|
|
This chapter describes the commands that enable the Network Address Translation (NAT) feature, which allows an organization's IP network to appear from the outside to use different IP address space than what it is actually using.
For configuration tasks and examples, refer to the chapter "Configuring Network Address Translation" in the Dial Solutions Configuration Guide.
To clear dynamic Network Address Translation (NAT) translations from the translation table, use the clear ip nat translation EXEC command.
clear ip nat translation {* | [inside global-ip local-ip] [outside local-ip global-ip]}| * | Clears all dynamic translations. |
| inside global-ip | (Optional) When used without the arguments protocol, global-port, and local-port, clears a simple translation that also contains the specified local-ip address. When used with the arguments protocol, global-port, and local-port, clears an extended translation. |
| outside local-ip | (Optional) Clears an entry that contains this local IP address and the specified global-ip address. |
| protocol | (Optional) Clears an entry that contains this protocol and the specified global-ip address, local-ip address, global-port, and local-port. |
| global-port | (Optional) Clears an entry that contains this global-port and the specified protocol, global-ip address, local-ip address, and local-port. |
| local-port | (Optional) Clears an entry that contains this local-port and the specified protocol, global-ip address, local-ip address, and global-port. |
EXEC
This command first appeared in Cisco IOS Release 11.2.
Use this command to clear entries from the translation table before they time out.
The following example shows the NAT entries before and after the UDP entry being cleared:
router#show ip nat translationPro Inside global Inside local Outside local Outside global udp 171.69.233.209:1220 192.168.1.95:1220 171.69.2.132:53 171.69.2.132:53 tcp 171.69.233.209:11012 192.168.1.89:11012 171.69.1.220:23 171.69.1.220:23 tcp 171.69.233.209:1067 192.168.1.95:1067 171.69.1.161:23 171.69.1.161:23 router#clear ip nat translation udp inside 171.69.233.209 1220 192.168.1.95 1220171.69.2.132 53 171.69.2.132 53router#show ip nat translationPro Inside global Inside local Outside local Outside global tcp 171.69.233.209:11012 192.168.1.89:11012 171.69.1.220:23 171.69.1.220:23 tcp 171.69.233.209:1067 192.168.1.95:1067 171.69.1.161:23 171.69.1.161:23
You can use the master indexes or search online to find documentation of related commands.
ip nat
ip nat inside destination
ip nat inside source
ip nat outside source
ip nat pool
ip nat translation
show ip nat statistics
show ip nat translations
To designate that traffic originating from or destined for the interface is subject to Network Address Translation (NAT), use the ip nat interface configuration command. To prevent the interface from being able to translate, use the no form of this command.
ip nat {inside | outside}| inside | Indicates the interface is connected to the inside network (the network subject to NAT translation). |
| outside | Indicates the interface is connected to the outside network. |
Traffic leaving or arriving at this interface is not subject to network address translation.
Interface configuration
This command first appeared in Cisco IOS Release 11.2.
Only packets moving between "inside" and "outside" interfaces can be translated. You must specify at least one inside interface and outside interface for each border router where you intend to use NAT.
The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 networks to the globally unique 171.69.233.208/28 network:
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28 ip nat inside source list 1 pool net-208 ! interface ethernet 0 ip address 171.69.232.182 255.255.255.240 ip nat outside ! interface ethernet 1 ip address 192.168.1.94 255.255.255.0 ip nat inside ! access-list 1 permit 192.168.1.0 0.0.0.255 access-list 1 permit 192.168.2.0 0.0.0.255
You can use the master indexes or search online to find documentation of related commands.
clear ip nat translation
ip nat inside destination
ip nat inside source
ip nat outside source
ip nat pool
ip nat translation
show ip nat statistics
show ip nat translations
To enable Network Address Translation (NAT) of the inside destination address, use the ip nat inside destination global configuration command. To remove the dynamic association to a pool, use the no form of this command.
ip nat inside destination list {access-list-number | name} pool name| list access-list-number | Standard IP access list number. Packets with destination addresses that pass the access list are translated using global addresses from the named pool. |
| list name | Name of a standard IP access list. Packets with destination addresses that pass the access list are translated using global addresses from the named pool. |
| pool name | Name of the pool from which global IP addresses are allocated during dynamic translation. |
No inside destination addresses are translated.
Global configuration
This command first appeared in Cisco IOS Release 11.2.
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.
Alternatively, the syntax form with the keyword static establishes a single static translation.
The following example translates between inside hosts addressed to either the 192.168.1.0 or 192.168.2.0 networks to the globally unique 171.69.233.208/28 network:
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28 ip nat inside destination list 1 pool net-208 ! interface ethernet 0 ip address 171.69.232.182 255.255.255.240 ip nat outside ! interface ethernet 1 ip address 192.168.1.94 255.255.255.0 ip nat inside ! access-list 1 permit 192.168.1.0 0.0.0.255 access-list 1 permit 192.168.2.0 0.0.0.255
You can use the master indexes or search online to find documentation of related commands.
clear ip nat translation
ip nat
ip nat inside source
ip nat outside source
ip nat pool
ip nat translation
show ip nat statistics
show ip nat translations
To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source global configuration command. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.
ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip| list access-list-number | Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool. |
| list name | Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool. |
| pool name | Name of the pool from which global IP addresses are allocated dynamically. |
| overload | (Optional) Enables the router to use one global address for many local addresses. When overloading is configured, each inside host's TCP or UDP port number distinguishes between the multiple conversations using the same local IP address. |
| static local-ip | Sets up a single static translation; this argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete. |
| global-ip | Sets up a single static translation; this argument establishes the globally unique IP address of an inside host as it appears to the outside world. |
No NAT translation of inside source addresses occurs.
Global configuration
This command first appeared in Cisco IOS Release 11.2.
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.
Alternatively, the syntax form with the keyword static establishes a single static translation.
The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 networks to the globally unique 171.69.233.208/28 network:
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28 ip nat inside source list 1 pool net-208 ! interface ethernet 0 ip address 171.69.232.182 255.255.255.240 ip nat outside ! interface ethernet 1 ip address 192.168.1.94 255.255.255.0 ip nat inside ! access-list 1 permit 192.168.1.0 0.0.0.255 access-list 1 permit 192.168.2.0 0.0.0.255
You can use the master indexes or search online to find documentation of related commands.
clear ip nat translation
ip nat
ip nat inside destination
ip nat outside source
ip nat pool
ip nat translation
show ip nat statistics
show ip nat translations
To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source global configuration command. To remove the static entry or the dynamic association, use the no form of this command.
ip nat outside source {list {access-list-number | name} pool name | static global-ip local-ip}| list access-list-number | Standard IP access list number. Packets with source addresses that pass the access list are translated using global addresses from the named pool. |
| list name | Name of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool. |
| pool name | Name of the pool from which global IP addresses are allocated. |
| static global-ip | Sets up a single static translation. This argument establishes the globally unique IP address assigned to a host on the outside network by its owner. It was allocated from globally routable network space. |
| local-ip | Sets up a single static translation. This argument establishes the local IP address of an outside host as it appears to the inside world. The address was allocated from address space routable on the inside (RFC 1918). |
No translation of source addresses coming from the outside to the inside network occurs.
Global configuration
This command first appeared in Cisco IOS Release 11.2.
You might have IP addresses that are not legal, officially assigned IP addresses. Perhaps you chose IP addresses that officially belong to another network. The case of an address used illegally and legally is called overlapping. You can use NAT to translate inside addresses that overlap with outside addresses. Use this feature if your IP addresses in the stub network happen to be legitimate IP addresses belonging to another network, and you need to communicate with those hosts or routers.
This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.
Alternatively, the syntax form with the keyword static establishes a single static translation.
The following example would translate between inside hosts addressed from the 9.114.11.0 network to the globally unique 171.69.233.208/28 network. Further packets from outside hosts addressed from the 9.114.11.0 network (the true 9.114.11.0 network) are translated to appear to be from the network 10.0.1.0/24.
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28 ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24 ip nat inside source list 1 pool net-208 ip nat outside source list 1 pool net-10 ! interface ethernet 0 ip address 171.69.232.182 255.255.255.240 ip nat outside ! interface ethernet 1 ip address 9.114.11.39 255.255.255.0 ip nat inside ! access-list 1 permit 9.114.11.0 0.0.0.255
You can use the master indexes or search online to find documentation of related commands.
clear ip nat translation
ip nat
ip nat inside destination
ip nat inside source
ip nat pool
ip nat translation
show ip nat statistics
show ip nat translations
To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool global configuration command. To remove one or more addresses from the pool, use the no form of this command.
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}| name | Name of the pool. |
| start-ip | Starting IP address that defines the range of addresses in the address pool. |
| end-ip | Ending IP address that defines the range of addresses in the address pool. |
| netmask netmask | Network mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. Specify the netmask of the network to which the pool addresses belong. |
| prefix-length prefix-length | Number that indicates how many bits of the netmask are ones (how many bits of the address indicate network). Specify the netmask of the network to which the pool addresses belong. |
| type rotary | (Optional) Indicates that the range of address in the address pool identify real, inside hosts among which TCP load distribution will occur. |
No pool of addresses is defined.
Global configuration
This command first appeared in Cisco IOS Release 11.2.
This command defines a pool of addresses using start address, end address, and either netmask or prefix length. The pool could define either an inside global pool, an outside local pool, or a rotary pool.
The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 networks to the globally unique 171.69.233.208/28 network:
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28 ip nat inside source list 1 pool net-208 ! interface ethernet 0 ip address 171.69.232.182 255.255.255.240 ip nat outside ! interface ethernet 1 ip address 192.168.1.94 255.255.255.0 ip nat inside ! access-list 1 permit 192.168.1.0 0.0.0.255 access-list 1 permit 192.168.2.0 0.0.0.255
You can use the master indexes or search online to find documentation of related commands.
clear ip nat translation
ip nat
ip nat inside destination
ip nat inside source
ip nat outside source
ip nat translation
show ip nat statistics
show ip nat translations
To change the amount of time after which Network Address Translation (NAT) translations time out, use the ip nat translation global configuration command. To disable the timeout, use the no form of this command.
ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout} seconds| timeout | Specifies that the timeout value applies to dynamic translations except for overload translations. Default is 86400 seconds (24 hours). |
| udp-timeout | Specifies that the timeout value applies to the UDP port. Default is 300 seconds (5 minutes). |
| dns-timeout | Specifies that the timeout value applies to connections to the Domain Name System (DNS). Default is 60 seconds. |
| tcp-timeout | Specifies that the timeout value applies to the TCP port. The default is 86400 seconds (24 hours). |
| finrst-timeout | Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. Default is 60 seconds. |
| seconds | Number of seconds after which the specified port translation times out. Default values are listed in the Default section. |
timeout is 86400 seconds (24 hours)
udp-timeout is 300 seconds (5 minutes)
dns-timeout is 60 seconds (1 minute)
tcp-timeout is 86400 seconds (24 hours)
finrst-timeout is 60 seconds (1 minute)
Global configuration
This command first appeared in Cisco IOS Release 11.2.
When port translation is configured, there is finer control over translation entry timeouts because each entry contains more context about the traffic that is using it. Non-Domain Name System UDP translations time out after 5 minutes, while DNS times out in 1 minute. TCP translations time out in 24 hours, unless an RST or FIN is seen on the stream, in which case they will time out in 1 minute.
The following example causes UDP port translation entries to time out after 10 minutes:
ip nat translation udp-timeout 600
You can use the master indexes or search online to find documentation of related commands.
clear ip nat translation
ip nat
ip nat inside destination
ip nat inside source
ip nat outside source
ip nat pool
show ip nat statistics
show ip nat translations
To display Network Address Translation (NAT) statistics, use the show ip nat statistics EXEC command.
show ip nat statisticsThis command has no arguments or keywords.
EXEC
This command first appeared in Cisco IOS Release 11.2.
The following is sample output from the show ip nat statistics command:
router# show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135 Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool net-208 refcount 2
pool net-208: netmask 255.255.255.240
start 171.69.233.208 end 171.69.233.221
type generic, total addresses 14, allocated 2 (14%), misses 0
Table 126 describes the significant fields in the display.
| Field | Description |
|---|---|
| Total translations | Number of translations active in the system. This number is incremented each time a translation is created and is decremented each time a translation is cleared or times out. |
| Outside interfaces | List of interfaces marked as outside with the ip nat outside command. |
| Inside interfaces | List of interfaces marked as inside with the ip nat inside command. |
| Hits | Number of times the software does a translations table lookup and finds an entry. |
| Misses | Number of times the software does a translations table lookup, fails to find an entry, and must try to create one. |
| Expired translations | Cumulative count of translations that have expired since the router was booted. |
You can use the master indexes or search online to find documentation of related commands.
clear ip nat translation
ip nat
ip nat inside destination
ip nat inside source
ip nat outside source
ip nat pool
ip nat translation
show ip nat statistics
show ip nat translations
To display active Network Address Translation (NAT) translations, use the show ip nat translations EXEC command.
show ip nat translations [verbose]| verbose | (Optional) Displays additional information for each translation table entry, including how long ago the entry was created and used. |
EXEC
This command first appeared in Cisco IOS Release 11.2.
The following is sample output from the show ip nat translations command. Without overloading, two inside hosts are exchanging packets with some number of outside hosts.
router# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 171.69.233.209 192.168.1.95 --- ---
--- 171.69.233.210 192.168.1.89 --- --
With overloading, a translation for a DNS transaction is still active, and translations for two Telnet sessions (from two different hosts) are also active. Note that two different inside hosts appear on the outside with a single IP address.
router# show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 171.69.233.209:1220 192.168.1.95:1220 171.69.2.132:53 171.69.2.132:53
tcp 171.69.233.209:11012 192.168.1.89:11012 171.69.1.220:23 171.69.1.220:23
tcp 171.69.233.209:1067 192.168.1.95:1067 171.69.1.161:23 171.69.1.161:23
The following is sample output that includes the verbose keyword:
router# show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
udp 171.69.233.209:1220 192.168.1.95:1220 171.69.2.132:53 171.69.2.132:53
create 00:00:02, use 00:00:00, flags: extended
tcp 171.69.233.209:11012 192.168.1.89:11012 171.69.1.220:23 171.69.1.220:23
create 00:01:13, use 00:00:50, flags: extended
tcp 171.69.233.209:1067 192.168.1.95:1067 171.69.1.161:23 171.69.1.161:23
create 00:00:02, use 00:00:00, flags: extended
Table 127 describes the significant fields in the display.
| Field | Description |
|---|---|
| Pro | Protocol of the port identifying the address. |
| Inside global | Legitimate IP address (assigned by the NIC or service provider) that represents one or more inside local IP addresses to the outside world. |
| Inside local | IP address assigned to a host on the inside network; probably not a legitimate address assigned by the NIC or service provider. |
| Outside local | IP address of an outside host as it appears to the inside network; probably not a legitimate address assigned by the NIC or service provider. |
| Outside global | IP address assigned to a host on the outside network by its owner. |
| create | How long ago the entry was created (in hours:minutes:seconds). |
| use | How long ago the entry was last used (in hours:minutes:seconds). |
You can use the master indexes or search online to find documentation of related commands.
clear ip nat translation
ip nat
ip nat inside destination
ip nat inside source
ip nat outside source
ip nat pool
ip nat translation
show ip nat statistics
|
|