Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Network Address Translation (NAT) with Cisco experts Aamer Akhter and Kevin Eckhardt. NAT is designed for IP address simplification and conservation; it enables private IP networks that use unregistered IP addresses to connect to the Internet. Aamer Akhter is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort. He is CCIE number 4543. Kevin Eckhardt has six years of experience working with IS-IS, OSPF, and BGP routing protocol performance and scalability. He is currently working as a technical marketing engineer in the areas of IP Routing and IP Services.
Remember to use the rating system to let Aamer and Kevin know if you have received an adequate response.
Aamer and Kevin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 3, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Aamer, glad to have you in the forum. Can you please tell me: if I am using NAT overload and my IPsec is also passing through the NAT device, is it possible that the IKE source port UDP 500 be translated to 500 only and not to any other port? I want no other traffic to get source port 500 from the NAT device, because the other end of the NAT device is an IPsec peer which establishes IKE only if the source port and destination port are UDP 500. Is it possible? Please let me know.
I think you may want to look at the NAT-T (enabled by default in 12.2(13)T) or IPsec pass-thru features. That will allow you to have multiple IPsec clients behind your NAT device rather than just one as you've got above.
In the case you've described above, the method would be to use the 'IKE preserve-port' function described in the 'IPSec pass-thru' URL below.
However, if you have only one device behind the NAT box, IPsec (ESP mode) should work anyway (unless the peer really wants to see both UDP ports as 500) as the IP header is not in the digest envelope, and there isn't any confusion about which inside host is doing IPsec.
Hope this helps. Please let me know if I can be of further help.
I have a question regarding stateful NAT. I had noticed that the setting of Master/Backup NAT peers has nothing to do with who is allowed to update whom, meaning that it's an Active/Active model in this sense.
I was wondering what the true meaning of Master/Backup is in the stateful NAT context? Is it only for the purpose of building the TCP session between the two NAT devices, meaning the Master will initiate the session to the Backup, but once established, either side can update the other one?
Hi Aamer, is it possible to do NAT overload for multiple PPTP clients connecting to a PPTP server? In the documentation they have mentioned that since it uses GRE, which doesn't use ports, it's tough passing them through a PAT device. However, they have mentioned PATting can be done if it is done on the basis of the caller-id in the GRE packet. Does Cisco support this kind of NATting? Can you please help.
Hi Aamer, thanks a lot, man, and thanks for the links. Aamer, can you answer my above query please? I am waiting for your reply.
Yes, IOS supports PPTP through PAT beginning with 12.1(4)T.
You can view a configuration example here:
IOS Stateful NAT Phase II, which was introduced in 12.3(7)T, added support for asymmetric outside-to-inside paths. If return traffic is routed via the Backup the Backup is able to update the Primary so that the Primary does not time out the translation. Is this the behavior you are seeing?
More on Stateful NAT - Phase II:
I want to understand the working of NAT with redundancy in HSRP and in GLBP... so please give me an overview or a good link for the explanation...
One more thing: how many private IP addresses can I bind to one global IP address with the help of the "extendable" keyword, on 26XX and 36XX series routers?
Stateful NAT is able to work with HSRP for redundancy. SNAT is configured on each of the HSRP routers and HSRP is used to determine which router is Active. The translations are kept in sync between the routers, and if HSRP switches to a standby router, SNAT does as well.
You can read more about Stateful NAT here:
You can read about GLBP here:
It is currently not recommended to use NAT along with GLBP.
The "extendable" keyword is used to map a single inside local address to multiple global addresses. The keyword I think you want is "overload", which allows you to use a single global address for multiple local addresses by using Port Address Translation. The number of translations is limited by the number of ports and the amount of RAM on the router. The theoretical maximum, based on ports, is 65535 translations for one global IP. The memory used by each translation is pretty small (10,000 translations uses < 2MB), so thousands of translations per address are possible.
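The port arithmetic above and the IKE source-port question earlier in the thread both come down to how PAT hands out ports on a single global address. As an added illustration (not from the thread or from Cisco), the Python model below keeps an inside port when it is still free, moves a second flow that wants the same port off it, and shows the 65535-port ceiling; the global address 203.0.113.1 and the inside hosts are constructed sample values.

```python
from dataclasses import dataclass, field
from itertools import chain

MAX_PORT = 65535  # one 16-bit port space per protocol per global address


@dataclass
class PatTable:
    """All inside hosts share `global_ip`; a flow is told apart by its global port."""
    global_ip: str
    translations: dict = field(default_factory=dict)  # (proto, ip, port) -> global port
    used_ports: dict = field(default_factory=dict)    # proto -> set of global ports in use

    def translate(self, proto, inside_ip, inside_port):
        """Return the (global_ip, global_port) a new or existing inside flow maps to."""
        key = (proto, inside_ip, inside_port)
        if key in self.translations:                  # existing flow: reuse its binding
            return self.global_ip, self.translations[key]
        used = self.used_ports.setdefault(proto, set())
        if len(used) >= MAX_PORT:
            raise RuntimeError(f"port exhaustion: no free {proto} port on {self.global_ip}")
        if inside_port not in used:
            port = inside_port  # keep the inside port; this is what 'preserve-port' relies on
        else:                   # taken: walk upward from inside_port, wrapping round to 1
            port = next(p for p in chain(range(inside_port + 1, MAX_PORT + 1),
                                         range(1, inside_port)) if p not in used)
        used.add(port)
        self.translations[key] = port
        return self.global_ip, port


def ike_demo():
    """Two IKE peers behind one PAT address, both sourcing from UDP 500."""
    pat = PatTable("203.0.113.1")                       # constructed sample global address
    first = pat.translate("udp", "192.168.1.10", 500)   # keeps 500
    second = pat.translate("udp", "192.168.1.11", 500)  # has to move off 500
    return first, second


def exhaust_demo():
    """65535 flows fill the port space; the next new flow has no translation."""
    pat = PatTable("203.0.113.1")
    for port in range(1, MAX_PORT + 1):
        pat.translate("tcp", "192.168.1.10", port)
    try:
        pat.translate("tcp", "192.168.1.11", 443)
        return False
    except RuntimeError:
        return True
```

Only the first peer keeps UDP 500, which is why a peer that insists on source port 500 works for one inside host only and NAT-T is the answer for several.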
Could you tell me how to make the DHCP server in a router provide the dns-servers information (on the internal interface: ip nat inside) that it received from the ISP on the PPPoE interface,
just to avoid configuring them statically with the command "dns-server" in the router's "ip dhcp pool" mode?
I tried "import all", but it seemed not to work as expected.
Thanks a lot.
Please keep in mind that this is the NAT forum.
You may want to enable ipcp dns accept:
ppp ipcp accept-address
ppp ipcp dns accept
ppp ipcp wins accept
Thank you very much for your answer.
Sorry if this subject is out of the scope of this forum, but when I looked for a forum, this was the closest to the issue, as it is intimately connected with NAT functionality.
I am using an ISR 2821 router with IOS image C2800NM-ADVSECURITYK9-M, Version 12.4(5).
I have enabled IP SNAT and am using HSRP.
The IP SNAT process is using too much memory; memory usage increases daily, and after 6-7 months the memory usage by IP SNAT goes above 80-90%, and by that time I reload the router manually.
Why is this happening? Is there any bug for IP SNAT feature in my current IOS version?
M1#show processes memory sorted
Processor Pool Total: 198245536 Used: 173996592 Free: 24248944
I/O Pool Total: 12582912 Used: 5348672 Free: 7234240
PID TTY Allocated Freed Holding Getbufs Retbufs Process
187 0 136808520 208 136810080 2268 0 IP SNAT Conn Pro
I would highly recommend that you open a case with Cisco TAC to properly track this issue. I was able to do a quick search in our defect database and did note a memory-leak type issue. But without proper analysis it would be uncertain whether this defect is the one you are running into:
CSCsc59032, fixed in 12.4(07.02)T 012.004(007.002)
Hi Aamer. I have asked this question in the VPN/Security forum but didn't receive any response - so I wondered if you could help.
I have a customer who has a lan-to-lan vpn between a Concentrator 3000 and a Checkpoint firewall.
Packets entering the concentrator to be sent across the VPN are natted.
Most protocols seem to work fine apart from the netbios protocols UDP 137 and 138. These are sent through the tunnel but do not get natted.
I know Netbios embeds IP addresses inside of the packets, and that the ASA has an application inspection (fixup) which can handle this.
Is this a problem with the way the concentrator performs natting? Would you expect to see error messages regarding this in the concentrator logs?
Thanks in advance
I believe that you are absolutely correct. This is a feature limitation of the VPN Concentrator 3000, where its implementation of NAT does not support Netbios.
I don't see an easy solution out of this, as you are probably using the 3000 on the public net, hence the need for NAT. Otherwise you could possibly move the NAT service to another device and only do IPsec tunneling on the VPN 3000.
You may want to contact your cisco representative and look at ASA or IOS based options.
Thanks for the reply Aamer. This doesn't have anything to do with being connected to the Internet, as the actual packets are transported across the Internet inside of IPSEC.
The packets being natted are the original clear packets before they get encrypted, as in LAN-to-LAN where both LANs are using the same private address range.
Does this still apply?
If the address range you are NATing to can sit behind the VPN 3000, in other words the 3000 (after decryption of return traffic) can send the still-NATted traffic to a node inside, then you should be able to move the NAT function to another device inside.
I am trying to make multiple sites act as one large broadcast domain. I have tried to set up Mobile IP, but I have about 40% packet loss. I would like to pass an 802.1q trunk through an IPsec VPN. Is this possible?
Please note that this is the NAT forum.
There is only one solution for connecting multiple (more than 2) sites in a broadcast domain over multiple L3 hops, and that is currently VPLS, which requires MPLS. MPLS and IPsec do not work together well.
There are a couple of solutions:
1) Set up a full mesh of GRE tunnels between the sites and run MPLS-VPLS inside the GRE. Let IPsec encrypt the GRE.
2) Set up a full mesh of L2TPv3 tunnels in raw mode between all your sites. Let IPsec encrypt the L2TPv3. You may have to burn a few ports (one for each site) on the L2TPv3 hosts and acquire a switch to front-end.
Is it possible to assign IP addresses from the same segment (172.17.8.0/24) to both interfaces (inside, outside)? NATting is not used on this router.
The router is used as a firewall to filter out the traffic according to the ACL and just forward the traffic to the ISP router.
Is this setup possible? If possible, what is the drawback of this setup, and will I face any problems in future?
If not possible, how can I implement it another way using same-segment IP addresses?
Attached is a diagram with more details.
Keep in mind this is the NAT forum.
IOS does not allow the same subnet to exist in the same routing context on the same router. You may use VRFs to do the IP addressing as you've described, but will have to use static routes in the VRF to get the traffic to 'jump' over the VRF boundaries.
Thank you very much for the details.
Can you please give some links which explain your details, with some configuration details.
Is it possible to NAT and/or route-map across networks?
I.e. our ISP will send us 18.104.22.168 to our router; we then need to take this 22.214.171.124 and NAT it to 10.1.1.10. The only thing is, when 126.96.36.199 comes in, it is connected to the 192.168.x.x network. The 10.x.x.x network is at some other remote location, connected using a GRE VPN tunnel. All routers are connected using EIGRP and are routing properly. Is NATing across networks possible (if needed, with route-maps)?
Hello my friends,
I don't have a specific question; I just need your comments and feedback about the following:
I have a customer which, since there is no technical availability for L.L or F.R links, has an ADSL connection with a Cisco 877W router with a fixed IP address for the outside interface (only 1 IP), and I placed a Cisco ASA 5510 after this router with a private IP address on the ASA's outside interface, since there is no way to have other real IPs.
My point: the Cisco router is doing the NAT (PAT) and the ASA is doing static NAT ONLY for the management and CSC IPs. Is this the best design?
Thanks in advance
Based on what features you are trying to achieve, you may not have a choice. If the feature set you are trying to use exists on the ASA, but your WAN connection is ADSL, you don't have much of a choice.
There is no requirement for the ASA to have a real IP. Just be aware that for any servers that are sitting behind the ASA you will need to create static NAT/PAT bindings on both the 877 as well as the ASA.
I'm not sure I understand the question. Could you possibly draw the design that you are asking about?
I'm not sure I completely understand the scenario you are describing, so please correct me if needed. As Aamer suggested a network diagram would be helpful.
The ISP is sending traffic destined to the address 188.8.131.52 to the outside interface of your router. The router translates the destination to 10.1.1.10 for the internal network. The 10.x.x.x network is not directly connected to the router but is reachable from there via a GRE tunnel which originates from the router.
If this is a correct interpretation of the network, then yes this is possible.
The provider interface would be configured with "ip nat outside".
Both the 192.168.x.x interface and the tunnel interface would be configured as "ip nat inside".
"ip nat inside source static 10.1.1.10 184.108.40.206" will configure the described translation.
ip address 192.168.209.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 100
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1360
no ip split-horizon eigrp 100
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile Profile1
ip address 192.168.109.30 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no ip mroute-cache
no mop enabled
ip address 220.127.116.11 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
no mop enabled
router eigrp 100
ip route 0.0.0.0 0.0.0.0 18.104.22.168
no ip http server
no ip http secure-server
ip nat pool hq 22.214.171.124 126.96.36.199 netmask 255.255.255.0
ip nat inside source route-map nonat pool hq overload
logging trap debugging
access-list 100 deny ip 192.168.109.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.109.0 0.0.0.255 any
no cdp run
This is where I was thinking I should put the change:
ip address 188.8.131.52 255.255.255.0 secondary
I tried what you have but it didn't work; maybe I typed it out wrong. Can you edit my config and re-post so I can try that? Thanks.
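The 'route-map nonat' / access-list 100 pair in the posted config decides which inside traffic is PATted into pool hq and which (the 10.0.0.0/8 traffic headed down the GRE tunnel, which is also "ip nat inside") is forwarded untouched. The Python below is an added walk-through of that decision, not Cisco code or the poster's; it assumes route-map nonat matches access-list 100 (the route-map itself is not in the post) and uses constructed flow addresses.

```python
import ipaddress

# Constructed copy of the ACL lines in the posted config; the route-map 'nonat' is
# assumed (its definition is not on the page) to 'match ip address 100'.
ACL_100 = """
access-list 100 deny ip 192.168.109.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.109.0 0.0.0.255 any
"""

def parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]

def parse_acl(text):
    """Ordered (action, src_spec, dst_spec) entries of an extended 'ip' access list."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, rest = parse_addr(tokens[4:])
        dst, _ = parse_addr(rest)
        entries.append((tokens[2], src, dst))
    return entries

def matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def translated(entries, src, dst):
    """First matching entry decides: permit -> PAT via the pool, deny -> forwarded untouched.
    No match falls through to the implicit deny that ends every IOS access list."""
    for action, s, d in entries:
        if matches(s, src) and matches(d, dst):
            return action == "permit"
    return False

def demo():
    """Three flows from the 192.168.109.0/24 inside LAN of the posted config."""
    acl = parse_acl(ACL_100)
    return {
        "to_gre_site": translated(acl, "192.168.109.50", "10.1.1.10"),     # False: stays private
        "to_internet": translated(acl, "192.168.109.50", "198.51.100.7"),  # True: PAT via pool hq
        "other_subnet": translated(acl, "172.16.0.1", "198.51.100.7"),     # False: implicit deny
    }
```

Without the deny line, traffic to the remote 10.x.x.x site would be PATted before entering the tunnel and the replies would never find their way back to the inside host.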