynamic translation.


Defaults

No inside destination addresses are translated.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Examples

The following example translates between inside hosts addressed to either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside destination list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat inside source

To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source command in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool name} [mapping-id map-name | vrf name] [overload]

no ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool name} [mapping-id map-name | vrf name] [overload]

Static NAT

ip nat inside source {static {local-ip global-ip} [vrf name] [extendable] [no-alias] [no-payload] [route-map] [redundancy group-name] | {esp local-ip interface type number}}

no ip nat inside source {static {local-ip global-ip} [vrf name] [extendable] [no-alias] [no-payload] [route-map] [redundancy group-name] | {esp local-ip interface type number}}

Port Static NAT

ip nat inside source {static {tcp | udp local-ip local-port global-ip global-port} [extendable] [no-alias] [no-payload]

no ip nat inside source {static {tcp | udp local-ip local-port global-ip global-port} [extendable] [no-alias] [no-payload]

Network Static NAT

ip nat inside source {static {network local-network global-network mask} [extendable] [no-alias] [no-payload]

no ip nat inside source {static {network local-network global-network mask} [extendable] [no-alias] [no-payload]

Syntax Description

list access-list-number

Number of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

list access-list-name

Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

route-map name

Specifies the named route map.

interface type

Specifies the interface type for the global address.

interface number

Specifies the interface number for the global address.

pool name

Name of the pool from which global IP addresses are allocated dynamically.

mapping-id map-name

(Optional) Specifies whether the local Stateful NAT Translation (SNAT) router will distribute a particular set of locally created entries to a peer SNAT router.

vrf name

(Optional) Associates the NAT translation rule with a particular VPN routing and forwarding (VRF) instance.

overload

(Optional) Enables the router to use one global address for many local addresses. When overloading is configured, the TCP or User Datagram Protocol (UDP) port number of each inside host distinguishes between the multiple conversations using the same local IP address.

static local-ip

Sets up a single static translation. The local-ip argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.

local-port

Sets the local TCP/UDP port in a range from 1-65535.

static global-ip

Sets up a single static translation. The global-ip argument establishes the globally unique IP address of an inside host as it appears to the outside world.

global-port

Sets the global TCP/UDP port in a range from 1-65535.

extendable

(Optional) Extends the translation.

no-alias

(Optional) Prohibits an alias from being created for the global address.

no-payload

(Optional) Prohibits the translation of an embedded address or port in the payload.

redundancy group-name

(Optional) Establishes NAT redundancy.

esp local-ip

Establishes IPSec-ESP (tunnel mode) support.

tcp

Establishes the Transmission Control Protocol.

udp

Establishes the User Datagram Protocol.

network local-network

Specifies the local subnet translation.

global-network

Specifies the global subnet translation.

mask

Establishes the IP network mask to be used with subnet translations.


Defaults

No NAT translation of inside source addresses occurs.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(4)T

This command was modified to include the ability to use route maps with static translations, and the route-map name keyword and argument combination was added. This command was modified to include static translation with Hot Standby Routing Protocol (HSRP), and the redundancy group-name keyword and argument combination was added. This command was modified to enable the translation of the IP header address only, and the no-payload keyword was added.

12.2(13)T

The interface keyword was added for static translations. The mapping-id map-name keyword and argument combination was added. The vrf name keyword and argument combination was added.


Usage Guidelines

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Packets that enter the router through the inside interface and packets sourced from the router are checked against the access list for possible NAT candidates. The access list is used to specify which traffic is to be translated.

Alternatively, the syntax form with the keyword static establishes a single static translation.

Examples

The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

The following example translates only traffic local to the provider edge device running NAT (NAT-PE):

ip nat inside source list 1 interface e 0 vrf shop overload
ip nat inside source list 1 interface e 0 vrf bank overload
!
ip route vrf shop 0.0.0.0 0.0.0.0 192.1.1.1
ip route vrf bank 0.0.0.0 0.0.0.0 192.1.1.1
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 1 interface e 1 vrf shop overload
ip nat inside source list 1 interface e 1 vrf bank overload
!
ip route vrf shop 0.0.0.0 0.0.0.0 172.1.1.1 global
ip route vrf bank 0.0.0.0 0.0.0.0 172.1.1.1 global
access-list 1 permit 10.1.1.0 0.0.0.255

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat outside source

To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source command in global configuration mode. To remove the static entry or the dynamic association, use the no form of this command.

ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [mapping-id map-name | vrf name] [add-route]

no ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [mapping-id map-name | vrf name] [add-route]

Static NAT

ip nat outside source {static global-ip local-ip} [add-route] [extendable] [no-alias] [no-payload] [redundancy group-name]

no ip nat outside source {static global-ip local-ip} [add-route] [extendable] [no-alias] [no-payload] [redundancy group-name]

Port Static NAT

ip nat outside source {static tcp | udp global-ip global-port local-ip local-port} [add-route] [extendable] [no-alias] [no-payload]

no ip nat outside source {static tcp | udp global-ip global-port local-ip local-port} [add-route] [extendable] [no-alias] [no-payload]

Network Static NAT

ip nat outside source {static network global-network local-network mask} [add-route] [extendable] [no-alias] [no-payload]

no ip nat outside source {static network global-network local-network mask} [add-route] [extendable] [no-alias] [no-payload]

Syntax Description

list access-list-number

Number of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

list access-list-name

Name of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

route-map name

Specifies a named route map.

pool pool-name

Name of the pool from which global IP addresses are allocated.

mapping-id map-name

(Optional) Specifies whether the local Stateful NAT Translation (SNAT) router will distribute a particular set of locally created entries to a peer SNAT router.

vrf name

(Optional) Associates the NAT translation rule with a particular VPN.

add-route

(Optional) Adds a static route for the outside local address.

static global-ip

Sets up a single static translation. This argument establishes the globally unique IP address assigned to a host on the outside network by its owner. It was allocated from globally routable network space.

local-ip

Local IP address of an outside host as it appears to the inside world. The address was allocated from address space routable on the inside (RFC 1918, Address Allocation for Private Internets).

extendable

(Optional) Extends the transmission.

no-alias

(Optional) Prohibits an alias from being created for the local address.

no-payload

(Optional) Prohibits the translation of embedded address or port in the payload.

redundancy group-name

(Optional) Enables the NAT redundancy operation.

tcp

Establishes the Transmission Control Protocol.

udp

Establishes the User Datagram Protocol.


Defaults

No translation of source addresses coming from the outside to the inside network occurs.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(4)T

This command was modified to include static translation with Hot Standby Routing Protocol (HSRP), and the redundancy group-name keyword and argument combination was added. This command was modified to enable the translation of the IP header address only, and the no-payload keyword was added.

12.2(13)T

The mapping-id map-name keyword and argument combination was added. The vrf name keyword and argument combination was added.


Usage Guidelines

You might have IP addresses that are not legal, officially assigned IP addresses. Perhaps you chose IP addresses that officially belong to another network. The case of an address used illegally and legally is called overlapping. You can use NAT to translate inside addresses that overlap with outside addresses. Use this feature if your IP addresses in the stub network happen to be legitimate IP addresses belonging to another network, and you need to communicate with those hosts or routers.

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Alternatively, the syntax form with the static keyword establishes a single static translation.

Examples

The following example translates between inside hosts addressed from the 9.114.11.0 network to the globally unique 171.69.233.208/28 network. Further, packets from outside hosts addressed from the 9.114.11.0 network (the true 9.114.11.0 network) are translated to appear to be from the 10.0.1.0/24 network.

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28 
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat inside source list 1 pool net-208
ip nat outside source list 1 pool net-10
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 9.114.11.39 255.255.255.0
 ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255

The following example shows NAT configured on the Provider Edge (PE) router with a static route to the shared service for the gold and silver Virtual Private Networks (VPNs). NAT is configured as inside source static 1-to-1 translations.

ip nat pool outside 4.4.4.1 4.4.4.254 netmask 255.255.255.0
ip nat outside source list 1 pool outside
access-list 1 permit 168.58.18.0 0.0.0.255
ip nat inside source static 192.168.121.33 2.2.2.1 vrf gold
ip nat inside source static 192.169.121.33 2.2.2.2 vrf silver

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat pool

To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool command in global configuration mode. To remove one or more addresses from the pool, use the no form of this command.

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}[type rotary]

no ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]

Syntax Description

name

Name of the pool.

start-ip

Starting IP address that defines the range of addresses in the address pool.

end-ip

Ending IP address that defines the range of addresses in the address pool.

netmask netmask

Network mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. Specify the netmask of the network to which the pool addresses belong.

prefix-length prefix-length

Number that indicates how many bits of the netmask are ones (how many bits of the address indicate network). Specify the netmask of the network to which the pool addresses belong.

type rotary

(Optional) Indicates that the range of addresses in the address pool identifies real, inside hosts among which TCP load distribution will occur.


Defaults

No pool of addresses is defined.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

This command defines a pool of addresses using start address, end address, and either netmask or prefix length. The pool could define either an inside global pool, an outside local pool, or a rotary pool.

Examples

The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
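
A NAT rule that names an undefined pool or access list, a pool range that does not fit its mask, or a router with no inside or outside interface are easy mistakes to make with these commands. The following linter is an added example, not part of the Cisco reference. The names `lint_nat` and `check_pool` and the sample configuration are assumptions made for illustration, and only the `list ... pool ...` form of the source rules is checked.

```python
import ipaddress
import re

# Constructed sample: the net-208 example with deliberate faults. The pool
# end address is outside the /28, one rule names an undefined pool and an
# undefined access list, and no interface is marked inside.
NAT_SAMPLE = """\
ip nat pool net-208 171.69.233.208 171.69.233.230 prefix-length 28
ip nat inside source list 1 pool net-208
ip nat outside source list 2 pool mypool
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
"""

POOL_RE = re.compile(
    r"^ip nat pool (\S+) (\S+) (\S+) (?:netmask|prefix-length) (\S+)", re.M)
RULE_RE = re.compile(
    r"^ip nat (inside|outside) source list (\S+) pool (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) ", re.M)
NAMED_ACL_RE = re.compile(r"^ip access-list standard (\S+)", re.M)
SIDE_RE = re.compile(r"^[ \t]+ip nat (inside|outside)[ \t]*$", re.M)


def check_pool(name, start, end, mask):
    """Check that start-ip..end-ip is ordered and fits the stated mask."""
    try:
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(end)
        # Accepts both "255.255.255.240" and "28" after the slash.
        net = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    except ValueError as exc:
        return [f"pool {name}: unparsable address or mask ({exc})"]
    findings = []
    if lo > hi:
        findings.append(f"pool {name}: start-ip {start} is above end-ip {end}")
    if hi not in net:
        findings.append(f"pool {name}: end-ip {end} is outside {net}")
    return findings


def lint_nat(config):
    """Return a list of findings for the NAT commands in a configuration."""
    findings = []
    pools = set()
    for name, start, end, mask in POOL_RE.findall(config):
        pools.add(name)
        findings += check_pool(name, start, end, mask)
    acls = set(ACL_RE.findall(config)) | set(NAMED_ACL_RE.findall(config))
    for side, acl, pool in RULE_RE.findall(config):
        rule = f"ip nat {side} source list {acl} pool {pool}"
        if pool not in pools:
            findings.append(f"{rule}: pool {pool} is not defined")
        if acl not in acls:
            findings.append(f"{rule}: access list {acl} is not defined")
    # Translation needs at least one inside and one outside interface.
    marked = set(SIDE_RE.findall(config))
    for side in ("inside", "outside"):
        if side not in marked:
            findings.append(f"no interface is marked 'ip nat {side}'")
    return findings


if __name__ == "__main__":
    for finding in lint_nat(NAT_SAMPLE):
        print(finding)
```
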

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat service

To specify a port other than the default port, use the ip nat service command in global configuration mode. To disable the port, use the no form of this command.

ip nat service {fullrange {tcp | udp} port port-number | H225 | list {access-list-number | access-list-name} {ESP spi-match | IKE preserve-port | ftp tcp port port-number} | ras | rtsp port port-number | sip {tcp | udp} port port-number | skinny tcp port port-number}

no ip nat service {H225 | list {access-list-number | access-list-name} {ESP spi-match | IKE preserve-port | ftp tcp port port-number} | ras | rtsp port port-number | sip {tcp | udp} port port-number | skinny tcp port port-number}

Syntax Description

fullrange

Inside local port range from 0 to 65535.

H225

H323-H225 protocol.

list access-list-number

Standard access list number in the range from 1 to 199.

access-list-name

Name of a standard IP access list.

ESP

Security Parameter Index (SPI) matching IPSec pass-through.

spi-match

SPI matching IPSec pass-through. The ESP endpoints must also have SPI matching enabled.

IKE

Preserve Internet Key Exchange (IKE) port, as required by some IPSec servers.

preserve-port

Preserve User Datagram Protocol (UDP) port in IKE packets.

ftp

FTP protocol.

tcp

TCP protocol.

udp

User Datagram Protocol.

port port-number

Port other than the default port in the range from 1 to 65533.

ras

H323-RAS protocol.

rtsp

Real Time Streaming Protocol. This protocol is enabled by default on port 554.

sip

SIP protocol.

skinny

Skinny protocol.


Defaults

Disabled

RTSP is enabled

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.

12.1(5)T

The skinny keyword was added.

12.2(8)T

The sip keyword was added.

12.2(15)T

The ESP and spi-match keywords were added to enable SPI matching on outside IPSec gateways. The ike and preserve-port keywords were added to enable outside IPSec gateways that require IKE source port 500.

12.3(7)T

The rtsp keyword was added.

12.3(10)

The fullrange keyword was added.


Usage Guidelines

A host with an FTP server using a port other than the default port can have an FTP client using the default FTP control port. When a port other than the default port is configured for an FTP server, Network Address Translation (NAT) prevents FTP control sessions that are using port 21 for that particular server. If an FTP server uses the default port and a port other than the default port, both ports need to be configured using the ip nat service command.

NAT listens on the default port of the Cisco CallManager to translate the skinny messages. If the CallManager uses a port other than the default port, that port needs to be configured using the ip nat service command.

Use the no ip nat service H225 command to disable support of H.225 packets by NAT.

Use the no ip nat service rtsp command to disable support of RTSP packets by NAT. RTSP uses port 554.

To change the default range of port groups when enabling Port Address Translation (PAT) on a router running Cisco IOS and connecting VPN clients to different VPN gateways, use the ip nat service fullrange command.

Examples

The following example configures the nonstandard port 2021:

ip nat service list 10 ftp tcp port 2021
access-list 10 permit 10.1.1.1

The following example configures the standard