-
Cisco IOS IP Addressing Services Configuration Guide, Release 12.4
- Part 1: IP Addressing
- Part 2: ARP
-
Part 3: DHCP
-
DHCP Features Roadmap
-
DHCP Overview
-
Configuring the Cisco IOS DHCP Server
-
Configuring the DHCP Server On-Demand Address Pool Manager
-
Configuring the Cisco IOS DHCP Relay Agent
-
Configuring the Cisco IOS DHCP Client
-
Configuring DHCP Services for Accounting and Security
-
Configuring DHCP Enhancements for Edge Session Management
-
- Part 4: DNS
- Part 5: NHRP
- Part 6: NAT
Table Of Contents
Configuring NAT for IP Address Conservation
Prerequisites for Configuring NAT for IP Address Conservation
Restrictions for Configuring NAT for IP Address Conservation
Information About Configuring NAT for IP Address Conservation
Benefits of Configuring NAT for IP Address Conservation
NAT Inside and Outside Addresses
How to Configure NAT for IP Address Conservation
Configuring the Inside Source Addresses
Inside Source Address Translation
Configuring Static Translation of Inside Source Addresses
Configuring Dynamic Translation of Inside Source Addresses
Allowing Internal Users Access to the Internet Using NAT
Inside Global Addresses Overloading
Configuring Address Translation Timeouts
Changing the Translation Timeout Default
Changing the Default Timeouts When Overloading Is Configured
Allowing Overlapping Networks to Communicate Using NAT
Address Translation of Overlapping Networks
Configuring Static Translation of Overlapping Networks
Configuring Dynamic Translation of Overlapping Networks
Configuring the NAT Virtual Interface
Benefits of NAT Virtual Interface
Restrictions for NAT Virtual Interface
Enabling a Dynamic NAT Virtual Interface
Enabling a Static NAT Virtual Interface
Avoiding Server Overload Using TCP Load Balancing
Using Route Maps for Address Translation Decisions
Benefits of Using Route Maps for Address Translation
Enabling NAT Routemaps Outside-to-Inside Support
Routemaps Outside-to-Inside Support Design
Configuring NAT of External IP Addresses Only
Benefits of Configuring NAT of External IP Addresses Only
Configuring NAT for a Default Inside Server
Configuring NAT RTSP Support Using NBAR
Configuring Support for Users with Static IP Addresses
Configuring Support for ARP Ping in a Public Wireless LAN
Limiting the Number of Concurrent NAT Operations
Benefits of Limiting the Number of concurrent NAT Operations
Viruses and Worms That Target NAT
Configuration Examples for Configuring NAT for IP Address Conservation
Configuring Static Translation of Inside Source Addresses: Examples
Configuring Dynamic Translation of Inside Source Addresses: Example
Overloading Inside Global Addresses: Example
Translating Overlapping Address: Example
Enabling NAT Virtual Interface: Example
Avoiding Server Overload Using Load Balancing: Example
Enabling NAT Route Mapping: Example
Enabling NAT Routemaps Outside-to-Inside Support: Example
Configuring NAT Translation of External IP Addresses Only: Example
Configuration Examples for NAT Static IP Support
Configuring NAT Static IP Support: Example
Creating a RADIUS Profile for NAT Static IP Support: Example
Configuration Examples for Rate Limiting NAT Translation
Setting a Global NAT Rate Limit: Example
Setting NAT Rate Limits for a Specific VRF Instance: Example
Setting NAT Rate Limits for All VRF Instances: Example
Setting NAT Rate Limits for Access Control Lists: Example
Setting NAT Rate Limits for an IP Address: Example
Feature Information for Configuring NAT for IP Address Conservation
Configuring NAT for IP Address Conservation
First Published: May 2, 2005Last Updated: October 2, 2009NAT enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) address in the internal network into legal addresses before packets are forwarded onto another network. NAT can be configured to advertise only one address for the entire network to the outside world. This ability provides additional security, effectively hiding the entire internal network behind that one address.
NAT is also used at the Enterprise edge to allow internal users access to the Internet and to allow Internet access to internal devices such as mail servers.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring NAT for IP Address Conservation" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Configuring NAT for IP Address Conservation
•
•
•
•
•
Prerequisites for Configuring NAT for IP Address Conservation
Access Lists
All access lists required for use with the tasks in this module should be configured prior to beginning the configuration task. For information about how to configure an access list, refer to the IP Access List Sequence Numbering document at the following URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ip_entry_numbrng.html
Note
Defining the NAT Requirements, Objectives, and Interfaces
Before configuring NAT in your network, it is important to understand on which interfaces NAT will be configured and for what purposes. You can use the questions below to determine how you will use NAT and how NAT will need to be configured.
1.
–
–
2.
–
–
–
–
–
–
–
Restrictions for Configuring NAT for IP Address Conservation
•
•
•
•
•
Information About Configuring NAT for IP Address Conservation
To configure NAT for IP address conservation, you should understand the following concepts:
•
•
Benefits of Configuring NAT for IP Address Conservation
NAT allows organizations to resolve the problem of IP address depletion when they have existing networks and need to access the Internet. Sites that do not yet possess NIC-registered IP addresses must acquire them, and if more than 254 clients are present or planned, the scarcity of Class B addresses becomes a serious issue. Cisco IOS NAT addresses these issued by mapping thousands of hidden internal addresses to a range of easy-to-get Class C addresses.
Sites that already have registered IP addresses for clients on an internal network may want to hide those addresses from the Internet so that hackers cannot directly attack the clients. With client addresses hidden, a degree of security is established. Cisco IOS NAT gives LAN administrators complete freedom to expand Class A addressing, which is drawn from the reserve pool of the Internet Assigned Numbers Authority (RFC 1597). This expansion occurs within the organization without concern for addressing changes at the LAN/Internet interface.
Cisco IOS can selectively or dynamically perform NAT. This flexibility allows the network administrator to use a mix of RFC 1597 and RFC 1918 addresses or registered addresses. NAT is designed for use on a variety of routers for IP address simplification and conservation. In addition, Cisco IOS NAT allows the selection of which internal hosts are available for NAT.
A significant advantage of NAT is that it can be configured without requiring changes to hosts or routers other than those few routers on which NAT will be configured.
Purpose of NAT
Two key problems facing the Internet are depletion of IP address space and scaling in routing. NAT is a feature that allows the IP network of an organization to appear from the outside to use different IP address space than what it is actually using. Thus, NAT allows an organization with nonglobally routable addresses to connect to the Internet by translating those addresses into globally routable address space. NAT also allows a more graceful renumbering strategy for organizations that are changing service providers or voluntarily renumbering into classless interdomain routing (CIDR) blocks. NAT is described in RFC 1631.
Beginning with Cisco IOS Release 12.1(5)T, NAT supports all H.225 and H.245 message types, including FastConnect and Alerting as part of the H.323 version 2 specification. Any product that makes use of these message types will be able to pass through a Cisco IOS NAT configuration without any static configuration. Full support for NetMeeting Directory (Internet Locator Service) is also provided through Cisco IOS NAT.
How NAT Works
A router configured with NAT will have at least one interface to the inside network and one to the outside network. In a typical environment, NAT is configured at the exit router between a stub domain and backbone. When a packet is leaving the domain, NAT translates the locally significant source address into a globally unique address. When a packet is entering the domain, NAT translates the globally unique destination address into a local address. If more than one exit point exists, each NAT must have the same translation table. If the software cannot allocate an address because it has run out of addresses, it drops the packet and sends an ICMP host unreachable packet.
Uses of NAT
NAT can be used for the following applications:
•
•
•
As a solution to the connectivity problem, NAT is practical only when relatively few hosts in a stub domain communicate outside of the domain at the same time. When this is the case, only a small subset of the IP addresses in the domain must be translated into globally unique IP addresses when outside communication is necessary, and these addresses can be reused when no longer in use.
NAT Inside and Outside Addresses
With reference to NAT, the term inside refers to those networks that are owned by an organization and that must be translated. Inside this domain, hosts will have addresses in the one address space, while on the outside, they will appear to have addresses in another address space when NAT is configured. The first address space is referred to as the local address space and the second is referred to as the global address space.
Similarly, outside refers to those networks to which the stub network connects, and which are generally not under the control of the organization. Hosts in outside networks can be subject to translation also, and can thus have local and global addresses.
NAT uses the following definitions:
•
•
•
•
Types of NAT
NAT operates on a router—generally connecting only two networks together—and translates your private (inside local) addresses within the internal network, into public (inside global) addresses before any packets are forwarded to another network. This functionality give you the option to configure NAT so that it will advertise only a single address for your entire network to the outside world. Doing this effectively hides the internal network from the world, giving you some additional security.
NAT types include:
•
•
•
How to Configure NAT for IP Address Conservation
The tasks described in this section configure NAT for IP address conservation. No single task in this section is required; however, at least one of the tasks must be performed. More than one of the tasks may be needed. This section contains the following procedures:
•
•
•
•
•
•
•
•
•
•
•
•
•
Configuring the Inside Source Addresses
Inside source address can be configured for static or dynamic translation. Perform one of the following tasks depending on your requirements:
•
•
Inside Source Address Translation
You can translate your own IP addresses into globally unique IP addresses when communicating outside of your network. You can configure static or dynamic inside source translation as follows:
•
•
Figure 1 illustrates a router that is translating a source address inside a network to a source address outside the network.
Figure 1 NAT Inside Source Translation
The following process describes inside source address translation, as shown in Figure 1:
1.
2.
–
–
3.
4.
5.
Host 1.1.1.1 receives the packet and continues the conversation. The router performs Steps 2 through 5 for each packet.
Configuring Static Translation of Inside Source Addresses
Configure static translation of inside source addresses when you want to allow one-to-one mapping between your inside local address and an inside global address. Static translation is useful when a host on the inside must be accessible by a fixed address from the outside.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Configuring Dynamic Translation of Inside Source Addresses
Dynamic translation establishes a mapping between an inside local address and a pool of global addresses. Dynamic translation is useful when multiple users on a private network need to access the Internet. The dynamically configured pool IP address may be used as needed and are released for use by other users when access to the Internet is no longer required.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
DETAILED STEPS
Allowing Internal Users Access to the Internet Using NAT
Perform this task to allow your internal users access to the internet and conserve addresses in the inside global address pool using overloading of global addresses.
Inside Global Addresses Overloading
You can conserve addresses in the inside global address pool by allowing the router to use one global address for many local addresses. When this overloading is configured, the router maintains enough information from higher-level protocols (for example, TCP or UDP port numbers) to translate the global address back to the correct local address. When multiple local addresses map to one global address, the TCP or UDP port numbers of each inside host distinguish between the local addresses.
Figure 2 illustrates NAT operation when one inside global address represents multiple inside local addresses. The TCP port numbers act as differentiators.
Figure 2 NAT Overloading Inside Global Addresses
The router performs the following process in overloading inside global addresses, as shown in Figure 2. Both host B and host C believe they are communicating with a single host at address 2.2.2.2. They are actually communicating with different hosts; the port number is the differentiator. In fact, many inside hosts could share the inside global IP address by using many port numbers.
1.
2.
–
–
3.
4.
5.
Host 1.1.1.1 receives the packet and continues the conversation. The router performs Steps 2 through 5 for each packet.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
DETAILED STEPS
Configuring Address Translation Timeouts
The tasks in this section are presented together because they address similar objectives, but you must select the one that is applicable to the specific configuration of NAT.
Perform one of the following tasks:
•
•
Changing the Translation Timeout Default
By default, dynamic address translations time out after some period of non-use. You can change the default values on timeouts, if necessary. When overloading is not configured, simple translation entries time out after 24 hours.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Changing the Default Timeouts When Overloading Is Configured
If you have configured overloading, you have more control over translation entry timeout, because each entry contains more context about the traffic using it. To change timeouts on extended entries, use the following commands as needed.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Allowing Overlapping Networks to Communicate Using NAT
The tasks in this section are group together because they perform the same action but are executed differently depending on the type of translation that is implemented: static or dynamic.
Perform the task that applies to the translation type that is implemented.
•
•
Address Translation of Overlapping Networks
NAT is used to translate your IP addresses, which could occur because your IP addresses are not legal, officially assigned IP addresses. Perhaps you chose IP addresses that officially belong to another network. The case of an address used both illegally and legally is called index overlapping. You can use NAT to translate inside addresses that overlap with outside addresses.
Figure 3 shows how NAT translates overlapping networks.
Figure 3 NAT Translating Overlapping Addresses
The router performs the following process when translating overlapping addresses:
1.
2.
The router examines every DNS reply from everywhere, ensuring that the IP address is not in the stub network. If it is, the router translates the address.
3.
4.
5.
6.
7.
8.
Configuring Static Translation of Overlapping Networks
Configure static translation of overlapping networks if your IP addresses in the stub network are legitimate IP addresses belonging to another network and you want to communicate with those hosts or routers using static translation.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
What to Do Next
When you have completed all required configuration, go to the "Monitoring and Maintaining NAT" module.
Configuring Dynamic Translation of Overlapping Networks
Configure dynamic translation of overlapping networks if your IP addresses in the stub network are legitimate IP addresses belonging to another network and you want to communicate with those hosts or routers using dynamic translation.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
DETAILED STEPS
Configuring the NAT Virtual Interface
The NAT Virtual Interface (NVI) feature removes the requirement to configure an interface as either Network Address Translation (NAT) inside or NAT outside. An interface can be configured to use NAT or not use NAT.
This section contains the following procedures:
•
•
Before you configure the NAT Virtual Interface feature, you should understand the following concepts:
•
NAT Virtual Interface Design
The NAT Virtual Interface feature allows all NAT traffic flows on the virtual interface, eliminating the need to specify inside and outside domains. When a domain is specified, the translation rules are applied either before or after route decisions depending on the traffic flow from inside to outside or outside to inside. The translation rules are applied only after the route decision for an NVI.
When a NAT pool is shared for translating packets from multiple networks connected to a NAT router, an NVI is created and a static route is configured that forwards all packets addressed to the NAT pool to the NVI. The standard interfaces connected to various networks will be configured to identify that the traffic originating and receiving on the interfaces needs to be translated.
Figure 4 shows a typical NAT virtual interface configuration.
Figure 4 NAT Virtual Interface Typical Configuration
Benefits of NAT Virtual Interface
•
•
Restrictions for NAT Virtual Interface
Routemaps are not supported.
Enabling a Dynamic NAT Virtual Interface
Perform this task to enable a dynamic NAT virtual interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Enabling a Static NAT Virtual Interface
Perform this task to enable a static NAT virtual interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Avoiding Server Overload Using TCP Load Balancing
Perform this task to configure server TCP load balancing by way of destination address rotary translation. These commands allow you to map one virtual host to many real hosts. Each new TCP session opened with the virtual host will be translated into a session with a different real host.
TCP Load Distribution for NAT
Another use of NAT is unrelated to Internet addresses. Your organization may have multiple hosts that must communicate with a heavily used host. Using NAT, you can establish a virtual host on the inside network that coordinates load sharing among real hosts. DAs that match an access list are replaced with addresses from a rotary pool. Allocation is done on a round-robin basis, and only when a new connection is opened from the outside to the inside. Non-TCP traffic is passed untranslated (unless other translations are in effect). Figure 5 illustrates this feature.
Figure 5 NAT TCP Load Distribution
The router performs the following process when translating rotary addresses:
1.
2.
3.
4.
5.
The next connection request will cause the router to allocate 1.1.1.2 for the inside local address.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
DETAILED STEPS
Using Route Maps for Address Translation Decisions
Perform this task to use route maps for address translation decisions.
Route Map Overview
For NAT, a route map must be processed instead of an access list. A route map allows you to match any combination of access list, next hop IP address, and output interface to determine which pool to use. The ability to use route maps with static translations enables NAT multihoming capability with static address translations. Multihomed internal networks can host common services such as the Internet and Domain Name System (DNS), which are accessed from different outside networks. NAT processes route map-based mappings in lexicographical order. When static NAT and dynamic NAT are configured with route maps that share the same name, static NAT is given precedence over dynamic NAT. In order to ensure the precedence of static NAT over dynamic NAT, you can either configure the route map associated with static NAT and dynamic NAT to share the same name, or configure the static NAT route map name so that it is lexicographically lower than that of the dynamic NAT route map name.
Benefits of Using Route Maps for Address Translation
•
•
Prerequisites
All route maps required for use with this task should be configured prior to beginning the configuration task.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Enabling NAT Routemaps Outside-to-Inside Support
The NAT Routemaps Outside-to-Inside Support feature enables the deployment of a NAT routemap configuration that will allow IP sessions to be initiated from the outside to the inside. Perform this task to enable NAT Routemaps Outside-to-Inside Support.
Routemaps Outside-to-Inside Support Design
An initial session from inside-to-outside is required to trigger a NAT. New translation sessions can then be initiated from outside-to-inside to the inside host that triggered the initial translation.
When routemaps are used to allocate global addresses, the global address can allow return traffic, and the return traffic is allowed only if the return traffic matches the defined routemap in the reverse direction. Current functionality remains unchanged by not creating additional entries to allow the return traffic for a routemap-based dynamic entry unless the reversible keyword is used with the ip nat inside source command.
Restrictions
•
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring NAT of External IP Addresses Only
When configuring NAT of external IP addresses only, NAT can be configured to ignore all embedded IP addresses for any application and traffic type. Traffic between a host and the outside world flows through the internal network. A router configured for NAT translates the packet to an address that is able to be routed inside the internal network. If the intended destination is the outside world, the packet gets translated back to an external address and sent out.
Benefits of Configuring NAT of External IP Addresses Only
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Configuring NAT for a Default Inside Server
The NAT Default Inside Server feature provides for the need to forward packets from the outside to a specified inside local address. Traffic is redirected that does not match any existing dynamic translations or static port translations, and the packets are not dropped. For online games, outside traffic comes on different User Datagram Ports (UDP).
Dynamic mapping and interface overload can be configured for the PC traffic and also for the gaming device. If a packet is destined for the 806 interface from the outside and there is not a match in the NAT table for the fully extended entry or a match for the static port entry, it will be forwarded to the gaming device using a simple static entry created as a result of the new command-line interface (CLI).
Restrictions
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring NAT RTSP Support Using NBAR
The Real Time Streaming Protocol (RTSP) is a client-server multimedia presentation control protocol that supports multimedia application delivery. Some of the applications that use RTSP include Windows Media Services (WMS) by Microsoft, QuickTime by Apple Computer, and RealSystem G2 by RealNetworks.
When the RTSP protocol passes through a NAT router, the embedded address and port must be translated in order for the connection to be successful. NAT uses Network Based Application Recognition (NBAR) architecture to parse the payload and translate the embedded information in the RTSP payload.
RTSP is enabled by default. Use the following commands to re-enable RTSP on a NAT router if this configuration has been disabled.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring Support for Users with Static IP Addresses
Configuring support for users with static IP addresses enables those users to establish an IP session in a Public Wireless LAN environment.
The NAT Static IP Support feature extends the capabilities of Public Wireless LAN providers to support users configured with a static IP address. By configuring a router to support users with a static IP address, Public Wireless LAN providers extend their services to a greater number of potential users, which can lead to greater user satisfaction and additional revenue.
Users with static IP addresses can use services of the public wireless LAN provider without changing their IP address. NAT entries are created for static IP clients and a routable address is provided.
This section contains the following procedures:
•
•
Public Wireless LAN
A Public Wireless LAN provides users of mobile computing devices with wireless connections to a public network, such as the Internet.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that secures networks against unauthorized access. Communication between a network access server (NAS) and a RADIUS server is based on the User Datagram Protocol (UDP). Generally, the RADIUS protocol is considered a connectionless service. Issues related to server availability, retransmission, and timeouts are handled by the RADIUS-enabled devices rather than the transmission protocol.
RADIUS is a client/server protocol. The RADIUS client is typically a NAS, and the RADIUS server is usually a daemon process running on a UNIX or Windows NT machine. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
Prerequisites
Before configuring support for users with static IP addresses for NAT, you must first enable NAT on your router and configure a RADIUS server host. For additional information on NAT and RADIUS configuration, see the "Related Documents" section.
Configuring Static IP Support
Perform this task to configure the NAT Static IP Support feature.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Verifying Static IP Support
To verify the NAT Static IP Support feature, use the following command.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
Use this command to verify that NAT is configured to support static IP addresses, for example:
Router# show ip nat translations verbose--- 172.16.0.0 10.1.1.1 --- ---create 00:05:59, use 00:03:39, left 23:56:20, Map-Id(In): 1, flags: none wlan-flags: Secure ARP added, Accounting Start sent Mac-Address:0010.7bc2.9ff6 Input-IDB:Ethernet1/2, use_count: 0, entry-id:7, lc_entries: 0Configuring Support for ARP Ping in a Public Wireless LAN
When the static IP client's NAT entry times out, the NAT entry and the secure ARP entry associations are deleted for the client. Reauthentication with the Service Selection Gateway (SSG) is needed for the client to reestablish WLAN services. The ARP Ping feature enables the NAT entry and the secure ARP entry to not be deleted when the static IP client exists in the network where the IP address is unchanged after authentication.
An ARP ping is necessary to determine static IP client existence and to restart the NAT entry timer.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Limiting the Number of Concurrent NAT Operations
Limiting the number of concurrent NAT operations using the Rate Limiting NAT Translation feature provides users more control over how NAT addresses are used. The Rate Limiting NAT Translation feature can be used to limit the effects of viruses, worms, and denial-of-service attacks.
Benefits of Limiting the Number of concurrent NAT Operations
Since NAT is a CPU-intensive process, router performance can be adversely affected by denial-of-service attacks, viruses, and worms that target NAT. The Rate Limiting NAT Translation feature allows you to limit the maximum number of concurrent NAT requests on a router.
Denial-of-Service Attacks
A denial-of-service (DoS) attack typically involves the misuse of standard protocols or connection processes with the intent to overload and disable a target, such as a router or web server. DoS attacks can come from a malicious user or from a computer infected with a virus or worm. When the attack comes from many different sources at once, such as when a virus or worm has infected many computers, it is known as a distributed denial-of-service (DDoS) attack. Such DDoS attacks can spread rapidly and involve thousands of systems.
Viruses and Worms That Target NAT
Viruses and worms are malicious programs designed to attack computer and networking equipment. While viruses are typically embedded in discrete applications and only run when executed, worms self-propagate and can quickly spread on their own. Although a specific virus or worm may not expressly target NAT, it might use NAT resources to propagate itself. The Rate Limiting NAT Translation feature can be used to limit the impact of viruses and worms that originate from specific hosts, access control lists, and VPN routing and forwarding (VRF) instances.
Prerequisites
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuration Examples for Configuring NAT for IP Address Conservation
This section provides the following configuration examples:
•
•
•
•
•
•
•
•
•
•
•
Configuring Static Translation of Inside Source Addresses: Examples
The following example translates between inside hosts addressed from the 9.114.11.0 network to the globally unique 172.69.233.208/28 network. Further packets from outside hosts addressed from the 10.114.11.0 network (the true 10.114.11.0 network) are translated to appear to be from the 10.0.1.0/24 network.
ip nat pool net-208 172.69.233.208 172.69.233.223 prefix-length 28ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24ip nat inside source list 1 pool net-208ip nat outside source list 1 pool net-10!interface ethernet 0ip address 172.69.232.182 255.255.255.240ip nat outside!interface ethernet 1ip address 10.114.11.39 255.255.255.0ip nat inside!access-list 1 permit 10.114.11.0 0.0.0.255The following example shows NAT configured on the Provider Edge (PE) router with a static route to the shared service for the gold and silver Virtual Private Networks (VPNs). NAT is configured as inside source static one-to-one translations.
ip nat pool outside 10.4.4.1 4.4.4.254 netmask 255.255.255.0ip nat outside source list 1 pool mypoolaccess-list 1 permit 172.16.18.0 0.0.0.255ip nat inside source static 192.168.121.33 10.2.2.1 vrf goldip nat inside source static 192.169.121.33.10.2.2.2 vrf silverConfiguring Dynamic Translation of Inside Source Addresses: Example
The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 172.69.233.208/28 network:
ip nat pool net-208 172.69.233.208 172.69.233.223 prefix-length 28ip nat inside source list 1 pool net-208!interface ethernet 0ip address 172.69.232.182 255.255.255.240ip nat outside!interface ethernet 1ip address 192.168.1.94 255.255.255.0ip nat inside!access-list 1 permit 192.168.1.0 0.0.0.255access-list 1 permit 192.168.2.0 0.0.0.255The following example translates only traffic local to the provider edge device running NAT (NAT-PE):
ip nat inside source list 1 interface e 0 vrf shop overloadip nat inside source list 1 interface e 0 vrf bank overload!ip route vrf shop 0.0.0.0 0.0.0.0 192.1.1.1ip route vrf bank 0.0.0.0 0.0.0.0 192.1.1.1!access-list 1 permit 10.1.1.1.0 0.0.0.255!ip nat inside source list 1 interface e 1 vrf shop overloadip nat inside source list 1 interface e 1 vrf bank overload!ip route vrf shop 0.0.0.0 0.0.0.0 172.1.1.1 globalip route vrf bank 0.0.0.0 0.0.0.0 172.1.1.1 globalaccess-list 1 permit 10.1.1.0 0.0.0.255Overloading Inside Global Addresses: Example
The following example creates a pool of addresses named net-208. The pool contains addresses from 171.69.233.208 to 171.69.233.233. Access list 1 allows packets having the SA from 192.168.1.0 to 192.168.1.255. If no translation exists, packets matching access list 1 are translated to an address from the pool. The router allows multiple local addresses (192.168.1.0 to 192.168.1.255) to use the same global address. The router retains port numbers to differentiate the connections.
ip nat pool net-208 171.69.233.208 171.69.233.233 netmask 255.255.255.240ip nat inside source list 1 pool net-208 overload!interface serial0ip address 171.69.232.182 255.255.255.240ip nat outside!interface ethernet0ip address 192.168.1.94 255.255.255.0ip nat inside!access-list 1 permit 192.168.1.0 0.0.0.255Translating Overlapping Address: Example
In the following example, the addresses in the local network are being used legitimately by someone else on the Internet. An extra translation is required to access that external network. Pool net-10 is a pool of outside local IP addresses. The ip nat outside source list 1 pool net-10 statement translates the addresses of hosts from the outside overlapping network to addresses in that pool.
ip nat pool net-208 172.31.233.208 172.31.233.223 prefix-length 28ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24ip nat inside source list 1 pool net-208ip nat outside source list 1 pool net-10!interface serial 0ip address 172.31.232.192 255.255.255.240ip nat outside!interface ethernet0ip address 192.168.1.94 255.255.255.0ip nat inside!access-list 1 permit 192.168.1.0 0.0.0.255Enabling NAT Virtual Interface: Example
The following example shows how to configure NAT virtual interfaces without the use of inside or outside source addresses:
interface Ethernet0/0ip vrf forwarding bankip address 192.168.122.1 255.255.255.0ip nat enable!interface Ethernet1/0ip vrf forwarding parkip address 192.168.122.1 255.255.255.0ip nat enable!interface Serial2/0ip vrf forwarding servicesip address 192.168.123.2 255.255.255.0ip nat enable!ip nat pool NAT 192.168.25.20 192.168.25.30 netmask 255.255.255.0 add-routeip nat source list 1 pool NAT vrf bank overloadip nat source list 1 pool NAT vrf park overloadip nat source static 192.168.123.1 192.168.125.10 vrf services!access-list 1 permit 192.168.122.20access-list 1 permit 192.168.122.0 0.0.0.255!Avoiding Server Overload Using Load Balancing: Example
In the following example, the goal is to define a virtual address, connections to which are distributed among a set of real hosts. The pool defines the addresses of the real hosts. The access list defines the virtual address. If a translation does not already exist, TCP packets from serial interface 0 (the outside interface) whose destination matches the access list are translated to an address from the pool.
ip nat pool real-hosts 192.168.15.2 192.168.15.15 prefix-length 28 type rotaryip nat inside destination list 2 pool real-hosts!interface serial 0ip address 192.168.15.129 255.255.255.240ip nat outside!interface ethernet 0ip address 192.168.15.17 255.255.255.240ip nat inside!access-list 2 permit 192.168.15.1Enabling NAT Route Mapping: Example
The following example shows the use of route mapping with static NATs:
interface Ethernet3ip address 172.68.1.100 255.255.255.0ip nat outsidemedia-type 10BaseT!interface Ethernet4ip address 192.68.1.100 255.255.255.0ip nat outsidemedia-type 10BaseT!interface Ethernet5ip address 110.1.1.100 255.255.255.0ip nat insideip policy route-map isp1media-type 10BaseT!router ripnetwork 172.68.0.0network 192.68.1.0!ip nat inside source static 10.1.1.2 192.68.1.21 route-map isp2ip nat inside source static 10.1.1.2 172.68.1.21 route-map isp1ip nat inside source static 10.1.1.1 192.68.1.11 route-map isp2ip nat inside source static 10.1.1.1 172.68.1.11 route-map isp1access-list 101 permit ip 10.1.1.0 0.0.0.255 172.0.0.0 0.255.255.255access-list 102 permit ip 10.1.1.0 0.0.0.255 192.0.0.0 0.255.255.255!route-map isp2 permit 10match ip address 102set ip next-hop 192.68.1.1!route-map isp1 permit 10match ip address 101set ip next-hop 172.68.1.1Enabling NAT Routemaps Outside-to-Inside Support: Example
The following example shows how to configure routemap A and routemap B to allow outside-to-inside translation for a destination-based NAT.
ip nat pool POOL-A 10.1.10.1 10.1.10.126 netmask 255.255.255.128ip nat pool POOL-B 10.1.20.1 10.1.20.126 netmask 255.255.255.128ip nat inside source route-map MAP-A pool POOL-A reversibleip nat inside source route-map MAP-B pool POOL-B reversible!ip access-list extended ACL-Apermit ip any 10.1.10.128 0.0.0.127ip access-list extended ACL-Bpermit ip any 10.1.20.128 0.0.0.127!route-map MAP-A permit 10match ip address ACL-A!route-map MAP-B permit 10match ip address ACL-BThe following example shows how to configure routemap R1 to allow outside-to-inside translation for static NAT:
ip nat inside source static 10.1.1.1 10.2.2.2 route-map R1 reversible!ip access-list extended ACL-Apermit ip any 10.1.10.128 0.0.0.127route-map R1 permit 10match ip address ACL-AConfiguring NAT Translation of External IP Addresses Only: Example
The following example shows how to translate the packet to an address that is able to be routed inside the internal network:
interface ethernet 3ip address 10.1.1.1 255.255.255.0ip nat outsideno ip mroute-cachemedia-type 10BaseT!interface Ethernet4ip address 192.168.15.1 255.255.255.0ip nat insideno ip mroute-cachemedia-type 10BaseT!router ripnetwork 10.0.0.0Network 192.168.15.0!ip nat outside source static network 10.1.1.0 192.168.251.0/24 no-payload!ip route 10.1.1.0 255.255.255.0 Ethernet4ip route 10.1.1.0 255.255.255.0 Ethernet3Configuration Examples for NAT Static IP Support
This section provides the following configuration examples:
•
•
Configuring NAT Static IP Support: Example
The following example shows how to enable static IP address support for the router at 192.168.196.51:
interface ethernet 1ip nat insideip nat allow-static-hostip nat pool xyz 172.1.1.1 172.1.1.10 netmask 255.255.255.0 accounting WLAN-ACCTip nat inside source list 1 pool net-208access-list 1 deny ip 192.168.196.51Creating a RADIUS Profile for NAT Static IP Support: Example
The following example shows how to create a RADIUS profile for use with the NAT Static IP Support feature:
aaa new-model
!
aaa group server radius WLAN-RADIUS
server 168.58.88.1 auth-port 1645 acct-port 1645
server 168.58.88.1 auth-port 1645 acct-port 1646
!
aaa accounting network WLAN-ACCT start-stop group WLAN-RADIUS
aaa session-id common
ip radius source-interface Ethernet3/0
radius-server host 172.58.88.1 auth-port 1645 acct-port 1646
radius-server key cisco
Configuration Examples for Rate Limiting NAT Translation
This section provides the following configuration examples:
•
•
•
•
•
Setting a Global NAT Rate Limit: Example
The following example shows how to limit the maximum number of allowed NAT entries to 300:
ip nat translation max-entries 300Setting NAT Rate Limits for a Specific VRF Instance: Example
The following example shows how to limit the VRF instance named "vrf1" to 150 NAT entries:
ip nat translation max-entries vrf vrf1 150Setting NAT Rate Limits for All VRF Instances: Example
The following example shows how to limit each VRF instance to 200 NAT entries:
ip nat translation max-entries all-vrf 200The following example shows how to limit the VRF instance named "vrf2" to 225 NAT entries, but limit all other VRF instances to 100 NAT entries each:
ip nat translation max-entries all-vrf 100ip nat translation max-entries vrf vrf2 225Setting NAT Rate Limits for Access Control Lists: Example
The following example shows how to limit the access control list named "vrf3" to 100 NAT entries:
ip nat translation max-entries list vrf3 100Setting NAT Rate Limits for an IP Address: Example
The following example shows how to limit the host at IP address 10.0.0.1 to 300 NAT entries:
ip nat translation max-entries host 127.0.0.1 300Where to Go Next
•
•
•
•
Additional References
The following sections provide references related to Configuring NAT for IP Address Conservation.
Related Documents
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Feature Information for Configuring NAT for IP Address Conservation
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(4)T, 12.2(4)2T, 12.3(13)T or later appear in the table.
Not all commands may be available in your Cisco IOS software release. For details on when support for specific commands was introduced, see the command reference documents.
Note
Table 1 Feature Information for Configuring NAT for IP Address Conservation
NAT Ability to Use Route Maps with Static Translation
12.2.(4)T
This feature provides a dynamic translation command that can specify a route map to be processed instead of an access list. A route map allows you to match any combination of access list, next-hop IP address, and output interface to determine which pool to use. The ability to use route maps with static translations enables NAT multihoming capability with static address translations.
The following section provides information about this feature:
•
NAT Default Inside Server
12.3(13)T
The NAT Default Inside Server feature provides for the need to forward packets from the outside to a specified inside local address.
The following section provides information about this feature:
NAT Routemaps Outside-to-Inside Support
12.3(14)T
The NAT Routemaps Outside-to-Inside Support feature enables the deployment of a NAT routemap configuration that will allow IP sessions to be initiated from the outside to the inside.
The following sections provide information about this feature:
•
•
NAT RTSP Support Using NBAR
12.3(7)T
The Real Time Streaming Protocol (RTSP) is a client-server multimedia presentation control protocol that supports multimedia application delivery. Some of the applications that use RTSP include Windows Media Services (WMS) by Microsoft, QuickTime by Apple Computer, and RealSystem G2 by RealNetworks.
The following section provides information about this feature:
NAT Static IP Support
12.3(7)T
The NAT Static IP Support feature provides support for users with static IP addresses, enabling those users to establish an IP session in a Public Wireless LAN environment.
The following sections provide information about this feature:
•
NAT Translation of External IP Addresses Only
12.2(4)T
12.2(4)T2Using the NAT Translation of External IP Addresses Only feature, NAT can be configured to ignore all embedded IP addresses for any application and traffic type.
The following sections provide information about this feature:
•
NAT Virtual Interface (NVI)
12.3(14)T
The NAT Virtual Interface (NVI) feature removes the requirement to configure an interface as either Network Address Translation (NAT) inside or NAT outside. An interface can be configured to use NAT or not use NAT.
The following sections provide information about this feature:
•
Rate Limiting NAT Translation
12.3(4)T
The Rate Limiting NAT Translation feature provides the ability to limit the maximum number of concurrent Network Address Translation (NAT) operations on a router. In addition to giving users more control over how NAT addresses are used, the Rate Limiting NAT Translation feature can be used to limit the effects of viruses, worms, and denial-of-service attacks.
The following sections provide information about this feature:
•
•
Configuring Support for ARP Ping in a Public Wireless LAN
12.4(6)T
The ARP Ping feature enables the NAT entry and the secure ARP entry to not be deleted when the static IP client exists in the network where the IP address is unchanged after authentication.
The following section provides information about this feature:
•
NAT Static and Dynamic Route Map Name-Sharing
15.0(1)M
The NAT Static and Dynamic Route Map Name-sharing feature provides the ability to configure static and dynamic NAT to share the same route map name, while enforcing precedence of static NAT over dynamic NAT.
The following section provides information about this feature:
•
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2005-2009 Cisco Systems, Inc. All rights reserved.
