ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Network Address Translation (NAT) with Cisco experts Aamer Akhter and Kevin Eckhardt. NAT is designed for IP address simplification and conservation; it enables private IP networks that use unregistered IP addresses to connect to the Internet. Aamer Akhter is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort. He is CCIE number 4543. Kevin Eckhardt has six years of experience working with IS-IS, OSPF, and BGP routing protocol performance and scalability. He is currently working as a technical marketing engineer in the areas of IP Routing and IP Services.

 

Remember to use the rating system to let Aamer and Kevin know if you have received an adequate response.

 

Aamer and Kevin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 3, 2006. Visit this forum often to view responses to your questions and the questions of other community members.


sebastan_bach
Level 4

Hi Aamer, glad to have you in the forum. Can you please tell me: if I am using NAT overload and my IPsec is also passing through the NAT device, is it possible for the IKE source port UDP 500 to be translated to 500 only and not to any other port? I want no other traffic to get source port 500 from the NAT device, because on the other end of the NAT device is an IPsec peer which establishes IKE only if the source port and destination port are UDP 500. Is it possible? Please let me know.

regards

sebastan

Hi Sebastan,

I think you may want to look at the NAT-T (enabled by default in 12.2(13)T) or IPsec pass-thru features. Those will allow you to have multiple IPsec clients behind your NAT device rather than just the one you've got above.

In the case you've described above, the method would be to use the 'IKE preserve-port' function described in the 'IPsec pass-thru' URL below.

However, if you have only one device behind the NAT box, IPsec (ESP mode) should work anyway (unless the peer really wants to see both UDP ports as 500) as the IP header is not in the digest envelope, and there isn't any confusion about which inside host is doing IPsec.

Hope this helps. Please let me know if I can be of further help.

NAT-T

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

IPsec pass-thru

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftsecnat.htm

Regards,

aa

dknov
Level 3

Hi,

I have a question regarding stateful NAT. I noticed that the setting of Master/Backup NAT peers has nothing to do with who is allowed to update whom, meaning that it's an Active/Active model in this sense.

I was wondering what the true meaning of Master/Backup is in the stateful NAT context? Is it only for the purpose of building the TCP session between the two NAT devices, meaning the Master will initiate the session to the Backup, but once established, either side can update the other one?

Thanks,

David

Hi Aamer, is it possible to do NAT overload for multiple PPTP clients connecting to a PPTP server? In the documentation they have mentioned that since it uses GRE, which doesn't use ports, it's tough passing them through a PAT device. However, they have mentioned that PAT can be done if it is done on the basis of the caller-id in the GRE packet. Does Cisco support this kind of NAT? Can you please help?

regards

sebastan

Hi Aamer, thanks a lot, man, and thanks for the links. Aamer, can you answer my above query please? I am waiting for your reply.

regards

sebastan

Sebastan,

Yes, IOS supports PPTP through PAT beginning with 12.1(4)T.

You can view a configuration example here:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

Kevin

David,

IOS Stateful NAT Phase II, which was introduced in 12.3(7)T, added support for asymmetric outside-to-inside paths. If return traffic is routed via the Backup the Backup is able to update the Primary so that the Primary does not time out the translation. Is this the behavior you are seeing?

More on Stateful NAT - Phase II:

http://www/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801fce09.html

Kevin

devang_etcom
Level 7

hi,

I want to understand the working of NAT with redundancy in HSRP and in GLBP, so please give me an overview or a good link for the explanation.

One more thing: how many private IP addresses can I bind to one global IP address with the help of the "extendable" keyword on 26XX and 36XX series routers?

regards

Devang

Devang,

Stateful NAT is able to work with HSRP for redundancy. SNAT is configured on each of the HSRP routers and HSRP is used to determine which router is Active. The translations are kept in sync between the routers, and if HSRP switches to a standby router SNAT does as well.

You can read more about Stateful NAT here:

http://www/en/US/products/ps6350/products_configuration_guide_chapter09186a008044edaa.html

You can read about GLBP here:

http://www/en/US/products/ps6600/prod_presentation0900aecd801790a3.html

It is currently not recommended to use NAT along with GLBP.

The "extendable" keyword is used to map a single inside local address to multiple global addresses. The keyword I think you want is "overload" which allows you to use a single global for multiple local addresses by using Port Address Translation. The number of translations is limited by the number of ports and the amount of RAM on the router. The theoretical maximum, based on ports is 65535 translations for one global IP. The memory used by each translation is pretty small (10,000 translations uses < 2MB) so thousands of translations per address are possible.

Kevin
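Two points from the replies above lend themselves to a small model: Aamer's note that preserving the IKE source port (UDP 500) through NAT overload only works for a single inside host, and Kevin's note that translations per global address are bounded by the 16-bit port space. The following PAT translation-table simulator is an added example written for this thread; it is not Cisco code and does not claim to reproduce IOS port-selection internals. The "try the original port first" policy, the preserve-port behaviour, and all addresses and flows are the simulator's own assumptions.

```python
"""PAT (NAT overload) translation-table simulator.

Added example, not from the thread or from Cisco IOS. It models one global
address with one port space per protocol, so translations per global IP are
bounded by the port range, and a preserve-port rule (e.g. IKE's UDP 500)
that only the first inside host to use that port can satisfy. Every address
and flow below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str          # "udp" or "tcp"
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


class PatTable:
    def __init__(self, global_ip, preserve_ports=(), low=1024, high=65535):
        self.global_ip = global_ip
        self.preserve_ports = set(preserve_ports)   # ports that must not be rewritten
        self.low, self.high = low, high
        self.table = {}     # Flow -> global port assigned to it
        self.used = {}      # (proto, global port) -> Flow that owns it
        self.free = {}      # proto -> set of ports still unallocated

    def _free_set(self, proto):
        if proto not in self.free:
            self.free[proto] = set(range(self.low, self.high + 1))
        return self.free[proto]

    def _bind(self, flow, port):
        self.table[flow] = port
        self.used[(flow.proto, port)] = flow
        self._free_set(flow.proto).discard(port)

    def translate(self, flow):
        """Return (global_ip, global_port) for the flow, or None if it cannot be translated."""
        if flow in self.table:                       # existing entry: reuse it
            return self.global_ip, self.table[flow]
        free = self._free_set(flow.proto)
        key = (flow.proto, flow.inside_port)
        if flow.inside_port in self.preserve_ports:
            # Preserve-port semantics: the port may not be rewritten, so a second
            # inside host using the same port cannot be translated at all.
            if key in self.used:
                return None
            self._bind(flow, flow.inside_port)
            return self.global_ip, flow.inside_port
        if key not in self.used and flow.inside_port in free:
            self._bind(flow, flow.inside_port)        # original port still free: keep it
            return self.global_ip, flow.inside_port
        if not free:
            return None                               # port space for this protocol exhausted
        port = free.pop()                             # any free port will do
        self._bind(flow, port)
        return self.global_ip, port

    def free_ports(self, proto):
        return len(self._free_set(proto))


def fill_until_exhausted(pat, proto="tcp"):
    """Open distinct flows until the global address has no free port left; returns how many fit."""
    count = 0
    while True:
        inside_ip = f"10.{(count >> 16) & 255}.{(count >> 8) & 255}.{count & 255}"
        flow = Flow(proto, inside_ip, 50000, "198.51.100.9", 443)
        if pat.translate(flow) is None:
            return count
        count += 1


if __name__ == "__main__":
    pat = PatTable("203.0.113.1", preserve_ports={500})
    first = Flow("udp", "10.0.0.5", 500, "198.51.100.9", 500)
    second = Flow("udp", "10.0.0.6", 500, "198.51.100.9", 500)
    print(pat.translate(first))    # first IKE peer keeps UDP 500
    print(pat.translate(second))   # second peer cannot: None
    print(fill_until_exhausted(PatTable("203.0.113.1")), "TCP flows per global address")
```

Running the block shows the two limits side by side: with preserve-port set, only one inside IKE peer fits behind the global address, while an ordinary TCP flow population fills the 1024-65535 range before the table refuses new entries.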

juliocarossella
Level 1

Hi:

Could you tell me how to make the DHCP server in a router provide the dns-servers information (on the internal interface: ip nat inside) that it received from the ISP on the PPPoE interface?

Just to avoid configuring them statically with the "dns-server" command in the router's "ip dhcp pool" mode.

I tried "import all", but it seemed not to work as expected.

Thanks a lot.

Julio

Hi Julio,

Please keep in mind that this is the NAT forum.

You may want to enable IPCP DNS accept:

ppp ipcp accept-address

ppp ipcp dns accept

ppp ipcp wins accept

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5012/prod_release_note09186a0080087a7a.html#28640

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/dt_dhcpi.htm#xtocid0

Regards,

aa

Thank you very much for your answer.

Sorry if this subject is out of the scope of this forum, but when I looked for a forum, the closest to the issue was this as long as it is intimately connected with NAT functionality.

Thanks again

examples20001
Level 1

Hi,

I am using an ISR 2821 router with IOS image C2800NM-ADVSECURITYK9-M, Version 12.4(5).

I have enabled the IP SNAT and using HSRP.

The IP SNAT process is using more and more memory; the memory usage increases daily, and after 6-7 months the memory usage by IP SNAT goes above 80-90%, and by that time I have to reload the router manually.

Why is this happening? Is there any bug for IP SNAT feature in my current IOS version?

M1#show processes memory sorted

Processor Pool Total: 198245536 Used: 173996592 Free: 24248944

I/O Pool Total: 12582912 Used: 5348672 Free: 7234240

PID TTY Allocated Freed Holding Getbufs Retbufs Process

187 0 136808520 208 136810080 2268 0 IP SNAT Conn Pro

Hi examples20001,

I would highly recommend that you open a case with Cisco TAC to properly track this issue. I was able to do a quick search in our defect database and did note a memory-leak type issue. But without proper analysis it is uncertain whether that defect is the one you are running into:

CSCsc59032, fixed in 12.4(07.02)T 012.004(007.002)

Regards,

aa
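The pattern in the post above (a process whose Holding column climbs every day until the processor pool runs out) is easiest to confirm from a series of "show processes memory" snapshots rather than a single one. The script below is an added example written for this thread, not Cisco code or a TAC tool: it parses the output format shown in the post, flags processes whose Holding value grows monotonically across snapshots by more than a threshold, and estimates how many more intervals the free pool would last at that rate. The three snapshots are constructed sample data; only the last IP SNAT row and the pool line reuse the figures from the post.

```python
"""Trend analysis over 'show processes memory' snapshots to spot a leaking process.

Added example, not from the thread or from Cisco. Snapshots are constructed;
the final SNAT row and Processor Pool line reuse the values from the post.
"""
import math
import re

# Column order as printed by IOS: PID TTY Allocated Freed Holding Getbufs Retbufs Process
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
POOL_RE = re.compile(r"Processor Pool Total:\s*(\d+)\s+Used:\s*(\d+)\s+Free:\s*(\d+)")

# Constructed sample snapshots taken one day apart (hypothetical values).
SNAPSHOT_1 = """M1#show processes memory sorted
Processor Pool Total: 198245536 Used: 149200000 Free: 49045536
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
 187   0  112000000        208  112001560       2268          0 IP SNAT Conn Pro
   5   0    3000000    2990000      35000          0          0 Check heaps
  22   0     450000     440000      10000          0          0 Exec
"""
SNAPSHOT_2 = """M1#show processes memory sorted
Processor Pool Total: 198245536 Used: 161600000 Free: 36645536
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
 187   0  124398440        208  124400000       2268          0 IP SNAT Conn Pro
   5   0    3100000    3090000      35000          0          0 Check heaps
  22   0     470000     459000      11000          0          0 Exec
"""
SNAPSHOT_3 = """M1#show processes memory sorted
Processor Pool Total: 198245536 Used: 173996592 Free: 24248944
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
 187   0  136808520        208  136810080       2268          0 IP SNAT Conn Pro
   5   0    3200000    3190000      35000          0          0 Check heaps
  22   0     490000     479500      10500          0          0 Exec
"""


def parse_show_processes_memory(text):
    """Map (pid, process name) -> Holding bytes for every process row in the output."""
    holding = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            holding[(int(m.group(1)), m.group(8))] = int(m.group(5))
    return holding


def processor_pool_free(text):
    """Free bytes in the processor pool, or None if the pool line is absent."""
    m = POOL_RE.search(text)
    return int(m.group(3)) if m else None


def growing_processes(snapshots, min_growth_bytes=1_000_000):
    """Processes whose Holding rises at every snapshot and by at least min_growth_bytes overall.

    snapshots: parsed dicts in chronological order. Returns [(name, first, last)].
    """
    if len(snapshots) < 2:
        return []
    suspects = []
    for key in snapshots[0]:
        if not all(key in s for s in snapshots[1:]):
            continue                                  # process not present in every sample
        series = [s[key] for s in snapshots]
        monotonic = all(later > earlier for earlier, later in zip(series, series[1:]))
        if monotonic and series[-1] - series[0] >= min_growth_bytes:
            suspects.append((key[1], series[0], series[-1]))
    return suspects


def intervals_until_exhaustion(first, last, n_intervals, free_bytes):
    """Whole sampling intervals left before the free pool is consumed at the observed rate."""
    per_interval = (last - first) / n_intervals
    if per_interval <= 0:
        return None
    return math.ceil(free_bytes / per_interval)


if __name__ == "__main__":
    snaps = [parse_show_processes_memory(s) for s in (SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3)]
    for name, first, last in growing_processes(snaps):
        left = intervals_until_exhaustion(first, last, len(snaps) - 1, processor_pool_free(SNAPSHOT_3))
        print(f"{name}: {first} -> {last} bytes held, pool exhausted in ~{left} more intervals")
```

Keying on (PID, name) rather than name alone keeps two processes with the same name apart, and the monotonic check filters out processes whose holding merely fluctuates (the constructed "Exec" row), so only a steadily growing holder such as IP SNAT Conn Pro is reported.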
