Guest

Cisco IOS Software Releases 12.3 T

NAT H.245 Tunneling Support

Hierarchical Navigation

Downloads

Table Of Contents

NAT H.245 Tunneling Support

Contents

Information About NAT H.245 Tunneling Support

Overview of H.323 Calls and H.245 Tunneled Messages

Benefits of NAT H.245 Tunneling Support

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

debug ip nat


NAT H.245 Tunneling Support

The NAT H.245 Tunneling Support feature allows H.245 tunneling in H.323 Application Layer Gateways (ALGs).

Feature History for the NAT H.245 Tunneling Support Feature

Release
Modification

12.3(11)T

This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Information About NAT H.245 Tunneling Support

Additional References

Command Reference

Information About NAT H.245 Tunneling Support

This section describes the following concepts related to the NAT H.245 Tunneling Support feature:

Overview of H.323 Calls and H.245 Tunneled Messages

Benefits of NAT H.245 Tunneling Support

Overview of H.323 Calls and H.245 Tunneled Messages

In order for an H.323 call to take place, an H.225 connection on TCP port 1720 needs to be opened. When the H.225 connection is opened, the H.245 session is initiated and established. This connection can take place on a separate channel from the H.225 or it can be done using H.245 tunneling on the same H.225 channel whereby the H.245 messages are embedded in the H.225 messages and set on the previously established H.225 channel.

If the H.245 tunneled message is not understood, the media address or port is going to be left untranslated by Cisco IOS NAT resulting in failure in media traffic. H.245 FastConnect procedures will not help because FastConnect is terminated as soon as an H.245 tunneled message is sent.

Benefits of NAT H.245 Tunneling Support

The NAT H.245 Tunneling Support feature provides a mechanism for supporting H.245 tunneled messages, which is needed to create a media channel setup.

Additional References

The following sections provide references related to the NAT H.245 Tunneling Support feature.

Related Documents

Related Topic
Document Title

NAT commands: complete command syntax, command mode, defaults, usage guidelines, and examples

The "Addressing and Services Commands" chapter of Cisco IOS IP Command Reference: Volume 1, Addressing and Services, Release 12.3T


Standards

Standards
Title

No new or modified standards are supported by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBS are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents one modified command only.

debug ip nat

debug ip nat

To display information about IP packets translated by the IP Network Address Translation (NAT) feature, use the debug ip nat command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug ip nat [access-list | detailed | h323 | ipsec | port | pptp | route | sip | skinny | vrf | wlan-nat]

no debug ip nat [access-list | detailed | h323 | ipsec | port | pptp | route | sip | skinny | vrf | wlan-nat]

Syntax Description

access-list

(Optional) Standard IP access list number. If the datagram is not permitted by the specified access list, the related debugging output is suppressed.

detailed

(Optional) Displays debug information in a detailed format.

h323

(Optional) Displays H.225, H.245, and H.323 protocol information.

ipsec

(Optional) Displays IP Security (IPSec) packet information.

port

(Optional) Displays port information.

pptp

(Optional) Displays Point-to-Point Tunneling Protocol (PPTP) information.

route

(Optional) Displays route information.

sip

(Optional) Displays Session Initiation Protocol (SIP) information.

skinny

(Optional) Displays debug information in a concise format.

vrf

(Optional) Displays Virtual Private Network (VPN) routing and forwarding (VRF) traffic-related information.

wlan-nat

(Optional) Displays Wireless LAN information.


Command Modes

Privileged EXEC

Command History

Release
Modification

11.2

This command was introduced.

12.1(5)T

The h323 keyword was added.

12.2(8)T

The sip keyword was added.

12.2(13)T

The ipsec and vrf keywords were added.

12.3(2)XE

The wlan-nat keyword was added.

12.3(7)T

The wlan-nat keyword was implemented in Cisco IOS Release 12.3(7)T.

12.3(11)T

The output in the h323 keyword was expanded to include H.245 tunneling.


Usage Guidelines

The NAT feature reduces the need for unique, registered IP addresses. It can also save private network administrators from needing to renumber hosts and routers that do not conform to global IP addressing.

Use the debug ip nat command to verify the operation of the NAT feature by displaying information about each packet that the router translates. The debug ip nat detailed command generates a description of each packet considered for translation. This command also displays information about certain errors or exception conditions, such as the failure to allocate a global address. To display messages related to the processing of H.225 signaling and H.245 messages, use the debug ip nat h323 command. To display messages related to the processing of SIP messages, use the debug ip nat sip command. To display messages related to the processing of VRF messages, use the debug ip nat vrf command.

Caution Because the debug ip nat command generates a substantial amount of output, use it only when traffic on the IP network is low, so other activity on the system is not adversely affected.

Examples

The following is sample output from the debug ip nat command. In this example, the first two lines show the Domain Name System (DNS) request and reply debugging output. The remaining lines show debugging output from a Telnet connection from a host on the inside of the network to a host on the outside of the network. All Telnet packets, except for the first packet, were translated in the fast path, as indicated by the asterisk (*). 

Router# debug ip nat 


NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]

NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852] 

NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826] 

NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311] 

NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827] 

NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828] 

NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313] 

NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]

Table 1 describes the significant fields shown in the display.

Table 1 debug ip nat Field Descriptions 

Field
Description

NAT

Indicates that the packet is being translated by the NAT feature. An asterisk (*) indicates that the translation is occurring in the fast path. The first packet in a conversation always goes through the slow path (that is, it is process switched). The remaining packets go through the fast path if a cache entry exists.

s=192.168.1.95->172.31.233.209

Source address of the packet and how it is being translated.

d=172.31.2.132

Destination address of the packet.

[6825]

IP identification number of the packet. Might be useful in the debugging process to correlate with other packet traces from protocol analyzers.


The following is sample output from the debug ip nat detailed command. In this example, the first two lines show the debugging output produced by a DNS request and reply. The remaining lines show the debugging output from a Telnet connection from a host on the inside of the network to a host on the outside of the network. In this example, the inside host 192.168.1.95 was assigned the global address 172.31.233.193. 

Router# debug ip nat detailed


NAT: i: udp (192.168.1.95, 1493) -> (172.31.2.132, 53) [22399]

NAT: o: udp (172.31.2.132, 53) -> (172.31.233.193, 1493) [63671]

NAT*: i: tcp (192.168.1.95, 1135) -> (172.31.2.75, 23) [22400]

NAT*: o: tcp (172.31.2.75, 23) -> (172.31.233.193, 1135) [22002]

NAT*: i: tcp (192.168.1.95, 1135) -> (172.31.2.75, 23) [22401]

NAT*: i: tcp (192.168.1.95, 1135) -> (172.31.2.75, 23) [22402]

NAT*: o: tcp (172.31.2.75, 23) -> (172.31.233.193, 1135) [22060]

NAT*: o: tcp (172.31.2.75, 23) -> (172.31.233.193, 1135) [22071]

The following is sample output from the debug ip nat h323 command. In this example, an H.323 call is established between two hosts, one host on the inside and the other host on the outside. The debugging output displays the H.323 message names that NAT recognizes and the embedded IP addresses contained in those messages. 

Router# debug ip nat h323


NAT:H225:[0] processing a Setup message

NAT:H225:[0] found Setup sourceCallSignalling

NAT:H225:[0] fix transportAddress addr=192.168.122.50 port=11140

NAT:H225:[0] found Setup fastStart

NAT:H225:[0] Setup fastStart PDU length:18

NAT:H245:[0] processing OpenLogicalChannel message, forward channel

number 1

NAT:H245:[0] found OLC forward mediaControlChannel

NAT:H245:[0] fix TransportAddress addr=192.168.122.50 port=16517

NAT:H225:[0] Setup fastStart PDU length:29

NAT:H245:[0] Processing OpenLogicalChannel message, forward channel

number 1

NAT:H245:[0] found OLC reverse mediaChannel

NAT:H245:[0] fix Transportaddress addr=192.168.122.50 port=16516

NAT:H245:[0] found OLC reverse mediaControlChannel

NAT:H245:[0] fix TransportAddress addr=192.168.122.50 port=16517

NAT:H225:[1] processing an Alerting message

NAT:H225:[1] found Alerting fastStart

NAT:H225:[1] Alerting fastStart PDU length:25

NAT:H245:[1] processing OpenLogicalChannel message, forward channel

number 1

NAT:H323:[0] received pak, payload_len=46

NAT:H323:[0] processed up to new_payload_len 4

NAT:H323:[0] expecting data len=42--payload_len left 42

NAT:H323:[0] try to process tpkt with len 42, payload_len left 42

NAT:H225:processing a Facility message

NAT:H225:pdu_len :31 msg_IE:28

NAT:H323:choice-value:9

NAT:H225:[0] found h245Tunneling

NAT:H225:[0] found h245Control

NAT:H225:[0] h245control PDU length:20

NAT:H245:[0] processing OpenLogicalChannel message, forward channel 

number 2

NAT:H245:[0] found OLC forward mediaControlChannel

NAT:H245:[0] fix TransportAddress addr=192.168.122.50 port=51001

NAT:H245:[0] TransportAddress addr changed 192.168.122.50->135.25.30.129

NAT:H245:[0] message changed, encoding back

NAT:H245:exit process tpkt with new_len 20

NAT:H225:message changed, encoding back

NAT:H323:[0] processed up to new_payload_len 46

NAT:H323:[0] new pak payload len is 46

Table 2 describes the significant fields shown in the display.

Table 2 debug ip nat h323 Field Descriptions 

Field
Description

NAT

Indicates that the packet is being translated by the NAT feature.

H.225, H.245, and H.323

Protocol of the packet.

[0]

Indicates that the packet is moving from a host outside the network to one host inside the network.

[1]

Indicates that the packet is moving from a host inside the network to one host outside the network.


The following is sample output from the debug ip nat ipsec command: 

Router# debug ip nat ipsec


5d21h:NAT:new IKE going In->Out, source addr 192.168.122.35, destination addr 
192.168.22.20, initiator cookie

0x9C42065D

5d21h:NAT:IPSec:created In->Out ESP translation IL=192.168.122.35 SPI=0xAAE32A0A, 
IG=192.168.22.40, OL=192.168.22.20,

OG=192.168.22.20

5d21h:NAT:IPSec:created Out->In ESP translation OG=192.168.22.20 SPI=0xA64B5BB6, 
OL=192.168.22.20, IG=192.168.22.40,

IL=192.168.122.35


5d21h:NAT:new IKE going In->Out, source addr 192.168.122.20, destination addr 
192.168.22.20, initiator cookie

0xC91738FF

5d21h:NAT:IPSec:created In->Out ESP translation IL=192.168.122.20 SPI=0x3E2E1B92, 
IG=192.168.22.40, OL=192.168.22.20,

OG=192.168.22.20

5d21h:NAT:IPSec:Inside host (IL=192.168.122.20) trying to open an ESP connection to 
Outside host (OG=192.168.22.20),

wait for Out->In reply

5d21h:NAT:IPSec:created Out->In ESP translation OG=192.168.22.20 SPI=0x1B201366, 
OL=192.168.22.20, IG=192.168.22.40,

IL=192.168.122.20

The following is sample output from the debug ip nat sip command. In this example, one IP phone registers with a Cisco SIP proxy and then calls another IP phone. The debug output displays the SIP messages that NAT recognizes and the embedded IP addresses contained in those messages. 

Router# debug ip nat sip


NAT:SIP:[0] processing REGISTER message

NAT:SIP:[0] translated embedded address

192.168.122.3->2.2.2.2

NAT:SIP:[0] translated embedded address

192.168.122.3->2.2.2.2

NAT:SIP:[0] message body found

NAT:SIP:[0] found address/port in SDP body:192.168.122.20

20332

NAT:SIP:[1] processing SIP/2.0 100 Trying reply message

NAT:SIP:[1] translated embedded address

2.2.2.2->192.168.122.3

NAT:SIP:[1] processing SIP/2.0 200 OK reply message

NAT:SIP:[1] translated embedded address

2.2.2.2->192.168.122.3

NAT:SIP:[1] translated embedded address

2.2.2.2->192.168.122.3

NAT:SIP:[1] processing INVITE message

NAT:SIP:[1] translated embedded address

2.2.2.2->192.168.122.3

NAT:SIP:[1] message body found

NAT:SIP:[1] found address/port in SDP body:192.168.22.20

Table 3 describes the significant fields shown in the display.

Table 3 debug ip nat sip Field Descriptions 

Field
Description

NAT

Indicates that the packet is being translated by the NAT feature.

SIP

Protocol of the packet.

[0]

Indicates that the packet is moving from a host outside the network to one host inside the network.

[1]

Indicates that the packet is moving from a host inside the network to one host outside the network.


The following is sample output from the debug ip nat vrf command: 

Router# debug ip nat vrf


6d00h:NAT:address not stolen for 192.168.121.113, proto 1 port 7224

6d00h:NAT:creating portlist proto 1 globaladdr 2.2.2.10

6d00h:NAT:Allocated Port for 192.168.121.113 -> 2.2.2.10:wanted 7224 got 7224

6d00h:NAT:i:icmp (192.168.121.113, 7224) -> (168.58.88.2, 7224) [2460]

6d00h:NAT:s=192.168.121.113->2.2.2.10, d=168.58.88.2 [2460] vrf=> shop


6d00h:NAT*:o:icmp (168.58.88.2, 7224) -> (2.2.2.10, 7224) [2460]      vrf=> shop

6d00h:NAT*:s=168.58.88.2, d=2.2.2.10->192.168.121.113 [2460] vrf=> shop


6d00h:NAT:Allocated Port for 192.168.121.113 -> 2.2.2.10:wanted 7225 got 7225

6d00h:NAT:i:icmp (192.168.121.113, 7225) -> (168.58.88.2, 7225) [2461]

6d00h:NAT:s=192.168.121.113->2.2.2.10, d=168.58.88.2 [2461] vrf=> shop

6d00h:NAT*:o:icmp (168.58.88.2, 7225) -> (2.2.2.10, 7225) [2461]      vrf=> shop

6d00h:NAT*:s=168.58.88.2, d=2.2.2.10->192.168.121.113 [2461] vrf=> shop

6d00h:NAT:Allocated Port for 192.168.121.113 -> 2.2.2.10:wanted 7226 got 7226

6d00h:NAT:i:icmp (192.168.121.113, 7226) -> (168.58.88.2, 7226) [2462]

6d00h:NAT:s=192.168.121.113->2.2.2.10, d=168.58.88.2 [2462] vrf=> shop

Table 4 describes the significant fields shown in the display.

Table 4 debug ip nat vrf Field Descriptions 

Field
Description

NAT

Indicates that the packet is being translated by the NAT feature.

s=192.168.121.113->2.2.2.10

Source address of the packet and how it is being translated.

d=168.58.88.2

Destination address of the packet.

[2460]

IP identification number of the packet.

vrf=>

Indicates that NAT is applied to a particular VPN.


The following is sample output from the debug ip nat wlan-nat command: 

Router# debug ip nat wlan-nat


WLAN-NAT: Creating secure ARP entry (10.1.1.1,0010.7bc2.9ff6)

WLAN-NAT: Triggered Acct Start for (171.1.1.10,0010.7bc2.9ff6)

WLAN-NAT: Extracting addr:171.1.1.10,input_idb:Ethernet1/2 from pak

WLAN-NAT: Saving address:171.1.1.10,input_idb:Ethernet1/2 in pak

After the WLAN entry times out, the following debugs will be seen: 

Router# debug ip nat wlan-nat 


WLAN-NAT: Removing secure arp entry (10.1.1.1,0010.7bc2.9ff6)

WLAN-NAT: triggered Acct Stop for (171.1.1.10,0010.7bc2.9ff6)

Table 5 describes the significant fields shown in the display.

Table 5 debug ip nat wlan-nat Field Descriptions 

Field
Description

WLAN

Indicates that a wireless LAN is being translated.

NAT

Indicates that the packet is being translated using NAT.


Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


Copyright © 2004 Cisco Systems, Inc. All rights reserved.