Configuring Static and Dynamic NAT Translation

This chapter contains the following sections:
• Network Address Translation Overview, page 1
• Information About Static NAT, page 2
• Static Twice NAT Overview, page 3
• Dynamic NAT Overview, page 3
• Licensing Requirements for Static NAT, page 4
• Guidelines and Limitations for Static NAT, page 4
• Restrictions for Dynamic NAT, page 5
• Configuring Static NAT, page 6
• Configuring Dynamic NAT, page 14
Network Address Translation Overview
Network Address Translation (NAT) enables private IP internetworks that use nonregistered IP addresses to
connect to the Internet. NAT operates on a device, usually connecting two networks, and translates private
(not globally unique) IP addresses in the internal network into legal IP addresses before packets are forwarded
to another network. You can configure NAT to advertise only one IP address for the entire network to the
outside world. This ability provides additional security, effectively hiding the entire internal network behind
one IP address.
A device configured with NAT has at least one interface to the inside network and one to the outside network.
In a typical environment, NAT is configured at the exit router between a stub domain and a backbone. When
a packet leaves the domain, NAT translates the locally significant source IP address into a globally unique IP
address. When a packet enters the domain, NAT translates the globally unique destination IP address into a
local IP address. If more than one exit point exists, NAT configured at each point must have the same translation
table.
NAT is described in RFC 1631.
Cisco Nexus 6000 Series NX-OS Interfaces Configuration Guide, Release 7.x
OL-30916-01
Information About Static NAT
Static Network Address Translation (NAT) allows the user to configure one-to-one translations of the inside
local addresses to the outside global addresses. It allows both IP addresses and port number translations from
the inside to the outside traffic and the outside to the inside traffic. The Cisco Nexus device supports Hitless
NAT, which means that you can add or remove a NAT translation in the NAT configuration without affecting
the existing NAT traffic flows.
Static NAT creates a fixed translation of private addresses to public addresses. Because static NAT assigns
addresses on a one-to-one basis, you need an equal number of public addresses as private addresses. Because
the public address is the same for each consecutive connection with static NAT, and a persistent translation
rule exists, static NAT enables hosts on the destination network to initiate traffic to a translated host if an
access list exists that allows it.
With dynamic NAT and Port Address Translation (PAT), each host uses a different address or port for each
subsequent translation. The main difference between dynamic NAT and static NAT is that static NAT allows
a remote host to initiate a connection to a translated host if an access list exists that allows it, while dynamic
NAT does not.
The figure shows a typical static NAT scenario. The translation is always active so both translated and remote
hosts can originate connections, and the mapped address is statically assigned by the static command.
Figure 1: Static NAT
These are key terms to help you understand static NAT:
• NAT inside interface—The Layer 3 interface that faces the private network.
• NAT outside interface—The Layer 3 interface that faces the public network.
• Local address—Any address that appears on the inside (private) portion of the network.
• Global address—Any address that appears on the outside (public) portion of the network.
• Legitimate IP address—An address that is assigned by the Network Information Center (NIC) or service
provider.
• Inside local address—The IP address assigned to a host on the inside network. This address does not
need to be a legitimate IP address.
• Outside local address—The IP address of an outside host as it appears to the inside network. It does not
have to be a legitimate address, because it is allocated from an address space that can be routed on the
inside network.
• Inside global address—A legitimate IP address that represents one or more inside local IP addresses to
the outside world.
• Outside global address—The IP address that the host owner assigns to a host on the outside network.
The address is a legitimate address that is allocated from an address or network space that can be routed.
Static Twice NAT Overview
When both the source IP address and the destination IP address are translated as a single packet that goes
through a Network Address Translation (NAT) device, it is referred to as twice NAT. Twice NAT is supported
only for static translations.
Twice NAT allows you to configure two NAT translations (one inside and one outside) as part of a group of
translations. These translations can be applied to a single packet as it flows through a NAT device. When you
add two translations as part of a group, both the individual translations and the combined translation take
effect.
A NAT inside translation modifies the source IP address and port number when a packet flows from inside
to outside. It modifies the destination IP address and port number when the packet returns from outside to
inside. NAT outside translation modifies the source IP address and port number when the packet flows from
outside to inside, and it modifies the destination IP address and port number when the packet returns from
inside to outside.
Without twice NAT, only one of the translation rules is applied on a packet, either the source IP address and
port number or the destination IP address and port number.
Static NAT translations that belong to the same group are considered for twice NAT configuration. If a static
configuration does not have a configured group ID, the twice NAT configuration will not work. All inside
and outside NAT translations that belong to a single group that is identified by the group ID are paired to
form twice NAT translations.
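The pairing rule above, modeled as an added Python example (not Cisco's code): one static inside rule and one static outside rule are applied to a packet in each direction, and both rewrites land on the same packet only when the two rules carry the same group ID. Which single rule wins when two ungrouped rules both match is not stated in the chapter and is an assumption of this model.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class StaticRule:
    # kind "inside":  local = inside local address,  glob = inside global address
    # kind "outside": glob  = outside global address, local = outside local address
    kind: str
    local: str
    glob: str
    group: Optional[int] = None


def _find(rules: List[StaticRule], kind: str, attr: str, value: str) -> Optional[StaticRule]:
    return next((r for r in rules if r.kind == kind and getattr(r, attr) == value), None)


def translate(pkt: Packet, rules: List[StaticRule], direction: str) -> Packet:
    """Rewrite one packet header; direction is 'in2out' or 'out2in'."""
    if direction == "in2out":
        # Inside rule: source inside local -> inside global.
        # Outside rule on return traffic: destination outside local -> outside global.
        src_rule = _find(rules, "inside", "local", pkt.src)
        dst_rule = _find(rules, "outside", "local", pkt.dst)
        new_src = src_rule.glob if src_rule else pkt.src
        new_dst = dst_rule.glob if dst_rule else pkt.dst
    elif direction == "out2in":
        # Outside rule: source outside global -> outside local.
        # Inside rule on return traffic: destination inside global -> inside local
        # (the implicit reverse translation the chapter describes).
        src_rule = _find(rules, "outside", "glob", pkt.src)
        dst_rule = _find(rules, "inside", "glob", pkt.dst)
        new_src = src_rule.local if src_rule else pkt.src
        new_dst = dst_rule.local if dst_rule else pkt.dst
    else:
        raise ValueError(f"unknown direction {direction!r}")

    both = src_rule is not None and dst_rule is not None
    paired = both and src_rule.group is not None and src_rule.group == dst_rule.group
    if both and not paired:
        # Without twice NAT only one rule is applied to a packet. The chapter does not
        # say which one the hardware picks; this model assumes the source rewrite wins.
        new_dst = pkt.dst
    return Packet(new_src, new_dst)


# Constructed from the chapter's twice NAT example: both rules belong to group 4.
GROUPED = [
    StaticRule("inside", local="10.1.1.1", glob="192.168.34.4", group=4),
    StaticRule("outside", local="10.3.2.42", glob="209.165.201.1", group=4),
]
# The same rules without a group ID: twice NAT does not take effect.
UNGROUPED = [StaticRule(r.kind, r.local, r.glob) for r in GROUPED]


def demo():
    out = translate(Packet("10.1.1.1", "10.3.2.42"), GROUPED, "in2out")
    back = translate(Packet("209.165.201.1", "192.168.34.4"), GROUPED, "out2in")
    single = translate(Packet("10.1.1.1", "10.3.2.42"), UNGROUPED, "in2out")
    return out, back, single


if __name__ == "__main__":
    for label, p in zip(("twice NAT in2out", "twice NAT out2in", "ungrouped in2out"), demo()):
        print(f"{label}: src={p.src} dst={p.dst}")
```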
Dynamic NAT Overview
Dynamic Network Address Translation (NAT) translates a group of real IP addresses into mapped IP addresses
that are routable on a destination network. Dynamic NAT establishes a one-to-one mapping between
unregistered and registered IP addresses; however, the mapping can vary depending on the registered IP
address that is available at the time of communication.
A dynamic NAT configuration automatically creates a firewall between your internal network and outside
networks or the Internet. Dynamic NAT allows only connections that originate inside the stub domain—a
device on an external network cannot connect to devices in your network, unless your device has initiated the
contact.
Dynamic NAT translations do not exist in the NAT translation table until a device receives traffic that requires
translation. Dynamic translations are cleared or timed out when not in use to make space for new entries.
Usually, NAT translation entries are cleared when the ternary content addressable memory (TCAM) entries
are limited. The default minimum timeout for dynamic NAT translations is 30 minutes.
When you create dynamic entries without timeouts configured, they take the default timeout of one hour. If
you enter the clear ip nat translations all command after configuring timeouts, the configured timeout takes
effect. The timeout can be configured from 1 to 172800 seconds.
Dynamic NAT supports Port Address Translation (PAT) and access control lists (ACLs). PAT, also known
as overloading, is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered
IP address by using different ports. Your NAT configuration can have multiple dynamic NAT translations
with same or different ACLs. However, for a given ACL, only one interface can be specified.
For aging, there are three different options that can be configured:
• Time-out: applies to all types of flows (both TCP and UDP)
• TCP time-out: applies only to TCP flows
• UDP time-out: applies only to UDP flows
Licensing Requirements for Static NAT
This table shows the licensing requirements for static NAT.
Product: Cisco NX-OS
License Requirement: Static and Dynamic NAT require a LAN BASE SERVICES license.
Guidelines and Limitations for Static NAT
Static NAT has the following configuration guidelines and limitations:
• NAT supports up to 1024 translations which include both static and dynamic NAT.
• The Cisco Nexus device supports NAT on the following interface types:
◦ Switch Virtual Interfaces (SVIs)
◦ Routed ports
◦ Layer 3 port channels and subinterfaces
◦ Layer 3 and Layer 3 subinterfaces
• NAT is supported on the default Virtual Routing and Forwarding (VRF) table only.
• NAT is supported for IPv4 Unicast only.
• The Cisco Nexus device does not support the following:
◦ Software translation. All translations are done in the hardware.
◦ Application layer translation. Layer 4 and other embedded IPs are not translated, including FTP,
ICMP failures, IPSec, and HTTPs.
◦ NAT and VLAN Access Control Lists (VACLs) that are configured on an interface at the same
time.
◦ PAT translation of fragmented IP packets.
◦ NAT translation on software forwarded packets. For example, packets with IP-options are not
NAT translated.
• Egress ACLs are applied to the original packets and not the NAT translated packets.
• By default, NAT does not have any reservation in TCAM. You need to reserve the space for NAT in
the VACL region of TCAM by using the hardware profile tcam feature nat limit command.
• HSRP and VRRP are not supported on a NAT interface.
• Warp mode latency performance is not supported on packets coming from the outside to the inside
domain.
• If an IP address is used for Static NAT or PAT translations, it cannot be used for any other purpose. For
example, it cannot be assigned to an interface.
• For Static NAT, the outside global IP address should be different from the outside interface IP address.
• Twice NAT is not supported. (Twice NAT is a variation of NAT in which both the source and destination
addresses are modified by NAT as a datagram crosses address domains, inside to outside or outside to
inside.)
• NAT statistics are not available.
• When configuring a large number of translations (more than 100), it is faster to configure the translations
before configuring the NAT interfaces.
Restrictions for Dynamic NAT
The following restrictions apply to dynamic Network Address Translation (NAT):
• Fragmented packets are not supported.
• Application layer gateway (ALG) translations are not supported. ALG, also known as application-level
gateway, is an application that translates IP address information inside the payload of an application
packet.
• NAT and virtual access control lists (ACLs) are not supported together on an interface. You can configure
either NAT or virtual ACL on an interface.
• Egress ACLs are not applied to translated packets.
• Nondefault virtual routing and forwarding (VRF) instances are not supported.
• MIBs are not supported.
• Cisco Data Center Network Manager (DCNM) is not supported.
• Multiple global virtual device contexts (VDCs) are not supported on Cisco Nexus devices.
• Dynamic NAT on traffic coming from outside domains is not supported.
• Dynamic NAT translations are not synchronized with active and standby devices.
• Stateful NAT is not supported. However, NAT and Hot Standby Router Protocol (HSRP) can coexist.
• Dynamic NAT translations are only supported for overloading to an interface.
• The Cisco Nexus device does not support dynamic translation with IP pool.
• The timeout value can take up to the configured time-out + 119 seconds.
• TCAM entries for dynamic translations are not deleted when you delete the ACE in the ACL. When you
delete the dynamic ACE, no new translations take place. Whatever translations were already done stay until
they are timed out or manually cleared.
Configuring Static NAT
Enabling Static NAT
Procedure
Step 1  switch# configure terminal
        Enters global configuration mode.
Step 2  switch(config)# feature nat
        Enables the static NAT feature on the device.
Step 3  switch(config)# copy running-config startup-config
        (Optional) Saves the change persistently through reboots and restarts by copying the running
        configuration to the startup configuration.
Configuring Static NAT on an Interface
Procedure
Step 1  switch# configure terminal
        Enters global configuration mode.
Step 2  switch(config)# interface type slot/port
        Specifies an interface to configure, and enters interface configuration mode.
Step 3  switch(config-if)# ip nat {inside | outside}
        Specifies the interface as inside or outside.
        Note: Only packets that arrive on a marked interface can be translated.
Step 4  switch(config)# copy running-config startup-config
        (Optional) Saves the change persistently through reboots and restarts by copying the running
        configuration to the startup configuration.
This example shows how to configure an interface with static NAT from the inside:
switch# configure terminal
switch(config)# interface ethernet 1/4
switch(config-if)# ip nat inside
Enabling Static NAT for an Inside Source Address
For inside source translation, the traffic flows from inside interface to the outside interface. NAT translates
the inside local IP address to the inside global IP address. On the return traffic, the destination inside global
IP address gets translated back to the inside local IP address.
Note
When the Cisco Nexus device is configured to translate an inside source IP address (Src:ip1) to an outside
source IP address (newSrc:ip2), the Cisco Nexus device implicitly adds a translation for an outside
destination IP address (Dst: ip2) to an inside destination IP address (newDst: ip1).
Procedure
Step 1  switch# configure terminal
        Enters global configuration mode.
Step 2  switch(config)# ip nat inside source static local-ip-address global-ip-address
        Configures static NAT to translate the inside global address to the inside local address or to translate
        the opposite (the inside local traffic to the inside global traffic).
Step 3  switch(config)# copy running-config startup-config
        (Optional) Saves the change persistently through reboots and restarts by copying the running
        configuration to the startup configuration.
This example shows how to configure static NAT for an inside source address:
switch# configure terminal
switch(config)# ip nat inside source static 1.1.1.1 5.5.5.5
switch(config)# copy running-config startup-config
Enabling Static NAT for an Outside Source Address
For outside source translation, the traffic flows from the outside interface to the inside interface. NAT translates
the outside global IP address to the outside local IP address. On the return traffic, the destination outside local
IP address gets translated back to outside global IP address.
Procedure
Step 1  switch# configure terminal
        Enters global configuration mode.
Step 2  switch(config)# ip nat outside source static global-ip-address local-ip-address [add-route]
        Configures static NAT to translate the outside global address to the outside local address or to
        translate the opposite (the outside local traffic to the outside global traffic). When an inside
        translation without ports is configured, an implicit add route is performed. The original add route
        functionality is an option while configuring an outside translation.
Step 3  switch(config)# copy running-config startup-config
        (Optional) Saves the change persistently through reboots and restarts by copying the running
        configuration to the startup configuration.
This example shows how to configure static NAT for an outside source address:
switch# configure terminal
switch(config)# ip nat outside source static 2.2.2.2 6.6.6.6
switch(config)# copy running-config startup-config
Configuring Static PAT for an Inside Source Address
You can map services to specific inside hosts using Port Address Translation (PAT).
Procedure
Step 1  switch# configure terminal
        Enters global configuration mode.
Step 2  switch(config)# ip nat inside source static {inside-local-address outside-local-address | {tcp |
        udp} inside-local-address {local-tcp-port | local-udp-port} inside-global-address
        {global-tcp-port | global-udp-port}}
        Maps an inside local port to an inside global port with static NAT.
Step 3  switch(config)# copy running-config startup-config
        (Optional) Saves the change persistently through reboots and restarts by copying the running
        configuration to the startup configuration.
This example shows how to map UDP services to a specific inside source address and UDP port:
switch# configure terminal
switch(config)# ip nat inside source static udp 20.1.9.2 63 35.48.35.48 130
switch(config)# copy running-config startup-config
Configuring Static PAT for an Outside Source Address
You can map services to specific outside hosts using Port Address Translation (PAT).
Procedure
Step 1  switch# configure terminal
        Enters global configuration mode.
Step 2  switch(config)# ip nat outside source static {outside-global-address outside-local-address |
        {tcp | udp} outside-global-address {global-tcp-port | global-udp-port} outside-local-address
        {global-tcp-port | global-udp-port}}
        Maps an outside global port to an outside local port with static NAT.
Step 3  switch(config)# copy running-config startup-config
        (Optional) Saves the change persistently through reboots and restarts by copying the running
        configuration to the startup configuration.
This example shows how to map TCP services to a specific outside source address and TCP port:
switch# configure terminal
switch(config)# ip nat outside source static tcp 20.1.9.2 63 35.48.35.48 130
switch(config)# copy running-config startup-config
Configuring Static Twice NAT
All translations within the same group are considered for creating static twice Network Address Translation
(NAT) rules.
Procedure
Step 1  enable
        Enables privileged EXEC mode.
        • Enter your password if prompted.
        Example:
        Switch> enable
Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal
Step 3  ip nat inside source static inside-local-ip-address outside-global-ip-address [group group-id]
        Configures static twice NAT to translate an inside global address to an inside local address or to
        translate inside local traffic to inside global traffic.
        • The group keyword determines the group to which a translation belongs.
        Example:
        Switch(config)# ip nat inside source static 10.1.1.1 192.168.34.4 group 4
Step 4  ip nat outside source static inside-local-ip-address outside-global-ip-address [group group-id]
        [add-route]
        Configures static twice NAT to translate an outside global address to an inside local address or to
        translate inside local traffic to inside global traffic.
        • The group keyword determines the group to which a translation belongs.
        Example:
        Switch(config)# ip nat outside source static 209.165.201.1 10.3.2.42 group 4 add-route
Step 5  interface type number
        Configures an interface and enters interface configuration mode.
        Example:
        Switch(config)# interface ethernet 1/2
Step 6  ip address ip-address mask
        Sets a primary IP address for an interface.
        Example:
        Switch(config-if)# ip address 10.2.4.1 255.255.255.0
Step 7  ip nat {inside | outside}
        Connects the interface to an inside network, which is subject to NAT.
        Example:
        Switch(config-if)# ip nat inside
Step 8  end
        Exits interface configuration mode and returns to privileged EXEC mode.
        Example:
        Switch(config-if)# end
Configuring Static Twice NAT for an Outside Source Address
All translations within the same group are considered for creating the static Twice Network Address Translation
(NAT) rules. You can use all combinations for inside and outside NAT translation as Twice NAT rules.
Procedure
Step 1  enable
        Enables privileged EXEC mode.
        • Enter your password if prompted.
        Example:
        switch> enable
Step 2  configure terminal
        Enters global configuration mode.
        Example:
        switch# configure terminal
Step 3  ip nat outside source static local-ip-address global-ip-address [group group-id]
        Configures static twice NAT to translate the inside global address to the inside local address or to
        translate the outside local traffic to the outside global traffic.
        • The group keyword determines the group to which a translation belongs.
        Example:
        switch(config)# ip nat outside source static 10.1.1.1 192.168.34.4 group 4
Step 4  interface type number
        Configures an interface and enters interface configuration mode.
        Example:
        switch(config)# interface ethernet 1/2
Step 5  ip address ip-address mask
        Sets a primary IP address for the interface.
        Example:
        switch(config-if)# ip address 10.2.4.1 255.255.255.0
Step 6  ip nat {inside | outside}
        Connects the interface to the inside network, which is subject to NAT.
        Example:
        switch(config-if)# ip nat outside
Step 7  end
        Exits interface configuration mode and returns to privileged EXEC mode.
        Example:
        switch(config-if)# end
Configuring the NAT Limit
To configure the NAT limit to a specific value, the VACL region of the TCAMs in all of the ASICs cannot
have any VACLs configured below that value. For example, to configure the NAT limit to 400 the VACL
region of the TCAMs in all of the ASICs cannot have any VACL configured below offset 400. If there are
any VACLs below the NAT limit, the command checks if all current VACLs can be accommodated with the
NAT limit upon switch reload. If the command completes, you are asked to reload the switch.
Procedure
Step 1  switch# configure terminal
        Enters global configuration mode.
Step 2  switch(config)# hardware profile tcam feature nat limit tcam-size
        Configures the NAT TCAM limit. The valid range of tcam-size is from 2 to 2048.
Step 3  switch(config)# show hardware profile tcam feature nat limit tcam-size
        Displays the NAT limit.
Step 4  switch(config)# copy running-config startup-config
        (Optional) Saves the change persistently through reboots and restarts by copying the running
        configuration to the startup configuration.
The following example shows how to configure the NAT limit to 400.
switch# configure terminal
switch(config)# hardware profile tcam feature nat limit 400
switch(config)# show hardware profile tcam feature nat limit 400
switch(config)# copy running-config startup-config
Configuration Example for Static NAT and PAT
This example shows the configuration for static NAT:
ip nat inside source static 103.1.1.1 11.3.1.1
ip nat inside source static 139.1.1.1 11.39.1.1
ip nat inside source static 141.1.1.1 11.41.1.1
ip nat inside source static 149.1.1.1 95.1.1.1
ip nat inside source static 149.2.1.1 96.1.1.1
ip nat outside source static 95.3.1.1 95.4.1.1
ip nat outside source static 96.3.1.1 96.4.1.1
ip nat outside source static 102.1.2.1 51.1.2.1
ip nat outside source static 104.1.1.1 51.3.1.1
ip nat outside source static 140.1.1.1 51.40.1.1
This example shows the configuration for static PAT:
ip nat inside source static tcp 10.11.1.1 1 210.11.1.1 101
ip nat inside source static tcp 10.11.1.1 2 210.11.1.1 201
ip nat inside source static tcp 10.11.1.1 3 210.11.1.1 301
ip nat inside source static tcp 10.11.1.1 4 210.11.1.1 401
ip nat inside source static tcp 10.11.1.1 5 210.11.1.1 501
ip nat inside source static tcp 10.11.1.1 6 210.11.1.1 601
ip nat inside source static tcp 10.11.1.1 7 210.11.1.1 701
ip nat inside source static tcp 10.11.1.1 8 210.11.1.1 801
ip nat inside source static tcp 10.11.1.1 9 210.11.1.1 901
ip nat inside source static tcp 10.11.1.1 10 210.11.1.1 1001
ip nat inside source static tcp 10.11.1.1 11 210.11.1.1 1101
ip nat inside source static tcp 10.11.1.1 12 210.11.1.1 1201
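An added Python audit (not a Cisco tool) that parses static translation, TCAM limit and interface lines in the syntax shown in this chapter and reports violations of the guidelines stated above: the 1024-translation limit, the missing or out-of-range NAT TCAM reservation (2 to 2048), a translation address that is also assigned to an interface, no interface marked inside or outside, and a twice NAT group with no partner to pair with. The sample configuration is constructed, and the regexes are assumptions about the command syntax on the page.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Regexes are assumptions based on the command syntax shown in this chapter.
STATIC_RE = re.compile(
    r"^ip nat (?P<kind>inside|outside) source static(?: (?P<proto>tcp|udp))?"
    r" (?P<a>\d+(?:\.\d+){3})(?: \d+)? (?P<b>\d+(?:\.\d+){3})(?: \d+)?"
    r"(?: group (?P<group>\d+))?(?: add-route)?$")
LIMIT_RE = re.compile(r"^hardware profile tcam feature nat limit (\d+)$")
IFACE_RE = re.compile(r"^interface (.+)$")
IPADDR_RE = re.compile(r"^ip address (\d+(?:\.\d+){3}) \S+$")
NATIF_RE = re.compile(r"^ip nat (inside|outside)$")

MAX_TRANSLATIONS = 1024       # chapter: up to 1024 translations, static plus dynamic
TCAM_LIMIT_RANGE = (2, 2048)  # chapter: valid range of tcam-size


def audit_nat_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    translations: List[Tuple[str, str, str, Optional[str]]] = []  # kind, a, b, group
    iface_ips: Dict[str, str] = {}  # interface address -> interface name
    nat_sides: Set[str] = set()
    tcam_limit: Optional[int] = None
    current_if: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "exit":
            current_if = None
            continue
        m = IFACE_RE.match(line)
        if m:
            current_if = m.group(1)
            continue
        m = IPADDR_RE.match(line)
        if m and current_if:
            iface_ips[m.group(1)] = current_if
            continue
        m = NATIF_RE.match(line)
        if m and current_if:
            nat_sides.add(m.group(1))
            continue
        m = LIMIT_RE.match(line)
        if m:
            tcam_limit = int(m.group(1))
            continue
        m = STATIC_RE.match(line)
        if m:
            translations.append((m["kind"], m["a"], m["b"], m["group"]))

    n = len(translations)
    if n > MAX_TRANSLATIONS:
        findings.append(f"{n} static translations exceed the {MAX_TRANSLATIONS} translation limit")
    if tcam_limit is None:
        findings.append("no 'hardware profile tcam feature nat limit' configured: NAT has no TCAM reservation by default")
    elif not TCAM_LIMIT_RANGE[0] <= tcam_limit <= TCAM_LIMIT_RANGE[1]:
        findings.append(f"nat limit {tcam_limit} is outside the valid range {TCAM_LIMIT_RANGE[0]}-{TCAM_LIMIT_RANGE[1]}")
    elif n > tcam_limit:
        findings.append(f"{n} static translations exceed the reserved NAT TCAM limit of {tcam_limit}")
    for side in ("inside", "outside"):
        if side not in nat_sides:
            findings.append(f"no interface marked 'ip nat {side}': packets arriving on an unmarked interface are not translated")
    # A static NAT or PAT address cannot be used for anything else, such as an interface address.
    for kind, a, b, _ in translations:
        for ip in (a, b):
            if ip in iface_ips:
                findings.append(f"{ip} is used in a static {kind} translation and is also assigned to interface {iface_ips[ip]}")
    # Twice NAT pairs inside and outside translations that share a group ID.
    groups: Dict[str, Set[str]] = {}
    for kind, _, _, group in translations:
        if group is not None:
            groups.setdefault(group, set()).add(kind)
    for group, kinds in sorted(groups.items()):
        if kinds != {"inside", "outside"}:
            findings.append(f"twice NAT group {group} has only {' and '.join(sorted(kinds))} translations and cannot be paired")
    return findings


# Constructed sample: an inside global address reused on ethernet 1/4 and a group with no partner.
SAMPLE_CONFIG = """\
feature nat
hardware profile tcam feature nat limit 400
ip nat inside source static 103.1.1.1 11.3.1.1
ip nat inside source static tcp 10.11.1.1 1 210.11.1.1 101
ip nat inside source static 10.1.1.1 192.168.34.4 group 4
ip nat outside source static 209.165.201.1 10.3.2.42 group 4 add-route
ip nat outside source static 95.3.1.1 95.4.1.1 group 7
interface ethernet 1/4
  ip address 11.3.1.1 255.255.255.0
  ip nat inside
exit
interface ethernet 1/1
  ip address 172.16.232.182 255.255.255.240
  ip nat outside
exit
"""

if __name__ == "__main__":
    for finding in audit_nat_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```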
Example: Configuring Static Twice NAT
The following example shows how to configure the inside source and outside source static twice NAT
configurations:
Switch> enable
Switch# configure terminal
Switch(config)# ip nat inside source static 10.1.1.1 192.168.34.4 group 4
Switch(config)# ip nat outside source static 209.165.201.1 10.3.2.42 group 4
Switch(config)# interface ethernet 1/2
Switch(config-if)# ip address 10.2.4.1 255.255.255.0
Switch(config-if)# ip nat inside
Switch(config-if)# end
Example: Configuring Static Twice NAT for an Outside Source Address
This example shows how to configure static twice NAT for outside local IP address 10.1.1.2 and outside
global IP address 192.168.34.4:
switch> enable
switch# configure terminal
switch(config)# ip nat outside source static 10.1.1.2 192.168.34.4 group 4
switch(config)# interface ethernet 1/2
switch(config-if)# ip address 10.2.4.1 255.255.255.0
switch(config-if)# ip nat outside
switch(config-if)# end
Verifying the Static NAT Configuration
To display the static NAT configuration, perform this task:
Procedure
Step 1  switch# show ip nat translations
        Shows the translations for the inside global, inside local, outside local, and outside global IP
        addresses.
This example shows how to display the static NAT configuration:
switch# sh ip nat translations
Pro Inside global    Inside local      Outside local    Outside global
--- ---              ---               51.3.1.1         104.1.1.1
--- ---              ---               95.4.1.1         95.3.1.1
--- ---              ---               96.4.1.1         96.3.1.1
--- ---              ---               51.40.1.1        140.1.1.1
--- ---              ---               51.42.1.1        142.1.2.1
--- ---              ---               51.1.2.1         102.1.2.1
--- 11.1.1.1         101.1.1.1         ---              ---
--- 11.3.1.1         103.1.1.1         ---              ---
--- 11.39.1.1        139.1.1.1         ---              ---
--- 11.41.1.1        141.1.1.1         ---              ---
--- 95.1.1.1         149.1.1.1         ---              ---
--- 96.1.1.1         149.2.1.1         ---              ---
--- 130.1.1.1:590    30.1.1.100:5000   ---              ---
--- 130.2.1.1:590    30.2.1.100:5000   ---              ---
--- 130.3.1.1:590    30.3.1.100:5000   ---              ---
--- 130.4.1.1:590    30.4.1.100:5000   ---              ---
--- 130.1.1.1:591    30.1.1.101:5000   ---              ---
Configuring Dynamic NAT
Configuring Dynamic Translation and Translation Timeouts
Procedure
Step 1  enable
        Enables privileged EXEC mode.
        • Enter your password if prompted.
        Example:
        Switch> enable
Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Switch# configure terminal
Step 3  ip access-list access-list-name
        Defines an access list and enters access-list configuration mode.
        Example:
        Switch(config)# ip access-list acl1
Step 4  permit protocol source source-wildcard any
        Sets conditions in an IP access list that permit traffic matching the conditions.
        Example:
        Switch(config-acl)# permit ip 10.111.11.0/24 any
Step 5  deny protocol source source-wildcard any
        Sets conditions in an IP access list that deny packets from entering a network.
        Example:
        Switch(config-acl)# deny udp 10.111.11.100/32 any
Step 6  exit
        Exits access-list configuration mode and returns to global configuration mode.
        Example:
        Switch(config-acl)# exit
Step 7  ip nat inside source list access-list-name interface type number overload
        Establishes dynamic source translation by specifying the access list defined in Step 3.
        Example:
        Switch(config)# ip nat inside source list acl1 interface ethernet 1/1 overload
Step 8  interface type number
        Configures an interface and enters interface configuration mode.
        Example:
        Switch(config)# interface ethernet 1/4
Step 9  ip address ip-address mask
        Sets a primary IP address for the interface.
        Example:
        Switch(config-if)# ip address 10.111.11.39 255.255.255.0
Step 10 ip nat inside
        Connects the interface to an inside network, which is subject to NAT.
        Example:
        Switch(config-if)# ip nat inside
Step 11 exit
        Exits interface configuration mode and returns to global configuration mode.
        Example:
        Switch(config-if)# exit
Step 12 interface type number
        Configures an interface and enters interface configuration mode.
        Example:
        Switch(config)# interface ethernet 1/1
Step 13 ip address ip-address mask
        Sets a primary IP address for an interface.
        Example:
        Switch(config-if)# ip address 172.16.232.182 255.255.255.240
Step 14 ip nat outside
        Connects the interface to an outside network.
        Example:
        Switch(config-if)# ip nat outside
Step 15 exit
        Exits interface configuration mode and returns to global configuration mode.
        Example:
        Switch(config-if)# exit
Step 16 ip nat translation tcp-timeout seconds
        Specifies the timeout value for TCP-based dynamic NAT entries.
        • Dynamically created NAT translations are cleared when the configured timeout limit is reached. All
          configured timeouts are triggered after the timeout configured for the ip nat translation
          sampling-timeout command expires.
        Example:
        Switch(config)# ip nat translation tcp-timeout 50000
Step 17 ip nat translation max-entries number-of-entries
        Specifies the maximum number of dynamic NAT translations. The number of entries can be between 1
        and 1023.
        Example:
        Switch(config)# ip nat translation max-entries 300
Step 18 ip nat translation udp-timeout seconds
        Specifies the timeout value for UDP-based dynamic NAT entries.
        • Dynamically created NAT translations are cleared when the configured timeout limit is reached. All
          configured timeouts are triggered after the timeout configured for the ip nat translation
          sampling-timeout command expires.
        Example:
        Switch(config)# ip nat translation udp-timeout 45000
Step 19 ip nat translation timeout seconds
        Specifies the timeout value for dynamic NAT translations.
        • NAT uses this timeout value only if the tcp-timeout or udp-timeout keywords are not configured.
        Example:
        switch(config)# ip nat translation timeout 13000
Step 20 end
        Exits global configuration mode and returns to privileged EXEC mode.
        Example:
        Switch(config)# end
Verifying Dynamic and Static Twice NAT Configurations
Procedure
Step 1  enable
        Enables privileged EXEC mode.
        • Enter your password if prompted.
        Example:
        Switch> enable
Step 2  show ip nat translations
        Displays active Network Address Translation (NAT) translations.
        • Displays additional information for each translation table entry, including when an entry was
          created and used.
        Example:
        Switch# show ip nat translations
Example
The following is sample output from the show ip nat translations command:
switch# show ip nat translations
Pro Inside global     Inside local     Outside local     Outside global
any ---               ---              10.4.4.40         203.2.133.20
tcp ---               ---              10.24.1.133:333   198.5.133:555
any 192.168.1.140     10.1.1.40        ---               ---
any 192.168.1.140     10.1.1.40        10.4.4.40         203.2.133.20
tcp 172.16.9.142:777  10.2.2.42:444    ---               ---
tcp 172.16.9.142:777  10.2.2.42:444    10.24.1.133:333   198.5.133:555
Example: Configuring Dynamic Translation and Translation Timeouts
The following example shows how to configure dynamic overload Network Address Translation (NAT) by
specifying an access list:
Switch> enable
Switch# configure terminal
Switch(config)# ip access-list acl1
Switch(config-acl)# permit ip 10.111.11.0/24 any
Switch(config-acl)# deny udp 10.111.11.100/32 any
Switch(config-acl)# exit
Switch(config)# ip nat inside source list acl1 interface ethernet 1/1 overload
Switch(config)# interface ethernet 1/4
Switch(config-if)# ip address 10.111.11.39 255.255.255.0
Switch(config-if)# ip nat inside
Switch(config-if)# exit
Switch(config)# interface ethernet 1/1
Switch(config-if)# ip address 172.16.232.182 255.255.255.240
Switch(config-if)# ip nat outside
Switch(config-if)# exit
Switch(config)# ip nat translation tcp-timeout 50000
Switch(config)# ip nat translation max-entries 300
Switch(config)# ip nat translation udp-timeout 45000
Switch(config)# ip nat translation timeout 13000
Switch(config)# end