Configuring Static and Dynamic NAT Translation

Network Address Translation Overview

Network Address Translation (NAT) enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT operates on a device, usually connecting two networks, and translates private (not globally unique) IP addresses in the internal network into legal IP addresses before packets are forwarded to another network. You can configure NAT to advertise only one IP address for the entire network to the outside world. This ability provides additional security, effectively hiding the entire internal network behind one IP address.

A device configured with NAT has at least one interface to the inside network and one to the outside network. In a typical environment, NAT is configured at the exit router between a stub domain and a backbone. When a packet leaves the domain, NAT translates the locally significant source IP address into a globally unique IP address. When a packet enters the domain, NAT translates the globally unique destination IP address into a local IP address. If more than one exit point exists, NAT configured at each point must have the same translation table.

NAT is described in RFC 1631.

Information About Static NAT

Static Network Address Translation (NAT) allows the user to configure one-to-one translations of the inside local IP addresses to inside global IP addresses. It allows both IP addresses and port number translations from the inside to the outside traffic and the outside to the inside traffic. The Cisco Nexus® device supports Hitless NAT, which means that you can add or remove a NAT translation in the NAT configuration without affecting the existing NAT traffic flows.

Static NAT creates a fixed translation of private addresses to public addresses. Because static NAT assigns addresses on a one-to-one basis, you need an equal number of public addresses as private addresses. Because the public address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT enables hosts on the destination network to initiate traffic to a translated host if an access list exists that allows it .

The main difference between static and dynamic NAT is that for dynamic NAT, translations do not exist in the NAT translation table until a device receives traffic that requires translation. Dynamic translations are cleared or timed out when not in use to make space for new entries based on configured and applicable NAT timeouts. Static entries exist all the time irrespective of the device receiving traffic. However, for both static and dynamic NAT, each host can use different address or port for each subsequent translation based on different configurations, like overload.

The figure shows a typical static NAT scenario. The translation is always active so both translated and remote hosts can originate connections, and the mapped address is statically assigned by the static command.

Figure 1. Static NAT

These are key terms to help you understand static NAT:

  • NAT inside interface—The Layer 3 interface that faces the private network.

  • NAT outside interface—The Layer 3 interface that faces the public network.

  • Local address—Any address that appears on the inside (private) portion of the network.

  • Global address—Any address that appears on the outside (public) portion of the network.

  • Legitimate IP address—An address that is assigned by the Network Information Center (NIC) or service provider.

  • Inside local address—The IP address assigned to a host on the inside network. This address does not need to be a legitimate IP address.

  • Outside local address—The IP address of an outside host as it appears to the inside network. It does not have to be a legitimate address, because it is allocated from an address space that can be routed on the inside network.

  • Inside global address—A legitimate IP address that represents one or more inside local IP addresses to the outside world.

  • Outside global address—The IP address that the host owner assigns to a host on the outside network. The address is a legitimate address that is allocated from an address or network space that can be routed.

Dynamic NAT Overview

Dynamic Network Address Translation (NAT) translates a group of real IP addresses into mapped IP addresses that are routable on a destination network. Dynamic NAT establishes a one-to-one mapping between unregistered and registered IP addresses; however, the mapping can vary depending on the registered IP address that is available at the time of communication.

A dynamic NAT configuration automatically creates a firewall between your internal network and outside networks or the Internet. Dynamic NAT allows only connections that originate inside the stub domain—a device on an external network cannot connect to devices in your network, unless your device has initiated the contact.

Dynamic NAT translations do not exist in the NAT translation table until a device receives traffic that requires translation. Dynamic translations are cleared or timed out when not in use to make space for new entries based on configured and applicable NAT timeouts. Usually, NAT translation entries are cleared based on timers. The default minimum timeout for dynamic NAT translations is 3600 seconds.


Note

The ip nat translation sampling-timeout command is not supported. Statistics are collected every 60 seconds for the installed NAT policies. These statistics are used to determine if the flow is active or not.

Dynamic NAT supports Port Address Translation (PAT) and access control lists (ACLs). PAT, also known as overloading, is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports.

Timeout Mechanisms

After dynamic NAT translations are created, they must be cleared when not in use so that newer translations can be created, especially because the number of TCAM entries is limited. This release supports syn-timeout and finrst-timeout . The following NAT translation timeout timers are supported on the switch:

The following NAT translation timeout timers are supported on the switch:

  • syn-timeout —Timeout value for TCP data packets that send the SYN request, but do not receive a SYN-ACK reply. The timeout value ranges from 1 second to 172800 seconds. The default value is 60 seconds.

  • finrst-timeout —Timeout value for the flow entries when a connection is terminated by receiving RST or FIN packets. Use the same keyword to configure the behavior for both RST and FIN packets. The timeout value ranges from 1 second to 172800 seconds. The default value is 60 seconds.

    If a FIN packet is received after the connection is established, SYN >SYN-ACK >FIN, the finrst timer starts.

    If a FIN-ACK is received from the other side, the translation entry is cleared immediately, else it clears after the timeout value completes.

    If an RST packet is received after the connection is established, SYN >SYN-ACK >RST, the translation entry is cleared immediately.

  • tcp-timeout —Timeout value for TCP translations for which connections have been established after a three-way handshake (SYN, SYN-ACK, ACK). If no active flow occurs after the connection has been established, the translations expire as per the configured timeout value.

    The timeout value ranges from 60 seconds to 172800 seconds; default is 3600 seconds.

  • udp-timeout —Timeout value for all NAT UDP packets.

    The timeout value ranges from 60 seconds to 172800 seconds; default is 3600 seconds.

  • timeout—Timeout value for dynamic NAT translations.

    The timeout value ranges from 60 seconds to 172800 seconds; default is 3600 seconds.

  • icmp-timeout— Timeout value for ICMP packets.

    The timeout value ranges from 60 seconds to 172800 seconds; default is 3600 seconds.


Note

When you create dynamic entries without timeouts configured, they take the default timeout of 3600 seconds. After you change the default timeout values to the new values, the translation entries created after will pick up the latest timeout values.

NAT Inside and Outside Addresses

NAT inside refers to networks owned by an organization that must be translated. When NAT is configured, hosts within this network will have addresses in one space (known as the local address space) that will appear to those outside the network as being in another space (known as the global address space).

Similarly, NAT outside refers to those networks to which the stub network connects. They are not generally under the control of the organization. Hosts in outside networks can be subject to translation and can have local and global addresses.

NAT uses the following definitions:

  • Local address—A local IP address that appears on the inside of a network.

  • Global address—A global IP address that appears on the outside of a network.

  • Inside local address—The IP address that is assigned to a host on the inside network. The address is probably not a legitimate IP address assigned by the Internet Network Information Center (InterNIC) or a service provider.

  • Inside global address—A legitimate IP address (assigned by InterNIC or a service provider) that represents one or more inside local IP addresses to the outside world.

  • Outside local address—The IP address of an outside host as it appears to the inside network. The address is not necessarily legitimate; it was allocated from the address space that is routable on the inside.

  • Outside global address—The IP address that is assigned to a host on the outside network by the owner of the host. The address was allocated from a globally routable address or a network space.

Pool Support for Dynamic NAT

Cisco NX-OS provides pool support for dynamic NAT. Dynamic NAT allows the configuration of a pool of global addresses that can be used to dynamically allocate a global address from the pool for every new translation. The addresses are returned to the pool after the session ages out or is closed. This allows for a more efficient use of addresses based on requirements.

Support for PAT includes the use of the global address pool. This further optimizes IP address utilization. PAT exhausts one IP address at a time with the use of port numbers. If no port is available from the appropriate group and more than one IP address is configured, PAT moves to the next IP address and gets the allocation based on the user defined pool (ignoring the source port or attempting to preserve it).

With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation. The main difference between dynamic NAT and static NAT is that static NAT allows a remote host to initiate a connection to a translated host if an access list exists that allows it, while dynamic NAT does not.

Guidelines and Limitations for Static and Dynamic NAT

Static NAT has the following configuration guidelines and limitations:

  • NAT is supported for IPv4 Unicast only.

  • If the translated IP is part of the outside interface subnet, then use the ip proxy-arp command on the NAT outside interface. If the add-route keyword is used, ip proxy-arp should be enabled.

  • The Cisco Nexus device supports NAT on the following interface types:

    • Switch Virtual Interfaces (SVIs)

    • Physical layer 3 interfaces

    • Port channel layer 3 interfaces

  • Non-TCP/ UDP packets are always software translated.

  • show commands with the internal keyword are not supported.

  • If an IP address is used for Static NAT or PAT translations, it cannot be used for any other purpose. For example, it cannot be assigned to an interface.

  • When configuring a large number of translations (more than 100), it is faster to configure the translations before configuring the NAT interfaces.

  • Twice NAT is not supported.

  • Configuring NAT inside and outside rules together is not supported.

  • NAT configurations such as IP NAT inside or IP NAT outside are not supported on loopback interfaces.

Restrictions for Dynamic NAT

The following restrictions apply to dynamic Network Address Translation (NAT):

  • show commands with the internal keyword are not supported.

  • VXLAN routing is not supported on Cisco Nexus devices.

  • Fragmented packets are not supported.

  • Application layer gateway (ALG) translations are not supported. ALG, also known as application-level gateway, is an application that translates IP address information inside the payload of an application packet.

  • Egress ACLs are not applied to translated packets.

  • MIBs are not supported.

  • Cisco Data Center Network Manager (DCNM) is not supported.

  • Multiple global virtual device contexts (VDCs) are not supported on Cisco Nexus devices.

  • Dynamic NAT translations are not synchronized with active and standby devices.

  • Stateful NAT is not supported. However, NAT and Hot Standby Router Protocol (HSRP) can coexist.

  • The timeout value for take up to the configured time-out + 119 seconds.

  • For dynamic NAT, pool overload and interface overload are not supported for the outside NAT.

  • The Cisco Nexus devices does not support NAT and VLAN Access Control Lists (VACLs) that are configured on an interface at the same time.

  • NAT configurations such as ip nat inside or ip nat outside are not supported on loopback interfaces.

Configuring Static NAT

Enabling Static NAT

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# feature nat

Enables the static NAT feature on the device.

Step 3

switch(config)# copy running-config startup-config

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Configuring NAT on an Interface

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# interface type slot/port

Specifies an interface to configure, and enters interface configuration mode.

Step 3

switch(config-if)# ip nat {inside | outside}

Specifies the interface as inside or outside.

Note

 

Only packets that arrive on a marked interface can be translated.

Step 4

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

The following two examples show how to configure NAT from the inside: 


switch# configure terminal
switch(config)# interface ethernet 1/4
switch(config-if)# ip nat inside



switch# configure terminal
switch(config)# interface vlan 100
switch(config-if)# ip nat inside

The following two examples show how to configure NAT from the outside: 


switch# configure terminal
switch(config)# interface ethernet 1/5
switch(config-if)# ip nat outside



switch# configure terminal
switch(config)# interface vlan 102
switch(config-if)# ip nat ouside

Enabling Static NAT for an Inside Source Address

For inside source translation, the source address of the packet gets translated from the inside to the outside interface. On the return traffic, the destination inside global IP address gets translated back to the inside local IP address.


Note

When the Cisco Nexus device is configured to translate an inside source IP address (Src:ip1) to an outside source IP address (newSrc:ip2), the Cisco Nexus device implicitly adds a translation for an outside destination IP address (Dst: ip2) to an inside destination IP address (newDst: ip1).

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# ip nat inside source static local-ip-address global-ip-address [vrf vrf-name] [match-in-vrf] [add-route][group group-id ]

Configures static NAT to translate the inside local address to the inside global address or to translate the opposite (the inside global traffic to the inside local traffic).

Step 3

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to configure static NAT for an inside source address: 

switch# configure terminal
switch(config)# ip nat inside source static 1.1.1.1 5.5.5.5
switch(config)# copy running-config startup-config

Enabling Static NAT for an Outside Source Address

For outside source translation, the destination address gets translated from inside to outside interfaces. On the return traffic, the destination outside global IP address gets translated back to the outside local IP address.

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# ip nat outside source static outsideGlobalIP outsideLocalIP [vrf vrf-name [match-in-vrf] [add-route] ]

Configures static NAT to translate the outside global address to the outside local address or to translate the opposite (the outside local traffic to the outside global traffic). When an inside translation without ports is configured, an implicit add route is performed. The original add route functionality is an option while configuring an outside translation.

Step 3

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example show how to configure static NAT for an outside source address: 

switch# configure terminal
switch(config)# ip nat outside source static 2.2.2.2 6.6.6.6
switch(config)# copy running-config startup-config

Configuring Static PAT for an Inside Source Address

You can map services to specific inside hosts using Port Address Translation (PAT).

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# ip nat inside source static {inside-local-address inside-global-address | {tcp| udp} inside-local-address {local-tcp-port | local-udp-port} inside-global-address {global-tcp-port | global-udp-port}} {vrf vrf-name {match-in-vrf} }

Maps static NAT to an inside local port to an inside global port.

Step 3

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to map UDP services to a specific inside source address and UDP port: 

switch# configure terminal
switch(config)#  ip nat inside source static udp 20.1.9.2 63 35.48.35.48 130
switch(config)# copy running-config startup-config

Configuring Static PAT for an Outside Source Address

You can map services to specific outside hosts using Port Address Translation (PAT).

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# ip nat outside source static {outside-global-address outside-local-address | {tcp | udp} outside-global-address {global-tcp-port | global-udp-port} outside-local-address {global-tcp-port | global-udp-port}} {add-route} {vrf vrf-name {match-in-vrf}}

Maps static NAT to an outside global port to an outside local port.

Step 3

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to map TCP services to a specific outside source address and TCP port: 

switch# configure terminal
switch(config)#  ip nat outside source static tcp 20.1.9.2 63 35.48.35.48 130
switch(config)# copy running-config startup-config

Enabling and Disabling no-alias Configuration

NAT devices own Inside Global (IG) and Outside Local (OL) addresses and they are responsible for responding to any ARP requests directed to these addresses. When the IG/OL address subnet matches with the local interface subnet, NAT installs an IP alias and an ARP entry, in this case the device uses local-proxy-arp to respond to ARP requests.

The no-alias feature responds to ARP requests of all the translated IPs from a given NAT pool address range if the address range is in same subnet of the outside interface.

If no-alias is enabled on an interface with NAT configuration, the outside interface will not respond to any ARP requests in its subnet. When no-alias is disabled, the ARP requests for IPs in same subnet as of outside interface are served.


Note

When you downgrade to any older releases that does not support this feature, configurations with no-alias option may be deleted.

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# feature nat

Enables the static NAT feature on the device.

Step 3

switch(config)# show run nat

Displays NAT configuration.

Step 4

switch(config)# show ip nat-alias

Displays the information whether or not the alias is created.

Note

 

By default, alias is created. To disable the alias, you must append no-alias keyword to the command.

Step 5

switch(config)# clear ip nat-alias ip address/all

Removes entries from alias list. To remove a specific entry you must provide the IP address that you want to remove. To remove all entries, use the all keyword.

Example

This example shows the interface information:

switch# configure terminal
switch(config)# show ip int b
IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Lo0                  100.1.1.1       protocol-up/link-up/admin-up       
Eth1/1               7.7.7.1         protocol-up/link-up/admin-up       
Eth1/3               8.8.8.1         protocol-up/link-up/admin-up

This example shows the running configuration:

switch# configure terminal
switch(config)# show running-config nat
!Command: show running-config nat
!Running configuration last done at: Thu Aug 23 11:57:01 2018
!Time: Thu Aug 23 11:58:13 2018

version 9.2(2) Bios:version 07.64 
feature nat
interface Ethernet1/1
  ip nat inside 
interface Ethernet1/3
  ip nat outside 
switch(config)#

This example shows how to configure alias:

switch# configure terminal
switch(config)# ip nat inside source static 1.1.1.2 8.8.8.3 
switch(config)# ip nat outside source static 2.2.2.1 7.7.7.3 
switch(config)# show ip nat-alias
Alias Information for Context: default
Address         Interface
7.7.7.2          Ethernet1/1
8.8.8.2          Ethernet1/3
switch(config)#

This example shows the output of show ip nat-alias. By default, alias is enabled. 

switch# configure terminal
switch(config)# show ip nat-alias
Alias Information for Context: default
Address         Interface
7.7.7.2          Ethernet1/1
8.8.8.2          Ethernet1/3
switch(config)#

This example shows how to disable alias:

switch# configure terminal
switch(config)# ip nat inside source static 1.1.1.2 8.8.8.3 no-alias
switch(config)# ip nat outside source static 2.2.2.1 7.7.7.3 no-alias
switch(config)# show ip nat-alias
Alias Information for Context: default
Address         Interface
7.7.7.2          Ethernet1/1
8.8.8.2          Ethernet1/3
switch(config)# 

** None of the entry got appended as alias is disabled for above CLIs.
switch(config)#

This example shows how to clear alias. Use clear ip nat-alias to remove an entry from alias list. You can remove a single entry by specifying the IP address or remove all the alias entries. 

switch# configure terminal
switch(config)# clear ip nat-alias address 7.7.7.2
switch(config)# show ip nat-alias
Alias Information for Context: default
Address         Interface
8.8.8.2          Ethernet1/3
switch(config)# 
switch(config)# clear ip nat-alias all
switch(config)# show ip nat-alias
switch(config)#

Configuration Example for Static NAT and PAT

This example shows the configuration for static NAT: 


ip nat inside source static 103.1.1.1 11.3.1.1 
ip nat inside source static 139.1.1.1 11.39.1.1 
ip nat inside source static 141.1.1.1 11.41.1.1 
ip nat inside source static 149.1.1.1 95.1.1.1 
ip nat inside source static 149.2.1.1 96.1.1.1 
ip nat outside source static 95.3.1.1 95.4.1.1 
ip nat outside source static 96.3.1.1 96.4.1.1 
ip nat outside source static 102.1.2.1 51.1.2.1
ip nat outside source static 104.1.1.1 51.3.1.1 
ip nat outside source static 140.1.1.1 51.40.1.1
This example shows the configuration for static PAT: 

ip nat inside source static tcp 10.11.1.1 1 210.11.1.1 101 
ip nat inside source static tcp 10.11.1.1 2 210.11.1.1 201 
ip nat inside source static tcp 10.11.1.1 3 210.11.1.1 301 
ip nat inside source static tcp 10.11.1.1 4 210.11.1.1 401 
ip nat inside source static tcp 10.11.1.1 5 210.11.1.1 501 
ip nat inside source static tcp 10.11.1.1 6 210.11.1.1 601 
ip nat inside source static tcp 10.11.1.1 7 210.11.1.1 701 
ip nat inside source static tcp 10.11.1.1 8 210.11.1.1 801 
ip nat inside source static tcp 10.11.1.1 9 210.11.1.1 901 
ip nat inside source static tcp 10.11.1.1 10 210.11.1.1 1001 
ip nat inside source static tcp 10.11.1.1 11 210.11.1.1 1101 
ip nat inside source static tcp 10.11.1.1 12 210.11.1.1 1201

Verifying the Static NAT Configuration

To display the static NAT configuration, perform this task:

Procedure

Command or Action Purpose

switch# show ip nat translations

Shows the translations for the inside global, inside local, outside local, and outside global IP addresses.

Example

This example shows how to display the static NAT configuration: 


switch# sh ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global

--- ---                ---                51.3.1.1           104.1.1.1
--- ---                ---                95.4.1.1           95.3.1.1
--- ---                ---                96.4.1.1           96.3.1.1
--- ---                ---                51.40.1.1          140.1.1.1
--- ---                ---                51.42.1.1          142.1.2.1
--- ---                ---                51.1.2.1           102.1.2.1
--- 11.1.1.1           101.1.1.1          ---                ---
--- 11.3.1.1           103.1.1.1          ---                ---
--- 11.39.1.1          139.1.1.1          ---                ---
--- 11.41.1.1          141.1.1.1          ---                ---
--- 95.1.1.1           149.1.1.1          ---                ---
--- 96.1.1.1           149.2.1.1          ---                ---
    130.1.1.1:590      30.1.1.100:5000    ---                ---
    130.2.1.1:590      30.2.1.100:5000    ---                ---
    130.3.1.1:590      30.3.1.100:5000    ---                ---
    130.4.1.1:590      30.4.1.100:5000    ---                ---
    130.1.1.1:591      30.1.1.101:5000    ---                ---



switch# sh ip nat translations verbose 
Pro Inside global      Inside local       Outside local      Outside global
any ---                ---                22.1.1.3           22.1.1.2
    Flags:0x200009 time-left(secs):-1 id:0 state:0x0 grp_id:10
any 11.1.1.130         11.1.1.3           ---                ---
    Flags:0x1 time-left(secs):-1 id:0 state:0x0 grp_id:0
any 11.1.1.133         11.1.1.33          ---                ---
    Flags:0x1 time-left(secs):-1 id:0 state:0x0 grp_id:10
any 11.1.1.133         11.1.1.33          22.1.1.3           22.1.1.2
    Flags:0x200009 time-left(secs):-1 id:0 state:0x0 grp_id:0
tcp 10.1.1.100:64490   10.1.1.2:0         20.1.1.2:0         20.1.1.2:0
    Flags:0x82 time-left(secs):43192 id:31 state:0x3 grp_id:0 vrf: default
N3550T-1#

Configuring Dynamic NAT

Configuring Dynamic Translation and Translation Timeouts

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Switch> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Switch# configure terminal

Enters global configuration mode.

Step 3

ip access-list access-list-name

Example:

Switch(config)# ip access-list acl1

Defines an access list and enters access-list configuration mode.

Step 4

permit protocol source source-wildcard any

Example:

Switch(config-acl)# permit ip 10.111.11.0/24 any

Sets conditions in an IP access list that permit traffic matching the conditions.

Step 5

deny protocol source source-wildcard any

Example:

Switch(config-acl)# deny udp 10.111.11.100/32 any

Sets conditions which disallows NAT translation.

Step 6

exit

Example:

Switch(config-acl)# exit

Exits access-list configuration mode and returns to global configuration mode.

Step 7

ip nat inside source list access-list-name interface type number [vrf vrf-name [match-in-vrf] [add-route] [overload]

Example:

Switch(config)# ip nat inside source list acl1 interface ethernet 1/1 overload

Establishes dynamic source translation by specifying the access list defined in Step 3.

Step 8

interface type number

Example:

Switch(config)# interface ethernet 1/4

Configures an interface and enters interface configuration mode.

Step 9

ip address ip-address mask

Example:

Switch(config-if)# ip address 10.111.11.39 255.255.255.0

Sets a primary IP address for the interface.

Step 10

ip nat inside

Example:

Switch(config-if)# ip nat inside

Connects the interface to an inside network, which is subject to NAT.

Note

 

Configuration not supported on loopback interface.

Step 11

exit

Example:

Switch(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 12

interface type number

Example:

Switch(config)# interface ethernet 1/1

Configures an interface and enters interface configuration mode.

Step 13

ip address ip-address mask

Example:

Switch(config-if)# ip address 172.16.232.182 255.255.255.240

Sets a primary IP address for an interface.

Step 14

ip nat outside

Example:

Switch(config-if)# ip nat outside

Connects the interface to an outside network.

Note

 

Configuration not supported on loopback interface.

Step 15

exit

Example:

Switch(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 16

ip nat translation max-entries number-of-entries

Example:

Switch(config)# ip nat translation max-entries 300

Specifies the maximum number of dynamic NAT translations. The number of entries can be between 1 and 1023.

Step 17

ip nat translation timeout seconds

Example:

switch(config)# ip nat translation timeout 13000

Specifies the timeout value for dynamic NAT translations.

Step 18

end

Example:

Switch(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Configuring Dynamic NAT Pool

You can create a NAT pool by either defining the range of IP addresses in a single ip nat pool command or by using the ip nat pool and address commands.

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch (config)# feature nat

Enables the NAT feature on the device.

Step 3

switch (config)# ip nat pool pool-name [startip endip] {prefix prefix-length | netmask network-mask}

Creates a NAT pool with a range of global IP addresses. The IP addresses are filtered by using either a prefix length or a network mask.

Step 4

(Optional) switch (config-ipnat-pool)# address startip endip

(Optional)

Specifies the range of global IP addresses if they were not specified during creation of the pool.

Step 5

(Optional) switch (config)# no ip nat pool pool-name

(Optional)

Deletes the specified NAT pool.

Example

This example shows how to create a NAT pool with a prefix length: 

switch# configure terminal
switch(config)# ip nat pool pool1 30.1.1.1 30.1.1.2 prefix-length 24
switch(config)#

This example shows how to create a NAT pool with a network mask: 

switch# configure terminal
switch(config)# ip nat pool pool5 20.1.1.1 20.1.1.5 netmask 255.255.255.0
switch(config)#

This example shows how to create a NAT pool and define the range of global IP addresses using the ip nat pool and address commands: 

switch# configure terminal
switch(config)# ip nat pool pool7 netmask 255.255.0.0
switch(config-ipnat-pool)# address 40.1.1.1 40.1.1.5
switch(config-ipnat-pool)#

This example shows how to delete a NAT pool: 

switch# configure terminal
switch(config)# no ip nat pool pool4
switch(config)#

Configuring Source Lists

You can configure a source list of IP addresses for the inside interface and the outside interface.

Before you begin

Ensure that you configure a pool before configuring the source list for the pool.

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

(Optional) switch# ip nat inside source list list-name pool pool-name [overload]

(Optional)

Creates a NAT inside source list with pool with or without overloading.

Step 3

(Optional) switch# ip nat outside source list list-name pool pool-name [add-route]

(Optional)

Creates a NAT outside source list with pool without overloading.

Example

This example shows how to create a NAT inside source list with pool without overloading: 

switch# configure terminal
switch(config)# ip nat inside source list list1 pool pool1
switch(config)#

This example shows how to create a NAT inside source list with pool with overloading: 

switch# configure terminal
switch(config)# ip nat inside source list list2 pool pool2 overload
switch(config)#

This example shows how to create a NAT outside source list with pool without overloading: 

switch# configure terminal
switch(config)# ip nat outside source list list3 pool pool3
switch(config)#

Clearing Dynamic NAT Translations

To clear dynamic translations, perform the following task:

Command Purpose
clear ip nat translation [ all | inside global-ip-address local-ip-address [outside local-ip-address global-ip-address] | outside local-ip-address global-ip-address ]

Deletes all or specific dynamic NAT translations.

Example

This example shows how to clear all dynamic translations: 

switch# clear ip nat translation all

This example shows how to clear dynamic translations for inside and outside addresses: 

switch# clear ip nat translation inside 2.2.2.2 4.4.4.4 outside 5.5.5.5 7.7.7.7

Verifying Dynamic NAT Configuration

To display dynamic NAT configuration, perform the following tasks:

Command Purpose

show ip nat translations

Displays active Network Address Translation (NAT) translations.

Displays additional information for each translation table entry, including when an entry was created and used.

show run nat

Displays NAT configuration.

show ip nat max

Displays active Network Address Translation (NAT) maximum values.

show ip nat statistics

Monitor NAT statistics.

Example

This example shows how to display IP NAT Max values: 

switch# show ip nat max

IP NAT Max values
====================
Max Dyn Translations:80
Max all-host:0
No.Static:0
No.Dyn:1
No.Dyn-ICMP:1
====================
Switch(config)#

This example shows how to display NAT Statistics: 

switch# show ip nat statistics

IP NAT Statistics
====================================================
Stats Collected since: Mon Feb 24 18:27:34 2020
----------------------------------------------------
Total active translations: 1
No.Static: 0
No.Dyn:    1
No.Dyn-ICMP:   1 
----------------------------------------------------
Total expired Translations: 0
SYN timer expired:          0 
FIN-RST timer expired:      0 
Inactive timer expired:     0 
----------------------------------------------------
Total Hits:  2                  Total Misses:  2
In-Out Hits: 0                  In-Out Misses: 2 
Out-In Hits: 2                  Out-In Misses: 0 
----------------------------------------------------
Total SW Translated Packets: 2 
In-Out SW Translated: 2
Out-In SW Translated: 0 
----------------------------------------------------
Total SW Dropped Packets: 0 
In-Out SW Dropped: 0
Out-In SW Dropped: 0 

Address alloc. failure drop:      0 
Port alloc.  failure drop:        0 
Dyn. Translation max limit drop:  0
ICMP max limit drop:              0
Allhost max limit drop:           0
----------------------------------------------------
Total TCP session established: 0
Total TCP session closed:      0
----------------------------------------------------
NAT Inside Interfaces:  1 
Ethernet1/34 

NAT Outside Interfaces: 1 
Ethernet1/32 
----------------------------------------------------
Inside source list:
++++++++++++++++++++

Access list: T2      
RefCount: 1
Pool: T2     Overload
Total addresses: 10
Allocated: 1    percentage: 10%
Missed: 0


Outside source list:
++++++++++++++++++++
----------------------------------------------------
====================================================
Switch(config)# 
Switch(config)#


**No.Dyn-ICMP  field is to display the no of icmp dynamic translations , its a subset of  "No.Dyn" field.

Note

Beginning with Cisco NX-OS Release 10.2(3u), the No.Dyn-ICMP field is a subset of No.Dyn field and it displays the number of ICMP dynamic translations.

This example shows how to display running configuration for NAT: 

switch# show run nat

!Command: show running-config nat
!Time: Wed Apr 23 11:17:43 2014

version 6.0(2)A3(1)
feature nat

ip nat inside source list list1 pool pool1
ip nat inside source list list2 pool pool2 overload
ip nat inside source list list7 pool pool7 overload
ip nat outside source list list3 pool pool3
ip nat pool pool1 30.1.1.1 30.1.1.2 prefix-length 24
ip nat pool pool2 10.1.1.1 10.1.1.2 netmask 255.0.255.0
ip nat pool pool3 30.1.1.1 30.1.1.8 prefix-length 24
ip nat pool pool5 20.1.1.1 20.1.1.5 netmask 255.0.255.0
ip nat pool pool7 netmask 255.255.0.0
  address 40.1.1.1 40.1.1.5

This example shows how to display active NAT translations:

Inside pool with overload 

switch# show ip nat translation
Pro  Inside global      Inside local       Outside local      Outside global
icmp 20.1.1.3:64762     10.1.1.2:133       20.1.1.1:0         20.1.1.1:0
icmp 20.1.1.3:64763     10.1.1.2:134       20.1.1.1:0         20.1.1.1:0

Outside pool without overload 

switch# show ip nat translation
Pro  Inside global      Inside local       Outside local      Outside global
any  ---                ---                177.7.1.1:0        77.7.1.64:0
any  ---                ---                40.146.1.1:0       40.46.1.64:0
any  ---                ---                10.4.146.1:0       10.4.46.64:0

Example: Configuring Dynamic Translation and Translation Timeouts

The following example shows how to configure dynamic overload Network Address Translation (NAT) by specifying an access list: 

Switch> enable
Switch# configure terminal
Switch(config)# ip access-list acl1
Switch(config-acl)# permit ip 10.111.11.0/24 any
Switch(config-acl)# deny udp 10.111.11.100/32 any
Switch(config-acl)# exit
Switch(config)# ip nat inside source list acl1 interface ethernet 1/1 overload
Switch(config)# interface ethernet 1/4
Switch(config-if)# ip address 10.111.11.39 255.255.255.0
Switch(config-if)# ip nat inside 
Switch(config-if)# exit
Switch(config)# interface ethernet 1/1
Switch(config-if)# ip address 172.16.232.182 255.255.255.240
Switch(config-if)# ip nat outside 
Switch(config-if)# exit
Switch(config)# ip nat translation max-entries 300
Switch(config)# ip nat translation timeout 13000
Switch(config)# end