[Top] [Prev] [Next] [Bottom]

Using IP Network Address Translation (NAT)

This document describes Network Address Translation (NAT) and provides configuration and monitoring information. It includes the following sections:

Using Fixed IP Address Mappings

NAT Overview

NAT lets a router represent an entire LAN to the Internet as a single, global IP address. The Internet sees all traffic from the local network as originating from the global IP address. Likewise, all traffic coming into the local network from the Internet is addressed to the global IP address. This allows your ISP to assign one IP address to your LAN, instead of allocating a block of IP addresses, one for each computer on the network.

NAT provides added security for network connections because it hides internal IP addresses from the Internet side of the NAT router. Also, like a firewall, NAT only accepts packets that are in response to internal requests or packets destined for officially published services.

This implementation of NAT is compliant with RFC 1631, The IP Network Address Translator (NAT).

IP Addressing

Since the outside world cannot see the inside network, you do not need to use registered IP addresses on the inside network. You can use any IP address range that does not exist in the outside network. The Internet Assigned Numbers Authority (IANA) has reserved the following blocks of IP addresses for private networks.

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

For more information, see RFC 1597, Address Allocation for Private Internets.

If you are unfamiliar with IP addressing, see IP Addresses.

Terminology

This discussion of NAT uses the following terminology.


Interface	A logical object over which the router sends or receives packets. IP routes packets between interfaces. You set up NAT on interfaces.
Device	Physical device on the router. Each WAN device can have multiple interfaces.
Global IP Address	A registered IP address assigned to the NAT interface. You can use a fixed IP address or a dynamically assigned IP address.
Inside Network	Your private network. You can assign unregistered IP addresses to the inside network.
Outside Network	The outside network to which you connect your network. This can be a public network, such as the Internet.
NAT Interface	The router interface on which you set up NAT. The outside network sends packets to or receives packets from the global IP address assigned to the NAT interface.
Proxy	Sometimes NAT is referred to as proxy addressing or proxy routing.

How NAT Works

A basic NAT application consists of an inside network, such as a LAN in a small office, and an outside network, such as the Internet.

Figure 21 Basic NAT Configuration

The NAT interface uses a global registered IP address. It can use a dynamic IP address or you can assign a fixed IP address. The NAT interface cannot use an unnumbered IP address.

In this basic configuration, when a user on the

inside network sends a packet to the outside network, the NAT interface translates the user's inside address into the global IP address, and it translates the source port number to a unique port number.

This translation makes it look to the outside network as if all traffic on the inside network comes from one station.
outside network sends a packet to the inside network, the user sends the packet to the global IP address. The NAT interface translates the global IP address into an inside address and sends the packet to the appropriate device on the inside network.

If the packet is not in response to a request from the inside network, or it is not a packet destined for a service or IP address that you have specifically allowed, the NAT interface drops the packet and does not pass it to the inside network.

To set up this basic configuration, you simply enable NAT on an interface. NAT uses a dynamic cache to perform the address translations.

To do one of the following, you need to set up service table entries or fixed IP address mappings.

Offer services on the inside network to users on the outside.
Allow certain addresses on the inside network to be visible to the outside.

The next sections explain each of the components of the NAT software.

Dynamic Cache

When an inside user generates packets for the outside network,

: 1. The NAT interface translates the user's IP address and the source port number of the packet to the global IP address and a unique port number and forwards the packet to the outside network.
: 2. The NAT interface stores the translation information in a cache.
: 3. When response packets for the inside user arrive from the outside network, the NAT interface translates them back to the original address and protocol port using the information stored in the cache.

The NAT interface also creates a cache entry when it receives a packet that matches a Service Table entry.

Service Table

A NAT interface lets only packets that are in response to internal requests into the inside network. To let outside users access services on your inside network, you specifically allow each service by adding entries to the NAT service table or you set up Fixed IP Address Mapping.

Service table entries consist of the inside IP address of the device that provides the service and the protocol over which the service runs. TCP and UDP entries must also include a port number or range of port numbers. ICMP entries can include a packet type number.

For example, you can add a service table entry that causes the NAT interface to send all FTP packets to a particular server on the inside network. Using service table entries, only one device on the inside network can provide a service on a particular port number because the NAT interface cannot tell one from the other. To offer a service on more than one device, you need to use Fixed IP Address Mapping or Port Number Translation, or you need to set up different port numbers for the service.

Global versus Per Interface Service Tables

The NAT software maintains a global service table, as well as a service table for each NAT interface. When you add a service to your NAT configuration, you can add the service to the global service table or to the service table for a specific interface.

One reason to add service entries for a specific interface rather than to the global table is to provide added security. For example, you could add a service for traffic coming in through a VPN tunnel without giving anyone else access to that service.

Services that NAT Automatically Adds

If NAT is running on a router that has IP Tunnels, the NAT software automatically creates services necessary to run SKIP (Simple Key-Management for Internet Protocols). These services are

SKIP is IP protocol 57, which contains SKIP encrypted and authenticated data.
SKIPCDP is the SKIP Certificate Discovery Protocol.
DISCARD is UDP Discard port 9, which SKIP uses to test the reachability of remote tunnel endpoints.

Also, when you enable NAT on an interface, the software creates a service entry that allows Point-to-Point Tunneling Protocol (PPTP) client traffic to pass through the NAT interface.

Fixed IP Address Mapping

Fixed IP address mapping lets you have more than one outside IP address visible to the outside network. You can use fixed IP address mapping to offer a service on more than one inside device.

To use fixed IP address mapping, you set up a table where one outside address corresponds to one inside address. For example, each of the following outside addresses has a corresponding inside address.

Outside         Inside          Mask
128.185.22.16   10.1.5.1         255.255.255.255
128.185.22.34   10.1.5.2         255.255.255.255
128.185.22.92   10.1.5.3         255.255.255.255

When the NAT interface receives a packet from the outside destined for 128.185.22.16, it forwards the packet to inside address 10.1.5.1. Likewise, when the NAT interface receives a packet from inside address 10.1.5.1 that is destined for the outside, it changes the packet's source IP address to 128.185.22.16. Therefore, anyone on the outside who is communicating with 10.1.5.1 sees only the outside address of 128.185.22.16.

See Using Fixed IP Address Mappings for some examples.

How NAT Handles IP Packets

The following figures show how the NAT interface handles packets it receives from

the outside network that are destined to the global IP address
the outside network that are not destined to the global IP address
the inside network

Figure 22 How the NAT Interface Handles Packets It Receives from the Outside Network Destined to the Global IP Address

Figure 23 How the NAT Interface Handles Packets It Receives from the Outside Network That Are Not Destined to the Global IP Address

Figure 24 How the NAT Interface Handles Packets It Receives From the Inside Network

Using Routing Protocols with NAT

You can enable RIP to run on the NAT router so that it learns routes in the inside network. However, the NAT interface does not forward RIP packets from the inside network to the outside network. The NAT interface also does not advertise OSPF routes from the inside network to the outside network.

Sample NAT Configuration

Figure 25 is a small office setup using NAT. In this example, the inside network has two users (clients) and an FTP server.

Figure 25 Sample NAT Configuration

To set up the NAT configuration in Figure 25,

Enable NAT on Interface 1, the WAN interface.
Add an entry in the service table for FTP and assign the FTP server's inside IP address to the service.

The ISP assigns an IP address of 50.19.2.1 to the NAT interface.

The following list describes what happens when Client 1 and Client 2 in Figure 25 browse the same outside Web site, which has an IP address of 128.185.5.6.

: 1. The NAT interface receives a packet from Client 1 and creates a cache entry that associates the Client 1 inside IP address and a unique port number (1025) with the Web server IP address and the port number of the service (80). The interface then forwards the packet to the Web server.
: 2. The NAT interface receives a packet from Client 2 and creates a cache entry that associates the Client 2 inside IP address to the same Web server IP address and port number (80), but associates a different port number with the inside address (1026). The interface then forwards the packet to the Web server.
: 3. The Web server sends response packets for both clients to the same IP address (50.19.2.1), but to different port numbers (1025 and 1026). The NAT interface associates the unique port number with the inside IP address in the cache and sends the packet to the correct client.

When an outside user in Figure 25 runs FTP to the inside FTP server, the NAT interface does the following:

1. It compares the destination address to the outside addresses in the fixed IP address mapping table.

If it finds a match, the NAT interface translates the destination address to the inside IP address of the FTP server (10.1.1.4) and forwards the packet to the FTP server.
If it does not find a match, the NAT interface proceeds to step 2.

2. It compares the packet's protocol and port number to entries in the cache.

If it finds a match, the NAT interface translates the global IP address (50.19.2.1) to the inside IP address of the FTP server (10.1.1.4) and forwards the packet to the FTP server.
If it does not find a match, the NAT interface proceeds to step 3.

3. The NAT interface compares the packet's protocol and port number to entries in the service table.

If it finds a match, the NAT interface translates the global IP address (50.19.2.1) to the inside IP address of the FTP server (10.1.1.4) and forwards the packet to the FTP server. It then creates a cache entry for this connection and forwards the packet.
If it does not find a match, the software drops the packet.

Using Fixed IP Address Mappings

You can set up fixed IP address translations, each from one outside IP address to one inside IP address.

This section gives some examples of situations where you might want to use fixed IP address mapping and how to set it up.

Fixed IP address mappings apply to all NAT interfaces on the router.

Allowing Multiple Servers on the Inside Network

In Figure 26, there are three servers on the inside network, each offering multiple services. Using fixed IP address mapping, you can allow

clients on the outside network to access the three servers,
each server to be known by a unique outside IP address, and
each server to have its own private inside address.

Figure 26 Multiple Servers on the Inside Network

To set up this fixed address mapping, add a mapping for each outside and each inside address. For example:

NAT Config>add fixed-ip-mappings
Public outside address [0.0.0.0]? 128.185.142.6
Mask [255.255.255.255]?
Private inside address [0.0.0.0]? 10.1.5.1

Mapping a Subnet

Another way to use the fixed IP address mapping feature is to map all computers on an inside subnet to a range of corresponding outside addresses. This is useful if you have servers on a subnet, and you want all of the servers visible to the outside.

For example, to map all addresses on the inside subnet of 10.2.1.0 through 10.2.1.254 to a corresponding outside address in the outside subnet of 128.185.227.0 through 128.185.227.254, enter the following command.

NAT Config>add fixed-ip-mappings
Public outside address [0.0.0.0]? 128.185.227.0
Mask [255.255.255.255]?  255.255.255.0
Private inside address [0.0.0.0]? 10.2.1.0

By specifying a subnet mask, you can set up a fixed mapping translation of an entire subnet of outside addresses to an entire subnet of inside addresses using only one command.

Allowing a Subnet to be Visible to the Outside Network

Another use for fixed IP addressing is to allow a group of users on a subnet to have their addresses visible to the outside. For example, to cause addresses in the range of 128.185.228.x to have their address visible to the outside, enter

NAT Config>add fixed-ip-mappings 
Public outside address [0.0.0.0]? 128.185.228.0
Mask [255.255.255.255]? 
Private inside address [0.0.0.0]? 128.185.228.0

By setting the outside and inside addresses to the same value, you essentially cause NAT to not translate certain ranges of IP addresses. This lets you partially run NAT, where NAT translates some, but not all, of your inside network addresses.

Translating Port Numbers

Using service table entries, only one device on the inside network can provide a service on a particular outside port number. To offer a service on more than one device, you need to set up different outside port numbers for the service, use fixed IP address mapping, or set up the NAT interface to translate port numbers. Translating port numbers instead of using fixed IP address mapping, allows you to have only one IP address visible to the outside.

For example, in Figure 27 there are two Web servers. Web Server 1 runs on port 80, and Web Server 2 runs on port 81. The service table entries cause the NAT interface to send all packets destined for port 80 to Web Server 1 and all packets destined for port 81 to Web Server 2. The NAT interface does not translate port numbers.

Figure 27 Publishing the Same Service Using Different Port Numbers

Alternatively, in Figure 28, there are two Web servers that both run on port 80. In this case, you need to set up the NAT interface to translate port numbers. One service table entry offers Web Server 1 on port 80 and another entry offers Web Server 2 on port 81. However, before the NAT interface sends packets to Web Server 2, it translates the port number from 81 to 80.

Figure 28 Publishing the Same Service Using Port Number Translation

Displaying NAT Prompts

NAT commands are available at the NAT Config> prompt and the NAT> prompt.

At the NAT Config> prompt, changes that you make are saved in the router's configuration memory. These changes take effect when you restart the router.

Display the NAT Config> prompt as follows:

*config

Config>protocol ip
Internet protocol user configuration

IP config>nat
Network Address Translation Configuration

NAT Config>

At the NAT> prompt, changes that you make take effect immediately. Unless you explicitly save your changes using the save command, they are not saved when you restart the router.

Display the NAT> prompt as follows:

*monitor

Monitor>protocol ip

IP>nat
Network Address Translation Console

NAT>

Configuring NAT

Follow these steps to configure NAT.

1. Display either the NAT Config> prompt or the NAT> prompt as described in Displaying NAT Prompts. This example uses the NAT Config> prompt.

2. Enable NAT on each interface over which you want to run NAT.

NAT Config>enable nat
Interface # [0]? 1
NAT enabled on interface 1

3. (Optional.) To offer inside services to outside users, add a service table entry for each inside service that you want to offer. See Service Table and the add service command.

Service table involved is the global table([Yes] or No):  [yes]? yes
Service name ([CR] to get a list of well-known-services)? ftp
Server's IP address [0.0.0.0]?  10.12.1.1
Server's local port (0 = no port translation) [0]?

4. (Optional.) Set up fixed IP address mappings. See Fixed IP Address Mapping and the add fixed-ip-mappings command.

5. If you set up NAT at the configuration prompt, restart the router for your configuration to take effect.

NAT Config>exit
IP config>exit
Config> Ctrl P
*restart

If you set up NAT at the monitoring prompt, the configuration takes effect immediately. To make the changes permanent, enter save.

NAT>save

When to Set a Global IP Address

The NAT global IP address is key to the way your NAT setup works. For an outgoing packet, NAT translates the packet's source IP address to the global IP address, unless there is a matching fixed IP translation. For an incoming packet destined for the global IP address, NAT either translates the packet using a cache entry or translates the packet using service table entries.

If you do not explicitly set the NAT global IP address, the NAT interface uses the IP address of the interface on which NAT is enabled. It does not matter whether you assigned an IP address to the interface or are using a dynamically assigned address.

You can explicitly assign another outside address as the NAT global IP address by using the set nat-interface ip-address command.

Set a global IP address in the following situations.

You have a Web server and your ISP wants the outside address of your WAN interface and the outside address of the Web server to be different.
You require more than one outside IP address. In this case, setting a global IP address instead of using the default address ensures that NAT uses the address that you want to have as the global IP address.

Notes:

You cannot use an unnumbered IP address as the global IP address.
You should not use an IP address mapped with the NAT fixed IP mapping feature as the global IP address.

NAT Commands

This section describes NAT commands.

Press Space twice after you type a command to display the available options for each command. Enter help for information about using the command line interface.

[C] means the command is available at the NAT Config> prompt.

[M] means the command is available at the NAT> prompt.

Table 37 NAT Commands

Command Function

Add [C] [M] Adds fixed IP address mappings and service table entries to the NAT configuration.

Clear [C] [M] Clears NAT configuration information and the cache of a NAT interface.

Delete [C] [M] Deletes specific fixed IP address mappings, service table entries, NAT interface configurations, or cache entries.

Disable NAT [C] [M] Disables NAT on an interface.

Enable NAT [C] [M] Enables NAT on an interface.

Exit [C] [M] Returns to the previous prompt.

List [C] [M] Lists the NAT configuration and service table entries. At the NAT> prompt, also lists cache entries.

Restore [M] Restores the configuration that is in permanent memory.

Save [M] Saves the current (running) configuration to permanent memory.

Set [C] [M] Sets timers, cache size, global IP address, and lets you change service table entries.

Zero [M] Clears the fixed IP address usage counters.

Table 37 NAT Commands
Command	Function
Add [C] [M]	Adds fixed IP address mappings and service table entries to the NAT configuration.
Clear [C] [M]	Clears NAT configuration information and the cache of a NAT interface.
Delete [C] [M]	Deletes specific fixed IP address mappings, service table entries, NAT interface configurations, or cache entries.
Disable NAT [C] [M]	Disables NAT on an interface.
Enable NAT [C] [M]	Enables NAT on an interface.
Exit [C] [M]	Returns to the previous prompt.
List [C] [M]	Lists the NAT configuration and service table entries. At the `NAT>` prompt, also lists cache entries.
Restore [M]	Restores the configuration that is in permanent memory.
Save [M]	Saves the current (running) configuration to permanent memory.
Set [C] [M]	Sets timers, cache size, global IP address, and lets you change service table entries.
Zero [M]	Clears the fixed IP address usage counters.

Add [C] [M]

Adds fixed IP address mappings and service table entries to your NAT configuration.

Syntax: add

fixed-ip-mappings
service

fixed-ip-mappings

Adds fixed IP address mappings to a NAT interface. See Fixed IP Address Mapping.

Example: add fixed-ip-mappings

Interface number [0]? 1
Public outside address [0.0.0.0]? 128.185.2.45
Mask [255.255.255.255]?
Private inside address [0.0.0.0]? 10.34.34.2


Interface number	The number of the NAT interface to which you want this mapping to apply.
Public outside address	The address you want visible to the outside.
Mask	Subnet mask of the outside address.
Private inside address	The address this device uses on the inside LAN.

service

Adds a service table entry to the NAT configuration. You can add global service table entries, which apply to all NAT interfaces in the router. Or you can add entries that apply to a specific NAT interface. One reason to add service entries for a specific interface rather than to the global table is to provided added security. For example, you could add a service for traffic coming in through a VPN tunnel without giving anyone else access to that service.

Add an entry for each service that the inside network offers to the outside network. You must also add services that the NAT interface itself offers, such as Telnet or Web authentication. See Service Table.

You can change service table entries using the set service commands.

If NAT is running on a router that has IP Tunnels, the NAT software automatically creates services necessary to run SKIP: Discard, SKIP, SKIPCDP.

Also, when you enable NAT on an interface, the software creates a service entry that allows Point-to-Point Tunneling Protocol (PPTP) client traffic to pass through the NAT interface.

Example: add service

Service table involved is the global table([Yes] or No):  [yes]? no
Interface number [0]? 1
Service name ([CR] to get a list of well-known-services)? http
Server's IP address [0.0.0.0]?  10.12.1.1
Server's local port (0 = no port translation) [0]?

Example: add service

Service table involved is the global table([Yes] or No): [yes]?  
Service name ([CR] to get a list of well-known-services)? admin
Server's IP address [0.0.0.0]? 10.1.2.1
Server's local port (0 = no port translation) [0]?
Enter protocol [TCP]?
Enter starting port number ([CR] for all) [-1]? 90
Enter ending port number [1]?90


Service table involved is the global table?	To apply this service table entry to all NAT interfaces in the router answer Yes. To apply this entry to a specific NAT interface, answer No.
Interface number	If you answered No to the previous question, the software prompts you for the interface to which you want to apply this service table entry.
Service name	You can enter a well-known service name from the list below or you can define your own service name. If you enter a well-known service name, the software fills in the protocol and port range.
	Service Name Protocol Port Range DEFAULT ANY 0-65535 DISCARD UDP 9-9 DNS UDP 53 DNS-ZONE TCP 53 FTP TCP 20-21 HTTP TCP 80 NFS UDP 0-65535 NNTP TCP 119 PING ICMP 0-65535 POP2 TCP 109 POP3 TCP 110 PPTP TCP 1723 RLOGIN TCP 513 SKIP SKIP 0-65535 SKIPCDP UDP 1639-1640 SMTP UDP 25 SNMP UDP 161 SNMP-TRAP UDP 162 TELNET TCP 23 TFTP UDP 69 TIME UDP 37
Server's IP Address	The IP address of the host in the inside network that provides the service. If the NAT router provides the service, enter one of the router's own IP addresses.
Server's local port	You can set up NAT to translate the destination port number that it receives from the outside network. When the NAT interface forwards the packet to the server, it sends the packet to this port number. The default is 0 (zero), which means the NAT interface does not translate the port number.
Protocol	The protocol associated with this service. Enter ICMP, UDP, TCP, or All. Nx Networks recommends that you do not use All because All causes the NAT interface to send all IP packets that it receives to this server.
Starting Port number	The lowest port number associated with this service. For protocol ICMP, this value represents the packet type. The default is 8, which is an ICMP Echo Request. To change the default, use the set service port-range command.
Ending Port number	The highest port number associated with this service. To match a single port, enter the same number for the starting port and the ending port. For protocol ICMP, this value represents the packet type. The default is 8, which is an ICMP Echo Request. To change the default, use the set service port-range command.

Clear [C] [M]

Clears NAT configuration information. At the NAT> prompt, you can also clear the NAT cache.

Syntax: clear

all
cache
fixed-ip-mappings
nat-interfaces
services

all

Clears all NAT configuration information including service table entries and fixed IP address mappings.

Example: clear all

cache

Clears the cache of a NAT interface. This command is available only at the NAT> prompt.

Example: clear cache

Interface number [0]? 1

fixed-ip-mappings

Clears all fixed IP address mappings.

Example: clear fixed-ip-mappings

All fixed mappings have been cleared

nat-interfaces

Clears all NAT configuration information except the service table entries. This command is available only at the NAT Config> prompt.

Example: clear nat-interfaces

services

Clears all service table entries.

Example: clear services

Delete [C] [M]

Deletes fixed IP address mappings, service table entries, or NAT interface configurations. At the NAT> prompt, also deletes cache entries.

Syntax: delete

cache-entry
fixed-ip-mappings
nat-interface
service

cache-entry

Deletes cache entries. This command is available only at the NAT> prompt. Enter list cache at the NAT> prompt to display a list of ID numbers.

Example: delete cache-entry

Interface # [0]? 1
Id number [0]?

fixed-ip-mappings

Deletes a fixed IP mapping that you added with the add fixed-ip-mappings command.

Example: delete fixed-ip-mappings

Interface number [5]? 
Public outside address [0.0.0.0]? 128.185.1.1
Mask [255.255.255.255]?

nat-interface

Deletes a NAT interface configuration. If you enabled NAT on more than one interface, the software prompts you for the interface configuration to delete.

Example: delete nat-interface

Interface # [0]? 1
NAT deleted from interface 1

service name

Deletes a service from the service table. The software prompts you as to whether the service is part of the global service table or applies to a specific interface. Enter the name of a service entry that you created with the add service command.

Example: delete service

Service table involved is the global table([Yes] or No):  [yes]?  Service name? http

Disable NAT [C] [M]

Disables a NAT interface, but leaves the configuration information intact. If you enabled NAT on more than one interface, the software prompts you for which interface to disable.

Syntax: disable nat

Example: disable nat

Interface # [0]? 1
NAT is disabled

Enable NAT [C] [M]

Enables a NAT configuration on an interface. If you previously defined a NAT interface, this command enables it. Otherwise, this command adds a default NAT configuration to the interface and enables it. You can use the set nat-interface commands to change ageout timers and cache size.

Syntax: enable nat

Example: enable nat

Interface # [0]? 1
Default NAT interface created 
NAT enabled on interface 1

Exit [C] [M]

Returns to the previous prompt.

Syntax: exit

Example: exit

List [C] [M]

Displays the current NAT interface configuration, fixed IP address mappings, and service table entries. At the NAT> prompt, also displays a summary of the current cache entries.

Syntax: list

all
cache
fixed-ip-mappings
nat-interface
services

all

Lists the complete NAT configuration.

Example: list all

NAT Enabled on interface 5
  Address is:        Automatic      Service Table Used:  Global
  Maximum # entries: 500            Global ageout:       1800 secs
  TCP ageout (secs): 9000           TCP closed ageout:   30 secs
NAT Enabled on interface 4
  Address is:        Automatic      Service Table Used:  Global
  Maximum # entries: 500            Global ageout:       1800 secs
  TCP ageout (secs): 9000           TCP closed ageout:   30 secs

 Global Service Table:
Name        Protocol  Port Range   Server Address/Port Translation
---------   --------  ----------   -------------------------------
TIME        UDP       37-37        10.10.2.2/None

Interface 5 - Interface-specific Service Table:
Name        Protocol  Port Range   Server Address/Port Translation
---------   --------  ----------   -------------------------------
HTTP        TCP       80-80        10.10.2.2/None
Interface 4 - No interface-specific service entries defined 
 
Fixed IP Address Translation mappings for interface 5:
Outside         Inside          Mask
128.185.2.2     10.10.1.1       255.255.255.255
No fixed IP Address Translations for interface 4

cache interface#

Shows a summary of all cache entries for a NAT interface. If you have NAT enabled on more than one interface, the software prompts you for an interface number. You can use the NAT ID numbers to delete individual cache entries.

This command is available at the NAT> prompt.

Note: Cache entries for the ICMP protocol age out after 10 seconds regardless of the ageout time you have set. This prevents ICMP traffic, such as PING and TRACEROUTE packets, from filling the cache with unnecessary entries.

Example: list cache

NAT Cache - Interface 0

ID   Proto Inside Address     Outside Address     NAT's source address
---- ----- ----------------   ------------------- --------------------
1    TCP   192.168.3.20:26476  192.168.3.3:23     192.168.3.20:26476

fixed-ip-mappings

Lists the IP address mappings that you set up with the add fixed-ip-mappings command.

Example: list fixed-ip-mappings

Interface number [5]?
Fixed IP Address Translation mappings for interface 5:      
Fixed IP Address Translation mappings:
Outside         Inside          Mask
128.185.23.23   10.10.50.1      255.255.255.255

At the NAT> prompt, this command also displays a count of how many times NAT used each mapping on packets from outside to inside and from inside to outside. Clear the usage counters using the zero command.

Example: list fixed-ip-mappings

Interface number [5]?
Fixed IP Address Translation mappings-ifc 5:    Translation Usage Counts
Outside         Inside        Mask              Out->In    In->Out  
128.185.23.23   10.10.50.1    255.255.255.255   0          0

nat-interface interface#

Lists a NAT interface configuration. If you configured more than one interface for NAT, the software prompts you for the interface configuration you want to display.

Example: list nat-interface

Interface # [0]? 1
NAT Enabled on interface 1
              Address is Auto
              Maximum # entries 500
              Global ageout 1800 secs
              TCP ageout 9000 secs, closed 30 secs

services

Lists the service table entries. You can list the global service table or the service table for a specific interface.

Example: list services

Service table involved is the global table([Yes] or No):  [yes]?

Global Service Table:
Name        Protocol  Port Range   Server Address/Port Translation
----------  --------  -----------  --------------------------------
HTTP          TCP     80-80        10.1.2.1/  81
TELNET        TCP     23-23        10.1.1.1/None
FTP           TCP     20-21        10.1.2.3/None

Example: list services

Service table involved is the global table([Yes] or No):  [yes]? no
Interface number [5]? 5

Interface 5 - Interface-specific Service Table:
Name        Protocol  Port Range   Server Address/Port Translation
---------   --------  ----------   -------------------------------
HTTP        UDP       80-80        10.10.2.2/None

Restore [M]

Restores the saved configuration after you make changes at the NAT> prompt.

Syntax: restore

Example: restore

This will overwrite your existing runtime configuration.
Continue? (Yes or [No]): yes
Restore complete

Save [M]

Saves changes you make at the NAT> prompt to permanent memory so they are still present after you restart the router.

Syntax: save

Example: save

This will overwrite your existing saved configuration.
Continue? (Yes or [No]): yes
Save complete

Set [C] [M]

Sets ageout timers for TCP and non-TCP cache entries, global IP address, and the maximum number of entries kept in the cache for each NAT interface. It also lets you make changes to entries in the service table.

Syntax: set

nat-interface ageout
nat-interface ip-address
nat-interface max-entries
nat-interface tcp-ageout
service address
service local-port
service port-range
service protocol

nat-interface ageout

Sets the ageout timer for non-TCP cache entries. The timer deletes non-TCP cache entries if they are idle for this time period. Setting this value too low causes the timer to close sessions prematurely. Setting this value too high causes the cache to have too many entries and impacts router performance. The range is 10 to 36000 seconds. The default of 1800 seconds (30 minutes) is ample for most applications.

Example: set nat-interface ageout

Interface # [0]?
Ageout time (secs) [1800]?

nat-interface ip address

Sets the global IP address and IP mask of a NAT interface. If you do not use this command to set a global IP address, NAT uses the IP address of the NAT interface, whether it's an address that you assigned to the interface or a dynamic IP address. See When to Set a Global IP Address.

This command is available at the NAT Config> prompt.

Note: You cannot use unnumbered IP on a NAT interface.

Example: set nat-interface ip-address

Interface number [1]?
NAT IP address (0.0.0.0 = use automatic default) [0.0.0.0]

nat-interface max-entries

Sets the maximum number of entries that the interface keeps in cache. The NAT cache is dynamically allocated so you can set this parameter quite high without tying up memory. However, if you set this parameter too high, it may affect router performance during times of heavy usage. The range is 20 to 1000. The default is 500.

Example: set nat-interface max-entries

Interface # [0]?
Maximum Cache Entries [500]?

nat-interface tcp-ageout

Controls how long the NAT interface keeps TCP entries in its cache.

Example: set nat-interface tcp-ageout

Interface # [0]?
TCP Ageout time (secs) [9000]?
TCP Closed time (secs) [30]?


TCP Ageout time	If the NAT software does not use a TCP cache entry for this amount of time, it deletes the entry. This timer clears TCP sessions that end abnormally, such as when a user powers off a PC during a TCP session. Setting this value too low prematurely closes sessions. If you set this parameter to a lower value than the keepalive timer, the ageout timer could clear cache entries before users close TCP sessions. Setting this value too high causes too many entries in the cache and impacts router performance. The range is 10 to 36000. The default ageout time of 9000 seconds (2.5 hours) is ample for most applications.
TCP Closed Time	Clears the cache entry when a TCP session shuts down normally, either through a reset or a normal session close. Once the NAT interface determines that the TCP session ended, it waits this amount of time and clears the cache entry. The default is 30 seconds. The range is 10 to 36000 seconds.

service address

Changes the inside IP address of a service table entry.

Example: set service address

Service table involved is the global table([Yes] or No):  [yes]?
Service name? database
Server's IP address [10.1.99.8]?


Service table involved is the global table	To change an entry in the global service table, answer Yes. applied to a specific entry, answer No. The software prompts you for the interface number.
Service name	The name of the service that you want to change.
Server's IP address	The IP address of the host in the inside network that provides the service. If the NAT router provides the service, enter one of the router's own addresses.

service local-port name port#

Changes the local port number of a service table entry.

Example: set service local-port

Service table involved is the global table([Yes] or No):  [yes]?           Service name? rtradmin
Server's local port [0]?


Service table involved is the global table	To change an entry in the global service table, answer Yes. applied to a specific entry, answer No. The software prompts you for the interface number.
Service name	The name of the service that you want to change.
Server's local port	You can set up NAT to translate the port number that it receives from the outside network. When the NAT interface forwards the packet to the server, it sends the packet to this port number. If you set the local port number to 0 (zero), which is the default, the NAT interface does not translate the port number.

service port-range name starting-port ending-port

Changes the range of ports for a service table entry.

Example: set service port-range

Service table involved is the global table([Yes] or No):  [yes]? 
Service name? http
Enter starting port number ([CR] for all) [-1]? 81
Enter ending port number [81]?


Service table involved is the global table	To change an entry in the global service table, answer Yes. applied to a specific entry, answer No. The software prompts you for the interface number.
Service name	The name of the service that you want to change.
Starting port	The lowest port number associated with this service. For protocol ICMP, the value represents the packet type. For example, packet type 8 is an ICMP Echo Request.
Ending port	The highest port number matched to this service. To match a single port, enter the same number for the starting port and the ending port. For protocol ICMP, the value represents the packet type.

service protocol name protocol

Changes the protocol for a service table entry.

Example: set service protocol

Service table involved is the global table([Yes] or No):  [yes]? 
Service name? 
Enter protocol [TCP]?


Service table involved is the global table	To change an entry in the global service table, answer Yes. applied to a specific entry, answer No. The software prompts you for the interface number.
Service name	The service name of the service that you want to change.
Protocol	The protocol associated with this service. Values are ICMP, UDP, TCP or All.

Zero [M]

At the NAT> prompt, list fixed-ip-mappings displays a count of how many times NAT used each mapping on packets coming from outside to inside and from inside to outside. The zero command clears these counters.

Syntax: zero

Example: zero

[Top] [Prev] [Next] [Bottom]