NAT FAQs

7/30/2019 NAT FAQs

1/11

NAT Frequently Asked Questions

Document ID: 26704

Questions

IntroductionWhat is NAT?

What are the main differences between Cisco IOS NAT and the Cisco PIX Firewall

implementation of NAT?

On which Cisco routing platforms is Cisco IOS NAT available? How do I order it?

Does NAT occur before or after routing?

How is routing awareness learned for IP addresses created using NAT?

How many concurrent NAT sessions are supported in Cisco IOS NAT?

What kind of routing performance can I expect when I use Cisco IOS NAT?

Can Cisco IOS NAT be applied to subinterfaces?

Can Cisco IOS NAT be used with HSRP to provide redundant links to an ISP?

Does Cisco IOS NAT support inbound translations on a serial trunk that runs FrameRelay and does it support outbound translations on the Ethernet side?

Can a single NATenabled router allow some users to utilize NAT and allow other users

on the same Ethernet interface to continue with their own IP addresses?

What is PAT, or NAT overloading?

When I configure for PAT (NAT overloading), what is the maximum number of

translations that I can make for each inside global IP address?

How does PAT work?

What is the maximum number of configurable NAT IP pools (using the ip nat pool

command)?

What is IP address overlapping as discussed within the context of NAT?

Is it possible to build a configuration with both static and dynamic NAT translations?

Can IOS support multiple outside NAT tables?

Why do I need to specify a subnet mask when I configure a NAT address pool?

Can I allocate IP addresses from the NAT router's outside interface subnet to a dynamic

NAT pool?

Does a NAT router properly handle ICMP redirects?

Does Cisco NAT support all application traffic?

Why does Cisco IOS NAT not support SNMP traffic?

How are ARPs handled for IP addresses generated by NAT?

Does Cisco IOS NAT support DNS queries?

Does Cisco IOS NAT support ACLs that permit any or all packets?

Why does Active FTP work with static /extended (port forwarding) but it does not work

with PAT?NetPro Discussion Forums Featured Conversations

Related Information

Introduction

This document provides answers to some of the more frequently asked questions with regard to Cisco IOS

Network Address Translation (NAT).

Cisco NAT Frequently Asked Questions

7/30/2019 NAT FAQs

2/11

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Q. What is NAT?

A. NAT stands for Network Address Translation. NAT is designed for IP address

simplification and conservation. It enables private IP internetworks that use nonregistered

IP addresses to connect to the Internet. NAT operates on a router, usually connecting two

networks together, and translates the private (not globally unique) addresses in the internal

network into legal addresses before packets are forwarded onto another network. As part of

this functionality, NAT can be configured to advertise only one or a very few addresses for

the entire network to the outside world. This provides additional security and effectively hides

the entire internal network from the world behind that address. NAT has the dual

functionality of security and address conservation, and is typically implemented in remote

access environments. Refer to How NAT Works in order to learn how NAT works in more

detail.

Q. What are the main differences between Cisco IOS NAT and the CiscoPIX Firewall implementation of NAT?

A. Cisco IOS based NAT functionality is not fundamentally different from the NAT

functionality in the PIX Firewall. The main differences involve the different traffic types

supported in Cisco IOS NAT and the NAT implementation in the PIX. Refer to Cisco PIX

500 Series Firewalls and to the NAT Configuration Examples for detailed information on the

configuration of NAT functionality on the PIX (includes the traffic types supported).

Q. On which Cisco routing platforms is Cisco IOS NAT available? Howdo I order it?

A. The Cisco Software Advisor ( registered customers only) (search by feature) provides

customers with a tool to identify which release and platform any Cisco IOS feature isavailable on. In order to check if NAT is supported on a specific platform, go to Software

Advisor ( registered customers only) , choose the option Find software with the features I need,

enter the product and software information, and choose the feature NAT, and select the

platform. The tool then provides the minimum Cisco IOS software that supports the feature

on the platform.

For historical purposes:

When originally introduced in Cisco IOS Software Release 11.2, NAT is only

available in the Plus images.

With Cisco IOS Software Release 11.3, PAT is available in all IP images, with fullNAT (11 and PAT) available only in Plus images.

With Cisco IOS Software Release 12.0, all IP images provide full NAT functionality.

This table provides Cisco IOS and NAT support information.

Cisco

IOS

Software

Release

NAT

Support

in Base

Images

NAT

Support

in Plus

Images

Easy IP

SupportHardware Platforms Support

11.2None NAT None Cisco 1000, 2500, 4x00, AS5200, 7200, RSP7000, 7500


7/30/2019 NAT FAQs

3/11

11.2PNone NAT None

Cisco 1000, 1600, 2500, 3620, 3640, 4x00, AS5200, AS530

RSP7000, 7500

11.3 PAT

onlyNAT Phase 1 Cisco 1000, 1600, 2500, 3620, 3640, 4x00, AS5200, 7200, R

11.3T PAT

onlyNAT Phase 1

Cisco 1000, 1600, 2500, 2600, 3620, 3640, 4x00, AS5200, A

RSP7000, 7500

12.0 NAT NAT Phase 1 Cisco 1600, 2500, 2600, 3620, 3640, 4000, 4500, 4700, AS5RSP7000, 7500

12.0TNAT NAT Phase 2

Cisco 8001, 1400, 1600, 1700, 25002, 2600, 36x0,MC3810,

RSM, Cat5000 RSFC, 7100, 7200, uBR9x0, uBR72003, RSP

12.1NAT NAT Phase 2

Cisco 8001, 1400, 1600, 1700, 25002, 2600, 36x0, MC3810,

RSM, Cat5000 RSFC, 7100, 7200, ubr9x0, uBR72003, RSP

12.1TNAT NAT Phase 2

Cisco 8001, 1400, 16004, 17002,4, 2500, 2600, 36x0, MC381

RSM, Cat5000 RSFC, 7100, 7200, ubr9x0, uBR72003, RSP

12.2 NAT NAT Phase2

Cisco1400, 16011604,

1601R1605R,1720,1750,25012525,2610XM2611XM,2

2620XM2621XM, 2650XM2651XM, 26502651, 3620,3

7200,7500,800,8850RPMPR,AS5300, AS5400,CAT4500

ICS7700,MC3810,SLT,UBR910, 920

12.2TNAT NAT Phase2

Cisco 1710,

1721,1751,1751V,1760,1720,1750,25012525,2610XM2

2620XM2621XM, 2650XM2651XM, 26502651, 3620,3

3725,3745,6400NPR1, 6400NPR2SV,6400NSP,7100

7200,7400,7500,800,8850RPMPR,AS5300, AS5350,AS54

CAT4500AGM, CVA 120, CAT5000RSM, ICS7700,MC

UBR7200,UBR905,925.

12.3NAT NAT Phase2

Cisco 1400, 16011604,1601R1605R,1710,1720,1721,1750,1751V,1751,1760,25

2620XM2621XM, 2650XM2651XM, 26502651,2691, 3

3725,3745,6400NRP1, 6400NRP2SV, 6400 NSP,

7200,7301,7400,7500,800,8850RPMPR,AS5300, AS5350

AS5850 RSC,CAT4224,CAT4500AGM, CVA120, ICS7

SOHO76,77,78, UBR905, 925.

12.3TNAT NAT Phase2

Cisco 1701,1710,1711, 1712,1720,1721,1751V,1751,1760

2620XM2621XM, 2650XM2651XM, 2691, 28X1,3620,3

3725,3745,6400NRP1, 6400NRP2SV, 6400 NSP,

7200,7301,7400,7500,800,8850RPMPR,AS5300, AS5350

AS5850 RSC,CAT4224,CAT4500AGM, CVA120, ICS7

SOHO91, 96,97, UBR905, 925, VG224.,

Note: This information is obtained from the Feature Navigator Tool ( registered customers only) .

No NAT functionality is available on uBR7200 in the service provider (p) software

image. Dynamic Host Configuration Protocol (DHCP) server functionality is

available on uBR7200 in the service provider (p) software image.

In the 2500 starting from Cisco IOS Software 11.2 major release in Enterprise plus

image. Enterprise images do not support NAT.


7/30/2019 NAT FAQs

4/11

In the 2600 starting from Cisco IOS Software 12.2T major release in Enterprise Base

image.

In the 3620 starting from Cisco IOS Software 11.2P major release in Enterprise plus






In the 4500 starting from Cisco IOS Software 11.2 major release in Enterprise plusimage. Enterprise images do not support NAT.

In the AS5300 starting from Cisco IOS Software 11.2P major release in Enterprise

image. AS5800 provides support for NAT. Support for SIP and NAT support for

NetMeeting Directory.

Catalyst 5000 RSM starting from Cisco IOS Software 11.3T major release in

Enterprise image. 7200 NAT is supported starting from Cisco IOS Software 11.2

major release.

7500 NAT is supported starting from 11.2 Major Release.

In the Cisco 3825 and 3845 in IP Base images beginning in Cisco IOS Software

Release 12.3T.

In the 1600 starting from Cisco IOS Software Release 11.3 IP base and the 2500starting from Cisco IOS Software Release 11.3 IP base, NAT is supported.

1 NAT is supported in all Cisco IOS software images for Cisco 800 beginning in

Cisco IOS Software Release 12.0(3)T.

2 NAT is supported in all Cisco IOS software images for Cisco 1700 beginning in

Cisco IOS Software Release 12.2ZH.

3 NAT and DHCP server functionality are only available on the uBR7200 platform in

the Service Provider Plus (ps) software image beginning in Cisco IOS Software

Release 12.0(3)T.

4 All platforms other than uBR7200 require either a J or an O image (Enterprise or

Cisco IOS Firewall respectively) to obtain support for Microsoft's NetMeeting

application within Cisco IOS NAT.

Q. Does NAT occur before or after routing?

A. Insidetooutside translation occurs after routing and outsidetoinside translation occurs

before routing. Refer to NAT Order of Operation for more information.

Q. How is routing awareness learned for IP addresses created usingNAT?

A. Routing for IP addresses created by NAT is learned if:

The inside global address pool is derived from the subnet of a next hop router.

The static route entry is configured in the next hop router and redistributed within

the routing network.

Q. How many concurrent NAT sessions are supported in Cisco IOSNAT?

A. The NAT session limit is bound by the amount of available DRAM in the router. Each

NAT translation consumes about 160 bytes in DRAM. As a result, 10,000 translations (more


7/30/2019 NAT FAQs

5/11

than would generally be handled on a single router) can consume about 1.6 MB. Therefore, a

typical routing platform has more than enough memory to support thousands of NAT

translations.

Q. What kind of routing performance can I expect when I use Cisco IOSNAT?

A. Cisco IOS NAT supports Cisco Express Forwarding (CEF) switching, Fast switching, andProcess switching.

Performance depends on these factors:

The type of application and its type of traffic (does it embed IP addresses?)

Do multiple messages get exchanged that need to be inspected?

Does it require a specific source port or does it negotiate one?

The number of translations.

What else runs on the box at the time?

The type of platform and processor.

For most applications, degradation of performance due to NAT should be negligible.

Q. Can Cisco IOS NAT be applied to subinterfaces?

A. Yes. You can apply source and/or destination NAT translations to any interface or

subinterface that has an IP address (includes dialer interfaces).

Q. Can Cisco IOS NAT be used with HSRP to provide redundant links toan ISP?

A. No. In this scenario and in earlier versions of Cisco IOS, the standby router does not have

the translation table of the active router. Therefore, when the cutover happens, connectionstime out and fail.

In Cisco IOS Software Release 12.2(13)T and later, the Stateful Failover of Network Address

Translation feature can be configured to operate with the Hot Standby Routing Protocol

(HSRP) in order to provide redundancy. Refer to NAT Static Mapping Support with HSRP

for High Availability for additional information.

Q. Does Cisco IOS NAT support inbound translations on a serial trunkthat runs Frame Relay and does it support outbound translations on theEthernet side?

A. Yes.

Q. Can a single NATenabled router allow some users to utilize NAT andallow other users on the same Ethernet interface to continue with theirown IP addresses?

A. Yes. You can accomplish this through the use of an ACL that describes the set of hosts or

networks that require NAT translation. All sessions on the same host are either translated or


7/30/2019 NAT FAQs

6/11

pass through the router and are not translated.

ACLs, extended ACLs, and route maps can be used to define rules for which IP device(s) get

translated. Always specify the network address and appropriate subnet mask. Do not use the

keyword any in place of the network address and subnet mask.

ip nat inside source static 10.1.1.10 140.16.1.254

! Static translation for ns.bar.com DNS server.

ip nat outside source static 10.1.1.10 192.168.1.254

! Static translation for ns.foo.com DNS server.

ip nat pool iga 140.16.1.1 140.16.1.253 netmask 255.255.255.0

! Dynamic IL>IG address xlations.

ip nat pool ola 192.168.1.1 192.168.1.253 netmask 255.255.255.0

! Dynamic OG>OL address xlations.

ip nat inside source list 1 pool iga

ip nat outside source list 2 pool ola

accesslist 1 permit 10.2.17.0 .255.255.255.0

! Translate all traffic from 10.2.17 internal hosts.

accesslist 2 permit 10.0.0.0 255.0.0.0

! Translate all externally originated traffic.

Q. What is PAT, or NAT overloading?

A. PAT, or NAT overloading, is a feature of Cisco IOS NAT and can be used to translate

many internal (inside local) private addresses to one or more outside (inside globalusually

registered) IP addresses. Unique source port numbers on each translation are used to

distinguish between the conversations.

With NAT overload, a translation table entry that contains full address and source port

information is created.

Q. When I configure for PAT (NAT overloading), what is the maximumnumber of translations that I can make for each inside global IPaddress?

A. PAT (NAT overloading) divides the available ports per global IP address into three ranges

of 0511, 5121023, and 102465535. PAT (NAT overloading), assigns a unique source port

for each User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) sessions. It


7/30/2019 NAT FAQs

7/11

attempts to assign the same port value of the original request. However, if the original source

port has already been used, it starts to scan from the start of the particular port range to find

the first available port and assign it to the conversation.

Q. How does PAT work?

A. PAT with one IP address:

NAT/PAT inspects traffic and matches to a translation rule.1.

The rule matches to a PAT configuration.2.

Does PAT know about the traffic type and does that traffic type have a specific set of

ports, or ports it negotiates that it will use? If so, set them aside and do not allocate

them as unique identifiers.

3.

Sessions with no special port requirements attempt to connect out. PAT translates the

IP source address and checks the availability of the originated source port (for

example, 433). Groups are 1511, 5121023, and 102465535.

Note: For TCP and UDP, groups are 1511, 5121023, 102465535. For ICMP the

first group starts at 0.

4.

If the requested source port is available, it assigns the source port and the sessioncontinues.

5.

If the requested source port is not available, NAT starts to search from the beginning

of the relevant group. In this example, starting at 1 for TCP or UDP applications and

0 for ICMP.

6.

If a port is available, it is assigned and the session continues.7.

If no ports are available, the packet is dropped.8.

A2. PAT with multiple IP addresses:

Use the same logic as with a single IP address (steps 1 8) and:

If no ports are available in the relevant group on the first IP address, NAT flips to thenext IP address in the pool and tries to allocate the original source port requested.

1.

If the requested source port is available, it assigns the source port and the session

continues.

2.

If the requested source port is not available, NAT starts to search from the beginning

of the relevant group. This example starts at 1 for TCP or UDP applications and 0 for

ICMP.

3.

If a port is available, it is assigned and the session continues.4.

If no ports are available, the packet is dropped unless another IP address is available

in the pool and until all IP addresses are checked.

5.

Q. What is the maximum number of configurable NAT IP pools (using theip nat pool command)?

A. There is no actual limit. In practical use, however, the maximum number of configurable

IP pools is limited by the amount of available DRAM in the particular router being used.

Q. What is IP address overlapping as discussed within the context ofNAT?


7/30/2019 NAT FAQs

8/11

A. IP address overlapping refers to the situation where two locations that want to

interconnect both use the same IP address scheme. This is not an unusual occurrence, and

often happens when companies merge or are acquired. Without special support, the two

locations are not able to connect and establish sessions. The overlapped IP addresses can be

public addresses assigned to other companies, private addresses assigned to other companies

already, or from the range of private addresses as defined in RFC 1918 . Private IP addresses

are unroutable and require NAT translations to allow for connections to the outside world.

The solution involves intercepting DNS name query responses from the outside to the inside,

setting up a translation for the outside address, and fixing up the DNS response beforeforwarding it onto the inside host. A DNS server is required to be involved on both sides of

the NAT device, to resolve users wanting to connect between both networks.

NAT is able to inspect and perform address translation on the contents of DNS A and PTR

records. Refer to Using NAT in Overlapping Networks for more information.

Q. Is it possible to build a configuration with both static and dynamicNAT translations?

A. Yes, this is possible. The caveat that the global addresses use in static translations are not

automatically excluded with dynamic pools that contain those global addresses. You must

create your dynamic pools to exclude addresses assigned via static entries.

Q. Can IOS support multiple outside NAT tables?

A. Yes, you can do this through the use of route maps. The dynamic translation command

can now specify a route map to be processed instead of an ACL. A route map allows the user

to match any combination of ACLs, nexthop IP addresses, and output interfaces to

determine which pool to use. Refer to NAT Support for Multiple Pools Using Route Maps for

more information on configuring NAT using route maps.

Q. Why do I need to specify a subnet mask when I configure a NATaddress pool?

A. The subnet mask is used to check the addresses allocated from the pool (so you do not

allocate the subnet broadcast address, for example). The subnet mask must match the size of

the subnet into which you translate.

Q. Can I allocate IP addresses from the NAT router's outside interfacesubnet to a dynamic NAT pool?

A. Yes. The NAT router answers ARP requests for these IP addresses in the dynamic pool.

Q. Does a NAT router properly handle ICMP redirects?

A. Yes

Q. Does Cisco NAT support all application traffic?

A. Application traffic is transparent to Cisco IOS NAT unless:


7/30/2019 NAT FAQs

9/11

There are embedded IP addresses in the data portion.

An application requires preset or negotiated source/destination port values.

Cisco IOS NAT performs stateful inspection and needs to have previous knowledge of all

applications that embed and/or require specific source ports.

For instance, Cisco supports the translation of embedded IP addresses in DNS A and PTR

records, and Cisco supports FTP and NetMeeting version 2.11 (4.3.2519) and 3.01 (4.4.3385)

by setting aside the source port values they require. Cisco does not assign those source port

values when using the PAT or overload feature of Cisco IOS NAT.

With embedded IP addresses, Cisco IOS NAT needs to know messages that contain

embedded addresses and the offset within these messages. If the embedded address(es) match

the configured rules, they are translated based on the configuration. An application that

embeds IP addresses (which Cisco IOS NAT does not know about) do not work properly in a

Cisco IOS NAT configuration.

One exception might be where a tunneling protocol such as PointtoPoint Tunneling

Protocol (PPTP) is used. In this case, you do not translate the embedded IP addresses of the

tunneled packets. However, the user has a virtual extension of their home network and uses

the home networks addressing scheme. If this user were to access the outside through theirhome network, the user might choose to apply NAT at this point.

Embedded IP addresses are an issue regardless of the type of translation you have configured

with Cisco IOS NAT (simple, extended, overload, and so forth).

When packets destined to wellknown ports are translated, NAT inspects the packet payload,

translates the embedded IP addresses and creates a full extended translation. This happens

with static and dynamic NAT configurations. This functionality is performed in the

processswitched path and is normal behavior for all protocols that require translation of

embedded IP addresses, including FTP, DNS, Internet Relay Chat (IRC), Simple Network

Management Protocol (SNMP), Lightweight Directory Access Protocol (LDAP), H.323, and

Session Initiation Protocol (SIP).

Preset or negotiated source port values is an issue only when you use the PAT or overload

feature of Cisco IOS NAT. PAT multiplexes multiple IP conversations over one or more IP

addresses, and uses the source port to uniquely identify conversations on each IP address. The

PAT feature needs to set aside all specific port values that you have awareness for in case you

get a conversation for those application types (FTP, NetMeeting, and so forth).

Q. Why does Cisco IOS NAT not support SNMP traffic?

A. The SNMP packet format depends on the particular MIB that is used and is not

selfdescribing. There is no single format for SNMP requests and responses that can be

processed in a general fashion.

Q. How are ARPs handled for IP addresses generated by NAT?

A. Cisco IOS NAT generates an ARP entry for IP addresses created by the NAT that point to

the MAC address of the interface the NAT IP address pool is associated with.

For example, when inside source translation is performed, if the inside global address pool is

associated to the subnet of an outside interface (S0, for example) then ARP entries for these


7/30/2019 NAT FAQs

10/11

IP addresses use the MAC address of S0.

Q. Does Cisco IOS NAT support DNS queries?

A. Yes, Cisco IOS NAT does translate the address(es) which appear in DNS responses to

name lookups (A queries) and inverse lookups (PTR queries). If an outside host sends a

namelookup to a DNS server on the inside, and that server responds with a local address, the

NAT code translates that local address to a global address. The opposite is also true, and is

how Cisco supports IP addresses that overlap. An inside host queries an outside DNS server,

the response contains an address that matches the ACL specified on the outside source

command, and the code translates the outside global address to an outside local address.

Timetolive (TTL) values on all DNS resource records (RRs) which receive address

translations in RR payloads are automatically set to zero.

Cisco IOS NAT does not translate IP addresses embedded in DNS zone transfers.

Q. Does Cisco IOS NAT support ACLs that permit any or all packets?

A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to

identify packets that can be translated. The current NAT architecture does not support the use

of any or all packets in the ACLs used by NAT. If any or all packets are used, then

unexpected behavior can occur.

Q. Why does Active FTP work with static /extended (port forwarding) butit does not work with PAT?

A. The reason is that when you open up the FTP connection you connect to port 21 at the

remote FTP server. But when you do a "ls", "put", get", or anything that needs to use a data

port, the server opens up another connection back to the client. When you open your originalFTP connection from the inside and the router pretends that you are a specific outside IP, and

picks a random port number to use, the FTP server thinks it is talking to that IP address and

that port number. Therefore, when it needs to open up the data connection back, due to the

"get" or "ls", and so forth, it then attempts to open a TCP connection from port 20 to some

random port that the server decides. While on the outside IP it thinks it is talking to, the router

hears traffic directed at its outside IP, but does not have any PAT mapping for that random

port number that the server picked. Therefore, it does not know that this traffic is supposed to

go back to the client.

The port 20 never gets established. The fix is to use "passive FTP" mode. Passive FTP has the

client open both port 21 and port 20 connections from the start. The router knows about both

of them rather than just port 21, and allows the server to open port 20.

Refer to Analysis of the File Transfer Protocol (FTP) for more information on FTP.

You need extended translations for port 20 and 21 with static mappings (example address)

ip nat inside source static tcp 192.168.0.4 20 66.46.64.82 20 extendable

ip nat inside source static tcp 192.168.0.4 21 66.46.64.82 21 extendable

The way that active FTP works does not allow for the use of dynamic NAT. Only static NAT

can be used in this case. This is a limitation of FTP.


7/30/2019 NAT FAQs

11/11

NetPro Discussion Forums Featured Conversations

Networking Professionals Connection is a forum for networking professionals to share questions, suggestions,

and information about networking solutions, products, and technologies. The featured links are some of the

most recent conversations available in this technology.

NetPro Discussion Forums Featured Conversations for RP

Service Providers: MPLS

Virtual Private Networks: Services

Virtual Private Networks: Security

Related Information

NAT Technology Support Pages

Technical Support & Documentation Cisco Systems

All contents are Copyright 19922006 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Updated: Nov 16, 2006 Document ID: 26704


NAT FAQs

Documents

Transcript of NAT FAQs