NAT configuration command directory
Use the interface configuration command “ip nat” to designate that traffic entering or leaving the interface is subject to NAT (network address translation). To disable translation on the interface, use the “no” form of this command.
Note: The command “ip nat mss” applies only to an “ip nat outside” interface. It modifies the MSS (Maximum Segment Size) value in the TCP options of SYN packets coming from the inside network. To disable MSS modification on this interface, use the “no” form of this command.
ip nat {inside | outside | mss }
no ip nat {inside | outside | mss }
Parameter:
inside | The interface connects to the inside network (the network subject to NAT translation) |
outside | The interface connects to the outside network (the network subject to NAT translation) |
mss | Modify the MSS value (“ip nat outside” must be configured on the interface first) |
default:
Traffic on this interface is not subject to NAT.
Command mode:
Interface configuration mode
Explanation:
Only packets transmitted between an “inside” and an “outside” interface can be translated. Designate at least one inside interface and one outside interface on each border router that is to perform NAT.
Example:
The following example translates the IP addresses of inside hosts on the 192.168.1.0 or 192.168.2.0 networks to globally unique IP addresses in the 171.69.233.208/28 network, and modifies the MSS value.
ip nat pool net-208 171.69.233.208 171.69.233.223 255.255.255.240
ip nat inside source list a1 pool net-208
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
ip nat mss
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
ip access-list standard a1
permit 192.168.1.0 255.255.255.0
permit 192.168.2.0 255.255.255.0
!
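An added illustration of the MSS rewrite that the note above describes (example code written for this reference, not the router's implementation): the Python function below walks the TCP options of a segment and lowers an advertised MSS that exceeds a chosen limit, touching only SYN segments. The limit value is an assumption, since the page does not state what value the router writes, and a real device would also recompute the TCP checksum.

```python
import struct
from typing import Optional, Tuple

TCP_SYN = 0x02

# Constructed sample: options from a SYN advertising MSS 1460 (0x05B4),
# then SACK-permitted (kind 4), a NOP (kind 1) and window scale 7 (kind 3).
SAMPLE_OPTIONS = bytes([2, 4, 0x05, 0xB4, 4, 2, 1, 3, 3, 7])


def clamp_mss(options: bytes, tcp_flags: int, mss_limit: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS option (kind 2, length 4) if it exceeds mss_limit.

    Only SYN segments are touched, mirroring "ip nat mss", which acts on
    SYN packets from the inside network. Returns the (possibly rewritten)
    options and the MSS that was advertised, or None if there was none.
    The caller is responsible for recomputing the TCP checksum afterwards.
    """
    if not tcp_flags & TCP_SYN:
        return options, None
    out = bytearray(options)
    advertised = None
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP occupies a single byte
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated option header")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("bad option length")
        if kind == 2 and length == 4:
            advertised = struct.unpack("!H", out[i + 2:i + 4])[0]
            if advertised > mss_limit:     # assumed clamp: lower, never raise
                out[i + 2:i + 4] = struct.pack("!H", mss_limit)
        i += length
    return bytes(out), advertised
```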
Use the global configuration command “ip nat inside destination” to enable NAT of inside destination addresses. Use the “no” form of this command to remove the dynamic association with the address pool.
ip nat inside destination list access-list-name pool name
no ip nat inside destination list access-list-name
Parameter:
list access-list-name | Name of a standard IP access list. Packets whose destination address matches the list are translated using global addresses from the designated pool. |
pool name | Name of the address pool from which inside local IP addresses are allocated during dynamic translation. |
default:
Inside destination addresses are not translated
Command mode:
global configuration mode
Explanation:
This command establishes dynamic address translation driven by an access list. Packets whose address matches the standard access list are translated using a global address allocated from the designated address pool, which is defined with the command “ip nat pool”.
Example:
In the following example, NAT uses addresses from pool net-208 to replace the destination address of packets that match access list a1.
ip nat pool net-208 192.168.2.208 192.168.2.223 255.255.255.240
ip nat inside destination list a1 pool net-208
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
ip access-list standard a1
permit 171.69.233.208 255.255.255.240
!
Use the global configuration command “ip nat inside source” to enable NAT of inside source addresses. Use the “no” form of this command to remove a static translation or the dynamic association with the pool.
ip nat inside source {list access-list-name pool name [overload] | static local-ip global-ip}
no ip nat inside source {list access-list-name pool name [overload] | static local-ip global-ip}
Parameter:
list access-list-name | Name of a standard IP access list. Packets whose source address matches the list are translated using global addresses from the address pool. |
pool name | Name of the address pool from which global IP addresses are dynamically allocated. |
overload | (Optional) Allow the router to use one global address for many local addresses. When “overload” is set, the many sessions of one inside host are distinguished by TCP or UDP port number. |
static local-ip | Establish a single static address translation; this parameter gives the local address assigned to a host on the inside network. The address can be freely chosen or allocated from RFC 1918 space. |
global-ip | Establish a single static address translation; this parameter gives the IP address under which the outside network can reach the inside host. |
default:
No inside source address is translated
Command mode:
global configuration mode
Explanation:
This command has two forms: dynamic and static address translation. Dynamic translation is established through an access list: packets whose address matches the standard access list are translated using a global address allocated from the designated pool, which is defined with the command “ip nat pool”.
Alternatively, establish a single static address translation using the “static” keyword form of the command.
Example:
The following example translates the IP addresses of inside hosts on the 192.168.1.0 or 192.168.2.0 networks to globally unique IP addresses in the 171.69.233.208/28 network.
ip nat pool net-208 171.69.233.208 171.69.233.223 255.255.255.240
ip nat inside source list a1 pool net-208
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
ip access-list standard a1
permit 192.168.1.0 255.255.255.0
permit 192.168.2.0 255.255.255.0
!
Use the global configuration command “ip nat outside source” to enable NAT of outside source addresses. Use the “no” form of this command to remove a static entry or the dynamic association.
ip nat outside source {list access-list-name pool name | static global-ip local-ip}
no ip nat outside source {list access-list-name pool name | static global-ip local-ip}
Parameter:
list access-list-name | Name of a standard IP access list. Packets whose destination address matches the list are translated using global addresses from the address pool. |
pool name | Name of the pool from which global IP addresses are dynamically allocated. |
static global-ip | Establish a single static address translation; this parameter gives the IP address owned by the host on the outside network. This address is allocated from globally routable address space. |
local-ip | Establish a single static address translation; this parameter gives the local IP address under which the outside host is reachable from the inside network only. This address is allocated from space routable within the inside network (usually RFC 1918). |
default:
No translation of outside network source addresses to inside network addresses exists
Command mode:
global configuration mode
Explanation:
You may be using IP addresses that were never formally allocated to you, or addresses that have been formally allocated to other networks. This situation, where an address is legitimately used on the outside network and also used, illegitimately, on the inside network, is called “address overlapping”. NAT can translate the inside addresses that overlap with outside addresses. If the addresses in your singly connected network coincide with legal addresses allocated to other networks, and you need to communicate with those hosts or routers, use this function.
This command has two forms: dynamic and static address translation. Dynamic translation is established through an access list: packets whose address matches the standard access list are translated using a local address allocated from the designated pool, which is defined with the command “ip nat pool”.
Alternatively, establish a single static translation using the “static” keyword form of the command.
Example:
The following example translates the IP addresses of inside hosts on the 9.114.11.0 network to globally unique IP addresses in the 171.69.233.208/28 network. In addition, packets from outside hosts on network 9.114.11.0 (the real 9.114.11.0 network) are translated so that they appear to come from network 10.0.1.0/24.
ip nat pool net-208 171.69.233.208 171.69.233.223 255.255.255.240
ip nat pool net-10 10.0.1.0 10.0.1.255 255.255.255.0
ip nat inside source list a1 pool net-208
ip nat outside source list a1 pool net-10
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 9.114.11.39 255.255.255.0
ip nat inside
!
ip access-list standard a1
permit 9.114.11.0 255.255.255.0
!
Use the global configuration command “ip nat pool” to define an IP address pool for NAT. Use the “no” form of this command to delete the IP address pool.
ip nat pool name start-ip end-ip netmask
no ip nat pool name start-ip end-ip netmask
Parameter:
name | Name of the pool |
start-ip | Start address of the IP address pool range |
end-ip | End address of the IP address pool range |
netmask | Subnet mask. The subnet mask indicates which bits of an address belong to the network and subnet part and which belong to the host part. Specify the subnet mask of the network that the addresses in the pool belong to. |
default:
No IP pool is defined
Command mode:
global configuration mode
Explanation:
This command defines an address pool from a start address, an end address and a subnet mask. The defined pool can serve as an inside global pool or as an outside local address pool.
Example:
The following example translates the IP addresses of inside hosts on the 192.168.1.0 or 192.168.2.0 networks to globally unique IP addresses in the 171.69.233.208/28 network.
ip nat pool net-208 171.69.233.208 171.69.233.223 255.255.255.240
ip nat inside source list a1 pool net-208
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
ip access-list standard a1
permit 192.168.1.0 255.255.255.0
permit 192.168.2.0 255.255.255.0
Use the global configuration command “ip nat translation” to change the NAT translation timeout values. Use the “no” form of this command to remove the configured timeout value.
ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | max-entries | syn-timeout} seconds
no ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout | max-entries | syn-timeout}
Parameter:
timeout | Timeout value for dynamic translations other than overload translations. 3600 seconds by default (1 hour) |
udp-timeout | Timeout value for UDP port translations. 300 seconds by default (5 minutes) |
dns-timeout | Timeout value for DNS connections. 60 seconds by default |
tcp-timeout | Timeout value for TCP port translations. 3600 seconds by default (1 hour) |
finrst-timeout | Timeout value applied after a TCP FIN or RST packet, which ends a connection. 60 seconds by default |
icmp-timeout | NAT timeout value for ICMP. 60 seconds by default |
max-entries | Maximum number of NAT translation entries. 1024 by default |
syn-timeout | NAT timeout value for a TCP connection in SYN state. 60 seconds by default |
seconds | Timeout value for the designated translation type. The default is the value listed under “Default”. |
Default:
timeout is 3600 seconds (1 hour)
udp-timeout is 300 seconds (5 minutes)
dns-timeout is 60 seconds (1 minute)
tcp-timeout is 3600 seconds (1 hour)
finrst-timeout is 60 seconds (1 minute)
Command mode:
global configuration mode
Explanation:
Once port translation is configured, each translation entry carries more context about the traffic using it, so you have finer control over translation entries. UDP translations other than Domain Name System (DNS) time out after 5 minutes, while DNS UDP translations time out after one minute. A TCP translation times out after one hour if no RST or FIN appears in the data stream, and after one minute once an RST or FIN is seen.
Example:
The following example makes UDP port translation entries time out after 10 minutes.
ip nat translation udp-timeout 600
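An added example (not the router's own code) that applies the timeout rules from the explanation above in Python: entry_timeout picks the timeout that governs a translation entry from the documented defaults, is_expired applies it, and apply_translation_command feeds an “ip nat translation” line such as the one in the example into that table. Treating “SYN mode” as a TCP entry whose handshake has not completed, and the “no” form as restoring the documented default, are assumptions.

```python
# Documented defaults for "ip nat translation" (seconds; max-entries is a count).
DEFAULTS = {
    "timeout": 3600, "udp-timeout": 300, "dns-timeout": 60, "tcp-timeout": 3600,
    "finrst-timeout": 60, "icmp-timeout": 60, "syn-timeout": 60, "max-entries": 1024,
}
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def entry_timeout(proto, dst_port, tcp_flags, overloaded, table=DEFAULTS):
    """Timeout (seconds) for one translation entry.

    Without overload there is no port context, so the plain "timeout" applies.
    With overload the entry carries protocol and port, so the per-protocol
    values apply: DNS (UDP port 53) expires faster than other UDP, a TCP entry
    that has seen FIN or RST uses finrst-timeout, and (assumption) a TCP entry
    whose handshake is incomplete, i.e. SYN seen but no ACK, uses syn-timeout.
    """
    if not overloaded:
        return table["timeout"]
    if proto == "udp":
        return table["dns-timeout"] if dst_port == 53 else table["udp-timeout"]
    if proto == "icmp":
        return table["icmp-timeout"]
    if proto == "tcp":
        if tcp_flags & (TCP_FIN | TCP_RST):
            return table["finrst-timeout"]
        if tcp_flags & TCP_SYN and not tcp_flags & TCP_ACK:
            return table["syn-timeout"]
        return table["tcp-timeout"]
    raise ValueError(f"unsupported protocol: {proto}")


def is_expired(last_seen, now, proto, dst_port, tcp_flags, overloaded, table=DEFAULTS):
    """True once the idle time of the entry exceeds its applicable timeout."""
    return now - last_seen > entry_timeout(proto, dst_port, tcp_flags, overloaded, table)


def apply_translation_command(line, table):
    """Apply one "ip nat translation <keyword> <seconds>" line to a copy of table.

    The "no" form (assumed) restores the documented default for the keyword.
    """
    words = line.split()
    negate = words[:1] == ["no"]
    if negate:
        words = words[1:]
    if words[:3] != ["ip", "nat", "translation"] or len(words) < 4:
        raise ValueError(f"not an ip nat translation command: {line!r}")
    keyword = words[3]
    if keyword not in DEFAULTS:
        raise ValueError(f"unknown keyword: {keyword}")
    updated = dict(table)
    if negate:
        updated[keyword] = DEFAULTS[keyword]
    else:
        if len(words) != 5 or not words[4].isdigit():
            raise ValueError(f"expected a numeric value: {line!r}")
        updated[keyword] = int(words[4])
    return updated
```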
To clear NAT statistics, use the command “clear ip nat statistics”.
clear ip nat statistics
Parameter:
none
Command mode:
Supervisor mode
Explanation:
Use this command to reset all NAT statistics to their initial values.
Example:
Router#show ip nat statistics
Total active translations: 1 (0 static, 0 dynamic; 1 PAT)
Outside interfaces:
Dialer1 Virtual-access0
Inside interfaces:
FastEthernet0/0
Dynamic mappings:
-- Inside Source
-- Outside Source
ICMP=3, UDP=29, TCP=155, FRAG_ID=5 FRAG_PTR=0 / TOTAL=192
Router#clear ip nat statistics
Router#show ip nat statistics
Total active translations: 1 (0 static, 0 dynamic; 1 PAT)
Outside interfaces:
Dialer1 Virtual-access0
Inside interfaces:
FastEthernet0/0
Dynamic mappings:
-- Inside Source
-- Outside Source
ICMP=0, UDP=0, TCP=0, FRAG_ID=0 FRAG_PTR=0 / TOTAL=0
To clear dynamic entries from the network address translation table, use the executive command “clear ip nat translation”.
clear ip nat translation {* | [inside local-ip global-ip] [outside local-ip global-ip]}
clear ip nat translation {tcp|udp} inside local-ip local-port global-ip global-port [outside local-ip global-ip]
Parameter:
* | Clear all dynamic translation entries |
inside | Clear the inside translation containing the designated global IP address and local IP address. |
global-ip | Designate the global IP address |
local-ip | Designate the local IP address |
outside | Clear the outside translation containing the designated global IP address and local IP address. |
tcp|udp | Protocol |
global-port | Designate the global port of the corresponding protocol |
local-port | Designate the local port of the corresponding protocol |
Command mode:
Supervisor mode
Explanation:
Use this command to clear dynamic translation entries before they time out.
Example:
The following example first shows the NAT translation entries, then clears the UDP translation entry:
Router# show ip nat translation
Pro Inside global Inside local Outside local Outside global
udp 171.69.233.209:1220 192.168.1.95:1220 171.69.2.132:53 171.69.2.132:53
tcp 171.69.233.209:11012 192.168.1.89:11012 171.69.1.220:23 171.69.1.220:23
tcp 171.69.233.209:1067 192.168.1.95:1067 171.69.1.161:23 171.69.1.161:23
Router# clear ip nat translation udp inside 171.69.233.209 1220 192.168.1.95 1220 171.69.2.132 53 171.69.2.132 53
Router# show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 171.69.233.209:11012 192.168.1.89:11012 171.69.1.220:23 171.69.1.220:23
tcp 171.69.233.209:1067 192.168.1.95:1067 171.69.1.161:23 171.69.1.161:23
Use the command “show ip nat statistics” to display NAT statistics.
show ip nat statistics
Parameter:
This command has no parameter or keyword
Command mode:
Supervisor mode
Example:
The following is sample output of the command “show ip nat statistics”:
Router# show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 PAT)
Outside interfaces:
Serial0
Inside interfaces:
Ethernet1
Hits: 135 Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool net-208
pool net-208: netmask 255.255.255.240
start 171.69.233.208 end 171.69.233.221
total addresses 14, allocated 2, misses 0
Table 9 describes the important fields in the output.
Table 9: show ip nat statistics field description
Field | Description |
Total translations | Number of translations currently active in the system. Adding a translation increases this value by 1; clearing one decreases it by 1. |
Outside interfaces | List of the interfaces marked with the command “ip nat outside”. |
Inside interfaces | List of the interfaces marked with the command “ip nat inside” |
Expired translations | Cumulative number of translations that have timed out since the router started or since the statistics were last cleared. |
Dynamic mappings | The information that follows describes dynamic mappings. |
Inside Source | The information that follows describes inside source address translation |
Access-list | Number of the access list used for address translation. |
Pool | Pool name (net-208 in this example) |
Netmask | IP network mask used by the pool |
Start | First IP address of the address range in the pool |
End | Last IP address of the address range in the pool |
Total addresses | Number of addresses in the pool available for address translation |
Allocated | Number of addresses allocated |
Misses | Number of requests for which no address could be allocated from the pool |
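An added example (not part of the original reference) that parses the “show ip nat statistics” output above and checks each pool the way the “ip nat pool” command defines it (start and end inside the subnet given by the netmask); the sample output is constructed from the listing above. Watching pool misses and utilization is how a defender notices a pool being exhausted before inside hosts lose connectivity.

```python
import ipaddress
import re

# Constructed sample, taken from the "show ip nat statistics" listing above.
SAMPLE_STATS = """\
Router# show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 PAT)
Hits: 135 Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool net-208
pool net-208: netmask 255.255.255.240
start 171.69.233.208 end 171.69.233.221
total addresses 14, allocated 2, misses 0
"""

_TOTALS = re.compile(r"Total (?:active )?translations: (\d+) \((\d+) static, (\d+) dynamic; (\d+) PAT\)")
_HITS = re.compile(r"Hits: (\d+) Misses: (\d+)")
_EXPIRED = re.compile(r"Expired translations: (\d+)")
_POOL = re.compile(r"pool (\S+): netmask (\S+)")
_RANGE = re.compile(r"start (\S+) end (\S+)")
_USAGE = re.compile(r"total addresses (\d+), allocated (\d+), misses (\d+)")


def parse_statistics(text):
    """Collect the global counters and one dict per pool from the output."""
    stats = {"pools": []}
    pool = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _TOTALS.match(line):
            stats.update(zip(("total", "static", "dynamic", "pat"), map(int, m.groups())))
        elif m := _HITS.match(line):
            stats["hits"], stats["misses"] = map(int, m.groups())
        elif m := _EXPIRED.match(line):
            stats["expired"] = int(m.group(1))
        elif m := _POOL.match(line):
            pool = {"name": m.group(1), "netmask": m.group(2)}
            stats["pools"].append(pool)
        elif pool and (m := _RANGE.match(line)):
            pool["start"], pool["end"] = m.groups()
        elif pool and (m := _USAGE.match(line)):
            pool["total"], pool["allocated"], pool["pool_misses"] = map(int, m.groups())
    return stats


def pool_report(pool):
    """Check the pool against the rules of "ip nat pool" (start and end must
    lie in the subnet given by the netmask) and report its utilization.
    A non-zero miss count means inside hosts needed a global address while
    none was free, i.e. the pool is being exhausted."""
    start = ipaddress.IPv4Address(pool["start"])
    end = ipaddress.IPv4Address(pool["end"])
    network = ipaddress.IPv4Network(f"{pool['start']}/{pool['netmask']}", strict=False)
    span = int(end) - int(start) + 1
    return {
        "span": span,
        "span_matches_total": span == pool["total"],
        "same_subnet": start <= end and end in network,
        "utilization": pool["allocated"] / pool["total"],
        "exhausted": pool["pool_misses"] > 0,
    }
```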
Use the command “show ip nat translations” to display active NAT address translations.
show ip nat translations [verbose]
Parameter:
verbose | (Optional) Display additional information about each translation entry, including how long ago it was created and how much time remains until it times out. |
Command mode:
Supervisor mode
Example:
The following is sample output of the command “show ip nat translations”. Several outside hosts and two inside hosts are exchanging packets, without overload.
Router# show ip nat translations
Pro Inside local Inside global Outside local Outside global
--- 192.168.1.95 171.69.233.209 --- ---
--- 192.168.1.89 171.69.233.210 --- ---
With overload in use, the translation used for one DNS service is active, and two TELNET sessions (from two different hosts) are also active. Note that the two different inside hosts appear in the table with the same outside address.
Router# show ip nat translations
Pro Inside local Inside global Outside local Outside global
udp 192.168.1.95:1220 171.69.233.209:1220 171.69.2.132:53 171.69.2.132:53
tcp 192.168.1.89:11012 171.69.233.209:11012 171.69.1.220:23 171.69.1.220:23
tcp 192.168.1.95:1067 171.69.233.209:1067 171.69.1.161:23 171.69.1.161:23
The following is sample output with the keyword “verbose”:
Router# show ip nat translations verbose
Pro Inside local Inside global Outside local Outside global
udp 192.168.1.95:1220 171.69.233.209:1220 171.69.2.132:53 171.69.2.132:53
create time 00:00:02, left time 00:01:10,
tcp 192.168.1.89:11012 171.69.233.209:11012 171.69.1.220:23 171.69.1.220:23
create time 00:01:13, left time 00:00:50,
tcp 192.168.1.95:1067 171.69.233.209:1067 171.69.1.161:23 171.69.1.161:23
create time 00:00:02, left time 00:53:19,
Table 10 describes the key fields in the output.
Table 10: show ip nat translations field description
Field | Description |
Pro | Protocol of the port carried with the address. |
Inside global | Legal IP address (assigned by a NIC or ISP) that represents one or more inside local IP addresses to the outside network. |
Inside local | IP address assigned to a host on the inside network; it may not be a legal address assigned by a NIC or ISP. |
Outside local | IP address under which an outside host appears to the inside network; it may not be a legal address assigned by a NIC or ISP. |
Outside global | IP address of the outside host as assigned by its owner |
Create time | Time elapsed since the translation entry was created (hours:minutes:seconds) |
Left time | Time remaining until the translation entry times out. |
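An added example (not part of the original reference) that parses the “show ip nat translations” output, including the verbose timing lines, and lists the inside global addresses shared by more than one inside host, which is the overload situation described above; the sample output is constructed from the listings on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, assembled from the listings above (one non-overload
# entry plus the overload entries with their verbose timing lines).
SAMPLE_OUTPUT = """\
Router# show ip nat translations verbose
Pro Inside local Inside global Outside local Outside global
--- 192.168.1.95 171.69.233.209 --- ---
udp 192.168.1.95:1220 171.69.233.209:1220 171.69.2.132:53 171.69.2.132:53
create time 00:00:02, left time 00:01:10,
tcp 192.168.1.89:11012 171.69.233.209:11012 171.69.1.220:23 171.69.1.220:23
create time 00:01:13, left time 00:00:50,
tcp 192.168.1.95:1067 171.69.233.209:1067 171.69.1.161:23 171.69.1.161:23
create time 00:00:02, left time 00:53:19,
"""

_ROW = re.compile(r"^(---|tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
_TIMES = re.compile(r"^create time (\d+:\d+:\d+), left time (\d+:\d+:\d+)")

@dataclass
class Translation:
    proto: Optional[str]          # None for a plain (non-port) translation
    inside_local: str
    inside_global: str
    outside_local: Optional[str]  # None where the table shows "---"
    outside_global: Optional[str]
    create_secs: Optional[int] = None   # only present with "verbose"
    left_secs: Optional[int] = None

def _hms_to_seconds(text: str) -> int:
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s

def _field(value: str) -> Optional[str]:
    return None if value == "---" else value

def parse_translations(text: str) -> List[Translation]:
    """Parse table rows; a following 'create time ... left time ...' line
    (verbose form) is attached to the row just parsed."""
    entries: List[Translation] = []
    for raw in text.splitlines():
        line = raw.strip()
        row = _ROW.match(line)
        if row:
            proto, il, ig, ol, og = row.groups()
            entries.append(Translation(_field(proto), il, ig, _field(ol), _field(og)))
            continue
        times = _TIMES.match(line)
        if times and entries:
            entries[-1].create_secs = _hms_to_seconds(times.group(1))
            entries[-1].left_secs = _hms_to_seconds(times.group(2))
    return entries

def shared_inside_globals(entries: List[Translation]) -> Dict[str, List[str]]:
    """Inside global addresses that front more than one inside host: the
    overload case, where hosts are told apart only by port number."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[e.inside_global.split(":")[0]].add(e.inside_local.split(":")[0])
    return {g: sorted(h) for g, h in hosts.items() if len(h) > 1}
```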
Use the executive command “debug ip nat” to debug network address translation (NAT).
debug ip nat {detail | h323}
no debug ip nat {detail | h323}
Parameter:
none
Command mode:
Supervisor mode
Explanation:
The command “debug ip nat detail” outputs the details of the translation process, including the source and destination IP addresses of the packet, the protocol, the port numbers, and the reason a translation failed.
Example:
Router# debug ip nat detail
Ethernet1/1 recv ICMP Src 194.4.4.89 Dst 10.10.10.102 no link found
Ethernet1/0 send TCP Src 194.4.4.102:2000 Dst 192.2.2.1:21 no matched rule
This table describes the fields displayed.
Field | Description |
Ethernet1/0 | Type and number of the interface. |
send/recv | Send or receive. |
ICMP/TCP/UDP | ICMP/TCP/UDP protocol |
Src 194.4.4.102:2000 | Source IP address and port number |
Dst 192.2.2.1:21 | Destination IP address and port number. |
no link found | No existing NAT translation (link) matches the packet |
no matched rule | No NAT rule matches the packet. |
First entry: an ICMP packet was received on interface Ethernet1/1 (source address 194.4.4.89, destination address 10.10.10.102; protocol ICMP); no corresponding NAT link was found (although a matching NAT rule exists).
Second entry: a TCP packet was sent on interface Ethernet1/0 (source address 194.4.4.102, destination address 192.2.2.1; source port 2000, destination port 21); no matching NAT rule was found.