-
When you configure Network Address Translation (NAT) on an interface, that interface becomes optimized for NAT packet flow.
Any nontranslated packet that flows through the NAT interface goes through a series of checks to determine whether the packet
must be translated. These checks increase the latency of nontranslated packet flows and thus negatively impact the
packet-processing latency of all packet flows through the NAT interface. We highly recommend that a NAT interface be used
only for NAT traffic. Separate any non-NAT packets and send them through an interface that does not have NAT configured on
it. You can use Policy-Based Routing (PBR) to separate non-NAT traffic.
-
NAT Virtual Interfaces (NVIs) are not supported in the Cisco IOS XE software.
-
In Cisco IOS XE software, NAT outside interfaces show up in the translation tables by default. This behavior causes
connections that originate from the outside interface of the device to fail. To restore connectivity, you must explicitly
deny the outside interface within the NAT ACL by using the deny command. After you add the deny entry, no translation is observed for the outside interface.
-
NAT is not practical if large numbers of hosts in the stub domain communicate outside of the domain.
-
Some applications use embedded IP addresses in such a way that translation by a NAT device is impractical. These applications
may not work transparently or at all through a NAT device.
-
In a NAT configuration, addresses configured for any inside mapping must not be configured for any outside mapping.
-
Do not configure the interface IP address as part of the IP address NAT pool.
-
By default, support for the Session Initiation Protocol (SIP) is enabled on port 5060, so NAT-enabled devices interpret
all packets on this port as SIP call messages. If other applications in the system use port 5060 to send packets, the NAT
service may corrupt those packets while attempting to interpret them as SIP call messages.
-
NAT hides the identity of hosts, which may be an advantage or a disadvantage depending on the needed result.
-
Devices that are configured with NAT must not advertise the local networks to the outside. However, routing information
that NAT receives from the outside can be advertised in the stub domain as usual.
-
NAT outside interface is not supported on a VRF. However, NAT outside interface is supported in iWAN and is part of the Cisco
Validated Design.
-
For VRF-aware NAT, remove the NAT configuration before you remove the VRF configuration.
-
If you specify an access list to use with a NAT command, NAT does not support the permit ip any any entry, even though this entry is commonly used in access lists.
-
This platform does not support an access list with a port range.
-
NAT configuration is not supported on the access side of the Intelligent Services Gateway (ISG).
-
Using any IP address that is configured on a device as an address pool or in a NAT static rule is not supported. NAT can share
the physical interface address (and no other IP address) of a device only through the NAT interface overload configuration.
A device uses the ports of its physical interface, and NAT must be told which of those ports it can safely use for
translation. This communication happens only when NAT interface overload is configured.
-
The output of the show ip nat statistics command displays information about all IP address pools and NAT mappings that you have configured. If your NAT configuration
has a high number of IP address pools and NAT mappings (for example, 1000 to 4000 NAT mappings), the pool and mapping statistics in the show ip nat statistics output update slowly.
-
Static and dynamic NAT with generic routing encapsulation (generic GRE) and dynamic NAT with Layer 2 do not work when used
along with hardware-based Cisco AppNav appliances such as Wide Area Application Services (WAAS). In the context of WAAS,
generic GRE is an out-of-path deployment mechanism: after optimization, it returns packets from the WAAS Wide-Area
Application Engine (WAE) through the GRE tunnel to the same device from which they were originally redirected.
-
Port Address Translation (PAT, also called NAT overload) supports only protocols whose port numbers are known: Internet
Control Message Protocol (ICMP), TCP, and UDP. Other protocols do not work with PAT because each consumes an entire address
from the address pool. Configure your access control list to permit only ICMP, TCP, and UDP, so that all other protocol
traffic is prevented from entering the network.
-
NAT, Zone-Based Policy Firewall, and Web Cache Communication Protocol (WCCP) cannot coexist in a network.
-
Non-PATable traffic is traffic for a protocol that has no ports. PAT (overload) can be performed only on protocols whose
ports are known, that is, UDP, TCP, and ICMP.
When NAT overload (PAT) is configured and non-PATable traffic hits the router, a non-PATable BIND entry is created for this
traffic. The following is such a bind entry in the NAT table:
--- 213.252.7.132 172.16.254.242 ---
This bind entry consumes an entire address from the pool. In this example, 213.252.7.132 is an address from an overloaded
pool.
That is, an inside local IP address is bound to an outside global IP address, similar to static NAT. Because of this
binding, other inside local IP addresses cannot use this global IP address until the current entry times out. All
translations created off this BIND are 1-to-1 translations instead of overload translations.
To avoid consuming an entire address from the pool, make sure that there are no entries for non-PATable traffic across
the router.
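A NAT ACL that applies both restrictions described above, the deny entry for the outside-interface address and the limit to port-carrying protocols, together with the interface-overload form that the device supports for sharing its own address. This is a constructed example, not configuration from the Cisco guide; the interface names, addresses and the ACL name are placeholders.

```cisco
! Constructed example (not from the Cisco guide). Interface names, addresses
! and the ACL name are placeholders chosen for illustration.
interface GigabitEthernet0/0/0
 description WAN (NAT outside)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0/1
 description LAN (NAT inside)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip access-list extended NAT-INSIDE
 remark The outside-interface address is denied first, so traffic the device
 remark itself originates from 203.0.113.1 never enters the translation table.
 deny   ip host 203.0.113.1 any
 remark Only protocols with port numbers are eligible for overload (PAT).
 remark Any other protocol would create a non-PATable BIND that takes a whole
 remark pool address, so nothing else is permitted. No "permit ip any any"
 remark and no port ranges, which NAT does not support in its ACL.
 permit tcp  10.0.0.0 0.0.0.255 any
 permit udp  10.0.0.0 0.0.0.255 any
 permit icmp 10.0.0.0 0.0.0.255 any
 deny   ip any any
!
! Interface overload is the only supported way to translate to the device's
! own physical interface address.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0/0 overload
```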
-
When configuring NAT with ACLs or route maps, the ACLs or route maps must not overlap. If they overlap, NAT cannot map to
the required translation.
-
Port Address Translation (PAT) over 64K Endpoint Dependent Mapping (EDM) is supported only in the classic NAT mode, not in
Carrier Grade Network Address Translation (CGN) mode or SD-WAN mode.
-
Virtual Routing and Forwarding (VRF) is not supported in PAT over 64K.
-
Password Authentication Protocol (PAP) mode is not supported in PAT over 64K.
-
Application Level Gateways (ALGs) are not supported in PAT over 64K.
-
You can use only ports 1024-65535, not ports 0-1023, in PAT over 64K.
-
When configuring a static NAT entry while dynamic NAT is already in use, first ensure that the IP address for the static
mapping doesn't overlap with the dynamic NAT addresses. If conflicts exist, update the ACL to deny those IP addresses and
clear any conflicting dynamic NAT entries from the translation table. Once resolved, add the static NAT configuration.
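The procedure above carried through as a constructed configuration example, not taken from the Cisco guide; the pool range, host addresses, and pool and ACL names are placeholders.

```cisco
! Constructed example; addresses, pool name and ACL name are placeholders.
!
! Existing dynamic NAT: inside hosts in 10.0.0.0/24 are overloaded onto a pool.
ip nat pool OUTSIDE-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip access-list extended NAT-DYN
 remark Exclude the host that will receive a static mapping, so that dynamic
 remark NAT never claims it again after the conflicting entry is cleared.
 deny   ip host 10.0.0.50 any
 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list NAT-DYN pool OUTSIDE-POOL overload
!
! Clearing the conflicting dynamic entry is a privileged EXEC command, not
! configuration; shown here as a comment. Use the global address that
! "show ip nat translations" currently lists for 10.0.0.50.
! clear ip nat translation inside 203.0.113.10 10.0.0.50
!
! The static global address 203.0.113.30 lies outside the dynamic pool range
! 203.0.113.10-20, so the static and dynamic mappings cannot overlap.
ip nat inside source static 10.0.0.50 203.0.113.30
```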