
NAT/PAT

Config & Troubleshooting


N.T.C
7/11/2015

NAT-Config/Troubleshooting © 2007 Cisco Systems, Inc. All rights reserved. 1


Agenda

• NAT Overview (this section)
• NAT Operations
• NAT Config & Troubleshooting
• NAT Redundancy
• NAT in MPLS/VRF environment


Why Use NAT?

[Diagram: inside hosts 10.1.1.1 and 10.1.1.2 sit behind the NAT border router; a packet leaving 10.1.1.1 with SA 10.1.1.1 is forwarded to the Internet (Outside) with SA 200.1.1.1.]

• Typical examples of NAT:
  – You need to connect to the Internet and your hosts do not have globally unique IP addresses
  – You change over to a new ISP that requires you to renumber your network
  – Two intranets with duplicate addresses merge


NAT Implementation Considerations

Advantages:
• Conserves legally registered addresses
• Hides the internal network
• Increases flexibility in IP addressing design
• Eliminates address renumbering as the ISP changes

Disadvantages:
• Translation introduces switching path delays
• Certain applications will not function with NAT enabled


Private IP address ranges

• Class A - 10.0.0.0/8
• Class B - 172.16.0.0/19
• Class C - 192.168.0.0/16

• These IP addresses are not advertised on the Internet.
• Defined in RFC 1918

N.B. Even though NAT is typically used to translate a private IP to a public IP, there are scenarios where NAT is used to translate a private IP to another private IP, a public IP to a private IP, etc.


Agenda

• NAT Overview
• NAT Operations (this section)
• NAT Config & Troubleshooting
• NAT Redundancy
• NAT in MPLS/VRF environment


NAT Address Terminology

[Diagram: host A (10.1.1.1, Inside) sends a packet with SA 10.1.1.1 to host C (150.1.1.1, Internet) through NAT router B; B rewrites the source to 200.1.1.1 on the way out, and rewrites the return packet's DA 200.1.1.1 back to 10.1.1.1.]

NAT table on router B:

  Inside Global   Inside Local   Outside Local   Outside Global
  IP Address      IP Address     IP Address      IP Address
  200.1.1.1       10.1.1.1       150.1.1.1       150.1.1.1
  (B)             (A)            (C)             (C)
NAT & Routing

[Diagram: Inside (private IP, reached via the IGP) - NAT router - Outside (Internet, reached via the default route).]

• Inside Local (IL) → typically learnt via the IGP
• Inside Global (IG) → 'owned' by the NAT router, no local route, should be known Outside
• Outside Global (OG) → typically reached using a default route
• Outside Local (OL) → 'owned' by the NAT router, needs a local route pointing to Outside, should be advertised Inside
NAT Operations

[Diagram: inside hosts 10.1.1.1 and 10.1.1.2 behind the NAT router, which connects to the Internet.]

• NAT functions:
  – Dynamic NAT
  – Dynamic NAT with overloading
  – Static NAT
  – Translation of outside global addresses

NAT table:

  Inside Local   Inside Global
  IP Address     IP Address
  10.1.1.1       200.1.1.1
  10.1.1.2       200.1.1.2


Translating Inside Local Addresses
Dynamic NAT

• A pool of public IPs is defined [200.1.1.x]
• Needs as many public IPs as internal hosts!
• Traffic should be initiated from Inside
• Not often used in practice

[Diagram, steps 1-5: (1) inside host 10.1.1.1 sends SA 10.1.1.1 toward host B (150.1.1.1); (2) the NAT router allocates 200.1.1.1 from the pool and adds the table entry; (3) the packet leaves with SA 200.1.1.1; (4) host B replies to DA 200.1.1.1; (5) the NAT router rewrites the reply to DA 10.1.1.1. Hosts 10.1.1.2 and 10.1.1.3 get their own pool addresses.]

NAT table:

  Inside Local   Inside Global
  IP Address     IP Address
  10.1.1.3       200.1.1.3
  10.1.1.2       200.1.1.2
  10.1.1.1       200.1.1.1
Dynamic NAT with Overloading

• The same address is used for different internal users!

[Diagram, steps 1-5: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 all leave the NAT router with SA 200.1.1.1 toward host B (150.1.1.1) and host C (150.1.2.1); replies to DA 200.1.1.1 are demultiplexed back to the right inside host by protocol and port.]

NAT table:

  Protocol   Inside Local IP   Inside Global IP   Outside Global IP
             Address:Port      Address:Port       Address:Port
  TCP        10.1.1.1:1024     200.1.1.1:1024     150.1.1.1:23
  TCP        10.1.1.2:1723     200.1.1.1:1723     150.1.1.1:23
  TCP        10.1.1.3:1024     200.1.1.1:11024    150.1.1.1:23
  TCP        10.1.1.2:1024     200.1.1.1:1024     150.1.2.1:23

The third row shows a port collision: 200.1.1.1:1024 toward 150.1.1.1:23 is already in use by 10.1.1.1, so 10.1.1.3 is given a different global port; the fourth row keeps port 1024 because the destination (150.1.2.1) differs, so the tuple is still unique.


Translating Inside Local Addresses
Static NAT

• Typically used to provide access from Outside to internal servers
• Can map TCP/UDP ports to different internal servers

[Diagram: Web Server 10.1.1.5 and Mail Server 10.1.1.1 inside, behind the NAT router whose outside address is 75.1.1.1; host B (150.1.1.1) reaches them from the Internet.]

  10.1.1.5 → 75.1.1.1:80
  10.1.1.1 → 75.1.1.1:25


Translating Outside Global Addresses

• Host B should appear as an inside host

[Diagram, steps 1-5: (1) inside host 10.1.1.1 sends SA 10.1.1.1 DA 10.1.1.100; (2) the NAT router looks up both entries and (3) forwards with SA 200.1.1.1 DA 150.1.1.1 to host B; (4) host B replies SA 150.1.1.1 DA 200.1.1.1; (5) the router rewrites the reply to SA 10.1.1.100 DA 10.1.1.1.]

NAT table:

  Inside Global   Inside Local   Outside Local   Outside Global
  IP Address      IP Address     IP Address      IP Address
  200.1.1.1       10.1.1.1       10.1.1.100      150.1.1.1

N.B. There should be a route for 10.1.1.100 pointing to Outside.


NAT – Order of Operations

Inside to Outside:
• If IPSec then check input access list
• decryption for CET (Cisco Encryption Technology) or IPSec
• check input access list
• check input rate limits
• input accounting
• policy routing
• routing
• redirect to web cache
• NAT inside to outside (local to global translation)
• crypto (check map and mark for encryption)
• check output access list
• inspect (Context Based Access Control (CBAC))
• TCP intercept
• encryption

Outside to Inside:
• If IPSec then check input access list
• decryption for CET or IPSec
• check input access list
• check input rate limits
• input accounting
• NAT outside to inside (global to local translation)
• policy routing
• routing
• redirect to web cache
• crypto (check map and mark for encryption)
• check output access list
• inspect CBAC
• TCP intercept
• encryption


Agenda

• NAT Overview
• NAT Operations
• NAT Config & Troubleshooting (this section)
• NAT Redundancy
• NAT in MPLS/VRF environment


Translating Inside Local Addresses

• One public IP for every internal host!
  – Static NAT
  – Dynamic NAT

[Diagram, steps 1-5: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 are translated one-to-one to 200.1.1.1, 200.1.1.2 and 200.1.1.3 toward host B (150.1.1.1); replies to DA 200.1.1.x are rewritten back to the matching inside host.]

NAT table:

  Inside Local   Inside Global
  IP Address     IP Address
  10.1.1.3       200.1.1.3
  10.1.1.2       200.1.1.2
  10.1.1.1       200.1.1.1


Static NAT Configuration Example

ip nat inside source static 10.1.1.1 200.1.1.1
! OR
ip nat inside source static network 10.1.1.0 200.1.1.0 /24
!
! This interface is connected to the inside network.
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
! This interface is connected to the outside world.
interface Serial0
 ip address 120.16.2.1 255.255.255.0
 ip nat outside

NAT# sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 200.1.1.1          10.1.1.1           ---                ---
NAT#


Static NAT – Example 1

[Diagram: Web Server 10.1.1.5 and Mail Server 10.1.1.1 inside; NAT router with outside address 75.1.1.1; host B (150.1.1.1) on the Internet.]

  10.1.1.5 → 75.1.1.1:80
  10.1.1.1 → 75.1.1.1:25

ip nat inside source static tcp 10.1.1.5 80 75.1.1.1 80
ip nat inside source static tcp 10.1.1.1 25 75.1.1.1 25
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 75.1.1.1 255.255.255.0
 ip nat outside
Static NAT – Example 2 – Port Rewrite

[Diagram: Web Server 10.1.1.2 and TFTP Server 10.1.1.8 inside; NAT router with outside address 75.1.1.1; host B (150.1.1.1) on the Internet.]

  10.1.1.2:8080 → 75.1.1.1:80 [tcp]
  10.1.1.8:69   → 75.1.1.1:69 [udp]

ip nat inside source static tcp 10.1.1.2 8080 75.1.1.1 80
ip nat inside source static udp 10.1.1.8 69 75.1.1.1 69
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 75.1.1.1 255.255.255.0
 ip nat outside
Static NAT – ARP cache

ip nat inside source static 10.1.1.5 75.1.1.2
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Ethernet1/0
 ip address 75.1.1.1 255.255.255.0
 ip nat outside

→ An ARP entry is created for the inside global address.

N.B. For dynamic NAT, the ARP entry is created as soon as the first NAT entry is created for the inside global.

[Diagram: Eth0/0 (IN) - NAT router - Eth1/0 (OUT) on the Ethernet segment 75.1.1.0/24 toward the Internet.]

NAT#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.10               -   aabb.cc00.6600  ARPA   Ethernet0/0
Internet  10.1.1.1              122   aabb.cc00.6500  ARPA   Ethernet0/0
Internet  75.1.1.1                -   aabb.cc00.6601  ARPA   Ethernet1/0
Internet  75.1.1.2                -   aabb.cc00.6601  ARPA   Ethernet1/0

The alias 75.1.1.2 carries the same hardware address as Eth1/0 itself (75.1.1.1) and no age: the NAT router answers ARP for the inside global on the outside segment, so traffic for 75.1.1.2 is attracted to it.


Static NAT Options

NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 ?
  extendable  Extend this translation when used
  mapping-id  Associate a mapping id to this mapping
  no-alias    Do not create an alias for the global address
  no-payload  No translation of embedded address/port in the payload
  redundancy  NAT redundancy operation
  route-map   Specify route-map
  vrf         Specify vrf
  <cr>


Static NAT Options - extendable

NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 extendable
NAT(config)#ip nat inside source static 10.1.1.1 100.1.1.1 extendable

• Creates extended entries for every translated flow
• Necessary to support 2 entries for the same inside local IP
• The first packet sent by the user creates the extended entry, so traffic back from the server can use the same ISP

Rem: NAT has no influence on packet forwarding, i.e. packets coming in from ISP1 will be sent back with the source IP of ISP1, but CEF might send them out through the ISP2 link!!!

[Diagram: the NAT router is dual-homed, ISP1 (200.1.1.0/24) and ISP2 (100.1.1.0/24), both reaching the Internet; the inside server is reached by users behind either ISP.]

NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.1:23       10.1.1.1:23        150.1.1.1:64493    150.1.1.1:64993
tcp 100.1.1.1:23       10.1.1.1:23        18.1.1.1:16564     18.1.1.1:16564
--- 200.1.1.1          10.1.1.1           ---                ---
--- 100.1.1.1          10.1.1.1           ---                ---


Extended entries

• Extended entries are automatically created in all recent releases
• Use the following command to disable automatic creation of extended entries:

NAT(config)# no ip nat create flow-entries

• The extendable keyword can then be used to create extended entries for selected static NAT entries only


Static NAT Options – no-alias

NAT(config)#ip nat inside source static 10.1.1.1 120.16.1.5 no-alias

→ No ARP entry is created for the inside global.

[Diagram: Eth0/0 (IN) - NAT router - Eth1/0 (OUT) on the Ethernet segment 120.16.1.0/24 toward the Internet.]

NAT#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.10               -   aabb.cc00.6600  ARPA   Ethernet0/0
Internet  10.1.1.1              122   aabb.cc00.6500  ARPA   Ethernet0/0
Internet  120.16.2.2            122   aabb.cc00.6700  ARPA   Ethernet1/0
Internet  120.16.2.1              -   aabb.cc00.6601  ARPA   Ethernet1/0
Internet  120.16.2.5              -   aabb.cc00.6601  ARPA   Ethernet1/0
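The two ARP slides above (static NAT alias, and no-alias) are easiest to verify with a small check over the `show ip arp` output: any address the router holds with no age that is not one of its own configured interface addresses is an alias it answers ARP for. The parser below is an added example, not code from the deck or from IOS; the first sample table is the one on the "Static NAT – ARP cache" slide, the second is a constructed copy of it without the alias row, and the set of interface addresses is taken from that slide's configuration.

```python
"""List the addresses a NAT router answers ARP for that are not its own
interface addresses (inside-global aliases). Added example, not IOS code."""
import re

# Columns of 'show ip arp': Protocol Address Age(min) HardwareAddr Type Interface
ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)",
    re.I,
)

# Sample 1: the table from the 'Static NAT - ARP cache' slide.
WITH_ALIAS = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.10               -   aabb.cc00.6600  ARPA   Ethernet0/0
Internet  10.1.1.1              122   aabb.cc00.6500  ARPA   Ethernet0/0
Internet  75.1.1.1                -   aabb.cc00.6601  ARPA   Ethernet1/0
Internet  75.1.1.2                -   aabb.cc00.6601  ARPA   Ethernet1/0
"""
# Sample 2 (constructed): the same router after 'no-alias', alias row gone.
WITHOUT_ALIAS = "\n".join(
    line for line in WITH_ALIAS.splitlines() if "75.1.1.2" not in line
) + "\n"

# Interface addresses from the slide's config (Eth0/0 and Eth1/0).
INTERFACE_ADDRS = {"10.1.1.10", "75.1.1.1"}


def parse_arp(text):
    """Turn 'show ip arp' output into records; header and prompt lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            addr, age, mac, ifname = m.groups()
            # Age '-' marks an address the router itself owns (or proxies for).
            entries.append({"addr": addr, "local": age == "-",
                            "mac": mac.lower(), "if": ifname})
    return entries


def nat_aliases(entries, interface_addrs):
    """Addresses the router holds as its own that are not interface addresses:
    these are the inside globals it will attract traffic for on that segment."""
    return sorted(e["addr"] for e in entries
                  if e["local"] and e["addr"] not in interface_addrs)


def alias_mac_matches_interface(entries, alias):
    """True when the alias shares a MAC with another local address on its
    interface, i.e. the router, not some other device, answers for it."""
    by_if = {}
    for e in entries:
        if e["local"]:
            by_if.setdefault(e["if"], {})[e["addr"]] = e["mac"]
    for addrs in by_if.values():
        if alias in addrs:
            return list(addrs.values()).count(addrs[alias]) > 1
    return False
```

Running `nat_aliases(parse_arp(WITH_ALIAS), INTERFACE_ADDRS)` yields the single alias 75.1.1.2; the same call on the no-alias sample yields nothing, which is the state the `no-alias` keyword is meant to produce.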


Static NAT Options

NAT(config)#ip nat inside source static 10.1.1.1 200.1.1.1 no-payload

• The source IP/port appears in the payload of many applications
• IOS NAT code supports payload modification (ALG - Application Layer Gateway) for some applications (FTP, H323, DNS, ...) BUT not all
• The port number used by an application (if different from the default) can be specified with the "ip nat service" global configuration command
• The no-payload option disables ALG (payload modification) for this entry

N.B. There is no way to disable ALG for dynamic NAT.

ip nat inside source static 10.1.1.1 200.1.1.1 route-map COND [reversible]
!
access-list 150 permit tcp any host 150.1.1.1
!
route-map COND permit 10
 match ip address 150

• Adds conditions to a static NAT entry (only an ACL match is supported in the route-map)
• Only traffic matching the route-map is allowed to be translated
• Works from OUT to IN since CSCec54909 (12.4(2.11)) with the "reversible" keyword
Dynamic NAT Configuration

ip nat pool PUBLIC 200.1.1.1 200.1.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool PUBLIC
!
access-list 1 permit 10.1.1.0 0.0.0.255

NAT#sh ip nat translations
NAT#
NAT# ! No entry as long as no traffic is received from inside
NAT#
NAT# ! We generate traffic ...
NAT#
NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.1:27354    10.1.1.1:27354     150.1.1.1:23       150.1.1.1:23
--- 200.1.1.1          10.1.1.1           ---                ---
tcp 200.1.1.2:16554    10.1.1.5:16564     150.1.1.1:23       150.1.1.1:23
--- 200.1.1.2          10.1.1.5           ---                ---

N.B. Traffic should be initiated from inside, but once an inside local is associated with an inside global (the address-only "---" entry), other sessions can be initiated from outside toward that inside host for as long as the entry exists.
Dynamic NAT Pool Options

NAT(config)#ip nat pool PUBLIC prefix-length 24
NAT(config-ipnat-pool)#address 200.1.1.1 200.1.1.10
NAT(config-ipnat-pool)#address 100.1.1.1 100.1.1.20

• Can define a discontinuous pool

ip nat pool PUBLIC 200.1.1.1 200.1.1.10 prefix-length 24 type match-host

• Prefix-length defines the host part
• Keeps the host part in the translation
• If not possible, no translation occurs
• Addresses are prepopulated (consume memory), CSCdp05523

ip nat pool PUBLIC 200.1.1.1 200.1.1.10 prefix-length 24 add-route

• Adds a static route pointing to the NVI (NAT Virtual Interface)
• The static route subnet mask is the prefix-length defined in the pool
• Used in a VRF environment where NAT NVI is required
Dynamic NAT Options

NAT(config)#ip nat inside source list 1 pool PUBLIC ?
  mapping-id  Associate a mapping id to this mapping
  overload    Overload an address translation
  reversible  Allow out->in traffic
  vrf         Specify vrf


Dynamic NAT Options - overload

• The same address is used for different internal users!

[Diagram, steps 1-5: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 all leave the NAT router with SA 200.1.1.1 toward host B (150.1.1.1) and host C (150.1.2.1); replies to DA 200.1.1.1 are demultiplexed back to the right inside host by protocol and port.]

NAT table:

  Protocol   Inside Local IP   Inside Global IP   Outside Global IP
             Address:Port      Address:Port       Address:Port
  TCP        10.1.1.1:1024     200.1.1.1:1024     150.1.1.1:23
  TCP        10.1.1.2:1723     200.1.1.1:1723     150.1.1.1:23
  TCP        10.1.1.3:1024     200.1.1.1:11024    150.1.1.1:23
  TCP        10.1.1.2:1024     200.1.1.1:1024     150.1.2.1:23


Dynamic NAT Config with Overloading

ip nat pool ovrld-nat 200.1.1.1 200.1.1.1 netmask 255.255.255.0
ip nat inside source list 1 pool ovrld-nat overload
! OR
ip nat inside source list 1 interface Serial0/0 overload
!
access-list 1 permit 10.1.1.0 0.0.0.255

NAT#sh ip nat translations
NAT#
NAT# ! No entry as long as no traffic is received from inside
NAT#
NAT# ! We generate traffic ...
NAT#
NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.1:19250    10.1.1.1:19250     150.1.1.1:23       150.1.1.1:23
tcp 200.1.1.1:16564    10.1.1.5:16564     150.1.1.1:23       150.1.1.1:23
icmp 200.1.1.1:9       10.1.1.2:9         150.1.1.1:9        150.1.1.1:9
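The `show ip nat translations` listings on this slide and on the Dynamic NAT Configuration slide are what an operator has to read when an abuse report or an IDS alert names an inside-global address and port. The parser below is an added example, not code from the deck or from IOS: it reads the five-column output into records, tells extended (per-flow, with protocol and ports) entries from the address-only entries shown as `---`, and answers the attribution question. The sample output is constructed from rows on the two slides; for ICMP the number after the colon is the ICMP identifier, which IOS prints in the port position.

```python
"""Parse 'show ip nat translations' and attribute an outside-visible
inside-global ip:port back to the inside host. Added example, not IOS code."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample, assembled from rows shown on the dynamic NAT and overload slides.
SAMPLE = """\
NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 200.1.1.1:19250    10.1.1.1:19250     150.1.1.1:23       150.1.1.1:23
tcp 200.1.1.1:16564    10.1.1.5:16564     150.1.1.1:23       150.1.1.1:23
icmp 200.1.1.1:9       10.1.1.2:9         150.1.1.1:9        150.1.1.1:9
--- 200.1.1.2          10.1.1.5           ---                ---
"""


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: Optional[int] = None      # None for an address-only (simple) entry


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]            # None when the Pro column is '---'
    inside_global: Optional[Endpoint]
    inside_local: Optional[Endpoint]
    outside_local: Optional[Endpoint]
    outside_global: Optional[Endpoint]

    @property
    def extended(self) -> bool:
        """Extended entries carry protocol and ports; simple entries do not."""
        return self.proto is not None


def _endpoint(token: str) -> Optional[Endpoint]:
    if token == "---":
        return None
    ip, sep, port = token.partition(":")
    return Endpoint(ip, int(port) if sep else None)


def parse_translations(text: str) -> list:
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue                # header, prompt, or blank line
        proto = None if fields[0] == "---" else fields[0].lower()
        rows.append(Translation(proto, *map(_endpoint, fields[1:])))
    return rows


def attribute(rows, global_ip: str, port: int, proto: str) -> Optional[Endpoint]:
    """Which inside host was behind <global_ip>:<port> for this protocol?"""
    wanted = Endpoint(global_ip, port)
    for t in rows:
        if t.extended and t.proto == proto and t.inside_global == wanted:
            return t.inside_local
    return None


def simple_entries(rows):
    """Address-only entries. While one exists, outside hosts can open sessions
    to that inside local through it (the N.B. on the dynamic NAT slide)."""
    return [t for t in rows if not t.extended]


def sessions_per_global(rows) -> dict:
    """Extended entries per inside-global address: a quick load/abuse indicator."""
    counts = {}
    for t in rows:
        if t.extended:
            counts[t.inside_global.ip] = counts.get(t.inside_global.ip, 0) + 1
    return counts
```

With the sample, `attribute(rows, "200.1.1.1", 16564, "tcp")` returns the endpoint 10.1.1.5:16564, and `simple_entries` reports that 10.1.1.5 is reachable from outside via 200.1.1.2 even though no flow is currently listed for that address.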


Dynamic NAT Options

NAT(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

• Using list checks only the source IP -> standard access-list. An extended ACL should be used via a route-map
• Using route-map enforces conditional NAT, i.e. only packets matching the route-map are translated. It can use an extended ACL, or match on interface/next-hop


Dynamic NAT Options – route-map

• Example 1
  – All HTTP traffic is seen outside as coming from 200.1.1.1
  – All TELNET traffic is seen outside as coming from 200.1.1.2
  – The rest of the traffic is seen as coming from 200.1.1.3

ip nat pool PUB_1 200.1.1.1 200.1.1.1 netmask 255.255.255.0
ip nat pool PUB_2 200.1.1.2 200.1.1.2 netmask 255.255.255.0
ip nat pool PUB_3 200.1.1.3 200.1.1.3 netmask 255.255.255.0
!
ip nat inside source route-map WWW pool PUB_1 overload
ip nat inside source route-map TELNET pool PUB_2 overload
ip nat inside source route-map OTHERS pool PUB_3 overload
!
route-map WWW permit 10
 match ip address 150
route-map TELNET permit 10
 match ip address 151
route-map OTHERS deny 10
 match ip address 150 151
route-map OTHERS permit 20
!
access-list 150 permit tcp any any eq www
access-list 151 permit tcp any any eq telnet

NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 200.1.1.3:7       10.1.1.1:7         150.1.1.1:7        150.1.1.1:7
tcp 200.1.1.2:11158    10.1.1.1:11158     150.1.1.1:23       150.1.1.1:23
tcp 200.1.1.1:37312    10.1.1.1:37312     150.1.1.1:80       150.1.1.1:80
Dynamic NAT Options – route-map

• Example 2
  – A single link to reach both the Internet and Intranet remote sites
  – Translation only if the destination IP is a public IP

ip nat pool PUB 200.1.1.1 200.1.1.1 netmask 255.255.255.0
!
ip nat inside source route-map COND pool PUB overload
!
route-map COND deny 10
 match ip address 150
route-map COND permit 20
!
access-list 150 permit ip any 10.0.0.0 0.255.255.255
access-list 150 permit ip any 172.16.0.0 0.15.255.255
access-list 150 permit ip any 192.168.0.0 0.0.255.255

[Diagram: the NAT router's In side carries Internet + Intranet traffic; its Out side is a single link into an MPLS/VPN cloud that reaches both the Internet and the Intranet remote site.]
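The two route-map examples above depend on three pieces of IOS semantics that are easy to get wrong: wildcard masks (a 1 bit means "don't care"), first-match ACL evaluation with an implicit deny, and route-map sequences where a `deny` sequence that matches stops translation and a `permit` sequence with no `match` clause matches everything. The model below is an added example, not IOS code; it reproduces only those rules, using the ACL numbers, route-map names and pool addresses from Example 1 and Example 2. The 172.16 entry is written with wildcard 0.15.255.255, which is the RFC 1918 172.16.0.0/12 block. IOS does not document, on these slides, the order in which several `ip nat inside source route-map` statements are consulted; the slides' route-maps are mutually exclusive, so the order does not matter for them.

```python
"""Model of route-map conditional NAT selection. Added example, not IOS code."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")     # 'any' in an extended ACL


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: bits set to 1 are ignored, bits set to 0 must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


# ACL entry: (action, protocol, (src, src_wildcard), (dst, dst_wildcard), dst_port or None)
ACLS = {
    # Example 1
    "150": [("permit", "tcp", ANY, ANY, 80)],   # access-list 150 permit tcp any any eq www
    "151": [("permit", "tcp", ANY, ANY, 23)],   # access-list 151 permit tcp any any eq telnet
    # Example 2: RFC 1918 destinations (172.16.0.0/12 is wildcard 0.15.255.255)
    "150-ex2": [("permit", "ip", ANY, ("10.0.0.0", "0.255.255.255"), None),
                ("permit", "ip", ANY, ("172.16.0.0", "0.15.255.255"), None),
                ("permit", "ip", ANY, ("192.168.0.0", "0.0.255.255"), None)],
}


def acl_permits(acl, pkt):
    """First matching entry decides; no matching entry is the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action == "permit"
    return False


# Route-map: sequences in order, each (action, [acl names]). Several ACLs in one
# 'match ip address' are ORed; a sequence with no match clause matches everything.
ROUTE_MAPS = {
    "WWW":    [("permit", ["150"])],
    "TELNET": [("permit", ["151"])],
    "OTHERS": [("deny", ["150", "151"]), ("permit", [])],
    "COND":   [("deny", ["150-ex2"]), ("permit", [])],
}


def route_map_permits(name, pkt):
    for action, acls in ROUTE_MAPS[name]:
        if not acls or any(acl_permits(ACLS[a], pkt) for a in acls):
            return action == "permit"
    return False                              # no sequence matched: not translated


# 'ip nat inside source route-map <name> pool <pool>' statements (pool = its one address)
MAPPINGS_EX1 = [("WWW", "200.1.1.1"), ("TELNET", "200.1.1.2"), ("OTHERS", "200.1.1.3")]
MAPPINGS_EX2 = [("COND", "200.1.1.1")]


def select_pool(pkt, mappings):
    """Inside-global address the packet's source becomes, or None when no
    route-map permits it (the packet is forwarded untranslated)."""
    for name, pool in mappings:
        if route_map_permits(name, pkt):
            return pool
    return None
```

The last two assertions in the test are the ones worth remembering: with the correct /12 wildcard a packet to 172.20.5.5 stays untranslated (intranet), while one to 172.40.1.1 is translated (public); with the narrower wildcard 0.0.7.255 the first of those would have been translated as well and sent toward the Internet with a private destination.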


Translating Outside Global Addresses - Static

• Host B should appear as an inside host

[Diagram, steps 1-5: (1) inside host 10.1.1.1 sends SA 10.1.1.1 DA 10.1.1.100; (2) the NAT router looks up both entries and (3) forwards with SA 200.1.1.1 DA 150.1.1.1 to host B; (4) host B replies SA 150.1.1.1 DA 200.1.1.1; (5) the router rewrites the reply to SA 10.1.1.100 DA 10.1.1.1.]

NAT table:

  Inside Global   Inside Local   Outside Local   Outside Global
  IP Address      IP Address     IP Address      IP Address
  200.1.1.1       10.1.1.1       10.1.1.100      150.1.1.1


Configuration Example

ip nat inside source static 10.1.1.1 200.1.1.1
ip nat outside source static 150.1.1.1 10.1.1.100
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 120.16.2.1 255.255.255.0
 ip nat outside
!
ip route 10.1.1.100 255.255.255.255 120.16.2.2

From inside to outside, routing occurs before NAT (see the order of operations), so there must be a route for the destination of the original, still untranslated packet (10.1.1.100); without it the packet is dropped before the outside-source entry is ever consulted.

NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.100         150.1.1.1
icmp 200.1.1.1:2       10.1.1.1:2         10.1.1.100:2       150.1.1.1:2
--- 200.1.1.1          10.1.1.1           ---                ---


Translating Outside Global Addresses - Dynamic

• All hosts on the Internet should appear as internal hosts [10.1.1.128-159]
• Overloading is not supported

[Diagram, steps 1-5: (1) host 150.1.1.1 on the Internet sends SA 150.1.1.1 DA 200.1.1.1; (2) the NAT router allocates an outside local address from the pool; (3) the packet reaches the inside server as SA 10.1.1.128 DA 10.1.1.1; (4) the server replies to 10.1.1.128; (5) the router rewrites the reply to SA 200.1.1.1 DA 150.1.1.1. A second outside host, 180.1.1.1, gets 10.1.1.129.]

NAT table:

  Protocol   Inside Local IP   Inside Global IP   Outside Local     Outside Global
             Address:Port      Address:Port       IP Address:Port   IP Address:Port
  TCP        10.1.1.1:80       200.1.1.1:80       10.1.1.128:1024   150.1.1.1:1024
  TCP        10.1.1.1:80       200.1.1.1:80       10.1.1.129:1024   180.1.1.1:1024


Configuration Example

ip nat pool OUT 10.1.1.128 10.1.1.159 prefix-length 24
ip nat inside source static 10.1.1.1 200.1.1.1
ip nat outside source list 1 pool OUT
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 120.16.2.1 255.255.255.0
 ip nat outside
!
ip route 10.1.1.128 255.255.255.224 serial 0/0
!
access-list 1 permit any

N.B. There should be a route for the pool used for the outside source translation.

NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.128         150.1.1.1
--- ---                ---                10.1.1.129         180.1.1.1
icmp 200.1.1.1:2       10.1.1.1:2         10.1.1.128:2       150.1.1.1:2
icmp 200.1.1.1:3       10.1.1.1:3         10.1.1.129:3       180.1.1.1:3
--- 200.1.1.1          10.1.1.1           ---                ---


NAT timeout

• Dynamic NAT entries should be deleted when they are not used anymore
• Each NAT entry has an inactivity counter (shown as "left" in show ip nat translations verbose)
• There are different timeouts depending on the type of traffic
• All these timeouts are reset when a packet uses the entry
• The basic timeout (when nothing else matches) is by default set to 86400 sec (1 day)
• With a huge number of NAT entries, maintaining the timeouts is very CPU intensive and can cause high CPU utilization (IP NAT Ager process)

NAT(config)#ip nat translation ?
  dns-timeout             Specify timeout for NAT DNS flows
  finrst-timeout          Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout            Specify timeout for NAT ICMP flows
  max-entries             Specify maximum number of NAT entries
  port-timeout            Specify timeout for NAT TCP/UDP port specific flows
  pptp-timeout            Specify timeout for NAT PPTP flows
  routemap-entry-timeout  Specify timeout for routemap created half entry
  syn-timeout             Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout             Specify timeout for NAT TCP flows
  timeout                 Specify timeout for dynamic NAT translations
  udp-timeout             Specify timeout for NAT UDP flows


VFR (Virtual Fragment Reassembly)

NAT(config-if)# ip virtual-reassembly

• Layer 4 (TCP, UDP) information is available only in the first fragment of an IP packet
• NAT cannot do overloading without layer 4 information
• The idea is for the NAT router to reassemble the packet although it is not the destination of the packet
• This command is automatically added when NAT is enabled on an interface
• The following options can be specified:
  – max-reassemblies (default 64): max number of fragments belonging to different IP packets which can be stored at any given time
  – max-fragments (default 16): max number of fragments stored for a given IP packet
  – timeout (default 3 sec): max time to receive all fragments of an IP packet
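Because the NAT router buffers fragments of packets it is not the destination of, the three options above are resource caps, and the interesting question for a practitioner is what each cap rejects. The toy reassembly queue below is an added example, not IOS code: it keeps fragments per (source, destination, IP id), hands back the datagram once offsets are contiguous and the last fragment has arrived, and refuses work when the number of datagrams in flight, the number of fragments of one datagram, or the collection time exceeds the option. Byte offsets are used instead of the 8-byte units of the IP header, and which datagram IOS actually discards when a limit is hit is an assumption of this model; the defaults 64/16/3 are the slide's.

```python
"""Toy model of the limits behind 'ip virtual-reassembly'. Added example, not IOS."""


class VirtualReassembly:
    def __init__(self, max_reassemblies=64, max_fragments=16, timeout=3.0):
        self.max_reassemblies = max_reassemblies  # datagrams being reassembled at once
        self.max_fragments = max_fragments        # fragments kept for one datagram
        self.timeout = timeout                    # seconds allowed to collect them all
        # (src, dst, ip_id) -> {"first": arrival time, "frags": {offset: (payload, more)}}
        self.pending = {}

    def _expire(self, now):
        """Drop datagrams whose first fragment is older than the timeout."""
        stale = [k for k, v in self.pending.items() if now - v["first"] > self.timeout]
        for key in stale:
            del self.pending[key]

    def receive(self, now, src, dst, ip_id, offset, more, payload):
        """Feed one fragment. Returns ('complete', bytes) when the datagram is whole,
        ('pending', None) while waiting, or ('drop', reason) when a cap is hit."""
        self._expire(now)
        key = (src, dst, ip_id)
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_reassemblies:
                return ("drop", "max-reassemblies")   # table full: new datagram refused
            entry = self.pending[key] = {"first": now, "frags": {}}
        entry["frags"][offset] = (payload, more)
        if len(entry["frags"]) > self.max_fragments:
            del self.pending[key]                      # model choice: abandon the datagram
            return ("drop", "max-fragments")
        data = self._try_assemble(entry["frags"])
        if data is None:
            return ("pending", None)
        del self.pending[key]
        return ("complete", data)

    @staticmethod
    def _try_assemble(frags):
        """Whole only if offsets are contiguous from 0 and the last has more=False."""
        expected, out = 0, bytearray()
        for off in sorted(frags):
            payload, more = frags[off]
            if off != expected:
                return None                            # hole: a fragment is missing
            out += payload
            expected += len(payload)
            if not more:
                return bytes(out)
        return None                                    # last fragment not seen yet


def demo_layer4_after_reassembly():
    """Two-fragment UDP datagram arriving out of order: the ports live in the
    first fragment, so only the reassembled packet can be port-translated."""
    vfr = VirtualReassembly()
    r1 = vfr.receive(0.0, "10.1.1.1", "150.1.1.1", 7, 4, False, b"payload-tail")
    # constructed UDP header start: source port 1024, destination port 53
    r2 = vfr.receive(0.1, "10.1.1.1", "150.1.1.1", 7, 0, True, b"\x04\x00\x00\x35")
    return r1[0], r2


def demo_limits():
    """Exercise each cap with small values so the effect is visible."""
    vfr = VirtualReassembly(max_reassemblies=2, max_fragments=3, timeout=3.0)
    out = []
    vfr.receive(0.0, "10.1.1.1", "150.1.1.1", 1, 0, True, b"a")   # incomplete, fills slot 1
    vfr.receive(0.0, "10.1.1.2", "150.1.1.1", 2, 0, True, b"b")   # incomplete, fills slot 2
    out.append(vfr.receive(0.5, "10.1.1.3", "150.1.1.1", 3, 0, True, b"c")[1])
    out.append(vfr.receive(4.0, "10.1.1.3", "150.1.1.1", 3, 0, True, b"c")[0])  # stale ones aged out
    for i in range(4):                                             # one datagram in 4 pieces
        r = vfr.receive(4.1, "10.1.1.4", "150.1.1.1", 4, i, True, b"x")
    out.append(r[1])
    return out
```

`demo_limits()` returns `['max-reassemblies', 'pending', 'max-fragments']`: the third datagram is refused while two incomplete ones hold the table, is accepted once the timeout has freed them, and the over-fragmented datagram is discarded on its fourth piece.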
NAT Services

NAT(config)#ip nat service ?
  H225                          H323-H225 protocol
  allow-h323-even-rtp-ports     Allow even RTP ports for H323
  allow-h323-keepalive          Allow H323 KeepAlive
  allow-sip-even-rtp-ports      Allow even RTP ports for SIP
  allow-skinny-even-rtp-ports   Allow even RTP ports for Skinny
  fullrange                     allocate all available port of 1 to 65535
  list                          Specify access list describing global addresses
  ras                           H323-RAS protocol
  sip                           SIP protocol
  skinny                        skinny protocol


NAT Services

NAT(config)# ip nat service allow-h323-keepalive

• Introduced by CSCsa62551
• Background: when NAT modifies the payload, the length of the TCP segment might change, so the ALG uses a sequence fixup to adapt the TCP seq# accordingly. This seq-fixup keeps track of the next expected seq# and the delta, and adapts the seq# if it is equal to or higher than the expected next seq#.
• Problem: an H323 keepalive uses the previous seq# - 1, so the seq-fixup does not work for H323 keepalives
• This feature modifies the seq-fixup to take care of H323 keepalives
• Disabled by default
• Needs to be enabled when TCP keepalives are sent on the H323 port (1720)


NAT Services

NAT(config)# ip nat service allow-h323-even-rtp-ports
NAT(config)# ip nat service allow-sip-even-rtp-ports
NAT(config)# ip nat service allow-skinny-even-rtp-ports

• Introduced by CSCsa86914
• Background: RTP sessions classically use even UDP port numbers and the related RTCP sessions use the next port (odd port). Some applications accept only RTP sessions using an even port and refuse RTP sessions using an odd port.
• NAT selects the next available port + 1 for the H323/SIP/SKINNY fixup in the NAT translations. NAT does NOT check for an even/odd pair for the RTP/RTCP port numbers.
• This feature changes the H323/SIP/SKINNY fixup to use only even ports for RTP sessions
• Needs to be enabled when the application expects RTP to use even ports only.


NAT Services

NAT(config)# ip nat service fullrange udp/tcp port [1-511]

• Introduced by CSCed93887
• Background: when NAT modifies a port, it uses a new port in the same range as the original port. The ranges are [1-511], [512-1023] and [1024-65535].
• Problem: when many sessions with the same source port are initiated, NAT can run out of free ports in that range. The typical example is IKE using source UDP port 500.
• This feature allows NAT to use the full port range [1-65535] for packets coming in with the source port specified in the command
• Example: 'ip nat service fullrange udp port 500' allows NAT to use the full port range for IKE traffic. Otherwise, only 511 IKE connections are allowed
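The port-range rule on this slide and the port-collision behaviour shown in the table on the Dynamic NAT with Overloading slide are two faces of the same allocator. The model below is an added example, not IOS code, and reproduces only what the deck states: the tuple (protocol, inside-global port, destination) must be unique, the original port is kept when it is free, a replacement port comes from the same range ([1-511], [512-1023], [1024-65535]) unless `ip nat service fullrange` covers that source port, and a flow is dropped when the range is exhausted. Which free port IOS picks on a collision is not documented here (the overload slide shows 11024), so the model takes the lowest free one; `PatTable` and its method names are this example's own.

```python
"""Simplified PAT port allocator with IOS-style port ranges. Added example, not IOS."""

PORT_RANGES = ((1, 511), (512, 1023), (1024, 65535))


class PatTable:
    def __init__(self, inside_global, fullrange=()):
        self.inside_global = inside_global
        self.fullrange = set(fullrange)   # {(proto, source_port)} from 'ip nat service fullrange'
        self.entries = {}                 # (proto, il_ip, il_port, og_ip, og_port) -> ig_port
        self.taken = {}                   # (proto, og_ip, og_port) -> set of ig ports in use
        self.cursor = {}                  # ((proto, og_ip, og_port), range_lo) -> next port to scan

    def _range(self, proto, port):
        if (proto, port) in self.fullrange:
            return (1, 65535)
        return next(r for r in PORT_RANGES if r[0] <= port <= r[1])

    def translate(self, proto, il_ip, il_port, og_ip, og_port):
        """Inside-global port for this flow, allocated on first use.
        None means the range is exhausted and the packet would be dropped."""
        key = (proto, il_ip, il_port, og_ip, og_port)
        if key in self.entries:
            return self.entries[key]
        dest = (proto, og_ip, og_port)
        taken = self.taken.setdefault(dest, set())
        port = il_port                    # port preservation: keep the original if free
        if port in taken:
            lo, hi = self._range(proto, il_port)
            port = self.cursor.get((dest, lo), lo)
            while port <= hi and port in taken:   # ports are never freed in this model,
                port += 1                         # so the scan resumes where it stopped
            self.cursor[(dest, lo)] = port
            if port > hi:
                return None
        taken.add(port)
        self.entries[key] = port
        return port


def overload_slide_sequence():
    """The four flows of the 'Dynamic NAT with Overloading' table, in order."""
    t = PatTable("200.1.1.1")
    return [
        t.translate("tcp", "10.1.1.1", 1024, "150.1.1.1", 23),  # 1024, preserved
        t.translate("tcp", "10.1.1.2", 1723, "150.1.1.1", 23),  # 1723, preserved
        t.translate("tcp", "10.1.1.3", 1024, "150.1.1.1", 23),  # collision: next free in [1024-65535]
        t.translate("tcp", "10.1.1.2", 1024, "150.1.2.1", 23),  # 1024 again: other destination
    ]


def ike_capacity(fullrange):
    """Inside clients that can open IKE (UDP 500 -> 500) to one server before
    allocation fails: 511 under the range rule, 65535 with fullrange."""
    t = PatTable("200.1.1.1", fullrange={("udp", 500)} if fullrange else ())
    n = 0
    while True:
        client = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"   # constructed client IPs
        if t.translate("udp", client, 500, "150.1.1.1", 500) is None:
            return n
        n += 1
```

`ike_capacity(False)` stops at 511 clients, the figure the slide gives, because every replacement port has to come from [1-511]; `ike_capacity(True)` reaches 65535.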


NAT Services - IPSEC

NAT(config)# ip nat service list <acl> ESP spi-match

• Introduced by CSCdw17198
• The ACL should match the outside global address of the IPSEC server/concentrator
• Background:
  – IPSEC peers can negotiate NAT-T (NAT Traversal) to add a UDP header on top of ESP packets, so NAT can use the UDP port for overloading
  – NAT-T is on by default on IOS devices; use '(config)# no crypto ipsec nat-transparency udp-encaps' on the IPSEC client/server to disable it
  – Without NAT-T, NAT uses the SPI (part of the ESP header) for overloading
  – The difficulty comes from the fact that there is one SPI per direction, so the NAT router has to 'bind' both SPIs
• Limitations:
  – The NAT router accepts only one connection to the same outside server at a time as long as the SPI binding is not done. Once the SPI binding is done, another connection can be initiated
  – The NAT router should first see an ESP packet from IN to OUT


NAT Services - IPSEC

• Client 1 initiates a connection with SPI1; this creates the first NAT entry
• If at that moment client 2 initiates a connection to the same server, its packet is dropped by the NAT router
• When the server replies (with SPI2) to client 1's request, a second NAT entry is created and associated with the first one, i.e. any ESP packets from the server with SPI2 are dispatched to client 1

NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
esp 200.1.1.1:0        10.1.1.1:SPI1      150.1.1.1:0        150.1.1.1:0
esp 200.1.1.1:0        10.1.1.1:0         150.1.1.1:0        150.1.1.1:SPI2

[Diagram: IPSEC clients .1, .2 and .3 on 10.1.1.0/24 (IN) - NAT router - Internet (OUT) - IPSEC Server 150.1.1.1.]


NAT Services - IPSEC

*Apr 13 12:09:03.307: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.1, SPI=5940943A, IG=200.1.1.1
*Apr 13 12:09:03.307: NAT: IPSec: created In->Out ESP translation IL=10.1.1.1 SPI=0x5940943A, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
*Apr 13 12:09:03.307: NAT: IPSec: Inside host (IL=10.1.1.1) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
*Apr 13 12:09:03.307: NAT: creating portlist proto 50 globaladdr 200.1.1.1
*Apr 13 12:09:03.307: NAT: creating ESP portlist for IG=200.1.1.1
*Apr 13 12:09:03.311: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [80]
*Apr 13 12:09:03.311: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [80]
.... [the server does not reply, for whatever reason]
*Apr 13 12:09:13.415: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [88]
*Apr 13 12:09:13.415: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [88]
.... [a second client tries to establish an IPSEC connection to the same server]
*Apr 13 12:09:47.059: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
*Apr 13 12:09:47.059: NAT: IPSec: another inside host (10.1.1.1) is trying to open an ESP conn to 150.1.1.1, cannot process request from 10.1.1.2
*Apr 13 12:09:47.059: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Apr 13 12:09:47.059: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
*Apr 13 12:09:47.059: NAT: IPSec: another inside host (10.1.1.1) is trying to open an ESP conn to 150.1.1.1, cannot process request from 10.1.1.2
*Apr 13 12:09:47.059: NAT: translation failed (A), dropping packet s=10.1.1.2 d=150.1.1.1

*Apr 13 12:10:04.711: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [98]
*Apr 13 12:10:04.711: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [98]
*Apr 13 12:10:04.711: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x7FB18572, IG=200.1.1.1, IL=10.1.1.1
... [the SPI of the first session is bound -> now the second client can establish an ESP connection]
*Apr 13 12:10:12.587: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
*Apr 13 12:10:12.587: NAT: IPSec: created In->Out ESP translation IL=10.1.1.2 SPI=0x1BF6BAA5, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
*Apr 13 12:10:12.587: NAT: IPSec: Inside host (IL=10.1.1.2) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
*Apr 13 12:10:12.591: NAT: i: esp (10.1.1.2, 0x1BF6BAA5) -> (150.1.1.1, 0x0) [22]
*Apr 13 12:10:12.591: NAT: s=10.1.1.2->200.1.1.1, d=150.1.1.1 [22]
*Apr 13 12:10:12.591: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x1093AEB7, IG=200.1.1.1, IL=10.1.1.2

NAT#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
esp 200.1.1.1:0        10.1.1.1:0         150.1.1.1:0        150.1.1.1:7FB18572
esp 200.1.1.1:0        10.1.1.1:5940943A  150.1.1.1:0        150.1.1.1:0
esp 200.1.1.1:0        10.1.1.2:0         150.1.1.1:0        150.1.1.1:1093AEB7
esp 200.1.1.1:0        10.1.1.2:1BF6BAA5  150.1.1.1:0        150.1.1.1:0


NAT Services – SPI matching

• If the IPSEC responder supports SPI matching (on a Cisco IOS device: '(config)# crypto ipsec nat-transparency spi-matching'), the SPI used by the responder is no longer randomly generated but computed from an MD5 hash of the incoming SPI
• This allows the NAT router to calculate the SPI of the out-to-in ESP packets as soon as the first in-to-out ESP packet is received
• This allows many inside clients to initiate ESP connections to the same outside server simultaneously
• Disabled by default

NAT(config)# ip nat service list 1 ESP spi-match
NAT(config)# access-list 1 permit 150.1.1.1

• If the outside server (150.1.1.1) uses SPI matching, this command enables SPI matching for this server on the NAT router
• Rem: if a server matched by the ACL does NOT use SPI matching, the ESP session cannot be translated (the return packet is dropped)!
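The ESP behaviour described on the IPSEC slides (one client at a time per server until the reply SPI is bound, second client dropped meanwhile) and the SPI-matching change above (reply SPI predictable, so several clients can start at once, but a server that does not really use SPI matching has its replies dropped) can be written down as a small state machine. The model below is an added example, not IOS code: `EspTranslator` and its method names are this example's own, the SPI values are the ones from the debug output on the previous slides, and the `spi_match` callback stands in for the MD5-based derivation the slide mentions but does not specify, so it is a placeholder function, not the real computation.

```python
"""State model of ESP handling by a PAT router without NAT-T. Added example, not IOS."""


class EspTranslator:
    def __init__(self, inside_global, spi_match=None):
        self.inside_global = inside_global
        self.spi_match = spi_match   # callable(in_spi) -> predicted reply SPI, or None
        self.out_entries = {}        # (il, og, in_spi) -> bound (True once the reply SPI is known)
        self.in_entries = {}         # (og, out_spi) -> inside local the reply belongs to
        self.waiting = {}            # og -> inside local still waiting for the first reply

    def inside_to_outside(self, il, og, spi):
        """Source address after translation, or None when the packet is dropped."""
        key = (il, og, spi)
        if key not in self.out_entries:
            if og in self.waiting and self.waiting[og] != il:
                return None          # another inside host is still waiting: cannot process
            self.out_entries[key] = False
            if self.spi_match is not None:
                # SPI matching: the reply SPI is computable now, so bind immediately
                self.in_entries[(og, self.spi_match(spi))] = il
                self.out_entries[key] = True
            else:
                self.waiting[og] = il    # wait for the Out->In reply to learn SPI2
        return self.inside_global

    def outside_to_inside(self, og, spi):
        """Inside local a reply is delivered to, or None when it is dropped."""
        il = self.in_entries.get((og, spi))
        if il is not None:
            return il
        il = self.waiting.get(og)
        if il is None:
            return None              # nobody waiting for this server: unknown SPI dropped
        self.in_entries[(og, spi)] = il              # bind the responder's SPI
        del self.waiting[og]
        for k in self.out_entries:
            if k[0] == il and k[1] == og:
                self.out_entries[k] = True
        return il


def scenario_without_spi_match():
    """Replays the debug output: client 2 is refused until client 1's SPI is bound."""
    nat = EspTranslator("200.1.1.1")
    return [
        nat.inside_to_outside("10.1.1.1", "150.1.1.1", 0x5940943A),  # entry created, waiting
        nat.inside_to_outside("10.1.1.2", "150.1.1.1", 0x1BF6BAA5),  # dropped
        nat.outside_to_inside("150.1.1.1", 0x7FB18572),              # reply binds SPI2 to client 1
        nat.inside_to_outside("10.1.1.2", "150.1.1.1", 0x1BF6BAA5),  # now accepted
        nat.outside_to_inside("150.1.1.1", 0x1093AEB7),              # reply to client 2
    ]


def placeholder_spi_match(spi):
    """Stand-in for the responder's SPI derivation; NOT the IOS algorithm."""
    return spi ^ 0xFFFFFFFF


def scenario_with_spi_match(server_honours_it):
    """'ip nat service list 1 ESP spi-match' with 150.1.1.1 in the ACL.  If the
    server really derives its SPI, two clients start at once; if it does not,
    its reply carries an unexpected SPI and is dropped (the slide's Rem)."""
    nat = EspTranslator("200.1.1.1", spi_match=placeholder_spi_match)
    nat.inside_to_outside("10.1.1.1", "150.1.1.1", 0xED19E956)
    second = nat.inside_to_outside("10.1.1.2", "150.1.1.1", 0x1BF6BAA5)
    reply_spi = placeholder_spi_match(0xED19E956) if server_honours_it else 0x5FF2220B
    return second, nat.outside_to_inside("150.1.1.1", reply_spi)
```

`scenario_without_spi_match()` returns `['200.1.1.1', None, '10.1.1.1', '200.1.1.1', '10.1.1.2']`, matching the sequence of "cannot process request" and "new Out->In ESP transl" lines in the debug; `scenario_with_spi_match(False)` shows the reply being dropped when the ACL claims SPI matching for a server that does not do it.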
NAT Services – SPI-matching

*Apr 13 14:09:40.899: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.1, SPI=ED19E956, IG=200.1.1.1
*Apr 13 14:09:40.899: NAT: IPSec: created In->Out ESP translation IL=10.1.1.1 SPI=0xED19E956, IG=200.1.1.1,
OL=150.1.1.1, OG=150.1.1.1
*Apr 13 14:09:40.899: NAT: IPSec: Inside host (IL=10.1.1.1) trying to open an ESP connection to Outside host
(OG=150.1.1.1), wait for Out->In reply
*Apr 13 14:09:40.899: NAT: creating portlist proto 50 globaladdr 200.1.1.1
*Apr 13 14:09:40.899: NAT: creating ESP portlist for IG=200.1.1.1
*Apr 13 14:09:40.899: NAT: i: esp (10.1.1.1, 0xED19E956) -> (150.1.1.1, 0x0) [184]
*Apr 13 14:09:40.899: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [184]
… [esp packet from server is received and it matches calculated SPI]
*Apr 13 14:09:40.903: NAT: ESP: SPIs matched
*Apr 13 14:09:40.903: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x5FF2220B, IG=200.1.1.1, IL=10.1.1.1

NAT#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
esp 200.1.1.1:0 10.1.1.1:0 150.1.1.1:0 150.1.1.1:5FF2220B
esp 200.1.1.1:0 10.1.1.1:ED19E956 150.1.1.1:0 150.1.1.1:0

NAT Services

NAT(config)# ip nat service list <acl> IKE preserve-port

• Introduced by CSCdu76854 – see ENG-114802
• The acl should match the outside global address of the IPSEC server/concentrator
• Source port 500 is preserved; multiplexing is done on the initiator cookie (part of the IKE header)
• The initiator cookie is visible with ‘show ip nat translations verbose’
• Disabled by default (breaks some IPSEC implementations in Phase 1 rekeying)

NAT(config)# ip nat service list <acl> ftp tcp port <1-65535>

• The acl should match the outside global address of the FTP server
• Allows the FTP server to use a port other than the default (21) for the control session
NAT Services – IKE Preserve-port
*Apr 13 15:29:08.179: NAT: address not stolen for 10.1.1.1, proto 17 port 500
*Apr 13 15:29:08.179: NAT: preserving IKE port for source addr 10.1.1.1, destination addr 150.1.1.1, initiator cookie 0x4EBDB5C
*Apr 13 15:29:08.179: NAT: [0] Allocated Port for 10.1.1.1 -> 200.1.1.1: wanted 500 got 500
*Apr 13 15:29:08.179: NAT: i: udp (10.1.1.1, 500) -> (150.1.1.1, 500) [258]
*Apr 13 15:29:08.179: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [258]
*Apr 13 15:29:08.243: NAT: o: udp (150.1.1.1, 500) -> (200.1.1.1, 500) [302]
*Apr 13 15:29:08.243: NAT: s=150.1.1.1, d=200.1.1.1->10.1.1.1 [302]
... [a second inside client initiates an IKE session]
*Apr 13 15:29:25.135: NAT: preserving IKE port for source addr 10.1.1.2, destination addr 150.1.1.1, initiator cookie 0x28810D1E
*Apr 13 15:29:25.135: NAT: [0] Allocated Port for 10.1.1.2 -> 200.1.1.1: wanted 500 got 3
[without the IKE preserve-port command, the source UDP port would have been set to 3]
*Apr 13 15:29:25.139: NAT: i: udp (10.1.1.2, 500) -> (150.1.1.1, 500) [72]
*Apr 13 15:29:25.139: NAT: s=10.1.1.2->200.1.1.1, d=150.1.1.1 [72]
*Apr 13 15:29:25.207: NAT: o: udp (150.1.1.1, 500) -> (200.1.1.1, 500) [306]
*Apr 13 15:29:25.207: NAT: s=150.1.1.1, d=200.1.1.1->10.1.1.2 [306]
[out-to-in packets are dispatched to the correct internal host based on the initiator cookie]

NAT#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 200.1.1.1:500 10.1.1.1:500 150.1.1.1:500 150.1.1.1:500
udp 200.1.1.1:500 10.1.1.2:500 150.1.1.1:500 150.1.1.1:500

NAT#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
udp 200.1.1.1:500 10.1.1.1:500 150.1.1.1:500 150.1.1.1:500
create 00:00:29, use 00:00:12 timeout:300000, left 00:04:47, Map-Id(In): 1,
flags:
extended, use_count: 0, entry-id: 40, lc_entries: 0
initiator cookie: 0xAFD17956, Entry type : 0
udp 200.1.1.1:500 10.1.1.2:500 150.1.1.1:500 150.1.1.1:500
create 00:00:12, use 00:00:12 timeout:300000, left 00:04:47, Map-Id(In): 1,
flags:
extended, use_count: 0, entry-id: 41, lc_entries: 0
initiator cookie: 0x9716334C, Entry type : 0
NAT Services

NAT(config)# ip nat service sip tcp/udp port [port]
NAT(config)# ip nat service skinny tcp port [port]

• SIP and skinny services are enabled by default on the standard ports (5060 for SIP and 2000 for skinny-SCCP)
• These commands were introduced to allow customers to use a non-standard port for these protocols
• They can also be used to disable ALG processing on the standard port if another application uses this port

NAT Services

NAT(config)# ip nat service h225
NAT(config)# ip nat service ras

• Introduced by CSCdx40184
• H323-H225 and H323-RAS services are enabled by default
• These commands were introduced to allow these services to be turned off
• They were initially introduced because of some H323 vulnerabilities
• Could be useful if another application uses these ports…

Verifying NAT

NAT#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 120.6.2.1:5 10.1.1.10:5 150.1.1.1:5 150.1.1.1:5

NAT#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 120.6.2.1:5 10.1.1.10:5 150.1.1.1:5 150.1.1.1:5
create 00:00:50, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 2,
flags:
extended, use_count: 0, VRF : A, entry-id: 3, lc_entries: 0

NAT#sh ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
Serial2/0
Inside interfaces:
Ethernet0/0
Hits: 9042 Misses: 3
CEF Translated packets: 9045, CEF Punted packets: 14
Expired translations: 2
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 1 interface Serial2/0 refcount 1
Queued Packets: 0

Troubleshooting NAT

• Various NAT debugs are available
• A standard acl can be specified to limit the debug output

NAT#debug ip nat ?
<1-99> Access list
detailed NAT detailed events
fragment NAT fragment events
generic NAT generic ALG handler events
h323 NAT H.323 events
ipsec NAT IPSec events
nvi NVI events
port NAT PORT events
pptp NAT PPTP events
route NAT Static route events
sip NAT SIP events
skinny NAT skinny events
vrf NAT VRF events
wlan-nat WLAN NAT events
<cr>

Troubleshooting NAT

debug ip nat detail

*Aug 8 20:04:19.675: NAT: Allocated Port for 10.1.1.10 -> 120.6.2.1: wanted 19964 got 19964
*Aug 8 20:04:19.675: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5860]
*Aug 8 20:04:19.675: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5860]
*Aug 8 20:04:19.675: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5860]
*Aug 8 20:04:19.691: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7604]
*Aug 8 20:04:19.691: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7604]
*Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5861]
*Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5861]
*Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5862]
*Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5862]
*Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5863]
*Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5863]
*Aug 8 20:04:19.711: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7605]
*Aug 8 20:04:19.711: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7605]
*Aug 8 20:04:19.711: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7606]
*Aug 8 20:04:19.711: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7606]

Clearing NAT Translation Entries
Router#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 200.1.1.1:11003 10.1.1.1:11003 150.1.1.1:23 150.1.1.1:23
tcp 200.1.1.1:1067 10.1.1.5:1067 150.1.1.1:23 150.1.1.1:23
router#clear ip nat trans *
router#
router#show ip nat trans

All entries are cleared.


router#show ip nat trans
Pro Inside global Inside local Outside local Outside global
udp 192.168.2.2:1220 10.1.1.2:1120 171.69.2.132:53 171.69.2.132:53
tcp 192.168.2.1:11003 10.1.1.1:11003 172.16.2.2:23 172.16.2.2:23
tcp 192.168.2.1:1067 10.1.1.1:1067 172.16.2.3:23 172.16.2.3:23
router#clear ip nat trans udp inside 192.168.2.2 10.1.1.2 1220 171.69.2.132 53 171.69.2.132 53
router#show ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 192.168.2.1:11003 10.1.1.1:11003 172.16.2.2:23 172.16.2.2:23
tcp 192.168.2.1:1067 10.1.1.1:1067 172.16.2.3:23 172.16.2.3:23

192.168.2.2 is cleared.

Troubleshooting NAT
• Get details about what exactly is failing (specific traffic or all traffic? traffic from IN to OUT or from OUT to IN? etc…)
→ You should end up with an example of problematic traffic (source and destination IP, where the source and destination are located, etc…)
• Check the NAT table for the impacted traffic -> ‘sh ip nat trans | i x.x.x.x’
• Run ‘debug ip nat <acl>’ with an acl matching the impacted flow
• Check with acl hit counts that the packet hits the NAT router on the correct interface (caution: acl hit counts are not always reliable on hardware platforms)
• Check that you can ping the inside local and the outside global addresses from the NAT router (caution: there could be a FW denying ICMP)
• Use the inside global (outside local) address as a secondary address on the outside (inside) interface and do an extended ping to the outside global (inside local) address with the secondary as source
• Check that there is an ARP entry for the inside global and outside local addresses when the interface is Ethernet -> ‘sh ip arp <interface>’
Troubleshooting NAT
Application specific issue
If the problem is related to a specific application/protocol (ping works but not telnet or ftp…):
• Check if a static port translation is configured
• Check if packets hit the NAT router using acl hit counts (an acl or a FW on the path could be filtering packets)
• Check that it’s not a ‘packet size issue’ by pinging with small and big packet sizes
• Check if the application/protocol requires an ALG (Application Layer Gateway). If yes, a sniffer trace taken on the IN and OUT sides can identify which field in the payload is not handled correctly
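Added example in Python (not code from the slides or from Cisco): it parses ‘show ip nat translations’ output in the format shown on these slides, narrows it to a problem flow the way the ‘sh ip nat trans | i x.x.x.x’ step does, builds the ‘clear ip nat translation’ command for one entry (the Clearing NAT Translation Entries slide), and flags ESP entries still waiting for the Out->In reply (the SPI-matching slide). The sample table is constructed; the tcp/udp clear syntax with the ‘outside’ keyword is assumed from the IOS command reference as I recall it and should be confirmed with ‘clear ip nat translation ?’ on your release.

```python
"""Parse 'show ip nat translations', isolate one flow, build its clear
command, and spot ESP entries still waiting for the Out->In reply.
Added example, not slide or Cisco code."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the slide format: tcp/udp/icmp entries, ESP entries
# whose port field carries a hex SPI (10.1.1.1 has both directions, 10.1.1.2
# only the In->Out half), and one static mapping printed with '---'.
SAMPLE_SHOW = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 192.168.2.2:1220   10.1.1.2:1120      171.69.2.132:53    171.69.2.132:53
tcp 192.168.2.1:11003  10.1.1.1:11003     172.16.2.2:23      172.16.2.2:23
tcp 192.168.2.1:1067   10.1.1.1:1067      172.16.2.3:23      172.16.2.3:23
icmp 120.6.2.1:5       10.1.1.10:5        150.1.1.1:5        150.1.1.1:5
esp 200.1.1.1:0        10.1.1.1:0         150.1.1.1:0        150.1.1.1:5FF2220B
esp 200.1.1.1:0        10.1.1.1:ED19E956  150.1.1.1:0        150.1.1.1:0
esp 200.1.1.1:0        10.1.1.2:1BF6BAA5  150.1.1.1:0        150.1.1.1:0
--- 200.1.1.100        10.1.1.100         ---                ---
"""


@dataclass(frozen=True)
class Endpoint:
    ip: Optional[str]    # None when the column shows '---'
    port: Optional[str]  # kept as text: ESP rows carry a hex SPI here

    @classmethod
    def parse(cls, field: str) -> "Endpoint":
        if field == "---":
            return cls(None, None)
        ip, _, port = field.partition(":")
        return cls(ip, port or None)


@dataclass(frozen=True)
class Translation:
    proto: str  # tcp/udp/icmp/esp, or '---' for a static mapping
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Endpoint
    outside_global: Endpoint


def parse_translations(text: str) -> list[Translation]:
    """Rows of the table; the 'Pro ...' header and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] != "Pro":
            proto, *cols = fields
            rows.append(Translation(proto.lower(), *map(Endpoint.parse, cols)))
    return rows


def entries_for_flow(rows, inside_local_ip, outside_global_ip=None):
    """Entries created for an inside host, optionally towards one destination.
    An empty result means the packet never created a translation: check the
    acl hit counts and the 'ip nat inside/outside' interface roles next."""
    return [e for e in rows
            if e.inside_local.ip == inside_local_ip
            and (outside_global_ip is None
                 or e.outside_global.ip in (outside_global_ip, None))]


def clear_command(entry: Translation) -> str:
    """Assumed tcp/udp form (confirm with 'clear ip nat translation ?'):
    clear ip nat translation {tcp|udp} inside IG IG-port IL IL-port
                             outside OL OL-port OG OG-port
    Other protocols fall back to the address-only form, which clears every
    dynamic entry for that inside global / inside local pair."""
    ig, il = entry.inside_global, entry.inside_local
    ol, og = entry.outside_local, entry.outside_global
    if entry.proto in ("tcp", "udp") and ol.ip and og.ip:
        return (f"clear ip nat translation {entry.proto} inside "
                f"{ig.ip} {ig.port} {il.ip} {il.port} outside "
                f"{ol.ip} {ol.port} {og.ip} {og.port}")
    return f"clear ip nat translation inside {ig.ip} {il.ip}"


def esp_without_reply(rows):
    """In->Out ESP entries (inside local SPI set) with no Out->In companion
    (outside global SPI set) for the same hosts: the 'wait for Out->In reply'
    state of the SPI-matching debug. One that persists means the server's
    ESP packet never matched (no SPI matching on the server, or dropped)."""
    def key(e):
        return (e.inside_global.ip, e.inside_local.ip, e.outside_global.ip)
    replied = {key(e) for e in rows
               if e.proto == "esp" and e.outside_global.port != "0"}
    return [e for e in rows
            if e.proto == "esp" and e.inside_local.port != "0"
            and key(e) not in replied]


if __name__ == "__main__":
    table = parse_translations(SAMPLE_SHOW)
    for e in entries_for_flow(table, "10.1.1.2", "171.69.2.132"):
        print(clear_command(e))
    for e in esp_without_reply(table):
        print("ESP waiting for Out->In reply:", e.inside_local.ip)
```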

Agenda

• NAT Overview
• NAT Operations
• NAT Config & Troubleshooting
 NAT Redundancy
• NAT in MPLS/VRF environment

NAT Redundancy

Several scenarios
• 1 Router – 2 Providers
• 2 Routers – 1 Provider
• 2 Routers – 2 Providers – no dedicated public pool
• 2 Routers – 2 Providers – dedicated public pool

NAT Redundancy
1 Router – 2 Providers
• 2 Providers used in a failover scenario (or simultaneously)
• ISP1 is the primary, ISP2 the backup
• We use NAT overload with the public IP provided by each ISP
• If ISP1 fails, NAT should use the IP of ISP2

[Diagram: Inside 10.0.0.0/8 on Eth0/0 of the NAT router; S1/0 to ISP1 (200.1.1.0/24) and S2/0 to ISP2 (100.1.1.0/24), both towards the Internet]

• Existing sessions are lost during failover
• Special care should be taken with sessions initiated from outside (static NAT) if the ISPs perform a source IP check (uRPF, acl)
NAT Redundancy
1 Router – 2 Providers
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface Serial1/0
ip nat outside
!
interface Serial2/0
ip nat outside
!
ip nat inside source route-map ISP1 interface Serial1/0 overload
ip nat inside source route-map ISP2 interface Serial2/0 overload
!
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 0.0.0.0 0.0.0.0 Serial2/0 100
!
route-map ISP1 permit 10
match ip address 1
match interface Serial1/0
!
route-map ISP2 permit 10
match ip address 1
match interface Serial2/0
!
access-list 1 permit 10.0.0.0 0.255.255.255

NAT Redundancy
2 Routers – 1 Provider (1 public pool)

• 2 NAT routers used in a failover scenario
• In normal conditions, all traffic passes through the NAT1 router
• Should provide redundancy for static and dynamic NAT
• HSRP is used on the Inside and Outside interfaces

[Diagram: Inside 10.0.0.0/8 connected to NAT1 and NAT2, both attached to the 200.1.1.0/24 outside LAN towards the Internet]

N.B. Existing sessions could be maintained

NAT Redundancy
2 Routers – 1 Provider
Stateful NAT
• The idea is to mirror on the standby SNAT router the NAT entries created by the active SNAT router
• When the active SNAT router goes down, the standby SNAT router is ready to do the translations (with the same inside global IP/port)
• This keeps existing sessions alive
• NAT entries are mirrored via a TCP session permanently established between the SNAT peers, or via acknowledged UDP packets
• IP-Redundancy mode (HSRP) or Primary/Backup mode

[Diagram: Inside 10.0.0.0/8 with NAT1 (ACTIVE) and NAT2 (STANDBY) exchanging entries over TCP/UDP, both connected to the Internet]
NAT Redundancy - SNAT

NAT1 Router:
interface Ethernet0/0
ip nat inside
standby 1 name HSRP_IN
!
ip nat stateful id 1
redundancy HSRP_IN
mapping-id 10
!
ip nat pool PUB 200.1.2.1 200.1.2.1 prefix-length 24
ip nat inside source list 1 pool PUB mapping-id 10 overload
!
ip route 10.1.1.0 255.255.255.0 200.1.1.3 10
!
access-list 1 permit 10.0.0.0 0.255.255.255

NAT2 Router:
interface Ethernet0/0
ip nat inside
standby 1 name HSRP_IN
!
ip nat stateful id 2
redundancy HSRP_IN
mapping-id 10
!
ip nat pool PUB 200.1.2.1 200.1.2.1 prefix-length 24
ip nat inside source list 1 pool PUB mapping-id 10 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255

NAT Redundancy - SNAT

NAT1 Router:
NAT1#sh ip snat distributed verbose

Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: ACTIVE

: State READY
: Local Address 10.1.1.2
: Local NAT id 1
: Peer Address 10.1.1.3
: Peer NAT id 2
: Mapping List 10
: InMsgs 4, OutMsgs 8, tcb 0x261B7E8, listener 0x0

NAT2 Router:
NAT2#sh ip snat distributed verbose

Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: STANDBY

: State READY
: Local Address 10.1.1.3
: Local NAT id 2
: Peer Address 10.1.1.2
: Peer NAT id 1
: Mapping List 10
: InMsgs 9, OutMsgs 4, tcb 0x2971C18, listener 0x2971760

NAT Redundancy - SNAT

NAT1 Router:
NAT1#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 200.1.2.1:1 10.1.1.50:1 150.1.1.1:1 150.1.1.1:1
create 00:00:13, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 1,
flags:
extended, use_count: 0 nat_id: 1 nat_entry_num: 2 nat_mapping_id[in]: 10
nat_mapping_id[out]: 0, entry-id: 4, lc_entries: 0
NAT1#
NAT1#sh ip snat peer 10.1.1.3

Show NAT Entries created by peer: 10.1.1.3

Pro Inside global Inside local Outside local Outside global

NAT1#

NAT2 Router:
NAT2#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 200.1.2.1:1 10.1.1.50:1 150.1.1.1:1 150.1.1.1:1
create 00:01:05, use 00:00:00 timeout:60000, timing-out, Map-Id(In): 1,
flags:
extended, created-by-remote, use_count: 0 nat_id: 1 nat_entry_num: 2
nat_mapping_id[in]: 10 nat_mapping_id[out]: 0, entry-id: 3, lc_entries: 0
NAT2#
NAT2#sh ip snat peer 10.1.1.2

Show NAT Entries created by peer: 10.1.1.2

Pro Inside global Inside local Outside local Outside global
icmp 200.1.2.1:1 10.1.1.50:1 150.1.1.1:1 150.1.1.1:1
NAT2#
NAT Redundancy - SNAT
debug ip snat [std_acl] [detail]

NAT1 Router:
NAT1#debug ip snat
NAT1#debug ip tcp packet
NAT1#
*Aug 6 15:01:05.207: SNAT (snd msg): Add new entry for router-id 1
*Aug 6 15:01:05.207: SNAT (sndmsg): Found Peer to ADD entry
*Aug 6 15:01:05.207: SNAT (write2net): 10.1.1.2 <---> 10.1.1.3 send message
*Aug 6 15:01:05.207: tcp0: O ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 4243310795 DATA 116 ACK 1259957032 PSH WIN 64591
*Aug 6 15:01:05.227: tcp0: I ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 1259957032 DATA 116 ACK 4243310795 PSH WIN 65024
*Aug 6 15:01:05.439: tcp0: O ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 4243310911 ACK 1259957148 WIN 64475
*Aug 6 15:01:05.439: tcp0: I ESTAB 10.1.1.3:15555 10.1.1.2:44014 seq 1259957148 ACK 4243310911 WIN 64908
*Aug 6 15:01:05.459: SNAT (readfromnet 1): There is some pending data on tcp. Value:116

NAT2 Router:
NAT1#debug ip snat
NAT1#debug ip tcp packet
NAT1#
*Aug 6 15:01:05.575: SNAT (snd msg): Add new entry for router-id 2
*Aug 6 15:01:05.575: SNAT (sndmsg): Found Peer to ADD entry
*Aug 6 15:01:05.575: SNAT (write2net): 10.1.1.3 <---> 10.1.1.2 send message
*Aug 6 15:01:05.575: tcp0: O ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 1259957032 DATA 116 ACK 4243310795 PSH WIN 65024
*Aug 6 15:01:05.607: tcp0: I ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 4243310795 DATA 116 ACK 1259957032 PSH WIN 64591
*Aug 6 15:01:05.811: tcp0: O ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 1259957148 ACK 4243310911 WIN 64908
*Aug 6 15:01:05.811: tcp0: I ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 4243310911 ACK 1259957148 WIN 64475
*Aug 6 15:01:06.359: SNAT (readfromnet 1): There is some pending data on tcp. Value:116
SNAT additional commands

ip nat stateful id 1
redundancy HSRP_IN
protocol udp
as-queuing disable
interface Ethernet0/0
standby delay reload <delay>
standby 1 preempt delay minimum|reload|sync

• The recommended protocol is UDP (more scalable)
• When SNAT is activated, an additional delay might be seen for packets that require the creation of a new NAT entry
• The active NAT router buffers the packet until it receives confirmation from the backup SNAT router that the entry has been populated
• This queuing is useless if there is no asymmetric routing OUT-to-IN; ‘as-queuing disable’ removes this extra delay
• A delay should be introduced in HSRP to make sure SNAT has time to converge before the router becomes HSRP active
NAT Redundancy - SNAT

• Several phases in the SNAT implementation
• Phase 2 (introduced in 12.3(7)T) added support for:
– ALG (Application Layer Gateway) failover
– Asymmetric routing for out->in traffic
– Distribution of all forms of dynamic NAT entries (created by static NAT, etc…)
• Next phases (3, 4) should add support for:
– Bidirectional mirroring (currently, only entries on the SNAT active router are mirrored)
– More than 2 SNAT routers
– …

NAT Redundancy
2 Routers – 1 Provider
Static Inside NAT
• Problem: if both NAT routers create an ARP entry for the inside global IP, we have a duplicate IP problem -> only 1 NAT router should create the alias
• To avoid problems with some ALG protocols (FTP, ...), reflexive acls, etc…, traffic should be handled by the same router in both directions.
• Traffic from Inside is handled by the HSRP active router on the Inside LAN
• Traffic from the Internet is handled by the router replying to the Provider's ARP request
→ The inside global IP should be owned (i.e. inserted in the ARP cache) by the HSRP active router on the inside LAN.
Rem: another solution is to use non-directly-connected IPs for the inside global addresses

[Diagram: Inside 10.0.0.0/8 with server 10.1.1.100; NAT1 and NAT2 run HSRP_IN on the inside LAN and HSRP_OUT on the 200.1.1.0/24 outside LAN towards the Internet]

NAT Redundancy
2 Routers – 1 Provider

NAT1 Router:
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
ip nat inside
standby 1 ip 10.1.1.1
standby 1 priority 120
standby 1 name HSRP_IN
!
interface Ethernet1/0
ip address 200.1.1.2 255.255.255.0
ip nat outside
standby 2 ip 200.1.1.1
standby 2 priority 120
standby 2 name HSRP_OUT
!
ip nat inside source static 10.1.1.100 200.1.1.100 redundancy HSRP_IN

NAT2 Router:
interface Ethernet0/0
ip address 10.1.1.3 255.255.255.0
ip nat inside
standby 1 ip 10.1.1.1
standby 1 name HSRP_IN
!
interface Ethernet1/0
ip address 200.1.1.3 255.255.255.0
ip nat outside
standby 2 ip 200.1.1.1
standby 2 name HSRP_OUT
!
ip nat inside source static 10.1.1.100 200.1.1.100 redundancy HSRP_IN
NAT Redundancy
2 Routers – 1 Provider

NAT1 Router:
NAT1#sh standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Et0/0 1 120 Active local 10.1.1.3 10.1.1.1
Et1/0 2 120 Active local 200.1.1.3 200.1.1.1
NAT1#
NAT1#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.2 - aabb.cc00.6500 ARPA Ethernet0/0
Internet 10.1.1.1 - 0000.0c07.ac01 ARPA Ethernet0/0
Internet 200.1.1.100 - aabb.cc00.6501 ARPA Ethernet1/0
Internet 200.1.1.1 - 0000.0c07.ac02 ARPA Ethernet1/0
Internet 200.1.1.2 - aabb.cc00.6501 ARPA Ethernet1/0
NAT1#

NAT2 Router:
NAT2#sh standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Et0/0 1 100 Standby 10.1.1.2 local 10.1.1.1
Et1/0 2 100 Standby 200.1.1.2 local 200.1.1.1
NAT2#
NAT2#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.3 - aabb.cc00.6600 ARPA Ethernet0/0
Internet 200.1.1.3 - aabb.cc00.6601 ARPA Ethernet1/0
NAT2#
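Added example in Python (not code from the slides or from Cisco): it runs the check the Static Inside NAT slide asks for, using ‘show standby brief’ and ‘show ip arp’ captured on both routers, and verifies that the inside global address is aliased on exactly one router and that this router is HSRP active for the group the static entry is bound to. The captures below are constructed after the slide's output; the mapping of ‘redundancy HSRP_IN’ to group 1 on Et0/0 is taken from the slide config.

```python
"""Verify that the static inside global address is aliased (present with
Age '-' in the ARP cache) on exactly one NAT router, and that this router
is HSRP active for the inside LAN group. Added example, not Cisco code."""
import re

# Constructed captures following the slide's 'sh standby brief' / 'sh ip arp'
# output: NAT1 is HSRP active and aliases 200.1.1.100, NAT2 is standby.
NAT1_STANDBY = """\
P indicates configured to preempt.
                     |
Interface   Grp Prio P State   Active          Standby         Virtual IP
Et0/0       1   120    Active  local           10.1.1.3        10.1.1.1
Et1/0       2   120    Active  local           200.1.1.3       200.1.1.1
"""
NAT1_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                -   aabb.cc00.6500  ARPA   Ethernet0/0
Internet  10.1.1.1                -   0000.0c07.ac01  ARPA   Ethernet0/0
Internet  200.1.1.100             -   aabb.cc00.6501  ARPA   Ethernet1/0
Internet  200.1.1.1               -   0000.0c07.ac02  ARPA   Ethernet1/0
Internet  200.1.1.2               -   aabb.cc00.6501  ARPA   Ethernet1/0
"""
NAT2_STANDBY = """\
P indicates configured to preempt.
                     |
Interface   Grp Prio P State   Active          Standby         Virtual IP
Et0/0       1   100    Standby 10.1.1.2        local           10.1.1.1
Et1/0       2   100    Standby 200.1.1.2       local           200.1.1.1
"""
NAT2_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.3                -   aabb.cc00.6600  ARPA   Ethernet0/0
Internet  200.1.1.3               -   aabb.cc00.6601  ARPA   Ethernet1/0
"""

# 'redundancy HSRP_IN' on the static entry is standby group 1 on Ethernet0/0
# in the slide config; 'show standby brief' abbreviates the interface Et0/0.
HSRP_IN = ("Et0/0", 1)


def hsrp_states(standby_brief):
    """{(interface, group): state} parsed from 'show standby brief'."""
    states = {}
    for line in standby_brief.splitlines():
        # interface, group, priority, optional 'P' flag, state
        m = re.match(r"(\S+)\s+(\d+)\s+\d+\s+(?:P\s+)?(\w+)", line)
        if m:
            states[(m.group(1), int(m.group(2)))] = m.group(3)
    return states


def owned_addresses(show_ip_arp):
    """Addresses this router answers ARP for: an Age of '-' marks its own
    interface addresses, HSRP virtual IPs and NAT aliases."""
    return {f[1] for f in map(str.split, show_ip_arp.splitlines())
            if len(f) == 6 and f[0] == "Internet" and f[2] == "-"}


def check_alias_owner(alias_ip, group, captures):
    """captures: {router: (standby_brief, show_ip_arp)}.
    Returns (ok, owners, active): ok when exactly one router aliases the
    address and it is the HSRP active router for 'group'. Two owners is the
    duplicate-IP case; an owner that is not active means inbound and
    outbound traffic are handled by different routers."""
    owners = sorted(r for r, (_, arp) in captures.items()
                    if alias_ip in owned_addresses(arp))
    active = sorted(r for r, (sb, _) in captures.items()
                    if hsrp_states(sb).get(group) == "Active")
    return len(owners) == 1 and owners == active, owners, active


if __name__ == "__main__":
    caps = {"NAT1": (NAT1_STANDBY, NAT1_ARP), "NAT2": (NAT2_STANDBY, NAT2_ARP)}
    print(check_alias_owner("200.1.1.100", HSRP_IN, caps))
```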

NAT Redundancy
2 Routers – 1 Provider
Static Outside NAT
• Same issue as Static Inside NAT, but for the outside local IP
• Traffic from the Internet is handled by the HSRP active router on the outside ethernet (assuming there is no inside NAT, or inside NAT uses a pool ≠ 200.1.1.0/24)
• Traffic from Inside is handled by the router replying to the ARP request for the outside local IP address
→ The outside local IP should be owned (i.e. inserted in the ARP cache) by the HSRP active router on the outside ethernet.

[Diagram: Inside 10.0.0.0/8; NAT1 and NAT2 run HSRP_IN and HSRP_OUT (200.1.1.0/24) towards the Internet; server 150.1.1.1 should appear as an internal host]

NAT Redundancy
2 Routers – 2 Providers – Provider IPs
• We use NAT overload with the public IP provided by each ISP
• 2 Providers used simultaneously or in a failover scenario
• If used simultaneously, per-packet load-balancing cannot be used
• If one NAT router or one ISP fails, packets should be rerouted to the other NAT router
• For sessions initiated from outside (static NAT), make sure packets are sent back via the border router they came in through (PBR, nat outside source)
• SNAT is not useful in this scenario

[Diagram: Inside 10.0.0.0/8; NAT1 to ISP1 (200.1.1.0/24) and NAT2 to ISP2 (100.1.1.0/24), both towards the Internet]

N.B. Existing sessions are lost during failover
NAT Redundancy
2 Routers – 2 Providers – Dedicated Public Pool

• The customer has its own public IP pool (195.1.1.0/24)
• BGP is used to advertise this pool on the Internet
• SNAT allows both providers to be used simultaneously for inbound traffic
• Without SNAT, only one ISP can be used at a time because
– Traffic should come back from the Internet via the same ISP
– There is no control on inbound traffic

[Diagram: Inside 10.0.0.0/8; NAT1 with BGP to ISP1 (200.1.1.0/24) and NAT2 with BGP to ISP2 (100.1.1.0/24); pool 195.1.1.0/24 advertised towards the Internet]

N.B. Existing sessions could be maintained
Agenda

• NAT Overview
• NAT Operations
• NAT Config & Troubleshooting
• NAT Redundancy
 NAT in MPLS/VRF environment

VRF Introduction

• VRFs are used on PE routers in an MPLS/VPN network to isolate different customers within the same physical router
• Can be used without MPLS → VRF-lite
• Each VRF (Virtual Routing & Forwarding) has its own Routing & CEF table, so routes/traffic from different customers are kept private
• VRFs permit the creation of several virtual routers within a single physical router
• One (sub-)interface can be attached to only one VRF

[Diagram: one physical router hosting a Virtual Router for Customer A (VRF Routing Table; Customer A sites #1, #2, #3), a Virtual Router for Customer B (VRF Routing Table; Customer B sites #1, #2) and the Global IP Router (Global Routing Table, towards the P router)]
VRF Configuration
• First create the VRFs:
ip vrf <VRF_name>

• Each VRF needs a unique RD (Route Distinguisher); 2 possible formats (ASN:nn or IP-address:nn):
rd <RD_value>

• Assign an interface to the VRF:
ip vrf forwarding <VRF_name>

• Example:
Router(config)#ip vrf CUST_A
Router(config-vrf)#rd 1:1
Router(config-vrf)#exit
Router(config)#interface ethernet0/0
Router(config-if)#ip vrf forwarding CUST_A
NAT-VRF

• The VRF Routing & CEF tables are similar to the Global Routing and CEF tables, so NAT can be configured within a VRF
• The VRF name needs to be specified in the NAT commands
• Example:

ip vrf CUST_A
rd 1:1
!
interface ethernet0/0
ip vrf forwarding CUST_A
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface ethernet1/0
ip vrf forwarding CUST_A
ip address 120.16.2.1 255.255.255.0
ip nat outside
!
ip nat inside source static 10.1.1.1 200.1.1.1 vrf CUST_A

NAT in VRF-lite Examples

[Diagram: E0/0 (IN, CUST_A) and E1/0 (IN, CUST_B) on the NAT router; S2/0 (OUT, CUST_A) and S3/0 (OUT, CUST_B)]

ip vrf CUST_A
rd 1:1
!
ip vrf CUST_B
rd 1:2
!
interface ethernet0/0
ip vrf forwarding CUST_A
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface ethernet1/0
ip vrf forwarding CUST_B
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface serial 2/0
ip vrf forwarding CUST_A
ip address 120.6.2.1 255.255.255.252
ip nat outside
!
interface serial 3/0
ip vrf forwarding CUST_B
ip address 50.1.1.1 255.255.255.252
ip nat outside
!
ip nat inside source list 1 interface serial 2/0 vrf CUST_A overload
ip nat inside source list 2 interface serial 3/0 vrf CUST_B overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
NAT in VRF-lite Examples
NAT#sh ip nat translations vrf CUST_A
Pro Inside global Inside local Outside local Outside global
tcp 120.6.2.1:19250 10.1.1.1:19250 150.1.1.1:23 150.1.1.1:23
tcp 120.6.2.1:16564 10.1.1.5:16564 150.1.1.1:23 150.1.1.1:23
icmp 120.6.2.1:9 10.1.1.2:9 150.1.1.1:9 150.1.1.1:9
NAT#
NAT#sh ip nat translations vrf CUST_B
Pro Inside global Inside local Outside local Outside global
tcp 50.1.1.1:18050 10.1.1.2:18050 180.1.1.1:23 180.1.1.1:23
tcp 50.1.1.1:21660 10.1.1.5:21660 180.1.1.1:23 180.1.1.1:23
icmp 50.1.1.1:1 10.1.1.2:1 180.1.1.1:1 180.1.1.1:1

N.B. - “sh ip nat translation” shows all entries (the verbose keyword shows which VRF an entry is bound to)
- This VRF (in-VRF) information is used to know which VRF the inside local IP address belongs to
- The NTD (NAT Translation Database; the NAT translation table is only a part of it) keeps track of the VRF the outgoing interface belongs to (out-VRF).
- Only packets belonging to that out-VRF (which could be different from the in-VRF) are allowed to use this existing NAT entry

[Diagram: E0/0 (IN) and E1/0 (IN); S2/0 (OUT) and S3/0 (OUT)]
VRF – Packet Leaking
• Packet leaking permits packets from a VRF to reach the Global routing table
• Implementing packet leaking requires 2 static routes
• A VRF static route which points to a global next-hop:
ip route vrf <vrf_name> <subnet> <mask> <next-hop> global
• A Global static route which points to the VRF interface:
ip route <subnet> <mask> <vrf_int> [next-hop]

• Example:
ip route vrf CUST_A 0.0.0.0 0.0.0.0 120.6.2.2 global
(VRF traffic matching the default route is sent to 120.6.2.2, which is reachable via the global routing table)

ip route 10.0.0.0 255.0.0.0 ethernet 0/0 10.1.1.1
(Traffic in the global routing table matching this static route is sent into the VRF that ethernet 0/0 is attached to)
NAT VRF – Packet leaking VRF -> Global

[Diagram: E0/0 (IN, CUST_A) and E1/0 (IN, CUST_B); S2/0 (OUT, global table) towards the Internet]

ip vrf CUST_A
rd 1:1
!
ip vrf CUST_B
rd 1:2
!
interface ethernet0/0
ip vrf forwarding CUST_A
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface ethernet1/0
ip vrf forwarding CUST_B
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface serial 2/0
ip address 120.6.2.1 255.255.255.252
ip nat outside
!
ip route vrf CUST_A 0.0.0.0 0.0.0.0 120.6.2.2 global
ip route vrf CUST_B 0.0.0.0 0.0.0.0 120.6.2.2 global
!
ip nat inside source list 1 interface serial 2/0 vrf CUST_A overload
ip nat inside source list 2 interface serial 2/0 vrf CUST_B overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255

N.B. There is no static route in the global table pointing to the VRF interface for traffic coming back from the Internet.
A match is found in the NAT table for the flow and a layer 3 lookup is done in the in-VRF routing table (the in-VRF is stored in the NAT table).
There is also a check that the packet comes from the out-VRF (stored in the NTD).
NAT VRF – Packet leaking VRF -> VRF

[Diagram: E0/0 (IN, CUST_A) and E1/0 (IN, CUST_B); S2/0 (OUT, SERVICE) towards the Internet]

ip vrf CUST_A
rd 1:1
!
ip vrf CUST_B
rd 1:2
!
ip vrf SERVICE
rd 1:3
!
interface ethernet0/0
ip vrf forwarding CUST_A
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface ethernet1/0
ip vrf forwarding CUST_B
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface serial 2/0
ip vrf forwarding SERVICE
ip address 120.6.2.1 255.255.255.252
ip nat outside
!
ip route vrf CUST_A 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
ip route vrf CUST_B 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
!
ip nat inside source list 1 interface serial 2/0 vrf CUST_A overload
ip nat inside source list 2 interface serial 2/0 vrf CUST_B overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255

NAT VRF – Packet leaking – Static NAT

[Diagram: E0/0 (IN, CUST_A, host 10.1.1.20) and E1/0 (IN, CUST_B); S2/0 (OUT, SERVICE) towards the Internet]

ip vrf CUST_A
rd 1:1
!
ip vrf CUST_B
rd 1:2
!
ip vrf SERVICE
rd 1:3
!
interface ethernet0/0
ip vrf forwarding CUST_A
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface ethernet1/0
ip vrf forwarding CUST_B
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface serial 2/0
ip vrf forwarding SERVICE
ip address 120.6.2.1 255.255.255.252
ip nat outside
!
ip route vrf CUST_A 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
ip route vrf CUST_B 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
!
ip nat inside source static 10.1.1.20 200.1.1.1 vrf CUST_A

N.B. • packets entering via any outside interface could use the static NAT entry (no check on the out-VRF is possible)
• if we try to create the exact same static NAT entry in 2 different VRFs, the command is refused and a ‘similar static NAT entry already exists’ message is displayed
MPLS/VPN - Intro

• MPLS is used in the provider cloud to connect the different PEs
• VRFs are defined on the PEs to separate customers
• Traffic sent across the provider cloud is labeled (2 labels)
• The top label (LDP/TDP) identifies the egress PE
• The inner label (BGP) identifies the VPN

[Diagram: Customer A (CE1, 10.0.0.0/8) and Customer B (CE2, 10.0.0.0/8) connected to PE1; MPLS provider cloud; PE2 connected to CE2 and the Common Servers (200.1.1.1/24); the MPLS interface is in the Global table]

Provider offers a set of Common Services (VoIP, Web Hosting,…)
NAT - MPLS/VPN – 2 Options
• NAT on the ingress PE (PE1)
+ Easy to configure
- Not very scalable if there are many PEs
• NAT on the egress PE (PE2)
+ Scalable
- More complex to configure

[Diagram: same topology: Customer A (CE1, 10.0.0.0/8) and Customer B (CE2, 10.0.0.0/8) to PE1; MPLS provider cloud; PE2 to CE2 and the Common Servers (200.1.1.1/24)]

Provider offers a set of Common Services (VoIP, Web Hosting,…)
NAT MPLS/VPN – Ingress PE

[Diagram: PE1 with CE1 on S0/0 and CE2 on S1/0; S2/0 towards the MPLS cloud]

ip vrf CUST_A
rd 1:1
route-target both 1:1
route-target import 1:100
route-target export 1:101
!
ip vrf CUST_B
rd 1:2
route-target both 1:2
route-target import 1:100
route-target export 1:101
!
interface serial0/0
ip vrf forwarding CUST_A
ip address 10.1.1.1 255.255.255.252
ip nat inside
!
interface serial1/0
ip vrf forwarding CUST_B
ip address 10.1.1.1 255.255.255.252
ip nat inside
!
interface serial2/0
ip address 120.6.2.1 255.255.255.252
mpls ip
ip nat outside
!
router bgp 1
address-family ipv4 vrf CUST_A
redistribute static
address-family ipv4 vrf CUST_B
redistribute static
!
ip route vrf CUST_A 200.1.2.1 255.255.255.255 10.1.1.2
ip route vrf CUST_B 200.1.2.2 255.255.255.255 10.1.1.2
!
ip nat pool A 200.1.2.1 200.1.2.1 prefix-length 24
ip nat pool B 200.1.2.2 200.1.2.2 prefix-length 24
ip nat inside source route-map NAT_A pool A vrf CUST_A overload
ip nat inside source route-map NAT_B pool B vrf CUST_B overload
!
route-map NAT_A permit 10
match ip address 101
route-map NAT_B permit 10
match ip address 102
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 200.1.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 200.1.1.0 0.0.0.255

N.B. The two static routes are the inside global addresses we need to advertise in MPLS (redistributed into BGP in each VRF).
NAT-Config/Troubleshooting © 2007 Cisco Systems, Inc. All rights reserved. 89
NAT MPLS/VPN – Egress PE

[Diagram: PE2 faces the MPLS cloud on S0/0 and attaches to CE2 on fa1/0]

ip vrf CUST_A
 rd 1:1
 route-target both 1:1
!
ip vrf CUST_B
 rd 1:2
 route-target both 1:2
!
ip vrf COMMON
 rd 1:3
!
interface serial0/0
 ip address 120.4.2.1 255.255.255.255
 mpls ip
 ip nat inside
!
interface FastEthernet1/0
 ip vrf forwarding COMMON
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
!
router bgp 1
 address-family ipv4 vrf CUST_A
  redistribute static
 address-family ipv4 vrf CUST_B
  redistribute static
!
ip route vrf CUST_A 200.1.1.0 255.255.255.0 FastEthernet1/0 200.1.1.2
ip route vrf CUST_B 200.1.1.0 255.255.255.0 FastEthernet1/0 200.1.1.2
!
ip nat pool COM_POOL 200.1.2.1 200.1.2.3 prefix-length 24
ip nat inside source route-map NAT_COM pool COM_POOL vrf CUST_A overload
ip nat inside source route-map NAT_COM pool COM_POOL vrf CUST_B overload
!
route-map NAT_COM permit 10
 match ip address 101
!
access-list 101 permit ip any 200.1.1.0 0.0.0.255

N.B.
– 200.1.2.0/30 should be known by CE2
– Packets back from the servers match existing NAT entries
– A layer-3 lookup is done in the in-VRF, where the labels are found


NAT NVI – NAT Virtual Interface

• Used to tackle limitations of the classical NAT implementation, which binds an address space (interface) to either the Inside OR the Outside domain (not both)
• Idea is to direct traffic destined to the fake IP (source global) to a virtual interface. This allows the NAT operation to be done AFTER the routing decision in ALL cases
  → no need to define Inside/Outside domains anymore
• Interfaces just need to be NAT ‘enabled’
• NAT NVI ‘trigger’: a packet comes from a NAT-enabled interface and is forwarded to a NAT-enabled interface

[Diagram: one router with E0/0 in VRF A, E1/0 in VRF B and S2/0 towards the Internet, each configured with ‘ip nat enable’; the former IN/OUT roles on the interfaces are crossed out]
NAT NVI – NAT Virtual Interface

Goal is to allow scenarios such as the following:
• VRF A and VRF B use the same private address space
• Hosts in VRF A and VRF B should use NAT to go to the Internet
• Hosts in VRF A should use NAT to reach the server in VRF B

[Diagram: HostA 10.1.1.10 in VRF A (E0/0), ServerB 10.1.1.10 in VRF B (E1/0), S2/0 in the global table towards the Internet and the Internet Server]


NAT NVI – Config Example – to Internet

[Diagram: HostA 10.1.1.10 in VRF A (E0/0), ServerB 10.1.1.10 in VRF B (E1/0), S2/0 in the global table towards the Internet; Internet Server 150.1.1.1]

ip vrf A
 rd 1:1
!
ip vrf B
 rd 1:2
!
interface ethernet0/0
 ip vrf forwarding A
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
!
interface ethernet1/0
 ip vrf forwarding B
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
!
interface serial 2/0
 ip address 200.1.1.1 255.255.255.252
 ip nat enable
!
ip route vrf A 0.0.0.0 0.0.0.0 200.1.1.2 global
ip route vrf B 0.0.0.0 0.0.0.0 200.1.1.2 global
!
ip nat source list 1 interface serial 2/0 vrf A overload
ip nat source list 2 interface serial 2/0 vrf B overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255


NAT NVI – Config Example – to Internet

Host A generates a ping to 150.1.1.1:
• A first entry is created in the NVI NAT table of VRF A (src_VRF)
• A second entry is created in the global NVI NAT table (dst_VRF) to allow the traffic back (note that source and destination are inverted to match the returning traffic)

NAT#sh ip nat nvi translations vrf A verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:5 10.1.1.10:5 150.1.1.1:5 150.1.1.1:5
create 00:00:28, use 00:00:28 timeout:60000, left 00:00:31,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 3, lc_entries: 0

NAT#sh ip nat nvi translations verbose
Pro Source global Source local Destin local Destin global
icmp 150.1.1.1:5 150.1.1.1:5 200.1.1.1:5 10.1.1.10:5
create 00:00:54, use 00:00:54 timeout:60000, left 00:00:05,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 3, lc_entries: 0


NAT NVI – Config Example – to Internet

Host B generates a ping to 150.1.1.1:
• An entry is created in the NVI NAT table of VRF B
• A second entry is created in the global NVI NAT table to allow the traffic back (src_VRF tells which VRF the packet needs to be forwarded to)

NAT#sh ip nat nvi translations vrf B verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:1 10.1.1.10:1 150.1.1.1:1 150.1.1.1:1
create 00:00:13, use 00:00:13 timeout:60000, left 00:00:46,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 9, lc_entries: 0

NAT#sh ip nat nvi translations verbose
Pro Source global Source local Destin local Destin global
icmp 150.1.1.1:1 150.1.1.1:1 200.1.1.1:1 10.1.1.10:1
create 00:00:18, use 00:00:18 timeout:60000, left 00:00:41,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 9, lc_entries: 0
icmp 150.1.1.1:5 150.1.1.1:5 200.1.1.1:5 10.1.1.10:5
create 00:00:58, use 00:00:58 timeout:60000, left 00:00:02,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 3, lc_entries: 0


NAT NVI – Config Example – To Server B

[Diagram: HostA 10.1.1.10 in VRF A (E0/0), ServerB 10.1.1.10 in VRF B (E1/0), S2/0 in the global table towards the Internet; Internet Server 150.1.1.1]

ip vrf A
 rd 1:1
!
ip vrf B
 rd 1:2
!
interface ethernet0/0
 ip vrf forwarding A
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
!
interface ethernet1/0
 ip vrf forwarding B
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
!
interface serial 2/0
 ip address 200.1.1.1 255.255.255.252
 ip nat enable
!
ip route vrf A 0.0.0.0 0.0.0.0 200.1.1.2 global
ip route vrf B 0.0.0.0 0.0.0.0 200.1.1.2 global
!
ip nat source list 1 interface serial 2/0 vrf A overload
ip nat source list 2 interface serial 2/0 vrf B overload
ip nat source static 10.1.1.10 200.1.1.10 vrf B
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255


NAT NVI – Config Example – To Server B

Host A generates a ping to Server B (200.1.1.10):
• A first entry is created in the NVI NAT table of VRF A (src_VRF)
• A second entry is created in the NVI NAT table of VRF B (dst_VRF) to allow the traffic back (note that both src_VRF and dst_VRF are recorded since both the source and the destination IP are translated)

NAT#sh ip nat nvi translations vrf A verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:11 10.1.1.10:11 200.1.1.10:11 10.1.1.10:11
create 00:00:04, use 00:00:04 timeout:60000, left 00:00:55,
flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12,
lc_entries: 0

NAT#sh ip nat nvi translations vrf B verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.10:11 10.1.1.10:11 200.1.1.1:11 10.1.1.10:11
create 00:00:15, use 00:00:15 timeout:60000, left 00:00:44,
flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12,
lc_entries: 0
--- 200.1.1.10 10.1.1.10 --- ---
create 00:06:01, use 00:00:15 timeout:0,
flags:
static, routemap-out2in, use_count: 1, src_VRF: B, entry-id: 11, lc_entries: 0


NAT NVI – Config Example – To Server B

Internet Server (150.1.1.1) generates a ping to Server B (200.1.1.10):
• A first entry is created in the global NVI NAT table (src_VRF)
• A second entry is created in the NVI NAT table of VRF B (dst_VRF) to allow the traffic back (note that only dst_VRF is recorded in the extended entry since only the destination IP is translated)

NAT#sh ip nat nvi translations verbose
Pro Source global Source local Destin local Destin global
icmp 150.1.1.1:1 150.1.1.1:1 200.1.1.10:1 10.1.1.10:1
create 00:00:02, use 00:00:02 timeout:60000, left 00:00:57,
flags:
extended, outside, routemap-out2in, use_count: 0, dst_VRF: B, entry-id: 14, lc_entries: 0

NAT#sh ip nat nvi translations vrf B verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.10:1 10.1.1.10:1 150.1.1.1:1 150.1.1.1:1
create 00:00:08, use 00:00:08 timeout:60000, left 00:00:51,
flags:
extended, outside, routemap-out2in, use_count: 0, dst_VRF: B, entry-id: 14, lc_entries: 0
--- 200.1.1.10 10.1.1.10 --- ---
create 00:32:20, use 00:00:08 timeout:0,
flags:
static, routemap-out2in, use_count: 1, src_VRF: B, entry-id: 11, lc_entries: 0

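In every NVI example from the ping to the Internet through the ping to Server B, a flow shows up as a pair of entries: the forward entry in the src_VRF table and a companion in the dst_VRF (or global) table whose four address columns are swapped pairwise and which carries the same entry-id. The helper below is an added example, not part of the original deck: it parses ‘show ip nat nvi translations … verbose’ output in that layout and checks that a forward entry has a consistent companion, which is the first thing to verify when return traffic is dropped; the two tables are constructed from the Host A to Server B scenario, not captured from a router.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample in the shape of the slides' 'show ip nat nvi translations vrf X
# verbose' output (Host A in VRF A pinging Server B via 200.1.1.10); not a real capture.
TABLE_VRF_A = """\
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:11 10.1.1.10:11 200.1.1.10:11 10.1.1.10:11
create 00:00:04, use 00:00:04 timeout:60000, left 00:00:55,
flags: extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12, lc_entries: 0
"""
TABLE_VRF_B = """\
Pro Source global Source local Destin local Destin global
icmp 200.1.1.10:11 10.1.1.10:11 200.1.1.1:11 10.1.1.10:11
create 00:00:15, use 00:00:15 timeout:60000, left 00:00:44,
flags: extended, outside, routemap-out2in, use_count: 0, src_VRF: A, dst_VRF: B, entry-id: 12, lc_entries: 0
--- 200.1.1.10 10.1.1.10 --- ---
create 00:06:01, use 00:00:15 timeout:0,
flags: static, routemap-out2in, use_count: 1, src_VRF: B, entry-id: 11, lc_entries: 0
"""
# Address row: protocol ('---' for a static entry), then the four translation columns.
ROW_RE = re.compile(r"^(?:icmp|tcp|udp|---)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

@dataclass
class NviEntry:
    src_global: str
    src_local: str
    dst_local: str
    dst_global: str
    details: str = ""  # the create/flags lines printed under the address row

    def field(self, name: str) -> Optional[str]:
        m = re.search(re.escape(name) + r": (\w+)", self.details)  # e.g. 'src_VRF: A'
        return m.group(1) if m else None

def parse_nvi_table(text: str) -> List[NviEntry]:
    """An address row opens an entry; every following non-row line belongs to it."""
    entries: List[NviEntry] = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := ROW_RE.match(line):
            entries.append(NviEntry(*m.groups()))
        elif entries and not line.startswith("Pro "):
            entries[-1].details += " " + line
    return entries

def find_reverse(fwd: NviEntry, other: List[NviEntry]) -> Optional[NviEntry]:
    """The companion entry NVI installs in the other table carries the same entry-id."""
    return next((e for e in other if e.field("entry-id") == fwd.field("entry-id")), None)

def is_mirror(fwd: NviEntry, rev: NviEntry) -> bool:
    """Reply traffic matches only if the four address columns are swapped pairwise."""
    return (rev.src_global, rev.src_local, rev.dst_local, rev.dst_global) == (
        fwd.dst_local, fwd.dst_global, fwd.src_global, fwd.src_local)
```

The same check applies to the Internet-bound flows, where the companion lives in the global table and only src_VRF is recorded.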

NAT NVI – Other Example

‘ip nat outside source’ scenarios can be achieved with the ‘ip nat source’ command in the dst VRF

[Diagram: HostA 10.1.1.10 in VRF A (E0/0), ServerB 10.1.1.10 in VRF B (E1/0), S2/0 in the global table towards the Internet; Internet Server 150.1.1.1]

ip vrf A
 rd 1:1
!
ip vrf B
 rd 1:2
!
interface ethernet0/0
 ip vrf forwarding A
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
!
interface ethernet1/0
 ip vrf forwarding B
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
!
interface serial 2/0
 ip address 200.1.1.1 255.255.255.252
 ip nat enable
!
ip route vrf A 0.0.0.0 0.0.0.0 200.1.1.2 global
ip route vrf B 0.0.0.0 0.0.0.0 200.1.1.2 global
!
ip nat source list 1 interface serial 2/0 vrf A overload
ip nat source list 2 interface serial 2/0 vrf B overload
ip nat source static 10.1.1.10 200.1.1.10 vrf B
! Server 150.1.1.1 should be reachable via a private IP:
ip nat source static 150.1.1.1 10.1.2.150
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
NAT NVI – Other Example

Host A generates a ping to the Internet Server using 10.1.2.150:
• A first entry is created in the NVI NAT table of VRF A (src_VRF)
• A second entry is created in the global NVI NAT table (dst_VRF) to allow the traffic back (note that dst_VRF does not appear, presumably because the destination table is the global table)

NAT#sh ip nat nvi translations vrf A verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:18 10.1.1.10:18 10.1.2.150:18 150.1.1.1:18
create 00:00:04, use 00:00:04 timeout:60000, left 00:00:55,
flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 16, lc_entries: 0

NAT#sh ip nat nvi translations verbose
Pro Source global Source local Destin local Destin global
icmp 10.1.2.150:18 150.1.1.1:18 200.1.1.1:18 10.1.1.10:18
create 00:00:09, use 00:00:09 timeout:60000, left 00:00:50,
flags:
extended, outside, routemap-out2in, use_count: 0, src_VRF: A, entry-id: 16, lc_entries: 0
--- 10.1.2.150 150.1.1.1 --- ---
create 00:04:45, use 00:00:09 timeout:0,
flags:
static, routemap-out2in, use_count: 1, entry-id: 15, lc_entries: 0


NAT NVI – Other Example

• Internet Server is still reachable via its public IP 150.1.1.1
• Host B generates a ping to 150.1.1.1
• A first entry is created in the NVI NAT table of VRF B (src_VRF)
• A second entry is created in the global NVI NAT table (dst_VRF) to allow the traffic back

NAT#sh ip nat nvi translations vrf B verbose
Pro Source global Source local Destin local Destin global
icmp 200.1.1.1:2 10.1.1.10:2 150.1.1.1:2 150.1.1.1:2
create 00:00:02, use 00:00:02 timeout:60000, left 00:00:57,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 17, lc_entries: 0

NAT#sh ip nat nvi translations verbose
Pro Source global Source local Destin local Destin global
icmp 150.1.1.1:2 150.1.1.1:2 200.1.1.1:2 10.1.1.10:2
create 00:00:06, use 00:00:06 timeout:60000, left 00:00:53,
flags:
extended, routemap-out2in, use_count: 0, src_VRF: B, entry-id: 17, lc_entries: 0
--- 10.1.2.150 150.1.1.1 --- ---
create 00:16:29, use 00:11:53 timeout:0,
flags:
static, routemap-out2in, use_count: 0, entry-id: 15, lc_entries: 0


NetWork Training Center
www.facebook.com/ciscoedu2014
