Cisco Support Community
Community Member

NAT

Hi,

I need an explanation of the key word "extendable" in the nat configuration.

Do you have an idea?

12 REPLIES

Re: NAT

Hi Ismail,

Can you please paste the exact line in which "extendable" is used?

You may be referring to the "extended" keyword in ACLs defined for NAT. The word "extended" defines the type of ACL (whether it is used for NAT, filtering or tunneling). A standard ACL has only one network entry, which is the source. Extended ACLs have source, destination, protocol and port. That helps you to create more specific entries.

Regards

Community Member

Re: NAT

ip nat inside source static tcp 192.168.10.26 21 79.29.20.136 21 extendable

Re: NAT

Why did you do that? I mean, why did you rate it 1? I am trying to understand what you are talking about and trying to help you. That post was not for getting rated; ratings are used to indicate whether your issue is resolved or not, or whether a post adds to your knowledge. You rate people 1 if they corrupt your system with their suggestion, or if they make absolutely nonsense suggestions, and that 1 decreases their %.

Hall of Fame Super Blue

Re: NAT

Huseyin

Agreed, you should not have been rated 1, although it may not have been Ismail.

Rated you to try and adjust accordingly.

Jon

Community Member

Re: NAT

Hi,

I didn't give a rating.

Hall of Fame Super Blue

Re: NAT

Ismail

The extendable keyword "extends" the NAT translation. In simple terms it means it uses not just the IP address but also the port numbers. This would allow you to map two local addresses to the same global address on different ports.

One other thing, if it was you that rated Huseyin 1 then this is not appropriate as he was only asking for clarification so there should have been no rating for this. People are here to help and help with free advice.

If it wasn't you then please ignore the last bit.

Jon

Re: NAT

Jon:

Please provide an example for clarification.

Port numbers were specified in the commands, and I'm sure I've used the following without ever specifying the "extendable" keyword:

ip nat inside source static tcp 192.168.100.18 25 interface Ethernet1 25

ip nat inside source static tcp 192.168.100.20 110 interface Ethernet1 110

Is the keyword usage IOS release dependent?

Re: NAT

Ismail,

I thought it was you, sorry about that.

Jon,

Thank you :). I sometimes don't understand why people treat people who are trying to help like that. I am also a qualified expert on www.experts-exchange.com and we have moderators and expert care sections there. Don't we have moderators in here?

Regards

Hall of Fame Super Blue

Re: NAT

Huseyin

There is a moderator on NetPro and he does a very good job of monitoring what is going on. But if you allow people to rate answers there will always be a few people who mark inappropriately. It can't really be helped.

That is also why you need to be careful with making assumptions on who has rated.

Jon

Hall of Fame Super Blue

Re: NAT

Michael

Yes, if you specify port numbers it is a bit redundant. From one of Cisco's NAT papers:

=============================================

"Extendable" static translations:

The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address.

ip nat inside source static extendable

Some customers want to use more than one service provider and translate into each provider's address space. You can use route-maps to base the selection of global address pool on output interface as well as an access-list match. Following is an example:

ip nat pool provider1-space ...

ip nat pool provider2-space ...

ip nat inside source route-map provider1-map pool provider1-space

ip nat inside source route-map provider2-map pool provider2-space

!

route-map provider1-map permit 10

match ip address 1

match interface Serial0/0

!

route-map provider2-map permit 10

match ip address 1

match interface Serial0/1

Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation.

=============================================

Jon
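Jon's description and the Cisco paper he quotes, laid out as one complete configuration. This is an added example, not part of the thread and not Cisco's own text; the addresses (RFC 5737 documentation ranges), interface names, pool, route-map and ACL names are assumptions. It covers both the case the keyword exists for (one local address with a fixed global address in each provider's space) and the port-level case where it looks redundant, and it adds the inbound ACL the thread does not mention, because a static entry only translates and does nothing to restrict who can reach the published services.

```ios
! Added example, not from the thread or the quoted Cisco paper.
! Addresses (RFC 5737 ranges), interface names, pool names, route-map
! names and ACL numbers/names are assumptions.
!
! Goal, as in the paper: one inside host, 192.168.10.26, keeps a fixed
! global address in each provider's space (203.0.113.10 via provider 1,
! 198.51.100.10 via provider 2), while the rest of 192.168.10.0/24 is
! translated dynamically into whichever provider's pool the egress
! interface selects.
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Provider 1
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
interface Serial0/1
 description Provider 2
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
!
! Dynamic part: the route-map chooses the pool by egress interface.
! This is what builds the full translation for a new inside-to-outside flow.
access-list 1 permit 192.168.10.0 0.0.0.255
!
ip nat pool provider1-space 203.0.113.8 203.0.113.8 prefix-length 29
ip nat pool provider2-space 198.51.100.8 198.51.100.8 prefix-length 29
ip nat inside source route-map provider1-map pool provider1-space overload
ip nat inside source route-map provider2-map pool provider2-space overload
!
route-map provider1-map permit 10
 match ip address 1
 match interface Serial0/0
!
route-map provider2-map permit 10
 match ip address 1
 match interface Serial0/1
!
! Static part, case 1: the SAME local address mapped to two global
! addresses. Without "extendable" the second line is refused because the
! pair is ambiguous from the inside. With it, each line is only a template:
! a new outside-to-inside flow to 203.0.113.10 or 198.51.100.10 gets a full
! (address + port) entry built from the matching template, and a new
! inside-to-outside flow from .26 is handled by the route-map rules above.
ip nat inside source static 192.168.10.26 203.0.113.10 extendable
ip nat inside source static 192.168.10.26 198.51.100.10 extendable
!
! Static part, case 2: two DIFFERENT local hosts behind one global address,
! distinguished by port (Jon's "same global address on different ports").
! The port numbers already make the pair unambiguous, which is why the
! keyword looks redundant here. Whether a release silently stores such
! entries as "extendable" when you omit the word is release dependent;
! compare what you typed with "show running-config | include ip nat".
ip nat inside source static tcp 192.168.10.27 21 203.0.113.11 21 extendable
ip nat inside source static tcp 192.168.10.30 80 203.0.113.11 80 extendable
!
! The static entries translate; they do not filter. On an "ip nat outside"
! interface the inbound ACL is evaluated before translation, so it must
! name the GLOBAL addresses. Here only FTP and HTTP on 203.0.113.11 are
! reachable from provider 1; nothing unsolicited reaches 203.0.113.10 even
! though its static entry covers every port of 192.168.10.26. The ACL is
! TCP-only on purpose; add UDP/ICMP return-traffic rules as your site needs.
ip access-list extended FROM-PROVIDER1
 permit tcp any host 203.0.113.11 eq 21
 permit tcp any host 203.0.113.11 eq 80
 permit tcp any any established
 deny   ip any any log
!
interface Serial0/0
 ip access-group FROM-PROVIDER1 in
```

Two checks once this is applied: if the router refuses the second `ip nat inside source static 192.168.10.26 ...` line, the `extendable` keyword was dropped; and `show ip nat translations` lists the static templates immediately, while the full per-flow entries with ports appear only after traffic has passed through them.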

Re: NAT

Jon:

The absence of the use of the "extendable" keyword in your example leaves me with questions.

First, I'll paraphrase what I believe I've understood, and then I'll address the scenario I have questions about.

It appears that you are saying that the following won't work:

Exhibit A

ip nat inside source static tcp 192.168.10.26 aaa.0.0.136

ip nat inside source static tcp 192.168.10.26 bbb.0.0.136

... that it should be configured as:

Exhibit B

ip nat inside source static tcp 192.168.10.26 aaa.0.0.136 extendable

ip nat inside source static tcp 192.168.10.26 bbb.0.0.136 extendable

... to generate full un-ambiguous translations.

The following two statements are understood:

- For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation.

- For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation.

However, your earlier post stated:

"This would allow you to map two local addresses to the same global address on different ports."

In a NAT overload scenario:

Presumably this would not work (less than full translation):

Exhibit C

ip nat inside source static tcp 192.168.0.100 aaa.bbb.ccc.ddd 80

ip nat inside source static tcp 192.168.0.200 aaa.bbb.ccc.ddd 21

... however, I am wondering if this:

Exhibit D

ip nat inside source static tcp 192.168.0.100 80 aaa.bbb.ccc.ddd 80

ip nat inside source static tcp 192.168.0.200 21 aaa.bbb.ccc.ddd 21

.... is any different than this:

Exhibit E

ip nat inside source static tcp 192.168.0.100 80 aaa.bbb.ccc.ddd 80 extendable

ip nat inside source static tcp 192.168.0.200 21 aaa.bbb.ccc.ddd 21 extendable

... which, much like Ismail884's example:

ip nat inside source static tcp 192.168.10.26 21 79.29.20.136 21 extendable

... looks redundant to me.

I don't see the need for the extendable keyword here. It looks like the extendable keyword is the redundancy, and not the port specifications.

I'm not trying to prove anyone wrong, or split hairs. It just felt like I was missing something when I started this reply (it's taken a while to compose), and I have arrived where I am now.

Re: NAT

I've just encountered an alternative command format that I have not previously considered/used:

ip nat inside source static tcp inside-ip outside-ip 25 extendable

... perhaps this is the usage you were referring to.
