Address Translation Configuration

The remainder of this chapter focuses on the setup of basic address translation on your router. Some of the issues of address translation and configuration solutions to these issues are left for the next chapter. As you will see in the rest of this chapter, you need to perform two basic steps, no matter what type of address-translation solution(s) you will implement:

  • Define your address-translation policies.

  • Define which interfaces are considered internal and external.

The following sections cover how to configure address translation for NAT, PAT, port address redirection, overlapping addresses, and basic load balancing.

Configuration of NAT

You can perform NAT translation either statically or dynamically:

  • With a static NAT translation, you define a one-to-one mapping of inside local addresses to inside global addresses. Static inside NAT translation typically is done when you have an internal server with a private address, but you want to allow external users to access this service.

  • With a dynamic NAT translation, you create a pool of inside global addresses that your internal devices will use when translating their inside local addresses. This typically is used for internal users accessing external resources, especially for connections that experience problems with PAT.

The following two sections discuss how to configure these two types of NAT.

Static NAT

With static NAT, you need to perform two tasks:

Step 1. Define your static translations.

Step 2. Specify which interfaces are internal and external.

To define your static translations, use the ip nat inside source static command:

Router(config)# ip nat inside source static inside_local_IP_address
  inside_global_IP_address


This command creates the static mappings of inside local to inside global addresses. The first IP address that you list is the one that the Cisco IOS examines in the source of the IP packet. If it is found, the Cisco IOS translates the source address to the second address that you listed in this command.

Another form of this command enables you to map one network to another with the following syntax:

Router(config)# ip nat inside source static network
  inside_local_IP_network_number inside_global_IP_network_number subnet_mask


This command is more user friendly because you do not have to map individual IP addresses: You can map one network to another, address for address. For example, if you have a local network of 192.168.1.0/24 and a global network of 192.1.1.0/24, each host address in the local network is mapped to the corresponding host address in the global network. For example, 192.168.1.1 maps to 192.1.1.1, and 192.168.1.2 maps to 192.1.1.2. For the subnet mask value, you can enter it either in dotted decimal, as in 255.255.255.0, or by number of bits, as in /24.

After you have created your address-translation entries, you must specify which interfaces are considered to be internal (inside) and which are considered external (outside). This is done with the ip nat {inside | outside} interface command:

Router(config)# interface type [slot_#/]port_#
Router(config-if)# ip nat {inside | outside}


NOTE

By specifying which interfaces are inside and which are outside, you are influencing how address translation is performed by the router.


To help illustrate the use of this command, take a look at the network shown in Figure 11-6. In this example, I want to make two servers inside the network available to the outside world.

Figure 11-6. Static NAT Example



The basic static NAT configuration for this router is displayed in Example 11-1.

Example 11-1. Basic Example Using Static Inside NAT

Router(config)# ip nat inside source static 10.0.0.1 192.1.1.1

Router(config)# ip nat inside source static 10.0.0.2 192.1.1.2

Router(config)# interface ethernet0

Router(config-if)# ip nat inside

Router(config-if)# exit

Router(config)# interface ethernet1

Router(config-if)# ip nat outside


As you can see, 10.0.0.1 is assigned an inside global IP address of 192.1.1.1, and 10.0.0.2 is assigned 192.1.1.2. You can create as many static mappings as you need.

For static NAT, I want to emphasize three important points:

  • Make sure that your external ACL, applied inbound, allows traffic to the destination inside global IP addresses, not the inside local addresses. It is important to point out that the router processes the ACL first and then performs the translation.

  • Make sure that your DNS server sends the inside global address to requesting outside users.

  • If an address is not specified in any translation rule, the Cisco IOS forwards it normally. If you want to prevent packets from entering or leaving your network, use an ACL to filter them.

Dynamic NAT

Configuration of dynamic NAT requires one more step than static NAT. With dynamic NAT, you need to perform the following steps:

Step 1. Define which internal (inside local) addresses are to be translated.

Step 2. Define a pool that specifies the inside global addresses that will be assigned to the inside local addresses.

Step 3. Specify which interfaces are internal and external.

To accomplish Step 1, use the following command:

Router(config)# ip nat inside source list standard_IP_access_list_#_or_name
  pool NAT_pool_name


The list parameter points to a standard IP ACL that specifies which inside local addresses should be translated; any addresses listed with a permit statement in the ACL will be translated. The pool parameter specifies the global address pool that should be used when performing the translation. This parameter actually points to the ip nat pool command that has the list of inside global IP addresses in the pool. With this parameter, specify the name of the NAT pool.

To accomplish Step 2, use the following command:

Router(config)# ip nat pool NAT_pool_name beginning_inside_global_IP_address
  ending_inside_global_IP_address {netmask subnet_mask_of_addresses |
  prefix-length #_of_bits}


The ip nat pool command specifies the list of inside global IP addresses that will be assigned to packets with inside local addresses. You need to name the pool, which must match the name in the ip nat inside source list command. Following this, specify the beginning and ending global IP addresses in the pool. Finally, you need to specify the subnet mask associated with the global address pool. This can be done as a dotted-decimal mask (netmask) or the number of bits in the mask (prefix-length).

NOTE

If you do not have enough global addresses in your address pool, the Cisco IOS will not be capable of performing any translations. In other words, the Cisco IOS will not switch dynamically from NAT to PAT based on availability of addresses in this pool. Therefore, you should consider carefully how many addresses you need. You also can manipulate timeouts for addresses so that idle address usage is freed up quicker and made available to other devices that need translation. This is discussed toward the end of this chapter in the section "Setting Timeout Limits."


To accomplish Step 3, use the ip nat {inside | outside} command to associate which interface(s) are internal and which are external. This command was discussed previously in the "Static NAT" section.

Now look at a simple example that illustrates the use of dynamic NAT, using the network shown previously in Figure 11-6. As you recall from this example, 10.0.0.1 and 10.0.0.2 were assigned through static NAT, so these are excluded in this configuration. Example 11-2 shows the configuration for the dynamic NAT example.

Example 11-2. Basic Example Using Dynamic Inside NAT

Router(config)# ip nat inside source list dynamic-nat-addresses   (1)

  pool dynamic-nat-pool

Router(config)# ip access-list standard dynamic-nat-addresses     (2)

Router(config-std-nacl)# deny 10.0.0.1

Router(config-std-nacl)# deny 10.0.0.2

Router(config-std-nacl)# permit 10.0.0.0 0.255.255.255

Router(config-std-nacl)# exit

Router(config)# ip nat pool dynamic-nat-pool 192.1.1.20           (3)

  192.1.1.254 netmask 255.255.255.0

Router(config)# interface ethernet0

Router(config-if)# ip nat inside

Router(config-if)# exit

Router(config)# interface ethernet1

Router(config-if)# ip nat outside


Refer to the numbers on the right side of Example 11-2 for this explanation. In Example 11-2, Statement 1 associates the inside local addresses (in standard ACL dynamic-nat-addresses) that will be translated to inside global addresses (pool dynamic-nat-pool). Statement 2 defines the inside local addresses that will be translated. Notice that I am excluding 10.0.0.1 and 10.0.0.2 because these are the two servers that have static translations from the last section; otherwise, any other network 10.0.0.0/8 address will be translated. Statement 3 defines the inside global addresses that local addresses will be translated to. The addresses range from 192.1.1.20 to 192.1.1.254. At the bottom of the code listing is the definition of which interfaces are internal and external.

NOTE

Notice in Example 11-2 that the ACL has an implicit deny at the end, affecting which addresses are translated. Basically, any address in 10.0.0.0/8 is translated, except for 10.0.0.1 and 10.0.0.2; all other addresses are not translated. Cisco recommends that you not have an explicit permit any to allow all addresses to be translated because this can cause connectivity problems in a small number of cases and also creates a security risk.

Also, the two explicit deny statements were not necessary, but I put them there for explanatory purposes. If you have configured both static and dynamic address translation, the Cisco IOS always uses the static configuration before using the dynamic ones.
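The ordering rules in this section and the two notes above (static entries before dynamic ones, the ACL's implicit deny, and a pool that runs dry with no fallback to PAT) are easy to misjudge when reading a configuration. The following Python model, added here and not part of the book's text or of the Cisco IOS, replays Examples 11-1 and 11-2 against a deliberately tiny pool so that each outcome is visible. The InsideSourceNat class, the two-address pool, and the host addresses 10.0.0.5 through 10.0.0.7 and 172.16.0.1 are constructed for the illustration; CIDR prefixes stand in for the ACL's wildcard masks (0.255.255.255 equals /8).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the order in which the chapter says Cisco IOS applies
# inside-source translation rules. Illustration only, not IOS code.


class InsideSourceNat:
    def __init__(self, pool_start: str, pool_end: str) -> None:
        self.static: Dict[str, str] = {}   # ip nat inside source static entries
        # Ordered standard ACL entries; the implicit deny lives in acl_permits().
        self.acl: List[Tuple[str, ipaddress.IPv4Network]] = []
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.pool_free: List[str] = [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]
        self.dynamic: Dict[str, str] = {}  # addresses already handed out from the pool

    def add_static(self, inside_local: str, inside_global: str) -> None:
        self.static[inside_local] = inside_global

    def acl_entry(self, action: str, prefix: str) -> None:
        self.acl.append((action, ipaddress.IPv4Network(prefix)))

    def acl_permits(self, src: str) -> bool:
        ip = ipaddress.IPv4Address(src)
        for action, net in self.acl:
            if ip in net:
                return action == "permit"
        return False  # implicit deny: an unmatched address is not translated

    def translate(self, src: str) -> Tuple[str, Optional[str]]:
        """Return (outcome, inside global address) for a packet whose source is src."""
        # 1. A static entry always wins over the dynamic configuration.
        if src in self.static:
            return ("static", self.static[src])
        # 2. A host that already holds a dynamic entry keeps using it.
        if src in self.dynamic:
            return ("dynamic", self.dynamic[src])
        # 3. Not permitted by the ACL: forwarded normally, without translation.
        if not self.acl_permits(src):
            return ("untranslated", src)
        # 4. Permitted, but the pool is empty: no translation, and no switch to PAT.
        if not self.pool_free:
            return ("dropped", None)
        self.dynamic[src] = self.pool_free.pop(0)
        return ("dynamic", self.dynamic[src])


def example_11_2_walkthrough() -> List[Tuple[str, str, Optional[str]]]:
    """Replay Examples 11-1 and 11-2 with a pool shrunk to two addresses (constructed)."""
    nat = InsideSourceNat("192.1.1.20", "192.1.1.21")
    nat.add_static("10.0.0.1", "192.1.1.1")
    nat.add_static("10.0.0.2", "192.1.1.2")
    # No explicit denies for the two servers: the static entries win anyway.
    nat.acl_entry("permit", "10.0.0.0/8")
    results = []
    for src in ["10.0.0.1", "10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.5", "172.16.0.1"]:
        outcome, addr = nat.translate(src)
        results.append((src, outcome, addr))
    return results


if __name__ == "__main__":
    for src, outcome, addr in example_11_2_walkthrough():
        print(f"{src:<12} {outcome:<13} {addr}")
```

Note the fourth host in the walkthrough: its packets are dropped, not translated with PAT, which is the situation the note on pool sizing warns about.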


Configuration of PAT

The configuration of PAT is very similar to the configuration of dynamic NAT. As with dynamic NAT, you perform three configuration steps:

Step 1. Define which internal (inside local) addresses are to be translated.

Step 2. Define a pool that specifies the inside global addresses that will be assigned to the inside local addresses.

Step 3. Specify which interfaces are internal and external.

To accomplish Step 1, use the following command:

Router(config)# ip nat inside source list standard_IP_access_list_#_or_name
  pool NAT_pool_name overload


This is the same command used with dynamic NAT; the main difference is the use of the overload parameter.

If your router has a connection to an ISP, your ISP dynamically is assigning an IP address to your router, and this is the only public address that your ISP is assigning to you, you can use the following command:

Router(config)# ip nat inside source list standard_IP_access_list_#_or_name
  interface interface_name overload


In this example, the Cisco IOS uses whatever IP address is assigned to your router's external interface to perform PAT. If you use this second option, you do not need to configure an address pool in Step 2, and you can go directly to Step 3.

CAUTION

You should reference the interface name with PAT even if the ISP has assigned you only one address and you have hard-coded this address on your router's external interface. Issues can arise in the Cisco IOS if you reference the IP address on the interface instead of referencing the interface name itself.


To accomplish Step 2, use the following command:

Router(config)# ip nat pool NAT_pool_name beginning_inside_global_IP_address
  ending_inside_global_IP_address {netmask subnet_mask_of_addresses | prefix-length
  #_of_bits}


The ip nat pool command specifies the list of inside global IP addresses that will be assigned to packets with inside local addresses. You need to name the pool, and the name must match the one in the ip nat inside source list command. Following this, specify the beginning and ending global IP addresses in the pool. For PAT, if you are putting only one IP address in the pool, specify it as both the beginning and ending address. Finally, you need to specify the subnet mask associated with the global address pool.

To accomplish Step 3, use the ip nat {inside | outside} command to associate which interfaces are internal and which are external. This command was discussed previously in the "Static NAT" section.

Now look at a simple example that illustrates the use of PAT, using the network shown previously in Figure 11-6. As you recall from this example, 10.0.0.1 and 10.0.0.2 were assigned through static NAT, so they are excluded in this configuration. Example 11-3 shows the configuration for PAT.

Example 11-3. Basic PAT Configuration

Router(config)# ip nat inside source list dynamic-pat-addresses   (1)

  pool dynamic-pat-pool overload

Router(config)# ip access-list standard dynamic-pat-addresses

Router(config-std-nacl)# permit 10.0.0.0 0.255.255.255

Router(config-std-nacl)# exit

Router(config)# ip nat pool dynamic-pat-pool 192.1.1.19           (2)

  192.1.1.19 netmask 255.255.255.0

Router(config)# interface ethernet0

Router(config-if)# ip nat inside

Router(config-if)# exit

Router(config)# interface ethernet1

Router(config-if)# ip nat outside


Refer to the numbers on the right side of Example 11-3 for this explanation. In Example 11-3, Statement 1 associates the inside local addresses (in standard ACL dynamic-pat-addresses) that will be translated to inside global addresses (pool dynamic-pat-pool). Notice the overload statement, which indicates that PAT is used. Statement 2 defines the inside global addresses that local addresses will be translated to. In this example, I specified the same address as the beginning and ending address. However, you can specify multiple addresses; in this instance, the overload parameter in Statement 1 indicates that PAT is performed. At the bottom of the code listing is the definition of which interfaces are internal and external.

If your ISP assigned you only a single public IP address and did this through DHCP to assign this address to your external interface, the configuration in Example 11-3 would be changed to the configuration in Example 11-4.

Example 11-4. Basic PAT Configuration Using an Interface

Router(config)# ip nat inside source list dynamic-pat-addresses   (1)

  interface ethernet1 overload

Router(config)# ip access-list standard dynamic-pat-addresses

Router(config-std-nacl)# permit 10.0.0.0 0.255.255.255

Router(config-std-nacl)# exit

Router(config)# interface ethernet0

Router(config-if)# ip nat inside

Router(config-if)# exit

Router(config)# interface ethernet1

Router(config-if)# ip address dhcp                                (2)

Router(config-if)# ip nat outside


Refer to the numbers on the right side of Example 11-4 for this explanation. First, notice in Statement 1 that I reference interface ethernet1 as the address to use for PAT. Second, notice that a global address pool is not needed in this example because the IP address assigned to ethernet1 will be used. Third, Statement 2 specifies that DHCP is used to assign an address to ethernet1; this also can be done through PPP for DSL connections that use PPPoE.

Configuration of Port Address Redirection

In port address redirection (PAR), an address-translation device redirects the connection for traffic directed to one device or port, to a different device or port. A new PAR enhancement, called NAT Default Inside Server, was introduced in Cisco IOS 12.2(13)T. NAT Default Inside Server is an augmentation to Port Static NAT that allows the router to send any requests that it receives from an external host on an unknown port to a default inside server. This was meant to help with people who connected an X-box and other unintelligent networking devices out through a Cisco IOS address-translation device so that the other users on the Internet could connect back to the internal device using a wide range of dynamic ports.

CAUTION

Use NAT Default Inside Server only when you do not know what port or ports need to be forwarded to an internal device. By using this feature, you allow all ports that are not statically redirected to be sent to the default server. Whenever possible, you want to limit your exposure by configuring static translations for PAR instead of using the default inside server option.


PAR is used when your ISP assigns you one public IP address that you have to configure on your perimeter router's external interface, but you want outside users to access services inside your network. In this situation, outside users direct traffic to your router's public address. PAR allows the Cisco IOS to change the addressing information in the packet header to redirect this traffic to an internal device, such as a web or e-mail server.

To set up PAR, use one of the following two commands:

Router(config)# ip nat inside source static local_IP_address
  interface external_interface

Router(config)# ip nat inside source static {tcp | udp}
  local_IP_address local_port_# interface external_interface global_port_#


With the first command, any traffic sent to the interface specified in the ip nat inside source static command is redirected to the inside local IP address. This is useful if all your public services are located on one server. If your public services are spread across multiple servers, you need to use the second command. If you are implementing NAT Default Inside Server, omit the second command in the configuration: You obviously do not know the port number or numbers that external users will use. When you have completed your PAR configuration, you also must specify the location of your interfaces with the ip nat {inside | outside} commands.

Take a look at an example in which PAR is useful. In the network in Figure 11-7, this company wants external users to access two internal servers: www (port 80 and 8080) and Telnet (port 23).

Figure 11-7. PAR Example



Example 11-5 shows the configuration to allow this access through PAR.

Example 11-5. Simple PAR Configuration

Router(config)# ip nat inside source static tcp 10.0.0.1 8080     (1)

  interface ethernet1 8080

Router(config)# ip nat inside source static tcp 10.0.0.1 8080     (2)

  interface ethernet1 80

Router(config)# ip nat inside source static tcp 10.0.0.2 23       (3)

  interface ethernet1 23

Router(config)# interface ethernet0

Router(config-if)# ip nat inside

Router(config-if)# exit

Router(config)# interface ethernet1

Router(config-if)# ip nat outside


Refer to the numbers on the right side of Example 11-5 for this explanation. In Example 11-5, the first three statements set up PAR. Statements 1 and 2 define redirection to the web server. Notice that the internal web server is running on port 8080. The global port numbers have the Cisco IOS look for inbound traffic to either port 80 or 8080, which causes the router to redirect it to 10.0.0.1. The third statement redirects Telnet traffic to 10.0.0.2. One interesting thing about all three of these commands is that they specify the external interface, ethernet1, as the global IP address. If traffic is sent to this address and it does not match the conditions of the three PAR statements, the router itself tries to process the traffic.
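The exposure difference between static PAR entries and the NAT Default Inside Server described in the caution earlier in this section can be made concrete. The following Python model is an added illustration, not the book's or Cisco's code. It encodes the three rules of Example 11-5, then the same rules with a constructed default inside server at 10.0.0.9 (the game-console case the text mentions), and reports which ports reach an internal host in each case. The PortRedirector class and its method names are assumptions of the model.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed model of port address redirection (PAR) on the router's external
# interface address, with the optional NAT Default Inside Server.
# Illustration only, not IOS code.


class PortRedirector:
    def __init__(self, default_inside_server: Optional[str] = None) -> None:
        # (protocol, global port) -> (inside local IP, inside local port)
        self.rules: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.default_inside_server = default_inside_server

    def add_static(self, proto: str, local_ip: str, local_port: int, global_port: int) -> None:
        """ip nat inside source static {tcp|udp} local_ip local_port interface X global_port"""
        self.rules[(proto, global_port)] = (local_ip, local_port)

    def inbound(self, proto: str, dst_port: int) -> Tuple[str, Optional[str], Optional[int]]:
        """Decide where a packet sent to the external interface address on dst_port goes."""
        if (proto, dst_port) in self.rules:
            ip, port = self.rules[(proto, dst_port)]
            return ("redirect", ip, port)
        if self.default_inside_server is not None:
            # Every port without a static rule is handed to the default server, unchanged.
            return ("redirect", self.default_inside_server, dst_port)
        # No rule matched: the router itself processes the traffic.
        return ("router", None, None)

    def exposed_ports(self, proto: str) -> Optional[Set[int]]:
        """Ports on which some internal host is reachable; None means every port."""
        if self.default_inside_server is not None:
            return None
        return {port for (p, port) in self.rules if p == proto}


def _example_11_5_rules(par: PortRedirector) -> PortRedirector:
    par.add_static("tcp", "10.0.0.1", 8080, 8080)
    par.add_static("tcp", "10.0.0.1", 8080, 80)
    par.add_static("tcp", "10.0.0.2", 23, 23)
    return par


def example_11_5_walkthrough():
    strict = _example_11_5_rules(PortRedirector())
    loose = _example_11_5_rules(PortRedirector(default_inside_server="10.0.0.9"))  # constructed
    return (
        (strict.inbound("tcp", 80), strict.inbound("tcp", 443), strict.exposed_ports("tcp")),
        (loose.inbound("tcp", 443), loose.exposed_ports("tcp")),
    )


if __name__ == "__main__":
    print(example_11_5_walkthrough())
```

With the three static entries, only ports 23, 80 and 8080 lead inside; everything else stops at the router. With the default inside server configured, an unmatched port such as 443 is forwarded to 10.0.0.9, and the set of reachable ports is no longer bounded by the configuration, which is why the caution recommends static entries whenever the port numbers are known.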

NOTE

As of this writing, Cisco has not included a feature that supports dynamic DNS. This feature is useful if your ISP dynamically is assigning your router or firewall with a single IP address, through either DHCP or PPP, but you want external users to access your internal resources to use this address. Some router/firewall products actually go out and update the DNS record information with the new IP address; the Cisco IOS does not support this feature yet, but Cisco has promised that this will be available soon.


Dealing with Overlapping Addresses

Overlapping addresses is a common problem with some networks. Typically, you must deal with overlapping addresses in three situations:

  • You are merging two companies that have the same address space.

  • A previous administrator addressed your network with someone else's public addresses.

  • You are creating a VPN connection to an Extranet partner where either an overlapping address condition exists or one of the parties requires the use of address translation to conform to company security policies.

Of course the long-term solution to this problem is to readdress your network; however, to overcome connectivity problems in the short term, you can resort to address translation to solve your problem.

You can deploy two address-translation solutions for overlapping addresses: static and dynamic. In either solution, you need to perform translation in two directions:

  • Inside to outside

  • Outside to inside

Take a look at a quick example to illustrate the configuration complexity with overlapping addresses. In Figure 11-8, the network on the right (Company B) has been assigned network 200.1.1.0/24 by the IANA and is the rightful owner of this address space. The network on the left (Company A) also is using this address space. Apparently, before this network was connected to the Internet, a previous administrator randomly choose a Class C network and assigned this address space to all the internal devices. Now Company A wants to connect to the Internet, and its ISP has assigned it a Class C address space: 199.1.1.0/24. In this example, the Company A administrator does not have the time right now to change the addresses that manually were assigned to internal devices. Therefore, the current administrator decided to use address translation as a temporary solution.

Figure 11-8. Overlapping Addresses and Cisco IOS Configuration



In this example, two translations must occur to solve the overlapping address problem:

  • Inside to outside: The source addresses of the internal machines must be changed to 199.1.1.x when leaving the network.

  • Outside to inside: On the off chance that the real owner of 200.1.1.x sends packets to Company A, these addresses must be changed to something else. One common solution is to change these addresses to the ones that the ISP assigned the company on the left. This creates confusion, so sometimes a company uses a private address space. The only issue here is that the internal network needs a route for this network number, which must point to the address-translation device.

The following two sections cover the use of static and dynamic configurations for dealing with overlapping addresses.

Static Translation

When you have overlapping addresses, static translations are used in two situations:

  • You have servers on one or both sides that the remote side needs access to.

  • You want to statically assign blocks of network addresses manually instead of dynamically, reducing the amount of configuration that needs to be done.

For inside-to-outside translation, use either of the following two commands:

Router(config)# ip nat inside source static inside_local_IP_address
  inside_global_IP_address

Router(config)# ip nat inside source static network inside_local_IP_network_number
  inside_global_IP_network_number subnet_mask


These two commands were discussed previously in the "Static NAT" section. For outside-to-inside translation, use either of the following two commands:

Router(config)# ip nat outside source static outside_global_IP_address
  inside_local_IP_address [add-route]

Router(config)# ip nat outside source static network outside_global_IP_network_number
  inside_local_IP_network_number subnet_mask [add-route]


As you can see from these two commands, the syntax is slightly different from that of the inside-to-outside configuration. The first address that you list is the address in the source IP address field in the IP packet header; this is what the remote network has placed in this field. The inside_local_IP address or network number is the address that this value will be changed to when it is transmitted from the outside interface to the inside interface. The optional add-route parameter adds a route for the translated network in the router's routing table.

Take a look at a quick example, based on Figure 11-8, to illustrate how to use static address translation to overcome an overlapping address problem. Example 11-6 shows the configuration for the router in Company A.

Example 11-6. Basic Static Configuration That Solves Overlapping Addresses

Router(config)# ip nat inside source static                       (1)

  network 200.1.1.0 199.1.1.0 /24

Router(config)# ip nat outside source static                      (2)

  network 200.1.1.0 199.1.1.0 /24

Router(config)# ip route 0.0.0.0 0.0.0.0 205.1.1.1

Router(config)# interface ethernet0

Router(config-if)# ip address 200.1.1.254 255.255.255.0

Router(config-if)# ip nat inside

Router(config-if)# exit

Router(config)# interface ethernet1

Router(config-if)# ip address 205.1.1.2 255.255.255.0

Router(config-if)# ip nat outside


Refer to the numbers on the right side of Example 11-6 for this explanation. In the configuration in Example 11-6, Statement 1 converts the inside addresses from 200.1.1.0/24 to 199.1.1.0/24. Statement 2 converts outside addresses from 200.1.1.0/24 to 199.1.1.0/24.

One of the interesting things about this configuration is that, even though it appears confusing, it actually tricks the two networks regarding where the IP addresses (200.1.1.0/24 and 199.1.1.0/24) really are located:

  • Even though 199.1.1.0/24 is really Company A, from Company A's perspective, it looks like this network is located at Company B.

  • Even though 200.1.1.0/24 is really Company B, these addresses are translated to 199.1.1.0/24 as they enter Company A, making it appear that 199.1.1.0/24 is Company B's addresses.
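The two bullets above describe the illusion that Example 11-6 creates; following one packet through both directions makes it clearer. The Python model below is an added illustration, not the book's or Cisco's code. It applies the address-for-address mapping of the two static network statements to a request from 200.1.1.10 at Company A to Company B's 200.1.1.5 (which Company A's hosts know as 199.1.1.5) and to the reply. The OverlapTranslator class, the host addresses .10 and .5, and the unrelated Internet address 198.51.100.7 are constructed for the walkthrough.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed model of Example 11-6: static network translation in both
# directions on Company A's router. Illustration only, not IOS code.


class OverlapTranslator:
    def __init__(self, overlap: str, inside_global: str, outside_local: str) -> None:
        self.overlap = ipaddress.IPv4Network(overlap)               # 200.1.1.0/24, used by both companies
        self.inside_global = ipaddress.IPv4Network(inside_global)   # how Company A appears outside
        self.outside_local = ipaddress.IPv4Network(outside_local)   # how Company B appears inside

    @staticmethod
    def _remap(addr: str, src_net: ipaddress.IPv4Network, dst_net: ipaddress.IPv4Network) -> str:
        """Address-for-address mapping: keep the host part, swap the network part."""
        ip = ipaddress.IPv4Address(addr)
        if ip not in src_net:
            return addr  # not covered by a rule: forwarded unchanged
        offset = int(ip) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def inside_to_outside(self, src: str, dst: str) -> Tuple[str, str]:
        # Statement 1 rewrites Company A's source; the destination that Company A's
        # hosts addressed as 199.1.1.x is turned back into Company B's real 200.1.1.x.
        return (self._remap(src, self.overlap, self.inside_global),
                self._remap(dst, self.outside_local, self.overlap))

    def outside_to_inside(self, src: str, dst: str) -> Tuple[str, str]:
        # Statement 2 rewrites Company B's source; the destination 199.1.1.x that the
        # outside world used is turned back into the real inside host 200.1.1.x.
        return (self._remap(src, self.overlap, self.outside_local),
                self._remap(dst, self.inside_global, self.overlap))


def example_11_6_walkthrough() -> Dict[str, Tuple[str, str]]:
    """One request/reply pair plus an unrelated Internet destination (constructed addresses)."""
    router = OverlapTranslator("200.1.1.0/24", "199.1.1.0/24", "199.1.1.0/24")
    return {
        # Company A host 200.1.1.10 talks to what it believes is 199.1.1.5
        "outbound": router.inside_to_outside("200.1.1.10", "199.1.1.5"),
        # Company B's 200.1.1.5 replies to 199.1.1.10
        "return": router.outside_to_inside("200.1.1.5", "199.1.1.10"),
        # A destination outside both networks is left alone; only the source changes
        "internet": router.inside_to_outside("200.1.1.10", "198.51.100.7"),
    }


if __name__ == "__main__":
    for label, (src, dst) in example_11_6_walkthrough().items():
        print(f"{label:<9} src={src:<12} dst={dst}")
```

The return packet arrives inside with source 199.1.1.5, so Company A's hosts (and its DNS) must refer to Company B's machines by 199.1.1.x, which is exactly the confusion the tip that follows warns about.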

TIP

As you can see from this example, the overlapping address configuration is confusing. Therefore, I highly recommend that you migrate as quickly as possible from using address translation to solving your connectivity problems with overlapping addresses, to readdressing either one or both networks. Using address translation to solve the problem introduces delay in traffic streams and makes it much more difficult to troubleshoot connectivity problems.


Dynamic Translation

Besides using static address translation to solve overlapping addresses, you can use dynamic address translation. As with static translation, you need to configure translation in both directions.

For inside-to-outside translation, use the configuration discussed previously in the "Dynamic NAT" section. For outside-to-inside translation, use the following configuration syntax:

Router(config)# ip nat pool pool_name starting_global_IP_address ending_IP_address
  {netmask subnet_mask_of_addresses | prefix-length #_of_bits}
Router(config)# access-list ACL_# permit source_IP_address [wildcard_mask]
Router(config)# ip nat outside source list ACL_# pool pool_name


The ip nat pool command creates a pool of addresses that external addresses (outside) will be translated to. The access-list command specifies which external addresses will be translated; this can be a standard numbered or named ACL. The third command links the ACL and the NAT pool name; in other words, it links the outside addresses (ip nat outside source list) that will be translated to addresses specified in the global pool (ip nat pool).

Take a look at a quick example, based on Figure 11-8, to illustrate how to use dynamic address translation to overcome an overlapping address problem. Example 11-7 shows the configuration for the router in Company A.

Example 11-7. Basic Dynamic Configuration That Solves Overlapping Addresses

Router(config)# access-list 1 permit 200.1.1.0 0.0.0.255          (1)

Router(config)# ip nat pool inside-pool 199.1.1.1 199.1.1.127     (2)

  netmask 255.255.255.0

Router(config)# ip nat inside source list 1 pool inside-pool      (3)

Router(config)# ip nat pool outside-pool 199.1.1.128 199.1.1.254  (4)

  netmask 255.255.255.0

Router(config)# ip nat outside source list 1 pool outside-pool    (5)

Router(config)# ip route 0.0.0.0 0.0.0.0 205.1.1.1

Router(config)# interface ethernet0

Router(config-if)# ip address 200.1.1.254 255.255.255.0

Router(config-if)# ip nat inside

Router(config-if)# exit

Router(config)# interface ethernet1

Router(config-if)# ip address 205.1.1.2 255.255.255.0

Router(config-if)# ip nat outside


Refer to the numbers on the right side of Example 11-7 for the following explanation of the configuration:

  1. This statement is used by both inside-to-outside and outside-to-inside translations; it defines the overlapping address space, 200.1.1.0/24.

  2. This statement defines the address pool that inside addresses (from Company A) will be translated to.

  3. This statement associates the inside-to-outside translation: using ACL 1 and pool inside-pool. In this example, internal addresses with any address of 200.1.1.0/24 will be translated to 199.1.1.1 through 199.1.1.127.

  4. This statement defines outside-to-inside translation, specifying the pool of addresses that will be used to translate the Company B's addresses.

  5. This statement binds the outside-to-inside translation process: Any source addresses found in ACL 1, as they are entering Company A's network, will be translated to something between 199.1.1.128 and 199.1.1.254.

Overlapping Addresses

The first time I dealt with overlapping addresses, I was nearly pulling out my hair trying to configure a router to perform this successfully. When I looked at the examples from Cisco's web site, I was confused about why the configurations used the same network number for the address translation for internal and external access. In this instance, the network was using an already assigned public address space (192.x.x.x), and this company's ISP assigned it a new address space (202.x.x.x). With the configuration of address translation, I used 202.x.x.x as the address pool for both directions of translation. It took me a couple of days to straighten out all the problems with this configuration. Based on this experience, I began to readdress the network and update the DNS tables. When everything was set up correctly, I removed the overlapping address configuration. I learned that using address translation to solve overlapping addresses is not a fun and exciting solution; it is a tedious and hair-pulling one.


Configuration of Traffic Distribution

Traffic distribution redirects connection requests to different internal servers for traffic destined to one IP address, thus providing a load-balancing feature. The configuration of traffic distribution is similar to the configuration of dynamic NAT and PAT. With the configuration of traffic distribution, you need to perform three tasks:

Step 1. Create an address pool that has the list of internal servers that will be used for load balancing.

Step 2. Define what address or addresses external devices are using to access the internal resources, and associate this with the pool in Step 1.

Step 3. Specify which interfaces are on the inside and outside.

To accomplish Step 1, use the following command:

Router(config)# ip nat pool pool_name beginning_inside_local_IP_address
  ending_inside_local_IP_address {netmask subnet_mask_of_addresses | prefix-length
  #_of_bits} type rotary


As you can see from this command, this is similar to configuring NAT or PAT: The main difference is the use of the type rotary parameter. This parameter tells the Cisco IOS that it should round-robin the assignment of internal addresses specified in the beginning and ending inside local IP addresses in this command.

To accomplish Step 2, use the following configuration:

Router(config)# access-list ACL_# permit IP_address_of_internal_server
Router(config)# ip nat inside destination list
  standard_IP_access_list_number_or_name pool pool_name


The standard ACL can be either named or numbered. The ACL references the destination IP address (or addresses) that external users are using to access your internal resource: This is the address that your DNS server is sending in DNS replies to the external users. Figure 11-9 shows a simple example, using a virtual IP address (199.1.1.1) to associate with the internal web servers (10.0.0.10 and 10.0.0.11). Using a virtual IP address is a common practice. You need to use this virtual address in your DNS server's resolution record.

Figure 11-9. Traffic Distribution Example



The ip nat inside destination list command binds together the ACL and pool name: It tells the Cisco IOS that when traffic is sent to the address or addresses listed in the standard ACL, these destination addresses should be changed to those in the NAT pool, using a round-robin scheme.

Step 3 specifies which of your interfaces are internal and external. This is done with the ip nat inside and ip nat outside interface commands.

Using Figure 11-9, take a look at an example of configuring traffic distribution. In Example 11-8, 199.1.1.1 is the virtual server IP address; this is the IP address that your DNS server is sending to external users.

Example 11-8. Basic Traffic Distribution Configuration

Router(config)# ip nat pool inside-hosts 10.0.0.10 10.0.0.11
  prefix-length 24 type rotary
Router(config)# access-list 1 permit 199.1.1.1
Router(config)# ip nat inside destination list 1 pool inside-hosts
Router(config)# interface ethernet0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface ethernet1
Router(config-if)# ip nat outside


In Example 11-8, the ip nat pool command specifies the two internal servers (10.0.0.10 and 10.0.0.11) that will handle traffic directed to 199.1.1.1. Notice that the type rotary parameter specifies that traffic distribution is used. The access-list statement specifies the address that external users are using when trying to access the internal web servers: 199.1.1.1. The ip nat inside destination list command binds together the NAT pool and ACL: When outside users send traffic to 199.1.1.1, the destination address is translated to one of the addresses in the NAT pool. In this example, the first external connection request is redirected to 10.0.0.10, the second to 10.0.0.11, the third to 10.0.0.10, and so on. Below this, the location of NAT is specified on the interfaces with the ip nat {inside | outside} interface command.

CAUTION

When using this method of traffic distribution with the Cisco IOS, you should be forewarned that the Cisco IOS cannot detect whether one of the servers in the NAT pool has failed, nor can it detect the load on the respective servers. For example, if 10.0.0.10 failed in Figure 11-9, the Cisco IOS still would use this address in load balancing. Therefore, I recommend using this solution only in a very simple setup. Chapter 12 introduces a better solution to this problem.
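The three steps above are easy to get out of sync: a pool defined without type rotary, an ACL number that nothing references, or an ACL that permits far more than the one virtual address (which would rewrite the destination of every matching inbound packet to a pool server). The following Python script is an added example, not code from the chapter or from Cisco; it parses a configuration fragment in the command forms shown above and reports those mistakes. SAMPLE_CONFIG is constructed to mirror Example 11-8, and BROKEN_CONFIG is a constructed misconfiguration; both are assumptions for illustration.

```python
"""Lint the three pieces of an IOS traffic-distribution (rotary NAT) setup.

Added example; not code from the chapter or from Cisco. Cross-checks a
running-config fragment for the bindings the text describes: a 'type rotary'
pool, a standard ACL naming the virtual address, the 'ip nat inside
destination list' statement tying them together, and the interface roles.
"""
import ipaddress
import re

# Constructed sample mirroring Example 11-8.
SAMPLE_CONFIG = """\
ip nat pool inside-hosts 10.0.0.10 10.0.0.11 prefix-length 24 type rotary
access-list 1 permit 199.1.1.1
ip nat inside destination list 1 pool inside-hosts
interface ethernet0
 ip nat inside
interface ethernet1
 ip nat outside
"""

# Constructed misconfiguration: pool lacks 'type rotary', the ACL permits any
# destination, and no interface is marked outside.
BROKEN_CONFIG = """\
ip nat pool web 10.0.0.10 10.0.0.11 prefix-length 24
access-list 1 permit any
ip nat inside destination list 1 pool web
interface ethernet0
 ip nat inside
"""

POOL_RE = re.compile(
    r"^ip nat pool (\S+) (\S+) (\S+) (?:netmask (\S+)|prefix-length (\d+))(?: type (\S+))?$")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+)(?: (\S+))?$")
DEST_RE = re.compile(r"^ip nat inside destination list (\S+) pool (\S+)$")
IF_RE = re.compile(r"^interface (\S+)$")
ROLE_RE = re.compile(r"^\s*ip nat (inside|outside)$")


def _acl_network(word, second):
    """Turn the address words of a standard ACL entry into an ip_network."""
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(second + "/32")
    if second is None:
        return ipaddress.ip_network(word + "/32")
    # IOS wildcard mask: the inverted bits of a netmask.
    wild = int(ipaddress.ip_address(second))
    netmask = ipaddress.ip_address(~wild & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{word}/{netmask}", strict=False)


def parse_config(text):
    """Collect pools, ACLs, destination-list bindings and interface roles."""
    pools, acls, dests = {}, {}, []
    roles = {"inside": [], "outside": []}
    current_if = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := POOL_RE.match(line):
            name, start, end, mask, plen, ptype = m.groups()
            network = ipaddress.ip_network(f"{start}/{plen or mask}", strict=False)
            pools[name] = {"start": ipaddress.ip_address(start),
                           "end": ipaddress.ip_address(end),
                           "network": network, "type": ptype}
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(_acl_network(m.group(2), m.group(3)))
        elif m := DEST_RE.match(line):
            dests.append((m.group(1), m.group(2)))
        elif m := IF_RE.match(line):
            current_if = m.group(1)
        elif (m := ROLE_RE.match(line)) and current_if:
            roles[m.group(1)].append(current_if)
    return {"pools": pools, "acls": acls, "dests": dests, "roles": roles}


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = parse_config(text)
    findings = []
    if not cfg["dests"]:
        findings.append("no 'ip nat inside destination list' statement binds an ACL to a pool")
    for acl, pool_name in cfg["dests"]:
        pool = cfg["pools"].get(pool_name)
        if pool is None:
            findings.append(f"destination list {acl} references undefined pool {pool_name}")
        elif pool["type"] != "rotary":
            findings.append(f"pool {pool_name} is not 'type rotary'; connections will not be round-robined")
        if acl not in cfg["acls"]:
            findings.append(f"destination list {acl} references undefined access-list {acl}")
            continue
        for net in cfg["acls"][acl]:
            if net.prefixlen != 32:
                # Every destination in this range would be rewritten to a pool server.
                findings.append(f"access-list {acl} permits {net}, not a single virtual address")
            elif pool and pool["start"] <= net.network_address <= pool["end"]:
                findings.append(f"virtual address {net.network_address} is itself a member of pool {pool_name}")
    for name, pool in cfg["pools"].items():
        if pool["start"] > pool["end"]:
            findings.append(f"pool {name}: start address is above end address")
        if pool["start"] not in pool["network"] or pool["end"] not in pool["network"]:
            findings.append(f"pool {name}: addresses fall outside the netmask/prefix-length given")
    for role, interfaces in cfg["roles"].items():
        if not interfaces:
            findings.append(f"no interface marked 'ip nat {role}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, lint(cfg) or ["ok"])
```

Paste the relevant lines of show running-config into a string and call lint() on it; the script never talks to the router. The "not a single virtual address" finding is the one to watch for: the standard ACL here selects destinations to rewrite, so a careless permit any turns the router into a redirector for all inbound traffic.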


Configuration of Translation Limits

When the Cisco IOS performs address translation, it stores the translation information in a translation table. Dynamic entries are kept only for a period of time: idle entries are aged out so that their addresses and ports can be reused by new connections. You can configure two kinds of limits: the total number of entries in the table and the idle timeouts for entries. The following two sections discuss their configuration.

Setting Connection Limits

By default, there is no preconfigured limit to the number of entries that the Cisco IOS will store in its address translation table. You can specify a limit with the following command:

Router(config)# ip nat translation max-entries #_of_entries


The number of entries can range from 1 to 2,147,483,647. If you have hard-coded a limit and want to remove it (return to the factory default of no limit), preface the previous command with the no parameter. Unless you are having memory issues on your router, you probably will leave this setting alone. Note, though, that a limit also bounds how much router memory a flood of new connections can consume: once the limit is reached, no new translations are created until existing entries are cleared or age out.

Setting Timeout Limits

Dynamic address-translation entries time out after their idle period expires. The Cisco IOS actually uses many different timeouts, based on the connection type, to time out idle connections. Here is the command to configure them:

Router(config)# ip nat translation timeout_parameter {seconds | never}


The timeout parameters, including their default timeout values, are listed in Table 11-4. The timeout value is specified either in a numerical seconds value or in the never parameter; the never parameter keeps an entry in the translation table until the router is rebooted.

Table 11-4. Address Translation Timeouts

Timeout Parameter               Default (seconds)     Explanation
timeout                         86,400                Applies to all dynamic translations except address overload (PAT) entries.
tcp-timeout                     86,400                Applies to all TCP connections.
finrst-timeout                  60                    Applies after a FIN or RST, the packets that terminate a TCP connection; when it expires, the translation entry is removed from the table.
syn-timeout                     60                    Applies to half-open TCP connections (a SYN has been seen but the three-way handshake has not completed); if the handshake does not complete in this time, the entry is removed from the table.
udp-timeout                     300                   Applies to all idle UDP connections except DNS.
dns-timeout                     60                    Applies to all UDP DNS connections.
port-timeout {tcp | udp} port_# TCP or UDP default    Sets a timeout for a specific TCP or UDP port number; if not configured, the default timeout for the protocol is used.
icmp-timeout                    60                    Applies to all ICMP connections.
pptp-timeout                    86,400                Applies to all NAT Point-to-Point Tunneling Protocol (PPTP) connections.


Verifying and Troubleshooting Address Translation

When you have configured address translation on your router, you can use various show, clear, and debug commands to assist you in verifying and troubleshooting address translation. The following three sections cover these commands.

show Commands

To view your address-translation table, which displays static and dynamic entries, use the show ip nat translations command:

Router# show ip nat translations [esp] [icmp] [pptp] [tcp] [udp]
  [verbose] [vrf vrf_name]


Without any options to the show ip nat translations command, all entries in the table are displayed. Table 11-5 explains the options for this command.

Table 11-5. show ip nat translations Parameters

Parameter   Explanation
esp         Displays only the Encapsulating Security Payload (ESP) entries, which are used by IPsec
icmp        Displays only the ICMP entries
pptp        Displays only the PPTP entries
tcp         Displays only the TCP entries
udp         Displays only the UDP entries
verbose     Displays detailed information about each entry, including how long ago it was created, how long ago it was last used, and how long remains before it is aged out
vrf         Displays only the entries belonging to the named VPN routing and forwarding (VRF) instance


Take a look at a few examples of the use of this command. Example 11-9 shows an example of using the show ip nat translations command.

Example 11-9. Using the show ip nat translations Command

Router# show ip nat translations
Pro   Inside global   Inside local   Outside local  Outside global
---   199.1.1.1       10.0.0.1       ---            ---
---   199.1.1.1       10.0.0.2       ---            ---


Notice that Example 11-9 does not contain any port numbers, which shows that the Cisco IOS is performing NAT. If the Cisco IOS was performing PAT, the display would look like Example 11-10.

Example 11-10. Using the show ip nat translations Command to Display PAT Connections

Router# show ip nat translations
Pro  Inside global    Inside local    Outside local  Outside global
tcp  199.1.1.1:33348  10.0.0.1:33348  200.1.1.1:23   200.1.1.1:23
tcp  199.1.1.1:33349  10.0.0.2:33349  200.1.1.1:23   200.1.1.1:23


Example 11-11 shows sample output when you use the verbose parameter.

Example 11-11. Using the verbose Parameter in the show ip nat translations Command

Router# show ip nat translations verbose
Pro  Inside global   Inside local     Outside local  Outside global
tcp  199.1.1.1:2688  10.0.0.20:2688   200.1.1.1:23   200.1.1.1:23
    create 00:00:16, use 00:00:14, left 23:59:45, Map-Id(In): 1, flags:
extended, use_count: 0, entry-id: 3, lc_entries: 0


In Example 11-11, only one PAT entry is listed: an internal device (10.0.0.20, translated to 199.1.1.1) has opened a Telnet connection to 200.1.1.1. The entry was created 16 seconds ago, was last used 14 seconds ago, and has 23:59:45 left before it is aged out; adding the idle time to the time left gives the 86,400-second tcp-timeout from Table 11-4.
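The Table 11-4 timeouts and the create/use/left fields of the verbose output are two views of the same thing, and it is worth being able to read them together when the table looks wrong (an entry that will not age out, a host holding hundreds of translations). The following Python script is an added example, not code from the chapter or from Cisco: it parses show ip nat translations output, separates plain NAT entries from extended (PAT) entries, counts translations per inside host, and for verbose output recovers the idle timeout the router is applying (time left plus time since last use) and compares it with the Table 11-4 default for that entry's protocol. It assumes times are printed as HH:MM:SS (entries older than a day, which IOS prints differently, are simply left without timing) and that UDP traffic to port 53 is what IOS treats as DNS. SAMPLE_PLAIN copies the format of Example 11-9; SAMPLE_VERBOSE is constructed in the format of Example 11-11 and includes one constructed entry whose timeout was changed with port-timeout.

```python
"""Parse 'show ip nat translations [verbose]' output and audit the entries.

Added example; not code from the chapter or from Cisco. Assumes HH:MM:SS
timing fields and that UDP port 53 is DNS for timeout purposes.
"""
import re
from collections import Counter

# Table 11-4 defaults (seconds) for the classes that can be inferred from the
# entry line alone; finrst-timeout and syn-timeout depend on TCP state that
# the show command does not display.
DEFAULT_TIMEOUTS = {
    "timeout": 86400,
    "tcp-timeout": 86400,
    "udp-timeout": 300,
    "dns-timeout": 60,
    "icmp-timeout": 60,
}

# Format of Example 11-9 (plain NAT entries, no ports).
SAMPLE_PLAIN = """\
Pro   Inside global   Inside local   Outside local  Outside global
---   199.1.1.1       10.0.0.1       ---            ---
---   199.1.1.1       10.0.0.2       ---            ---
"""

# Constructed verbose output in the format of Example 11-11. The last entry
# is assumed to have been given 'ip nat translation port-timeout udp 4500 3600'.
SAMPLE_VERBOSE = """\
Pro  Inside global   Inside local     Outside local  Outside global
tcp  199.1.1.1:2688  10.0.0.20:2688   200.1.1.1:23   200.1.1.1:23
    create 00:00:16, use 00:00:14, left 23:59:45, Map-Id(In): 1, flags:
extended, use_count: 0, entry-id: 3, lc_entries: 0
udp  199.1.1.1:5300  10.0.0.20:5300   200.1.1.53:53  200.1.1.53:53
    create 00:00:05, use 00:00:05, left 00:00:55, Map-Id(In): 1, flags:
extended, use_count: 0, entry-id: 4, lc_entries: 0
udp  199.1.1.1:4500  10.0.0.21:4500   200.1.1.9:4500 200.1.1.9:4500
    create 00:00:05, use 00:00:05, left 00:59:55, Map-Id(In): 1, flags:
extended, use_count: 0, entry-id: 5, lc_entries: 0
"""

ENTRY_RE = re.compile(r"^(---|[a-z]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TIMING_RE = re.compile(
    r"create (\d+):(\d+):(\d+), use (\d+):(\d+):(\d+), left (\d+):(\d+):(\d+)")


def _hms(h, m, s):
    return h * 3600 + m * 60 + s


def _addr(token):
    """'ip:port' -> (ip, port); bare 'ip' -> (ip, None); '---' -> (None, None)."""
    if token == "---":
        return (None, None)
    ip, sep, port = token.partition(":")
    return (ip, int(port) if sep else None)


def parse_translations(text):
    """Return one dict per entry; timing fields stay None for non-verbose output."""
    entries = []
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            entries.append({
                "proto": m.group(1),
                "inside_global": _addr(m.group(2)),
                "inside_local": _addr(m.group(3)),
                "outside_local": _addr(m.group(4)),
                "outside_global": _addr(m.group(5)),
                "create": None, "use": None, "left": None,
            })
        elif (t := TIMING_RE.search(line)) and entries:
            v = [int(x) for x in t.groups()]
            e = entries[-1]
            e["create"], e["use"], e["left"] = _hms(*v[0:3]), _hms(*v[3:6]), _hms(*v[6:9])
    return entries


def is_extended(entry):
    """Extended (PAT) entries carry port numbers; plain NAT entries do not."""
    return entry["inside_global"][1] is not None


def expected_timeout_name(entry):
    """Which Table 11-4 timeout class governs this entry."""
    if not is_extended(entry):
        return "timeout"
    proto = entry["proto"]
    if proto == "tcp":
        return "tcp-timeout"
    if proto == "udp":
        return "dns-timeout" if entry["outside_global"][1] == 53 else "udp-timeout"
    if proto == "icmp":
        return "icmp-timeout"
    return "timeout"


def implied_timeout(entry):
    """Idle timeout the router is applying: time left plus time already idle."""
    if entry["left"] is None:
        return None
    return entry["left"] + entry["use"]


def audit(text, tolerance=2):
    """Summarise a translation table; tolerance absorbs one-second display rounding."""
    entries = parse_translations(text)
    mismatches = []
    for e in entries:
        implied = implied_timeout(e)
        if implied is None:
            continue
        name = expected_timeout_name(e)
        if abs(implied - DEFAULT_TIMEOUTS[name]) > tolerance:
            mismatches.append((e["inside_local"][0], name, implied))
    return {
        "total": len(entries),
        "extended": sum(is_extended(e) for e in entries),
        "by_inside_local": Counter(e["inside_local"][0] for e in entries),
        "timeout_mismatches": mismatches,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PLAIN))
    print(audit(SAMPLE_VERBOSE))
```

Feed it the captured output of show ip nat translations verbose. A timeout_mismatches entry means the router is applying something other than the Table 11-4 default for that class, which is the quickest way to spot a forgotten port-timeout or a never that is keeping an entry alive indefinitely; the by_inside_local counter is the place to look for a single host burning through the PAT port space.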

To view statistics regarding the use of address translation, use the following command:

Router# show ip nat statistics


Example 11-12 shows the output of this command.

Example 11-12. Using the show ip nat statistics Command

Router# show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)    (1)
Outside interfaces:                                               (2)
  Ethernet1
Inside interfaces:
  Ethernet0
Hits: 121  Misses: 4                                              (3)
Expired translations: 3                                           (4)
Dynamic mappings:                                                 (5)
-- Inside Source
[Id: 1] access-list 1 pool dynamic-nat-pool refcount 1
 pool dynamic-nat-pool: netmask 255.255.255.0
   start 192.1.1.1 end 192.1.1.1
   type generic, total addresses 1, allocated 1 (100%), misses 0


Refer to the numbers on the right side of Example 11-12 for the following explanation of the output. In Example 11-12, Statement 1 shows the total number of active translations. In this example, there are no static translations, one dynamic translation, and one extended translation. An extended translation is one that uses port numbers, as PAT does.

Statement 2 shows which interfaces are associated with the inside and outside of the network. In Statement 3, "Hits," refers to the number of times the Cisco IOS looked in the address-translation table and found a matching entry; "Misses" refers to the number of times that the Cisco IOS did not find a matching entry in the translation table and had to create one. Statement 4 refers to the number of entries that were removed from the translation table because they expired (the corresponding idle timer elapsed).

Statement 5 refers to the address-translation policies that are configured on the router. The access-list 1 pool dynamic-nat-pool line shows the mapping between the ACL and the pool; its refcount 1 indicates that one active translation is currently using this mapping. Below this is the address pool used. In this instance, only a single address is listed: 192.1.1.1. The "allocated" reference indicates that one address (100 percent of the pool) is in use, and the trailing "misses 0" indicates that no request for an address from this pool has failed because the pool was exhausted.

clear Commands

You can remove a dynamically learned entry from the address-translation table using the clear ip nat translation command:

Router# clear ip nat translation *
Router# clear ip nat translation inside global_IP_address local_IP_address
Router# clear ip nat translation outside local_IP_address global_IP_address
Router# clear ip nat translation protocol inside global_IP_address global_port
  local_IP_address local_port [outside local_IP_address local_port
  global_IP_address global_port]


The first command removes all dynamic entries from the address-translation table; static entries are not affected and remain until you remove their ip nat inside source static commands. The second and third commands remove the inside or outside entry with the matching global and local addresses. The fourth command enables you to remove a single extended (PAT) entry, based on the protocol and port numbers.