
ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Network Address Translation (NAT), which is designed for IP address simplification and conservation, with Cisco experts Aamer Akhter and Kevin Eckhardt. NAT enables private IP networks that use unregistered IP addresses to connect to the Internet. Mr. Akhter is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort. He is CCIE number 4543. Mr. Eckhardt has six years of experience working with IS-IS, OSPF, and BGP routing protocol performance and scalability. He is currently working as a technical marketing engineer in the areas of IP Routing and IP Services.


Remember to use the rating system to let Aamer and Kevin know if you have received an adequate response.


Aamer and Kevin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 3, 2006. Visit this forum often to view responses to your questions and the questions of other community members.


Aksher,

'netmask' specifies the subnet mask associated with the address, but it does not configure a range of addresses based on the mask. Unless a range of addresses is given, such as 'global (outside) 1 10.10.1.2-10.10.1.10', PAT will be used with the address specified.

Kevin

Kevin

So when an address like global (out) 1 10.80.132.0 255.25.255.0 is used, which single IP will be taken during PAT?

Secondly, does a netmask in a static statement also not represent a range?

Aksher

Aksher,

global (out) 1 10.80.132.0 255.255.255.0 will basically use a single IP (PAT) unless something (like GRE) cannot be handled by PAT.

The first address picked would be the first numeric host address. In your 10.80.132.0/24 case the first address would be 10.80.132.1, but keep in mind it could expand to other IP addresses, unless you are only allowing TCP and UDP traffic...

Hope that helps.

Don1
Level 1

Hi,

I am using a Cisco 3662 router with IOS version C3660-DS-MZ.122-10B.BIN. I have configured NAT & PAT on the router, and only one IP address is in the PAT pool. All PCs using NAT are working fine, but PCs using PAT are facing a lot of problems. Every time I have to use the "clear ip nat tr" command. Is there an IOS problem or something else?

Regards,

Nitin

Nitin,

Can you provide us with some more information?

What does your NAT/PAT configuration look like?

What are the problems you are seeing with the hosts using PAT?

Kevin

Please find my NAT/PAT configuration below:

ip nat translation timeout 3000
ip nat pool A1_MumbaiCO 192.168.81.62 192.168.81.62 netmask 255.255.
ip nat inside source list 1 pool A1_MumbaiCO overload
ip nat inside source static 172.16.1.3 192.168.81.35
ip nat inside source static 172.16.5.1 192.168.81.36
ip nat inside source static 172.16.1.9 192.168.81.41
ip nat inside source static 172.16.1.12 192.168.81.46
ip nat inside source static 172.16.1.13 192.168.81.47
ip nat inside source static 172.16.1.15 192.168.81.49
ip nat inside source static 172.16.1.179 192.168.81.51
ip nat inside source static 172.16.1.30 192.168.81.50
ip nat inside source static 172.16.1.11 192.168.81.48
ip nat inside source static 172.16.1.14 192.168.81.45
ip nat inside source static 172.16.1.19 192.168.81.53
ip nat inside source static 172.16.1.16 192.168.81.55
ip nat inside source static 172.16.1.122 192.168.81.42
ip nat inside source static 172.16.1.245 192.168.81.56
ip nat inside source static 172.16.1.121 192.168.81.44
ip nat inside source static 172.16.4.2 192.168.81.57
ip nat inside source static 172.16.4.3 192.168.81.58
ip nat inside source static 172.16.2.113 192.168.81.60
ip nat inside source static 172.16.55.9 192.168.81.33
ip nat inside source static 172.16.2.112 192.168.81.59
ip nat inside source static 172.16.4.250 192.168.81.61
ip nat inside source static 172.16.1.181 10.30.240.133
ip nat inside source static 172.16.1.180 10.30.240.132
ip nat inside source static 172.16.1.175 10.30.240.134
ip nat inside source static 172.16.1.17 192.168.81.34
ip nat inside source static 172.16.1.119 192.168.81.43
ip nat inside source static 172.16.1.2 192.168.81.37
ip nat inside source static 172.16.1.4 192.168.81.52
ip nat inside source static 172.23.16.10 192.168.203.199
ip nat inside source static 172.16.1.114 192.168.81.39
ip nat inside source static 172.16.5.70 192.168.81.38
ip nat inside source static 172.16.1.115 192.168.81.40
ip nat inside source static 172.16.1.7 192.168.81.54

The problem I am facing is that one of the PCs which is not NATed is continuously pinging the remote locations to check remote ATM connectivity. When that PC starts pinging the remote ATMs it is able to ping, but after some time it gets request timed out, whereas PCs which are statically NATed are able to ping remote locations without any problem.

Regards

Nitin

Nitin,

Does the IP address used by the PC overlap with the address used for PAT? If so, then it will work until a dynamic entry is created in the table for an address that uses the PAT pool. Once a translation exists then the PC won't receive packets back since traffic is being translated for a different address. Clearing the NAT translations would remove the entry from the table and the PC would be able to ping until another NAT entry was dynamically created.

Kevin
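The failure mode Kevin describes, worked through as a small model. This is an added example, not code from the thread or from Cisco: a toy IOS-style NAT table with the poster's single overloaded pool address 192.168.81.62, one of the poster's static entries, a constructed inside host 172.16.1.50 assumed to match access-list 1, and the assumption that the untranslated PC is using the pool address itself. The port/identifier allocator is a simplification of the real one.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int   # TCP/UDP port or ICMP identifier
    dst: str
    dport: int


class NatRouter:
    """Toy model of 'ip nat inside source' with static entries and one
    overloaded pool address (added example; not the poster's router)."""

    def __init__(self, pat_address, static_map, nat_list):
        self.pat_address = pat_address
        self.static_map = dict(static_map)                 # inside local -> inside global
        self.reverse_static = {g: l for l, g in static_map.items()}
        self.nat_list = set(nat_list)                      # hosts matched by 'access-list 1'
        self.dynamic = {}                                  # (inside global, port) -> (inside local, port)

    def _allocate(self, local, port):
        # Assumption of this model: keep the original port/identifier when it is
        # free on the pool address, otherwise take the next free one.
        candidate = port
        while (self.pat_address, candidate) in self.dynamic:
            candidate += 1
        self.dynamic[(self.pat_address, candidate)] = (local, port)
        return candidate

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source if a static or dynamic rule applies."""
        if pkt.src in self.static_map:
            return replace(pkt, src=self.static_map[pkt.src])
        if pkt.src in self.nat_list:
            return replace(pkt, src=self.pat_address,
                           sport=self._allocate(pkt.src, pkt.sport))
        return pkt                                         # not matched: forwarded untranslated

    def inbound(self, pkt):
        """Outside -> inside: undo whichever translation matches the destination."""
        if pkt.dst in self.reverse_static:
            return replace(pkt, dst=self.reverse_static[pkt.dst])
        entry = self.dynamic.get((pkt.dst, pkt.dport))
        if entry is not None:
            return replace(pkt, dst=entry[0], dport=entry[1])
        return pkt                                         # no entry: routed to whoever owns pkt.dst

    def clear_translations(self):
        """Equivalent of 'clear ip nat translation *'."""
        self.dynamic.clear()


def ping_reply_target(router, host, ident, remote="10.30.240.1"):
    """Send an echo from `host` through the router and return the inside
    address that the echo reply is delivered to after the inbound lookup."""
    echo = router.outbound(Packet(host, ident, remote, ident))
    reply = Packet(remote, ident, echo.src, echo.sport)
    return router.inbound(reply).dst


def run_scenario():
    router = NatRouter(
        pat_address="192.168.81.62",
        static_map={"172.16.1.3": "192.168.81.35"},        # one of the poster's static entries
        nat_list={"172.16.1.50"},                          # constructed host matched by access-list 1
    )
    pc = "192.168.81.62"   # assumed: the untranslated PC reuses the pool address
    results = {}
    results["pc_before"] = ping_reply_target(router, pc, 7)              # works: table is empty
    results["static_host"] = ping_reply_target(router, "172.16.1.3", 7)  # static entry, unaffected
    ping_reply_target(router, "172.16.1.50", 7)                          # creates the dynamic entry
    results["pc_after_dynamic"] = ping_reply_target(router, pc, 7)       # reply now goes to 172.16.1.50
    router.clear_translations()
    results["pc_after_clear"] = ping_reply_target(router, pc, 7)         # works again until the next entry
    return results


if __name__ == "__main__":
    for step, target in run_scenario().items():
        print(f"{step:18} reply delivered to {target}")
```

The model reproduces the symptom in the thread: the PC's replies are delivered to it only while no dynamic entry for its address and identifier exists, and clearing the table restores it until the next PAT translation is built. The durable fix is to give the PC an address that does not overlap the pool, not to keep clearing the table.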

pengfang
Level 1

Hi Aamer and Kevin, I hope it's not too late to submit my questions.

My situation is that we have a bunch of sites that will migrate to a PIX spoke-hub-spoke IPsec VPN infrastructure, and we need to configure VPN on a stick because SurfControl will be deployed on the hub side. The hub PIX runs 7.2 and the spokes run PIX v6.3 or IOS 12.4. The requirements are as follows:

(1) all inter-spoke traffic will go to the hub and on to the other spoke without NAT

(2) all Internet traffic also goes to the hub and is then PATed

So from my understanding NAT occurs before IPsec encryption; should I configure policy NAT on the outside interface like:

access-list internet-traffic deny ip spoke1 spoke2
access-list internet-traffic deny ip spoke2 spoke1
access-list internet-traffic permit ip spoke1 any
access-list internet-traffic permit ip spoke2 any
nat (outside) 1 access-list internet-traffic
global (outside) 1 interface

pengfang,

A topology diagram would be helpful to better understand your question, but I will make an attempt at answering.

You have two spokes connected to a hub. The hub is also connected to the internet. You want traffic between the two spokes to occur normally. You want traffic from the spokes to the internet to use PAT on the hub.

Where does the VPN come into play? Are you using a VPN between the spokes or to remote locations via the internet?

The 'nat ()' statement specifies the interface for the "real" addresses. The 'global ()' statement specifies the interface for the "mapped" addresses.

You would need:

nat (inside-spoke1) 1 access-list internet-traffic
nat (inside-spoke2) 1 access-list internet-traffic
global (outside) 1 interface

You could use the single ACL you have, or you might want to create a separate ACL for each of the spoke interfaces.

Complications can occur when using PAT with IPsec. One method for dealing with IPsec and PAT is NAT-T. You can read more about that here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080637127.html#wp1120836

Kevin

Hi Kevin, thanks for your reply. I use the same topology as the following link; the only differences are:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

1. All hub-to-spoke links are site-to-site IPsec VPNs

2. All inter-site traffic will pass through the VPN normally, because PIX v7.2 supports "enter and exit the same interface for IPsec traffic" via the command "same-security-traffic permit intra-interface"; we have spoke site PIXes running 6.3 and IOS boxes running 12.4

3. For the purpose of deploying WebSense URL filtering, we need all spoke Internet traffic not to be NATed at the local site; we want it to go to the hub and be PATed on the hub outside interface like the hub inside network.

I configured NAT exemption (nat 0) for all inter-site traffic on the PIX boxes, and there is no need to configure anything on the IOS boxes, so all traffic going to the Internet will be PATed at the hub together.

So my understanding is that when a packet going to the Internet from a spoke site is decrypted on the hub, the PIX should look at the destination address:

(1) if it's another spoke address, there should be no NATing and it should be sent into the other tunnel to that spoke site

(2) if it's an Internet address, it should be PATed

My question is how can I configure NAT on the hub to achieve this? I thought we should do policy NAT; is that right?

Thanks for pointing out the "intra-interface" command.

Nat exemption will accomplish sending traffic between the spokes without using NAT. For PATing the Internet traffic you would only need a normal nat statement, since packets which match the nat exemption rules will not be considered for the PAT rule. You can, of course, use an access-list for added security if you wish. To PAT only at the hub you would need to configure the spokes to route all traffic over the tunnel to the hub.

Kevin
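The rule ordering Kevin relies on (exemption is checked first, so exempt traffic never reaches the PAT rule), as an added example that is not part of the thread or of Cisco's PIX code. The spoke subnets 10.1.1.0/24 and 10.1.2.0/24, the Internet host 198.51.100.10 and the hub outside address 203.0.113.1 are constructed; the thread gives no addresses.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed topology (assumption; the thread names no subnets).
SPOKE1 = ipaddress.ip_network("10.1.1.0/24")
SPOKE2 = ipaddress.ip_network("10.1.2.0/24")
HUB_OUTSIDE_IP = "203.0.113.1"      # address of the hub's outside interface

# Model of 'nat (outside) 0 access-list <nonat>' on the hub: spoke-to-spoke
# traffic is exempt from translation.
EXEMPT_ACL = [(SPOKE1, SPOKE2), (SPOKE2, SPOKE1)]

# Model of 'nat (outside) 1 ...' + 'global (outside) 1 interface': remaining
# spoke traffic is PATed to the interface address.
PAT_SOURCES = [SPOKE1, SPOKE2]


class HubNat:
    """Toy evaluation order for the hub: exemption before dynamic PAT."""

    def __init__(self, exempt_acl, pat_sources, interface_ip):
        self.exempt_acl = exempt_acl
        self.pat_sources = pat_sources
        self.interface_ip = interface_ip
        self.next_port = 1024           # simplified PAT port allocator (assumption)
        self.table = {}                 # (interface ip, port) -> (real src, real port)

    def apply(self, pkt):
        """Return (decision, packet as it leaves the outside interface)."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        # 1. NAT exemption (nat 0 with an ACL) is consulted before any other nat rule,
        #    so a packet matching it is never a candidate for the PAT rule.
        for s_net, d_net in self.exempt_acl:
            if src in s_net and dst in d_net:
                return "exempt", pkt
        # 2. Dynamic PAT for whatever spoke traffic is left, i.e. Internet-bound.
        if any(src in net for net in self.pat_sources):
            port = self.next_port
            self.next_port += 1
            self.table[(self.interface_ip, port)] = (pkt.src, pkt.sport)
            return "pat", replace(pkt, src=self.interface_ip, sport=port)
        # 3. No rule matched (with nat-control the PIX would require one).
        return "no-rule", pkt


def demo():
    hub = HubNat(EXEMPT_ACL, PAT_SOURCES, HUB_OUTSIDE_IP)
    spoke_to_spoke = hub.apply(Packet("10.1.1.10", 40000, "10.1.2.20", 445))
    spoke_to_internet = hub.apply(Packet("10.1.1.10", 40001, "198.51.100.10", 80))
    return spoke_to_spoke, spoke_to_internet


if __name__ == "__main__":
    for decision, pkt in demo():
        print(f"{decision:8} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Because the exemption list is evaluated first, the PAT statement needs no deny entries for the other spoke; that is why a plain nat statement is enough once nat 0 covers the inter-spoke pairs. The order of the two spoke-to-spoke ACL entries does not matter, but the exemption must cover both directions.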

aksher
Level 1

Kevin

I hope nat-control was introduced in version 7.0. Is a nat-control statement only for dynamic NAT and not for static NAT?

Aksher

Aksher,

nat-control is for both static and dynamic NAT.

Regards

lorenacuison
Level 1

Hi Mr. Aamer,

I would like to know if there is a required IOS and memory for the router if we are going to use NAT. If there is, what is the minimum IOS version for a Cisco 3620 router and its minimum memory? Is there a possibility that the router will experience failure due to the NAT config? Thanks

Hi lorenacuison,

Great question; unfortunately there isn't really a good answer other than "it depends". You will need to monitor the regular memory usage of your router to determine the high watermark (in a non-failure scenario) and plan around that number.

Basic NAT is going to be available in all versions of IOS for the 3620. Be sure to keep ~20-25% of your memory available in a steady state situation.

To help control NAT memory usage (which can get very high when being port scanned or DoS attacked) you will want to use the NAT rate-limit feature:

http://cco/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d09f0.html
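The monitoring side of Aamer's advice, as an added example that is not from the thread or from Cisco. It parses a constructed sample laid out like the IOS 'show ip nat translations' table (the entries are invented and reuse the poster's pool address 192.168.81.62 and one static mapping; they are not captured output) and reports which inside hosts hold more dynamic translations than a chosen ceiling. A host whose count climbs far above its peers is the usual signature of a scan or a flood filling the table.

```python
import re
from collections import Counter

# Constructed sample in the layout of 'show ip nat translations' (not output
# captured from any router).  Static entries show '---' for protocol and the
# outside columns; dynamic PAT entries carry address:port.
SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
--- 192.168.81.35         172.16.1.3            ---                   ---
tcp 192.168.81.62:1024    172.16.1.50:1024      10.30.240.1:80        10.30.240.1:80
tcp 192.168.81.62:1025    172.16.1.50:1025      10.30.240.1:443       10.30.240.1:443
udp 192.168.81.62:1026    172.16.1.50:53001     10.30.240.1:53        10.30.240.1:53
tcp 192.168.81.62:1027    172.16.1.77:3101      10.30.240.2:22        10.30.240.2:22
"""

LINE = re.compile(
    r"^(?P<proto>tcp|udp|icmp|---)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)


def parse_translations(text):
    """Turn the table into a list of dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "proto": d["proto"],
            "inside_global": d["ig"],
            "inside_local": d["il"].split(":")[0],   # strip the port/identifier (IPv4 only)
            "dynamic": d["proto"] != "---",          # static entries have no protocol column
        })
    return entries


def dynamic_per_host(entries):
    """Number of dynamic (overload) translations held by each inside local host."""
    return Counter(e["inside_local"] for e in entries if e["dynamic"])


def hosts_over_limit(counts, limit):
    """Inside hosts holding more dynamic translations than `limit`, sorted."""
    return sorted(host for host, n in counts.items() if n > limit)


if __name__ == "__main__":
    counts = dynamic_per_host(parse_translations(SAMPLE))
    for host, n in counts.most_common():
        print(f"{host:16} {n} dynamic translations")
    print("over limit (2):", hosts_over_limit(counts, 2))
```

The same counting can be done against a live router by feeding it the real command output. The ceiling the script only reports on can be enforced on the router itself with the IOS 'ip nat translation max-entries' command that the rate-limiting feature provides, which caps the table in total or per host so that one scanned or flooding host cannot exhaust the memory Aamer mentions.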