Nat 15 MT Book PDF
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2019 Cisco Systems, Inc. All rights reserved.
CONTENTS
Glossary 94
CHAPTER 9 Configuring Hosted NAT Traversal for Session Border Controller 145
Configuring a NAT Optimized SIP Media Path with SDP Messages Without MD5 Authentication 175
Configuration Examples for NAT Optimized SIP Media Path with SDP 176
Configuring a NAT Optimized SIP Media Path with SDP Including MD5 Authentication Example 176
Configuring a NAT Optimized SIP Media Path with SDP Without MD5 Authentication Example 176
Example: Specifying a Port for NAT TCP SIP ALG Support 221
Additional Reference for NAT TCP SIP ALG Support 221
Feature Information for NAT TCP SIP ALG Support 222
Note If you specify an access list with a NAT command, NAT will not support the permit ip any any command.
This command is commonly used in an access list.
NAT Requirements
Before configuring NAT in your network, ensure that you know the interfaces on which NAT is configured
and for what purposes. The following requirements help you decide how to configure and use NAT:
• Define the NAT inside and outside interfaces if:
• Users exist off multiple interfaces.
• Multiple interfaces connect to the internet.
From Cisco IOS XE Denali 16.3 release, NAT support is introduced on Bridge Domain Interface (BDI) for
enabling NAT configuration on the BDI interface.
• NAT hides the identity of hosts, which may be an advantage or a disadvantage, depending on the desired
result.
• A device configured with NAT must not advertise the local networks to the outside. However, routing
information that NAT receives from the outside can be advertised in the stub domain as usual.
• If you specify an access list with a NAT command, NAT will not support the permit ip any any command
that is commonly used in the access list.
• NAT configuration is not supported on the access side of the Intelligent Services Gateway (ISG).
• On Cisco Catalyst 6500 Series Switches, if you have a NAT overload configuration, we recommend that
you limit the number of NAT translations to less than 64512 by using the ip nat translation max-entries
command. If the number of NAT translations is 64512 or more, only a limited number of ports remain available
for use by local applications, which, in turn, can cause security issues such as denial-of-service (DoS)
attacks: the port numbers used by local applications can easily be identified and targeted by DoS attacks,
leading to security threats. This restriction applies to all NAT overload configurations (for example, interface
overload or pool overload configurations) that use a logical, loopback, or physical address for NAT.
• Configuring zone-based policy firewall high availability with NAT and NAT high availability with
zone-based policy firewalls is not recommended.
• If the NAT outside local address matches any logical interface address, interface IP address, or
tunnel-configured address, packets are software-switched.
• NAT outside interface is not supported on a VRF. However, NAT outside interface is supported in iWAN
and is part of the Cisco Validated Design.
Purpose of NAT
NAT is a feature that allows the IP network of an organization to appear from the outside to use a different
IP address space than what it is actually using. Thus, NAT allows an organization with nonglobally routable
addresses to connect to the Internet by translating those addresses into a globally routable address space. NAT
also allows a graceful renumbering strategy for organizations that are changing service providers or voluntarily
renumbering into classless interdomain routing (CIDR) blocks. NAT is described in RFC 1631.
NAT supports all H.225 and H.245 message types, including FastConnect and Alerting, as part of the H.323
Version 2 specification. Any product that makes use of these message types will be able to pass through a
Cisco NAT configuration without any static configuration. Full support for NetMeeting Directory (Internet
Locator Service) is also provided through NAT.
Uses of NAT
NAT can be used for the following scenarios:
• Connect to the Internet when not all your hosts have globally unique IP addresses. Network Address
Translation (NAT) enables private IP networks that use nonregistered IP addresses to connect to the
Internet. NAT is configured on a device at the border of a stub domain (referred to as the inside network)
and a public network such as the Internet (referred to as the outside network). NAT translates internal
local addresses to globally unique IP addresses before sending packets to the outside network. As a
solution to the connectivity problem, NAT is practical only when relatively few hosts in a stub domain
communicate simultaneously outside the domain. When outside communication is necessary, only a
small subset of the IP addresses in the domain must be translated into globally unique IP addresses. Also,
these addresses can be reused when they are no longer in use.
• Change your internal addresses. Instead of changing the internal addresses, which can be a considerable
amount of work, you can translate them by using NAT.
• For basic load-sharing of TCP traffic. You can map a single global IP address with many local IP addresses
by using the TCP Load Distribution feature.
Similarly, the term outside refers to those networks to which the stub network connects, and which are not
under the control of an organization. Also, hosts in outside networks can be subject to translation, and can
thus have local and global addresses. NAT uses the following definitions:
• Inside local address—An IP address that is assigned to a host on the inside network. The address that
the Network Information Center (NIC) or service provider assigns is probably not a legitimate IP address.
• Inside global address—A legitimate IP address assigned by the NIC or service provider that represents
one or more inside local IP addresses to the outside world.
• Outside local address—The IP address of an outside host as it appears to the inside network. Not
necessarily a legitimate address, it is allocated from the address space that is routable on the inside.
• Outside global address—The IP address that is assigned to a host on the outside network by the owner
of the host. The address is allocated from a globally routable address or network space.
VRF X | Global VRF (also referred to as a non-VRF interface) | When NAT is not configured for Match-in-VRF support. For more details, see the Match-in-VRF Support for NAT chapter.
In Cisco IOS Release 15.1(3)T and later releases, when you configure the traceroute command, NAT returns
the same inside global IP address for all inside local IP addresses.
The following figure illustrates a device that is translating a source address inside a network to a source address
outside the network.
Figure 1: NAT Inside Source Translation
The following process describes the inside source address translation, as shown in the preceding figure:
1. The user at host 10.1.1.1 opens a connection to Host B in the outside network.
2. The first packet that the device receives from host 10.1.1.1 causes the device to check its Network Address
Translation (NAT) table. Based on the NAT configuration, the following scenarios are possible:
• If a static translation entry is configured, the device goes to Step 3.
• If no translation entry exists, the device determines that the source address (SA) 10.1.1.1 must be
translated dynamically. The device selects a legal, global address from the dynamic address pool,
and creates a translation entry in the NAT table. This kind of translation entry is called a simple entry.
3. The device replaces the inside local source address of host 10.1.1.1 with the global address of the translation
entry and forwards the packet.
4. Host B receives the packet and responds to host 10.1.1.1 by using the inside global IP destination address
(DA) 203.0.113.2.
5. When the device receives the packet with the inside global IP address, it performs a NAT table lookup
by using the inside global address as a key. It then translates the address to the inside local address of host
10.1.1.1 and forwards the packet to host 10.1.1.1.
Host 10.1.1.1 receives the packet and continues the conversation. The device performs Steps 2 to 5 for each
packet that it receives.
When multiple local addresses map to one global address, the TCP or UDP port numbers of each inside host
distinguish between local addresses.
The following figure illustrates a NAT operation when an inside global address represents multiple inside
local addresses. The TCP port numbers act as differentiators.
Figure 2: NAT Overloading Inside Global Addresses
The device performs the following process in the overloading of inside global addresses, as shown in the
preceding figure. Both Host B and Host C believe that they are communicating with a single host at address
203.0.113.2, whereas they are actually communicating with different hosts; the port number is the
differentiator. In fact, many inside hosts can share the inside global IP address by using many port numbers.
1. The user at host 10.1.1.1 opens a connection to Host B.
2. The first packet that the device receives from host 10.1.1.1 causes the device to check its NAT table.
Based on your NAT configuration the following scenarios are possible:
• If no translation entry exists, the device determines that IP address 10.1.1.1 must be translated, and
translates inside local address 10.1.1.1 to a legal global address.
• If overloading is enabled and another translation is active, the device reuses the global address from
that translation and saves enough information in the NAT table entry to translate the global address
back to the inside host. This type of translation entry is called an extended entry.
3. The device replaces inside local source address 10.1.1.1 with the selected global address and forwards
the packet.
4. Host B receives the packet and responds to host 10.1.1.1 by using the inside global IP address 203.0.113.2.
5. When the device receives the packet with the inside global IP address, it performs a NAT table lookup
by using a protocol, the inside global address and port, and the outside address and port as keys. It translates
the address to the inside local address 10.1.1.1 and forwards the packet to host 10.1.1.1.
Host 10.1.1.1 receives the packet and continues the conversation. The device performs Steps 2 to 5 for each
packet it receives.
Types of NAT
NAT operates on a router—generally connecting only two networks. Before any packets are forwarded to
another network, NAT translates the private (inside local) addresses within the internal network into public
(inside global) addresses. This functionality gives you the option to configure NAT so that it advertises only
a single address for your entire network to the outside world. Doing this translation, NAT effectively hides
the internal network from the world, giving you some additional security.
The types of NAT include:
• Static address translation (static NAT)—Allows one-to-one mapping between local and global addresses.
• Dynamic address translation (dynamic NAT)—Maps unregistered IP addresses to registered IP addresses
from a pool of registered IP addresses.
• Overloading—Maps multiple unregistered IP addresses to a single registered IP address (many to one)
by using different ports. This method is also known as Port Address Translation (PAT). Thousands of
users can be connected to the Internet by using only one real global IP address through overloading.
The device examines every DNS reply to ensure that the IP address is not in a stub network. If it is, the device
translates the address as described in the following steps:
1. Host 10.1.1.1 opens a connection to 172.16.0.3.
2. The device sets up the translation mapping of the inside local and global addresses to each other. It also
sets up the translation mapping of the outside global and local addresses to each other.
3. The device replaces the SA with the inside global address and replaces the DA with the outside global
address.
4. Host C receives the packet and continues the conversation.
5. The device does a lookup, replaces the DA with the inside local address, and replaces the SA with the
outside local address.
6. Host 10.1.1.1 receives the packet and the conversation continues using this translation process.
Note Use an access-control list (ACL) to prevent inside hosts from trying to establish an IPsec session to the same IPsec
headend as the router.
Note The NAT Virtual Interface is created dynamically as part of NAT feature initialization, and this interface is
required to support specific NAT usage scenarios. When a crypto module uses specific NAT services (APIs)
to reserve the transport ports it is interested in, the NAT feature is initialized, creating a NAT Virtual Interface.
6. The device will allocate IP address 10.1.1.2 as the inside local address for the next connection request.
To support users who are configured with a static IP address, the NAT Static IP Address Support feature
extends the capabilities of public wireless LAN providers. By configuring a device to support users with a
static IP address, public wireless LAN providers extend their services to a greater number of users.
Users with static IP addresses can use services of the public wireless LAN provider without changing their
IP address. NAT entries are created for static IP clients and a routable address is provided.
RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. Communication
between a network access server (NAS) and a RADIUS server is based on UDP. Generally, the RADIUS
protocol is considered a connectionless service. RADIUS-enabled devices handle issues related to
server availability, retransmission, and timeouts themselves rather than relying on the transport protocol.
The RADIUS client is typically a NAS, and the RADIUS server is usually a daemon process running on a
UNIX or Windows NT machine. The client passes user information to designated RADIUS servers and acts
on the response that is returned. To deliver service to the user, RADIUS servers receive a user connection
request, authenticate the user, and then return the configuration information necessary for the client. A RADIUS
server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
Denial-of-Service Attacks
A denial-of-service (DoS) attack typically involves misuse of standard protocols or connection processes.
The intent of a DoS attack is to overload and disable a target, such as a device or web server. DoS attacks can
come from a malicious user or from a computer that is infected with a virus or worm. A distributed DoS attack
is an attack that comes from many different sources at once, for example when a virus or worm has
infected many computers. Such distributed DoS attacks can spread rapidly and involve thousands of systems.
Note Configure different IP addresses for an interface on which NAT is configured and for inside addresses that
are configured by using the ip nat inside source static command.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source static local-ip global-ip
4. interface type number
5. ip address ip-address mask [secondary]
6. ip nat inside
7. exit
8. interface type number
9. ip address ip-address mask [secondary]
10. ip nat outside
11. end
DETAILED STEPS
Step 3: ip nat inside source static local-ip global-ip
Purpose: Establishes static translation between an inside local address and an inside global address.
Example:
Device(config)# ip nat inside source static 10.10.10.1 172.16.131.1
Step 5: ip address ip-address mask [secondary]
Purpose: Sets a primary IP address for an interface.
Example:
Device(config-if)# ip address 10.114.11.39 255.255.255.0
Step 6: ip nat inside
Purpose: Connects the interface to the inside network, which is subject to NAT.
Example:
Device(config-if)# ip nat inside
Step 8: interface type number
Purpose: Specifies a different interface and enters the interface configuration mode.
Example:
Device(config)# interface gigabitethernet 0/0/0
Step 9: ip address ip-address mask [secondary]
Purpose: Sets a primary IP address for an interface.
Example:
Device(config-if)# ip address 172.31.232.182 255.255.255.240
Note When inside global or outside local addresses belong to a directly connected subnet on a NAT device, the
device adds IP aliases for them. This action enables it to answer Address Resolution Protocol (ARP) requests.
However, a situation can arise where the device answers packets that are not destined for it, possibly causing
a security issue. This happens when an incoming Internet Control Message Protocol (ICMP) packet or a UDP
packet that is destined for one of the aliased addresses has no corresponding translation in the NAT table and
the device itself runs a corresponding service, for example, Network Time Protocol (NTP). Such a situation
can cause minor security risks.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
4. access-list access-list-number permit source [source-wildcard]
5. ip nat inside source list access-list-number pool name
6. interface type number
7. ip address ip-address mask
8. ip nat inside
9. exit
10. interface type number
11. ip address ip-address mask
12. ip nat outside
13. end
DETAILED STEPS
Step 3: ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Purpose: Defines a pool of global addresses to be allocated as needed.
Example:
Device(config)# ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28
Step 4: access-list access-list-number permit source [source-wildcard]
Purpose: Defines a standard access list permitting those addresses that are to be translated.
Example:
Step 5: ip nat inside source list access-list-number pool name
Purpose: Establishes dynamic source translation, specifying the access list defined in Step 4.
Example:
Device(config)# ip nat inside source list 1 pool net-208
Step 6: interface type number
Purpose: Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 1
Step 7: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 10.114.11.39 255.255.255.0
Step 8: ip nat inside
Purpose: Connects the interface to the inside network, which is subject to NAT.
Example:
Device(config-if)# ip nat inside
Step 10: interface type number
Purpose: Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 0
Step 11: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 172.16.232.182 255.255.255.240
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
4. access-list access-list-number permit source [source-wildcard]
5. ip nat inside source list access-list-number pool name overload
6. interface type number
7. ip address ip-address mask
8. ip nat inside
9. exit
10. interface type number
11. ip address ip-address mask
12. ip nat outside
13. end
DETAILED STEPS
Step 3: ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Purpose: Defines a pool of global addresses to be allocated as needed.
Example:
Device(config)# ip nat pool net-208 192.168.202.129 192.168.202.158 netmask 255.255.255.224
Step 4: access-list access-list-number permit source [source-wildcard]
Purpose: Defines a standard access list permitting those addresses that are to be translated.
• The access list must permit only those addresses that are to be translated. (Remember that there is an implicit “deny all” at the end of each access list.) Use of an access list that is too permissive can lead to unpredictable results.
Example:
Device(config)# access-list 1 permit 192.168.201.30 0.0.0.255
Step 5: ip nat inside source list access-list-number pool name overload
Purpose: Establishes dynamic source translation with overloading, specifying the access list defined in Step 4.
Example:
Device(config)# ip nat inside source list 1 pool net-208 overload
Step 7: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 192.168.201.1 255.255.255.240
Step 8: ip nat inside
Purpose: Connects the interface to the inside network, which is subject to NAT.
Example:
Device(config-if)# ip nat inside
Step 10: interface type number
Purpose: Specifies an interface and enters the interface configuration mode.
Example:
Device(config)# interface ethernet 0
Step 11: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 192.168.201.29 255.255.255.240
Note On Catalyst 6500 Series Switches, when the NAT translation is done in the hardware, timers are reset every
100 seconds or once the set timeout value is reached.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat translation seconds
4. ip nat translation udp-timeout seconds
5. ip nat translation dns-timeout seconds
6. ip nat translation tcp-timeout seconds
7. ip nat translation finrst-timeout seconds
8. ip nat translation icmp-timeout seconds
9. ip nat translation syn-timeout seconds
10. end
DETAILED STEPS
Step 4: ip nat translation udp-timeout seconds
Purpose: (Optional) Changes the UDP timeout value.
Example:
Device(config)# ip nat translation udp-timeout 300
Step 5: ip nat translation dns-timeout seconds
Purpose: (Optional) Changes the Domain Name System (DNS) timeout value.
Example:
Device(config)# ip nat translation dns-timeout 45
Step 6: ip nat translation tcp-timeout seconds
Purpose: (Optional) Changes the TCP timeout value.
• The default is 24 hours.
Example:
Device(config)# ip nat translation tcp-timeout 2500
Step 7: ip nat translation finrst-timeout seconds
Purpose: (Optional) Changes the finish and reset timeout value.
• finrst-timeout: The aging time after a TCP session receives both finish-in (FIN-IN) and finish-out (FIN-OUT) requests or after the reset of a TCP session.
Example:
Device(config)# ip nat translation finrst-timeout 45
Step 8: ip nat translation icmp-timeout seconds
Purpose: (Optional) Changes the ICMP timeout value.
Example:
Device(config)# ip nat translation icmp-timeout 45
Step 9: ip nat translation syn-timeout seconds
Purpose: (Optional) Changes the synchronous (SYN) timeout value.
• The synchronous timeout or the aging time is used only when a SYN request is received on a TCP session. When a synchronous acknowledgment (SYNACK) request is received, the timeout changes to the TCP timeout.
Example:
Device(config)# ip nat translation syn-timeout 45
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source static local-ip global-ip
4. interface type number
5. ip address ip-address mask
6. ip nat inside
7. exit
8. interface type number
9. ip address ip-address mask
10. ip nat outside
11. end
DETAILED STEPS
Step 3: ip nat inside source static local-ip global-ip
Purpose: Establishes static translation between an inside local address and an inside global address.
Example:
Step 4: interface type number
Purpose: Specifies an interface and enters the interface configuration mode.
Example:
Device(config)# interface ethernet 1
Step 5: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 10.114.11.39 255.255.255.0
Step 8: interface type number
Purpose: Specifies an interface and enters the interface configuration mode.
Example:
Device(config)# interface ethernet 0
Step 9: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 172.16.232.182 255.255.255.240
What to Do Next
When you have completed the required configuration, go to the “Monitoring and Maintaining NAT” module.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
4. access-list access-list-number permit source [source-wildcard]
5. ip nat outside source list access-list-number pool name
6. interface type number
7. ip address ip-address mask
8. ip nat inside
9. exit
10. interface type number
11. ip address ip-address mask
12. ip nat outside
13. end
DETAILED STEPS
Step 3: ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Purpose: Defines a pool of global addresses to be allocated as needed.
Example:
Device(config)# ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
Step 4: access-list access-list-number permit source [source-wildcard]
Purpose: Defines a standard access list permitting those addresses that are to be translated.
• The access list must permit only those addresses that are to be translated. (Remember that there is an implicit “deny all” at the end of each access list.) Use of an access list that is too permissive can lead to unpredictable results.
Example:
Device(config)# access-list 1 permit 10.114.11.0 0.0.0.255
Step 5: ip nat outside source list access-list-number pool name
Purpose: Establishes dynamic outside source translation, specifying the access list defined in Step 4.
Example:
Device(config)# ip nat outside source list 1 pool net-10
Step 7: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 10.114.11.39 255.255.255.0
Step 10: interface type number
Purpose: Specifies an interface and enters the interface configuration mode.
Example:
Device(config)# interface ethernet 0
Step 11: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 172.16.232.182 255.255.255.240
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip nat enable
5. exit
6. ip nat pool name start-ip end-ip netmask netmask add-route
7. ip nat source list access-list-number pool name vrf name
8. ip nat source list access-list-number pool name overload
9. end
DETAILED STEPS
Step 3: interface type number
Purpose: Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface FastEthernet 1
Step 4: ip nat enable
Purpose: Configures an interface that connects VPNs and the Internet for NAT.
Example:
Device(config-if)# ip nat enable
Step 6: ip nat pool name start-ip end-ip netmask netmask add-route
Purpose: Configures a NAT pool and the associated mappings.
Example:
Device(config)# ip nat pool pool1 192.168.200.225 192.168.200.254 netmask 255.255.255.0 add-route
Step 8: ip nat source list access-list-number pool name overload
Purpose: Configures an overloading NVI without an inside or outside specification.
Example:
Device(config)# ip nat source list 1 pool pool1 overload
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip nat enable
5. exit
6. ip nat source static local-ip global-ip vrf name
7. end
DETAILED STEPS
Step 3: interface type number
Purpose: Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface FastEthernet 1
Step 4: ip nat enable
Purpose: Configures an interface that connects VPNs and the Internet for NAT.
Example:
Device(config-if)# ip nat enable
Step 6: ip nat source static local-ip global-ip vrf name
Purpose: Configures a static NVI.
Example:
Device(config)# ip nat source static 192.168.123.1 192.168.125.10 vrf vrf1
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary
4. access-list access-list-number permit source [source-wildcard]
5. ip nat inside destination-list access-list-number pool name
6. interface type number
7. ip address ip-address mask
8. ip nat inside
9. exit
10. interface type number
11. ip address ip-address mask
12. ip nat outside
13. end
DETAILED STEPS
Step 3: ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary
Purpose: Defines a pool of addresses containing the addresses of the real hosts.
Example:
Device(config)# ip nat pool real-hosts 192.168.201.2 192.168.201.5 prefix-length 28 type rotary
Step 4: access-list access-list-number permit source [source-wildcard]
Purpose: Defines an access list permitting the address of the virtual host.
Example:
Device(config)# access-list 1 permit 192.168.201.30 0.0.0.255
Step 5: ip nat inside destination-list access-list-number pool name
Purpose: Establishes dynamic inside destination translation, specifying the access list defined in the prior step.
Example:
Device(config)# ip nat inside destination-list 1 pool real-hosts
Step 6: interface type number
Purpose: Specifies an interface and enters the interface configuration mode.
Example:
Device(config)# interface ethernet 0
Step 7: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 192.168.201.1 255.255.255.240
Step 10: interface type number
Purpose: Specifies a different interface and enters the interface configuration mode.
Example:
Device(config)# interface serial 0
Step 11: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 192.168.15.129 255.255.255.240
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload]| static
local-ip global-ip [route-map map-name]}
4. exit
5. show ip nat translations [verbose]
DETAILED STEPS
Step 3 ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip [route-map map-name]}
Enables route mapping with static NAT configured on the NAT inside interface.
Example:
Device(config)# ip nat inside source static 192.168.201.6 192.168.201.21 route-map isp2
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip netmask netmask
4. ip nat pool name start-ip end-ip netmask netmask
5. ip nat inside source route-map name pool name [reversible]
6. ip nat inside source route-map name pool name [reversible]
7. end
DETAILED STEPS
Step 3 ip nat pool name start-ip end-ip netmask netmask
Defines a pool of network addresses for NAT.
Example:
Device(config)# ip nat pool POOL-A 192.168.201.4 192.168.201.6 netmask 255.255.255.128
Step 4 ip nat pool name start-ip end-ip netmask netmask
Defines a second pool of network addresses for NAT.
Example:
Device(config)# ip nat pool POOL-B 192.168.201.7 192.168.201.9 netmask 255.255.255.128
Step 5 ip nat inside source route-map name pool name [reversible]
Enables outside-to-inside initiated sessions to use route maps for destination-based NAT.
Step 6 ip nat inside source route-map name pool name [reversible]
Enables outside-to-inside initiated sessions to use route maps for destination-based NAT, for the second route map and pool.
Example:
Device(config)# ip nat inside source route-map MAP-B pool POOL-B reversible
Note When you configure the ip nat outside source static command to add static routes for outside local addresses,
there is a delay in the translation of packets and packets are dropped. Packets are dropped because a shortcut
is not created for the initial synchronization (SYN) packet when NAT is configured for static translation. To
avoid dropped packets, configure either the ip nat outside source static add-route command or the ip route
command.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static
network local-ip global-ip [no-payload]}
4. ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static
{tcp | udp} local-ip local-port global-ip global-port [no-payload]}
5. ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static
[network] local-network-mask global-network-mask [no-payload]}
6. ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static local-ip
global-ip [no-payload]}
7. ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static {tcp | udp}
local-ip local-port global-ip global-port [no-payload]}
8. ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static [network]
local-network-mask global-network-mask [no-payload]}
9. exit
10. show ip nat translations [verbose]
DETAILED STEPS
Step 3 ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static network local-ip global-ip [no-payload]}
Disables the network packet translation on the inside host device.
Example:
Device(config)# ip nat inside source static network 10.1.1.1 192.168.251.0/24 no-payload
Step 4 ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static {tcp | udp} local-ip local-port global-ip global-port [no-payload]}
Disables port packet translation on the inside host device.
Example:
Device(config)# ip nat inside source static tcp 10.1.1.1 2000 192.168.1.1 2000 no-payload
Step 5 ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static [network] local-network-mask global-network-mask [no-payload]}
Disables packet translation on the inside host device.
Example:
Device(config)# ip nat inside source static 10.1.1.1 192.168.1.1 no-payload
Step 6 ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static local-ip global-ip [no-payload]}
Disables packet translation on the outside host device.
Step 7 ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static {tcp | udp} local-ip local-port global-ip global-port [no-payload]}
Disables port packet translation on the outside host device.
Example:
Device(config)# ip nat outside source static tcp 10.1.1.1 20000 192.168.1.1 20000 no-payload
Step 8 ip nat outside source {list {access-list-number | access-list-name} pool pool-name | static [network] local-network-mask global-network-mask [no-payload]}
Disables network packet translation on the outside host device.
Example:
Device(config)# ip nat outside source static network 10.1.1.1 192.168.251.0/24 no-payload
Note • You can use this feature to configure gaming devices with an IP address different from the IP address
of the PC. To avoid unwanted traffic or DoS attacks, use access lists.
• For traffic going from the PC to the outside, it is better to use a route map so that extended entries are
created.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source static local-ip interface type number
4. ip nat inside source static tcp local-ip local-port interface global-port
5. exit
6. show ip nat translations [verbose]
DETAILED STEPS
Step 3 ip nat inside source static local-ip interface type number
Enables static NAT on the interface.
Example:
Device(config)# ip nat inside source static 10.1.1.1 interface Ethernet 1/1
Step 4 ip nat inside source static tcp local-ip local-port interface global-port
(Optional) Enables the use of telnet to the device from the outside.
Example:
Device(config)# ip nat inside source static tcp 10.1.1.1 23 interface 23
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip nat inside
5. exit
6. ip nat allow-static-host
7. ip nat pool name start-ip end-ip netmask netmask accounting list-name
8. ip nat inside source list access-list-number pool name
9. access-list access-list-number deny source
10. end
11. show ip nat translations verbose
DETAILED STEPS
Step 7 ip nat pool name start-ip end-ip netmask netmask accounting list-name
Specifies an existing RADIUS profile name to be used for authentication of the static IP host.
Example:
Device(config)# ip nat pool pool1 172.16.0.0 172.16.0.254 netmask 255.255.255.0 accounting WLAN-ACCT
Step 8 ip nat inside source list access-list-number pool name
Specifies the access list and pool to be used for static IP support.
• The specified access list must permit all traffic.
Example:
Device(config)# ip nat inside source list 1 pool pool1
Step 9 access-list access-list-number deny source
Removes the traffic of the device from NAT.
• The source argument is the IP address of the device that supports the NAT Static IP Support feature.
• A standard access list is evaluated top down and stops at the first match, so this deny entry must precede the permit entry that allows all other traffic; an entry appended after a permit that already matches is never reached.
Example:
Device(config)# access-list 1 deny 192.168.196.51
Step 11 show ip nat translations verbose
(Optional) Displays active NAT translations and additional information for each translation table entry, including how long ago the entry was created and used.
Example:
Device# show ip nat translations verbose
Examples
The following is sample output from the show ip nat translations verbose command:
Device# show ip nat translations verbose
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip prefix-length prefix-length [accounting method-list-name] [arp-ping]
4. ip nat translation arp-ping-timeout [seconds]
5. end
DETAILED STEPS
Step 3 ip nat pool name start-ip end-ip prefix-length prefix-length [accounting method-list-name] [arp-ping]
Defines a pool of IP addresses for NAT.
Example:
Device(config)# ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28 accounting radius1 arp-ping
Step 4 ip nat translation arp-ping-timeout [seconds]
Sets the ARP ping timeout, in seconds, used to verify that a static IP host is still present before its NAT entry and secure ARP entry are removed.
Example:
Device(config)# ip nat translation arp-ping-timeout 600
DETAILED STEPS
Step 4 ip nat translation max-entries {number | all-vrf number | host ip-address number | list listname number | vrf name number}
Configures the maximum number of NAT entries that are allowed from the specified source.
• The maximum number of allowed NAT entries is 2147483647, although a typical range for a NAT rate limit is 100 to 300 entries.
• When you configure a NAT rate limit for all VRF instances, each VRF instance is limited to the maximum number of NAT entries that you specify.
• When you configure a NAT rate limit for a specific VRF instance, you can specify a maximum number of NAT entries for the named VRF instance that is greater than or less than that allowed for all VRF instances.
Example:
Device(config)# ip nat translation max-entries 300
The following example shows NAT configured on the provider edge (PE) device with a static route to the
shared service for the vrf1 and vrf2 VPNs. NAT is configured as inside source static one-to-one translation.
!
interface gigabitethernet 0/0/0
ip address 172.31.232.182 255.255.255.240
ip nat outside
!
interface gigabitethernet 1/1/1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
The following example shows how only traffic local to the provider edge (PE) device running NAT is translated:
ip nat inside source list 1 interface gigabitethernet 0/0/0 vrf vrf1 overload
ip nat inside source list 1 interface gigabitethernet 0/0/0 vrf vrf2 overload
!
ip route vrf vrf1 0.0.0.0 0.0.0.0 192.168.1.1
ip route vrf vrf2 0.0.0.0 0.0.0.0 192.168.1.1
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 1 interface gigabitethernet 1/1/1 vrf vrf1 overload
ip nat inside source list 1 interface gigabitethernet 1/1/1 vrf vrf2 overload
!
ip route vrf vrf1 0.0.0.0 0.0.0.0 172.16.1.1 global
ip route vrf vrf2 0.0.0.0 0.0.0.0 172.16.1.1 global
access-list 1 permit 10.1.1.0 0.0.0.255
!
interface FastEthernet 1
ip nat enable
!
ip nat source static 192.168.123.1 192.168.125.10 vrf vrf1
!
interface FastEthernet 1
ip nat enable
!
ip nat pool pool1 192.168.200.225 192.168.200.254 netmask 255.255.255.0 add-route
ip nat source list 1 pool pool1 vrf vrf1
ip nat source list 1 pool pool1 vrf vrf2 overload
!
The following example shows how to limit the VRF instance named “vrf1” to 150 NAT entries:
ip nat translation max-entries vrf vrf1 150
The following example shows how to limit each VRF instance to 200 NAT entries:
ip nat translation max-entries all-vrf 200
The following example shows how to limit the VRF instance, “vrf2” to 225 NAT entries, but limit all other
VRF instances to 100 NAT entries each:
ip nat translation max-entries all-vrf 100
ip nat translation max-entries vrf vrf2 225
The following example shows how to limit the access control list named “vrf3” to 100 NAT entries:
ip nat translation max-entries list vrf3 100
The following example shows how to limit the host at IP address 10.0.0.1 to 300 NAT entries:
ip nat translation max-entries host 10.0.0.1 300
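The per-host and per-VRF limits above are best chosen from what the translation table actually shows. The following Python script is an added example and is not part of this guide or of Cisco IOS: it parses text in the column layout of show ip nat translations (the sample below is constructed, not captured from a device), counts active entries and distinct outside destinations per inside host, and reports hosts above a threshold, which is how you would size a max-entries host value or spot the single chatty host that the Rate Limiting NAT Translation feature is meant to contain. The function names and the threshold are this example's own.

```python
from collections import Counter, defaultdict

# Constructed sample in the column layout of `show ip nat translations`
# (Pro, Inside global, Inside local, Outside local, Outside global).
# Not captured from a device; inside addresses are RFC 1918 space and
# outside addresses come from the RFC 5737 documentation ranges.
SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 192.0.2.10:1024       10.1.1.1:52100        198.51.100.5:80       198.51.100.5:80
tcp 192.0.2.10:1025       10.1.1.1:52101        198.51.100.5:443      198.51.100.5:443
udp 192.0.2.10:1026       10.1.1.1:5353         198.51.100.9:53       198.51.100.9:53
tcp 192.0.2.10:1027       10.1.1.2:40000        198.51.100.5:80       198.51.100.5:80
--- 192.0.2.11            10.1.1.3              ---                   ---
tcp 192.0.2.10:1028       10.1.1.1:52102        198.51.100.20:25      198.51.100.20:25
"""


def host_of(addr):
    """Strip an IPv4 ':port' suffix; entries without a port are returned unchanged."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def parse_translations(text):
    """Parse show-ip-nat-translations style output into a list of dicts (IPv4 only)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue  # header, blank or wrapped line
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": None if proto == "---" else proto,   # '---' is an address-only entry
            "inside_global": ig,
            "inside_local": il,
            "outside_local": None if ol == "---" else ol,
            "outside_global": None if og == "---" else og,
        })
    return entries


def entries_per_inside_host(entries):
    """Number of translation entries each inside host currently holds."""
    return Counter(host_of(e["inside_local"]) for e in entries)


def destinations_per_inside_host(entries):
    """Distinct outside hosts each inside host talks to (fan-out, a scan/worm indicator)."""
    dests = defaultdict(set)
    for e in entries:
        if e["outside_global"]:
            dests[host_of(e["inside_local"])].add(host_of(e["outside_global"]))
    return {h: len(d) for h, d in dests.items()}


def hosts_over_limit(entries, limit):
    """Inside hosts holding more than `limit` entries (what max-entries host would cap)."""
    return sorted(h for h, n in entries_per_inside_host(entries).items() if n > limit)


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE)
    fanout = destinations_per_inside_host(parsed)
    for host, n in entries_per_inside_host(parsed).most_common():
        print(f"{host:<15} entries={n:<3} destinations={fanout.get(host, 0)}")
    print("hosts over 3 entries:", hosts_over_limit(parsed, 3))
```

Run it against the saved output of show ip nat translations from a device (the script only needs the five standard columns), then set ip nat translation max-entries host for the offenders or tighten the all-vrf limit.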
Where to Go Next
• To configure NAT for use with application-level gateways, see the “Using Application Level Gateways
with NAT” module.
• To verify, monitor, and maintain NAT, see the “Monitoring and Maintaining NAT” module.
• To integrate NAT with Multiprotocol Label Switching (MPLS) VPNs, see the “Integrating NAT with
MPLS VPNs” module.
• To configure NAT for high availability, see the “Configuring NAT for High Availability” module.
Additional References
Related Documents
For Cisco IOS commands, see the Cisco IOS Master Commands List, All Releases.
For NAT commands (complete command syntax, command mode, command history, defaults, usage guidelines, and examples), see the Cisco IOS IP Addressing Services Command Reference.
For a RADIUS attributes overview, see the RADIUS Attributes Overview and RADIUS IETF Attributes module.
For using HSRP and stateful NAT for high availability, see the Configuring NAT for High Availability module.
For using NAT with MPLS VPNs, see the Integrating NAT with MPLS VPNs module.
NAT Ability to Use Route Maps with Static Translation (12.2(4)T): The NAT Ability to Use Route Maps with Static Translation feature provides a dynamic translation command that can specify a route map to be processed instead of an access list. A route map allows you to match any combination of the access list, next-hop IP address, and output interface to determine which pool to use. The ability to use route maps with static translations enables NAT multihoming capability with static address translations.
NAT Default Inside Server (12.3(13)T): The NAT Default Inside Server feature enables forwarding of packets from outside to a specified inside local address.
NAT Route Maps Outside-to-Inside Support (12.2(33)SXI5, 12.3(14)T): The NAT Route Maps Outside-to-Inside Support feature enables the deployment of a NAT route map configuration that allows IP sessions to be initiated from the outside to the inside.
NAT RTSP Support Using NBAR (12.3(7)T): The NAT RTSP Support Using NBAR feature adds NAT support for the Real Time Streaming Protocol (RTSP), a client/server multimedia presentation control protocol that supports multimedia application delivery. Applications that use RTSP include WMS by Microsoft, QuickTime by Apple Computer, and RealSystem G2 by RealNetworks.
NAT Static and Dynamic Route Map Name-Sharing (15.0(1)M): The NAT Static and Dynamic Route Map Name-Sharing feature provides the ability to configure static and dynamic NAT to share the same route map name, while enforcing precedence of static NAT over dynamic NAT.
NAT Static IP Support (12.3(7)T): The NAT Static IP Support feature provides support for users with static IP addresses, enabling those users to establish an IP session in a public wireless LAN environment.
NAT Virtual Interface (12.3(14)T): The NAT Virtual Interface feature removes the requirement to configure an interface as either Network Address Translation (NAT) inside or NAT outside. An interface can be configured to use or not use NAT.
Rate Limiting NAT Translation (12.3(4)T, 15.0(1)S): The Rate Limiting NAT Translation feature provides the ability to limit the maximum number of concurrent Network Address Translation (NAT) operations on a router. In addition to giving users more control over how NAT addresses are used, the Rate Limiting NAT Translation feature can be used to limit the effects of viruses, worms, and denial-of-service attacks.
Support for ARP Ping in a Public Wireless LAN (12.4(6)T): The Support for ARP Ping in a Public Wireless LAN feature protects the NAT entry and the secure ARP entry from removal while the static IP client is still present in the network, where the IP address is unchanged after authentication.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
• Before performing the tasks in this module, you should verify that the Session Initiation Protocol (SIP)
and H.323 are not disabled. SIP and H.323 are enabled by default.
• ESP entries in the translation table are normally delayed from being transmitted until a reply is received
from the destination. With predictable security parameter indexes (SPIs) and SPI matching, the delay
can be eliminated because SPI entries are matched. Some third-party concentrators require both source
ports and incoming ports to use port 500. Use the ip nat service preserve-port command to preserve
the ports rather than changing them, which is required with regular NAT.
IPsec
IPsec is a set of extensions to the IP protocol family in a framework of open standards for ensuring secure
private communications over the Internet. Based on standards developed by the IETF, IPsec ensures
confidentiality, integrity, and authenticity of data communications across the public network and provides
cryptographic security services.
IPsec provides secure tunnels between two peers, such as two routers. You decide which packets are considered sensitive and should be sent through these secure tunnels, and which parameters should be used to protect those packets, by specifying the characteristics of the tunnels. When an IPsec peer receives a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.
IPsec using Encapsulating Security Payload (ESP) can pass through a router running NAT without any specific
support from it as long as Network Address Port Translation (NAPT) or address overloading is not configured.
You can enable IPsec packet processing using ESP with the ip nat service ipsec-esp enable command.
There are a number of factors to consider when attempting an IPsec VPN connection that traverses a NAPT
device that represents multiple private internal IP addresses as a single public external IP address. Such factors
include the capabilities of the VPN server and client, the capabilities of the NAPT device, and whether more
than one simultaneous connection is attempted across the NAPT device.
There are two possible methods for configuring IPsec on a router with NAPT:
• Encapsulate IPsec in a Layer 4 protocol such as TCP or UDP. In this case IPsec is carried through the NAT device inside ordinary TCP or UDP flows, and the NAT device is unaware of the encapsulation.
• Add IPsec-specific support to NAPT. In this case IPsec works with NAT rather than being hidden from it. The NAT Support for IPsec ESP-- Phase II feature provides support for Internet Key Exchange (IKE) and ESP without encapsulation in tunnel mode through a Cisco IOS router configured with NAPT.
We recommend TCP or UDP encapsulation for IPsec sessions that traverse a NAPT device. However, not all VPN servers or clients support TCP or UDP encapsulation.
SPI Matching
SPI matching is used to establish VPN connections between multiple pairs of destinations. NAT entries will immediately be placed in the translation table for endpoints matching the configured access list.
Session Description Protocol (SDP) is a protocol that describes multimedia sessions. SDP may be used in SIP
message bodies to describe multimedia sessions used for creating and controlling multimedia sessions with
two or more participants.
The NAT Support for SIP feature allows SIP embedded messages passing through a router configured with
NAT to be translated and encoded back to the packet. An ALG is used with NAT to translate the SIP or SDP
messages.
Note By default support for SIP is enabled on port 5060. Therefore, NAT-enabled devices interpret all packets on
this port as SIP call messages. If other applications in the system use port 5060 to send packets, the NAT
service may corrupt the packet as it attempts to interpret the packet as a SIP call message.
Restrictions
The NAT Segmentation with Layer 4 Forwarding feature does not work when:
• Firewalls are configured using the ip inspect name command. (Context-Based Access Control (CBAC) firewalls are not supported. Zone-based firewalls are supported.)
• H.323, SCCP, or TCP DNS messages are larger than 18 KB.
• The match-in-vrf keyword is configured along with the ip nat inside source command for packet translation.
• The packets are IPv6 packets.
Note Effective January 31, 2014, Stateful NAT is not available in Cisco IOS software. For more information, see End-of-Sale and End-of-Life Announcement for the Cisco IOS Stateful Failover of Network Address Translation (SNAT).
Note IPsec can be configured for any NAT configuration, not just static NAT configurations.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat [inside | outside] source static local-ip global-ip [vrf vrf-name]
4. exit
5. show ip nat translations
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable
Step 3 ip nat [inside | outside] source static local-ip global-ip [vrf vrf-name]
Enables static NAT.
Step 4 exit
Exits global configuration mode and enters privileged EXEC mode.
Example:
Router(config)# exit
Note This task is required by certain VPN concentrators. Cisco VPN devices generally do not use this feature.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service list access-list-number IKE preserve-port
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable
Step 3 ip nat service list access-list-number IKE preserve-port
Specifies IPsec traffic that matches the access list to preserve the port.
Security parameter index (SPI) matching is used to establish VPN connections between multiple pairs of
destinations. NAT entries are immediately placed in the translation table for endpoints matching the configured
access list. SPI matching is available only for endpoints that choose SPIs according to the predictive algorithm
implemented in Cisco IOS Release 12.2(15)T.
The generation of SPIs that are predictable and symmetric is enabled. SPI matching should be used in
conjunction with NAT devices when multiple ESP connections across a NAT device are desired.
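The failure mode that both the IPsec section above and this SPI matching description address is that ESP has no port numbers: once two inside hosts run ESP to the same peer through one overloaded (NAPT) address, return packets cannot be demultiplexed by address alone. The Python model below is an added example, not Cisco IOS code and not a description of the IOS data path: it implements a toy NAPT with a TCP/UDP table keyed on translated port, shows the ESP collision, and then shows how keying inbound ESP on the SPI resolves it. Its one simplifying assumption, stated in the code, is that endpoints configured for SPI matching use symmetric SPIs, so the SPI seen outbound is the one the peer sends back. Class and function names, addresses and SPI values are constructed for the example.

```python
# Added example (not Cisco IOS code): a toy NAPT model showing why two inside
# hosts running IPsec/ESP to the same peer collide under address overloading,
# and how keying inbound ESP on the SPI (the idea behind SPI matching) fixes it.
# Addresses are RFC 1918 (inside) and RFC 5737 (outside); packets are dicts built here.

ESP, TCP, UDP = "esp", "tcp", "udp"


class Napt:
    """Port-address-translation device with a single global address."""

    def __init__(self, global_ip, spi_match=False):
        self.global_ip = global_ip
        self.spi_match = spi_match
        self.next_port = 1024
        self.l4 = {}          # (proto, global_port, peer_ip) -> (inside_ip, inside_port)
        self.esp_peers = {}   # peer_ip -> set of inside hosts sending ESP to that peer
        self.esp_spi = {}     # inbound SPI -> inside_ip, filled only when spi_match is on

    def outbound(self, pkt):
        """Translate an inside-to-outside packet; return the packet as sent to the peer."""
        proto, src, dst = pkt["proto"], pkt["src"], pkt["dst"]
        if proto in (TCP, UDP):
            gport, self.next_port = self.next_port, self.next_port + 1
            self.l4[(proto, gport, dst)] = (src, pkt["sport"])
            return {**pkt, "src": self.global_ip, "sport": gport}
        if proto == ESP:
            # ESP carries no port, so only the address can be rewritten.
            self.esp_peers.setdefault(dst, set()).add(src)
            if self.spi_match:
                # Model assumption: endpoints configured for SPI matching use
                # symmetric SPIs, so the SPI seen outbound is the one the peer
                # will send back and the entry can be installed immediately.
                self.esp_spi[pkt["spi"]] = src
            return {**pkt, "src": self.global_ip}
        raise ValueError(f"unsupported protocol {proto}")

    def inbound(self, pkt):
        """Translate an outside-to-inside packet; return it, or None if it must be dropped."""
        proto = pkt["proto"]
        if proto in (TCP, UDP):
            entry = self.l4.get((proto, pkt["dport"], pkt["src"]))
            if entry is None:
                return None
            inside_ip, inside_port = entry
            return {**pkt, "dst": inside_ip, "dport": inside_port}
        if proto == ESP:
            if self.spi_match and pkt["spi"] in self.esp_spi:
                return {**pkt, "dst": self.esp_spi[pkt["spi"]]}
            hosts = self.esp_peers.get(pkt["src"], set())
            if len(hosts) == 1:
                return {**pkt, "dst": next(iter(hosts))}   # a single candidate is deliverable
            return None   # zero or several inside hosts: cannot demultiplex, drop
        raise ValueError(f"unsupported protocol {proto}")


def tcp_round_trip():
    """Two inside hosts to one peer over TCP: the translated source port keeps them apart."""
    nat, peer = Napt("192.0.2.1"), "198.51.100.7"
    sent = [nat.outbound({"proto": TCP, "src": h, "sport": 40000, "dst": peer, "dport": 443})
            for h in ("10.1.1.10", "10.1.1.11")]
    return [nat.inbound({"proto": TCP, "src": peer, "sport": 443,
                         "dst": p["src"], "dport": p["sport"]})["dst"] for p in sent]


def esp_round_trip(spi_match, hosts=None):
    """Inside hosts open ESP to one peer; return which host each peer reply is delivered to."""
    nat, peer = Napt("192.0.2.1", spi_match=spi_match), "198.51.100.7"
    hosts = hosts or {"10.1.1.10": 0x1001, "10.1.1.11": 0x1002}   # host -> SPI (constructed)
    for host, spi in hosts.items():
        nat.outbound({"proto": ESP, "src": host, "dst": peer, "spi": spi})
    delivered = {}
    for host, spi in hosts.items():
        reply = nat.inbound({"proto": ESP, "src": peer, "dst": nat.global_ip, "spi": spi})
        delivered[host] = reply["dst"] if reply else None
    return delivered


if __name__ == "__main__":
    print("tcp, two hosts:        ", tcp_round_trip())
    print("esp, one host, no SPI: ", esp_round_trip(False, {"10.1.1.10": 0x1001}))
    print("esp, two hosts, no SPI:", esp_round_trip(False))
    print("esp, two hosts, SPI:   ", esp_round_trip(True))
```

A single ESP flow passes the plain model unchanged, which is why one IPsec client behind an overloaded address usually works; the second client is what breaks it, and that is the case the page tells you to fix with SPI matching on the NAT device and both endpoints, or with TCP/UDP encapsulation.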
Note SPI matching must be configured on the NAT device and both endpoint devices.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service list access-list-number ESP spi-match
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable
Step 3 ip nat service list access-list-number ESP spi-match
Specifies an access list to enable SPI matching.
• This example shows how to enter ESP traffic matching list 10 into the NAT table, making the assumption that both devices are Cisco devices and are configured to provide matchable SPIs.
Example:
Router(config)# ip nat service list 10 ESP spi-match
Note Security parameter index (SPI) matching must be configured on the Network Address Translation (NAT)
device and on both endpoint devices.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec nat-transparency spi-matching
4. end
DETAILED STEPS
Step 3 crypto ipsec nat-transparency spi-matching
Enables SPI matching on both endpoints.
Example:
Device(config)# crypto ipsec nat-transparency spi-matching
Step 4 end Exits global configuration mode and enters privileged EXEC
mode.
Example:
Device(config)# end
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service allow-multipart
4. exit
5. show ip nat translations
DETAILED STEPS
Step 4 exit Exits global configuration mode and enters privileged EXEC
mode.
Example:
Device(config)# exit
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service skinny tcp port number
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable
Step 3 ip nat service skinny tcp port number
Configures the skinny protocol on the specified TCP port.
Where to Go Next
• To learn about NAT and configure NAT for IP address conservation, see the “Configuring NAT for IP
Address Conservation” module.
• To verify monitor, and maintain NAT, see the “Monitoring and Maintaining NAT” module.
• To integrate NAT with MPLS VPNs, see the “Integrating NAT with MPLS VPNs” module.
• To configure NAT for high availability, see the “Configuring NAT for High Availability” module.
Additional References
Related Documents
For Cisco IOS commands, see the Cisco IOS Master Command List, All Releases.
For NAT commands (complete command syntax, command mode, defaults, usage guidelines, and examples), see the Cisco IOS IP Addressing Services Command Reference.
MultiPart SDP Support for NAT (15.0(1)M): The MultiPart SDP Support for NAT feature adds support for multipart SDP in a SIP ALG. This feature is disabled by default. The following commands were modified by this feature: debug ip nat and ip nat service.
NAT H.245 Tunneling Support (12.3(11)T): The NAT H.245 Tunneling Support feature allows H.245 tunneling in H.323 Application-Level Gateways (ALGs).
NAT Support for H.323 v2 RAS (12.2(2)T, 15.0(1)S): NAT supports all H.225 and H.245 message types, including those sent in the RAS protocol.
NAT Support for H.323 v3 and v4 in v2 Compatibility Mode (12.3(2)T): The NAT Support for H.323 v3 and v4 in v2 Compatibility Mode feature enables NAT routers to support messages coded in H.323 Version 3 and Version 4 when these messages contain fields that are compatible with H.323 Version 2. This feature does not add support for H.323 capabilities introduced in H.323 Version 3 and Version 4, such as new message types or new fields that require address translation.
NAT Support for IPsec ESP—Phase II (12.2(15)T): The NAT Support for IPsec ESP—Phase II feature provides support for Internet Key Exchange (IKE) and ESP without encapsulation in tunnel mode through a router configured with NAPT.
NAT Support of SCCP Fragmentation (12.4(6)T, 15.1(3)T): The NAT Support of SCCP Fragmentation feature adds support for TCP segments for the NAT Skinny ALG. A fragmented payload that requires an IP translation or a port translation is no longer dropped. The following command was modified by this feature: debug ip nat.
NAT Support for SIP (12.2(8)T): NAT Support for SIP adds the ability to configure NAT on VoIP solutions based on SIP.
Support for applications that do not use H.323 (12.2(33)XNC): NAT with an ALG will translate packets from applications that do not use H.323, as long as these applications use port 1720.
Support for IPsec ESP Through NAT (12.2(13)T): The IPsec ESP Through NAT feature provides the ability to support multiple concurrent IPsec Encapsulating Security Payload (ESP) tunnels or connections through a NAT device configured in Overload or Port Address Translation (PAT) mode.
• RG must be shut down on both peer devices before you configure NAT.
• If devices are already in active/standby states, you must apply any additional configuration changes first
on the standby device and then on the active device. To delete NAT configuration rules, you must apply
the changes first on the active device and then on the standby device.
Note We recommend that you disable all other ALGs using the no ip nat service
command, when using this feature.
• RG on an active device is reloaded using the redundancy application reload group command in
privileged EXEC mode.
• RG on an active device is shut down using the group command in redundancy application configuration
mode.
Note In a group of RG peers, only one peer can be active for a specific RG. Currently, the NAT Box-to-Box
High-Availability Support feature supports only two peers in an RG and one RG in the RG infrastructure.
Note Failover is caused by only those failures that the RG infrastructure listens to.
Each routing device has an asymmetric routing (AR) module, which forwards the traffic received by the
standby redundancy group (RG) using the module’s AR interface. In the above illustration, the standby RG
is RG1, on Router 1 with the Redundancy Interface Identifier (RII) configured as RII-1. The packet traffic
that is received by RG1 is forwarded over the AR interface configured on Router 1 towards Router 2. This
traffic is received by the AR module for RII-1 on Router 2 and is forwarded to RG1, which is active on Router
2.
• Redundancy number: A unique identification number for each interface that is part of the RG infrastructure.
• RG priority: A numeric value that you can configure on the active or standby devices to control the
switchover behavior. Each potential fault or error decrements the priority of the active device. The system
switches over to the standby device when the priority value reaches the configured limit.
• RG control interface: A dedicated physical interface that provides connectivity between the two peer
devices. The redundancy infrastructure uses this interface to exchange control information between the
devices.
• RG data interface: A dedicated physical interface that provides connectivity between two peer devices.
This interface is used by the redundancy infrastructure for data information exchange between devices,
such as session information for NAT. Control and data interfaces can be configured on the same physical
interface.
• Virtual IP address and virtual MAC address: The active device owns the virtual IP address and the virtual MAC address. Hosts or servers on the LAN use the virtual IP address to reach whichever device is currently in the RG active state.
• RG decrement number: The priority value of an RG in local peer is decremented by the specified priority
decrement number if the interface on which this configuration is applied goes down.
• RG infrastructure: Defines multiple RGs to which applications can subscribe and function in an
active-standby mode across different routing devices. Currently, Network Address Translation (NAT)
supports only one RG with an RG ID value of either 1 or 2.
• NAT mapping ID: A numeric value that is attached to all NAT rules that are associated to an RG. This
value must be unique across different NAT rules and must be the same across NAT configurations on
active and standby devices.
4. application redundancy
5. group id
6. name group-name
7. shutdown
8. priority value [failover threshold value]
9. preempt
10. track object-number {decrement value | shutdown}
11. end
DETAILED STEPS
Step 6 name group-name
(Optional) Specifies an optional alias for the protocol instance.
Example:
Device(config-red-app-grp)# name group1
Step 8 priority value [failover threshold value]
(Optional) Specifies the initial priority and failover threshold for a redundancy group.
Example:
Device(config-red-app-grp)# priority 100 failover threshold 50
Step 10 track object-number {decrement value | shutdown}
Specifies the priority value of a redundancy group that will be decremented if an event occurs.
Example:
Device(config-red-app-grp)# track 200 decrement 200
Note Asymmetric routing, data, and control must be configured on separate interfaces for zone-based firewall.
However, for Network Address Translation (NAT), asymmetric routing, data, and control can be configured
on the same interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. redundancy
4. application redundancy
5. group id
6. data interface-type interface-number
7. control interface-type interface-number protocol id
8. timers delay seconds [reload seconds]
9. asymmetric-routing interface type number
10. asymmetric-routing always-divert enable
11. end
DETAILED STEPS
Step 6 data interface-type interface-number
Specifies the data interface that is used by the RG.
Example:
Device(config-red-app-grp)# data GigabitEthernet 0/0/1
Step 7 control interface-type interface-number protocol id
Specifies the control interface that is used by the RG.
• The control interface is also associated with an instance of the control interface protocol.
Example:
Device(config-red-app-grp)# control GigabitEthernet 1/0/0 protocol 1
Step 8 timers delay seconds [reload seconds]
Specifies the time required for an RG to delay role negotiations that start after a fault occurs or the system is reloaded.
Example:
Device(config-red-app-grp)# timers delay 100 reload 400
Step 9 asymmetric-routing interface type number
Specifies the asymmetric routing interface that is used by the RG.
Example:
Device(config-red-app-grp)# asymmetric-routing interface GigabitEthernet 0/1/1
Step 10 asymmetric-routing always-divert enable
Always diverts packets received from the standby RG to the active RG.
Example:
Device(config-red-app-grp)# asymmetric-routing always-divert enable
DETAILED STEPS
Step 3 interface type number Enters interface configuration mode for the data interface.
Example:
Device(config)# interface GigabitEthernet 0/0/1
Step 4 ip address ip-address mask
Assigns an IP address for the data interface.
Example:
Device(config-if)# ip address 10.2.3.2 255.255.255.0
Step 7 interface type number Enters interface configuration mode for the control
interface.
Example:
Device(config)# interface gigabitethernet 1/0/0
Step 11 interface type number (Optional) Enters interface configuration mode for the
asymmetric routing (AR) interface.
Example:
Device(config)# interface gigabitethernet 0/1/1
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. ip nat inside
6. redundancy rii id
7. redundancy group id ip virtual-ip [exclusive] [decrement value]
8. exit
9. interface type number
10. ip address ip-address mask
11. ip nat outside
12. redundancy rii id [decrement number]
13. redundancy group id ip virtual-ip [exclusive] [decrement value]
14. exit
15. ip nat inside source static local-ip global-ip [redundancy rg-id mapping-id map-id]
16. end
DETAILED STEPS
Step 3 interface type number
Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 2/0/2
Step 4 ip address ip-address mask
Assigns a virtual IP (VIP) address on the interface.
Example:
Device(config-if)# ip address 192.168.1.27 255.255.255.0
Step 5 ip nat inside
Designates that traffic originating from the interface is subject to Network Address Translation (NAT).
Example:
Step 7 redundancy group id ip virtual-ip [exclusive] [decrement value]
Enables the redundancy group (RG) traffic interface configuration.
Example:
Device(config-if)# redundancy group 1 ip 192.168.1.20 exclusive decrement 100
Step 9 interface type number
Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 0/0/0
Step 10 ip address ip-address mask
Assigns a virtual IP (VIP) address on the interface.
Example:
Device(config-if)# ip address 192.168.5.54 255.255.255.0
Step 11 ip nat outside
Designates that traffic destined for the interface is subject to NAT.
Example:
Device(config-if)# ip nat outside
Step 12 redundancy rii id [decrement number]
Configures an RII for redundancy group-protected traffic interfaces.
Example:
Device(config-if)# redundancy rii 101
Step 13 redundancy group id ip virtual-ip [exclusive] [decrement value]
Enables the redundancy group (RG) traffic interface configuration and specifies the decrement value that is subtracted from the priority when the state of the interface goes down.
Example:
Device(config-if)# redundancy group 1 ip 192.168.5.10 exclusive decrement 100
Step 15 ip nat inside source static local-ip global-ip [redundancy rg-id mapping-id map-id]
Enables NAT redundancy of the inside source and associates the mapping ID to NAT high-availability redundancy.
Example:
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. ip nat outside
6. redundancy rii id [decrement number]
7. redundancy asymmetric-routing enable
8. exit
9. ip nat inside source static local-ip global-ip [redundancy RG-id mapping-id map-id]
10. end
DETAILED STEPS
Step 3 interface type number
Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface serial 0/0/1
Step 4 ip address ip-address mask
Assigns a virtual IP (VIP) address on the interface.
Example:
Device(config-if)# ip address 192.168.1.27 255.255.255.0
Step 6 redundancy rii id [decrement number]
Configures a Redundancy Interface Identifier (RII) for redundancy group-protected traffic interfaces.
Example:
Device(config-if)# redundancy rii 101
Step 7 redundancy asymmetric-routing enable
Establishes an asymmetric flow diversion tunnel for each redundancy group (RG).
Example:
Device(config-if)# redundancy asymmetric-routing enable
Step 9 ip nat inside source static local-ip global-ip [redundancy RG-id mapping-id map-id]
Enables NAT redundancy of the inside source and associates the mapping ID to NAT high-availability redundancy.
Example:
Device(config)# ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 2/0/2
Device(config-if)# ip address 192.168.1.27 255.255.255.0
Device(config-if)# ip nat inside
Device(config-if)# redundancy rii 100
Device(config-if)# redundancy group 1 ip 192.168.1.20 exclusive decrement 100
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# ip address 192.168.5.54 255.255.255.0
Device(config-if)# ip nat outside
Device(config-if)# redundancy rii 101
Device(config-if)# redundancy group 1 ip 192.168.5.10 exclusive decrement 100
Device(config-if)# exit
Device(config)# ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
Device(config)# end
Example: Configuring Asymmetric Routing for NAT Box-to-Box High-Availability Support
Device> enable
Device# configure terminal
Device(config)# interface serial 0/0/1
Device(config-if)# ip address 192.168.1.27 255.255.255.0
Device(config-if)# ip nat outside
Device(config-if)# redundancy rii 101
Device(config-if)# exit
Device(config)# ip nat inside source static 10.2.2.1 10.3.4.6 redundancy 1 mapping-id 120
Device(config)# end
Cisco IOS commands: Cisco IOS Master Command List, All Releases
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prefixes Format
A set of bits at the start of an IPv6 address is called the format prefix. Prefix length is a decimal value that
specifies how many of the leftmost contiguous bits of an address comprise the prefix.
An embedded IPv4 address is used to construct IPv4 addresses from the IPv6 packet. The Stateless NAT64
translator has to derive the IPv4 addresses that are embedded in the IPv6-translatable address by using the
prefix length. The translator has to construct an IPv6-translatable address based on the prefix and prefix length
and embed the IPv4 address based on the algorithm.
According to the IETF address format BEHAVE draft, a u-bit (bit 70) defined in the IPv6 architecture should
be set to zero. For more information on the u-bit usage, see RFC 2464. The reserved octet, also called u-octet,
is reserved for compatibility with the host identifier format defined in the IPv6 addressing architecture. When
constructing an IPv6 packet, the translator has to make sure that the u-bits are not tampered with and are set
to the value suggested by RFC 2373. The suffix will be set to all zeros by the translator. IETF recommends
that the 8 bits of the u-octet (bit range 64-71) should be set to zero.
The prefix lengths of 32, 40, 48, 56, 64, or 96 are supported for Stateless NAT64 translation. The Well Known
Prefix (WKP) is not supported. When traffic flows in the IPv4-to-IPv6 direction, a WKP or a configured
prefix can be added only in stateful translation.
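The embedding rules above (the IPv4 bits placed around a zero u-octet, with a different split for each supported prefix length) are easier to check in code than in prose. The following Python is an added example written for this page, not Cisco's translator code. It uses the standard ipaddress module and the RFC 6052 address layout, treats the page's requirement that bits 64-71 be zero as a validation check on the extraction side, and flags the Well Known Prefix, which the page says stateless translation does not accept. The 2001:db8 prefixes and the host 192.0.2.33 are constructed test values; the /64 case also reproduces the DMR-style address 2001:DA8:B001:FFFF:B:0101:0100:0 for 11.1.1.1 that appears later in the MAP-T section.

```python
import ipaddress

# Prefix lengths the page lists as supported for Stateless NAT64 translation.
SUPPORTED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 WKP


def _layout(plen):
    """Return (IPv4 bits placed before the u-octet, IPv4 bits placed after it)."""
    if plen not in SUPPORTED_PREFIX_LENGTHS or plen == 96:
        raise ValueError(f"no split layout for prefix length /{plen}")
    before = 64 - plen          # IPv4 bits that fit in [plen, 64)
    return before, 32 - before  # the rest go in [72, 72 + after)


def embed_ipv4(prefix, ipv4):
    """Build the IPv4-translatable IPv6 address for ipv4 under prefix (RFC 6052 2.2).

    The u-octet (bits 64-71) and the suffix after the IPv4 bits stay zero.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    plen = net.prefixlen
    if plen not in SUPPORTED_PREFIX_LENGTHS:
        raise ValueError(f"unsupported stateless prefix length /{plen}")
    v4 = int(ipaddress.IPv4Address(ipv4))
    addr = int(net.network_address)
    if plen == 96:
        return ipaddress.IPv6Address(addr | v4)   # IPv4 occupies bits 96-127
    before, after = _layout(plen)
    high = v4 >> after                            # bits [plen, 64)
    low = v4 & ((1 << after) - 1)                 # bits [72, 72 + after)
    addr |= high << 64
    addr |= low << (56 - after)
    return ipaddress.IPv6Address(addr)


def extract_ipv4(prefix, ipv6):
    """Recover the embedded IPv4 address, rejecting a tampered u-octet."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    plen = net.prefixlen
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    a = int(addr)
    if plen == 96:
        return ipaddress.IPv4Address(a & 0xFFFFFFFF)
    if (a >> 56) & 0xFF:                          # bits 64-71 must be zero
        raise ValueError("u-octet (bits 64-71) is not zero; address rejected")
    before, after = _layout(plen)
    high = (a >> 64) & ((1 << before) - 1)
    low = (a >> (56 - after)) & ((1 << after) - 1)
    return ipaddress.IPv4Address((high << after) | low)


def roundtrip(prefix, ipv4):
    """True when embedding and then extracting returns the original IPv4 address."""
    return str(extract_ipv4(prefix, embed_ipv4(prefix, ipv4))) == ipv4


def stateless_prefix_ok(prefix):
    """Stateless NAT64 accepts only the listed lengths and never the WKP."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return net != WELL_KNOWN_PREFIX and net.prefixlen in SUPPORTED_PREFIX_LENGTHS
```

The extraction side refuses any address whose u-octet is non-zero instead of silently masking it; a translator that masks the field would accept addresses that RFC 6052 says are malformed, which is the tampering the page warns against.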
The figure below shows stateless translation for scenarios 1 and 2. An IPv6-only network communicates with
the IPv4 Internet.
Figure 11: Stateless Translation for Scenarios 1 and 2
Scenario 1 is an IPv6-initiated connection and scenario 2 is an IPv4-initiated connection. Stateless NAT64
translates these two scenarios only if the IPv6 addresses are IPv4-translatable. In these two scenarios, the
Stateless NAT64 feature does not help with IPv4 address depletion, because each IPv6 host that communicates
with the IPv4 Internet consumes a globally routable IPv4 address. This consumption is similar to the IPv4
consumption rate of a dual-stack deployment. The saving, however, is that the internal network is 100 percent
IPv6, which eases management (Access Control Lists, routing tables), and IPv4 exists only at the edge where
the Stateless translators live.
The figure below shows stateless translation for scenarios 5 and 6. The IPv4 network and IPv6 network are
within the same organization.
The IPv4 addresses used are either public IPv4 addresses or RFC 1918 addresses. The IPv6 addresses used
are either public IPv6 addresses or Unique Local Addresses (ULAs).
Both scenarios consist of an IPv6 network that communicates with an IPv4 network. Scenario 5 is an
IPv6-initiated connection and scenario 6 is an IPv4-initiated connection. The IPv4 and IPv6 addresses may
not be public addresses. These scenarios are similar to scenarios 1 and 2. The Stateless NAT64 feature
supports these scenarios if the IPv6 addresses are IPv4-translatable.
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 unicast-routing
4. interface type number
5. description string
6. ipv6 enable
7. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
8. nat64 enable
9. exit
10. interface type number
11. description string
12. ip address ip-address mask
13. nat64 enable
14. exit
DETAILED STEPS
Device> enable
Step 4 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Step 7 ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.
Example:
Device(config-if)# exit
Step 10 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config-if)# exit
Step 15 nat64 prefix stateless ipv6-prefix/length
Defines the Stateless NAT64 prefix to be added to the IPv4 hosts to translate the IPv4 address into an IPv6 address.
• The command also identifies the prefix that must be used to create the IPv4-translatable addresses for the IPv6 hosts.
Example:
Device(config)# nat64 prefix stateless 2001:0db8:0:1::/96
Step 16 nat64 route ipv4-prefix/mask interface-type interface-number
Routes the IPv4 traffic towards the correct IPv6 interface.
Example:
Device(config)# end
SUMMARY STEPS
1. show nat64 statistics
2. show ipv6 route
3. show ip route
4. debug nat64 {all | ha {all | info | trace | warn} | id-manager | info | issu {all | message | trace} | memory | statistics | trace | warn}
5. ping [protocol [tag]] {host-name | system-address}
DETAILED STEPS
NAT64 Statistics
Global Stats:
Packets translated (IPv4 -> IPv6): 21
Packets translated (IPv6 -> IPv4): 15
GigabitEthernet0/0/1 (IPv4 configured, IPv6 configured):
Packets translated (IPv4 -> IPv6): 5
Packets translated (IPv6 -> IPv4): 0
Packets dropped: 0
GigabitEthernet1/2/0 (IPv4 configured, IPv6 configured):
Packets translated (IPv4 -> IPv6): 0
Packets translated (IPv6 -> IPv4): 5
Packets dropped: 0
This command displays the configured stateless prefix and the specific route for the IPv4-embedded IPv6 address pointing toward the IPv6 side.
Example:
Step 4 debug nat64 {all | ha {all | info | trace | warn} | id-manager | info | issu {all | message | trace} | memory | statistics | trace | warn}
This command enables Stateless NAT64 debugging.
Example:
ipv6 unicast-routing
!
interface gigabitethernet 0/0/0
description interface facing ipv6
ipv6 enable
ipv6 address 2001:DB8::1/128
nat64 enable
!
Feature Name: Stateless Network Address Translation 64
Releases: 15.4(1)T
Feature Information: The Stateless Network Address Translation 64 feature provides a translation mechanism that translates an IPv6 packet into an IPv4 packet and vice versa. The translation involves parsing the entire IPv6 header, including the extension headers, and extracting the relevant information and translating it into an IPv4 header. Similarly, the IPv4 header is parsed in its entirety, including the IPv4 options, to construct an IPv6 header. This processing happens on a per-packet basis on the interfaces that are configured for Stateless NAT64 translation.
The following commands were introduced or modified: clear nat64 ha statistics, clear nat64 statistics, debug nat64, nat64 enable, nat64 prefix, nat64 route, show nat64 adjacency, show nat64 ha status, show nat64 prefix stateless, show nat64 routes, and show nat64 statistics.
Glossary
ALG—application-layer gateway or application-level gateway.
FP—Forward Processor.
IPv4-converted address—IPv6 addresses used to represent the IPv4 hosts. These have an explicit mapping
relationship to the IPv4 addresses. This relationship is self-described by mapping the IPv4 address in the IPv6
address. Both stateless and stateful translators use IPv4-converted IPv6 addresses to represent the IPv4 hosts.
IPv6-converted address—IPv6 addresses that are assigned to the IPv6 hosts for the stateless translator. These
IPv6-converted addresses have an explicit mapping relationship to the IPv4 addresses. This relationship is
self-described by mapping the IPv4 address in the IPv6 address. The stateless translator uses the corresponding
IPv4 addresses to represent the IPv6 hosts. The stateful translator does not use IPv6-converted addresses,
because the IPv6 hosts are represented by the IPv4 address pool in the translator via dynamic states.
NAT—Network Address Translation.
RP—Route Processor.
stateful translation—In stateful translation a per-flow state is created when the first packet in a flow is
received. A translation algorithm is said to be stateful if the transmission or reception of a packet creates or
modifies a data structure in the relevant network element. Stateful translation allows the use of multiple
translators interchangeably and also some level of scalability. Stateful translation is defined to enable the IPv6
clients and peers without mapped IPv4 addresses to connect to the IPv4-only servers and peers.
stateless translation—A translation algorithm that is not stateful is called stateless. A stateless translation
requires configuring a static translation table, or may derive information algorithmically from the messages
it is translating. Stateless translation requires less computational overhead than stateful translation. It also
requires less memory to maintain the state, because the translation tables and the associated methods and
processes exist in a stateful algorithm and do not exist in a stateless one. Stateless translation enables the
IPv4-only clients and peers to initiate connections to the IPv6-only servers or peers that are equipped with
IPv4-embedded IPv6 addresses. It also enables scalable coordination of IPv4-only stub networks or ISP
IPv6-only networks. Because the source port in an IPv6-to-IPv4 translation may have to be changed to provide
adequate flow identification, the source port in the IPv4-to-IPv6 direction need not be changed.
Stateful NAT64 supports TCP and UDP traffic. Packets that are generated in an IPv6 network and are destined
for an IPv4 network are routed within the IPv6 network towards the Stateful NAT64 translator. Stateful NAT64
translates the packets and forwards them as IPv4 packets through the IPv4 network. The process is reversed
for traffic that is generated by hosts connected to the IPv4 network and destined for an IPv6 receiver.
The Stateful NAT64 translation is not symmetric, because the IPv6 address space is larger than the IPv4
address space and a one-to-one address mapping is not possible. Before it can perform an IPv6 to an IPv4
translation, Stateful NAT64 requires a state that binds the IPv6 address and the TCP/UDP port to the IPv4
address. The binding state is either statically configured or dynamically created when the first packet that
flows from the IPv6 network to the IPv4 network is translated. After the binding state is created, packets
flowing in both directions are translated. In dynamic binding, Stateful NAT64 supports communication initiated
by the IPv6-only node toward an IPv4-only node. Static binding supports communication initiated by an
IPv4-only node to an IPv6-only node and vice versa. Stateful NAT64 with NAT overload or Port Address
Translation (PAT) provides a 1:n mapping between IPv4 and IPv6 addresses.
When an IPv6 node initiates traffic through Stateful NAT64 and the incoming packet does not have an existing
state, the following events happen:
• The source IPv6 address (and the source port) is associated with an IPv4 configured pool address (and
port, based on the configuration).
• The destination IPv6 address is translated mechanically based on the BEHAVE translation draft using
either the configured NAT64 stateful prefix or the Well Known Prefix (WKP).
• The packet is translated from IPv6 to IPv4 and forwarded to the IPv4 network.
When an incoming packet is stateful (if a state exists for an incoming packet), NAT64 identifies the state and
uses the state to translate the packet.
Scenario 1
An IPv6-only network that communicates with a global IPv4 Internet. This type of network is also called a
green-field network. In a green-field enterprise network, only the border between its network and the IPv4
Internet can be modified.
Translation is performed between IPv4 and IPv6 packets in unidirectional or bidirectional flows that are
initiated from an IPv6 host towards an IPv4 host. Port translation is necessary on the IPv4 side for efficient
IPv4 address usage. The stateful translator can service an IPv6 network of any size.
Both Stateful NAT64 and Stateless NAT64 support Scenario 1.
Scenario 3
Scenario 3 shows a legacy IPv4 network that provides services to IPv6 hosts. IPv6-initiated communication
can be achieved through stateful translation in this scenario.
Translation is performed between IPv4 and IPv6 packets in unidirectional or bidirectional flows that are
initiated from an IPv6 host towards an IPv4 host. The stateful translator can service an IPv4 network using
either private or public IPv4 addresses.
Note Do not use the Well-Known Prefix (WKP) for Scenario 3, because it would lead to using the WKP with
non-global IPv4 addresses. Use a network-specific prefix (for example, a /96 prefix) in Scenario 3. For more
information, see RFC 6052, section "3.4 Choice of Prefix for Stateful Translation Deployments".
Scenario 5
This scenario has an IPv4 and IPv6 network within the same organization. The IPv4 addresses used are either
public IPv4 addresses or RFC 1918-compliant addresses. IPv6 addresses are either public IPv6 addresses or
Unique Local Addresses (ULAs) as specified by RFC 4193.
Translation is performed between IPv6 and IPv4 packets in unidirectional or bidirectional flows that are
initiated from an IPv6 host towards an IPv4 host. The stateful translator can service both IPv6 and IPv4
networks of any size; however, neither network should be the Internet.
Both Stateful NAT64 and Stateless NAT64 support Scenario 5.
All subsequent IPv4-initiated packets are translated based on the previously created session.
• A new NAT64 translation is created in the session database and in the bind database. The pool and port
databases are updated depending on the configuration. The return traffic and the subsequent traffic of
the IPv6 packet flow will use this session database entry for translation.
IP Packet Filtering
Stateful Network Address Translation 64 (NAT64) filters IPv6 and IPv4 packets. All IPv6 packets that are
transmitted into the stateful translator are filtered because statefully translated IPv6 packets consume resources
in the translator. These packets consume processor resources for packet processing, memory resources (always
session memory) for static configuration, IPv4 address resources for dynamic configuration, and IPv4 address
and port resources for Port Address Translation (PAT).
Stateful NAT64 utilizes configured access control lists (ACLs) and prefix lists to filter IPv6-initiated traffic
flows that are allowed to create the NAT64 state. Filtering of IPv6 packets is done in the IPv6-to-IPv4 direction
because dynamic allocation of mapping between an IPv6 host and an IPv4 address can be done only in this
direction.
Stateful NAT64 supports endpoint-dependent filtering for the IPv4-to-IPv6 packet flow with PAT configuration.
In a Stateful NAT64 PAT configuration, the packet flow must have originated from the IPv6 realm and created
the state information in NAT64 state tables. Packets from the IPv4 side that do not have a previously created
state are dropped. Endpoint-independent filtering is supported with static Network Address Translation (NAT)
and non-PAT configurations.
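The state-creation and filtering rules in the two sections above (only IPv6-initiated flows that pass the access list create a binding; under PAT an IPv4-initiated packet must match a session that already exists; a static mapping accepts any IPv4 peer) can be modelled in a short simulation. The following Python is an added example written for this page, not Cisco's NAT64 implementation. It assumes a /96 stateful prefix, one IPv4 pool address used with overload, an access list expressed as a list of permitted source prefixes, and one static v6v4 entry; every address and port in run_demo() is constructed for the demo.

```python
import ipaddress


class StatefulNat64:
    """Toy model of the Stateful NAT64 bind and session tables (assumptions above)."""

    def __init__(self, prefix, pool_ip, permit_sources, static=None):
        self.prefix = ipaddress.IPv6Network(prefix)
        self.pool_ip = ipaddress.IPv4Address(pool_ip)
        self.permit = [ipaddress.IPv6Network(p) for p in permit_sources]
        # static v6v4 entries: IPv6 host <-> IPv4 address, ports untouched
        self.static_v6 = {ipaddress.IPv6Address(k): ipaddress.IPv4Address(v)
                          for k, v in (static or {}).items()}
        self.static_v4 = {v: k for k, v in self.static_v6.items()}
        self.next_port = 1024
        self.bind = {}       # (v6src, v6port) -> (pool_ip, pat_port)
        self.sessions = {}   # IPv4-side 4-tuple -> IPv6-side 4-tuple
        self.dropped = 0

    def _embed(self, v4):
        # IPv4-converted address under a /96 prefix: IPv4 in the low 32 bits
        return ipaddress.IPv6Address(int(self.prefix.network_address) | int(v4))

    def _extract(self, v6):
        return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

    def v6_to_v4(self, src, sport, dst, dport):
        """IPv6-initiated packet: the only direction that may create state."""
        src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if dst not in self.prefix:
            return None  # not addressed to the NAT64 prefix; routed natively
        if src in self.static_v6:
            v4src, v4sport = self.static_v6[src], sport
        else:
            if not any(src in n for n in self.permit):
                self.dropped += 1  # access list denies state creation
                return None
            if (src, sport) not in self.bind:
                self.bind[(src, sport)] = (self.pool_ip, self.next_port)
                self.next_port += 1
            v4src, v4sport = self.bind[(src, sport)]
        v4dst = self._extract(dst)
        self.sessions[(v4src, v4sport, v4dst, dport)] = (src, sport, dst, dport)
        return (str(v4src), v4sport, str(v4dst), dport)

    def v4_to_v6(self, src, sport, dst, dport):
        """IPv4-initiated packet: endpoint-dependent under PAT, independent for static."""
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if dst in self.static_v4:
            return (str(self._embed(src)), sport, str(self.static_v4[dst]), dport)
        sess = self.sessions.get((dst, dport, src, sport))
        if sess is None:
            self.dropped += 1  # no session created from the IPv6 side: drop
            return None
        v6src, v6sport, v6dst, v6dport = sess
        return (str(v6dst), v6dport, str(v6src), v6sport)


def run_demo():
    """Constructed traffic that exercises each rule; returns the observed results."""
    nat = StatefulNat64("2001:db8:1::/96", "209.165.201.1",
                        ["2001:db8:2::/96"],
                        static={"2001:db8:2::fffe": "209.165.201.2"})
    out = {}
    # 1. Permitted IPv6 host opens a flow to IPv4 server 198.51.100.10:443.
    out["v6_init"] = nat.v6_to_v4("2001:db8:2::10", 40000, "2001:db8:1::c633:640a", 443)
    pat_port = out["v6_init"][1]
    # 2. The server's reply on that exact 4-tuple matches the session.
    out["v4_return"] = nat.v4_to_v6("198.51.100.10", 443, "209.165.201.1", pat_port)
    # 3. Another IPv4 host probing the same pool port has no session: dropped.
    out["v4_probe"] = nat.v4_to_v6("203.0.113.7", 443, "209.165.201.1", pat_port)
    # 4. An IPv6 source outside the access list cannot create state.
    out["v6_denied"] = nat.v6_to_v4("2001:db8:3::1", 5000, "2001:db8:1::c633:640a", 80)
    # 5. The static mapping is reachable from any IPv4 peer (endpoint-independent).
    out["v4_static"] = nat.v4_to_v6("203.0.113.7", 55555, "209.165.201.2", 22)
    out["dropped"] = nat.dropped
    return out
```

Case 3 is the behaviour the page calls endpoint-dependent filtering: the pool address and port are in use, but the packet is discarded because the IPv4 peer is not the one the IPv6 host talked to. Case 5 shows why a static mapping is the one configuration where an IPv4-initiated packet is translated without prior state.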
Note You need to configure at least one of the configurations described in the following tasks for Stateful NAT64
to work.
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 unicast-routing
4. interface type number
5. description string
6. ipv6 enable
7. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
8. nat64 enable
9. exit
10. interface type number
11. description string
12. ip address ip-address mask
13. nat64 enable
14. exit
15. nat64 prefix stateful ipv6-prefix/length
16. nat64 v6v4 static ipv6-address ipv4-address
17. end
DETAILED STEPS
Step 4 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 0/0/0
Step 7 ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.
Example:
Device(config-if)# ipv6 address 2001:DB8:1::1/96
Step 10 interface type number
Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 1/2/0
Step 15 nat64 prefix stateful ipv6-prefix/length
Defines the Stateful NAT64 prefix to be added to IPv4 hosts to translate the IPv4 address into an IPv6 address.
• The Stateful NAT64 prefix can be configured at the global configuration level or at the interface level.
Example:
Device(config)# nat64 prefix stateful 2001:DB8:1::1/96
Step 16 nat64 v6v4 static ipv6-address ipv4-address
Enables NAT64 IPv6-to-IPv4 static address mapping.
Example:
Device(config)# nat64 v6v4 static 2001:DB8:1::FFFE 209.165.201.1
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 unicast-routing
4. interface type number
5. description string
6. ipv6 enable
7. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
8. nat64 enable
9. exit
DETAILED STEPS
Step 4 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 0/0/0
Step 7 ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.
Example:
Device(config-if)# ipv6 address 2001:DB8:1::1/96
Step 10 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 1/2/0
Step 15 ipv6 access-list access-list-name
Defines an IPv6 access list and enters IPv6 access list configuration mode.
Example:
Device(config)# ipv6 access-list nat64-acl
Step 16 permit ipv6 ipv6-address any
Sets permit conditions for an IPv6 access list.
Example:
Device(config-ipv6-acl)# permit ipv6 2001:DB8:2::/96 any
Step 17 exit
Exits IPv6 access list configuration mode and enters global configuration mode.
Example:
Device(config-ipv6-acl)# exit
Step 18 nat64 prefix stateful ipv6-prefix/length
Enables NAT64 IPv6-to-IPv4 address mapping.
Example:
Step 19 nat64 v4 pool pool-name start-ip-address end-ip-address
Defines the Stateful NAT64 IPv4 address pool.
Example:
Device(config)# nat64 v4 pool pool1 209.165.201.1 209.165.201.254
Step 20 nat64 v6v4 list access-list-name pool pool-name
Dynamically translates an IPv6 source address to an IPv4 source address and an IPv6 destination address to an IPv4 destination address for NAT64.
Example:
Device(config)# nat64 v6v4 list nat64-acl pool pool1
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 unicast-routing
4. interface type number
5. description string
6. ipv6 enable
7. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
8. nat64 enable
9. exit
10. interface type number
11. description string
12. ip address ip-address mask
13. nat64 enable
14. exit
15. ipv6 access-list access-list-name
16. permit ipv6 ipv6-address any
17. exit
18. nat64 prefix stateful ipv6-prefix/length
DETAILED STEPS
Step 4 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 0/0/0
Step 7 ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.
Example:
Device(config-if)# ipv6 address 2001:DB8:1::1/96
Step 15 ipv6 access-list access-list-name
Defines an IPv6 access list and places the device in IPv6 access list configuration mode.
Example:
Device(config)# ipv6 access-list nat64-acl
Step 16 permit ipv6 ipv6-address any
Sets permit conditions for an IPv6 access list.
Example:
Device(config-ipv6-acl)# permit ipv6 2001:db8:2::/96 any
Step 17 exit
Exits IPv6 access list configuration mode and enters global configuration mode.
Example:
Device(config-ipv6-acl)# exit
Step 18 nat64 prefix stateful ipv6-prefix/length
Enables NAT64 IPv6-to-IPv4 address mapping.
Example:
Device(config)# nat64 prefix stateful 2001:db8:1::1/96
Step 19 nat64 v4 pool pool-name start-ip-address end-ip-address
Defines the Stateful NAT64 IPv4 address pool.
Example:
Device(config)# nat64 v4 pool pool1 209.165.201.1 209.165.201.254
SUMMARY STEPS
1. show nat64 aliases [lower-address-range upper-address-range]
2. show nat64 logging
3. show nat64 prefix stateful {global | {interfaces | static-routes} [prefix ipv6-address/prefix-length]}
4. show nat64 timeouts
DETAILED STEPS
Aliases configured: 1
Address   Table ID  Inserted  Flags   Send ARP  Reconcilable  Stale  Ref-Count
10.1.1.1  0         FALSE     0x0030  FALSE     TRUE          FALSE  1
Step 3 show nat64 prefix stateful {global | {interfaces | static-routes} [prefix ipv6-address/prefix-length]}
This command displays information about NAT64 stateful prefixes.
Example:
Device# show nat64 prefix stateful interfaces
Stateful Prefixes
NAT64 Timeout
enable
configure terminal
ipv6 unicast-routing
interface gigabitethernet 0/0/0
description interface facing ipv6
ipv6 enable
ipv6 address 2001:DB8:1::1/96
nat64 enable
exit
interface gigabitethernet 1/2/0
description interface facing ipv4
ip address 209.165.201.24 255.255.255.0
nat64 enable
exit
ipv6 access-list nat64-acl
permit ipv6 2001:db8:2::/96 any
exit
nat64 prefix stateful 2001:db8:1::1/96
nat64 v4 pool pool1 209.165.201.1 209.165.201.254
nat64 v6v4 list nat64-acl pool pool1 overload
end
Additional References
Related Documents
Standard/RFC Title
RFC 4291 IP Version 6 Addressing Architecture
Technical Assistance
Description Link
The Cisco Support website provides extensive online resources, including http://www.cisco.com/support
documentation and tools for troubleshooting and resolving technical issues
with Cisco products and technologies.
To receive security and technical information about your products, you can
subscribe to various services, such as the Product Alert Tool (accessed from
Field Notices), the Cisco Technical Services Newsletter, and Really Simple
Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user
ID and password.
MAP-T is a mechanism that performs double translation (IPv4 to IPv6 and vice versa) on customer edge (CE)
devices and border routers. The Mapping of Address and Port Using Translation feature supports only the
MAP-T border router functionality. This feature does not support the MAP-T CE functionality.
The Mapping of Address and Port Using Translation feature leverages the Network Address Translation 64
(NAT64) translation engine and adds the MAP-T border router function to the NAT64 stateless function.
MAP-T is enabled on IPv4 and IPv6 interfaces. MAP-T uses IPv4 and IPv6 forwarding, IPv4 and IPv6
fragmentation functions, and NAT64 translation functions. A MAP-T domain is one or more MAP CE devices
and a border router, all connected to the same IPv6 network.
A MAP-T CE device connects a user’s private IPv4 address and the native IPv6 network to the IPv6-only
MAP-T domain. The MAP-T border router uses the stateless IPv4/IPv6 translation to connect external IPv4
networks to all devices available in the one or more MAP-T domains. MAP-T requires only one IPv6 prefix
per network and supports the regular IPv6 prefix/address assignment mechanisms. The MAP-T domain
contains regular IPv6-only hosts or servers that have an IPv4-translatable IPv6 address. MAP-T does not
require the operation of an IPv4 overlay network or the introduction of a non-native-IPv6 network device or
server functionality.
A MAP-T configuration provides the following features:
• Retains the ability for IPv4 end hosts to communicate across the IPv6 domain with other IPv4 hosts.
• Permits both individual IPv4 address assignment and IPv4 address sharing with a predefined port range.
• Allows communication between IPv4-only and IPv6-enabled end hosts and native IPv6-only servers in
domains that use IPv4-translatable IPv6 addresses.
• Allows the use of IPv6 native network operations, including the ability to classify IP traffic and perform
IP traffic routing optimization policies such as routing optimization based on peering policies for IPv4
destinations outside the domain.
• An FMR is used for forwarding packets. Each FMR results in an entry in the MRT for the rule IPv4
prefix. FMR is an optional rule for mapping IPv4 and IPv6 destinations within a MAP-T domain.
Note Forwarding mapping rule (FMR) is not supported by the Mapping of Address and Port Using Translation
feature.
The figure below shows the mapped CE address format as defined in MAP-T configuration. This address
format is used in basic mapping rule (BMR) and FMR operations.
Figure 13: IPv4-Translatable Address for BMR and FMR
The figure below shows the address format used by the MAP-T default mapping rule (DMR), an IPv4-translated
address that is specific to MAP-T configuration.
Figure 14: IPv4-Translated Address for DMR
Note The Mapping of Address and Port Using Translation feature does not support the MAP-T customer edge (CE)
functionality. The CE functionality is provided by third-party devices.
mapping the destination IPv4 address without the port information for packets that do not contain the ID field,
and the corresponding CE device translates the ICMPv6 packets to ICMP.
SUMMARY STEPS
1. enable
2. configure terminal
3. nat64 map-t domain number
4. default-mapping-rule ipv6-prefix/prefix-length
5. basic-mapping-rule
6. ipv6-prefix prefix/length
7. ipv4-prefix prefix/length
8. port-parameters share-ratio ratio [start-port port-number]
9. end
10. show nat64 map-t domain number
DETAILED STEPS
Step 3 nat64 map-t domain number
Configures the Network Address Translation 64 (NAT64) mapping of address and port using translation (MAP-T) domain and enters NAT64 MAP-T configuration mode.
Example:
Device(config)# nat64 map-t domain 1
Step 4 default-mapping-rule ipv6-prefix/prefix-length
Configures the default domain mapping rule for the MAP-T domain.
Example:
Device(config-nat64-mapt)# default-mapping-rule 2001:DA8:B001:FFFF::/64
Step 5 basic-mapping-rule
Configures the basic mapping rule (BMR) for the MAP-T domain and enters NAT64 MAP-T BMR configuration mode.
Example:
Device(config-nat64-mapt)# basic-mapping-rule
Step 6 ipv6-prefix prefix/length
Configures an IPv6 address and prefix for the MAP-T BMR.
Example:
Device(config-nat64-mapt-bmr)# ipv6-prefix 2001:DA8:B001::/56
Step 7 ipv4-prefix prefix/length
Configures an IPv4 address and prefix for the MAP-T BMR.
Example:
Device(config-nat64-mapt-bmr)# ipv4-prefix 202.1.0.128/28
Step 8 port-parameters share-ratio ratio [start-port port-number]
Configures port parameters for the MAP-T BMR.
Example:
Device(config-nat64-mapt-bmr)# port-parameters share-ratio 16 start-port 1024
Step 10 show nat64 map-t domain number
Displays MAP-T domain information.
Example:
Device# show nat64 map-t domain 1
The following is sample output from the show nat64 map-t domain command:
Device# show nat64 map-t domain 1
MAP-T Domain 1
Mode MAP-T
Default-mapping-rule
Ip-v6-prefix 2001:DA8:B001:FFFF::/64
Basic-mapping-rule
Ip-v6-prefix 2001:DA8:B001::/56
Ip-v4-prefix 202.1.0.128/28
Port-parameters
Share-ratio 16 Contiguous-ports 64 Start-port 1024
Share-ratio-bits 4 Contiguous-ports-bits 6 Port-offset-bits 6
At the PC:
An IPv4 packet goes from 202.1.0.130 to 11.1.1.1. At the customer edge (CE) device the Mapping of Address and Port using Translation (MAP-T) function translates the packet to
Src: 2201:DA8:B001:2E:0:CA01:82:E00 Dest: 2001:DA8:B001:FFFF:B:0101:0100:0.
At the border router the MAP-T border router function translates the packet to

Packet goes from 192.168.1.2 ---> 74.1.1.1, source port 4000, destination port 5000.
At the CPE the MAP-T CE function translates the packet to
Src: 2201:DA8:B001:2E:0:CA01:82:E00 Dest: 2001:DA8:B001:FFFF:B:0101:0100:0.
At the BR the MAP-T BR function translates the packet to
Src:203.38.102.130 Dst:74.1.1.1 SrcPort:4000 DstPort:5000
From the end device:
Src:74.1.1.1 Dst:203.38.102.130 SrcPort:4000 DstPort:5000
At the BR the MAP-T BR function translates the packet to
Src: 2201:DA8:B001:2E:0:CA01:82:E00 Dest: 2001:DA8:B001:FFFF:B:0101:0100:0.
At the CE the MAP-T CE function translates the packet from
Src: 2201:DA8:B001:2E:0:CA01:82:E00 Dest: 2001:DA8:B001:FFFF:B:0101:0100:0.
to
Src:74.1.1.1 Dst:203.38.102.130 SrcPort:4000 DstPort:5000
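As an added example (not Cisco IOS code), the following Python carries the BMR and DMR configured above through the RFC 7597/7599 derivation: the bit split that the show output reports (Share-ratio-bits 4, Contiguous-ports-bits 6, Port-offset-bits 6), the port set a CE with a given PSID may source, the CE and DMR IPv6 addresses for the walk-through's 202.1.0.130 to 11.1.1.1 packet, and the BR-side consistency check that drops an IPv6 source whose embedded IPv4 address, PSID or port disagree with the rule. The interface identifier layout (PSID in the low 16 bits) is the RFC 7597 one and is an assumption here; the page's sample places the PSID bits differently within the IID.

```python
"""MAP-T address and port-set derivation (RFC 7597/7599) for the page's BMR/DMR.

Added example, not Cisco's implementation. Rule values are taken from the
configuration above; the IID layout follows RFC 7597 (assumption).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Bmr:
    """Basic mapping rule: the four values configured in Steps 6 to 8."""
    ipv6_prefix: ipaddress.IPv6Network   # rule IPv6 prefix, 2001:DA8:B001::/56
    ipv4_prefix: ipaddress.IPv4Network   # rule IPv4 prefix, 202.1.0.128/28
    share_ratio: int                     # subscribers per IPv4 address, 16
    start_port: int                      # lowest port a CE may use, 1024

    @property
    def psid_bits(self) -> int:          # k, "Share-ratio-bits" = log2(share ratio)
        return self.share_ratio.bit_length() - 1

    @property
    def ipv4_suffix_bits(self) -> int:   # p: host bits of the IPv4 prefix
        return 32 - self.ipv4_prefix.prefixlen

    @property
    def ea_bits(self) -> int:            # o = p + k, embedded after the rule prefix
        return self.ipv4_suffix_bits + self.psid_bits

    @property
    def offset_bits(self) -> int:        # a, "Port-offset-bits": A = 0 spans 0..start_port-1
        return 16 - (self.start_port.bit_length() - 1)

    @property
    def contiguous_bits(self) -> int:    # m, "Contiguous-ports-bits"; port = A | PSID | M
        return 16 - self.offset_bits - self.psid_bits


def psid_from_port(bmr: Bmr, port: int) -> int:
    """The PSID is the k bits of the port between the offset field A and the suffix M."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return (port >> bmr.contiguous_bits) & ((1 << bmr.psid_bits) - 1)


def port_set(bmr: Bmr, psid: int) -> list:
    """Every port a CE holding this PSID may source; A = 0 (well-known ports) is excluded."""
    ports = []
    for a in range(1, 1 << bmr.offset_bits):
        base = (a << (16 - bmr.offset_bits)) | (psid << bmr.contiguous_bits)
        ports.extend(range(base, base + (1 << bmr.contiguous_bits)))
    return ports


def ce_end_user_prefix(bmr: Bmr, ipv4, psid: int) -> ipaddress.IPv6Network:
    """Rule IPv6 prefix followed by the EA bits: IPv4 suffix bits, then the PSID."""
    ipv4 = ipaddress.IPv4Address(ipv4)
    suffix = int(ipv4) & ((1 << bmr.ipv4_suffix_bits) - 1)
    ea = (suffix << bmr.psid_bits) | psid
    n = bmr.ipv6_prefix.prefixlen + bmr.ea_bits
    return ipaddress.IPv6Network((int(bmr.ipv6_prefix.network_address) | (ea << (128 - n)), n))


def ce_ipv6_address(bmr: Bmr, ipv4, psid: int) -> ipaddress.IPv6Address:
    """End-user prefix + RFC 7597 IID: 16 zero bits | IPv4 address | PSID padded to 16 bits."""
    ipv4 = ipaddress.IPv4Address(ipv4)
    prefix = ce_end_user_prefix(bmr, ipv4, psid)
    iid = (int(ipv4) << 16) | psid
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def dmr_ipv6_address(dmr: ipaddress.IPv6Network, ipv4) -> ipaddress.IPv6Address:
    """RFC 6052 embedding for a /64 DMR: prefix | 8 zero 'u' bits | IPv4 | 24 zero bits."""
    if dmr.prefixlen != 64:
        raise ValueError("only the /64 DMR used on this page is handled")
    return ipaddress.IPv6Address(int(dmr.network_address) | (int(ipaddress.IPv4Address(ipv4)) << 24))


def br_ipv4_source(bmr: Bmr, ipv6_src, src_port: int):
    """BR-side check (RFC 7599 section 8.1): recover the IPv4 source from the IID and accept
    it only if address, PSID and EA bits all agree with the BMR. Returns the IPv4 address,
    or None when the packet must be dropped as spoofed or outside the subscriber's port set."""
    ipv6_src = ipaddress.IPv6Address(ipv6_src)
    if ipv6_src not in bmr.ipv6_prefix:
        return None
    iid = int(ipv6_src) & ((1 << 64) - 1)
    ipv4 = ipaddress.IPv4Address((iid >> 16) & 0xFFFFFFFF)
    psid = iid & 0xFFFF
    if ipv4 not in bmr.ipv4_prefix or src_port < bmr.start_port:
        return None
    if psid_from_port(bmr, src_port) != psid:
        return None                      # port is not in this subscriber's set
    if ce_ipv6_address(bmr, ipv4, psid) != ipv6_src:
        return None                      # EA bits in the prefix disagree with the IID
    return ipv4


# Values from the page's configuration and traffic walk-through.
BMR = Bmr(ipaddress.IPv6Network("2001:DA8:B001::/56"),
          ipaddress.IPv4Network("202.1.0.128/28"), share_ratio=16, start_port=1024)
DMR = ipaddress.IPv6Network("2001:DA8:B001:FFFF::/64")

if __name__ == "__main__":
    psid = psid_from_port(BMR, 4000)
    print(f"k/m/a bits = {BMR.psid_bits}/{BMR.contiguous_bits}/{BMR.offset_bits}, PSID = {psid:#x}")
    print("CE address :", ce_ipv6_address(BMR, "202.1.0.130", psid))
    print("DMR address:", dmr_ipv6_address(DMR, "11.1.1.1"))
    print("port set   :", len(port_set(BMR, psid)), "ports from", port_set(BMR, psid)[0])
    print("BR accepts :", br_ipv4_source(BMR, ce_ipv6_address(BMR, "202.1.0.130", psid), 4000))
```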
Related Documents
Cisco IOS commands: Cisco IOS Master Command List, All Releases
Feature Name: Mapping of Address and Port Using Translation
Releases: Cisco IOS Release 15.5(2)T
Feature Information: The Mapping of Address and Port Using Translation feature provides connectivity to IPv4 hosts across IPv6 domains. MAP-T is a mechanism that performs double translation (IPv4 to IPv6 and vice versa) on CE devices and border routers.
The following commands were introduced or modified: basic-mapping-rule, default-mapping-rule, ipv4-prefix, ipv6-prefix, mode (nat64), nat64 map-t domain, port-parameters, and show nat64 map-t.
Glossary
EA bits—Embedded address bits. The IPv4 EA bits in the IPv6 address identify an IPv4 prefix/address (or
part thereof) or a shared IPv4 address (or part thereof) and a port-set identifier.
IP fragmentation—The process of breaking a datagram into a number of pieces that can be reassembled
later. The IP source, destination, identification, total length, and fragment offset fields, along with the More
fragments and Don't Fragment (DF) flags in the IP header, are used for IP fragmentation and reassembly. A
DF bit is a bit within the IP header that determines whether a device is allowed to fragment a packet.
IPv4-translatable address—IPv6 addresses that are used to represent IPv4 hosts. These addresses have an
explicit mapping relationship to IPv6 addresses. This relationship is self-described by mapping the IPv4
address in the IPv6 address. Both stateless and stateful translators use IPv4-translatable (also called
IPv4-converted) IPv6 addresses to represent IPv4 hosts.
IPv6-translatable address—IPv6 addresses that are assigned to IPv6 hosts for stateless translation. These
IPv6-translatable addresses (also called IPv6-converted addresses) have an explicit mapping relationship to
IPv4 addresses. This relationship is self-described by mapping the IPv4 address in the IPv6 address. The
stateless translator uses corresponding IPv4 addresses to represent IPv6 hosts. The stateful translator does not
use IPv6-translatable addresses because IPv6 hosts are represented by the IPv4 address pool in the translator
via dynamic states.
MAP rule—A set of parameters that define the mapping between an IPv4 prefix, an IPv4 address or a shared
IPv4 address, and an IPv6 prefix or address. Each MAP domain uses a different mapping rule set.
MAP-T border router—A mapping of address and port using translation (MAP-T)-enabled router or translator
at the edge of a MAP domain that provides connectivity to the MAP-T domain. A border relay router has at
least one IPv6-enabled interface and one IPv4 interface connected to the native IPv4 network, and this router
can serve multiple MAP-T domains.
MAP-T CE—A device that functions as a customer edge (CE) router in a MAP-T deployment. A typical
MAP-T CE device that adopts MAP rules serves a residential site with one WAN-side interface and one or
more LAN-side interfaces. A MAP-T CE device can also be referred to as a “CE” within the context of a
MAP-T domain.
MAP-T domain—Mapping of address and port using translation (MAP-T) domain. One or more customer
edge (CE) devices and a border router, all connected to the same IPv6 network. A service provider may deploy
a single MAP-T domain or use multiple MAP domains.
MRT—MAP rule table. Address and port-aware data structure that supports the longest match lookups. The
MRT is used by the MAP-T forwarding function.
path MTU—Path maximum transmission unit (MTU) discovery prevents fragmentation in the path between
endpoints. Path MTU discovery is used to dynamically determine the lowest MTU along the path from a
packet’s source to its destination. Path MTU discovery is supported only by TCP and UDP. Path MTU
discovery is mandatory in IPv6, but it is optional in IPv4. IPv6 devices never fragment a packet—only the
sender can fragment packets.
stateful translation—Creates a per-flow state when the first packet in a flow is received. A translation
algorithm is said to be stateful if the transmission or reception of a packet creates or modifies a data structure
in the relevant network element. Stateful translation allows the use of multiple translators interchangeably
and also some level of scalability. Stateful translation enables IPv6 clients and peers without mapped IPv4
addresses to connect to IPv4-only servers and peers.
stateless translation—A translation algorithm that is not stateful. A stateless translation requires configuring
a static translation table or may derive information algorithmically from the messages that it is translating.
Stateless translation requires less computational overhead than stateful translation. It also requires less memory
to maintain the state because the translation tables and the associated methods and processes exist in a stateful
algorithm and do not exist in a stateless one. Stateless translation enables IPv4-only clients and peers to initiate
connections to IPv6-only servers or peers that are equipped with IPv4-embedded IPv6 addresses. It also
enables scalable coordination of IPv4-only stub networks or ISP IPv6-only networks. Because the source port
in an IPv6-to-IPv4 translation may have to be changed to provide adequate flow identification, the source
port in the IPv4-to-IPv6 direction need not be changed.
Feature Name: MAP-E
Releases: 15.6(1)T
Feature Information: The MAP-E feature provides support for configurable rules used to define the mapping between an IPv4 prefix and an IPv4 address or between a shared IPv4 address and an IPv6 prefix/address.
The following commands were introduced or modified: basic-mapping-rule, default-mapping-rule, nat64 map-e, port-parameters, show nat64 map-e.
Information About Mapping of Address and Port Using Encapsulation
Mapping of Address and Port Using Encapsulation
MAP-E stands for Mapping of Address and Port using Encapsulation. The MAP-E feature enables you to
configure mapping rules for translation between IPv4 and IPv6 addresses. Each MAP-E domain uses a different
mapping rule set. A MAP-E configuration comprises one basic mapping rule (BMR), one default mapping rule
(DMR), and one or more forwarding mapping rules (FMRs) for each MAP-E domain.
A BMR configures the MAP IPv6 address or prefix. You can configure only one BMR per IPv6 prefix. The
MAP-E CE uses the BMR to configure itself with an IPv4 address, an IPv4 prefix, or a shared IPv4 address
from an IPv6 prefix. A BMR can also be used for forwarding packets in scenarios where an IPv4 destination
address and a destination port are mapped into an IPv6 address/prefix. Every MAP-E node (a CE device is a
MAP-E node) must be provisioned with a BMR. The BMR prefix, together with the port parameters, is used
as the tunnel destination address. You can use the port-parameters command to configure port parameters
for the MAP-E BMR.
A DMR prefix that matches the interface address is recognized as a host address, and a DMR prefix with a
prefix length of 128 is recognized as the tunnel source address.
Persistent Storage
When a Customer Edge (CE) boots up for the first time, it immediately sends an HTTP request to the rule server
to acquire the MAP-E rules. After the CE receives the MAP-E rules, it saves a copy in persistent storage, such
as bootflash. On a subsequent reboot, the CE detects the copy of the MAP-E rules in bootflash and therefore
does not send the HTTP request immediately; instead, it sends the HTTP request after a random delay of
between 1 and 10 minutes.
The following files are created once the MAP-E rules are downloaded:
• /bootflash/mape/mape-rule.json
• /bootflash/mape/hostname (for the fixed IP case)
Note In the fixed IP case, a tunnel interface (IP in IP) is used instead of a NAT64 configuration. The nat64
provisioning mode command is used to enable the tunnel interface.
DETAILED STEPS
Step 3 nat64 map-e domain number
Specifies the nat64 MAP-E domain and enters the MAP-E configuration mode.
• The range is from 1 to 128.
Example:
Device(config)# nat64 map-e domain 1

Step 4 basic-mapping-rule
Specifies the MAP-E mapping rule and enters the basic mapping rule configuration mode.
Example:
Device(config-nat64-mape)# basic-mapping-rule

Step 5 ipv4-prefix ipv4-prefix/length
Specifies the IPv4 prefix and length for translation.
Example:
Device(config-nat64-mape-bmr)# ipv4-prefix 10.1.1.0/24

Step 7 port-parameters share-ratio number port-offset-bits number | start-port port-number | no-eabits number
Specifies the share-ratio, contiguous-ports, and start-port values for the MAP-E Basic Mapping Rule (BMR).
• If the share ratio is greater than 1 and the start-port value is incorrect, the configuration returns an error and displays the value that must be configured. The expected value is calculated from the share ratio and the port-offset bits.
• If the share ratio is 1, there are no port-offset bits: the value is automatically set to 6 and the start port is set to 1024.
Example:
Device(config-nat64-mape-bmr)# port-parameters share-ratio 2 port-offset-bits 5 start-port 1024

Step 8 exit
Exits basic mapping rule configuration mode and returns to MAP-E configuration mode.
Example:
Device(config-nat64-mape-bmr)# exit

Step 9 default-mapping-rule ipv6-prefix/length
Specifies the IPv6 prefix and length for the MAP-E Default Mapping Rule (DMR).
Example:
Device(config-nat64-map-e-dmr)# default-mapping-rule 2001:22::0/128
DETAILED STEPS
Step 1 enable
Example:
Device> enable
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s14/fsaclseq.htm
Note If you specify an access list to use with a NAT command, NAT does not support the commonly used permit
ip any any command in the access list.
The figure below shows a typical NAT integration with MPLS VPNs. The PE router connected to the Internet
and to the centralized mail service performs the address translation.
Figure 15: Typical NAT Integration with MPLS VPNs
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip netmask netmask
4. ip nat [inside | outside] source [list {access-list-number | access-list-name} | route-map name] [interface
type number | pool pool-name] vrf vrf-name[overload]
5. Repeat Step 4 for each VPN being configured
DETAILED STEPS
Step 3 ip nat pool name start-ip end-ip netmask netmask
Defines a pool of IP addresses for NAT.

Step 4 ip nat [inside | outside] source [list {access-list-number | access-list-name} | route-map name] [interface type number | pool pool-name] vrf vrf-name [overload]
Allows NAT to be configured on a particular VPN.

Step 6 ip route vrf vrf-name prefix mask interface-type interface-number next-hop-address
Allows NAT to be configured on a particular VPN.
Example:
Router(config)# ip route vrf shop 0.0.0.0 0.0.0.0 ethernet 0 168.58.88.2
Router(config)# exit
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source {static {esp local-ip interface type number | local-ip global-ip}} [extendable |
mapping-id map-id| no-alias | no-payload | redundancy group-name | route-map | vrf name]
4. Repeat Step 3 for each VPN being configured.
5. ip route vrf vrf-name prefix prefix mask next-hop-address global
6. Repeat Step 5 for each VPN being configured.
7. exit
8. show ip nat translations vrf vrf-name
DETAILED STEPS
Step 3 ip nat inside source {static {esp local-ip interface type number | local-ip global-ip}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | vrf name]
Enables inside static translation on the VRF.
Example:
Router(config)# ip nat inside source static 192.168.121.113 2.2.2.1 vrf shop
Router(config)# ip route vrf shop 0.0.0.0 0.0.0.0 168.58.88.2 global
Router(config)# exit

Step 8 show ip nat translations vrf vrf-name
(Optional) Displays the settings used by VRF translations.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool outside global-ip local-ip netmask netmask
4. ip nat inside source static local-ip global-ip vrf vrf-name
5. Repeat Step 4 for each VRF being configured.
6. ip nat outside source static global-ip local-ip vrf vrf-name
7. exit
8. show ip nat translations vrf vrf-name
DETAILED STEPS
Step 3 ip nat pool outside global-ip local-ip netmask netmask
Allows the configured VRF to be associated with the NAT translation rule.
Example:
Router(config)# ip nat pool outside 4.4.4.1 4.4.4.254 netmask 255.255.255.0

Step 4 ip nat inside source static local-ip global-ip vrf vrf-name
Allows the route to be shared by several customers.
Example:
Router(config)# ip nat inside source static 192.168.121.113 2.2.2.1 vrf shop

Step 5 Repeat Step 4 for each VRF being configured.
Allows the route to be shared by several customers.

Step 6 ip nat outside source static global-ip local-ip vrf vrf-name
Enables NAT translation of the outside source address.
Example:
Router(config)# ip nat outside source static 168.58.88.2 4.4.4.1 vrf shop
Router(config)# exit

Step 8 show ip nat translations vrf vrf-name
(Optional) Displays the settings used by VRF translations.
SUMMARY STEPS
1. enable
2. configure {terminal | memory | network}
3. ip nat pool inside global-ip local-ip netmask netmask
4. Repeat Step 3 for each pool being configured.
DETAILED STEPS
Step 3 ip nat pool inside global-ip local-ip netmask netmask
Allows the configured VRF to be associated with the NAT translation rule.

Step 5 ip nat inside source list access-list-number pool pool-name vrf vrf-name
Allows the route to be shared by several customers.
Example:
Router(config)# ip nat inside source list 1 pool inside2 vrf shop

Step 6 Repeat Step 5 for each pool being configured.
Defines the access list.

Step 7 ip nat outside source static global-ip local-ip vrf vrf-name
Allows the route to be shared by several customers.
Example:
Router(config)# ip nat outside source static 168.58.88.2 4.4.4.1 vrf shop
Router(config)# exit

Step 10 show ip nat translations vrf vrf-name
(Optional) Displays the settings used by VRF translations.
!
ip nat pool inside 2.2.2.10 2.2.2.10 netmask 255.255.255.0
ip nat inside source list 1 pool inside vrf bank overload
ip nat inside source list 1 pool inside vrf park overload
ip nat inside source list 1 pool inside vrf shop overload
!
ip route vrf shop 0.0.0.0 0.0.0.0 Ethernet1/3 168.58.88.2
ip route vrf bank 0.0.0.0 0.0.0.0 Ethernet1/3 168.58.88.2
ip route vrf park 0.0.0.0 0.0.0.0 Ethernet1/3 168.58.88.2
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
ip nat inside source static 192.168.121.113 2.2.2.1 vrf shop
ip nat inside source static 192.168.122.49 2.2.2.2 vrf shop
ip nat inside source static 192.168.121.113 2.2.2.3 vrf bank
ip nat inside source static 192.168.22.49 2.2.2.4 vrf bank
ip nat inside source static 192.168.121.113 2.2.2.5 vrf park
ip nat inside source static 192.168.22.49 2.2.2.6 vrf park
ip nat inside source static 192.168.11.1 2.2.2.11 vrf shop
ip nat inside source static 192.168.11.3 2.2.2.12 vrf shop
ip nat inside source static 140.48.5.20 2.2.2.13 vrf shop
!
ip route 2.2.2.1 255.255.255.255 Ethernet1/0 192.168.121.113
ip route 2.2.2.2 255.255.255.255 Ethernet1/0 192.168.121.113
ip route 2.2.2.3 255.255.255.255 Serial2/1.1 192.168.121.113
ip route 2.2.2.4 255.255.255.255 Serial2/1.1 192.168.121.113
ip route 2.2.2.5 255.255.255.255 FastEthernet0/0 192.168.121.113
ip route 2.2.2.6 255.255.255.255 FastEthernet0/0 192.168.121.113
ip route 2.2.2.11 255.255.255.255 Ethernet1/0 192.168.121.113
ip route 2.2.2.12 255.255.255.255 Ethernet1/0 192.168.121.113
ip route 2.2.2.13 255.255.255.255 Ethernet1/0 192.168.121.113
!
ip nat pool outside 4.4.4.1 4.4.4.254 netmask 255.255.255.0
ip nat inside source static 192.168.121.113 2.2.2.1 vrf shop
ip nat inside source static 192.168.122.49 2.2.2.2 vrf shop
ip nat inside source static 192.168.121.113 2.2.2.3 vrf bank
ip nat inside source static 192.168.22.49 2.2.2.4 vrf bank
ip nat inside source static 192.168.121.113 2.2.2.5 vrf park
ip nat inside source static 192.168.22.49 2.2.2.6 vrf park
ip nat outside source list 1 pool outside
!
!
ip default-gateway 10.1.15.1
ip nat pool inside1 2.2.1.1 2.2.1.254 netmask 255.255.255.0
ip nat pool inside2 2.2.2.1 2.2.2.254 netmask 255.255.255.0
ip nat pool inside3 2.2.3.1 2.2.3.254 netmask 255.255.255.0
ip nat inside source list 1 pool inside2 vrf bank
ip nat inside source list 1 pool inside3 vrf park
ip nat inside source list 1 pool inside1 vrf shop
ip nat outside source static 168.58.88.2 4.4.4.1 vrf bank
ip nat outside source static 18.68.58.1 4.4.4.2 vrf park
ip nat outside source static 168.58.88.1 4.4.4.3 vrf shop
ip classless
ip route 192.170.10.0 255.255.255.0 Ethernet1/0 192.168.121.113
ip route 192.170.11.0 255.255.255.0 Serial2/1.1 192.168.121.113
ip route 192.170.12.0 255.255.255.0 FastEthernet0/0 192.168.121.113
ip route vrf shop 0.0.0.0 0.0.0.0 168.58.88.2 global
ip route vrf bank 0.0.0.0 0.0.0.0 168.58.88.2 global
ip route vrf park 0.0.0.0 0.0.0.0 168.58.88.2 global
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
Where to Go Next
• To learn about Network Address Translation and configure NAT for IP address conservation, see the
“Configuring NAT for IP Address Conservation” module.
• To verify, monitor, and maintain NAT, see the “Monitoring and Maintaining NAT” module.
• To use NAT with application level gateways, see the “Using Application Level Gateways with NAT”
module.
• To configure NAT for high availability, see the “Configuring NAT for High Availability” module.
Feature Name: Integrating NAT with MPLS VPNs
Releases: 12.1(13)T, 15.1(1)SY
Feature Information: The Integrating NAT with MPLS VPNs feature allows multiple Multiprotocol Label Switching (MPLS) VPNs to be configured on a single device to work together.
Note Effective January 31, 2014, Stateful NAT is not available in Cisco IOS software. For more information, see
End-of-Sale and End-of-Life Announcement for the Cisco IOS Stateful Failover of Network Address Translation
(SNAT).
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Cisco IOS Hosted NAT Traversal for Session Border Controller Overview
Private IP addresses and ports inserted in the packet payload by client devices, such as IP phones and video
conferencing stations, are not routable in public networks using NAT. In addition, intermediate routers between
the inside phones and the NAT SBC might not provide ALG functionality. The hosted NAT traversal handles
the signaling and media streams involved in setting up, conducting, and tearing down calls that traverse
these intermediate routers.
The figure below illustrates how the NAT SBC handles embedded SIP/SDP information for the address and
port allocation by differentiating the overlapped embedded information.
Figure 16: NAT as a SIP Session Border Controller
The inside phones have the proxy configured as the NAT SBC’s preconfigured address and port. NAT SBC
has the Softswitch’s address and port preconfigured as the proxy. The NAT SBC intercepts the packets destined
from the inside phones to itself and translates the inside hosts and other information in the SIP/SDP payload
and the IP/UDP destination address or port to the Softswitch’s address and port, and vice versa.
The SIP/SDP information is translated by either NAT or PAT so that the Real-Time Transport Protocol (RTP)
flow can run directly between the phones in the NAT SBC inside domain.
The address-only fields are not translated by the NAT SIP ALG. They are handled by the NAT SBC, except
for the proxy-authorization and authorization fields, because translating those would break authentication.
If the intermediate routers between the inside phones and the NAT SBC are configured to do a PAT, the user
agents (phones and proxy) must support symmetric signaling and symmetric and early media. You must
configure the override port on the NAT SBC router. In the absence of support for symmetric signaling and
symmetric and early media, the intermediate routers must be configured without PAT and the override address
should be configured in the NAT SBC.
The registration throttling support enables you to define the parameters in the Expires: header and the expires=
parameter. It allows you to elect to not forward certain registration messages to the Softswitch.
Note When you use the NAT SBC feature and you want the call IDs to be translated, you must configure two
address pools in such a way that the pool for SBC is accessed before the pool for the call IDs. Use the ip nat
pool command to configure the address pools. Access lists are chosen in ascending order, so you should assign
the list associated with the SBC pool a lower number than the list associated with the call ID pool.
Note The proxy of the inside phones must be set to 200.1.1.1. The VPN routing and forwarding (VRF) instance
configuration as shown is optional.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip nat inside
5. exit
6. interface type number
7. ip nat outside
8. exit
9. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
10. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
11. ip nat inside source list access-list-number pool name [vrf vrf-name] [overload]
12. ip nat outside source list access-list-number pool name
13. ip nat sip-sbc
14. proxy inside-address inside-port outside-address outside-port protocol udp
15. vrf-list
16. vrf-name vrf-name
17. exit
18. ip nat sip-sbc
19. call-id-pool call-id-pool
20. session-timeout seconds
21. mode allow-flow-around
22. override address
23. end
DETAILED STEPS
Router> enable

Step 3 interface type number
Specifies an interface and returns to interface configuration mode.

Step 4 ip nat inside
Connects the interface to the inside network (the network subject to NAT translation).
Example:
Router(config-if)# exit

Step 6 interface type number
Specifies an interface and enters interface configuration mode.
Example:
Router(config-if)# exit

Step 9 ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a pool of global addresses to be allocated for the inside network.
Note You must configure two address pools when you are using the NAT SBC feature and you want to translate the call IDs. In this step you are configuring the first address pool.
Example:
Router(config)# ip nat pool inside-pool-A 172.16.0.1 172.16.0.10 prefix-length 16

Step 11 ip nat inside source list access-list-number pool name [vrf vrf-name] [overload]
Enables NAT of the inside source address and configures the access list for translation.

Step 12 ip nat outside source list access-list-number pool name
Enables NAT of the outside source address and configures the access list for translation.

Step 14 proxy inside-address inside-port outside-address outside-port protocol udp
Configures the address or port that the inside phones will be referring to, and the outside proxy's address and port to which the NAT SBC translates the destination IP address and port.
Example:
Router(config-ipnat-sbc)# proxy 200.1.1.1 5060 192.0.2.2 5060 protocol udp
Router(config-ipnat-sbc)# vrf-list

Step 16 vrf-name vrf-name
(Optional) Defines SBC VRF list names.

Step 17 exit
Exits IP NAT SBC VRF configuration mode and enters global configuration mode.
Example:
Router(config-ipnat-sbc-vrf)# exit

Step 19 call-id-pool call-id-pool
Specifies a dummy pool name to which the call ID of in-to-out SIP signaling packets is translated; a 1:1 association is maintained rather than using the regular NAT pool.
• This pool can be used in an overload scenario:
  • A NAT mapping with an appropriate access control list (ACL) and a NAT pool matching the pool name must be configured.
  • This pool is not used for any NAT processing other than call ID processing.
Example:
Router(config-ipnat-sbc)# call-id-pool pool-name

Step 20 session-timeout seconds
Configures the timeout duration for NAT entries pertaining to SIP signaling flows.
• The default is 5 minutes.
Example:
Router(config-ipnat-sbc)# session-timeout 300

Step 22 override address
Allows the NAT SBC to override the out-to-in traffic's destination IP address during signaling or RTP traffic, or to override the address and port.
Example:
Router(config-ipnat-sbc)# override address
Router(config-ipnat-sbc)# end
interface ethernet1/1
ip nat inside
!
interface ethernet1/2
ip nat inside
!
interface ethernet1/3
ip nat outside
!
ip nat pool inside-pool-A 172.16.0.1 172.16.0.10 prefix-length 16
ip nat pool inside-pool-B 192.168.0.1 192.168.0.10 prefix-length 24
ip nat pool outside-pool 203.0.113.1 203.0.113.10 prefix-length 24
ip nat inside source list 1 pool inside-pool-A vrf vrfA overload
ip nat inside source list 2 pool inside-pool-B vrf vrfB overload
ip nat outside source list 3 pool outside-pool
!
! Access-list for VRF-A inside phones (standard ACLs take a wildcard mask, not a subnet mask)
access-list 1 permit 172.16.0.0 0.0.255.255
!
! Access-list for VRF-B inside phones
access-list 2 permit 192.0.2.0 0.0.0.255
!
access-list 3 permit 203.0.113.0 0.0.0.255
ip nat sip-sbc
proxy 200.1.1.1 5060 192.0.2.2 5060 protocol udp
vrf-list
vrf-name vrfA
vrf-name vrfB
exit
call-id-pool pool-name
session-timeout 300
mode allow-flow-around
override address
Additional References
Related Documents
Cisco IOS commands: Cisco IOS Master Commands List, All Releases
NAT commands (complete command syntax, command mode, command history, defaults, usage guidelines, and examples): Cisco IOS IP Addressing Services Command Reference
Standards
None
MIBs
None. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Table 9: Feature Information for Configuring Hosted NAT Traversal for Session Border Controller
Feature Name: Cisco IOS Hosted NAT Traversal for Session Border Controller Phase-1
Releases: 12.4(9)T
Feature Information: The Cisco IOS Hosted NAT Traversal for Session Border Controller feature provides transparency with the use of a proxy device on the NAT outside domain.

Feature Name: Hosted NAT Support for Session Border Controller Phase-2
Releases: 12.4(15)T
Feature Information: The Hosted NAT Support for Session Border Controller Phase-2 feature provides registration throttling, media flow-through, and SNAT support.
Note Effective January 31, 2014, Stateful NAT is not available in Cisco IOS software. For more information, see End-of-Sale and End-of-Life Announcement for the Cisco IOS Stateful Failover of Network Address Translation (SNAT).

Feature Name: NAT as SIP Session Border Controller Media Flow
Releases: 12.4(9)T
Feature Information: The NAT as SIP Session Border Controller Media Flow feature provides support for media flow-around for RTP or RTCP exchanges between phones on the inside domain of the SBC.

Feature Name: NAT as SIP Session Border Controller Support for Address-Only Fields
Releases: 12.4(9)T
Feature Information: The NAT as SIP Session Border Controller Support for Address-Only Fields feature provides support for the translation of SIP address-only fields.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat portmap mapname application application startport startport size size
4. ip nat inside source list list-name pool pool-name overload portmap portmap-name
DETAILED STEPS
Router> enable

Step 3 ip nat portmap mapname application application startport startport size size
Defines the port map.

Step 4 ip nat inside source list list-name pool pool-name overload portmap portmap-name
Associates the port map with the NAT configuration.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service allow-h323-even-rtp-ports | allow-sip-even-rtp-ports| allow-skinny-even-rtp-ports
DETAILED STEPS
Router> enable

Step 3 ip nat service allow-h323-even-rtp-ports | allow-sip-even-rtp-ports | allow-skinny-even-rtp-ports
Establishes even port parity for H323, the SIP protocol, or the skinny protocol.
Macros have been defined to make port map configuration easier. The table below lists the name of the macros
and the ports.
The following example enables even port parity for the skinny protocol.
Additional References
Related Documents
Cisco IOS commands: Cisco IOS Master Commands List, All Releases
NAT commands (complete command syntax, command mode, defaults, usage guidelines, and examples): Cisco IOS IP Addressing Services Command Reference
Standards
None
MIBs
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Table 11: Feature Information for User Defined Source Port Ranges for PAT
Feature Name: User Defined Source Port Ranges for PAT
Releases: 12.4(11)T
Feature Information: The User Defined Source Port Ranges for PAT feature enables the specification of source port ranges for Port Address Translation (PAT) for SIP, H.323, and Skinny Real-Time Transport Protocol (RTP) and RTP Control Protocol (RTCP).
Port database with the requesting computer and the available port. An entry is added to the Symmetric Port
database, with the requesting computer, the allocated port and the requested port and the packet is sent.
This feature is only required if you need to configure NAT with pool overload or interface overload. This
feature is not applicable for other NAT configurations.
Note This feature must be enabled by the user. It should be enabled before NAT is enabled. If it is enabled later, it
will not translate previously established connections. When this feature is disabled, it is not shown in the
output of the show running-config command.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface name
4. ip nat inside
5. exit
6. access list 1 permit ip address mask
7. ip nat inside source list 1 interface interface name
8. ip nat service enable-sym-port
9. exit
DETAILED STEPS
Router> enable

Step 4 ip nat inside
Enables Network Address Translation (NAT) for the inside address.

Step 6 access list 1 permit ip address mask
Creates an access list called 1.

Step 7 ip nat inside source list 1 interface interface name
Enables NAT for the inside source for access list 1, which is attached to the Ethernet interface.
Example:
Router(config)# exit
SUMMARY STEPS
1. show ip nat translations
DETAILED STEPS
Example:
Additional References
Related Documents
NAT commands: complete command syntax, command mode, command history, usage guidelines, and examples | Cisco IOS IP Addressing Services Command Reference
Standards
Standard | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | --
MIBs
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | --
Technical Assistance
Description | Link
Table 12: Feature Information for NAT Endpoint Agnostic Port Allocation
FPG: Endpoint Agnostic Port Allocation | 12.4(24)T | This feature was introduced.
• Processes all packets sent through the NAT-enabled router, even those without the Session Description
Protocol (SDP).
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat piggyback-support sip-alg all-messages router router-id [md5-authentication
md5-authentication-key]
DETAILED STEPS
Router> enable
Step 3 ip nat piggyback-support sip-alg all-messages router router-id [md5-authentication md5-authentication-key]: Enables messages with a NAT optimized SIP media path, including MD5 authentication.
Example:
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat piggyback-support sip-alg all-messages router router-id
DETAILED STEPS
Router> enable
Step 3 ip nat piggyback-support sip-alg all-messages router router-id: Enables messages with a NAT optimized SIP media path without MD5 authentication.
Example:
Additional References
Related Documents
Cisco IOS commands | Cisco IOS Master Commands List, All Releases
NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS IP Addressing Services Command Reference
RADIUS attributes overview | RADIUS Attributes Overview and RADIUS IETF Attributes module
Using HSRP and stateful NAT for high availability | Configuring NAT for High Availability module
Using NAT with MPLS VPNs | Integrating NAT with MPLS VPNs module
Standard/RFC | Title
Technical Assistance
Description | Link
Table 13: Feature Information for NAT Optimized SIP Media Path Without SDP
NAT Optimized SIP Media Path Without SDP | 12.4(2)T | The NAT Optimized SIP Media Path Without SDP feature provides the ability to optimize the media path taken by a SIP VoIP session when NAT is used. NAT forces the VoIP traffic to take at least one extra hop in the network, which usually results in several additional hops being added to the path between two IP hosts.
Information About the NAT Optimized SIP Media Path with SDP
Feature
Restrictions for NAT Optimized SIP Media Path with SDP
SIP messages may or may not have SDP. This feature processes SIP messages with SDP only. If a call exchange
with SDP is certain to occur, this feature should be used.
Use the “NAT - Optimized SIP Media without SDP” feature for SIP messages without SDP. That feature
processes all packets sent through the NAT-enabled router but is more CPU intensive than processing only SIP
messages with SDP.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat piggyback-support sip-alg sdp-only router router-id md5-authentication md5-authentication-key
DETAILED STEPS
Router> enable
Step 3 ip nat piggyback-support sip-alg sdp-only router router-id md5-authentication md5-authentication-key: Enables SDP messages with a NAT optimized SIP media path, including MD5 authentication.
Example:
Configuring a NAT Optimized SIP Media Path with SDP Messages Without
MD5 Authentication
Perform this task to configure SDP messages with a NAT optimized SIP Media path without MD5
authentication.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat piggyback-support sip-alg sdp-only router router-id
DETAILED STEPS
Router> enable
Step 3 ip nat piggyback-support sip-alg sdp-only router router-id: Enables SDP messages with a NAT optimized SIP media path without MD5 authentication.
Example:
Configuring a NAT Optimized SIP Media Path with SDP Without MD5
Authentication Example
The following example shows how to configure a NAT optimized SIP media path with SDP without MD5
authentication:
Additional References
Related Documents
NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS IP Addressing Services Command Reference
NAT Optimized SIP Media Path without SDP configuration tasks and conceptual information | “NAT - Optimized SIP Media without SDP” module
Standards
Standard | Title
None | --
MIBs
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
None | --
Technical Assistance
Description | Link
NAT Optimized SIP Media Path with SDP | 12.4(2)T | The NAT Optimized SIP Media Path with SDP feature allows the creation of a shorter path for Session Initiation Protocol (SIP) media channels by distributing endpoint IP addressing information with the Session Description Protocol (SDP) of SIP messages. This feature allows endpoints to communicate directly by using standard routing and eliminates the need for them to traverse upstream NAT routers.
Note All NAT commands that support VRF support the match-in-vrf keyword. Because NAT outside rules (ip
nat outside source command) support the match-in-VRF functionality by default, the match-in-vrf keyword
is not supported by NAT outside rules.
In VRF-aware NAT, the IP alias and Address Resolution Protocol (ARP) entries for inside global addresses
are configured in the global domain. For intra-VPN NAT, the IP alias and ARP entries for inside global
addresses are configured in the VRF through which the translation happens. In intra-VPN NAT, configuration
of the match-in-vrf keyword implies that at least one NAT outside interface is configured in the same VRF.
The ARP entry in that VRF replies to the ARP request from the outside host.
If inside addresses are configured, the match-in-VRF is determined through inside mappings during the address
translation of VRF traffic. If you have configured only outside mapping of IP addresses for address translations,
the match-in-VRF will work. When a translation entry is created with both inside and outside mappings, the
match-in-vrf keyword is determined by the inside mapping.
The Match-in-VRF Support for NAT feature supports the configuration of multiple dynamic mappings with
the same IP address pool.
The following table provides you information about VRF support for NAT:
MPLS IP VRF
Note You must use the match-in-vrf keyword in the configuration to indicate that communication is occurring within the VRF.
VRF VRF
Note Both VRFs must be in the same inside interface for this configuration to work.
VRF MPLS
Note You must use the match-in-vrf keyword in the configuration to indicate that communication is occurring within the VRF.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source static local-ip global-ip [vrf vrf-name [match-in-vrf]]
4. interface type number
5. ip address ip-address mask [secondary]
6. ip nat inside
7. ip vrf forwarding vrf-name
8. exit
9. interface type number
10. ip address ip-address mask
11. ip nat outside
12. ip vrf forwarding vrf-name
13. end
DETAILED STEPS
Step 3 ip nat inside source static local-ip global-ip [vrf vrf-name [match-in-vrf]]: Establishes a static translation between an inside local address and an inside global address.
• The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF.
Example:
Router(config)# ip nat inside source static 10.10.10.1 172.16.131.1 vrf vrf1 match-in-vrf
Step 4 interface type number: Specifies an interface and enters interface configuration mode.
Example:
Router(config)# interface gigabitethernet 0/0/1
Step 5 ip address ip-address mask [secondary]: Sets a primary IP address for an interface.
Example:
Router(config-if)# ip address 10.114.11.39 255.255.255.0
Step 9 interface type number: Specifies a different interface and enters interface configuration mode.
Example:
Router(config)# interface gigabitethernet 0/0/0
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source list access-list-number pool pool-name [vrf vrf-name [match-in-vrf]]
4. access-list access-list-number permit source [source-wildcard]
5. ip nat inside source list access-list-number pool pool-name vrf vrf-name [match-in-vrf]
6. interface type number
7. ip address ip-address mask
8. ip nat inside
9. ip vrf forwarding vrf-name
10. exit
11. interface type number
12. ip address ip-address mask
13. ip nat outside
14. ip vrf forwarding vrf-name
15. end
DETAILED STEPS
Step 4 access-list access-list-number permit source [source-wildcard]: Defines a standard access list permitting those addresses that are to be translated.
Example:
Router(config)# access-list 1 permit 192.168.34.0 0.0.0.255
Step 5 ip nat inside source list access-list-number pool pool-name vrf vrf-name [match-in-vrf]: Establishes dynamic source translation, specifying the access list defined in the previous step.
Example:
Router(config)# ip nat inside source list 1 pool shared-pool vrf vpn1
Step 6 interface type number: Specifies an interface and enters interface configuration mode.
Example:
Router(config)# interface gigabitethernet 0/0/1
Step 11 interface type number: Specifies a different interface and enters interface configuration mode.
Example:
Router(config)# interface gigabitethernet 0/0/0
Cisco IOS commands | Cisco IOS Master Command List, All Releases
NAT commands: complete command syntax, command mode, command history, usage guidelines, and examples | Cisco IOS IP Addressing Services Command Reference
Using NAT with MPLS VPNs | “Integrating NAT with MPLS VPNs” module
Standard/RFC | Title
RFC 826 | Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware
Technical Assistance
Description | Link
Match-in-VRF Support for NAT | Cisco IOS XE Release 3.5S | The Match-in-VRF Support for NAT feature supports the NAT translation of packets that communicate between two hosts within the same VPN.
Translation Entries
Translation entry information includes the following:
• The protocol of the port identifying the address.
• The legitimate IP address that represents one or more inside local IP addresses to the outside world.
• The IP address assigned to a host on the inside network; probably not a legitimate address assigned by
the NIC or service provider.
• The IP address of an outside host as it appears to the inside network; probably not a legitimate address
assigned by the NIC or service provider.
• The IP address assigned to a host on the outside network by its owner.
• The time since the entry was created (in hours:minutes:seconds).
• The time since the entry was last used (in hours:minutes:seconds).
• Flags indicating the type of translation. Possible flags are:
• extended—Extended translation.
• static—Static translation.
• destination—Rotary translation.
• outside—Outside translation.
• timing out—Translation will no longer be used, due to a TCP finish (FIN) or reset (RST) flag.
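As an added illustration that is not part of the Cisco document, the following Python parses show ip nat translations output into the fields listed above (protocol, inside global, inside local, outside local, outside global) and counts entries per inside local host, a quick check for pool exhaustion or a single host monopolising the table. The sample output is constructed in the command's five-column layout, and the threshold is an assumed site-specific value.

```python
"""Parse `show ip nat translations` output and flag inside hosts holding an
unusually large share of the translation table.
Added example, not Cisco code. SAMPLE_OUTPUT is constructed in the command's
five-column layout; "---" marks a field that is not set (a static entry has no
protocol/ports, a half-entry has no outside addresses yet)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 192.168.2.209:1220 192.168.2.195:1220 192.168.2.13:53    192.168.2.132:53
--- 192.168.2.209      192.168.2.95       192.168.2.100      192.168.2.101
--- 192.168.2.209      192.168.2.195      ---                ---
tcp 192.168.2.209:1025 192.168.2.195:1025 192.168.2.132:80   192.168.2.132:80
udp 192.168.2.209:1221 192.168.2.195:1221 192.168.2.13:53    192.168.2.132:53
"""


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: Optional[int]  # None for address-only (static) entries


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]  # "tcp", "udp", "icmp", or None for "---"
    inside_global: Optional[Endpoint]
    inside_local: Optional[Endpoint]
    outside_local: Optional[Endpoint]
    outside_global: Optional[Endpoint]

    @property
    def is_half_entry(self) -> bool:
        """Inside mapping with no outside side yet (the kind that
        `clear ip nat translation ... forced` removes)."""
        return self.outside_local is None and self.outside_global is None


def parse_endpoint(token: str) -> Optional[Endpoint]:
    """'ip:port' or bare 'ip'; '---' means the field is not set."""
    if token == "---":
        return None
    ip, _, port = token.partition(":")
    return Endpoint(ip, int(port) if port else None)


def parse_translations(text: str) -> List[Translation]:
    """Each data row has exactly five whitespace-separated tokens; the header
    line and any blank or wrapped lines do not, so they are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 5:
            continue
        proto = None if tokens[0] == "---" else tokens[0].lower()
        rows.append(Translation(proto, *(parse_endpoint(t) for t in tokens[1:])))
    return rows


def translations_per_inside_host(rows: List[Translation]) -> Dict[str, int]:
    """Count table entries per inside local address."""
    return dict(Counter(r.inside_local.ip for r in rows if r.inside_local))


def hosts_over_threshold(rows: List[Translation], limit: int) -> List[str]:
    """Inside hosts holding more than `limit` entries. The limit is an
    assumed site-specific value (for example derived from the pool size)."""
    return sorted(h for h, n in translations_per_inside_host(rows).items() if n > limit)


if __name__ == "__main__":
    entries = parse_translations(SAMPLE_OUTPUT)
    print(f"{len(entries)} entries, {sum(e.is_half_entry for e in entries)} half-entries")
    print("per host:", translations_per_inside_host(entries))
    print("over threshold:", hosts_over_threshold(entries, 2))
```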
Statistical Information
Statistical information includes the following:
• The total number of translations active in the system. This number is incremented each time a translation
is created and is decremented each time a translation is cleared or times out.
• A list of interfaces marked as outside with the ip nat outside command.
• A list of interfaces marked as inside with the ip nat inside command.
• The number of times the software does a translations table lookup and finds an entry.
• The number of times the software does a translations table lookup, fails to find an entry, and must try to
create one.
• A cumulative count of translations that have expired since the router was booted.
• Information about dynamic mappings.
• Information about an inside source translation.
• The access list number being used for the translation.
• The name of the pool.
• The number of translations using this pool.
• The IP network mask being used in the pool.
• The starting IP address in the pool range.
• The ending IP address in the pool range.
• The type of pool. Possible types are generic or rotary.
• The number of addresses in the pool available for translation.
• The number of addresses being used.
• The number of failed allocations from the pool.
NAT does not support access control lists (ACLs) with the log option. The same functionality can be achieved
by using one of the following options:
• By having a physical interface or virtual LAN (VLAN) with the logging option
• By using NetFlow
DETAILED STEPS
Step 3 show ip nat statistics (Optional) Displays active NAT translation statistics.
Example:
Device# show ip nat statistics
Example:
The following is sample output from the show ip nat translations command:
Device# show ip nat translations
The following is sample output from the show ip nat translations verbose command:
Device# show ip nat translations verbose
The following is sample output from the show ip nat statistics command:
Device# show ip nat statistics
SUMMARY STEPS
1. enable
2. clear ip nat translation inside global-ip local-ip outside local-ip global-ip
3. clear ip nat translation outside global-ip local-ip
4. clear ip nat translation protocol inside global-ip global-port local-ip local-port outside local-ip
local-port global-ip global-port
5. clear ip nat translation {* | [forced] | [inside global-ip local-ip] [outside local-ip global-ip]}
6. clear ip nat translation inside global-ip local-ip [forced]
7. clear ip nat translation outside local-ip global-ip [forced]
DETAILED STEPS
Step 2 clear ip nat translation inside global-ip local-ip outside local-ip global-ip: (Optional) Clears a single dynamic half-entry containing an inside translation, or both an inside and an outside translation, created in a dynamic configuration.
• A dynamic half-entry is cleared only if it does not have any child translations.
Example:
Device# clear ip nat translation inside 192.168.2.209 192.168.2.95 outside 192.168.2.100 192.168.2.101
Step 3 clear ip nat translation outside global-ip local-ip: (Optional) Clears a single dynamic half-entry containing an outside translation created in a dynamic configuration.
• A dynamic half-entry is cleared only if it does not have any child translations.
Example:
Device# clear ip nat translation outside 192.168.2.100 192.168.2.80
Step 4 clear ip nat translation protocol inside global-ip global-port local-ip local-port outside local-ip local-port global-ip global-port: (Optional) Clears a UDP translation entry.
Example:
Device# clear ip nat translation udp inside 192.168.2.209 1220 192.168.2.195 1220 outside 192.168.2.13 53 192.168.2.132 53
Step 6 clear ip nat translation inside global-ip local-ip [forced]: (Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an inside translation created in a dynamic configuration, with or without its corresponding outside translation.
• A dynamic half-entry is always cleared, regardless of whether it has any child translations.
Example:
Device# clear ip nat translation inside 192.168.2.209 192.168.2.195 forced
Step 7 clear ip nat translation outside local-ip global-ip [forced]: (Optional) Forces the clearing of a single dynamic half-entry and its child translations containing an outside translation created in a dynamic configuration.
• A dynamic half-entry is always cleared, regardless of whether it has any child translations.
Example:
Device# clear ip nat translation outside 192.168.2.100 192.168.2.80 forced
Where to Go Next
• To configure NAT for use with application level gateways, see the “Using Application Level Gateways
with NAT” module.
• To integrate NAT with MPLS VPNs, see the “Integrating NAT with MPLS VPNs” module.
• To configure NAT for high availability, see the “Configuring NAT for High Availability” module.
Cisco IOS commands | Cisco IOS Master Command List, All Releases
NAT commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS IP Addressing Services Command Reference
Technical Assistance
Description | Link
NAT—Forced Clear of Dynamic NAT Half-Entries | 12.2(15)T | A second forced keyword was added to the clear ip nat translation command to enable the removal of half-entries regardless of whether they have any child translations.
• NAT-PT supports only Domain Naming System (DNS), File Transfer Protocol (FTP), and Internet
Control Message Protocol (ICMP) application-layer gateways (ALGs).
• NAT-PT does not provide end-to-end security to networks. The device on which NAT-PT is configured
can be a single point of failure in the network.
• Bridge-group virtual interfaces (BVIs) in IPv6 are not supported with NAT-PT and wireless interfaces
Dot11Radio.
NAT-PT allows direct communication between IPv6-only networks and IPv4-only networks. Dual-stack
networks (networks that have IPv4 and IPv6) can have some IPv6-only hosts configured to take advantage
of the IPv6 autoconfiguration, global addressing, and simpler management features, and these hosts can use
NAT-PT to communicate with existing IPv4-only networks in the same organization.
One of the benefits of NAT-PT is that no changes are required to existing hosts if NAT-PT is configured,
because all NAT-PT configurations are performed at the NAT-PT device. Stable IPv4 networks can introduce
an IPv6 network and use NAT-PT to communicate between these networks without disrupting the network.
For a seamless transition, you can use FTP between IPv4 and IPv6 hosts.
When you configure IPv6, packet fragmentation is enabled by default, to allow IPv4 and IPv6 networks to
resolve fragmentation problems. Without the ability to resolve fragmentation, connectivity can be intermittent
when fragmented packets are dropped or not interpreted correctly.
We do not recommend the use of NAT-PT to communicate between a dual-stack host and an IPv6-only or
IPv4-only host. We do not recommend the use of NAT-PT in a scenario in which an IPv6-only network tries
to communicate with another IPv6-only network via an IPv4 backbone or vice versa, because NAT-PT requires
a double translation. You can use tunneling techniques for communication in these scenarios.
You can configure one of the following operations for NAT-PT, but not all four.
Dynamic NAT-PT translation operation requires at least one static mapping for the IPv4 Domain Name System
(DNS) server.
After the IPv6 to IPv4 connection is established, reply packets going from IPv4 to IPv6 use the previously
established dynamic mapping to translate back from IPv4 to IPv6, and vice versa for an IPv4-only host.
IPv4-Mapped Operation
You can send traffic from your IPv6 network to an IPv4 network without configuring the IPv6 destination
address mapping. A packet that arrives at an interface is checked to discover if it has a NAT-PT prefix that
was configured with the ipv6 nat prefix v4-mapped command. If the prefix matches, then an access-list
check is performed to discover if the source address matches the access list or prefix list. If the prefix does
not match, the packet is dropped. If the prefix matches, the source address translation is performed.
If a rule is configured for the source address translation, the last 32 bits of the destination IPv6 address are used
as the IPv4 destination and a flow entry is created.
With an IPv4-mapping configuration on a device, when the Domain Name System (DNS) application-level
gateway (ALG) IPv4 address is converted to an IPv6 address, the IPv6 address is processed and the DNS ALG
translates DNS packets from the IPv4 network into the IPv6 network.
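The prefix check, source access-list check and 32-bit extraction described above, as an added Python example that is not Cisco code; the /96 NAT-PT prefix, the permitted-source prefix list standing in for the access list, and the sample addresses are constructed.

```python
"""NAT-PT IPv4-mapped operation: destination-prefix check, source ACL check,
then extraction of the IPv4 destination from the low 32 bits of the IPv6
destination. Added example, not Cisco code. The /96 prefix, the permitted
source prefix list and the sample addresses are constructed."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed global NAT-PT prefix (the only supported length is 96).
NATPT_PREFIX = ipaddress.IPv6Network("2001:DB8::/96")
# Constructed stand-in for the access list / prefix list that the v4-mapped
# rule applies to the IPv6 source address.
PERMITTED_SOURCES: List[ipaddress.IPv6Network] = [
    ipaddress.IPv6Network("2001:DB8:bbbb:1::/64"),
]


def ipv4_from_mapped(dst: str, prefix: ipaddress.IPv6Network = NATPT_PREFIX) -> Optional[str]:
    """If dst lies under the NAT-PT prefix, return the IPv4 address carried
    in its last 32 bits; otherwise None."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT-PT prefix length must be 96")
    d = ipaddress.IPv6Address(dst)
    if d not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(d) & 0xFFFF_FFFF))


def mapped_ipv6(ipv4: str, prefix: ipaddress.IPv6Network = NATPT_PREFIX) -> str:
    """Inverse operation: the IPv6 address an IPv6-only host uses to reach
    an IPv4 destination through this prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def v4_mapped_decision(src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Apply the checks in the order the text gives them and return
    (verdict, ipv4_destination). Verdicts: 'not-natpt' (destination is not
    under the prefix, so this rule does not apply), 'drop' (prefix matched
    but the source is not permitted), 'translate'."""
    v4_dst = ipv4_from_mapped(dst)
    if v4_dst is None:
        return "not-natpt", None
    s = ipaddress.IPv6Address(src)
    if not any(s in net for net in PERMITTED_SOURCES):
        return "drop", None
    return "translate", v4_dst


if __name__ == "__main__":
    target = mapped_ipv6("10.21.8.10")
    print("IPv6 host addresses 10.21.8.10 as", target)
    for src in ("2001:DB8:bbbb:1::1", "2001:DB8:cccc::1"):
        print(src, "->", target, v4_mapped_decision(src, target))
    print("destination outside the prefix:",
          v4_mapped_decision("2001:DB8:bbbb:1::1", "2001:DB8:bbbb:1::2"))
```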
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 nat prefix ipv6-prefix / prefix-length
4. interface type number
5. ipv6 address ipv6-address {/prefix-length | link-local}
6. ipv6 nat
7. exit
8. interface type number
9. ip address ip-address mask [secondary]
10. ipv6 nat
DETAILED STEPS
Router> enable
Step 3 ipv6 nat prefix ipv6-prefix / prefix-length: Assigns an IPv6 prefix as a global NAT-PT prefix.
• Matching destination prefixes in IPv6 packets are translated by NAT-PT.
• The only prefix length supported is 96.
Example:
Router(config)# ipv6 nat prefix 2001:DB8::/96
Step 4 interface type number: Specifies an interface type and number, and places the router in interface configuration mode.
Example:
Step 5 ipv6 address ipv6-address {/prefix-length | link-local}: Specifies an IPv6 address assigned to the interface and enables IPv6 processing on the interface.
Example:
Step 7 exit: Exits interface configuration mode, and returns the router to global configuration mode.
Example:
Router(config-if)# exit
Step 8 interface type number: Specifies an interface type and number, and places the router in interface configuration mode.
Example:
Step 9 ip address ip-address mask [secondary]: Specifies an IP address and mask assigned to the interface and enables IP processing on the interface.
Example:
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ipv6 nat prefix ipv6-prefix v4-mapped {access-list-name | ipv6-prefix}
DETAILED STEPS
Router> enable
Step 3 interface type number: Specifies an interface type and number, and places the router in interface configuration mode.
Example:
Step 4 ipv6 nat prefix ipv6-prefix v4-mapped {access-list-name | ipv6-prefix}: Enables customers to send traffic from their IPv6 network to an IPv4 network without configuring IPv6 destination address mapping.
Example:
SUMMARY STEPS
1. enable
2. configure terminal
DETAILED STEPS
Step 3 Configure one of the following commands:
• ipv6 nat v6v4 source ipv6-address ipv4-address: Enables a static IPv6 to IPv4 address mapping using NAT-PT.
• ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name: Enables a dynamic IPv6 to IPv4 address mapping using NAT-PT.
Example:
Device(config)# ipv6 nat v6v4 source 2001:DB8:yyyy:1::1 10.21.8.10
Device(config)# ipv6 nat v6v4 source list pt-list1 pool v4pool
Step 4 ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length: Specifies a pool of IPv4 addresses to be used by NAT-PT for dynamic address mapping.
Example:
Device(config)# ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24
Step 5 ipv6 nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout} {seconds | never}: (Optional) Specifies the time after which NAT-PT translations time out.
Example:
Device(config)# ipv6 nat translation udp-timeout 600
Step 7 permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}: (Optional) Specifies permit conditions for an IPv6 ACL.
Example:
Device(config-ipv6-acl)# permit ipv6 2001:DB8:bbbb:1::/64 any
Step 8 end: Exits IPv6 access list configuration mode, and returns to privileged EXEC mode.
Example:
Device(config-ipv6-acl)# end
Step 9 show ipv6 nat translations [icmp | tcp | udp] [verbose]: (Optional) Displays active NAT-PT translations.
• Use the optional icmp, tcp, and udp keywords to display detailed information about the NAT-PT translation events for the specified protocol.
• Use the optional verbose keyword to display more detailed information about the active translations.
Example:
Device# show ipv6 nat translations verbose
SUMMARY STEPS
1. enable
2. configure terminal
3. Configure one of the following commands:
• ipv6 nat v4v6 source ipv6-address ipv4-address
• ipv6 nat v4v6 source list {access-list-number | name} pool name
DETAILED STEPS
Step 3 Configure one of the following commands:
• ipv6 nat v4v6 source ipv6-address ipv4-address: Enables a static IPv4 to IPv6 address mapping using NAT-PT.
• ipv6 nat v4v6 source list {access-list-number | name} pool name: Enables a dynamic IPv4 to IPv6 address mapping using NAT-PT.
Example:
Device(config)# ipv6 nat v4v6 source 10.21.8.11 2001:DB8:yyyy::2
Device(config)# ipv6 nat v4v6 source list 1 pool v6pool
Step 4 ipv6 nat v4v6 pool name start-ipv6 end-ipv6 prefix-length prefix-length: Specifies a pool of IPv6 addresses to be used by NAT-PT for dynamic address mapping.
Example:
Device(config)# ipv6 nat v4v6 pool v6pool 2001:DB8:yyyy::1 2001:DB8:yyyy::2 prefix-length 128
Step 5 access-list {access-list-name | number} {deny | permit} [source source-wildcard] [log]: Specifies an entry in a standard IPv4 access list.
Example:
Device(config)# access-list 1 permit 192.168.30.0 0.0.0.255
SUMMARY STEPS
1. enable
2. configure terminal
3. Configure one of the following commands:
• ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name overload
• ipv6 nat v6v4 source {list access-list-name | route-map map-name} interface interface name
overload
4. ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length
5. ipv6 nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout |
finrst-timeout | icmp-timeout} {seconds | never}
6. ipv6 access-list access-list-name
7. permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator
[port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
8. end
DETAILED STEPS
Step 3 Configure one of the following commands:
• ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name overload: Enables a dynamic IPv6 to IPv4 address overload mapping using a pool address.
• ipv6 nat v6v4 source {list access-list-name | route-map map-name} interface interface name overload: Enables a dynamic IPv6 to IPv4 address overload mapping using an interface address.
Example:
Device(config)# ipv6 nat v6v4 source 2001:DB8:yyyy:1::1 10.21.8.10
Device(config)# ipv6 nat v6v4 source list pt-list1 pool v4pool overload
Step 4 ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length: Specifies a pool of IPv4 addresses to be used by NAT-PT for dynamic address mapping.
Example:
Device(config)# ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24
Step 6 ipv6 access-list access-list-name: (Optional) Defines an IPv6 access list and enters IPv6 access list configuration mode.
• IPv6 ACL names cannot contain a space or quotation mark, or begin with a numeral.
Example:
Device(config)# ipv6 access-list pt-list1
Step 7 permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}: (Optional) Specifies permit conditions for an IPv6 ACL.
Example:
Device(config-ipv6-acl)# permit ipv6 2001:DB8:bbbb:1::/64 any
Step 8 end: Exits IPv6 access list configuration mode and returns to privileged EXEC mode.
Example:
Device(config-ipv6-acl)# end
SUMMARY STEPS
1. enable
2. clear ipv6 nat translation *
3. debug ipv6 nat [detailed | port]
DETAILED STEPS
Step 2 clear ipv6 nat translation *: Clears dynamic Network Address Translation (NAT)-Port Translation (PT) entries from the dynamic translation state table.
Example:
Device# clear ipv6 nat translation *
Step 3 debug ipv6 nat [detailed | port]: Displays debugging messages for NAT-PT translation events.
Example:
Device# debug ipv6 nat detail
interface Ethernet3/1
ipv6 address 2001:DB8:3002::9/64
ipv6 enable
ipv6 nat
!
interface Ethernet3/3
ip address 192.168.30.9 255.255.255.0
ipv6 nat
!
ipv6 nat v4v6 source 192.168.30.1 2001:DB8:0::2
ipv6 nat v6v4 source 2001:DB8:bbbb:1::1 10.21.8.10
ipv6 nat prefix 2001:DB8:0::/96
Example: Dynamic NAT-PT Configuration for IPv6 Hosts Accessing IPv4 Hosts
The following example configures the NAT-PT prefix globally, enables NAT-PT on two interfaces, and
configures one static NAT-PT mapping (used, for example, to access a DNS server). A dynamic NAT-PT
mapping is also configured to map IPv6 addresses to IPv4 addresses using a pool of IPv4 addresses named
v4pool. The packets to be translated by NAT-PT are filtered using an IPv6 access list named pt-list1. The
User Datagram Protocol (UDP) translation entries are configured to time out after 10 minutes. Ethernet
interface 3/1 is configured as IPv6 only, and Ethernet interface 3/3 is configured as IPv4 only.
interface Ethernet3/1
ipv6 address 2001:DB8:bbbb:1::9/64
ipv6 enable
ipv6 nat
!
interface Ethernet3/3
ip address 192.168.30.9 255.255.255.0
ipv6 nat
!
ipv6 nat v4v6 source 192.168.30.1 2001:DB8:0::2
ipv6 nat v6v4 source list pt-list1 pool v4pool
ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24
ipv6 nat translation udp-timeout 600
ipv6 nat prefix 2001:DB8:1::/96
!
ipv6 access-list pt-list1
permit ipv6 2001:DB8:bbbb:1::/64 any
Example: Dynamic NAT-PT Configuration for IPv4 Hosts Accessing IPv6 Hosts
The following example configures the NAT-PT prefix globally, enables NAT-PT on two interfaces, and
configures one static NAT-PT mapping (used, for example, to access a DNS server). A dynamic NAT-PT
mapping is also configured to map IPv4 addresses to IPv6 addresses using a pool of IPv6 addresses named
v6pool. The packets to be translated by NAT-PT are filtered using an access list named pt-list2. Ethernet
interface 3/1 is configured as IPv6 only, and Ethernet interface 3/3 is configured as IPv4 only.
interface Ethernet3/1
ipv6 address 2001:DB8:bbbb:1::9/64
ipv6 enable
ipv6 nat
!
interface Ethernet3/3
ip address 192.168.30.9 255.255.255.0
ipv6 nat
!
ipv6 nat v4v6 source list 72 pool v6pool
ipv6 nat v4v6 pool v6pool 2001:DB8:0::1 2001:DB8:0::2 prefix-length 128
ipv6 nat v6v4 source 2001:DB8:bbbb:1::1 10.21.8.0
ipv6 nat prefix 2001:DB8:0::/96
!
access-list 72 permit 192.168.30.0 0.0.0.255
Additional References
Related Documents
Standard/RFC | Title
Technical Assistance
Description | Link
NAT-PT: Support for DNS ALG | 12.2(13)T | IPv6 provides DNS ALG support.
NAT-PT: Support for FTP ALG | 12.3(2)T | IPv6 provides FTP ALG support.
NAT-PT: Support for Overload | 12.3(2)T | This feature allows a single IPv4 address to be used among multiple sessions by multiplexing on the port number to associate several IPv6 users with a single IPv4 address.
• NAT application-layer gateway (ALG) fixup for Session Initiation Protocol (SIP) messages over TCP
is not done when Layer 4 Forwarding (L4F) functionality is disabled. In this case, SIP messages are
considered as TCP messages and only Layer 3 and Layer 4 fixups are done.
• As per RFC 5128, the NAT TCP SIP ALG feature uses Endpoint-Independent mapping to perform address
translations. This mapping allows incoming SIP traffic from any external endpoint on the public
network to reach a mapped public port. If you do not need Endpoint-Independent mapping, use an ACL or
Zone-Based Policy Firewall to limit the scope of incoming traffic.
SIP Messages
Entities that are present in a Session Initiation Protocol (SIP) deployment communicate with each other by
using well-defined SIP messages that take the form of requests and responses. These SIP messages can contain
embedded IP address or port information that might belong to a private domain, and such messages must be
fixed up when they pass through a Network Address Translation (NAT) device. Fixup denotes the writing of
the translated IP address back into the packet. This fixup is normally performed by an application-layer gateway
(also called an application-level gateway) (ALG) module that resides on the NAT device.
By default, support for SIP is enabled on the standard TCP port 5060 to exchange SIP messages. You can
also configure nonstandard ports for SIP to operate. NAT ALG accepts and attempts fixup operations on all
TCP segments that originate from or are destined to the configured SIP port. SIP message processing involves
performing the fixup operation on a complete SIP message. A TCP segment may carry multiple SIP messages.
It is also possible that a SIP message is segmented and carried in two different TCP segments.
SIP messages are text based. Any adjustment that is made to the message as part of the ALG fixup can cause
the message to increase or decrease in size. A change in the message size means that the ALG must make
adjustments to the TCP sequence or acknowledgment numbers and keep track of them. There are cases
where the ALG must spoof acknowledgments and handle TCP retransmission itself.
TCP proxy is an essential component that terminates a TCP connection passing through NAT ALG and
regenerates the TCP connection. This connection allows NAT ALG to modify the TCP payload without any
TCP session handling issues.
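An added Python model (not Cisco's ALG) of the TCP-side behaviour described above: it reassembles SIP messages from a TCP byte stream using Content-Length framing, rewrites the inside-local address in the headers and the SDP body, and tracks the byte delta the ALG must then apply to TCP sequence and acknowledgment numbers. It handles both cases the text names, several messages in one segment and one message split across two segments. Addresses, messages and segment boundaries are constructed; port rewriting and the TCP proxy itself are out of scope.

```python
"""SIP-over-TCP ALG fixup model: reassembly of SIP messages from a TCP byte
stream, rewrite of the embedded inside-local address, and tracking of the
byte delta the ALG must apply to TCP sequence/ack numbers.
Added example for illustration; it is not Cisco's ALG implementation.
Addresses, SIP messages and segment boundaries are constructed."""
import re
from typing import List, Optional, Tuple

# Constructed addresses: a private SIP phone and its translated address.
INSIDE_LOCAL = "192.168.2.195"
INSIDE_GLOBAL = "203.0.113.9"
CRLF = b"\r\n"


def build_sip(start_line: str, headers: List[str], body: bytes = b"") -> bytes:
    """Assemble a SIP message with a correct Content-Length (constructed data)."""
    lines = [start_line] + headers + [f"Content-Length: {len(body)}"]
    return CRLF.join(l.encode() for l in lines) + CRLF + CRLF + body


def split_one(buf: bytes) -> Tuple[Optional[bytes], bytes]:
    """Return (complete_message, remainder), or (None, buf) if more bytes are
    needed: the headers may be incomplete or the SDP body may still be in a
    later TCP segment."""
    end = buf.find(CRLF + CRLF)
    if end < 0:
        return None, buf
    head = buf[:end + 4]
    m = re.search(rb"(?im)^Content-Length:\s*(\d+)", head)
    total = len(head) + (int(m.group(1)) if m else 0)
    if len(buf) < total:
        return None, buf
    return buf[:total], buf[total:]


class SipTcpFixup:
    """One direction of a TCP SIP connection passing through the ALG."""

    def __init__(self, local: str, glob: str):
        # Match the address only when it is not part of a longer dotted number.
        self.pat = re.compile(rb"(?<![\d.])" + re.escape(local.encode()) + rb"(?![\d.])")
        self.glob = glob.encode()
        self.buf = b""
        self.seq_delta = 0  # cumulative bytes added (+) or removed (-) so far

    def fixup(self, msg: bytes) -> bytes:
        """Rewrite the inside-local address in headers (Via, Contact, ...) and
        in the SDP body (o=, c= lines), then correct Content-Length."""
        end = msg.find(CRLF + CRLF) + 4
        head, body = msg[:end], msg[end:]
        head = self.pat.sub(self.glob, head)
        body = self.pat.sub(self.glob, body)
        head = re.sub(rb"(?im)^(Content-Length:\s*)\d+",
                      lambda m: m.group(1) + str(len(body)).encode(), head)
        return head + body

    def feed(self, segment: bytes) -> List[bytes]:
        """Consume one TCP segment payload and return every complete, fixed-up
        SIP message it completes (zero, one or several)."""
        self.buf += segment
        out = []
        while True:
            msg, rest = split_one(self.buf)
            if msg is None:
                break
            fixed = self.fixup(msg)
            self.seq_delta += len(fixed) - len(msg)
            out.append(fixed)
            self.buf = rest
        return out


# Constructed sample traffic: an INVITE carrying SDP, followed by an ACK.
SDP = (b"v=0\r\n"
       b"o=alice 1 1 IN IP4 192.168.2.195\r\n"
       b"c=IN IP4 192.168.2.195\r\n"
       b"m=audio 49170 RTP/AVP 0\r\n")
INVITE = build_sip("INVITE sip:bob@example.com SIP/2.0",
                   ["Via: SIP/2.0/TCP 192.168.2.195:5060;branch=z9hG4bK776",
                    "Contact: <sip:alice@192.168.2.195:5060;transport=tcp>",
                    "Content-Type: application/sdp"], SDP)
ACK = build_sip("ACK sip:bob@example.com SIP/2.0",
                ["Via: SIP/2.0/TCP 192.168.2.195:5060;branch=z9hG4bK777"])


def demo() -> Tuple[List[bytes], int]:
    """Segment 1 carries only the first 60 bytes of the INVITE; segment 2
    carries the rest of the INVITE plus the whole ACK."""
    alg = SipTcpFixup(INSIDE_LOCAL, INSIDE_GLOBAL)
    first = alg.feed(INVITE[:60])          # incomplete: nothing emitted yet
    second = alg.feed(INVITE[60:] + ACK)   # two messages completed at once
    return first + second, alg.seq_delta


if __name__ == "__main__":
    msgs, delta = demo()
    for m in msgs:
        print(m.decode(), end="")
    print("cumulative seq/ack delta:", delta)
```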
The table below identifies the six available SIP request messages.
SIP Request  Description
ACK          Sent by the calling party to confirm receipt of a final response to INVITE.
CANCEL       Sent to end a call that has not yet been connected.
INVITE       Request sent from a User Agent Client (UAC) to initiate a session.
REGISTER     Sent by the client to register its address with a SIP proxy.
SIP Functionality
Users in a SIP network are identified by unique SIP addresses. A SIP address is similar to an e-mail address
and is in the format sip:userID@gateway.com. The userID can be either a username or an E.164 address. The
gateway can be either a domain (with or without a hostname) or a specific internet IP address.
Note: An E.164 address is a telephone number with a string of decimal digits, which uniquely indicates the public
network termination point. This address contains all information that is necessary to route a call to a termination
point.
Users register with a registrar server using their assigned SIP addresses. The registrar server provides SIP
addresses to the location server on request. The registrar server processes requests from user-agent clients
(UACs) for registration of their current locations.
When a user initiates a call, a SIP request is sent to a SIP server (either a proxy or a redirect server). The
request includes the address of the caller (in the From header field) and the address of the intended called
party (in the To header field).
A SIP end user might move between end systems. The location of the end user can be dynamically registered
with the SIP server. The location server can use one or more protocols (including Finger, RWhois, and
Lightweight Directory Access Protocol [LDAP]) to locate the end user. Because the end user can be logged
in at more than one station and the location server can sometimes have inaccurate information, the location
server might return more than one address for the end user. If the request is coming through a SIP proxy
server, the proxy server tries each of the returned addresses until it locates the end user. If the request is coming
through a SIP redirect server, the redirect server returns all the addresses to the caller in the Contact
header field of the invitation response.
and a session, or conference, is established between them. The Real-time Transfer Protocol (RTP) is then
used for communication across the connection now established between the caller and called UA.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service sip tcp port port-number
4. end
5. debug ip nat sip
DETAILED STEPS
Step 3  ip nat service sip tcp port port-number
        Specifies a port number other than the default port.
        Example:
        Device(config)# ip nat service sip tcp port 8000
Step 5  debug ip nat sip
        Displays SIP messages that NAT recognizes and the embedded IP addresses contained in those messages.
        Example:
        Device# debug ip nat sip
The following is sample output from the debug ip nat sip command:
Device# debug ip nat sip
May 23 14:11:17.243 IST: NAT-L4F:setting ALG_NEEDED flag in subblock for SIP message
May 23 14:11:17.243 IST: NAT-ALG: lookup=0 l7_bytes_recd=509 appl_type=7
May 23 14:11:17.243 IST: NAT-ALG: Complete SIP Message header of size: 376
Related Documents: Cisco IOS commands, see the Cisco IOS Master Command List, All Releases.
Table 20: Feature Information for NAT TCP SIP ALG Support
Feature Name: NAT TCP SIP ALG Support
Releases: 15.3(1)T
Feature Information: The NAT TCP SIP ALG Support feature allows embedded messages of the Session Initiation
Protocol (SIP) passing through a device that is configured with Network Address Translation (NAT) to be
translated and encoded back to the packet. An application-layer gateway (ALG) is used with NAT to translate
the SIP or Session Description Protocol (SDP) messages.
for a route-map-based dynamic entry) unless you configure the reversible keyword with the ip nat inside
source command.
Note:
• Access lists with reversible route maps must be configured to match the inside-to-outside traffic.
• Only IP hosts that are part of the route-map configuration will allow outside sessions.
• Outside-to-inside support is not available with PAT.
• Outside sessions must use an access list.
• The match interface and match ip next-hop commands are not supported for reversible route maps.
• Reversible route maps are not supported for static NAT.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip netmask netmask
4. ip nat inside source route-map name pool name reversible
5. exit
DETAILED STEPS
Step 1  enable
        Example:
        Router> enable
Step 3  ip nat pool name start-ip end-ip netmask netmask
        Defines a pool of network addresses for NAT.
Step 4  ip nat inside source route-map name pool name reversible
        Enables outside-to-inside initiated sessions to use route maps for destination-based NAT.
Step 5  exit
        Exits global configuration mode and enters privileged EXEC mode.
        Example:
        Router(config)# exit
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip netmask netmask
4. ip nat pool name start-ip end-ip netmask netmask
5. ip nat inside source route-map name pool name [reversible]
6. ip nat inside source route-map name pool name [reversible]
7. end
DETAILED STEPS
Step 3  ip nat pool name start-ip end-ip netmask netmask
        Defines a pool of network addresses for NAT.
        Example:
        Device(config)# ip nat pool POOL-A 192.168.201.4 192.168.201.6 netmask 255.255.255.128
Step 4  ip nat pool name start-ip end-ip netmask netmask
        Defines a second pool of network addresses for NAT.
        Example:
        Device(config)# ip nat pool POOL-B 192.168.201.7 192.168.201.9 netmask 255.255.255.128
Step 6  ip nat inside source route-map name pool name [reversible]
        Enables outside-to-inside initiated sessions to use route maps for destination-based NAT.
        Example:
        Device(config)# ip nat inside source route-map MAP-B pool POOL-B reversible
Related Documents: Cisco IOS commands, see the Cisco IOS Master Command List, All Releases.
Table 21: Feature Information for NAT Route Maps Outside-to-Inside Support
Feature Name: NAT Route Maps Outside-to-Inside Support
Releases: 12.3(14)T
Feature Information: The NAT Route Maps Outside-to-Inside Support feature enables you to configure a NAT
route map configuration that allows IP sessions to be initiated from the outside to the inside.
The following command was introduced or modified: ip nat inside.