https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-addr-consv.html

When you configure Network Address Translation (NAT) on an interface, that interface becomes optimized for NAT packet flow. Any nontranslated packet that flows through the NAT interface goes through a series of checks to determine whether the packet must be translated or not. These checks result in increased latency for nontranslated packet flows and thus negatively impact the packet processing latency of all packet flows through the NAT interface. We highly recommend that a NAT interface be used only for NAT traffic. Any non-NAT packets must be separated and sent through an interface that does not have NAT configured on it. You can use Policy-Based Routing (PBR) for separating non-NAT traffic.
NAT Virtual Interfaces (NVIs) are not supported in the Cisco IOS XE software. In Cisco IOS XE software, NAT outside interfaces show up in the translation tables by default. This view of NAT outside interfaces causes the connection that originates from the outside interface of the device to fail. To restore connectivity, you must explicitly deny the outside interface within the NAT ACL using the deny command. After using the deny command, no translation is observed for the outside interface.
NAT is not practical if large numbers of hosts in the stub domain communicate outside of the domain.
Some applications use embedded IP addresses in such a way that translation by a NAT device is impractical. These applications may not work transparently or at all through a NAT device.
In a NAT configuration, addresses configured for any inside mapping must not be configured for any outside mapping.
Do not configure the interface IP address as part of the IP address NAT pool.
By default, support for the Session Initiation Protocol (SIP) is enabled on port 5060. Therefore, NAT-enabled devices interpret all packets on this port as SIP call messages. If other applications in the system use port 5060 to send packets, the NAT service may corrupt the packet. This packet corruption is due to its attempt to interpret the packet as a SIP call message.
NAT hides the identity of hosts, which may be an advantage or a disadvantage depending on the needed result.
Devices that are configured with NAT must not advertise the local networks to outside the network. However, routing information that NAT receives from the outside can be advertised in the stub domain as usual.
NAT outside interface is not supported on a VRF. However, NAT outside interface is supported in iWAN and is part of the Cisco Validated Design.
For VRF-aware NAT, remove the NAT configuration before you remove the VRF configuration.
If you specify an access list to use with a NAT command, NAT does not support the permit ip any any command. This NAT command is commonly used in the access list.
Cisco ASR 1000 Series Aggregation Services Routers do not support an access list with a port range.
NAT configuration is not supported on the access side of the Intelligent Services Gateway (ISG).
Using any IP address that is configured on a device as an address pool or in a NAT static rule is not supported. NAT can share the physical interface address (not any other IP address) of a device only by using the NAT interface overload configuration. A device uses the ports of its physical interface, and NAT must receive communication about the ports that it can safely use for translation. This communication happens only when NAT interface overload is configured.
The output of the show ip nat statistics command displays information about all IP address pools and NAT mappings that you have configured. If your NAT configuration has a high number of IP address pools and NAT mappings (for example, 1000 to 4000), the update rate of the pool and mapping statistics in show ip nat statistics is slow.
Static and dynamic NAT with generic routing encapsulation (generic GRE) and dynamic NAT with Layer 2 do not work when used along with hardware-based Cisco AppNav appliances (for example, Wide Area Application Services [WAAS]). In the context of WAAS, generic GRE is an out-of-path deployment mechanism. It helps to return packets from the WAAS Wide-Area Application Engine (WAE) through the GRE tunnel to the same device from which they were originally redirected after completing optimization.
Port Address Translation (also called NAT overload) only supports protocols whose port numbers are known; these protocols are Internet Control Message Protocol (ICMP), TCP, and UDP. Other protocols do not work with PAT because they consume the entire address in an address pool. Configure your access control list to only permit ICMP, TCP, and UDP protocols, so that all other protocol traffic is prevented from entering the network.
NAT, Zone-Based Policy Firewall, and Web Cache Communication Protocol (WCCP) cannot coexist in a network.
Non-Pattable traffic is traffic for a protocol that has no ports. PAT/Overload can only be done on protocols where the ports are known, that is, UDP, TCP, and ICMP.
When the ASR is configured for NAT overload (PAT) and Non-Pattable traffic hits the router, a Non-Pattable BIND entry gets created for this traffic. Following is a bind entry in the NAT table:
--- 213.252.7.132 172.16.254.242 ---
This bind entry consumes an entire address from the pool. In this example, 213.252.7.132 is an address from an overloaded pool.
That means an inside local IP address gets bound to the outside global IP address, which is similar to static NAT. Because of this binding, new inside local IP addresses cannot use this global IP address until the current entry times out. All the translations that are created off this BIND are 1-to-1 translations instead of overload.
To avoid consumption of an entire address from the pool, make sure that there are no entries for Non-Pattable traffic on the router.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
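The check recommended above (look for Non-Pattable BIND entries that lock a pool address 1-to-1) can be automated against the text of `show ip nat translations`. The following Python script is an added example, not code from the original post or from Cisco. It assumes the usual column layout of that command on IOS XE: a protocol column that reads tcp/udp/icmp for PAT entries and `---` for a protocol-less BIND entry, followed by inside global, inside local, outside local and outside global, with ports appended as `addr:port` on PAT entries. The sample output embedded in the script is constructed for the example and reuses the addresses from the bind entry shown in the post.

```python
"""Flag Non-Pattable BIND entries in `show ip nat translations` output.

Added example (not from the original post or the Cisco documentation).
Assumes the standard IOS XE column layout described in the lead-in; the
sample output is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output. The `---` row is a Non-Pattable BIND entry;
# the tcp row that follows it is a 1-to-1 translation created off that BIND.
SAMPLE_OUTPUT = """\
Pro  Inside global         Inside local          Outside local         Outside global
tcp  213.252.7.131:1024    10.1.1.10:52344       198.51.100.10:443     198.51.100.10:443
udp  213.252.7.131:1025    10.1.1.11:53000       198.51.100.53:53      198.51.100.53:53
---  213.252.7.132         172.16.254.242        ---                   ---
tcp  213.252.7.132:52344   172.16.254.242:52344  198.51.100.10:80      198.51.100.10:80
icmp 213.252.7.131:1       10.1.1.12:1           198.51.100.1:1        198.51.100.1:1
Total number of translations: 5
"""

# Protocols that carry a port number and can therefore be overloaded (PAT).
PATTABLE = {"tcp", "udp", "icmp"}
BIND_PROTO = "---"


@dataclass
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str

    @property
    def is_bind(self) -> bool:
        # A BIND entry has no protocol and no port on the inside global
        # address: the whole pool address is dedicated to one inside host.
        return self.proto == BIND_PROTO and ":" not in self.inside_global


def parse_translations(text: str) -> List[Translation]:
    """Parse the five-column rows of `show ip nat translations`."""
    entries: List[Translation] = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, the totals line and anything that is not a row
        # with a recognised protocol column.
        if len(fields) != 5 or fields[0].lower() not in PATTABLE | {BIND_PROTO}:
            continue
        entries.append(Translation(*fields))
    return entries


def strip_port(addr: str) -> str:
    return addr.split(":", 1)[0]


def consumed_pool_addresses(entries: List[Translation]) -> Dict[str, str]:
    """Map each pool address locked by a BIND to the inside local host holding it."""
    return {e.inside_global: e.inside_local for e in entries if e.is_bind}


def report(text: str) -> dict:
    """Summarise which pool addresses are still usable for overload and which are locked."""
    entries = parse_translations(text)
    binds = consumed_pool_addresses(entries)
    pat_addresses = sorted(
        {strip_port(e.inside_global) for e in entries
         if e.proto.lower() in PATTABLE and strip_port(e.inside_global) not in binds}
    )
    return {"total": len(entries), "binds": binds, "pat_addresses": pat_addresses}


if __name__ == "__main__":
    result = report(SAMPLE_OUTPUT)
    for pool_addr, host in result["binds"].items():
        print(f"pool address {pool_addr} is locked 1-to-1 to {host} (Non-Pattable BIND)")
    print(f"addresses still overloading normally: {result['pat_addresses']}")
```

Run against real output by replacing `SAMPLE_OUTPUT` with the captured text of `show ip nat translations`; every address listed under "binds" is one fewer address available to the overloaded pool until that entry times out.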