Cisco IOS IP Addressing Services Command Reference
NAT Commands

Table Of Contents

NAT Commands

clear ip nat translation

clear ip snat sessions

clear ip snat translation distributed

clear ip snat translation peer

ip nat

ip nat create flow-entries

ip nat enable

ip nat inside destination

ip nat inside source

ip nat log

ip nat outside source

ip nat piggyback-support

ip nat pool

ip nat service

ip nat service enable-sym-port

ip nat sip-sbc

ip nat source

ip nat stateful id

ip nat translation

ip nat translation (timeout)

ip nat translation max-entries

show ip nat nvi statistics

show ip nat nvi translations

show ip nat statistics

show ip nat translations

show ip snat


NAT Commands


clear ip nat translation

To clear dynamic Network Address Translation (NAT) translations from the translation table, use the clear ip nat translation command in EXEC mode.

clear ip nat translation {* | forced | [esp | tcp | udp] [inside global-ip [global-port] local-ip [local-port]] [outside local-ip global-ip] | [inside global-ip local-ip [forced]] | [outside local-ip global-ip [forced]]}

Syntax Description

*

Clears all dynamic translations.

forced

(Optional) Forces the clearing of either:

all dynamic entries, whether or not there are any child translations.

a single dynamic half-entry and any existing child translations, whether or not there are any child translations.

inside

(Optional) Clears the inside translations containing the specified global-ip and local-ip addresses. If used without the forced keyword, clears only those entries that do not have child translations.

global-ip

(Optional) Global IP address.

global-port

(Optional) Global port.

local-ip

(Optional) Local IP address.

local-port

(Optional) Local port.

outside

(Optional) Clears the outside translations containing the specified global and local addresses. If used without the forced keyword, clears only those entries that do not have child translations.

piggyback-internal

(Optional) Clears translations created off of piggyback data.

esp

(Optional) Clears Encapsulating Security Payload (ESP) entries from the translation table.

tcp

(Optional) Clears the TCP entries from the translation table.

udp

(Optional) Clears the User Datagram Protocol (UDP) entries from the translation table.


Command Modes

EXEC

Command History

Release
Modification

11.2

This command was introduced.

12.2(15)T

The esp keyword was added.

12.4(2)T

The piggyback-internal keyword was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

XE 2.4.2

The forced keyword was extended to support the removal of a half entry regardless of whether it has any child translations.


Usage Guidelines

Use this command to clear entries from the translation table before they time out.

Examples

The following example shows the NAT entries before and after the User Datagram Protocol (UDP) entry is cleared:

Router> show ip nat translations

Pro    Inside global        Inside local       Outside local      Outside global
udp    10.69.233.209:1220  10.168.1.95:1220   10.69.2.132:53     10.69.2.132:53
tcp    10.69.233.208       10.168.1.94 
tcp    10.69.233.209:11012 10.168.1.89:11012  10.69.1.220:23     10.69.1.220:23
tcp    10.69.233.209:1067  10.168.1.95:1067   10.69.1.161:23     10.69.1.161:23

Router# clear ip nat translation udp inside 10.69.233.209 1220 10.168.1.95 1220 10.69.2.132 53 10.69.2.132 53

Router# show ip nat translations
Pro     Inside global       Inside local       Outside local      Outside global
tcp     10.69.233.208       10.168.1.94 
tcp     10.69.233.209:11012 10.168.1.89:11012  10.69.1.220:23     10.69.1.220:23
tcp     10.69.233.209:1067  10.168.1.95:1067   10.69.1.161:23     10.69.1.161:23

Router# clear ip nat translation inside 10.69.233.208 10.168.1.94 forced

Router# show ip nat translations
Pro     Inside global       Inside local       Outside local      Outside global
tcp     10.69.233.209:11012 10.168.1.89:11012  10.69.1.220:23     10.69.1.220:23
tcp     10.69.233.209:1067  10.168.1.95:1067   10.69.1.161:23     10.69.1.161:23
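As an added illustration (not part of the Cisco reference), the following Python parses the show ip nat translations output shown above, tells half-entries (an inside pair with no outside binding, the case the forced keyword exists for) apart from complete entries, and composes the matching clear ip nat translation line in the argument order the example uses. The column layout, the three-field half-entry line and the sample text are assumptions taken from the output above; the sample is constructed from it.

```python
"""Parse `show ip nat translations` output and build matching clear commands.

Added example for this page; the parsing rules are assumptions taken from the
sample output above, not from Cisco's implementation.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the table from the page's example, before any entry is cleared.
SAMPLE_SHOW_OUTPUT = """\
Pro    Inside global        Inside local       Outside local      Outside global
udp    10.69.233.209:1220  10.168.1.95:1220   10.69.2.132:53     10.69.2.132:53
tcp    10.69.233.208       10.168.1.94
tcp    10.69.233.209:11012 10.168.1.89:11012  10.69.1.220:23     10.69.1.220:23
tcp    10.69.233.209:1067  10.168.1.95:1067   10.69.1.161:23     10.69.1.161:23
"""


@dataclass
class Translation:
    proto: str                      # "tcp", "udp", "esp", ...
    inside_global: str              # "addr" or "addr:port"
    inside_local: str
    outside_local: Optional[str]    # None on a half-entry
    outside_global: Optional[str]

    @property
    def is_half_entry(self) -> bool:
        """A half-entry carries only the inside pair; the outside side is unbound."""
        return self.outside_local is None


def split_addr(field: str):
    """'10.0.0.1:1220' -> ('10.0.0.1', '1220'); '10.0.0.1' -> ('10.0.0.1', None)."""
    host, sep, port = field.partition(":")
    return host, (port if sep else None)


def parse_translations(text: str) -> List[Translation]:
    """Turn the show output into Translation records; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Pro":
            continue
        if len(fields) == 3:                       # proto + inside pair only
            entries.append(Translation(fields[0], fields[1], fields[2], None, None))
        elif len(fields) == 5:                     # proto + all four columns
            entries.append(Translation(*fields))
        else:
            raise ValueError(f"unrecognised translation line: {line!r}")
    return entries


def half_entries(entries: List[Translation]) -> List[Translation]:
    """Entries that a plain clear (without forced) would leave in place."""
    return [e for e in entries if e.is_half_entry]


def clear_command(entry: Translation, forced: bool = False) -> str:
    """Build the clear line for one entry, in the order the page's example uses."""
    if entry.is_half_entry:
        cmd = f"clear ip nat translation inside {entry.inside_global} {entry.inside_local}"
        return f"{cmd} forced" if forced else cmd
    parts = ["clear ip nat translation"]
    if entry.proto in ("tcp", "udp", "esp"):
        parts.append(entry.proto)
    parts.append("inside")
    for field in (entry.inside_global, entry.inside_local,
                  entry.outside_local, entry.outside_global):
        host, port = split_addr(field)
        parts.append(host)
        if port is not None:
            parts.append(port)
    return " ".join(parts)


if __name__ == "__main__":
    for e in parse_translations(SAMPLE_SHOW_OUTPUT):
        print(clear_command(e, forced=e.is_half_entry))
```

Running the block prints one clear line per table row; the half-entry gets the forced keyword, which is the only way the example above removes it.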

Related Commands

Command
Description

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


clear ip snat sessions

To clear dynamic Stateful Network Address Translation (SNAT) sessions from the translation table, use the clear ip snat sessions command in EXEC mode.

clear ip snat sessions * [ip-address-peer]

Syntax Description

*

Removes all dynamic entries.

ip-address-peer

(Optional) Removes SNAT entries of the peer translator.


Command Modes

EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

Use this command to clear entries from the translation table before they time out.

Examples

The following example shows the SNAT entries before and after using the clear ip snat sessions command:

Router> show ip snat distributed

SNAT:Mode PRIMARY
    :State READY
    :Local Address 10.168.123.2
    :Local NAT id 100
    :Peer Address 10.168.123.3
    :Peer NAT id 200
    :Mapping List 10

Router> clear ip snat sessions *
Closing TCP session to peer:10.168.123.3

Router> show ip snat distributed

clear ip snat translation distributed

To clear dynamic Stateful Network Address Translation (SNAT) translations from the translation table, use the clear ip snat translation distributed command in EXEC mode.

clear ip snat translation distributed *

Syntax Description

*

Removes all dynamic SNAT entries.


Command Modes

EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

Use this command to clear entries from the translation table before they time out.

Examples

The following example clears all dynamic SNAT translations from the translation table:

Router# clear ip snat translation distributed *

clear ip snat translation peer

To clear peer Stateful Network Address Translation (SNAT) translations from the translation table, use the clear ip snat translation peer command in EXEC mode.

clear ip snat translation peer ip-address-peer [refresh]

Syntax Description

ip-address-peer

IP address of the peer translator.

refresh

(Optional) Provides a fresh dump of the NAT table from the peer.


Command Modes

EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

Use this command to clear peer entries from the translation table before they time out.

Examples

The following example shows the SNAT entries before and after the peer entry is cleared:

Router# show ip snat peer 

Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.25.20      192.168.122.20     ---                ---
tcp 192.168.25.20:33528 192.168.122.20:33528 192.168.24.2:21 192.168.24.2:21

Router# clear ip snat translation peer 192.168.122.20

ip nat

To designate that traffic originating from or destined for the interface is subject to Network Address Translation (NAT), to enable NAT logging, or to enable static IP address support, use the ip nat command in interface configuration mode. To prevent the interface from being able to translate or log, use the no form of this command.

ip nat [inside | outside | Stateful | create | piggyback-support | pool | portmap | service | sip-sbc | source | log | translations | syslog | allow-static-host]

no ip nat [inside | outside | Stateful | create | piggyback-support | pool | portmap | service | sip-sbc | source | log | translations | syslog | allow-static-host]

Syntax Description

allow-static-host

(Optional) Enables static IP address support for NAT translation.

create

(Optional) Creates NAT flow entries.

inside

(Optional) Indicates that the interface is connected to the inside network (the network subject to NAT translation).

log

(Optional) Enables NAT logging.

outside

(Optional) Indicates that the interface is connected to the outside network.

piggyback-support

(Optional) Enables NAT Piggybacking support.

pool

(Optional) Defines pool of addresses.

portmap

(Optional) Defines a portmap of port ranges.

service

(Optional) Indicates special translation for application using non-standard port.

sip-sbc

(Optional) Indicates SIP Session Border Controller commands.

source

(Optional)

Stateful

(Optional)

syslog

(Optional) Enables syslog for NAT logging translations.

translations

(Optional) Enables NAT logging translations.


Command Default

Traffic leaving or arriving at this interface is not subject to NAT.

Command Modes

Interface configuration

Command History

Release
Modification

11.2

This command was introduced.

12.3(2)XE

The allow-static-host keyword was added.

12.3(7)T

This command was implemented in Cisco IOS Release 12.3(7)T.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(22)T

This command is integrated into the Cisco IOS Release 12.2(22)T. The allow-static-host keyword was removed.


ip nat create flow-entries

To create Network Address Translation (NAT) flow entries, use the ip nat create flow-entries command in global configuration mode. To disable the flow cache, use the no form of this command.

ip nat create flow-entries

no ip nat create flow-entries

Syntax Description

This command has no arguments or keywords.

Command Default

Flow entries are created.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

To scale NAT performance, this enhancement maintains a flow table (flow cache) of NAT entries so that packets of an established flow are matched without a full translation lookup.

Examples

The following example shows how to disable the creation of NAT flow entries by using the no form of the command:

Router(config)# no ip nat create flow-entries 

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

debug ip nat

Displays information about IP packets translated by NAT.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translation

Displays active NAT translations.


ip nat enable

To configure an interface connecting Virtual Private Networks (VPNs) and the Internet for Network Address Translation (NAT), use the ip nat enable command in interface configuration mode.

ip nat enable

no ip nat enable

Syntax Description

This command has no arguments or keywords.

Command Modes

Interface configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Examples

The following example shows how to configure an interface connecting VPNs and the Internet for NAT translation:

interface Ethernet0/0
 ip vrf forwarding vrf1
 ip address 192.168.122.1 255.255.255.0
 ip nat enable

Related Commands

Command
Description

ip nat pool

Defines a pool of IP addresses for Network Address Translation.

ip nat source

Enables Network Address Translation on a virtual interface without inside or outside specification.


ip nat inside destination

To enable Network Address Translation (NAT) of the inside destination address, use the ip nat inside destination command in global configuration mode. To remove the dynamic association to a pool, use the no form of this command.

ip nat inside destination list {access-list-number | name} pool name [mapping-id map-id]

no ip nat inside destination list {access-list-number | name} pool name [mapping-id map-id]

Syntax Description

list access-list-number

Standard IP access list number. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.

list name

Name of a standard IP access list. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.

pool name

Name of the pool from which global IP addresses are allocated during dynamic translation.

mapping-id map-id

(Optional) Specifies whether the local Stateful NAT Translation (SNAT) router will distribute a particular set of locally created entries to a peer SNAT router.


Defaults

No inside destination addresses are translated.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.3(7)T

The mapping-id map-id keyword and argument combination was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Examples

The following example shows how to translate between inside hosts addressed to either the 192.168.1.0 or 192.168.2.0 network to the globally unique 10.69.233.208/28 network:

ip nat pool net-208 10.69.233.208 10.69.233.223 prefix-length 28
ip nat inside destination list 1 pool net-208
!
interface ethernet 0
 ip address 10.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat inside source

To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source command in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

Dynamic NAT

ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool name} [mapping-id map-id | overload | reversible | vrf name] [match-in-vrf] [oer]

no ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool name} [mapping-id map-id | overload | reversible | vrf name] [match-in-vrf] [oer]

Static NAT

ip nat inside source static {esp local-ip interface type number | local-ip global-ip} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | reversible | vrf name] [match-in-vrf]

no ip nat inside source static {esp local-ip interface type number | local-ip global-ip} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | reversible | vrf name] [match-in-vrf]

Port Static NAT

ip nat inside source static {tcp | udp {local-ip local-port global-ip global-port | interface global-port}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | reversible | vrf name] [match-in-vrf]

no ip nat inside source static {tcp | udp {local-ip local-port global-ip global-port | interface global-port}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | reversible | vrf name] [match-in-vrf]

Network Static NAT

ip nat inside source static network local-network global-network mask [extendable | no-alias | no-payload | mapping-id map-id | redundancy group-name | vrf name]

no ip nat inside source static network local-network global-network mask [extendable | no-alias | no-payload | mapping-id map-id | redundancy group-name | vrf name]

Syntax Description

list access-list-number

Number of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

list access-list-name

Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

route-map name

Specifies the named route map.

interface type

Specifies the interface type for the global address.

interface number

Specifies the interface number for the global address.

pool name

Name of the pool from which global IP addresses are allocated dynamically.

mapping-id map-id

(Optional) Specifies whether the local Stateful NAT Translation (SNAT) router will distribute a particular set of locally created entries to a peer SNAT router.

overload

(Optional) Enables the router to use one global address for many local addresses. When overloading is configured, the TCP or User Datagram Protocol (UDP) port number of each inside host distinguishes between the multiple conversations using the same local IP address.

reversible

(Optional) Enables outside-to-inside initiated sessions to use route maps for destination-based NAT.

vrf name

(Optional) Associates the NAT translation rule with a particular virtual routing and forwarding (VRF) instance.

match-in-vrf

(Optional) Enables NAT inside and outside traffic in the same VRF.

oer

(Optional) Allows Optimized Edge Routing (OER) to operate with NAT and control traffic class routing.

static local-ip

Sets up a single static translation. The local-ip argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.

local-port

Sets the local TCP/UDP port in a range from 1 to 65535.

static global-ip

Sets up a single static translation. The global-ip argument establishes the globally unique IP address of an inside host as it appears to the outside network.

global-port

Sets the global TCP/UDP port in a range from 1 to 65535.

extendable

(Optional) Extends the translation.

no-alias

(Optional) Prohibits an alias from being created for the global address.

no-payload

(Optional) Prohibits the translation of an embedded address or port in the payload.

redundancy group-name

(Optional) Establishes NAT redundancy.

esp local-ip

Establishes IPSec-ESP (tunnel mode) support.

tcp

Establishes the Transmission Control Protocol.

udp

Establishes the User Datagram Protocol.

network local-network

Specifies the local subnet translation.

global-network

Specifies the global subnet translation.

mask

Establishes the IP network mask to be used with subnet translations.


Defaults

No NAT translation of inside source addresses occurs.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(4)T

This command was modified to include the ability to use route maps with static translations, and the route-map name keyword and argument combination was added. This command was modified to include static translation with Hot Standby Routing Protocol (HSRP), and the redundancy group-name keyword and argument combination was added. This command was modified to enable the translation of the IP header address only, and the no-payload keyword was added.

12.2(13)T

The interface keyword was added for static translations. The mapping-id map-id keyword and argument combination was added for dynamic translations. The vrf name keyword and argument combination was added.

12.3(7)T

The static mapping-id map-id keyword and argument combination was added.

12.3(14)T

The reversible keyword was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(15)T

The oer keyword was added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Packets that enter the router through the inside interface and packets sourced from the router are checked against the access list for possible NAT candidates. The access list is used to specify which traffic is to be translated.

Alternatively, the syntax form with the static keyword establishes a single static translation.


Note When a session is initiated from outside with the source IP as the outside global address, the router is unable to determine the destination VRF of the packet. Use the match-in-vrf keyword to enable the ip alias installation to work correctly when routing NAT inside and outside traffic in the same VRF.


Examples

The following example shows how to translate between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 10.69.233.208/28 network:

ip nat pool net-208 10.69.233.208 10.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 10.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

The following example shows how to translate only traffic local to the provider edge device running NAT (NAT-PE):

ip nat inside source list 1 interface e 0 vrf host1 overload
ip nat inside source list 1 interface e 0 vrf host2 overload
!
ip route vrf host1 0.0.0.0 0.0.0.0 192.1.1.1
ip route vrf host2 0.0.0.0 0.0.0.0 192.1.1.1
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 1 interface e 1 vrf host1 overload
ip nat inside source list 1 interface e 1 vrf host2 overload
!
ip route vrf host1 0.0.0.0 0.0.0.0 10.1.1.1 global
ip route vrf host2 0.0.0.0 0.0.0.0 10.1.1.1 global
access-list 1 permit 10.1.1.0 0.0.0.255

The following example shows how to translate sessions from outside-to-inside.

ip nat pool POOL-A 30.1.10.1 30.1.10.126 netmask 255.255.255.128
ip nat pool POOL-B 30.1.20.1 30.1.20.126 netmask 255.255.255.128

ip nat inside source route-map MAP-A pool POOL-A reversible
ip nat inside source route-map MAP-B pool POOL-B reversible
!
ip access-list extended ACL-A
 permit ip any 30.1.10.128 0.0.0.127
ip access-list extended ACL-B
 permit ip any 30.1.20.128 0.0.0.127
!
route-map MAP-A permit 10
 match ip address ACL-A
!
route-map MAP-B permit 10
 match ip address ACL-B
!

The following example shows how to configure route map R1 to allow outside-to-inside translation for static NAT:

ip nat inside source static 1.1.1.1 2.2.2.2 route-map R1 reversible
!
ip access-list extended ACL-A
 permit ip any 30.1.10.128 0.0.0.127

route-map R1 permit 10
 match ip address ACL-A

The following example shows how to configure NAT inside and outside traffic in the same VRF:

interface Loopback1
 ip vrf forwarding blue
 ip address 192.168.199.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet0/0
 ip vrf forwarding blue
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly

ip nat pool MYPOOL 192.168.1.5 192.168.1.5 prefix-length 24
ip nat inside source list acl-nat pool MYPOOL vrf blue overload
!
!
ip access-list extended acl-nat
 permit ip 192.168.199.0 0.0.0.255 any
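The overload keyword described above lets many inside hosts share one global address, with the TCP or UDP port telling the conversations apart. The following Python is an added model of that behaviour, written for this page and not Cisco's implementation. Its assumptions: a translation is keyed by protocol, inside local address and local port; the global port is the host's own source port when it is free and otherwise the next free port from a constructed range; a returning packet with no matching translation is reported as None, which is the case a stateful NAT drops; exhausting the port range raises, which is the limit an operator watches on a busy edge.

```python
"""Toy model of NAT overload (PAT): one global address shared by many inside hosts.

Added example for this page; keying, port selection and the constructed port
range are assumptions of this model, not Cisco's implementation.
"""
from typing import Dict, Optional, Tuple


class OverloadTranslator:
    def __init__(self, global_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.global_ip = global_ip
        self.lo, self.hi = port_range
        # (proto, inside local ip, local port) -> global port
        self.inside_to_global: Dict[Tuple[str, str, int], int] = {}
        # (proto, global port) -> (inside local ip, local port)
        self.global_to_inside: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate_port(self, proto: str, wanted: int) -> int:
        """Prefer the host's own source port; fall back to the lowest free port."""
        if self.lo <= wanted <= self.hi and (proto, wanted) not in self.global_to_inside:
            return wanted
        for port in range(self.lo, self.hi + 1):
            if (proto, port) not in self.global_to_inside:
                return port
        raise RuntimeError(f"global port range exhausted for {proto}")

    def outbound(self, proto: str, local_ip: str, local_port: int) -> Tuple[str, int]:
        """Inside -> outside: translate the source; returns (global ip, global port)."""
        key = (proto, local_ip, local_port)
        if key not in self.inside_to_global:
            gport = self._allocate_port(proto, local_port)
            self.inside_to_global[key] = gport
            self.global_to_inside[(proto, gport)] = (local_ip, local_port)
        return self.global_ip, self.inside_to_global[key]

    def inbound(self, proto: str, global_port: int) -> Optional[Tuple[str, int]]:
        """Outside -> inside: map the destination port back to the host that owns it.
        None means no translation exists, so the packet has no inside destination."""
        return self.global_to_inside.get((proto, global_port))

    def clear(self, proto: str, local_ip: str, local_port: int) -> bool:
        """Remove one translation, as clear ip nat translation would; True if it existed."""
        gport = self.inside_to_global.pop((proto, local_ip, local_port), None)
        if gport is None:
            return False
        del self.global_to_inside[(proto, gport)]
        return True

    def active(self) -> int:
        return len(self.inside_to_global)


if __name__ == "__main__":
    t = OverloadTranslator("10.69.233.209")
    print(t.outbound("udp", "10.168.1.95", 1220))   # keeps port 1220
    print(t.outbound("udp", "10.168.1.89", 1220))   # same local port, gets a new global port
    print(t.inbound("udp", 1220), t.inbound("udp", 5000))
```

Two inside hosts using the same source port end up on different global ports, and the reverse map is what delivers the replies to the right host; a port only becomes reusable after its translation is cleared or times out.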

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat log

To define a set of log translations for Network Address Translation (NAT), use the ip nat log command in global configuration mode. To remove one or more translations from the log, use the no form of this command.

ip nat log translations syslog

no ip nat log translations syslog

Syntax Description

translations

Enables the NAT logging translations.

syslog

Enables the writing of NAT log to syslog.


Command Default

No pool of addresses is defined.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.4(2)T

This command was introduced.


Examples

The following example shows how to define a set of log translations.

Router(config)# ip nat log translations syslog

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

debug ip nat

Displays information about IP packets translated by NAT.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

show ip nat translations

Displays active NAT translations.


ip nat outside source

To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source command in global configuration mode. To remove the static entry or the dynamic association, use the no form of this command.

Dynamic NAT

ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route | mapping-id map-id | vrf name]

no ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route | mapping-id map-id | vrf name]

Static NAT

ip nat outside source static global-ip local-ip [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | vrf name]

no ip nat outside source static global-ip local-ip [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | vrf name]

Port Static NAT

ip nat outside source static {tcp | udp} global-ip global-port local-ip local-port [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | vrf name]

no ip nat outside source static {tcp | udp} global-ip global-port local-ip local-port [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | vrf name]

Network Static NAT

ip nat outside source static network global-network local-network mask [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | vrf name]

no ip nat outside source static network global-network local-network mask [add-route | extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | vrf name]

Syntax Description

list access-list-number

Number of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

list access-list-name

Name of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

route-map name

Specifies a named route map.

pool pool-name

Name of the pool from which global IP addresses are allocated.

mapping-id map-id

(Optional) Specifies whether the local Stateful NAT Translation (SNAT) router will distribute a particular set of locally created entries to a peer SNAT router.

vrf name

(Optional) Associates the NAT translation rule with a particular VPN.

add-route

(Optional) Adds a static route for the outside local address.

static global-ip

Sets up a single static translation. This argument establishes the globally unique IP address assigned to a host on the outside network by its owner. It was allocated from globally routable network space.

local-ip

Local IP address of an outside host as it appears to the inside network. The address was allocated from address space routable on the inside (RFC 1918, Address Allocation for Private Internets).

extendable

(Optional) Extends the translation.

no-alias

(Optional) Prohibits an alias from being created for the local address.

no-payload

(Optional) Prohibits the translation of embedded address or port in the payload.

redundancy group-name

(Optional) Enables the NAT redundancy operation.

tcp

Establishes the Transmission Control Protocol.

udp

Establishes the User Datagram Protocol.


Defaults

No translation of source addresses coming from the outside to the inside network occurs.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(4)T

This command was modified to include static translation with Hot Standby Routing Protocol (HSRP), and the redundancy group-name keyword and argument combination was added. This command was modified to enable the translation of the IP header address only, and the no-payload keyword was added.

12.2(13)T

The mapping-id map-id keyword and argument combination was added for dynamic translations. The vrf name keyword and argument combination was added.

12.3(7)T

The mapping-id map-id keyword and argument combination was added for static translations.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

You might have IP addresses that are not legal, officially assigned IP addresses. Perhaps you chose IP addresses that officially belong to another network. This situation, in which the same address is in use both inside your network and legitimately elsewhere, is called overlapping. You can use NAT to translate inside addresses that overlap with outside addresses. Use this command if the IP addresses in your stub network happen to be legitimate IP addresses belonging to another network, and you need to communicate with those hosts or routers.

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Alternatively, the syntax form with the static keyword establishes a single static translation.

Examples

The following example shows how to translate between inside hosts addressed from the 10.114.11.0 network to the globally unique 10.69.233.208/28 network. Further packets from outside hosts addressed from the 10.114.11.0 network (the true 10.114.11.0 network) are translated to appear to be from the 10.0.1.0/24 network.

ip nat pool net-208 10.69.233.208 10.69.233.223 prefix-length 28 
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat inside source list 1 pool net-208
ip nat outside source list 1 pool net-10
!
interface ethernet 0
 ip address 10.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 10.114.11.39 255.255.255.0
 ip nat inside
!
access-list 1 permit 10.114.11.0 0.0.0.255

The following example shows NAT configured on the Provider Edge (PE) router with a static route to the shared service for the gold and silver Virtual Private Networks (VPNs). NAT is configured as inside source static one-to-one translations.

ip nat pool outside 10.4.4.1 10.4.4.254 netmask 255.255.255.0
ip nat outside source list 1 pool mypool
access-list 1 permit 10.58.18.0 0.0.0.255
ip nat inside source static 192.168.121.33 10.2.2.1 vrf group1
ip nat inside source static 192.169.121.33 10.2.2.2 vrf group2

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat piggyback-support

To enable a NAT optimized SIP media path, use the ip nat piggyback-support command in global configuration mode. To disable a NAT optimized SIP media path, use the no form of this command.

ip nat piggyback-support sip-alg {sdp-only | all-messages} router router-id md5-authentication [md5-authentication-key]

no ip nat piggyback-support sip-alg {sdp-only | all-messages} router router-id md5-authentication [md5-authentication-key]

Syntax Description

sip-alg

Indicates Session Initiation Protocol (SIP) commands.

sdp-only

Establishes piggybacking in SDP only.

all-messages

Establishes piggybacking in all messages except SDP.

router router-id

Piggyback router ID number.

md5-authentication md5-authentication-key

(Optional) MD5 authentication key.


Command Default

No messages are defined.

Command Modes

Global configuration

Command History

Release
Modification

12.4(2)T

This command was introduced.

12.4(22)T

This command was integrated into Cisco IOS Release 12.4(22)T.


Examples

The following example shows how to enable a NAT optimized message including MD5 authentication.

Router(config)# ip nat piggyback-support sip-alg sdp-only router 100 md5-authentication md5-key
!

Related Commands

Command
Description

ip nat inside destination

Enables NAT of the inside destination address.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat pool

To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool command in global configuration mode. To remove one or more addresses from the pool, use the no form of this command.

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [add-route] [type {match-host | rotary}] [accounting list-name] [arp-ping]

no ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [add-route] [type {match-host | rotary}] [accounting list-name] [arp-ping]

Syntax Description

name

Name of the pool.

start-ip

Starting IP address that defines the range of addresses in the address pool.

end-ip

Ending IP address that defines the range of addresses in the address pool.

netmask netmask

Network mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. Specify the netmask of the network to which the pool addresses belong.

prefix-length prefix-length

Number that indicates how many bits of the netmask are ones (how many bits of the address indicate network). Specify the netmask of the network to which the pool addresses belong.

add-route

(Optional) Specifies that a route has been added to the NVI interface for the global address.

type

(Optional) Indicates the type of pool.

match-host

(Optional) Specifies that the host number is to remain the same after translation.

rotary

(Optional) Indicates that the range of addresses in the address pool identifies real, inside hosts among which TCP load distribution will occur.

accounting list-name

(Optional) Indicates the RADIUS profile name that matches the RADIUS configuration in the router.

arp-ping

(Optional) Determines static IP client instances and restarts the NAT entry timer.


Defaults

No pool of addresses is defined.

Command Modes

Global configuration (config)

Command History

Release
Modification

11.2

This command was introduced.

12.3(2)XE

The accounting keyword and list-name argument were added.

12.3(7)T

This command was integrated into Cisco IOS Release 12.3(7)T.

12.3(14)T

The add-route keyword was added.

12.4(6)T

The arp-ping keyword was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

This command defines a pool of addresses using start address, end address, and either netmask or prefix length. The pool could define an inside global pool, an outside local pool, or a rotary pool.

Examples

The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 10.69.233.208/28 network:

ip nat pool net-208 10.69.233.208 10.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 10.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

The following example shows that a route has been added to the NVI interface for the global address:

ip nat pool NAT 192.168.25.20 192.168.25.30 netmask 255.255.255.0 add-route
ip nat source list 1 pool NAT vrf group1 overload
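The following Python script is an added example, not part of this command reference. It parses ip nat pool lines and applies the checks implied by the syntax above: start-ip must not exceed end-ip, both addresses must fall inside the network given by netmask or prefix-length, and two pools must not hand out the same global addresses. The sample configuration is constructed; the pools bad-range and dup-208 are assumed, deliberately broken entries.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the pools shown on this page plus two deliberately broken ones.
SAMPLE_CONFIG = """\
ip nat pool net-208 10.69.233.208 10.69.233.223 prefix-length 28
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat pool NAT 192.168.25.20 192.168.25.30 netmask 255.255.255.0 add-route
ip nat pool bad-range 10.4.4.1 4.4.4.254 netmask 255.255.255.0
ip nat pool dup-208 10.69.233.216 10.69.233.230 prefix-length 28
"""

# name start-ip end-ip {netmask M | prefix-length N} [options...]
POOL_RE = re.compile(
    r"^ip nat pool (?P<name>\S+) (?P<start>\S+) (?P<end>\S+) "
    r"(?:netmask (?P<netmask>\S+)|prefix-length (?P<plen>\d+))(?P<opts>.*)$"
)


@dataclass
class NatPool:
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    network: ipaddress.IPv4Network   # network the pool addresses are declared to belong to
    options: List[str]

    @property
    def size(self) -> int:
        return int(self.end) - int(self.start) + 1


def parse_pool(line: str) -> NatPool:
    m = POOL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ip nat pool line: {line!r}")
    start = ipaddress.IPv4Address(m["start"])
    end = ipaddress.IPv4Address(m["end"])
    mask = m["netmask"] if m["netmask"] else int(m["plen"])
    # strict=False derives the network from start-ip with the host bits cleared.
    network = ipaddress.IPv4Network((start, mask), strict=False)
    return NatPool(m["name"], start, end, network, m["opts"].split())


def check_pool(pool: NatPool) -> List[str]:
    """Problems with one pool; an empty list means it is well formed."""
    problems = []
    if pool.end < pool.start:
        problems.append("end-ip precedes start-ip")
    for label, addr in (("start-ip", pool.start), ("end-ip", pool.end)):
        if addr not in pool.network:
            problems.append(f"{label} {addr} lies outside {pool.network}")
    return problems


def overlapping_pools(pools: List[NatPool]) -> List[Tuple[str, str]]:
    """Pairs of pools whose ranges intersect: the same global address could be handed out twice."""
    hits = []
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.start <= b.end and b.start <= a.end:
                hits.append((a.name, b.name))
    return hits


def audit(config_text: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    pools = [parse_pool(line) for line in config_text.splitlines()
             if line.startswith("ip nat pool ")]
    return {p.name: check_pool(p) for p in pools}, overlapping_pools(pools)


if __name__ == "__main__":
    report, overlaps = audit(SAMPLE_CONFIG)
    for name, problems in report.items():
        print(name, "OK" if not problems else "; ".join(problems))
    print("overlapping pools:", overlaps)
```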

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

debug ip nat

Displays information about IP packets translated by NAT.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat service

To specify a port other than the default port, use the ip nat service command in global configuration mode. To disable the port, use the no form of this command.

ip nat service {H225 | allow-h323-even-rtp-ports | allow-h323-keepalive | allow-sip-even-rtp-ports | allow-skinny-even-rtp-ports | fullrange {tcp | udp} port port-number | list {access-list-number | access-list-name} {ESP spi-match | IKE preserve-port | ftp tcp port port-number} | mgcp | nbar | ras | rtsp | sip {tcp | udp} port port-number | skinny tcp port port-number | allow-multipart}

no ip nat service {H225 | allow-h323-even-rtp-ports | allow-h323-keepalive | allow-sip-even-rtp-ports | allow-skinny-even-rtp-ports | fullrange {tcp | udp} port port-number | list {access-list-number | access-list-name} {ESP spi-match | IKE preserve-port | ftp tcp port port-number} | mgcp | nbar | ras | rtsp | sip {tcp | udp} port port-number | skinny tcp port port-number | allow-multipart}

Syntax Description

H225

H323-H225 protocol.

allow-h323-even-rtp-ports

Even numbered RTP ports for the H323 protocol.

allow-h323-keepalive

H323 KeepAlive.

allow-sip-even-rtp-ports

Even numbered RTP ports for the Session Initiation Protocol (SIP).

allow-skinny-even-rtp-ports

Even numbered RTP ports for the skinny protocol.

fullrange

All available ports. The range is from 1 to 65535.

list access-list-number

Standard access list number in the range from 1 to 199.

access-list-name

Name of a standard IP access list.

ESP

Security Parameter Index (SPI) matching IPsec pass-through.

spi-match

SPI matching IPsec pass-through. The ESP endpoints must also have SPI matching enabled.

IKE

Preserve Internet Key Exchange (IKE) port, as required by some IPsec servers.

preserve-port

Preserve User Datagram Protocol (UDP) port in IKE packets.

ftp

FTP protocol.

tcp

TCP protocol.

udp

User Datagram Protocol.

port port-number

Port other than the default port in the range from 1 to 65533.

mgcp

Media gateway control protocol.

nbar

Network-Based Application Recognition.

ras

H323-RAS protocol.

rtsp

Real Time Streaming Protocol. This protocol is enabled by default on port 554 and requires NBAR.

sip

SIP protocol.

skinny

Skinny protocol.

allow-multipart

SIP multipart processing.


Command Default

RTSP is enabled and requires NBAR
H323 even numbered RTP port allocation is enabled
NAT support for SIP is enabled
SIP even numbered RTP port allocation is enabled
Skinny even numbered RTP port allocation is enabled
Allow-multipart is disabled by default

Command Modes

Global configuration (config)

Command History

Release
Modification

11.3

This command was introduced.

12.1(5)T

The skinny keyword was added.

12.2(8)T

The sip keyword was added.

12.2(15)T

The ESP and spi-match keywords were added to enable SPI matching on outside IPsec gateways. The ike and preserve-port keywords were added to enable outside IPsec gateways that require IKE source port 500.

12.3(7)T

The rtsp and mgcp keywords were added.

12.3(11)T

The allow-sip-even-rtp-ports keyword was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4

The nbar keyword was added.

15.0(1)M

The allow-multipart keyword was added.


Usage Guidelines

A host with an FTP server using a port other than the default port can have an FTP client using the default FTP control port. When a port other than the default port is configured for an FTP server, Network Address Translation (NAT) prevents FTP control sessions that are using port 21 for that particular server. If an FTP server uses the default port and a port other than the default port, both ports need to be configured using the ip nat service command.

NAT listens on the default port of the Cisco CallManager to translate the skinny messages. If the CallManager uses a port other than the default port, that port needs to be configured using the ip nat service command.

Use the no ip nat service H225 command to disable support of H.225 packets by NAT.

Use the no ip nat service allow-h323-even-rtp-ports command to force odd numbered RTP port allocation for H323.

Use the no ip nat service allow-sip-even-rtp-ports command to force odd numbered RTP port allocation for SIP.

Use the no ip nat service allow-skinny-even-rtp-ports command to force odd numbered RTP port allocation for the skinny protocol.

Use the no ip nat service rtsp command to disable support of RTSP packets by NAT. RTSP uses port 554.

Use the ip nat service allow-multipart command to enable the processing of SIP multipart Session Description Protocol (SDP) packets.

A NAT-enabled Cisco device that is running Cisco IOS Release 12.3(7)T or a later release may experience an increase in CPU usage when upgrading from a previous release. RTSP and MGCP NAT ALG support was added in Release 12.3(7)T, which requires NBAR. You can use the no ip nat service nbar command to disable NBAR processing, which can decrease the CPU utilization rate.

Examples

The following example configures the nonstandard port 2021:

ip nat service list 10 ftp tcp port 2021
access-list 10 permit 10.1.1.1

The following example configures the standard FTP port 21 and the nonstandard port 2021:

ip nat service list 10 ftp tcp port 21
ip nat service list 10 ftp tcp port 2021
access-list 10 permit 10.1.1.1

The following example configures the 20002 port of the CallManager:

ip nat service skinny tcp port 20002

The following example configures TCP port 500 of the third-party concentrator:

ip nat service list 10 IKE preserve-port

The following example configures SPI matching on the endpoint routers:

ip nat service list 10 ESP spi-match

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat service enable-sym-port

To enable the endpoint agnostic port allocation, use the ip nat service enable-sym-port command in global configuration mode. To disable the endpoint agnostic port allocation, use the no form of this command.

ip nat service enable-sym-port

no ip nat service enable-sym-port

Syntax Description

This command has no arguments or keywords.

Command Default

If you do not issue this command, the endpoint agnostic port allocation is disabled.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.4(24)T

This command was introduced.


Usage Guidelines

Use the ip nat service enable-sym-port command to enable the endpoint agnostic port allocation, which is also known as symmetric port allocation.


Note Use this command before you enable Network Address Translation (NAT). If you enable the symmetric port database after creating entries in the NAT database, then corresponding entries are not added to the symmetric port database.


Examples

In the following example, an access list is created and the inside source address is translated using NAT. The endpoint agnostic port allocation is enabled after the inside source address is translated.

Router(config)# interface Ethernet 0/0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# access-list 1 permit 172.18.192.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface Ethernet 0/0
Router(config)# ip nat service enable-sym-port
Router(config)# end

The following output shows the entries made to the Symmetric Port (Sym Port) table and sample Symmetric DB (Sym DB) debug messages, both when the command has been issued and when it has not been entered:

NAT Symmetric Port Database: 1 entries 
public ipaddr:port [tableid] | port# [refcount][syscount] | localaddr:localport [flags] 
172.18.192.69:1024 [0] | 1025 [1] [0] | 172.18.192.69:1024 [0] 

Sample SymPort Debugs: 
If SymDB is not enabled or initiated:  
NAT-SymDB: DB is either not enabled or not initiated. 
If an entry needs to be inserted into SymDB: 
NAT-SymDB: insert 172.18.192.69 1024 0 
172.18.192.69 is the local address, 1024 is the local port, and 0 is the tableid 
If SymDB lookup found an entry: 
NAT-SymDB: [0] Entry was found for 172.18.192.69 -> 10.10.10.1: wanted 1024 got 1025 
172.18.192.69 is the local address, 10.10.10.1 is the global address, 1024 is the 
requested port, and 1025 is the allocated port 
If entry was deleted from SymDB: 
NAT-SymDB: deleting entry 172.18.192.69:1024 
172.18.192.69 is the local address, 1024 is the local port.
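The following Python script is an added example, not part of this command reference. It parses the NAT-SymDB debug formats shown above into events, then replays a transcript to report which local address:port entries are still live, which allocations could not preserve the requested port (wanted differs from got), and how often the database was not ready. The transcript is constructed from the page's sample messages plus one extra "Entry was found" line.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed transcript: the NAT-SymDB message formats shown above, plus one extra
# "Entry was found" line in which the requested port was preserved.
SAMPLE_DEBUG = """\
NAT-SymDB: DB is either not enabled or not initiated.
NAT-SymDB: insert 172.18.192.69 1024 0
NAT-SymDB: [0] Entry was found for 172.18.192.69 -> 10.10.10.1: wanted 1024 got 1025
NAT-SymDB: [0] Entry was found for 172.18.192.70 -> 10.10.10.1: wanted 2000 got 2000
NAT-SymDB: deleting entry 172.18.192.69:1024
"""

PATTERNS = {
    "not_ready": re.compile(r"^NAT-SymDB: DB is either not enabled or not initiated\.$"),
    "insert": re.compile(r"^NAT-SymDB: insert (?P<local>\S+) (?P<lport>\d+) (?P<tableid>\d+)$"),
    "found": re.compile(
        r"^NAT-SymDB: \[(?P<tableid>\d+)\] Entry was found for (?P<local>\S+) -> "
        r"(?P<global>\S+): wanted (?P<wanted>\d+) got (?P<got>\d+)$"),
    "delete": re.compile(r"^NAT-SymDB: deleting entry (?P<local>\S+):(?P<lport>\d+)$"),
}


def parse_symdb_line(line: str) -> Optional[Dict]:
    """Return {"kind": ..., fields...} for a NAT-SymDB line, or None if it is not one."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            ev: Dict = {"kind": kind}
            for key, val in m.groupdict().items():
                ev[key] = int(val) if val.isdigit() else val   # ports and tableid as ints
            return ev
    return None


def summarize(debug_text: str) -> Dict:
    """Replay a transcript: live entries, port remaps, DB-not-ready count, unparsed lines."""
    live: Dict[Tuple[str, int], int] = {}        # (local addr, local port) -> tableid
    remapped: List[Tuple[str, str, int, int]] = []
    not_ready = 0
    unparsed: List[str] = []
    for line in debug_text.splitlines():
        ev = parse_symdb_line(line)
        if ev is None:
            if line.strip():
                unparsed.append(line)
            continue
        if ev["kind"] == "not_ready":
            not_ready += 1
        elif ev["kind"] == "insert":
            live[(ev["local"], ev["lport"])] = ev["tableid"]
        elif ev["kind"] == "found" and ev["wanted"] != ev["got"]:
            # The requested port could not be preserved: NAT allocated a different global port.
            remapped.append((ev["local"], ev["global"], ev["wanted"], ev["got"]))
        elif ev["kind"] == "delete":
            live.pop((ev["local"], ev["lport"]), None)
    return {"live": live, "remapped": remapped, "not_ready": not_ready, "unparsed": unparsed}


if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG))
```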

Related Commands

Command
Description

show ip nat translations

Displays the list of translations entries.

show ip nat statistics

Displays the entries in the symmetric port database


ip nat sip-sbc

To configure a Cisco IOS hosted Network Address Translation (NAT) traversal for Session Border Controller (SBC), use the ip nat sip-sbc command in global configuration mode. To disable the Cisco IOS hosted NAT traversal for SBC, use the no form of this command.

ip nat sip-sbc proxy inside-address inside-port outside-address outside-port {tcp | udp} [call-id-pool pool-name] [override {address | none | port}] [mode allow-flow-around] [mode allow-flow-through pool-name] [session-timeout {seconds | nat-default}] [registration-throttle inside-timeout seconds outside-timeout seconds] [vrf-list vrf-name vrf-name | no | exit]

no ip nat sip-sbc proxy inside-address inside-port outside-address outside-port {tcp | udp} [call-id-pool pool-name] [override {address | none | port}] [mode allow-flow-around] [mode allow-flow-through pool-name] [session-timeout {seconds | nat-default}] [registration-throttle inside-timeout seconds outside-timeout seconds] [vrf-list vrf-name vrf-name | no | exit]

Syntax Description

proxy

Configures the proxy address and port that the inside phones point to, and the outside proxy's address and port to which the NAT SBC translates the destination IP address and port.

inside-address

Sets the Proxy's private IP address, which is configured on the inside phones.

inside-port

Sets the Proxy's private port.

outside-address

Sets the proxy's public IP address, that is, the actual proxy address to which the NAT SBC changes the destination address.

outside-port

Sets the Proxy's port.

tcp

Establishes the Transmission Control Protocol.

udp

Establishes the User Datagram Protocol.

call-id-pool pool-name

(Optional) Specifies a dummy pool name from which the inside to outside SIP signaling packets' call ID is translated to a 1:1 maintained association rather than using the regular NAT pool.

override address

(Optional) Specifies the default override address mode.

override none

(Optional) Specifies that no override will be configured.

override port

(Optional) Specifies override port mode.

mode allow-flow-around

(Optional) Configures Real-Time Transport Protocol (RTP) for flow around for traffic between phones in the inside domain.

mode allow-flow-through pool-name

(Optional) Configures Real-Time Transport Protocol (RTP) for flow through for traffic between phones in the inside domain.

session-timeout seconds

(Optional) Configures the timeout duration for NAT entries pertaining to SIP signaling flows.

session-timeout nat-default

(Optional) Allows the default timeout to return to the NAT default timeout value of 5 minutes.

none

(Optional) Prevents modification of the out > in destination L3/L4 to the L3/L4 as saved in the sbc_appl_data of the door or NAT entry.

vrf-list vrf-name

(Optional) Defines SIP SBC VPN Routing and Forwarding (VRF) list names.

no

(Optional) Removes a name from the VRF list.

registration-throttle

(Optional) Defines the registration throttling parameter.

inside-timeout seconds

Timeout in seconds in the range of 1-536870.

outside-timeout seconds

Timeout in seconds in the range of 1-536870.

exit

(Required) Exit from SBC VRF configuration mode.


Command Default

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.4(9)T

This command was introduced.

12.4(15)T

The allow-flow-through and registration-throttle subcommands were added.


Usage Guidelines

The proxy keyword configures the proxy address and port that the inside phones point to, and the outside proxy's address and port to which the NAT SBC translates the destination IP address and port. This keyword installs an outside static port half-entry with OL as the inside address and port and OG as the outside address and port.

The mode allow-flow-around keyword enables the RTP to be flow around. This keyword is only applicable for traffic between phones in the inside domain.

The optional vrf-list keyword must be followed by a list of VRF names. After the outside static port entry is created, a static route is installed with the destination IP address as OL and the next hop as OG. The NAT entry created is associated with the appropriate VRFs as configured by this command.

Examples

The following example shows how to configure a Cisco IOS hosted NAT traversal for SBC:

interface ethernet1/1
 ip nat inside
 ip vrf forwarding A
!
interface ethernet1/2
 ip nat inside
 ip vrf forwarding B
!
interface ethernet1/3
 ip nat outside
!
ip nat pool call-id-pool 1.1.1.1 1.1.1.100 prefix-length 24
ip nat pool outside-pool 2.2.2.1 2.2.2.10 prefix-length 24
ip nat pool inside-pool-A 169.1.1.1 169.1.1.10 prefix-length 24
ip nat pool inside-pool-B 170.1.1.1 170.1.1.10 prefix-length 24
ip nat inside source list 1 pool inside-pool-A vrf A overload
ip nat inside source list 2 pool inside-pool-B vrf B overload
ip nat outside source list 3 pool outside-pool
ip nat inside source list 4 pool call-id-pool
!
! access-list for VRF-A inside-phones
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2 permit 172.1.1.0 0.0.0.255
!
! access-list for call-id-pool
access-list 4 permit 10.1.1.0 0.0.0.255
access-list 4 permit 20.1.1.0 0.0.0.255
!
ip nat sip-sbc
 proxy 200.1.1.1 5060 192.1.1.1 5060 protocol udp
 vrf-list
  vrf-name A
  vrf-name B
 call-id-pool call-id-pool
 session-timeout 300

 mode allow-flow-around
 override address

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

debug ip nat

Displays information about IP packets translated by NAT.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat source

To enable Network Address Translation (NAT) on a virtual interface without inside or outside specification, use the ip nat source command in global configuration mode.

Dynamic NAT

ip nat source {list {access-list-number | access-list-name} interface type number | pool name} [overload | vrf name]

no ip nat source {list {access-list-number | access-list-name} interface type number | pool name} [overload | vrf name]

Static NAT

ip nat source {static {esp local-ip interface type number | local-ip global-ip}} [extendable | no-alias | no-payload | vrf name]

no ip nat source {static {esp local-ip interface type number | local-ip global-ip}} [extendable | no-alias | no-payload | vrf name]

Port Static NAT

ip nat source {static {tcp | udp {local-ip local-port global-ip global-port | interface type number global-port}} [extendable | no-alias | no-payload | vrf name]

no ip nat source {static {tcp | udp {local-ip local-port global-ip global-port | interface type number global-port}} [extendable | no-alias | no-payload | vrf name]

Network Static NAT

ip nat source static network local-network global-network mask [extendable | no-alias | no-payload | vrf name]

no ip nat source static network local-network global-network mask [extendable | no-alias | no-payload | vrf name]

Syntax Description

list access-list-number

Number of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

list access-list-name

Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

interface type

Specifies the interface type for the global address.

interface number

Specifies the interface number for the global address.

pool name

Name of the pool from which global IP addresses are allocated dynamically.

overload

(Optional) Enables the router to use one global address for many local addresses. When overloading is configured, the TCP or User Datagram Protocol (UDP) port number of each inside host distinguishes between the multiple conversations using the same local IP address.

vrf name

(Optional) Associates the NAT translation rule with a particular VPN routing and forwarding (VRF) instance.

static local-ip

Sets up a single static translation. The local-ip argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918 private address space, or obsolete.

local-port

Sets the local TCP/UDP port in a range from 1 to 65535.

static global-ip

Sets up a single static translation. The global-ip argument establishes the globally unique IP address of an inside host as it appears to the outside network.

global-port

Sets the global TCP/UDP port in the range from 1 to 65535.

extendable

(Optional) Extends the translation.

no-alias

(Optional) Prohibits an alias from being created for the global address.

no-payload

(Optional) Prohibits the translation of an embedded address or port in the payload.

esp local-ip

Establishes IPSec-ESP (tunnel mode) support.

tcp

Establishes the Transmission Control Protocol.

udp

Establishes the User Datagram Protocol.

network local-network

Specifies the local subnet translation.

global-network

Specifies the global subnet translation.

mask

Establishes the IP network mask to be used with subnet translations.


Command Modes

Global Configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Examples

The following example shows how to configure a virtual interface without inside or outside specification for the global address:

ip nat source list 1 pool NAT vrf bank overload
ip nat source list 1 pool NAT vrf park overload
ip nat source static 192.168.123.1 192.168.125.10 vrf services

Related Commands

Command
Description

ip nat enable

Configures an interface connecting VPNs and the Internet for NAT translation.

ip nat pool

Defines a pool of IP addresses for Network Address Translation.


ip nat stateful id

To designate the members of a translation group, use the ip nat stateful id command in global configuration mode. To disable the members of a translation group or reset default values, use the no form of this command.

ip nat stateful id id-number {redundancy name mapping-id map-number [protocol {tcp | udp}] [as-queuing {disable | enable}] | {primary ip-address-primary backup ip-address-backup peer ip-address-peer mapping-id mapping-id-number}

no ip nat stateful id id-number

Syntax Description

id-number

Unique number given to each router in the stateful translation group.

redundancy name

Establishes Hot Standby Routing Protocol (HSRP) as the method of redundancy.

mapping-id map-number

Specifies whether or not the local Stateful NAT (SNAT) router will distribute a particular set of locally created entries to a peer SNAT router.

protocol

(Optional) Enables the HSRP UDP default to be changed to TCP.

tcp

(Optional) Establishes the Transmission Control Protocol.

udp

(Optional) Establishes the User Datagram Protocol.

as-queuing

(Optional) Controls whether queuing during asymmetric routing is enabled or disabled in HSRP mode.

disable

(Optional) Disables asymmetric routing during queuing in HSRP mode.

enable

(Optional) Enables asymmetric routing during queuing in HSRP mode.

primary ip-address-primary

Manually establishes redundancy for the primary router.

backup ip-address-backup

Manually establishes redundancy for the backup router.

peer ip-address-peer

Specifies the IP address of the peer router in the translation group.


Command Modes

Global configuration

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.4(3)

The protocol and as-queuing keywords were added.

12.4(4)T

This command was integrated into Cisco IOS Release 12.4(4)T.


Usage Guidelines

This command has two forms: HSRP stateful NAT and manual stateful NAT. The form that uses the keyword redundancy establishes the HSRP redundancy method. When HSRP mode is set, the primary and backup NAT routers are elected according to the HSRP standby state. To enable stateful NAT manually, configure the primary router and backup router.

In HSRP mode, the default TCP can be changed to UDP by using the optional protocol udp keywords with the redundancy keyword.

To disable the queuing during asymmetric routing in HSRP mode, use the optional as-queuing disable keywords with the redundancy keyword.

Examples

The following example shows how to configure SNAT with HSRP:

!
standby delay minimum 30 reload 60
standby 1 ip 10.1.1.1 
standby 1 name SNATHSRP
standby 1 preempt delay minimum 60 reload 60 sync 60
!
ip nat stateful id 1
redundancy SNATHSRP
mapping-id 10
as-queuing disable
protocol udp
ip nat pool SNATPOOL1 10.1.1.1 10.1.1.9 prefix-length 24
ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload
ip classless
ip route 10.1.1.0 255.255.255.0 Null0
no ip http server
ip pim bidir-enable

The following example shows how to manually configure SNAT:

ip nat stateful id 1
primary 10.88.194.17
peer 10.88.194.18
mapping-id 10

ip nat stateful id 2
backup 10.88.194.18
peer 10.88.194.17
mapping-id 10

Related Commands

Command
Description

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat translation

The ip nat translation command is replaced by the ip nat translation (timeout) and ip nat translation max-entries commands. See these commands for more information.

ip nat translation (timeout)

To change the amount of time after which Network Address Translation (NAT) translations time out, use the ip nat translation command in global configuration mode. To disable the timeout, use the no form of this command.

ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | pptp-timeout | syn-timeout | port-timeout | arp-ping-timeout} {seconds | never}

no ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | pptp-timeout | syn-timeout | port-timeout | arp-ping-timeout}

Syntax Description

timeout

Specifies that the timeout value applies to dynamic translations except for overload translations. Default is 86,400 seconds (24 hours).

udp-timeout

Specifies that the timeout value applies to the User Datagram Protocol (UDP) port. Default is 300 seconds (5 minutes).

dns-timeout

Specifies that the timeout value applies to connections to the Domain Name System (DNS). Default is 60 seconds.

tcp-timeout

Specifies that the timeout value applies to the TCP port. Default is 86,400 seconds (24 hours).

finrst-timeout

Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. Default is 60 seconds.

icmp-timeout

Specifies the timeout value for Internet Control Message Protocol (ICMP) flows. Default is 60 seconds.

pptp-timeout

Specifies the timeout value for NAT Point-to-Point Tunneling Protocol (PPTP) flows. Default is 86,400 seconds (24 hours).

syn-timeout

Specifies the timeout value for TCP flows immediately after a TCP synchronize (SYN) segment, that is, while the connection is still being established. The default is 60 seconds.

port-timeout

Specifies that the timeout value applies to the TCP/UDP port.

arp-ping-timeout

Specifies that the timeout value applies to the ARP ping.

seconds

Number of seconds after which the specified port translation times out. The default is 0.

never

Specifies that the port translation never times out.


Defaults

timeout: 86,400 seconds (24 hours)
udp-timeout: 300 seconds (5 minutes)
dns-timeout: 60 seconds (1 minute)
tcp-timeout: 86,400 seconds (24 hours)
finrst-timeout: 60 seconds (1 minute)
icmp-timeout: 60 seconds (1 minute)
pptp-timeout: 86,400 seconds (24 hours)
syn-timeout: 60 seconds (1 minute)
seconds: 0 (never)

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.3(4)T

The timeout functions of the ip nat translation command were documented under the command name ip nat translation (timeout).

12.4(6)T

The arp-ping-timeout keyword was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

When port translation is configured, each entry contains more context about the traffic that is using it, which gives you finer control over translation entry timeouts. Non-DNS UDP translations time out after 5 minutes, and DNS times out in 1 minute. TCP translations time out in 24 hours, unless an RST or FIN bit is seen on the stream, in which case they will time out in 1 minute.

Examples

The following example configures the router to cause UDP port translation entries to time out after 10 minutes (600 seconds):

ip nat translation udp-timeout 600

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

ip nat translation max-entries

Limits the maximum number of NAT entries.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


ip nat translation max-entries

To limit the size of a Network Address Translation (NAT) table to a specified maximum, use the ip nat translation max-entries command in global configuration mode. To remove a specified limit, use the no form of this command.

ip nat translation max-entries {number | all-host number | all-vrf number | host ip-address number | list {listname | number} | vrf name number}

no ip nat translation max-entries {number | all-host number | all-vrf number | host ip-address number | list {listname | number} | vrf name number}

Syntax Description

number

Maximum number of allowed NAT entries. Range is from 1 to 2147483647.

all-host

Constrains each host by the specified number of NAT entries.

all-vrf

Constrains each VPN routing and forwarding (VRF) instance by the specified NAT limit.

host

Constrains an IP address by the specified NAT limit.

ip-address

The IP address subject to the NAT limit.

list

Constrains an access control list (ACL) by the specified NAT limit.

listname

The ACL name subject to the NAT limit.

vrf

Constrains an individual VRF instance by the specified NAT limit.

name

The name of the VRF instance subject to the NAT limit.


Defaults

No maximum size is specified for the NAT table.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

Before you configure a NAT rate limit, you should first classify current NAT usage and determine the sources of requests for NAT translations. If a specific host, access control list, or VRF instance is generating an unexpectedly high number of NAT requests, it may be the source of a malicious virus or worm attack.

Once you have identified the source of excess NAT requests, you can set a NAT rate limit that constrains a specific host, access control list, or VRF instance, or you can set a general limit for the maximum number of NAT requests allowed regardless of their source.


Note When using the no form of ip nat translation max-entries, you must specify the type of NAT rate limit you wish to remove and its current value. For more information about how to display current NAT rate limit settings, refer to the show ip nat statistics command.


Examples

The following examples show how to configure NAT translation rate limiting.

Setting a General NAT Limit

The following example shows how to limit the maximum number of allowed NAT entries to 300:

ip nat translation max-entries 300

Setting NAT Limits for VRF Instances

The following example shows how to limit each VRF instance to 200 NAT entries:

ip nat translation max-entries all-vrf 200

The following example shows how to limit the VRF instance named vrf1 to 150 NAT entries:

ip nat translation max-entries vrf vrf1 150

The following example shows how to limit the VRF instance named vrf2 to 225 NAT entries, but limit all other VRF instances to 100 NAT entries each:

ip nat translation max-entries all-vrf 100
ip nat translation max-entries vrf vrf2 225

Setting NAT Limits for Access Control Lists

The following example shows how to limit the access control list named vrf3 to 100 NAT entries:

ip nat translation max-entries list vrf3 100

Setting NAT Limits for an IP Address

The following example shows how to limit the host at IP address 10.0.0.1 to 300 NAT entries:

ip nat translation max-entries host 10.0.0.1 300
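The usage guidelines above say to classify current NAT usage and find the hosts generating an unexpected number of translations before setting a limit. The following added example (not part of the Cisco reference) parses `show ip nat translations` output, counts entries per inside-local host, summarizes the outside ports each host is reaching, and emits the per-host `ip nat translation max-entries host` commands for hosts over a threshold; the sample output, threshold and limit values are constructed assumptions.

```python
# Added example, not part of the Cisco command reference: parse the output of
# `show ip nat translations`, count entries per inside-local host, and emit
# `ip nat translation max-entries host ...` limits for hosts whose entry count
# is unexpectedly high (the "classify current NAT usage" step described above).
import re
from collections import Counter

# Protocol column values the reference documents ("---" = no port information).
PROTOCOLS = {"udp", "tcp", "icmp", "esp", "pptp", "---"}
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Constructed sample in the `show ip nat translations` layout (not real output).
SAMPLE_OUTPUT = """\
Router# show ip nat translations
Pro Inside global        Inside local       Outside local      Outside global
udp 10.69.233.209:1220  192.168.1.95:1220  172.16.2.132:53    172.16.2.132:53
tcp 10.69.233.209:11012 192.168.1.89:11012 172.16.1.220:23    172.16.1.220:23
tcp 10.69.233.209:1067  192.168.1.95:1067  172.16.1.161:23    172.16.1.161:23
tcp 10.69.233.209:1068  192.168.1.95:1068  172.16.1.162:445   172.16.1.162:445
tcp 10.69.233.209:1069  192.168.1.95:1069  172.16.1.163:445   172.16.1.163:445
tcp 10.69.233.209:1070  192.168.1.95:1070  172.16.1.164:445   172.16.1.164:445
--- 10.69.233.210       192.168.1.77       ---                ---
"""


def split_addr(field):
    """Split 'ip:port' into (ip, port); '---' means the column is empty."""
    if field == "---":
        return None, None
    ip, sep, port = field.rpartition(":")
    return (ip, port) if sep else (field, None)


def parse_translations(text):
    """Return one dict per translation line; the header and prompt are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group(1) not in PROTOCOLS:
            continue
        pro, ig, il, ol, og = m.groups()
        entries.append({
            "pro": pro,
            "inside_global": split_addr(ig),
            "inside_local": split_addr(il),
            "outside_local": split_addr(ol),
            "outside_global": split_addr(og),
        })
    return entries


def entries_per_inside_host(entries):
    """Count translations per inside-local IP address."""
    return Counter(e["inside_local"][0] for e in entries)


def outside_ports_for_host(entries, host):
    """Outside-global ports reached by one inside host; many entries to one
    port across many outside hosts is the pattern worth a closer look."""
    return Counter(e["outside_global"][1] for e in entries
                   if e["inside_local"][0] == host and e["outside_global"][1])


def suggest_host_limits(entries, threshold, limit):
    """Per-host max-entries commands for hosts holding more than `threshold`
    translations. `threshold` and `limit` are site-specific assumptions."""
    counts = entries_per_inside_host(entries)
    return [f"ip nat translation max-entries host {host} {limit}"
            for host, n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE_OUTPUT)
    for host, n in entries_per_inside_host(parsed).most_common():
        ports = dict(outside_ports_for_host(parsed, host))
        print(f"{host:16} {n:4} entries  outside ports={ports}")
    for cmd in suggest_host_limits(parsed, threshold=3, limit=50):
        print(cmd)
```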

Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

ip nat translation (timeout)

Changes the NAT timeout value.

show ip nat statistics

Displays NAT statistics.

show ip nat translations

Displays active NAT translations.


show ip nat nvi statistics

To display NAT virtual interface (NVI) statistics, use the show ip nat nvi statistics command in user EXEC or privileged EXEC mode.

show ip nat nvi statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release
Modification

12.3(14)T

This command was introduced.


Examples

The following is sample output from the show ip nat nvi statistics command:

Router# show ip nat nvi statistics

Total active translations: 0 (0 static, 0 dynamic; 0 extended)
NAT Enabled interfaces:
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool pool1 refcount 1213
 pool pool1: netmask 255.255.255.0
         start 192.168.1.10 end 192.168.1.253
         start 192.168.2.10 end 192.168.2.253
         start 192.168.3.10 end 192.168.3.253
         start 192.168.4.10 end 192.168.4.253
         type generic, total addresses 976, allocated 222 (22%), misses 0
[Id: 2] access-list 5 pool pool2 refcount 0
 pool pool2: netmask 255.255.255.0
         start 192.168.5.2 end 192.168.5.254
         type generic, total addresses 253, allocated 0 (0%), misses 0
[Id: 3] access-list 6 pool pool3 refcount 3
 pool pool3: netmask 255.255.255.0
         start 192.168.6.2 end 192.168.6.254
         type generic, total addresses 253, allocated 2 (0%), misses 0
[Id: 4] access-list 7 pool pool4 refcount 0
 pool pool4 netmask 255.255.255.0
         start 192.168.7.30 end 192.168.7.200
         type generic, total addresses 171, allocated 0 (0%), misses 0
[Id: 5] access-list 8 pool pool5 refcount 109195
 pool pool5: netmask 255.255.255.0
         start 192.168.10.1 end 192.168.10.253
         start 192.168.11.1 end 192.168.11.253
         start 192.168.12.1 end 192.168.12.253
         start 192.168.13.1 end 192.168.13.253
         start 192.168.14.1 end 192.168.14.253
         start 192.168.15.1 end 192.168.15.253
         start 192.168.16.1 end 192.168.16.253
         start 192.168.17.1 end 192.168.17.253
         start 192.168.18.1 end 192.168.18.253
         start 192.168.19.1 end 192.168.19.253
         start 192.168.20.1 end 192.168.20.253
         start 192.168.21.1 end 192.168.21.253
         start 192.168.22.1 end 192.168.22.253
         start 192.168.23.1 end 192.168.23.253
         start 192.168.24.1 end 192.168.24.253
         start 192.168.25.1 end 192.168.25.253
         start 192.168.26.1 end 192.168.26.253
         type generic, total addresses 4301, allocated 3707 (86%), misses 0
Queued Packets: 0

Table 36 describes the fields shown in the display.

Table 36 show ip nat nvi statistics Field Descriptions 

Field
Description

Total active translations

Number of translations active in the system. This number is incremented each time a translation is created and is decremented each time a translation is cleared or timed out.

NAT enabled interfaces

List of interfaces marked as NAT enabled with the ip nat enable command.

Hits

Number of times the software does a translations table lookup and finds an entry.

Misses

Number of times the software does a translations table lookup, fails to find an entry, and must try to create one.

CEF Translated packets

Number of packets switched via Cisco Express Forwarding (CEF).

CEF Punted packets

Number of packets punted to the process switched level.

Expired translations

Cumulative count of translations that have expired since the router was booted.

Dynamic mappings

Indicates that the information that follows is about dynamic mappings.

Inside Source

The information that follows is about an inside source translation.

access-list

Access list number being used for the translation.

pool

Name of the pool.

refcount

Number of translations using this pool.

netmask

IP network mask being used in the pool.

start

Starting IP address in the pool range.

end

Ending IP address in the pool range.

type

Type of pool. Possible types are generic or rotary.

total addresses

Number of addresses in the pool available for translation.

allocated

Number of addresses being used.

misses

Number of failed allocations from the pool.

Queued Packets

Number of packets in the queue.


Related Commands

Command
Description

show ip nat nvi translations

Displays active NAT virtual interface translations.


show ip nat nvi translations

To display active NAT virtual interface (NVI) translations, use the show ip nat nvi translations command in user EXEC or privileged EXEC mode.

show ip nat nvi translations [protocol [global | vrf vrf-name] | vrf vrf-name | global] [verbose]

Syntax Description

protocol

(Optional) Displays protocol entries. The protocol argument must be replaced with one of the following keywords:

esp—Encapsulating Security Payload (ESP) protocol entries.

icmp—Internet Control Message Protocol (ICMP) entries.

pptp—Point-to-Point Tunneling Protocol (PPTP) entries.

tcp—TCP protocol entries.

udp—User Datagram Protocol (UDP) entries.

global

(Optional) Displays entries in the global destination table.

vrf vrf-name

(Optional) Displays VPN routing and forwarding (VRF) traffic-related information.

verbose

(Optional) Displays additional information for each translation table entry, including how long ago the entry was created and used.


Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release
Modification

12.3(14)T

This command was introduced.


Examples

The following is sample output from the show ip nat nvi translations command:

Router# show ip nat nvi translations

Pro    Source global        Source local        Destin  local      Destin  global
icmp   172.20.0.254:25    172.20.0.130:25      172.20.1.1:25      10.199.199.100:25
icmp   172.20.0.254:26    172.20.0.130:26      172.20.1.1:26      10.199.199.100:26
icmp   172.20.0.254:27    172.20.0.130:27      172.20.1.1:27      10.199.199.100:27
icmp   172.20.0.254:28    172.20.0.130:28      172.20.1.1:28      10.199.199.100:28

Table 37 describes the fields shown in the display.

Table 37 show ip nat nvi translations Field Descriptions 

Field
Description

Pro

Protocol of the port identifying the address.

Source global

Source global address.

Source local

Source local address.

Destin local

Destination local address.

Destin global

Destination global address.


Related Commands

Command
Description

show ip nat nvi statistics

Displays NAT virtual interface statistics.


show ip nat statistics

To display Network Address Translation (NAT) statistics, use the show ip nat statistics command in EXEC mode.

show ip nat statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.2

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Examples

The following is sample output from the show ip nat statistics command:

Router# show ip nat statistics

Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135  Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool net-208 refcount 2
 pool net-208: netmask 255.255.255.240
        start 172.16.233.208 end 172.16.233.221
        type generic, total addresses 14, allocated 2 (14%), misses 0

Table 38 describes the significant fields shown in the display.

Table 38 show ip nat statistics Field Descriptions 

Field
Description

Total translations

Number of translations active in the system. This number is incremented each time a translation is created and is decremented each time a translation is cleared or times out.

Outside interfaces

List of interfaces marked as outside with the ip nat outside command.

Inside interfaces

List of interfaces marked as inside with the ip nat inside command.

Hits

Number of times the software does a translations table lookup and finds an entry.

Misses

Number of times the software does a translations table lookup, fails to find an entry, and must try to create one.

Expired translations

Cumulative count of translations that have expired since the router was booted.

Dynamic mappings

Indicates that the information that follows is about dynamic mappings.

Inside Source

The information that follows is about an inside source translation.

access-list

Access list number being used for the translation.

pool

Name of the pool (in this case, net-208).

refcount

Number of translations using this pool.

netmask

IP network mask being used in the pool.

start

Starting IP address in the pool range.

end

Ending IP address in the pool range.

type

Type of pool. Possible types are generic or rotary.

total addresses

Number of addresses in the pool available for translation.

allocated

Number of addresses being used.

misses

Number of failed allocations from the pool.
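The pool fields described above (start/end ranges, total addresses, allocated, misses) are what a defender watches for pool exhaustion. The following added example (not part of the Cisco reference) parses the pool section of `show ip nat statistics` or `show ip nat nvi statistics` output, checks that each pool's ranges add up to its reported total, and flags pools that are nearly full or already recording allocation misses; the sample text and the 85% warning threshold are constructed assumptions.

```python
# Added example, not part of the Cisco command reference: parse the pool
# section of `show ip nat statistics` / `show ip nat nvi statistics` output,
# verify each pool's address ranges against the reported total, and flag pools
# that are nearly exhausted or already failing allocations. Sample text is
# constructed in the layout the reference shows; the 85% threshold is assumed.
import ipaddress
import re

HITS_RE = re.compile(r"Hits:\s*(\d+)\s+Misses:\s*(\d+)")
POOL_RE = re.compile(r"pool (\S+): netmask (\S+)")
RANGE_RE = re.compile(r"^\s*start (\S+) end (\S+)")
TYPE_RE = re.compile(
    r"type (\w+), total addresses (\d+), allocated (\d+) \((\d+)%\),\s*misses (\d+)")

# Constructed sample: one healthy pool and one pool close to exhaustion. The
# second mapping uses the one-line "[Id: N] ... pool X: netmask" NVI layout.
SAMPLE_STATS = """\
Total translations: 482 (0 static, 482 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135  Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool net-208 refcount 2
 pool net-208: netmask 255.255.255.240
        start 172.16.233.208 end 172.16.233.221
        type generic, total addresses 14, allocated 2 (14%), misses 0
[Id: 5] access-list 8 pool pool5 refcount 480 pool pool5: netmask 255.255.255.0
        start 192.168.10.1 end 192.168.10.253
        start 192.168.11.1 end 192.168.11.253
        type generic, total addresses 506, allocated 480 (94%), misses 12
"""


def range_size(start, end):
    """Number of addresses in an inclusive start..end range."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def parse_pools(text):
    """Return one dict per pool: name, netmask, ranges, type, total, allocated,
    pct (as printed), misses. Lines before the first pool are ignored."""
    pools, current = [], None
    for line in text.splitlines():
        if m := POOL_RE.search(line):
            current = {"name": m.group(1), "netmask": m.group(2), "ranges": []}
            pools.append(current)
        elif current and (m := RANGE_RE.match(line)):
            current["ranges"].append((m.group(1), m.group(2)))
        elif current and (m := TYPE_RE.search(line)):
            current["type"] = m.group(1)
            current["total"] = int(m.group(2))
            current["allocated"] = int(m.group(3))
            current["pct"] = int(m.group(4))
            current["misses"] = int(m.group(5))
    return pools


def pool_alerts(pools, threshold=0.85):
    """Alerts for pools whose ranges do not match the reported total, whose
    utilization is at or above `threshold`, or which already have misses."""
    alerts = []
    for p in pools:
        if "total" not in p:  # no "type ... total addresses" line was seen
            continue
        counted = sum(range_size(s, e) for s, e in p["ranges"])
        if counted != p["total"]:
            alerts.append(f"{p['name']}: ranges cover {counted} addresses, "
                          f"output reports {p['total']}")
        util = p["allocated"] / p["total"] if p["total"] else 1.0
        if util >= threshold or p["misses"] > 0:
            alerts.append(f"{p['name']}: {p['allocated']}/{p['total']} allocated "
                          f"({p['pct']}%), misses {p['misses']}")
    return alerts


def parse_hits_misses(text):
    """Translation-table lookup hits and misses. Rising misses together with
    pool misses mean new flows are failing to obtain a translation."""
    m = HITS_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else (None, None)


if __name__ == "__main__":
    print("hits/misses:", parse_hits_misses(SAMPLE_STATS))
    for alert in pool_alerts(parse_pools(SAMPLE_STATS)):
        print("ALERT", alert)
```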


Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat translations

Displays active NAT translations.


show ip nat translations

To display active Network Address Translation (NAT) translations, use the show ip nat translations command in EXEC mode.

show ip nat translations [inside global-ip] [outside local-ip] [esp] [icmp] [pptp] [tcp] [udp] [verbose] [vrf vrf-name]

Syntax Description

esp

(Optional) Displays Encapsulating Security Payload (ESP) entries.

icmp

(Optional) Displays Internet Control Message Protocol (ICMP) entries.

inside global-ip

(Optional) Displays entries for only a specific inside global IP address.

outside local-ip

(Optional) Displays entries for only a specific outside local IP address.

pptp

(Optional) Displays Point-to-Point Tunneling Protocol (PPTP) entries.

tcp

(Optional) Displays TCP protocol entries.

udp

(Optional) Displays User Datagram Protocol (UDP) entries.

verbose

(Optional) Displays additional information for each translation table entry, including how long ago the entry was created and used.

vrf vrf-name

(Optional) Displays VPN routing and forwarding (VRF) traffic-related information.


Command Modes

EXEC

Command History

Release
Modification

11.2

This command was introduced.

12.2(13)T

The vrf vrf-name keyword and argument combination was added.

12.2(15)T

The esp keyword was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

XE 2.4.2

The inside and outside keywords were added.


Examples

The following is sample output from the show ip nat translations command. Without overloading, two inside hosts are exchanging packets with some number of outside hosts.

Router# show ip nat translations

Pro Inside global      Inside local       Outside local      Outside global
--- 10.69.233.209     192.168.1.95       ---                ---
--- 10.69.233.210     192.168.1.89       ---                ---

With overloading, a translation for a Domain Name Server (DNS) transaction is still active, and translations for two Telnet sessions (from two different hosts) are also active. Note that two different inside hosts appear on the outside with a single IP address.

Router# show ip nat translations

Pro Inside global        Inside local       Outside local      Outside global
udp 10.69.233.209:1220  192.168.1.95:1220  172.16.2.132:53    172.16.2.132:53
tcp 10.69.233.209:11012 192.168.1.89:11012 172.16.1.220:23    172.16.1.220:23
tcp 10.69.233.209:1067  192.168.1.95:1067  172.16.1.161:23    172.16.1.161:23

The following is sample output that includes the verbose keyword:

Router# show ip nat translations verbose

Pro Inside global        Inside local       Outside local      Outside global
udp 172.16.233.209:1220  192.168.1.95:1220  172.16.2.132:53    172.16.2.132:53
        create 00:00:02, use 00:00:00, flags: extended
tcp 172.16.233.209:11012 192.168.1.89:11012 172.16.1.220:23    172.16.1.220:23
        create 00:01:13, use 00:00:50, flags: extended
tcp 172.16.233.209:1067  192.168.1.95:1067  172.16.1.161:23    172.16.1.161:23
        create 00:00:02, use 00:00:00, flags: extended

The following is sample output that includes the vrf keyword:

Router# show ip nat translations vrf abc

Pro Inside global      Inside local       Outside local      Outside global
--- 10.2.2.1            192.168.121.113    ---                ---
--- 10.2.2.2            192.168.122.49     ---                ---
--- 10.2.2.11           192.168.11.1       ---                ---
--- 10.2.2.12           192.168.11.3       ---                ---
--- 10.2.2.13           172.16.5.20        ---                ---

Pro Inside global      Inside local       Outside local      Outside global
--- 10.2.2.3            192.168.121.113    ---                ---
--- 10.2.2.4            192.168.22.49      ---                ---

The following is sample output that includes the esp keyword:

Router# show ip nat translations esp 

Pro Inside global         Inside local            Outside local         Outside global
esp 192.168.22.40:0       192.168.122.20:0        192.168.22.20:0       192.168.22.20:28726CD9
esp 192.168.22.40:0       192.168.122.20:2E59EEF5 192.168.22.20:0       192.168.22.20:0

The following is sample output that includes the esp and verbose keywords:

Router# show ip nat translation esp verbose 

Pro Inside global         Inside local            Outside local         Outside global
esp 192.168.22.40:0       192.168.122.20:0        192.168.22.20:0       192.168.22.20:28726CD9
    create 00:00:00, use 00:00:00,
    flags: extended, 0x100000, use_count:1, entry-id:192, lc_entries:0
esp 192.168.22.40:0       192.168.122.20:2E59EEF5 192.168.22.20:0       192.168.22.20:0
    create 00:00:00, use 00:00:00, left 00:04:59, Map-Id(In):20,
    flags: extended, use_count:0, entry-id:191, lc_entries:0

The following is sample output that includes the inside keyword:

Router# show ip nat translations inside 10.69.233.209

Pro Inside global        Inside local       Outside local      Outside global
udp 10.69.233.209:1220  192.168.1.95:1220  172.16.2.132:53    172.16.2.132:53

Table 39 describes the significant fields shown in the display.

Table 39 show ip nat translations Field Descriptions 

Field
Description

Pro

Protocol of the port identifying the address.

Inside global

The legitimate IP address that represents one or more inside local IP addresses to the outside world.

Inside local

The IP address assigned to a host on the inside network; probably not a legitimate address assigned by the Network Information Center (NIC) or service provider.

Outside local

IP address of an outside host as it appears to the inside network; probably not a legitimate address assigned by the NIC or service provider.

Outside global

The IP address assigned to a host on the outside network by its owner.

create

How long ago the entry was created (in hours:minutes:seconds).

use

How long ago the entry was last used (in hours:minutes:seconds).

flags

Indication of the type of translation. Possible flags are:

extended—Extended translation

static—Static translation

destination—Rotary translation

outside—Outside translation

timing out—Translation will no longer be used, due to a TCP finish (FIN) or reset (RST) flag.


Related Commands

Command
Description

clear ip nat translation

Clears dynamic NAT translations from the translation table.

ip nat

Designates that traffic originating from or destined for the interface is subject to NAT.

ip nat inside destination

Enables NAT of the inside destination address.

ip nat inside source

Enables NAT of the inside source address.

ip nat outside source

Enables NAT of the outside source address.

ip nat pool

Defines a pool of IP addresses for NAT.

ip nat service

Enables a port other than the default port.

show ip nat statistics

Displays NAT statistics.


show ip snat

To display active Stateful Network Address Translation (SNAT) translations, use the show ip snat command in EXEC mode.

show ip snat [distributed [verbose] | peer ip-address]

Syntax Description

distributed

(Optional) Displays information about the distributed NAT, including its peers and status.

verbose

(Optional) Displays additional information for each translation table entry, including how long ago the entry was created and used.

peer ip-address

(Optional) Displays TCP connection information between peer routers.


Command Modes

EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced.


Examples

The following is sample output from the show ip snat distributed command for stateful NAT connected peers:

Router# show ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode PRIMARY
:State READY
:Local Address 192.168.123.2
:Local NAT id 100
:Peer Address 192.168.123.3
:Peer NAT id 200
:Mapping List 10

The following is sample output from the show ip snat distributed verbose command for stateful NAT connected peers:

Router# show ip snat distributed verbose

SNAT: Mode PRIMARY
Stateful NAT Connected Peers

:State READY
:Local Address 192.168.123.2
:Local NAT id 100
:Peer Address 192.168.123.3
:Peer NAT id 200
:Mapping List 10
:InMsgs 7, OutMsgs 7, tcb 0x63EBA408, listener 0x0