| Step | Command or Action | Purpose |
|---|---|---|
| 1 | `enable` | Enables privileged EXEC mode. |
| 2 | `configure terminal` Example: `Switch# configure terminal` | Enters global configuration mode. |
| 3 | `ip access-list access-list-name` Example: `Switch(config)# ip access-list acl1` | Defines an access list and enters access-list configuration mode. |
| 4 | `permit protocol source source-wildcard any` Example: `Switch(config-acl)# permit ip 10.111.11.0/24 any` | Sets conditions in an IP access list that permit traffic matching the conditions. |
| 5 | `deny protocol source source-wildcard any` Example: `Switch(config-acl)# deny udp 10.111.11.100/32 any` | Sets conditions in an IP access list that deny packets from entering a network. In a NAT access list the deny rule is treated as a permit rule: packets matching the criteria in the deny rule are forwarded without NAT translation. |
| 6 | `exit` | Exits access-list configuration mode and returns to global configuration mode. |
| 7 | `ip nat inside source list access-list-name interface type number [vrf vrf-name [match-in-vrf]] [add-route] [overload]` Example: `Switch(config)# ip nat inside source list acl1 interface ethernet 1/1 overload` | Establishes dynamic source translation by specifying the access list defined in Step 3. |
| 8 | `hardware profile racl priority toggle` Example: `Switch(config)# hardware profile racl priority toggle` | Increases RACL priority over NAT/VACL. You need to reload the device after configuring this command. |
| 9 | `interface type number` Example: `Switch(config)# interface ethernet 1/4` | Configures an interface and enters interface configuration mode. |
| 10 | `ip address ip-address mask` Example: `Switch(config-if)# ip address 10.111.11.39 255.255.255.0` | Sets a primary IP address for the interface. |
| 11 | `ip nat inside` Example: `Switch(config-if)# ip nat inside` | Connects the interface to an inside network, which is subject to NAT. Note: This configuration is not supported on a loopback interface. |
| 12 | `exit` | Exits interface configuration mode and returns to global configuration mode. |
| 13 | `interface type number` Example: `Switch(config)# interface ethernet 1/1` | Configures an interface and enters interface configuration mode. |
| 14 | `ip address ip-address mask` Example: `Switch(config-if)# ip address 172.16.232.182 255.255.255.240` | Sets a primary IP address for the interface. |
| 15 | `ip nat outside` Example: `Switch(config-if)# ip nat outside` | Connects the interface to an outside network. Note: This configuration is not supported on a loopback interface. |
| 16 | `exit` | Exits interface configuration mode and returns to global configuration mode. |
| 17 | `ip nat translation tcp-timeout seconds` Example: `Switch(config)# ip nat translation tcp-timeout 50000` | Specifies the timeout value for TCP-based dynamic NAT entries. |
| 18 | `ip nat translation max-entries [all-host] number-of-entries` Example: `Switch(config)# ip nat translation max-entries 300` | Specifies the maximum number of dynamic NAT translations. The number of entries can be between 1 and 1023. The `all-host` keyword enforces this translation limit on every host; the number of entries per host can be between 1 and 1023. |
| 19 | `ip nat translation udp-timeout seconds` Example: `Switch(config)# ip nat translation udp-timeout 45000` | Specifies the timeout value for UDP-based dynamic NAT entries. |
| 20 | `ip nat translation timeout seconds` Example: `Switch(config)# ip nat translation timeout 13000` | Specifies the timeout value for dynamic NAT translations. |
| 21 | `ip nat translation creation-delay seconds` Example: `Switch(config)# ip nat translation creation-delay 250` | Specifies the creation delay for programming dynamic NAT translations in hardware. Note: To reduce how often NAT entries are programmed in the hardware, NAT batches the translations and programs them once per second. Programming the hardware frequently burdens the CPU, but delaying the programming delays session establishment. You can disable batching or reduce the creation delay with this command. Setting the creation delay to 0 is not recommended. |
| 22 | `ip nat translation icmp-timeout seconds` Example: `Switch(config)# ip nat translation icmp-timeout 100` | Specifies the ICMP timeout value for dynamic NAT translations. |
| 23 | `ip nat translation syn-timeout {seconds \| never}` Example: `Switch(config)# ip nat translation syn-timeout 20` | Specifies the timeout value for TCP flows that have sent a SYN but have not received a SYN-ACK reply. The timeout value ranges from 1 second to 172800 seconds; the default is 60 seconds. The `never` keyword specifies that the SYN timer is not run. |
| 24 | `ip nat translation finrst-timeout {seconds \| never}` Example: `Switch(config)# ip nat translation finrst-timeout 30` | Specifies the timeout value for flow entries when a connection is terminated by receiving finish (FIN) or reset (RST) packets. The same keyword configures the behavior for both RST and FIN packets. The timeout value ranges from 1 second to 172800 seconds; the default is 60 seconds. The `never` keyword specifies that the FIN or RST timer is not run. |
| 25 | `end` | Exits global configuration mode and returns to privileged EXEC mode. |
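The procedure above carries several constraints a reviewer should check before a NAT configuration is applied: `ip nat inside`/`ip nat outside` are not supported on loopback interfaces, `max-entries` must be 1 to 1023, `syn-timeout` and `finrst-timeout` must be 1 to 172800 seconds or `never`, a `creation-delay` of 0 is not recommended, and a `deny` in the NAT access list does not block traffic but lets matching packets through untranslated. The following added example (not part of the original procedure or any Cisco tool) is a hypothetical linter that scans a saved NX-OS configuration fragment for those conditions; the sample configuration it runs on is constructed for illustration.

```python
import re

def lint_nat_config(config_text):
    """Return findings for an NX-OS NAT config fragment (hypothetical checker,
    limits taken from the procedure's Purpose column)."""
    findings, iface, acl = [], None, None
    nat_acls, acl_denies = set(), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (.+)$", line):
            iface, acl = m.group(1), None  # entering interface config mode
        elif m := re.match(r"ip access-list (\S+)$", line):
            acl, iface = m.group(1), None  # entering access-list config mode
        elif acl and line.startswith("deny "):
            acl_denies.setdefault(acl, []).append(line)
        elif iface and line in ("ip nat inside", "ip nat outside"):
            if iface.lower().startswith("loopback"):
                findings.append(f"{iface}: '{line}' is not supported on a loopback interface")
        elif m := re.match(r"ip nat inside source list (\S+) interface", line):
            nat_acls.add(m.group(1))
        elif m := re.match(r"ip nat translation (syn-timeout|finrst-timeout) (\S+)$", line):
            # Valid values: 1-172800 seconds or the keyword 'never'.
            if m.group(2) != "never" and not 1 <= int(m.group(2)) <= 172800:
                findings.append(f"{m.group(1)} {m.group(2)}: must be 1-172800 seconds or 'never'")
        elif m := re.match(r"ip nat translation max-entries (?:all-host )?(\d+)$", line):
            if not 1 <= int(m.group(1)) <= 1023:
                findings.append(f"max-entries {m.group(1)}: must be between 1 and 1023")
        elif line == "ip nat translation creation-delay 0":
            findings.append("creation-delay 0: disables batching; not recommended")
    # A deny in a NAT ACL does not drop traffic: matching packets are forwarded untranslated.
    for name in sorted(nat_acls):
        for rule in acl_denies.get(name, []):
            findings.append(f"ACL {name}: '{rule}' does not block traffic; matches bypass NAT untranslated")
    return findings

# Constructed sample: deliberately includes each condition the checker reports on.
SAMPLE_CONFIG = """\
ip access-list acl1
  permit ip 10.111.11.0/24 any
  deny udp 10.111.11.100/32 any
ip nat inside source list acl1 interface ethernet 1/1 overload
interface loopback0
  ip nat inside
interface ethernet 1/4
  ip nat inside
ip nat translation max-entries all-host 2000
ip nat translation syn-timeout 20
ip nat translation finrst-timeout 0
ip nat translation creation-delay 0
"""
```

Running `lint_nat_config(SAMPLE_CONFIG)` returns five findings: the loopback interface, the out-of-range `max-entries` and `finrst-timeout`, the zero `creation-delay`, and the deny rule in `acl1` that only exempts traffic from translation.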