This data sheet provides an overview of the Network Address Translation features available in select Cisco IOS® Software images.
Network Address Translation (NAT) simplifies and conserves IP addresses. It enables private IP networks to connect to the Internet using unregistered IP addresses (in the private address space specified in RFC 1918). NAT operates on a router, usually connecting two networks together, and is used to translate the private addresses in the internal network into legal routable addresses, before packets are forwarded to another network, because ISPs will not route RFC 1918 addresses. NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that one address. This capability is called Port Address Translation (PAT) and is also referred to as "overloading" (Figure 1). NAT offers the dual functions of security and address conservation, and is typically implemented in remote-access environments at the edge of the network where an enterprise connects to its ISP.
The NAT function available in Cisco IOS Software offers the following benefits:
• IP address preservation
• Easy management
• IP address and application privacy
Cisco IOS NAT Features
• Static address translation: You can establish one-to-one mapping between local and global addresses. You can also configure static address translations to the port level, and use the remainder of the routable IP address for other translations; this is typically performed in conjunction with PAT.
• Dynamic address translation: You can establish dynamic mapping between the local and global addresses. This is done by defining the local addresses to be translated and defining the pool of addresses from which to allocate global addresses, and associating the two.
• Match host: This capability allows you to configure NAT to assign the same host portion of an IP address and only translate the network prefix portion of the IP address. This is useful where you are using the host portion as a means to identify or number users uniquely.
Port Address Translation
Figure 1. Basic Concepts of PAT
The PAT feature, a subset of NAT functionality, can be used to translate several internal addresses into only one or a few external addresses. PAT uses unique source port numbers on the private global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the original source port number. If this number is already allocated then PAT will attempt to find the first available port number starting from the beginning of the appropriate port group 0-511, 512-1023, or 1024-655351. If there is still no port number available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address in the pool and try to allocate the original source port number again. This continues until it runs out of available ports and IP addresses.
PAT offers the following capabilities:
• Provides many-to-one address translation
• Maps multiple IP addresses to one or a few IP addresses
• Identifies a unique source port number in each session
• Conserves registered IP addresses
Destination Address Rotary Translation
A dynamic form of destination translation can be configured for some outside-to-inside traffic. After a mapping is set up, a destination address matching one of those on an access control list (ACL) will be replaced with an address from a rotary pool. Allocation is done on a round-robin basis, performed only when a new connection is opened from the outside to the inside. All non-TCP traffic is passed untranslated (unless other translations are in effect). This feature was designed to provide protocol-translation load distribution. It is not designed nor intended to be used as a substitute technology for the Cisco® LocalDirector appliance and software. Destination-address rotary translation should not be used to provide Web service load balancing because, like basic Domain Name System (DNS), it knows nothing about service availability. As a result, if a Web server were to go offline, the destination-address rotary translation feature would continue to send requests to the unavailable server. For more information, please visit http://www.cisco.com/warp/public/732/Tech/ipservices/natalgs.pdf.
Cisco NAT is available in Advanced Security, Advanced Enterprise, and Advanced IP Services software images for all currently supported Cisco access router platforms, Cisco 7200 Series Routers, and the Cisco 7301 Router (Table 1). The default Security Router Bundle includes the appropriate Cisco IOS Software image, along with enough memory and storage to support NAT features and other threat-defense capabilities.
1Group starts at 0 for ICMP, but 1 for all other applications. As of DDTS CSCdm05636, the number of port groups changed from four to three. As of DDTS CSCed93887 Cisco IOS Software Releases 12.3(09.10) Mainline and 12.3(09.10)T, each PAT IP address can accommodate all 64,000 ports for IPsec sessions using the NAT-T UDP wrapper. The new CLI command required is "ip nat service full range udp port 500". With this new feature, PAT can allocate a maximum of 65536 ports.