-
Cisco IOS IP Addressing Services Configuration Guide, Release 12.4
- Part 1: IP Addressing
- Part 2: ARP
-
Part 3: DHCP
-
DHCP Features Roadmap
-
DHCP Overview
-
Configuring the Cisco IOS DHCP Server
-
Configuring the DHCP Server On-Demand Address Pool Manager
-
Configuring the Cisco IOS DHCP Relay Agent
-
Configuring the Cisco IOS DHCP Client
-
Configuring DHCP Services for Accounting and Security
-
Configuring DHCP Enhancements for Edge Session Management
-
- Part 4: DNS
- Part 5: NHRP
- Part 6: NAT
Table Of Contents
Using Application Level Gateways with NAT
Prerequisites for Using Application Level Gateways with NAT
Information About Configuring Application Level Gateways with NAT
How to Configure Application Level Gateways with NAT
Benefits of Configuring NAT ALG
Voice and Multimedia over IP Networks
NAT Support for H.323 v3 and v4 in v2 Compatibility Mode
Configuring IPsec ESP Through NAT
Enabling SPI Matching on the NAT Device
Enabling SPI Matching on the Endpoints
Enabling Multi Part SDP Support for NAT
Deploying NAT Between an IP Phone and Cisco CallManager
NAT Support of Skinny Client Control Protocol
NAT Support of SCCP Fragmentation
Configuration Examples for Using Application Level Gateways with NAT
Configuring IPsec ESP Through NAT: Example
Enabling the Preserve Port: Example
Enabling SPI Matching: Example
Configuring SPI Matching on the Endpoint Routers: Example
Enabling Multi Part SDP Support for NAT: Example
Deploying NAT Between an IP Phone and Cisco CallManager: Example
Feature Information for Using Application Level Gateways with NAT
Using Application Level Gateways with NAT
First Published: May 2, 2005Last Updated: October 2, 2009
Network Address Translation (NAT) performs translation service on any Transmission Control Protocol/User Datagram Protocol (TCP/UDP) traffic that does not carry source and/or destination IP addresses in the application data stream. These protocols include HTTP, Trivial File Transfer Protocol (TFTP), telnet, archie, finger, Network TimeProtocol (NTP), Network File System (NFS), remote login (rlogin), remote shell protocol (rsh), and remote copy protocol (rcp). Specific protocols that do imbed IP address information within the payload require support of an Application Level Gateway (ALG).
The support for IPsec ESP Through NAT feature provides the ability to support multiple concurrent IP Security (IPsec) Encapsulating Security Payload (ESP) tunnels or connections through a Cisco IOS NAT device configured in Overload or Port Address Translation (PAT) mode.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Using Application Level Gateways with NAT" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Using Application Level Gateways with NAT
•
•
•
Prerequisites for Using Application Level Gateways with NAT
•
•
/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html
•
Information About Configuring Application Level Gateways with NAT
To configure ALGs with NAT, you should understand the following concept:
Application Level Gateway
An application level gateway is an application that translates IP address information inside the payload of an applications packet.
How to Configure Application Level Gateways with NAT
This section contains the following procedures:
•
•
•
Configuring IPsec Through NAT
This section contains the following tasks related to configuring IPsec through NAT:
•
•
•
•
•
Benefits of Configuring NAT ALG
•
•
•
•
IP Security
IP Security (IPsec) is a set of extensions to the IP protocol family in a framework of open standards for ensuring secure private communications over the Internet. Based on standards developed by the Internet Engineering Task Force (IETF), IPsec ensures confidentiality, integrity, and authenticity of data communications across the public network and provides cryptographic security services.
Secure tunnels between two peers, such as two routers, are provided and decisions are made as to which packets are considered sensitive and should be sent through these secure tunnels, and which parameters should be used to protect these sensitive packets by specifying characteristics of these tunnels. When the IPsec peer receives a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.
IPsec using ESP can pass through a router running NAT without any specific support from it as long as Network Address Port Translation (NAPT) or address overloading are not configured.
There are a number of factors to consider when attempting an IPsec Virtual Private Network (VPN) connection that traverses a NAPT device that represents multiple private internal IP addresses as a single public external IP address. Such factors include the capabilities of the VPN server and client, the capabilities of the NAPT device, and whether more than one simultaneous connection is attempted across the NAPT device.
There are two possible methods for configuring IPsec on a router with NAPT:
•
•
The recommended protocols to use when conducting IPsec sessions that traverse a NAPT device are TCP and UDP but not all VPN servers or clients support TCP or UDP.
SPI Matching
Security Parameter Index (SPI) matching is used to establish VPN connections between multiple pairs of destinations. NAT entries will immediately be placed in the translation table for endpoints matching the configured access list. SPI Matching is available only for endpoints that choose SPIs according to the predictive algorithm implemented in Cisco IOS Release 12.2(15)T.
Voice and Multimedia over IP Networks
SIP is a protocol developed by the Internet Engineering Task Force (IETF) Multiparty Multimedia Session Control (MMUSIC) Working Group. The Cisco SIP functionality equips Cisco routers to signal the setup of voice and multimedia calls over IP networks. SIP provides an alternative to H.323 within the Voice over IP (VoIP) internetworking software.
Session Description Protocol (SDP) is a protocol that describes multimedia sessions. SDP may be used in SIP message bodies to describe multimedia sessions used for creating and controlling multimedia sessions with two or more participants.
The NAT Support for SIP feature allows SIP embedded messages passing through a router configured with NAT to be translated and encoded back to the packet. An ALG is used with NAT to translate the SIP or SDP messages.
NAT Support of H.323 v2 RAS
Cisco IOS NAT supports all H.225 and H.245 message types, including those sent in the Registration, Admission, and Status (RAS) protocol. RAS provides a number of messages that are used by software clients and Voice over IP (VoIP) devices to register their location, request assistance in call setup, and control bandwidth. The RAS messages are directed toward an H.323 gatekeeper.
Some RAS messages include IP addressing information in the payload, typically meant to register a user with the gatekeeper or learn about another user already registered. If these messages are not known to NAT, they cannot be translated to an IP address that will be visible to the public.
Previously, NAT did not support H.323 v2 RAS messages. With this enhancement, embedded IP addresses can be inspected for potential address translation.
NAT Support for H.323 v3 and v4 in v2 Compatibility Mode
H.323 is an ITU-T specification for transmitting audio, video, and data across a packet network. Four versions of the H.323 protocols are currently in use: v1, v2, v3, and v4. The NAT Support for H.323 v3 and v4 in v2 Compatibility Mode feature enables Cisco NAT routers to support messages coded in H.323 v3 and v4 when those messages contain fields compatible with H.323 v2. This feature does not add support for H.323 capabilities introduced in v3 and v4, such as new message types or new fields that require address translation.
NAT H.245 Tunneling Support
NAT H.245 tunneling allows H.245 tunneling in H.323 ALGs. NAT H.245 tunneling provides a mechanism for supporting H.245 tunnel message which are needed to create a media channel setup.
In order for an H.323 call to take place, an H.225 connection on TCP port 1720 needs to be opened. When the H.225 connection is opened, the H.245 session is initiated and established. This connection can take place on a separate channel from the H.225 or it can be done using H.245 tunneling on the same H.225 channel whereby the H.245 messages are embedded in the H.225 messages and sent on the previously established H.225 channel.
If the H.245 tunneled message is not understood, the media address or port is going to be left untranslated by the Cisco IOS NAT resulting in failure in media traffic. H.245 FastConnect procedures will not help because FastConnect is terminated as soon as an H.245 tunneled message is sent.
Restrictions
•
Configuring IPsec ESP Through NAT
IPsec ESP Through NAT provides the ability to support multiple concurrent IPsec ESP tunnels or connections through a Cisco IOS NAT device configured in Overload or PAT mode.
Perform this task to configure IPsec ESP through NAT.
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Enabling Preserve Port
This task is used for IPsec traffic using port 500 for the source port. Perform this task to enable port 500 to be preserved for the source port.
Restrictions
This task is required by certain VPN concentrators. Cisco VPN devices generally do not use this feature.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Enabling SPI Matching on the NAT Device
Note
Security parameter index (SPI) matching is used to establish VPN connections between multiple pairs of destinations. NAT entries are immediately placed in the translation table for endpoints matching the configured access list. SPI Matching is available only for endpoints that choose SPIs according to the predictive algorithm implemented in Cisco IOS Release 12.2(15)T.
The generation of SPIs that are predictable and symmetric is enabled. SPI Matching should be used in conjunction with NAT devices when multiple ESP connections across a NAT device are desired.
Prerequisites
Cisco IOS software must be running on both the source router and the remote gateway enabling parallel processing.
Restrictions
SPI Matching must be configured on the NAT device and both endpoint devices.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Enabling SPI Matching on the Endpoints
Perform this task to enable SPI Matching on both endpoints.
Prerequisites
Cisco IOS software must be running on both the source router and the remote gateway enabling parallel processing.
Restrictions
SPI Matching must be configured on the NAT device and both endpoint devices.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Enabling Multi Part SDP Support for NAT
The Multi Part SDP Support for NAT feature provides support for multi part SDP in SIP ALG for the Advanced NAT portfolio. Multi Part SDP support for NAT is disabled by default.
Perform this task to enable multi part support for NAT.
Restrictions
•
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Deploying NAT Between an IP Phone and Cisco CallManager
This section describes deploying Cisco's Skinny Client Control Protocol (SCCP) for a Cisco IP phone to Cisco CallManager (CCM) communication. The task in this section deploys NAT between an IP phone and CCM.
NAT Support of Skinny Client Control Protocol
Cisco IP phones use the SCCP to connect with and register to CCM.
To be able to deploy Cisco IOS NAT between the IP phone and CCM in a scalable environment, NAT needs to be able to detect the SCCP and understand the information passed within the messages. Messages flow back and forth that include IP address and port information used to identify other IP phone users with which a call can be placed.
The SCCP client to CCM communication typically flows from inside to outside. DNS should be used to resolve the CCM IP address connection when the CCM is on the inside (behind the NAT device), or static NAT should be configured to reach the CCM in the inside.
When an IP phone attempts to connect to the CCM and it matches the configured NAT rules, NAT will translate the original source IP address and replace it with one from the configured pool. This new address will be reflected in the CCM and be visible to other IP phone users.
NAT Support of SCCP Fragmentation
Skinny control messages are exchanged over TCP. If either the IP phone or CCM has been configured to have TCP maximum segment size (MSS) lower than the skinny control message payload, the skinny control message will be segmented across multiple TCP segments. Prior to this feature skinny control message exchanges would fail in a TCP segmentation scenario because NAT skinny ALG was not able to reassemble the skinny control messages. The NAT SCCP Fragmentation Support feature adds support for TCP segments for NAT skinny ALG. A fragmented payload that requires an IP or port translation will no longer be dropped.
Skinny control messages can also be IP fragmented but they are supported using Virtual Fragmentation Reassembly (VFR).
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Configuration Examples for Using Application Level Gateways with NAT
This section provides the following configuration examples:
•
•
•
•
•
•
Configuring IPsec ESP Through NAT: Example
The following example shows NAT configured on the Provider Edge (PE) router with a static route to the shared service for the gold and silver Virtual Private Networks (VPNs). NAT is configured as inside source static 1- to-1 translations.
ip nat pool outside 192.0.2.1 192.0.2.14 netmask 255.255.255.0ip nat outside source list 1 pool mypoolaccess-list 1 permit 192.0.2.3 0.0.0.255ip nat inside source static 192.0.2.23 192.0.2.22 vrf goldip nat inside source static 192.0.2.21 192.0.2.2 vrf silverEnabling the Preserve Port: Example
The following example shows how to configure TCP port 500 of the third-party concentrator. Access list 10 is configured:
ip nat service list 10 ike preserve-portaccess-list 10 permit 10.1.1.1Enabling SPI Matching: Example
The following example shows how to enable SPI Matching. Access list 10 is configured:
ip nat service list 10 esp spi-matchaccess-list 10 permit 10.1.1.1Configuring SPI Matching on the Endpoint Routers: Example
The following example show how to enable SPI Matching on the endpoint routers:
crypto ipsec nat-transparency spi-matching
Enabling Multi Part SDP Support for NAT: Example
The following example shows how to enable multi part SDP support for NAT:ip nat service allow-multipartDeploying NAT Between an IP Phone and Cisco CallManager: Example
The following example shows how to configure the 20002 port of the CallManager:
ip nat service skinny tcp port 20002Where to Go Next
•
•
•
•
Additional References
The following sections provide references related to using application level gateways with NAT.
Related Documents
NAT commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
Technical Assistance
Feature Information for Using Application Level Gateways with NAT
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or later appear in the table.
For information on a feature in this technology that is not documented here, see the "Configuring Network Address Translation Features Roadmap" or other available documentation for your Cisco IOS release.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 Feature Information for Using Application Level Gateways with NAT
The NAT Support for IPsec ESP— Phase II feature
12.2(15)T
The NAT Support for IPsec ESP— Phase II feature provides support for Internet Key Exchange (IKE) and ESP without encapsulation in tunnel mode through a Cisco IOS router configured with NAPT.
The following sections provide information about this feature:
•
NAT Support for SIP feature
12.2(8)T
NAT Support for SIP adds the ability to deploy Cisco IOS NAT between VoIP solutions based on SIP.
The following section provides information about this feature:
NAT Support for H.323 v2 RAS feature
12.2(2)T
Cisco IOS NAT supports all H.225 and H.245 message types, including those sent in the RAS protocol.
The following section provides information about this feature:
Support for IPsec ESP Through NAT
12.2(13)T
IPsec ESP Through NAT provides the ability to support multiple concurrent IP Security (IPsec) Encapsulating Security Payload (ESP) tunnels or connections through a Cisco IOS Network Address Translation (NAT) device configured in Overload or Port Address Translation (PAT) mode.
The following section provides information about this feature:
NAT Support for H.323 v3 and v4 in v2 Compatibility Mode
12.3(2)T
The NAT Support for H.323 v3 and v4 in v2 Compatibility Mode feature enables Cisco NAT routers to support messages coded in H.323 v3 and v4 when those messages contain fields compatible with H.323 v2. This feature does not add support for H.323 capabilities introduced in v3 and v4, such as new message types or new fields that require address translation.
The following section provides information about this feature:
•
NAT H.245 Tunneling Support
12.3(11)T
The NAT H.245 Tunneling Support feature allows H.245 tunneling in H.323 Application Level Gateways (ALGs).
The following section provides information about this feature:
NAT SCCP Fragmentation Support
12.4(6)T
The NAT SCCP Fragmentation Support feature adds support for TCP segments for NAT skinny ALG. A fragmented payload that requires an IP or port translation will no longer be dropped.
The following section provides information about this feature:
Multi Part SDP Support for NAT
15.0(1)M
The Multi Part SDP Support for NAT feature adds support for multi part SDP in SIP ALG for the Advanced NAT Portfolio. This feature is disabled by default.
The following section provides information about this feature:
•
The following commands were modified by this feature: debug ip nat, ip nat service.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
© 2005-2009 Cisco Systems, Inc. All rights reserved.
