Read it if you like, if not... Frequently Asked Questions about Cisco IOS NAT (English)
    Frequently Asked Questions about Cisco IOS NAT


    Q. What is NAT?

    A. Network Address Translation (NAT) is designed for IP address simplification and conservation, as it enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded onto another network. As part of this functionality, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security, effectively hiding the entire internal network from the world behind that address. NAT has the dual functionality of security and address conservation, and is typically implemented in remote access environments.


    Q. What are the main differences between Cisco IOS NAT and Cisco's PIX firewall implementation of NAT?


    A. Cisco IOS-based NAT functionality is not fundamentally different from the NAT functionality in the PIX Firewall. The main differences involve the different traffic types supported in Cisco IOS NAT and the NAT implementation in the PIX. For detailed information on NAT functionality in the PIX, including the traffic types supported, see http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/


    Q. On which Cisco routing platforms is Cisco IOS NAT available? How do I order it?

    A. Cisco's Feature Navigator gives customers a tool to identify in which release, and on which platform, any Cisco IOS feature is available. Please refer to the following URL and follow the instructions provided:


    For historical purposes:
    - When originally introduced in release 11.2, NAT was only available in the "Plus" images.
    - With release 11.3, Port Address Translation (PAT) was available in all IP images, with full NAT (1-1 and PAT) available only in "Plus" images.
    - With release 12.0, all IP images provided full NAT functionality, as outlined in the table below.

    | Cisco IOS software release | NAT Support in Base images | NAT Support in "Plus" images | Easy IP Support | Hardware Platforms Supported |
    |---|---|---|---|---|
    | 11.2 | None | NAT | None | Cisco 1000, 2500, 4x00, AS5200, 7200, RSP7000, 7500 |
    | 11.2P | None | NAT | None | Cisco 1000, 1600, 2500, 3620, 3640, 4x00, AS5200, AS5300, Cat5000 RSM, 7200, RSP7000, 7500 |
    | 11.3 | PAT only | NAT | Phase 1 | Cisco 1000, 1600, 2500, 3620, 3640, 4x00, AS5200, 7200, RSP7000, 7500 |
    | 11.3T | PAT only | NAT | Phase 1 | Cisco 1000, 1600, 2500, 2600, 3620, 3640, 4x00, AS5200, AS5300, Cat5000 RSM, 7200, RSP7000, 7500 |
    | 12.0 | NAT | NAT | Phase 1 | Cisco 1600, 2500, 2600, 3620, 3640, 4000, 4500, 4700, AS5x00, Cat5000 RSM, 7200, RSP7000, 7500 |
    | 12.0T | NAT | NAT | Phase 2 | Cisco 800 (1), 1400, 1600, 1700, 2500 (2), 2600, 36x0, MC3810, C4x00, AS5x00, Cat5000 RSM, Cat5000 RSFC, 7100, 7200, uBR9x0, uBR7200 (3), RSP7000, 7500 |
    | 12.1 | NAT | NAT | Phase 2 | Cisco 800 (1), 1400, 1600, 1700, 2500 (2), 2600, 36x0, MC3810, C4x00, AS5x00, Cat5000 RSM, Cat5000 RSFC, 7100, 7200, uBR9x0, uBR7200 (3), RSP7000, 7500, RPM |
    | 12.1T | NAT | NAT | Phase 2 | Cisco 800 (1), 1400, 1600 (4), 1700 (2, 4), 2500, 2600, 36x0, MC3810, C4x00, AS5x00, Cat5000 RSM, Cat5000 RSFC, 7100, 7200, uBR9x0, uBR7200 (3), RSP7000, 7500, RPM |


    - No NAT functionality is available on the uBR7200 in the Service Provider (-p) software image. DHCP Server functionality is available on the uBR7200 in the Service Provider (-p) software image.
    - On Cisco 2500, 2600, 3620, 3640, 4x00, Cisco AS5200, AS5300, AS5800, Catalyst® 5000 RSM, Cisco 7200, Cisco RSP7000, Cisco 7500, and MGX 8800 RPM platforms in Enterprise (-j) images beginning in 12.0(1) and 12.0(1)T.
    - On Cisco 3800 Series in Enterprise (-j) images beginning in 12.0(3)T.
    - In Cisco IOS Firewall images for Cisco 1600 and 2500 platforms beginning in 12.0(3) and 12.0(3)T, and Cisco 1700, 2600, 3600, and 7200 platforms beginning with 12.0(3)T.

    Table notes:
    (1) NAT is supported in all Cisco IOS software images for Cisco 800 beginning in 12.0(3)T.
    (2) NAT is supported in all Cisco IOS software images for Cisco 1700 beginning in 12.0(3)T.
    (3) NAT and DHCP Server functionality are only available on the uBR7200 platform in the Service Provider Plus (-ps) software image beginning in 12.0(3)T.
    (4) All platforms other than uBR7200 require either a 'J' or 'O' image, Enterprise or Cisco IOS Firewall respectively, to obtain support for Microsoft's NetMeeting application within Cisco IOS NAT.


    Q. Does NAT occur before or after routing?

    A. Inside-to-Outside Translation occurs after routing and Outside-to-Inside Translation occurs before routing.



    Q. How is routing awareness learned for IP Addresses created using NAT?

    A. Routing for IP addresses created by NAT is learned if:
    - the Inside Global address pool is derived from the subnet of a next hop router, or
    - a static route entry is configured in the next hop router and redistributed within the routing network.

    Q. How many concurrent NAT sessions are supported in Cisco IOS NAT?

    A. The NAT session limit is bounded by the amount of available DRAM in the router. Each NAT translation consumes about 160 bytes of DRAM. As a result, 10,000 translations (more than would generally be handled on a single router) would consume about 1.6 MB. Therefore, a typical routing platform has more than enough memory to support thousands of NAT translations.


    Q. What kind of routing performance can I expect when I use Cisco IOS NAT?
    A. Cisco IOS NAT supports Cisco Express Forwarding (CEF) switching, fast switching and, of course, process switching.
    Performance depends on a number of factors: the type of application and its traffic (does it embed IP addresses in the payload, does it exchange multiple messages that need to be inspected, does it require a specific source port or negotiate one), the number of translations, what else is running on the box at the time, and of course the type of platform and processor.
    For most applications, the degradation of performance due to NAT should be negligible.


    Q. Can Cisco IOS NAT be applied to sub-interfaces?
    A. Yes. Source and/or destination NAT translations can be applied to any interface or sub-interface having an IP address (including dialer interfaces).


    Q. Can Cisco IOS NAT be used with HSRP to provide redundant links to an ISP?
    A. No. In this scenario, the standby router wouldn't have the translation table of the active router, so when the cutover happens, connections time out and fail.


    Q. Does Cisco IOS NAT support inbound translations on a serial trunk running Frame Relay? Does it support outbound translations on the Ethernet side?
    A. Yes to both questions.


    Q. Can a single NAT-enabled router allow some users to utilize NAT and allow other users on the same Ethernet interface to continue with their own IP addresses?
    A. Yes. This can be accomplished through the use of an access list describing the set of hosts or networks that require NAT translation. All sessions on the same host either will be translated or will pass through the router and not be translated.
    Access Lists, Extended Access Lists and Route Maps can be used to define your 'rules' for which IP device(s) get translated. You should ALWAYS specify the network address and appropriate subnet mask. You should NOT use the keyword 'any' in place of the network address and subnet mask.

    ip nat inside source static 10.1.1.10 140.16.1.254
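    As an added example that is not part of the original FAQ, the following Cisco IOS configuration ties together the routing answer above (an inside global pool drawn from the next hop's subnet, so no extra route is needed) and the access-list answer (an explicit network and mask select the translated hosts, never 'any'). Interface names, addresses and the pool name are assumed.

```cisco
! Constructed example, not taken from the FAQ. Assumed topology:
! inside LAN 10.1.1.0/24 on FastEthernet0/0, ISP link on Serial0/0,
! inside global block 140.16.1.0/24 (the same subnet as the next hop).
interface FastEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Link to ISP (next hop 140.16.1.2)
 ip address 140.16.1.1 255.255.255.0
 ip nat outside
!
! Hosts that get translated: explicit network plus wildcard mask.
! "access-list 10 permit any" would also match every other inside
! source, which is exactly what the FAQ tells you not to do.
access-list 10 permit 10.1.1.0 0.0.0.255
!
! Pool of inside global addresses. Because it is carved from the
! outside interface's subnet, the next hop already knows how to reach
! it and no static route or redistribution is required.
ip nat pool ISP-POOL 140.16.1.10 140.16.1.20 netmask 255.255.255.0
ip nat inside source list 10 pool ISP-POOL overload
!
! One-to-one static entry for a server that must be reachable from outside.
ip nat inside source static 10.1.1.10 140.16.1.254
!
! Inside hosts outside 10.1.1.0/24 (say 192.168.5.0/24 on the same LAN)
! are routed but not translated; their own addresses appear on the outside.
! Verify the resulting table and hit counts with:
!   show ip nat translations
!   show ip nat statistics
```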