
Cisco IOS Software Releases 12.3 T

NAT Virtual Interface


The NAT Virtual Interface (NVI) feature removes the requirement to configure an interface as either Network Address Translation (NAT) inside or NAT outside. An interface can be configured to use NAT or not use NAT.

NVI allows traffic between overlapped VPN routing/forwarding (VRFs) in the same Provider Edge (PE) router, and traffic from inside to inside between overlapping networks.

History for the NAT Virtual Interface Feature

Release      Modification
12.3(14)T    This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Restrictions for NAT Virtual Interface

Information About NAT Virtual Interface

How to Configure NAT Virtual Interface

Configuration Examples for NAT Virtual Interface

Additional References

Command Reference

Restrictions for NAT Virtual Interface

Routemaps are not supported.

Stateful Network Address Translation (SNAT) is not supported.

Information About NAT Virtual Interface

Before you configure the NAT Virtual Interface feature, you should understand the following concepts:

NAT Virtual Interface Feature Design

NAT Virtual Interface Feature Design

The NAT Virtual Interface feature lets all NAT traffic flow through the virtual interface, eliminating the need to specify inside and outside domains. When a domain is specified, the translation rules are applied either before or after the route decision, depending on whether the traffic flows from inside to outside or from outside to inside. For an NVI, the translation rules are applied only after the route decision.

When a NAT pool is shared for translating packets from multiple networks connected to a NAT router, an NVI is created and a static route is configured that forwards all packets addressed to the NAT pool to the NVI. The standard interfaces connected to the various networks are configured to identify that traffic originating from and received on those interfaces needs to be translated.


Note: NVI is not a new way of doing NAT; it is a new feature that resolves a NAT restriction.


Figure 1 shows a typical NAT virtual interface configuration.

Figure 1 NAT Virtual Interface Typical Configuration

How to Configure NAT Virtual Interface

This section contains the following procedures:

Enabling a Dynamic NAT Virtual Interface

Enabling a Static NAT Virtual Interface

Enabling a Dynamic NAT Virtual Interface

Perform this task to enable a dynamic NAT virtual interface.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip nat enable

5. exit

6. ip nat pool name start-ip end-ip netmask netmask add-route

7. ip nat source list access-list-number pool name vrf name

8. ip nat source list access-list-number pool name vrf name overload

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface FastEthernet 1

Configures an interface type and enters interface configuration mode.

Step 4 

ip nat enable

Example:

Router(config-if)# ip nat enable

Configures an interface connecting VPNs and the Internet for NAT translation.

Step 5 

exit

Example:

Router(config-if)# exit

Returns to global configuration mode.

Step 6 

ip nat pool name start-ip end-ip netmask netmask add-route

Example:

Router(config)# ip nat pool pool1 200.1.1.1 200.1.1.20 netmask 255.255.255.0 add-route

Configures a NAT pool and associated mappings.

Step 7 

ip nat source list access-list-number pool name vrf name

Example:

Router(config)# ip nat source list 1 pool pool1 vrf shop

Configures a NAT virtual interface without inside or outside specification for VPN customer shop.

Step 8 

ip nat source list access-list-number pool name vrf name overload

Example:

Router(config)# ip nat source list 1 pool pool1 vrf bank overload

Configures a NAT virtual interface without inside or outside specification for VPN customer bank.

Enabling a Static NAT Virtual Interface

Perform this task to enable a static NAT virtual interface.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip nat enable

5. exit

6. ip nat source static local-ip global-ip vrf name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface FastEthernet 1

Configures an interface type and enters interface configuration mode.

Step 4 

ip nat enable

Example:

Router(config-if)# ip nat enable

Configures an interface connecting VPNs and the Internet for NAT translation.

Step 5 

exit

Example:

Router(config-if)# exit

Returns to global configuration mode.

Step 6 

ip nat source static local-ip global-ip vrf name

Example:

Router(config)# ip nat source static 192.168.123.1 192.168.125.10 vrf bank

Configures a static NVI.

Configuration Examples for NAT Virtual Interface

This section provides the following configuration example:

Enabling NAT Virtual Interface: Example

Enabling NAT Virtual Interface: Example

The following example shows how to configure NAT virtual interfaces without the use of inside or outside source addresses.

interface Ethernet0/0
 ip vrf forwarding bank
 ip address 192.168.122.1 255.255.255.0
 ip nat enable
!
interface Ethernet1/0
 ip vrf forwarding park
 ip address 192.168.122.2 255.255.255.0
 ip nat enable
!
interface Serial2/0
 ip vrf forwarding services
 ip address 192.168.123.2 255.255.255.0
 ip nat enable
!
ip nat pool NAT 192.168.25.20 192.168.25.30 netmask 255.255.255.0 add-route
ip nat source list 1 pool NAT vrf bank overload
ip nat source list 1 pool NAT vrf park overload
ip nat source static 192.168.123.1 192.168.125.10 vrf services
! 
access-list 1 permit 192.168.122.20
access-list 1 permit 192.168.122.0 0.0.0.255
!
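
An added example, not part of the Cisco document or Cisco tooling: a Python audit that checks a saved configuration for the dependencies the two procedures above create, namely that each ip nat source rule names a defined pool and a defined numbered access list, targets a VRF that has at least one ip nat enable interface, and does not use a route map. The function names and finding labels are hypothetical, the sample configuration is constructed, and named access lists are not handled.

```python
# Constructed sample modelled on the page's example. Pool "1", list 2, VRF
# "shop" and the missing "ip nat enable" on Serial2/0 are deliberate faults.
SAMPLE = """\
interface Ethernet0/0
 ip vrf forwarding bank
 ip nat enable
interface Serial2/0
 ip vrf forwarding services
!
ip nat pool NAT 192.168.25.20 192.168.25.30 netmask 255.255.255.0 add-route
ip nat source list 1 pool NAT vrf bank overload
ip nat source list 2 pool 1 vrf shop
ip nat source static 192.168.123.1 192.168.125.10 vrf services
access-list 1 permit 192.168.122.0 0.0.0.255
"""

def after(words, key):
    """Return the token following key, or None if key is absent or last."""
    return words[words.index(key) + 1] if key in words[:-1] else None

def audit_nvi(config):
    """Return sorted findings for the ip nat source rules in an IOS config."""
    pools, acls, rules, ifaces, cur = set(), set(), [], [], None
    for raw in config.splitlines():
        w = raw.split()
        if raw.startswith("interface "):
            cur = {"vrf": None, "nat": False}
            ifaces.append(cur)
        elif raw.startswith(" ") and cur is not None:
            if w[:3] == ["ip", "vrf", "forwarding"] and len(w) > 3:
                cur["vrf"] = w[3]
            elif w == ["ip", "nat", "enable"]:
                cur["nat"] = True
        else:
            cur = None  # any other unindented line: back in global config
            if w[:3] == ["ip", "nat", "pool"] and len(w) > 3:
                pools.add(w[3])
            elif w[:1] == ["access-list"] and len(w) > 1:
                acls.add(w[1])
            elif w[:3] == ["ip", "nat", "source"]:
                rules.append(w)
    nat_vrfs = {i["vrf"] for i in ifaces if i["nat"]}
    out = set()
    for w in rules:
        pool, acl, vrf = after(w, "pool"), after(w, "list"), after(w, "vrf")
        if pool and pool not in pools:
            out.add(f"undefined-pool:{pool}")
        if acl and acl not in acls:
            out.add(f"undefined-acl:{acl}")
        if vrf and vrf not in nat_vrfs:
            out.add(f"vrf-without-nat-interface:{vrf}")
        if "route-map" in w:
            out.add("route-map-unsupported")
    return sorted(out)
```

Calling audit_nvi(SAMPLE) reports the four constructed faults; a configuration laid out like the example above returns an empty list.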

Additional References

The following sections provide references related to the NAT Virtual Interface feature.

Related Documents

Related Topic
Document Title

IP NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3T

IP NAT configuration tasks

"Configuring Network Address Translation" section of Part 1 of the Cisco IOS IP Configuration Guide, Release 12.3


Standards

Standards
Title

No new or modified standards are supported by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new and modified commands only.

ip nat enable

ip nat pool

ip nat source

ip nat enable

To configure an interface connecting VPNs and the Internet for Network Address Translation (NAT), use the ip nat enable command in interface configuration mode. To remove the interface configuration, use the no form of this command.

ip nat enable

no ip nat enable

Syntax Description

This command has no arguments or keywords.

Command Modes

Interface configuration

Command History

Release      Modification
12.3(14)T    This command was introduced.


Examples

The following example shows how to configure an interface connecting VPNs and the Internet for NAT translation:

interface Ethernet0/0
 ip vrf forwarding bank
 ip address 192.168.122.1 255.255.255.0
 ip nat enable

Related Commands

Command
Description

ip nat pool

Defines a pool of IP addresses for Network Address Translation.

ip nat source

Enables Network Address Translation on a virtual interface without inside or outside specification.


ip nat pool

To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool command in global configuration mode. To remove one or more addresses from the pool, use the no form of this command.

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [add-route] [type {match-host | rotary}] [accounting list-name]

no ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [add-route] [type {match-host | rotary}] [accounting list-name]

Syntax Description

name

Name of the pool.

start-ip

Starting IP address that defines the range of addresses in the address pool.

end-ip

Ending IP address that defines the range of addresses in the address pool.

netmask netmask

Network mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. Specify the netmask of the network to which the pool addresses belong.

prefix-length prefix-length

Number that indicates how many bits of the netmask are ones (how many bits of the address indicate network). Specify the netmask of the network to which the pool addresses belong.

add-route

(Optional) Specifies that a route has been added to the NVI interface for the global address.

type

(Optional) Indicates the type of pool.

match-host

(Optional) Specifies that the host number is to remain the same after translation.

rotary

(Optional) Indicates that the range of addresses in the address pool identifies real, inside hosts among which TCP load distribution will occur.

accounting list-name

(Optional) Indicates the RADIUS profile name that matches the RADIUS configuration in the router.


Defaults

No pool of addresses is defined.

Command Modes

Global configuration

Command History

Release      Modification
11.2         This command was introduced.
12.3(2)XE    The accounting keyword and list-name argument were added.
12.3(7)T     This command was integrated into Cisco IOS Release 12.3(7)T.
12.3(14)T    The add-route keyword was added.


Usage Guidelines

This command defines a pool of addresses using start address, end address, and either netmask or prefix length. The pool could define an inside global pool, an outside local pool, or a rotary pool.

Examples

The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

The following example shows that a route has been added to the NVI interface for the global address:

ip nat pool NAT 192.168.25.20 192.168.25.30 netmask 255.255.255.0 add-route
ip nat source list 1 pool NAT vrf bank overload
 

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

debug ip nat

Displays information about IP packets translated by NAT.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside source

Enables NAT of the inside destination address.

ip nat outside source

Enables NAT of the outside source address.

ip nat service

Enables a port other than the default port.

ip nat source

Enables Network Address Translation on a virtual interface without inside or outside specification.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat source

To enable Network Address Translation (NAT) on a virtual interface without inside or outside specification, use the ip nat source command in global configuration mode. To remove NAT on a virtual interface without inside or outside specification, use the no form of this command.

Dynamic NAT

ip nat source {list {access-list-number | access-list-name} interface type number | pool name} [overload | vrf name]

no ip nat source {list {access-list-number | access-list-name} interface type number | pool name} [overload | vrf name]

Static NAT

ip nat source {static {esp local-ip interface type number | local-ip global-ip}} [extendable | no-alias | no-payload | vrf name]

no ip nat source {static {esp local-ip interface type number | local-ip global-ip}} [extendable | no-alias | no-payload | vrf name]

Port Static NAT

ip nat source {static {tcp | udp} {local-ip local-port global-ip global-port | interface global-port}} [extendable | no-alias | no-payload | vrf name]

no ip nat source {static {tcp | udp} {local-ip local-port global-ip global-port | interface global-port}} [extendable | no-alias | no-payload | vrf name]

Network Static NAT

ip nat source static network local-network global-network mask [extendable | no-alias | no-payload | vrf name]

no ip nat source static network local-network global-network mask [extendable | no-alias | no-payload | vrf name]

Syntax Description

list access-list-number

Number of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

list access-list-name

Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

interface type

Specifies the interface type for the global address.

interface number

Specifies the interface number for the global address.

pool name

Name of the pool from which global IP addresses are allocated dynamically.

overload

(Optional) Enables the router to use one global address for many local addresses. When overloading is configured, the TCP or User Datagram Protocol (UDP) port number of each inside host distinguishes between the multiple conversations using the same local IP address.

vrf name

(Optional) Associates the NAT translation rule with a particular VPN routing and forwarding (VRF) instance.

static local-ip

Sets up a single static translation. The local-ip argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.

local-port

Sets the local TCP/UDP port in a range from 1 to 65535.

static global-ip

Sets up a single static translation. The global-ip argument establishes the globally unique IP address of an inside host as it appears to the outside network.

global-port

Sets the global TCP/UDP port in the range from 1 to 65535.

extendable

(Optional) Extends the translation.

no-alias

(Optional) Prohibits an alias from being created for the global address.

no-payload

(Optional) Prohibits the translation of an embedded address or port in the payload.

esp local-ip

Establishes IPSec-ESP (tunnel mode) support.

tcp

Establishes the Transmission Control Protocol.

udp

Establishes the User Datagram Protocol.

network local-network

Specifies the local subnet translation.

global-network

Specifies the global subnet translation.

mask

Establishes the IP network mask to be used with subnet translations.


Command Modes

Global configuration

Command History

Release      Modification
12.3(14)T    This command was introduced.


Examples

The following example shows how to configure a virtual interface without inside or outside specification for the global address:

ip nat source list 1 pool NAT vrf bank overload
ip nat source list 1 pool NAT vrf park overload
ip nat source static 192.168.123.1 192.168.125.10 vrf services

Related Commands

Command
Description

ip nat enable

Configures an interface connecting VPNs and the Internet for NAT translation.

ip nat pool

Defines a pool of IP addresses for Network Address Translation.


Copyright © 2005 Cisco Systems, Inc. All rights reserved.