
ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Network Address Translation (NAT), which is designed for IP address simplification and conservation, with Cisco experts Aamer Akhter and Kevin Eckhardt. NAT enables private IP networks that use unregistered IP addresses to connect to the Internet. Aamer Akhter is currently leading a team testing Layer 3 VPNs and related technologies in a cross-Cisco effort. He is CCIE number 4543. Kevin Eckhardt has six years of experience working with IS-IS, OSPF, and BGP routing protocol performance and scalability. He is currently working as a technical marketing engineer in the areas of IP Routing and IP Services.

 

Remember to use the rating system to let Aamer and Kevin know if you have received an adequate response.

 

Aamer and Kevin might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 3, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

92 REPLIES
Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi Aamer, glad to have you in the forum. Can you please tell me: if I am using NAT overload and my IPsec is also passing through the NAT device, is it possible that the IKE source port UDP 500 be translated to 500 only and not to any other port? I want no other traffic to get the source port 500 by the NAT device, because the other end of the NAT device is an IPsec peer which establishes IKE only if the source port and destination port are UDP 500. Is it possible? Please let me know.

regards

sebastan

Cisco Employee

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi Sebastan,

I think you may want to look at the NAT-T (enabled by default in 12.2(13)T) or IPsec pass-thru features. That will allow you to have multiple IPsec clients behind your NAT device rather than just one as you've got above.

In the case you've described above, the method would be to use the 'IKE preserve-port' function described in the 'IPsec pass-thru' URL below.

However, if you have only one device behind the NAT box, IPsec (ESP mode) should work anyway (unless the peer really wants to see both UDP ports as 500) as the IP header is not in the digest envelope, and there isn't any confusion about which inside host is doing IPsec.

Hope this helps. Please let me know if I can be of further help.

NAT-T

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

IPsec pass-thru

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftsecnat.htm

Regards,

aa

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi,

I have a question regarding stateful NAT. I had noticed that the setting of Master/Backup NAT peers has nothing to do with who is allowed to update whom, meaning that it's an Active/Active model in this sense.

I was wondering what the true meaning of Master/Backup is in the stateful NAT context? Is it only for the purpose of building the TCP session between the two NAT devices, meaning Master will initiate the session to Backup, but once established, either side can update the other?

Thanks,

David

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi Aamer, is it possible to do NAT overload for multiple PPTP clients connecting to a PPTP server? In the documentation they have mentioned that since it uses GRE, which doesn't use ports, it's tough passing them through a PAT device. However they have mentioned PATting can be done if PATting is done on the basis of the caller-id in the GRE packet. Does Cisco support this kind of NATting? Can you please help.

regards

sebastan

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi Aamer, thanks a lot man, and thanks for the links. Aamer, can you answer my above query please? I am waiting for your reply.

regards

sebastan

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Sebastan,

Yes, IOS supports PPTP through PAT beginning with 12.1(4)T.

You can view a configuration example here:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

Kevin

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

David,

IOS Stateful NAT Phase II, which was introduced in 12.3(7)T, added support for asymmetric outside-to-inside paths. If return traffic is routed via the Backup the Backup is able to update the Primary so that the Primary does not time out the translation. Is this the behavior you are seeing?

More on Stateful NAT - Phase II:

http://www/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801fce09.html

Kevin

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

hi,

I want to understand the working of NAT with redundancy in HSRP and in GLBP... so please give me an overview or a good link for the explanation...

One more thing: how many private IP addresses can I bind to one global IP address with the help of the "extendable" keyword, on 26XX and 36XX series routers...

regards

Devang

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Devang,

Stateful NAT is able to work with HSRP for redundancy. SNAT is configured on each of the HSRP routers and HSRP is used to determine which router is Active. The translations are kept in sync between the routers and if HSRP switches to a standby router SNAT does as well.

You can read more about Stateful NAT here:

http://www/en/US/products/ps6350/products_configuration_guide_chapter09186a008044edaa.html

You can read about GLBP here:

http://www/en/US/products/ps6600/prod_presentation0900aecd801790a3.html

It is currently not recommended to use NAT along with GLBP.

The "extendable" keyword is used to map a single inside local address to multiple global addresses. The keyword I think you want is "overload" which allows you to use a single global for multiple local addresses by using Port Address Translation. The number of translations is limited by the number of ports and the amount of RAM on the router. The theoretical maximum, based on ports is 65535 translations for one global IP. The memory used by each translation is pretty small (10,000 translations uses < 2MB) so thousands of translations per address are possible.

Kevin
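To make the two answers above concrete (Aamer's point that only one IPsec client behind a PAT device can keep UDP source port 500, and Kevin's point that one global address is limited to 65535 translations per protocol), here is a small model of a NAT overload (PAT) table. It is an added illustration written for this thread, not Cisco code: the port-selection rules (keep the original source port when it is free, otherwise fall back to ports from 1024 upwards) and the 203.0.113.x addresses are assumptions of the model, not IOS behaviour.

```python
"""Toy PAT (NAT overload) model: many inside hosts share one inside-global
address and are told apart by the translated source port.  Added example,
not Cisco code; port-selection rules are assumptions that mimic the
behaviour described in the thread."""

MAX_PORT = 65535          # 16-bit port space: the theoretical ceiling per global IP
FIRST_ALLOC_PORT = 1024   # assumption: fallback ports are drawn from 1024 upwards
IKE_PORT = 500


class PortExhausted(Exception):
    """No free global port left for this protocol on the shared address."""


class PatTable:
    def __init__(self, global_ip):
        self.global_ip = global_ip
        self._by_inside = {}   # (proto, inside_ip, inside_port) -> global_port
        self._by_global = {}   # (proto, global_port) -> (inside_ip, inside_port)
        self._cursor = {}      # proto -> next fallback port to try

    def translations(self, proto):
        """Number of active bindings for one protocol on the shared address."""
        return sum(1 for (p, _) in self._by_global if p == proto)

    def translate(self, proto, inside_ip, inside_port):
        """Return (global_ip, global_port) for an outbound flow, creating the
        binding on first use.  An existing binding is reused, which is what
        lets return traffic find its way back to the right inside host."""
        key = (proto, inside_ip, inside_port)
        if key in self._by_inside:
            return self.global_ip, self._by_inside[key]
        if (proto, inside_port) not in self._by_global:
            global_port = inside_port          # original port is free: preserve it
        else:
            global_port = self._alloc(proto)   # collision: pick another port
        self._by_inside[key] = global_port
        self._by_global[(proto, global_port)] = (inside_ip, inside_port)
        return self.global_ip, global_port

    def _alloc(self, proto):
        port = self._cursor.get(proto, FIRST_ALLOC_PORT)
        while port <= MAX_PORT and (proto, port) in self._by_global:
            port += 1
        if port > MAX_PORT:
            raise PortExhausted(f"{proto}: all {MAX_PORT} ports on {self.global_ip} in use")
        self._cursor[proto] = port + 1
        return port

    def inbound(self, proto, global_port):
        """Reverse lookup for return traffic; None means 'no translation, drop'."""
        return self._by_global.get((proto, global_port))


def ike_ports_seen_by_peer(pat, inside_hosts):
    """UDP source port each IKE client ends up with after PAT.  Only the first
    client keeps 500; later ones are renumbered, which is why a peer that
    insists on 500/500 breaks as soon as a second client appears."""
    return {host: pat.translate("udp", host, IKE_PORT)[1] for host in inside_hosts}


if __name__ == "__main__":
    pat = PatTable("203.0.113.1")   # constructed documentation address
    print(ike_ports_seen_by_peer(pat, ["10.1.1.10", "10.1.1.11", "10.1.1.12"]))
```

Run as a script it shows the first client keeping port 500 and the next two being moved to 1024 and 1025; filling the UDP port space from one host and then adding one more flow raises `PortExhausted`, which is the per-address ceiling Kevin describes (RAM permitting).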

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi:

Could you tell me how to make the DHCP server in a router provide the dns-servers information (on the internal interface: ip nat inside) that it received from the ISP on the PPPoE interface?

Just to avoid configuring them statically with the command "dns-server" in the router's "ip dhcp pool" mode.

I tried "import all", but it seemed not to work as expected.

Thanks a lot.

Julio

Cisco Employee

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi Julio,

Please keep in mind that this is the NAT forum.

You may want to enable ipcp dns accept:

ppp ipcp accept-address
ppp ipcp dns accept
ppp ipcp wins accept

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5012/prod_release_note09186a0080087a7a.html#28640

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/dt_dhcpi.htm#xtocid0

Regards,

aa

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Thank you very much for your answer.

Sorry if this subject is out of the scope of this forum, but when I looked for a forum, this was the closest to the issue, as it is intimately connected with NAT functionality.

Thanks again

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi,

I am using an ISR 2821 router with IOS version (C2800NM-ADVSECURITYK9-M), Version 12.4(5).

I have enabled IP SNAT and am using HSRP.

The IP SNAT process is using too much memory; memory usage increases daily, and after 6-7 months the memory used by IP SNAT goes above 80-90%, at which point I reload the router manually.

Why is this happening? Is there any bug for IP SNAT feature in my current IOS version?

M1#show processes memory sorted
Processor Pool Total: 198245536 Used: 173996592 Free: 24248944
I/O Pool Total: 12582912 Used: 5348672 Free: 7234240
PID TTY Allocated Freed Holding Getbufs Retbufs Process
187 0 136808520 208 136810080 2268 0 IP SNAT Conn Pro
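The `show processes memory sorted` output above is the kind of evidence worth capturing on a schedule when a process is suspected of leaking: a single snapshot tells you how much of the processor pool one process holds, and two snapshots taken a day apart tell you whether that figure is growing. The parser below is an added example for this thread, not a Cisco tool. The first process row is the one posted above; the `Check heaps` and `IP Input` rows, and the whole "day 2" snapshot, are constructed to show a stable process next to a growing one.

```python
"""Parse IOS 'show processes memory sorted' output and flag processes whose
Holding column is a large share of the processor pool, or grows between two
snapshots.  Added example for this thread, not Cisco tooling."""
import re

# Snapshot 1: the SNAT row is the one posted in the thread; the other two
# process rows are constructed for illustration.
SAMPLE_DAY1 = """\
M1#show processes memory sorted
Processor Pool Total: 198245536 Used: 173996592 Free: 24248944
I/O Pool Total: 12582912 Used: 5348672 Free: 7234240
PID TTY Allocated Freed Holding Getbufs Retbufs Process
187 0 136808520 208 136810080 2268 0 IP SNAT Conn Pro
 22 0 6009700 4011940 2006748 0 0 Check heaps
 61 0 108440 0 108440 0 0 IP Input
"""

# Snapshot 2 (constructed): same router a day later, only the SNAT process grew.
SAMPLE_DAY2 = """\
M1#show processes memory sorted
Processor Pool Total: 198245536 Used: 175088880 Free: 23156656
I/O Pool Total: 12582912 Used: 5348672 Free: 7234240
PID TTY Allocated Freed Holding Getbufs Retbufs Process
187 0 137900808 208 137902368 2268 0 IP SNAT Conn Pro
 22 0 6009700 4011940 2006748 0 0 Check heaps
 61 0 108440 0 108440 0 0 IP Input
"""

POOL_RE = re.compile(r"^\s*([\w/]+) Pool Total:\s*(\d+)\s+Used:\s*(\d+)\s+Free:\s*(\d+)")
# PID TTY Allocated Freed Holding Getbufs Retbufs, then a process name that may contain spaces.
PROC_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_show_proc_mem(text):
    """Return (pools, processes): pools maps pool name -> totals, processes is a
    list of dicts in the order printed (the 'sorted' keyword sorts by Holding)."""
    pools, procs = {}, []
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = {"total": int(m.group(2)), "used": int(m.group(3)),
                                 "free": int(m.group(4))}
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append({"pid": int(m.group(1)), "allocated": int(m.group(3)),
                          "freed": int(m.group(4)), "holding": int(m.group(5)),
                          "process": m.group(8)})
    return pools, procs


def holding_share(text, pool="Processor"):
    """[(process, holding, fraction of the pool total)] sorted largest first."""
    pools, procs = parse_show_proc_mem(text)
    total = pools[pool]["total"]
    ranked = sorted(procs, key=lambda p: p["holding"], reverse=True)
    return [(p["process"], p["holding"], p["holding"] / total) for p in ranked]


def flag_hogs(text, threshold=0.5):
    """Processes holding at least `threshold` of the processor pool."""
    return [name for name, _, share in holding_share(text) if share >= threshold]


def holding_growth(earlier, later):
    """Per-process change in Holding between two snapshots; a value that keeps
    climbing from snapshot to snapshot is the leak signature to take to TAC."""
    before = {p["process"]: p["holding"] for p in parse_show_proc_mem(earlier)[1]}
    after = {p["process"]: p["holding"] for p in parse_show_proc_mem(later)[1]}
    return {name: after[name] - before.get(name, 0) for name in after}


if __name__ == "__main__":
    for name, holding, share in holding_share(SAMPLE_DAY1):
        print(f"{name:20s} {holding:>12d} {share:6.1%}")
    print("hogs:", flag_hogs(SAMPLE_DAY1))
    print("growth:", holding_growth(SAMPLE_DAY1, SAMPLE_DAY2))
```

On the posted snapshot the SNAT connection process alone holds about 69% of the processor pool, and the constructed second snapshot shows it as the only process whose Holding moved, which is the pattern that justifies opening the TAC case Aamer recommends in the next reply.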

Cisco Employee

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi examples20001,

I would highly recommend that you open a case with Cisco TAC to properly track this issue. I did a quick search in our defect database and did note a memory-leak type issue, but without proper analysis it is uncertain whether this defect is the one you are running into:

CSCsc59032, fixed in 12.4(07.02)T 012.004(007.002)

Regards,

aa

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi Aamer. I have asked this question in the VPN/Security forum but didn't receive any response - so I wondered if you could help.

I have a customer who has a lan-to-lan vpn between a Concentrator 3000 and a Checkpoint firewall.

Packets entering the concentrator to be sent across the VPN are natted.

Most protocols seem to work fine apart from the NetBIOS protocols UDP 137 and 138. These are sent through the tunnel but do not get natted.

I know NetBIOS embeds IP addresses inside of the packets, and that the ASA has an application inspection (fixup) which can handle this.

Is this a problem with the way the concentrator performs natting? Would you expect to see error messages regarding this in the concentrator logs?

Thanks in advance

Mick

Cisco Employee

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi m.reay,

I believe that you are absolutely correct. This is a feature limitation of the VPN Concentrator 3000, where its implementation of NAT does not support NetBIOS.

I don't see an easy way out of this, as you are probably using the 3000 on the public net, hence the need for NAT. Otherwise you could possibly move the NAT service to another device and only do IPsec tunneling on the VPN 3000.

You may want to contact your cisco representative and look at ASA or IOS based options.

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Thanks for the reply Aamer. This doesn't have anything to do with being connected to the Internet, as the actual packets are transported across the Internet inside of IPsec.

The packets being natted are the original clear packets before they get encrypted, as in LAN-to-LAN where both LANs are using the same private address range.

Does this still apply?

Thanks.

Cisco Employee

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

m. Reay,

If the address range you are NATing to can sit behind the VPN 3000, in other words the 3000 (after decryption of return traffic) can send the still-NATted traffic to a node inside, then you should be able to move the NAT function to another device inside.

Regards,

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi,

I am trying to make multiple sites act as one large broadcast domain. I have tried to set up Mobile IP, but I have about 40% packet loss. I would like to pass an 802.1q trunk through an IPsec VPN. Is this possible?

Cisco Employee

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Joe,

Please note that this is the NAT forum.

There is only one solution for connecting multiple (more than 2) sites in a broadcast domain over multiple L3 hops, and that is currently VPLS, which requires MPLS. MPLS and IPsec do not work together well.

There are a couple of solutions:

1) Set up a full mesh of GRE tunnels between the sites and run MPLS-VPLS inside the GRE. Let IPsec encrypt the GRE.

2) Set up a full mesh of L2TPv3 tunnels in raw mode between all your sites. Let IPsec encrypt the L2TPv3. You may have to burn a few ports (one for each site) on the L2TPv3 hosts and acquire a switch to front-end.

Regards,

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hi,

Is it possible to assign IP addresses from the same segment (172.17.8.0/24) to both interfaces (inside, outside)? NATting is not used on this router.

The router is used as a firewall to filter the traffic according to the ACL and just forward the traffic to the ISP router.

Is this setup possible? If possible, what is the drawback of this setup and will I face any problem in future?

If not possible, how can I implement it in another way using the same segment IP addresses?

Attached diagram with more details.

Cisco Employee

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Examples,

Keep in mind this is the NAT forum.

IOS does not allow the same subnet to exist in the same routing context on the same router. You may use VRFs to do the IP addressing as you've described, but will have to use static routes in the VRF to get the traffic to 'jump' over the VRF boundaries.

Regards,

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Thank you very much for the details.

Can you please give some links which explain your details, with some configuration details.

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Is it possible to NAT and/or route-map across networks?

i.e. our ISP will send us 70.1.1.1 to our router; we then need to take this 70.1.1.1 and NAT it to 10.1.1.10. The only thing is, when 70.1.1.1 comes in it is connected to the 192.168.x.x network. The 10.x.x.x network is at some other remote location connected using a GRE VPN tunnel. All routers are connected using EIGRP and are routing properly. Is NAT'ing across networks possible (if needed with route-maps)?

Bronze

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Hello my friends,

I don't have a specific question, I just need your comments and feedback about the following:

I have a customer who, "since there is no technical availability for L.L or F.R links", has an ADSL connection with a Cisco 877W router with a fixed IP address for the outside interface ("only 1 IP"), and I placed a Cisco ASA5510 after this router with a private IP address on the ASA's outside interface since there is no way to have other real IPs.

My point: the Cisco router is doing the NAT ("PAT") and the ASA is doing static NAT ONLY for the management and CSC IPs. Is this the best design?

Thanks in advance

Abd Alqader

Cisco Employee

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

a.hajhamad,

Based on what features you are trying to achieve you may not have a choice. If the feature set you are trying to use exists on the ASA, but your WAN connection is ADSL, you don't have much of a choice.

There is no requirement for the ASA to have real IPs. Just be aware that for any servers that are sitting behind the ASA you will need to create static NAT/PAT bindings on both the 877 as well as the ASA.

Regards,

aa

Cisco Employee

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

MauricioB,

I'm not sure I understand the question. Could you possibly draw the design that you are asking about?

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Mauricio,

I'm not sure I completely understand the scenario you are describing, so please correct me if needed. As Aamer suggested a network diagram would be helpful.

My guess:

The ISP is sending traffic destined to the address 70.1.1.1 to the outside interface of your router. The router translates the destination to 10.1.1.10 for the internal network. The 10.x.x.x network is not directly connected to the router but is reachable from there via a GRE tunnel which originates from the router.

If this is a correct interpretation of the network, then yes this is possible.

The provider interface would be configured with "ip nat outside".

Both the 192.168.x.x interface and the tunnel interface would be configured as "ip nat inside".

"ip nat source inside static 10.1.1.10 70.1.1.1" will configure the described translation.

Kevin

Community Member

Re: ASK THE EXPERT - NETWORK ADDRESS TRANSLATION (NAT)

Main site:

interface Tunnel0
 bandwidth 1000
 ip address 192.168.209.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile Profile1
!
interface FastEthernet0/0
 ip address 192.168.109.30 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 no ip mroute-cache
 duplex full
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 70.2.2.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
router eigrp 100
 network 192.168.109.0
 network 192.168.209.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 70.2.2.1
!
!
no ip http server
no ip http secure-server
ip nat pool hq 70.2.2.2 70.2.2.2 netmask 255.255.255.0
ip nat inside source route-map nonat pool hq overload
!
logging trap debugging
access-list 100 deny ip 192.168.109.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.109.0 0.0.0.255 any
no cdp run

This is where I was thinking I should put the change:

interface FastEthernet0/1
 ip address 70.2.2.3 255.255.255.0 secondary

I tried what you have but it didn't work, maybe I typed it out wrong. Can you edit my config and re-post, so I can try that? Thanks.
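A quick way to see why the posted configuration does not yet do what Kevin's reply describes is to check it mechanically against his three conditions: the provider-facing interface is `ip nat outside`, both the LAN interface and the tunnel interface are `ip nat inside`, and a static translation exists for the host behind the tunnel. The checker below is an added example for this thread, not Cisco tooling. `POSTED_CONFIG` is a trimmed copy of the configuration above (only the lines the check needs); `FIXED_CONFIG` is a constructed variant with the two missing lines added. The static entry is written in the IOS keyword order `ip nat inside source static <inside-local> <inside-global>`.

```python
"""Check a Cisco IOS config against the recipe for translating a provider-facing
address to a host that is only reachable through a GRE/DMVPN tunnel.  Added
example for this thread, not Cisco code."""
import re

# Trimmed copy of the configuration posted in the thread (interfaces and NAT lines only).
POSTED_CONFIG = """\
interface Tunnel0
 ip address 192.168.209.1 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
!
interface FastEthernet0/0
 ip address 192.168.109.30 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 70.2.2.2 255.255.255.0
 ip nat outside
!
ip nat pool hq 70.2.2.2 70.2.2.2 netmask 255.255.255.0
ip nat inside source route-map nonat pool hq overload
"""

# Constructed variant: tunnel marked 'ip nat inside' and the static translation added.
FIXED_CONFIG = POSTED_CONFIG.replace(
    " tunnel source FastEthernet0/1\n",
    " ip nat inside\n tunnel source FastEthernet0/1\n",
) + "ip nat inside source static 10.1.1.10 70.1.1.1\n"


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from a flat IOS config.  Sub-commands
    are the indented lines that follow an 'interface' line; '!' or any
    non-indented line closes the block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def nat_role(interfaces, name):
    """'inside', 'outside' or None for one interface."""
    for cmd in interfaces.get(name, []):
        if cmd == "ip nat inside":
            return "inside"
        if cmd == "ip nat outside":
            return "outside"
    return None


def has_static_translation(config, inside_local, inside_global):
    """True if a static inside-source translation local -> global is configured."""
    pattern = (r"^ip nat inside source static "
               + re.escape(inside_local) + " " + re.escape(inside_global) + r"\b")
    return re.search(pattern, config, re.MULTILINE) is not None


def check_nat_over_tunnel(config, inside_local, inside_global,
                          lan="FastEthernet0/0", tunnel="Tunnel0",
                          provider="FastEthernet0/1"):
    """Return a list of findings; an empty list means the config matches the recipe."""
    ifs = parse_interfaces(config)
    findings = []
    for name, want in ((lan, "inside"), (tunnel, "inside"), (provider, "outside")):
        if name not in ifs:
            findings.append(f"{name}: interface not found")
        elif nat_role(ifs, name) != want:
            found = nat_role(ifs, name) or "no NAT role"
            findings.append(f"{name}: expected 'ip nat {want}', found {found}")
    if not has_static_translation(config, inside_local, inside_global):
        findings.append(f"missing 'ip nat inside source static {inside_local} {inside_global}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_nat_over_tunnel(cfg, "10.1.1.10", "70.1.1.1") or ["ok"])
```

Against the posted configuration the checker reports two findings: `Tunnel0` carries no NAT role, and there is no static translation for 10.1.1.10; the constructed fixed variant passes. Whether the provider actually routes 70.1.1.1 to this router is outside what a config check can tell you.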
