
NAT Frequently Asked Questions

Document ID: 26704

Questions
Introduction
What is NAT?
What are the main differences between Cisco IOS NAT and the Cisco PIX Firewall implementation of NAT?
On which Cisco routing platforms is Cisco IOS NAT available? How do I order it?
Does NAT occur before or after routing?
How is routing awareness learned for IP addresses created using NAT?
How many concurrent NAT sessions are supported in Cisco IOS NAT?
What kind of routing performance can I expect when I use Cisco IOS NAT?
Can Cisco IOS NAT be applied to subinterfaces?
Can Cisco IOS NAT be used with HSRP to provide redundant links to an ISP?
Does Cisco IOS NAT support inbound translations on a serial trunk that runs Frame Relay and does it support outbound translations on the Ethernet side?
Can a single NAT-enabled router allow some users to utilize NAT and allow other users on the same Ethernet interface to continue with their own IP addresses?
What is PAT, or NAT overloading?
When I configure for PAT (NAT overloading), what is the maximum number of translations that I can make for each inside global IP address?
How does PAT work?
What is the maximum number of configurable NAT IP pools (using the ip nat pool <name> command)?
What is IP address overlapping as discussed within the context of NAT?
Is it possible to build a configuration with both static and dynamic NAT translations?
Can IOS support multiple outside NAT tables?
Why do I need to specify a subnet mask when I configure a NAT address pool?
Can I allocate IP addresses from the NAT router's outside interface subnet to a dynamic NAT pool?
Does a NAT router properly handle ICMP redirects?
Does Cisco NAT support all application traffic?
Why does Cisco IOS NAT not support SNMP traffic?
How are ARPs handled for IP addresses generated by NAT?
Does Cisco IOS NAT support DNS queries?
Does Cisco IOS NAT support ACLs that permit any or all packets?
Why does Active FTP work with static/extended (port forwarding) but it does not work with PAT?
NetPro Discussion Forums Featured Conversations
Related Information

Introduction
This document provides answers to some of the more frequently asked questions with regard to Cisco IOS Network Address Translation (NAT).

Cisco NAT Frequently Asked Questions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Q. What is NAT?
A. NAT stands for Network Address Translation. NAT is designed for IP address simplification and conservation. It enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded onto another network. As part of this functionality, NAT can be configured to advertise only one or a very few addresses for the entire network to the outside world. This provides additional security and effectively hides the entire internal network from the world behind that address. NAT has the dual functionality of security and address conservation, and is typically implemented in remote access environments. Refer to How NAT Works in order to learn how NAT works in more detail.

Q. What are the main differences between Cisco IOS NAT and the Cisco PIX Firewall implementation of NAT?
A. Cisco IOS based NAT functionality is not fundamentally different from the NAT functionality in the PIX Firewall. The main differences involve the different traffic types supported in Cisco IOS NAT and the NAT implementation in the PIX. Refer to Cisco PIX 500 Series Firewalls and to the NAT Configuration Examples for detailed information on the configuration of NAT functionality on the PIX (includes the traffic types supported).

Q. On which Cisco routing platforms is Cisco IOS NAT available? How do I order it?
A. The Cisco Software Advisor (registered customers only) (search by feature) provides customers with a tool to identify which release and platform any Cisco IOS feature is available on. In order to check if NAT is supported on a specific platform, go to Software Advisor (registered customers only), choose the option Find software with the features I need, enter the product and software information, choose the feature NAT, and select the platform. The tool then provides the minimum Cisco IOS software that supports the feature on the platform.

For historical purposes: when originally introduced in Cisco IOS Software Release 11.2, NAT was only available in the Plus images. With Cisco IOS Software Release 11.3, PAT is available in all IP images, with full NAT (1-1 and PAT) available only in Plus images. With Cisco IOS Software Release 12.0, all IP images provide full NAT functionality. This table provides Cisco IOS and NAT support information (bracketed numbers refer to the footnotes that follow the table).

| Cisco IOS Software Release | NAT Support in Base Images | NAT Support in Plus Images | Easy IP Support | Hardware Platforms Supported |
|---|---|---|---|---|
| 11.2 | None | NAT | None | Cisco 1000, 2500, 4x00, AS5200, 7200, RSP7000, 7500 |
| 11.2P | None | NAT | None | Cisco 1000, 1600, 2500, 3620, 3640, 4x00, AS5200, AS5300, Ca RSP7000, 7500 |
| 11.3 | PAT only | NAT | Phase 1 | Cisco 1000, 1600, 2500, 3620, 3640, 4x00, AS5200, 7200, RSP7 |
| 11.3T | PAT only | NAT | Phase 1 | Cisco 1000, 1600, 2500, 2600, 3620, 3640, 4x00, AS5200, AS53 RSP7000, 7500 |
| 12.0 | NAT | NAT | Phase 1 | Cisco 1600, 2500, 2600, 3620, 3640, 4000, 4500, 4700, AS5x00, RSP7000, 7500 |
| 12.0T | NAT | NAT | Phase 2 | Cisco 800 [1], 1400, 1600, 1700, 2500 [2], 2600, 36x0, MC3810, C4x0 RSM, Cat5000 RSFC, 7100, 7200, uBR9x0, uBR7200 [3], RSP700 |
| 12.1 | NAT | NAT | Phase 2 | Cisco 800 [1], 1400, 1600, 1700, 2500 [2], 2600, 36x0, MC3810, C4x RSM, Cat5000 RSFC, 7100, 7200, ubr9x0, uBR7200 [3], RSP7000 |
| 12.1T | NAT | NAT | Phase 2 | Cisco 800 [1], 1400, 1600 [4], 1700 [2][4], 2500, 2600, 36x0, MC3810, C4 RSM, Cat5000 RSFC, 7100, 7200, ubr9x0, uBR7200 [3], RSP7000 |
| 12.2 | NAT | NAT | Phase 2 | Cisco 1400, 1601-1604, 1601R-1605R, 1720, 1750, 2501-2525, 2610XM-2611XM, 2620, 2620XM-2621XM, 2650XM-2651XM, 2650-2651, 3620, 3640, 7200, 7500, 800, 8850RPM-PR, AS5300, AS5400, CAT4500AGM, ICS7700, MC3810, SLT, UBR910, 920 |
| 12.2T | NAT | NAT | Phase 2 | Cisco 1710, 1721, 1751, 1751V, 1760, 1720, 1750, 2501-2525, 2610XM-2611X 2620XM-2621XM, 2650XM-2651XM, 2650-2651, 3620, 3640, 3725, 3745, 6400NPR1, 6400NPR2SV, 6400NSP, 7100, 7200, 7400, 7500, 800, 8850RPM-PR, AS5300, AS5350, AS5400, A CAT4500AGM, CVA 120, CAT5000RSM, ICS7700, MC3810 UBR7200, UBR905, 925 |
| 12.3 | NAT | NAT | Phase 2 | Cisco 1400, 1601-1604, 1601R-1605R, 1710, 1720, 1721, 1750, 1751V, 1751, 1760, 25012 2620XM-2621XM, 2650XM-2651XM, 2650-2651, 2691, 3620, 3725, 3745, 6400NRP1, 6400NRP2SV, 6400 NSP, 7200, 7301, 7400, 7500, 800, 8850RPM-PR, AS5300, AS5350, AS5 AS5850 RSC, CAT4224, CAT4500AGM, CVA120, ICS7700, M SOHO76, 77, 78, UBR905, 925 |
| 12.3T | NAT | NAT | Phase 2 | Cisco 1701, 1710, 1711, 1712, 1720, 1721, 1751V, 1751, 1760, 261 2620XM-2621XM, 2650XM-2651XM, 2691, 28X1, 3620, 3631, 3725, 3745, 6400NRP1, 6400NRP2SV, 6400 NSP, 7200, 7301, 7400, 7500, 800, 8850RPM-PR, AS5300, AS5350, AS5 AS5850 RSC, CAT4224, CAT4500AGM, CVA120, ICS7700, M SOHO91, 96, 97, UBR905, 925, VG224 |

Note: This information is obtained from the Feature Navigator Tool (registered customers only).

No NAT functionality is available on uBR7200 in the service provider (p) software image. Dynamic Host Configuration Protocol (DHCP) server functionality is available on uBR7200 in the service provider (p) software image.
In the 2500, starting from the Cisco IOS Software 11.2 major release in the Enterprise Plus image. Enterprise images do not support NAT.
In the 2600, starting from the Cisco IOS Software 12.2T major release in the Enterprise Base image.
In the 3620, starting from the Cisco IOS Software 11.2P major release in the Enterprise Plus image. Enterprise images do not support NAT.
In the 3640, starting from the Cisco IOS Software 11.3 major release in the Enterprise Plus image. Enterprise images do not support NAT.
In the 4000, starting from the Cisco IOS Software 11.2 major release in the Enterprise Plus image. Enterprise images do not support NAT.
In the 4500, starting from the Cisco IOS Software 11.2 major release in the Enterprise Plus image. Enterprise images do not support NAT.
In the AS5300, starting from the Cisco IOS Software 11.2P major release in the Enterprise image.
AS5800 provides support for NAT. Support for SIP and NAT support for NetMeeting Directory.
Catalyst 5000 RSM, starting from the Cisco IOS Software 11.3T major release in the Enterprise image.
7200: NAT is supported starting from the Cisco IOS Software 11.2 major release.
7500: NAT is supported starting from the 11.2 major release.
In the Cisco 3825 and 3845, in IP Base images beginning in Cisco IOS Software Release 12.3T.
In the 1600 starting from Cisco IOS Software Release 11.3 IP Base, and the 2500 starting from Cisco IOS Software Release 11.3 IP Base, NAT is supported.

[1] NAT is supported in all Cisco IOS software images for Cisco 800 beginning in Cisco IOS Software Release 12.0(3)T.
[2] NAT is supported in all Cisco IOS software images for Cisco 1700 beginning in Cisco IOS Software Release 12.2ZH.
[3] NAT and DHCP server functionality are only available on the uBR7200 platform in the Service Provider Plus (ps) software image beginning in Cisco IOS Software Release 12.0(3)T.
[4] All platforms other than uBR7200 require either a J or an O image (Enterprise or Cisco IOS Firewall respectively) to obtain support for Microsoft's NetMeeting application within Cisco IOS NAT.

Q. Does NAT occur before or after routing?


A. Inside-to-outside translation occurs after routing, and outside-to-inside translation occurs before routing. Refer to NAT Order of Operation for more information.

Q. How is routing awareness learned for IP addresses created using NAT?


A. Routing for IP addresses created by NAT is learned if:
The inside global address pool is derived from the subnet of a next-hop router.
The static route entry is configured in the next-hop router and redistributed within the routing network.

Q. How many concurrent NAT sessions are supported in Cisco IOS NAT?
A. The NAT session limit is bound by the amount of available DRAM in the router. Each NAT translation consumes about 160 bytes in DRAM. As a result, 10,000 translations (more than would generally be handled on a single router) can consume about 1.6 MB. Therefore, a typical routing platform has more than enough memory to support thousands of NAT translations.

Q. What kind of routing performance can I expect when I use Cisco IOS NAT?
A. Cisco IOS NAT supports Cisco Express Forwarding (CEF) switching, Fast switching, and Process switching. Performance depends on these factors:
The type of application and its type of traffic (does it embed IP addresses? Do multiple messages get exchanged that need to be inspected? Does it require a specific source port or does it negotiate one?)
The number of translations.
What else runs on the box at the time.
The type of platform and processor.
For most applications, degradation of performance due to NAT should be negligible.

Q. Can Cisco IOS NAT be applied to subinterfaces?


A. Yes. You can apply source and/or destination NAT translations to any interface or subinterface that has an IP address (includes dialer interfaces).

Q. Can Cisco IOS NAT be used with HSRP to provide redundant links to an ISP?
A. No. In this scenario and in earlier versions of Cisco IOS, the standby router does not have the translation table of the active router. Therefore, when the cutover happens, connections time out and fail. In Cisco IOS Software Release 12.2(13)T and later, the Stateful Failover of Network Address Translation feature can be configured to operate with the Hot Standby Routing Protocol (HSRP) in order to provide redundancy. Refer to NAT Static Mapping Support with HSRP for High Availability for additional information.

Q. Does Cisco IOS NAT support inbound translations on a serial trunk that runs Frame Relay and does it support outbound translations on the Ethernet side?
A. Yes.

Q. Can a single NAT-enabled router allow some users to utilize NAT and allow other users on the same Ethernet interface to continue with their own IP addresses?
A. Yes. You can accomplish this through the use of an ACL that describes the set of hosts or networks that require NAT translation. All sessions on the same host are either translated or pass through the router untranslated. ACLs, extended ACLs, and route maps can be used to define rules for which IP device(s) get translated. Always specify the network address and appropriate subnet mask. Do not use the keyword any in place of the network address and subnet mask.

! Static translation for ns.bar.com DNS server.
ip nat inside source static 10.1.1.10 140.16.1.254
! Static translation for ns.foo.com DNS server.
ip nat outside source static 10.1.1.10 192.168.1.254
! Dynamic IL->IG (inside local to inside global) address translations.
ip nat pool iga 140.16.1.1 140.16.1.253 netmask 255.255.255.0
! Dynamic OG->OL (outside global to outside local) address translations.
ip nat pool ola 192.168.1.1 192.168.1.253 netmask 255.255.255.0
ip nat inside source list 1 pool iga
ip nat outside source list 2 pool ola
! Translate all traffic from 10.2.17.0/24 internal hosts (standard ACLs take a wildcard mask, not a subnet mask).
access-list 1 permit 10.2.17.0 0.0.0.255
! Translate all externally originated traffic (outside hosts in 10.0.0.0/8).
access-list 2 permit 10.0.0.0 0.255.255.255

Q. What is PAT, or NAT overloading?


A. PAT, or NAT overloading, is a feature of Cisco IOS NAT and can be used to translate many internal (inside local) private addresses to one or more outside (inside global, usually registered) IP addresses. Unique source port numbers on each translation are used to distinguish between the conversations. With NAT overload, a translation table entry that contains full address and source port information is created.

Q. When I configure for PAT (NAT overloading), what is the maximum number of translations that I can make for each inside global IP address?
A. PAT (NAT overloading) divides the available ports per global IP address into three ranges: 0-511, 512-1023, and 1024-65535. PAT (NAT overloading) assigns a unique source port for each User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) session. It attempts to assign the same port value as the original request. However, if the original source port has already been used, it starts to scan from the start of the particular port range to find the first available port and assign it to the conversation.

Q. How does PAT work?


A. PAT with one IP address:
1. NAT/PAT inspects traffic and matches it to a translation rule.
2. The rule matches to a PAT configuration.
3. Does PAT know about the traffic type, and does that traffic type have a specific set of ports, or ports it negotiates that it will use? If so, set them aside and do not allocate them as unique identifiers.
4. Sessions with no special port requirements attempt to connect out. PAT translates the IP source address and checks the availability of the originated source port (for example, 433). Groups are 1-511, 512-1023, and 1024-65535.
Note: For TCP and UDP, groups are 1-511, 512-1023, 1024-65535. For ICMP the first group starts at 0.
5. If the requested source port is available, it assigns the source port and the session continues.
6. If the requested source port is not available, NAT starts to search from the beginning of the relevant group. In this example, starting at 1 for TCP or UDP applications and 0 for ICMP.
7. If a port is available, it is assigned and the session continues.
8. If no ports are available, the packet is dropped.

A2. PAT with multiple IP addresses: use the same logic as with a single IP address (steps 1-8) and:
1. If no ports are available in the relevant group on the first IP address, NAT flips to the next IP address in the pool and tries to allocate the original source port requested.
2. If the requested source port is available, it assigns the source port and the session continues.
3. If the requested source port is not available, NAT starts to search from the beginning of the relevant group. This example starts at 1 for TCP or UDP applications and 0 for ICMP.
4. If a port is available, it is assigned and the session continues.
5. If no ports are available, the packet is dropped, unless another IP address is available in the pool; this repeats until all IP addresses have been checked.
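The port-allocation rules above (the three port groups from the previous answer, keeping the original source port when it is free, scanning from the start of the group otherwise, flipping to the next pool address only when a group is exhausted, and dropping when every address is used up) are easier to reason about when run. The following simulation is an added example and is not Cisco code or the router's actual implementation; the PatPool class, its bookkeeping and the sample addresses are assumptions made for the illustration, and the "reserved" set stands in for the ports that step 3 sets aside for applications PAT knows about.

```python
"""Simulation of the PAT (NAT overload) source-port allocation described in the FAQ.

Added example, not Cisco code. The three port groups (1-511, 512-1023,
1024-65535; ICMP's first group starts at 0), the "keep the original port if
free, otherwise scan from the start of its group, otherwise move to the next
pool address" rule and the "drop when every address is exhausted" outcome
follow the FAQ text. PatPool and its bookkeeping are assumptions.
"""
from dataclasses import dataclass, field


def port_group(port: int, proto: str) -> tuple[int, int]:
    """Return the (low, high) bounds of the group the requested port falls in."""
    first_low = 0 if proto == "icmp" else 1
    for low, high in ((first_low, 511), (512, 1023), (1024, 65535)):
        if low <= port <= high:
            return low, high
    raise ValueError(f"port {port} is not valid for {proto}")


@dataclass
class PatPool:
    """Inside-global addresses shared by many inside hosts, plus per-address port usage."""
    addresses: list[str]
    # Ports set aside for applications PAT knows about (step 3 of the FAQ), e.g. FTP's 21.
    reserved: set[int] = field(default_factory=set)
    # address -> set of (proto, port) already handed out on that address
    in_use: dict[str, set[tuple[str, int]]] = field(default_factory=dict)

    def _free(self, addr: str, proto: str, port: int) -> bool:
        used = self.in_use.setdefault(addr, set())
        return port not in self.reserved and (proto, port) not in used

    def allocate(self, proto: str, requested: int):
        """Return (global address, global port) for a new session, or None if the packet is dropped."""
        low, high = port_group(requested, proto)
        for addr in self.addresses:                 # next address only when this one is exhausted
            used = self.in_use.setdefault(addr, set())
            if self._free(addr, proto, requested):  # step 5: original port kept
                used.add((proto, requested))
                return addr, requested
            for port in range(low, high + 1):       # step 6: scan from the start of the group
                if self._free(addr, proto, port):
                    used.add((proto, port))
                    return addr, port
        return None                                 # step 8: no port left on any address


def demo():
    """Walk through the cases in the FAQ with a constructed two-address pool."""
    pool = PatPool(["140.16.1.1", "140.16.1.2"], reserved={21})
    results = [pool.allocate("tcp", 433) for _ in range(3)]   # 433, then 1, then 2
    # Exhaust group 1-511 on the first address to force the flip to the second.
    pool.in_use["140.16.1.1"].update(("tcp", p) for p in range(1, 512))
    flipped = pool.allocate("tcp", 433)       # second address, original port kept
    reserved = pool.allocate("tcp", 21)       # 21 is set aside, so the scan starts at 1
    return results, flipped, reserved


if __name__ == "__main__":
    print(demo())
```

The same rule is what makes the "no PAT mapping for that random port" situation in the active-FTP answer later on possible: the global port a session receives is decided here, at session creation from the inside, and nothing else creates entries.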

Q. What is the maximum number of configurable NAT IP pools (using the ip nat pool <name> command)?
A. There is no actual limit. In practical use, however, the maximum number of configurable IP pools is limited by the amount of available DRAM in the particular router being used.

Q. What is IP address overlapping as discussed within the context of NAT?


A. IP address overlapping refers to the situation where two locations that want to interconnect both use the same IP address scheme. This is not an unusual occurrence, and often happens when companies merge or are acquired. Without special support, the two locations are not able to connect and establish sessions. The overlapped IP addresses can be public addresses assigned to other companies, private addresses already assigned to other companies, or from the range of private addresses as defined in RFC 1918. Private IP addresses are unroutable and require NAT translations to allow for connections to the outside world. The solution involves intercepting DNS name query responses from the outside to the inside, setting up a translation for the outside address, and fixing up the DNS response before forwarding it on to the inside host. A DNS server is required to be involved on both sides of the NAT device, to resolve names for users who want to connect between both networks. NAT is able to inspect and perform address translation on the contents of DNS A and PTR records. Refer to Using NAT in Overlapping Networks for more information.

Q. Is it possible to build a configuration with both static and dynamic NAT translations?
A. Yes, this is possible. The caveat is that the global addresses used in static translations are not automatically excluded from dynamic pools that contain those global addresses. You must create your dynamic pools to exclude addresses assigned via static entries.

Q. Can IOS support multiple outside NAT tables?


A. Yes, you can do this through the use of route maps. The dynamic translation command can now specify a route map to be processed instead of an ACL. A route map allows the user to match any combination of ACLs, next-hop IP addresses, and output interfaces to determine which pool to use. Refer to NAT Support for Multiple Pools Using Route Maps for more information on configuring NAT using route maps.

Q. Why do I need to specify a subnet mask when I configure a NAT address pool?
A. The subnet mask is used to check the addresses allocated from the pool (so you do not allocate the subnet broadcast address, for example). The subnet mask must match the size of the subnet into which you translate.
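As an added illustration of what the mask check protects against (not Cisco code, and not the router's own validation logic), the following function validates an ip nat pool definition against its netmask and rejects pools that include the subnet or broadcast address or that cross the subnet boundary. The first pool it checks is the iga pool from the configuration example earlier on this page; the other values are constructed, and the exact set of conditions is an assumption.

```python
"""Check a NAT pool definition against the netmask, in the spirit of the FAQ answer.

Added example, not Cisco code: it refuses pools whose range falls outside the
subnet the mask describes or that include the subnet or broadcast address
(the FAQ's example of what the mask check prevents). Which conditions IOS
itself enforces is an assumption here; the pool values are constructed.
"""
import ipaddress


def check_nat_pool(start: str, end: str, netmask: str) -> list:
    """Problems with 'ip nat pool <name> <start> <end> netmask <mask>'; an empty list means usable."""
    problems = []
    subnet = ipaddress.IPv4Network(f"{start}/{netmask}", strict=False)
    low, high = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if high < low:
        problems.append("end address precedes start address")
    if high not in subnet:
        problems.append(f"range crosses the boundary of {subnet}")
    if low == subnet.network_address:
        problems.append(f"start address is the subnet address of {subnet}")
    if high == subnet.broadcast_address:
        problems.append(f"end address is the broadcast address of {subnet}")
    return problems


def usable_addresses(start: str, end: str, netmask: str) -> int:
    """Number of addresses the pool can hand out once the check passes (0 if it fails)."""
    if check_nat_pool(start, end, netmask):
        return 0
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


if __name__ == "__main__":
    # The 'iga' pool from the FAQ's configuration example: 253 usable addresses.
    print(check_nat_pool("140.16.1.1", "140.16.1.253", "255.255.255.0"))
    print(usable_addresses("140.16.1.1", "140.16.1.253", "255.255.255.0"))
    # A pool that would hand out the broadcast address of 140.16.1.0/24.
    print(check_nat_pool("140.16.1.1", "140.16.1.255", "255.255.255.0"))
```

Run the same check before adding a pool to a production configuration; a pool that hands out the subnet broadcast address produces sessions whose return traffic is never delivered, which is hard to diagnose from the translation table alone.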

Q. Can I allocate IP addresses from the NAT router's outside interface subnet to a dynamic NAT pool?
A. Yes. The NAT router answers ARP requests for these IP addresses in the dynamic pool.

Q. Does a NAT router properly handle ICMP redirects?


A. Yes.

Q. Does Cisco NAT support all application traffic?


A. Application traffic is transparent to Cisco IOS NAT unless:
There are embedded IP addresses in the data portion.
An application requires preset or negotiated source/destination port values.

Cisco IOS NAT performs stateful inspection and needs to have previous knowledge of all applications that embed and/or require specific source ports. For instance, Cisco supports the translation of embedded IP addresses in DNS A and PTR records, and Cisco supports FTP and NetMeeting version 2.11 (4.3.2519) and 3.01 (4.4.3385) by setting aside the source port values they require. Cisco does not assign those source port values when using the PAT or overload feature of Cisco IOS NAT.

With embedded IP addresses, Cisco IOS NAT needs to know which messages contain embedded addresses and the offset within these messages. If the embedded address(es) match the configured rules, they are translated based on the configuration. An application that embeds IP addresses which Cisco IOS NAT does not know about does not work properly in a Cisco IOS NAT configuration. One exception might be where a tunneling protocol such as Point-to-Point Tunneling Protocol (PPTP) is used. In this case, you do not translate the embedded IP addresses of the tunneled packets. However, the user has a virtual extension of their home network and uses the home network's addressing scheme. If this user were to access the outside through their home network, the user might choose to apply NAT at this point.

Embedded IP addresses are an issue regardless of the type of translation you have configured with Cisco IOS NAT (simple, extended, overload, and so forth). When packets destined to well-known ports are translated, NAT inspects the packet payload, translates the embedded IP addresses, and creates a full extended translation. This happens with static and dynamic NAT configurations. This functionality is performed in the process-switched path and is normal behavior for all protocols that require translation of embedded IP addresses, including FTP, DNS, Internet Relay Chat (IRC), Simple Network Management Protocol (SNMP), Lightweight Directory Access Protocol (LDAP), H.323, and Session Initiation Protocol (SIP).

Preset or negotiated source port values are an issue only when you use the PAT or overload feature of Cisco IOS NAT. PAT multiplexes multiple IP conversations over one or more IP addresses, and uses the source port to uniquely identify conversations on each IP address. The PAT feature needs to set aside all specific port values that it is aware of, in case it gets a conversation for those application types (FTP, NetMeeting, and so forth).

Q. Why does Cisco IOS NAT not support SNMP traffic?


A. The SNMP packet format depends on the particular MIB that is used and is not self-describing. There is no single format for SNMP requests and responses that can be processed in a general fashion.

Q. How are ARPs handled for IP addresses generated by NAT?


A. Cisco IOS NAT generates an ARP entry for IP addresses created by the NAT that points to the MAC address of the interface the NAT IP address pool is associated with. For example, when inside source translation is performed, if the inside global address pool is associated to the subnet of an outside interface (S0, for example), then ARP entries for these IP addresses use the MAC address of S0.

Q. Does Cisco IOS NAT support DNS queries?


A. Yes, Cisco IOS NAT does translate the address(es) which appear in DNS responses to name lookups (A queries) and inverse lookups (PTR queries). If an outside host sends a name lookup to a DNS server on the inside, and that server responds with a local address, the NAT code translates that local address to a global address. The opposite is also true, and is how Cisco supports IP addresses that overlap. An inside host queries an outside DNS server, the response contains an address that matches the ACL specified on the outside source command, and the code translates the outside global address to an outside local address. Time-to-live (TTL) values on all DNS resource records (RRs) which receive address translations in RR payloads are automatically set to zero. Cisco IOS NAT does not translate IP addresses embedded in DNS zone transfers.
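The DNS fix-up described here and in the overlapping-networks answer (rewrite the A-record address in the response, set that record's TTL to zero so the inside host never caches the untranslated address) can be shown on a real message. The following is an added example, not Cisco code and not the router's ALG: it constructs a DNS response per RFC 1035, rewrites A-records whose address has a translation (the sample uses the outside static entry 10.1.1.10 to 192.168.1.254 from the configuration example earlier on this page), zeroes the TTL of each rewritten record and leaves other records untouched. The helper names and the sample names are assumptions.

```python
"""Rewrite of A-record answers the way the FAQ describes NAT's DNS handling.

Added example, not Cisco code. It builds a constructed DNS response, rewrites
any A-record whose address matches a translation and sets that record's TTL
to zero, leaving other records alone. Message layout follows RFC 1035;
helper names and the sample names/addresses are assumptions.
"""
import ipaddress
import struct


def _encode_name(name: str) -> bytes:
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # a 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def build_response(qname: str, answers, txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one A question and the given (name, ttl, ipv4) answers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    body = b"".join(
        _encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
        for name, ttl, ip in answers
    )
    return header + question + body


def _answers(msg: bytes):
    """Yield (offset of the RR's TYPE field, rtype, ttl, rdlength) for every answer RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        yield off, rtype, ttl, rdlength
        off += 10 + rdlength


def fixup_dns_response(msg: bytes, translations: dict) -> tuple[bytes, list]:
    """Rewrite A-record rdata per translations {old_ip: new_ip}; TTL of each rewritten RR becomes 0."""
    buf = bytearray(msg)
    rewritten = []
    for off, rtype, _ttl, rdlength in _answers(msg):
        if rtype != 1 or rdlength != 4:      # only A records carry a translatable address here
            continue
        rdata = off + 10
        old = str(ipaddress.IPv4Address(bytes(buf[rdata:rdata + 4])))
        if old in translations:
            buf[rdata:rdata + 4] = ipaddress.IPv4Address(translations[old]).packed
            buf[off + 4:off + 8] = struct.pack("!I", 0)   # TTL field follows TYPE and CLASS
            rewritten.append((old, translations[old]))
    return bytes(buf), rewritten


def a_records(msg: bytes) -> list:
    """(ttl, address) for each A answer, used to check the result."""
    out = []
    for off, rtype, ttl, rdlength in _answers(msg):
        if rtype == 1 and rdlength == 4:
            out.append((ttl, str(ipaddress.IPv4Address(msg[off + 10:off + 14]))))
    return out


if __name__ == "__main__":
    # Constructed response from an outside server: ns.foo.com lives at 10.1.1.10 on the outside.
    msg = build_response("ns.foo.com", [("ns.foo.com", 3600, "10.1.1.10"),
                                        ("www.foo.com", 3600, "203.0.113.7")])
    fixed, changed = fixup_dns_response(msg, {"10.1.1.10": "192.168.1.254"})
    print(changed, a_records(fixed))
```

The length of the message does not change because an A-record's rdata is always four bytes, so no length fields elsewhere in the message need patching; zone transfers, which the answer says NAT leaves alone, would carry the same records inside a TCP stream with a different framing.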

Q. Does Cisco IOS NAT support ACLs that permit any or all packets?
A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support the use of any or all packets in the ACLs used by NAT. If any or all packets are used, then unexpected behavior can occur.

Q. Why does Active FTP work with static/extended (port forwarding) but it does not work with PAT?
A. The reason is that when you open up the FTP connection you connect to port 21 at the remote FTP server. But when you do an "ls", "put", "get", or anything that needs to use a data port, the server opens up another connection back to the client. When you open your original FTP connection from the inside, the router pretends that you are a specific outside IP and picks a random port number to use, so the FTP server thinks it is talking to that IP address and that port number. Therefore, when it needs to open up the data connection back, due to the "get" or "ls", and so forth, it attempts to open a TCP connection from port 20 to some random port that the server decides, on the outside IP it thinks it is talking to. The router hears traffic directed at its outside IP, but does not have any PAT mapping for that random port number that the server picked. Therefore, it does not know that this traffic is supposed to go back to the client. The port 20 connection never gets established. The fix is to use "passive FTP" mode. Passive FTP has the client open both the port 21 and port 20 connections from the start. The router knows about both of them rather than just port 21, and allows the server to open port 20. Refer to Analysis of the File Transfer Protocol (FTP) for more information on FTP. You need extended translations for ports 20 and 21 with static mappings (example address):

ip nat inside source static tcp 192.168.0.4 20 66.46.64.82 20 extendable
ip nat inside source static tcp 192.168.0.4 21 66.46.64.82 21 extendable

The way that active FTP works does not allow for the use of dynamic NAT. Only static NAT can be used in this case. This is a limitation of FTP.
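The lookup difference this answer rests on can be modelled directly: a PAT entry is a full extended entry (inside local, inside global, outside host and port), so the router delivers an inbound packet only when it matches a session that was opened from the inside, whereas a static extendable entry is matched on the global address and port alone, so an unsolicited inbound connection to that port reaches the inside host. The following is an added example and not Cisco code; the table layout, the simplified PAT port counter and the server address are constructed, the global and inside addresses are the ones in the static mappings above, and the model deliberately does not implement the FTP ALG (PORT-command rewriting), only the table lookups.

```python
"""Model of the translation-table lookups behind the active-FTP answer.

Added example, not Cisco code. A PAT entry is a full extended entry, so only
the reply to a session opened from the inside matches it; a static extendable
entry is matched on the global address and port alone, so unsolicited inbound
traffic to that port is delivered. Table layout, PAT port counter and the
server address are constructed; the FTP ALG is not modelled.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatTable:
    global_ip: str                       # the router's single inside-global address
    # (proto, global port) -> (inside local ip, inside local port)
    statics: dict = field(default_factory=dict)
    # (proto, outside ip, outside port, global port) -> (inside local ip, inside local port)
    dynamic: dict = field(default_factory=dict)
    next_port: int = 1024                # simplified allocator, enough for this model

    def add_static_extendable(self, proto, local_ip, local_port, global_port):
        """ip nat inside source static <proto> <local> <port> <global> <port> extendable"""
        self.statics[(proto, global_port)] = (local_ip, local_port)

    def outbound(self, flow: Flow) -> Flow:
        """Inside -> outside: translate the source and record a full extended entry."""
        for (proto, gport), local in self.statics.items():
            if proto == flow.proto and local == (flow.src, flow.sport):
                return Flow(flow.proto, self.global_ip, gport, flow.dst, flow.dport)
        while (flow.proto, self.next_port) in self.statics:   # never hand out a static port
            self.next_port += 1
        gport, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[(flow.proto, flow.dst, flow.dport, gport)] = (flow.src, flow.sport)
        return Flow(flow.proto, self.global_ip, gport, flow.dst, flow.dport)

    def inbound(self, flow: Flow):
        """Outside -> inside: the translated flow, or None when the router has no mapping (dropped)."""
        local = self.dynamic.get((flow.proto, flow.src, flow.sport, flow.dport))
        if local is None:
            local = self.statics.get((flow.proto, flow.dport))
        if local is None:
            return None
        return Flow(flow.proto, flow.src, flow.sport, local[0], local[1])


def scenario(with_static: bool):
    """Return (reply delivered?, unsolicited inbound delivered?, translated unsolicited flow)."""
    nat = NatTable("66.46.64.82")                   # global address from the FAQ's static mappings
    client, server = "192.168.0.4", "203.0.113.5"   # inside host from the FAQ; server constructed
    if with_static:
        nat.add_static_extendable("tcp", client, 21, 21)
        nat.add_static_extendable("tcp", client, 20, 20)
    control = nat.outbound(Flow("tcp", client, 3000, server, 21))
    reply = nat.inbound(Flow("tcp", server, 21, control.src, control.sport))
    # The server opens a new connection from its port 20 toward the global address;
    # no outbound session created a PAT entry for that port.
    data = nat.inbound(Flow("tcp", server, 20, nat.global_ip, 20))
    return reply is not None, data is not None, data


if __name__ == "__main__":
    print("PAT only:", scenario(False)[:2])        # (True, False): reply ok, unsolicited dropped
    print("with static:", scenario(True)[:2])      # (True, True)
```

From a defender's point of view the same property cuts both ways: PAT drops every inbound connection that no inside host initiated, while a static extendable entry exposes the inside port to any outside host, so each such entry should be backed by an ACL on the outside interface.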

NetPro Discussion Forums Featured Conversations

Networking Professionals Connection is a forum for networking professionals to share questions, suggestions, and information about networking solutions, products, and technologies. The featured links are some of the most recent conversations available in this technology.
NetPro Discussion Forums Featured Conversations for RP:
Service Providers: MPLS
Virtual Private Networks: Services
Virtual Private Networks: Security

Related Information
NAT Technology Support Pages
Technical Support & Documentation, Cisco Systems

All contents are Copyright 1992-2006 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Updated: Nov 16, 2006
