IP Addressing Services

This document provides answers to some of the more frequently asked questions about Cisco IOS® Network Address Translation (NAT).

A. Network Address Translation (NAT) is designed for IP address simplification and conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses, before packets are forwarded to another network. As part of this capability, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that address. NAT offers the dual functions of security and address conservation, and is typically implemented in remote-access environments.

A. Routing for IP addresses created by NAT is learned if:

• The inside global address pool is derived from the subnet of a next-hop router.
• Static route entry is configured in the next-hop router and redistributed within the routing network.

A. The NAT session limit is bounded by the amount of available DRAM in the router. Each NAT translation consumes about 312 bytes in DRAM. As a result, 10,000 translations (more than would generally be handled on a single router) would consume about 3 MB. Therefore, typical routing hardware has more than enough memory to support thousands of NAT translations.

A. Cisco IOS NAT supports Cisco Express Forwarding switching, fast switching, and process switching. Performance depends on several factors:

• The type of application and its type of traffic
• Whether IP addresses are embedded
• Exchange and inspection of multiple messages
• Source port required
• The number of translations
• Other applications running at the time
• The type of hardware and processor

For most applications, degradation of performance due to NAT should be negligible.

A. Yes. Source and/or destination NAT translations can be applied to any interface or subinterfaces having an IP address (including dialer interfaces).

A. No. In this scenario, the standby router would not have the translation table of the active router. When the cutover occurs, connections will time out and fail.

A. Yes.

A. Yes. This can be accomplished through the use of an access list that describes the set of hosts or networks that require NAT. All sessions on the same host will either be translated or will pass through the router and not be translated.

Access lists, extended access lists, and route maps can be used to define "rules" by which IP devices get translated. The network address and appropriate subnet mask should always be specified. The keyword "any" should not be used in place of the network address or subnet mask.

Sample NAT Configuration Rules

NAT Translation Configuration	Comment
ip nat inside source static 10.1.1.10 140.16.1.254	! Static translation for ns.bar.com DNS server
ip nat outside source static 10.1.1.10 192.168.1.254	! Static translation for ns.foo.com DNS server
ip nat pool iga 140.16.1.1 140.16.1.253 netmask 255.255.255.0	! Dynamic IL->IG address xlations
ip nat pool ola 192.168.1.1 192.168.1.253 netmask 255.255.255.0	! Dynamic OG->OL address xlations
ip nat inside source list 1 pool iga	! NAT Translation rule for inside traffic to be NAT'd, for which inside addresses and to what will they be NAT'd
ip nat outside source list 2 pool ola	! NAT Translation rule for outside traffic to be NAT'd, for which inside addresses and to what will they be NAT'd
access-list 1 permit 10.2.17.0 .255.255.255.0	! Translate all traffic from 10.2.17 internal hosts
access-list 2 permit 10.0.0.0 255.0.0.0	! Translate all externally originated traffic

A. PAT, or overloading, is a feature of Cisco IOS NAT and can be used to translate "internal" (inside local) private addresses to one or more "outside" (inside global, usually registered) IP addresses. Unique source port numbers on each translation are used to distinguish between the conversations. With NAT overload, a translation table entry containing full address and source port information is created.

A. PAT (overloading) divides the available ports per global IP address into three ranges: 0-511, 512-1023, and 1024-65535. PAT assigns a unique source port for each UDP or TCP session. It will attempt to assign the same port value of the original request, but if the original source port has already been used, it will start scanning from the beginning of the particular port range to find the first available port and will assign it to the conversation.

A. PAT works with either one IP address or multiple addresses.

• PAT with one IP address:
  1. NAT/PAT inspects traffic and matches it to a translation rule.
  2. Rule matches to a PAT configuration.
  3. If PAT knows about the traffic type, and that traffic type has "a set of specific ports or ports it negotiates" that it will use, PAT sets them aside and does not allocate them as unique identifiers.
  4. If a session with no special port requirements attempts to connect out, PAT translates the IP source address and checks availability of the originated source port (433, for example).

     Note: For Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), the ranges are: 1-511, 512-1023, 1024-65535. For Internet Control Message Protocol (ICMP), the first group starts at 0.

  5. If the requested source port is available, PAT assigns the source port, and the session continues.
  6. If the requested source port is not available, NAT starts searching from the beginning of the relevant group (starting at 1 for TCP or UDP applications, and from 0 for ICMP).
  7. If a port is available it is assigned, and the session continues.
  8. If no ports are available, the packet is dropped.
• PAT with multiple IP addresses:

  Note: The first seven conditions are the same as with a single IP address.

  1. If no ports are available in the relevant group on the first IP address, NAT flips to the next IP address in the pool and tries to allocate the original source port requested.
  2. If the requested source port is available, NAT assigns the source port and the session continues.
  3. If the requested source port is not available, NAT starts searching from the beginning of the relevant group (starting at 1 for TCP or UDP applications, and from 0 for ICMP).
  4. If a port is available, it is assigned and the session continues
  5. If no ports are available, the packet is dropped, unless another IP address is available in the pool.

A. NAT IP pools are a range of IP addresses that are allocated for NAT translation as needed. In order to define a pool, the configuration command is used:

ip nat pool <name> <start-ip> <end-ip> { netmask <netmask>
| prefix-length <prefix-length> } [ type { rotary } ]

A. In practical use, the maximum number of configurable IP pools is limited by the amount of available DRAM being used in the particular router. It is highly recommended that a pool of size 255 is configured.

A. Static NAT translations have one-to-one mapping between local and global addresses. Users can also configure static address translations to the port level, and use the remainder of the IP address for other translations. This typically occurs where you are performing Port Address Translation (PAT).

A. In dynamic NAT translations, the users can establish dynamic mapping between local and global addresses. This is done by describing the local addresses to be translated and the pool of addresses from which to allocate global addresses, and associating the two.

A. The subnet mask is used to double-check the addresses allocated from the pool. For example, the subnet broadcast address does not get allocated. The subnet mask must match the size of the subnet into which it is translated.

A. Yes. The NAT router will answer Address Resolution Protocol (ARP) requests for these IP addresses in the dynamic pool.

A. Yes.

A. Application traffic is transparent to Cisco IOS NAT unless:

• There are embedded IP addresses in the data portion.
• An application requires preset or negotiated source/destination port values.

Cisco IOS NAT performs stateful inspection and needs to have previous knowledge of all applications that embed or require specific source ports. For instance, Cisco supports the translation of embedded IP addresses in DNS "A and PTR" records, FTP, and NetMeeting v2.11 (4.3.2519) and 3.01 (4.4.3385) by setting aside the source port values they require. Cisco will not assign those source port values when using the PAT feature of Cisco IOS NAT.

With embedded IP addresses, Cisco IOS NAT needs to know the messages that contain embedded addresses and the offset within these messages. If the embedded addresses match the configured rules, they will be translated according to the configuration. An application that embeds IP addresses that Cisco IOS NAT does not know about will not work properly in a Cisco IOS NAT configuration.

There is an exception. When a tunneling protocol such as Point-to-Point Tunneling Protocol (PPTP) is used, the embedded IP addresses of the tunneled packets will not be translated, but it is assumed that users who are connecting back to their corporate networks using PPTP would be using the IP addressing scheme of the corporate network, so NAT would not need to be applied to any embedded messages. If those users then want to access the outside world through their corporate networks, they might choose to apply NAT at that point.

Embedded IP addresses are an issue regardless of the types of translation that have been configured with Cisco IOS NAT (simple or extended overload, for example). Pre-set or negotiated source port values are an issue only when the PAT feature of Cisco IOS NAT is used. PAT multiplexes multiple IP conversations over one or more IP addresses and uses the source port to uniquely identify conversations on each IP address. The PAT feature needs to set aside all specific port values that Cisco has awareness for, in case it gets a conversation for those application types (FTP or NetMeeting, for example).

A. The SNMP packet format depends on the particular MIB being used and is not self-describing. There is no single format for SNMP requests and responses that can be processed in a general fashion.

A. Yes. Cisco IOS NAT will translate the addresses that appear in DNS responses to name lookups (A queries) and inverse lookups (PTR queries). Therefore, if an outside host sends a name lookup to a DNS server on the inside, and that server responds with a local address, the NAT code will translate that local address to a global address. The opposite is also true. This is how Cisco supports IP addresses overlapping: an inside host queries an outside DNS server and the response contains an address that matches the access list specified on the outside source command, so the code translates the outside global address to an outside local address.

Time-to-live (TTL) values on all DNS resource records, which receive address translations in resource records payloads, are automatically set to zero.

Cisco IOS NAT does not translate IP addresses embedded in DNS zone transfers.

A. Session Initiation Protocol (SIP) is an ASCII-based, application-layer control protocol that can be used to establish, maintain, and terminate calls between two or more endpoints. SIP is an alternative protocol developed by the Internet Engineering Task Force (IETF) for multimedia conferencing over IP. The Cisco SIP implementation enables supported Cisco platforms to signal the setup of voice and multimedia calls over IP networks.

A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support the use of any or all packets in the ACLs used by NAT. If any or all packets are used, then unexpected behavior can occur.

A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support ACLs with a "log" keyword.

A. PAT is also knows as NAT Overload. PAT technology allows the NAT-enabled router to permit access to the Internet through the public IP address given by the service provider. PAT is a type of NAT, hence it can work simultaneously on a single router.

A. The term longest chain refers to the size of a data structure that is used internally when route-map is configured with NAT. The maximum value that can be seen in the ouput is 2048. It does not cause any problems even if it reaches maximum value.

A. NAT translates public IP addresses to private address pools, and private addresses to public IP addresses, so SVI is typically used as a NAT inside interface.

A. With Bi-directional NAT, it is possible to initiate sessions from hosts in the public network and the private network. Private network addresses are bound to globally unique addresses, statically or dynamically as you establish connections in either direction.

A. Dynamic translations time out after a period of non-use. When port translation is not configured, translation entries times out after 24 hours. This time can be adjusted with these command variations:

ip nat translation udp-timeout [seconds]
ip nat translation dns-timeout [seconds] 
ip nat translation tcp-timeout [seconds]
ip nat translation finrst-timeout [seconds]

When port translation is configured, there is finer control over translation entry timeouts because each entry contains more context about the traffic that uses it. Non-DNS UDP translations time out after five minutes; DNS times out in one minute. TCP translations time out after 24 hours, unless a RST or FIN is seen on the stream, in which case it times out in one minute.