Configuring Static NAT Translation

Network Address Translation Overview

Network Address Translation (NAT) enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT operates on a device, usually connecting two networks, and translates private (not globally unique) IP addresses in the internal network into legal IP addresses before packets are forwarded to another network. You can configure NAT to advertise only one IP address for the entire network to the outside world. This ability provides additional security, effectively hiding the entire internal network behind one IP address.

A device configured with NAT has at least one interface to the inside network and one to the outside network. In a typical environment, NAT is configured at the exit router between a stub domain and a backbone. When a packet leaves the domain, NAT translates the locally significant source IP address into a globally unique IP address. When a packet enters the domain, NAT translates the globally unique destination IP address into a local IP address. If more than one exit point exists, NAT configured at each point must have the same translation table.

NAT is described in RFC 1631.

Information About Static NAT

Static Network Address Translation (NAT) allows the user to configure one-to-one translations of the inside local addresses to the outside global addresses. It allows both IP addresses and port number translations from the inside to the outside traffic and the outside to the inside traffic. The Cisco Nexus® device supports Hitless NAT, which means that you can add or remove a NAT translation in the NAT configuration without affecting the existing NAT traffic flows.

Static NAT creates a fixed translation of private addresses to public addresses. Because static NAT assigns addresses on a one-to-one basis, you need an equal number of public addresses as private addresses. Because the public address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT enables hosts on the destination network to initiate traffic to a translated host if an access list exists that allows it .

The figure shows a typical static NAT scenario. The translation is always active so both translated and remote hosts can originate connections, and the mapped address is statically assigned by the static command.

Figure 1. Static NAT

These are key terms to help you understand static NAT:

  • NAT inside interface—The Layer 3 interface that faces the private network.

  • NAT outside interface—The Layer 3 interface that faces the public network.

  • Local address—Any address that appears on the inside (private) portion of the network.

  • Global address—Any address that appears on the outside (public) portion of the network.

  • Legitimate IP address—An address that is assigned by the Network Information Center (NIC) or service provider.

  • Inside local address—The IP address assigned to a host on the inside network. This address does not need to be a legitimate IP address.

  • Outside local address—The IP address of an outside host as it appears to the inside network. It does not have to be a legitimate address, because it is allocated from an address space that can be routed on the inside network.

  • Inside global address—A legitimate IP address that represents one or more inside local IP addresses to the outside world.

  • Outside global address—The IP address that the host owner assigns to a host on the outside network. The address is a legitimate address that is allocated from an address or network space that can be routed.

NAT Inside and Outside Addresses

NAT inside refers to networks owned by an organization that must be translated. When NAT is configured, hosts within this network will have addresses in one space (known as the local address space) that will appear to those outside the network as being in another space (known as the global address space).

Similarly, NAT outside refers to those networks to which the stub network connects. They are not generally under the control of the organization. Hosts in outside networks can be subject to translation and can have local and global addresses.

NAT uses the following definitions:

  • Local address—A local IP address that appears on the inside of a network.

  • Global address—A global IP address that appears on the outside of a network.

  • Inside local address—The IP address that is assigned to a host on the inside network. The address is probably not a legitimate IP address assigned by the Internet Network Information Center (InterNIC) or a service provider.

  • Inside global address—A legitimate IP address (assigned by InterNIC or a service provider) that represents one or more inside local IP addresses to the outside world.

  • Outside local address—The IP address of an outside host as it appears to the inside network. The address is not necessarily legitimate; it was allocated from the address space that is routable on the inside.

  • Outside global address—The IP address that is assigned to a host on the outside network by the owner of the host. The address was allocated from a globally routable address or a network space.

Guidelines and Limitations for Static NAT

Static NAT has the following configuration guidelines and limitations:

  • show commands with the internal keyword are not supported.

  • If the translated IP is part of the outside interface subnet, then use the ip proxy-arp command on the NAT outside interface. If the add-route keyword is used, ip proxy-arp should be enabled.

  • The Cisco Nexus device supports NAT on the following interface types:

    • Routed ports

  • NAT is supported on the default Virtual Routing and Forwarding (VRF) table only.

  • NAT is supported for IPv4 Unicast only.

  • The Cisco Nexus device does not support the following:

    • Software translation. All translations are done in the hardware.

    • NAT routing.

    • Application layer translation. Layer 4 and other embedded IPs are not translated, including FTP, ICMP failures, IPSec, and HTTPs.

    • NAT and VLAN Access Control Lists (VACLs) that are configured on an interface at the same time.

    • PAT translation of fragmented IP packets.

    • NAT translation on software forwarded packets. For example, packets with IP-options are not NAT translated.

  • If an IP address is used for Static NAT or PAT translations, it cannot be used for any other purpose. For example, it cannot be assigned to an interface.

  • For Static NAT, the outside global IP address should be different from the outside interface IP address.

  • When configuring a large number of translations (more than 100), it is faster to configure the translations before configuring the NAT interfaces.

  • ECMP NAT is not supported on Cisco Nexus® 3550-T switches.

Configuring Static NAT

Enabling Static NAT

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# feature nat

Enables the static NAT feature on the device.

Step 3

switch(config)# copy running-config startup-config

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Configuring Static NAT on an Interface

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# interface type slot/port

Specifies an interface to configure, and enters interface configuration mode.

Step 3

switch(config-if)# ip nat {inside | outside}

Specifies the interface as inside or outside.

Note

 

Only packets that arrive on a marked interface can be translated.

Step 4

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to configure an interface with static NAT from the inside:


switch# configure terminal
switch(config)# interface ethernet 1/4
switch(config-if)# ip nat inside

Enabling Static NAT for an Inside Source Address

For inside source translation, the traffic flows from inside interface to the outside interface. NAT translates the inside local IP address to the inside global IP address. On the return traffic, the destination inside global IP address gets translated back to the inside local IP address.


Note


When the Cisco Nexus device is configured to translate an inside source IP address (Src:ip1) to an outside source IP address (newSrc:ip2), the Cisco Nexus device implicitly adds a translation for an outside destination IP address (Dst: ip2) to an inside destination IP address (newDst: ip1).


Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# ip nat inside source static local-ip-address global-ip-address [group group-id ]

Configures static NAT to translate the inside local address to the inside global address or to translate the opposite (the inside global traffic to the inside local traffic). Specifying group specifies the group to which this translation belongs on the static twice NAT.

Step 3

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to configure static NAT for an inside source address:

switch# configure terminal
switch(config)# ip nat inside source static 1.1.1.1 5.5.5.5
switch(config)# copy running-config startup-config

Enabling Static NAT for an Outside Source Address

For outside source translation, the traffic flows from the outside interface to the inside interface. NAT translates the outside global IP address to the outside local IP address. On the return traffic, the destination outside local IP address gets translated back to outside global IP address.

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# ip nat outside source static outsideGlobalIP outsideLocalIP [dynamic] [add-route] ]

Configures static NAT to translate the outside global address to the outside local address or to translate the opposite (the outside local traffic to the outside global traffic). When an inside translation without ports is configured, an implicit add route is performed. The original add route functionality is an option while configuring an outside translation.

Step 3

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example show how to configure static NAT for an outside source address:

switch# configure terminal
switch(config)# ip nat outside source static 2.2.2.2 6.6.6.6
switch(config)# copy running-config startup-config

Configuring Static PAT for an Inside Source Address

You can map services to specific inside hosts using Port Address Translation (PAT).

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# ip nat inside source static {inside-local-address inside-global-address | {tcp| udp} inside-local-address {local-tcp-port | local-udp-port} inside-global-address {global-tcp-port | global-udp-port}}

Maps static NAT to an inside local port to an inside global port.

Step 3

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to map UDP services to a specific inside source address and UDP port:

switch# configure terminal
switch(config)#  ip nat inside source static udp 20.1.9.2 63 35.48.35.48 130
switch(config)# copy running-config startup-config

Configuring Static PAT for an Outside Source Address

You can map services to specific outside hosts using Port Address Translation (PAT).

Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# ip nat outside source static {outside-global-address outside-local-address | {tcp | udp} outside-global-address {global-tcp-port | global-udp-port} outside-local-address {global-tcp-port | global-udp-port}} {add-route}

Maps static NAT to an outside global port to an outside local port.

Step 3

(Optional) switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

This example shows how to map TCP services to a specific outside source address and TCP port:

switch# configure terminal
switch(config)#  ip nat outside source static tcp 20.1.9.2 63 35.48.35.48 130
switch(config)# copy running-config startup-config

Enabling and Disabling no-alias Configuration

NAT devices own Inside Global (IG) and Outside Local (OL) addresses and they are responsible for responding to any ARP requests directed to these addresses. When the IG/OL address subnet matches with the local interface subnet, NAT installs an IP alias and an ARP entry, in this case the device uses local-proxy-arp to respond to ARP requests.

The no-alias feature responds to ARP requests of all the translated IPs from a given NAT pool address range if the address range is in same subnet of the outside interface.

If no-alias is enabled on an interface with NAT configuration, the outside interface will not respond to any ARP requests in its subnet. When no-alias is disabled, the ARP requests for IPs in same subnet as of outside interface are served.


Note


When you downgrade to any older releases that does not support this feature, configurations with no-alias option may be deleted.


Procedure

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# feature nat

Enables the static NAT feature on the device.

Step 3

switch(config)# show run nat

Displays NAT configuration.

Step 4

switch(config)# show ip nat-alias

Displays the information whether or not the alias is created.

Note

 

By default, alias is created. To disable the alias, you must append no-alias keyword to the command.

Step 5

switch(config)# clear ip nat-alias ip address/all

Removes entries from alias list. To remove a specific entry you must provide the IP address that you want to remove. To remove all entries, use the all keyword.

Example

This example shows the interface information:

switch# configure terminal
switch(config)# show ip int b
IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status
Lo0                  100.1.1.1       protocol-up/link-up/admin-up       
Eth1/1               7.7.7.1         protocol-up/link-up/admin-up       
Eth1/3               8.8.8.1         protocol-up/link-up/admin-up 

This example shows the running configuration:

switch# configure terminal
switch(config)# show running-config nat
!Command: show running-config nat
!Running configuration last done at: Thu Aug 23 11:57:01 2018
!Time: Thu Aug 23 11:58:13 2018

version 9.2(2) Bios:version 07.64 
feature nat
interface Ethernet1/1
  ip nat inside 
interface Ethernet1/3
  ip nat outside 
switch(config)#  

This example shows how to configure alias:

switch# configure terminal
switch(config)# ip nat pool p1 7.7.7.2 7.7.7.20 prefix-length 24 
switch(config)# ip nat inside source static 1.1.1.2 8.8.8.3 
switch(config)# ip nat outside source static 2.2.2.1 7.7.7.3 
switch(config)# show ip nat-alias
Alias Information for Context: default
Address         Interface
7.7.7.2          Ethernet1/1
8.8.8.2          Ethernet1/3
switch(config)#  

This example shows the output of show ip nat-alias. By default, alias is enabled.

switch# configure terminal
switch(config)# show ip nat-alias
Alias Information for Context: default
Address         Interface
7.7.7.2          Ethernet1/1
8.8.8.2          Ethernet1/3
switch(config)#  

This example shows how to disable alias:

switch# configure terminal
switch(config)# ip nat pool p1 7.7.7.2 7.7.7.20 prefix-length 24 no-alias
switch(config)# ip nat inside source static 1.1.1.2 8.8.8.3 no-alias
switch(config)# ip nat outside source static 2.2.2.1 7.7.7.3 no-alias
switch(config)# show ip nat-alias
Alias Information for Context: default
Address         Interface
7.7.7.2          Ethernet1/1
8.8.8.2          Ethernet1/3
switch(config)# 

** None of the entry got appended as alias is disabled for above CLIs.
switch(config)#  

This example shows how to clear alias. Use clear ip nat-alias to remove an entry from alias list. You can remove a single entry by specifying the IP address or remove all the alias entries.

switch# configure terminal
switch(config)# clear ip nat-alias address 7.7.7.2
switch(config)# show ip nat-alias
Alias Information for Context: default
Address         Interface
8.8.8.2          Ethernet1/3
switch(config)# 
switch(config)# clear ip nat-alias all
switch(config)# show ip nat-alias
switch(config)#  

Configuration Example for Static NAT and PAT

This example shows the configuration for static NAT:


ip nat inside source static 103.1.1.1 11.3.1.1 
ip nat inside source static 139.1.1.1 11.39.1.1 
ip nat inside source static 141.1.1.1 11.41.1.1 
ip nat inside source static 149.1.1.1 95.1.1.1 
ip nat inside source static 149.2.1.1 96.1.1.1 
ip nat outside source static 95.3.1.1 95.4.1.1 
ip nat outside source static 96.3.1.1 96.4.1.1 
ip nat outside source static 102.1.2.1 51.1.2.1
ip nat outside source static 104.1.1.1 51.3.1.1 
ip nat outside source static 140.1.1.1 51.40.1.1 
This example shows the configuration for static PAT:

ip nat inside source static tcp 10.11.1.1 1 210.11.1.1 101 
ip nat inside source static tcp 10.11.1.1 2 210.11.1.1 201 
ip nat inside source static tcp 10.11.1.1 3 210.11.1.1 301 
ip nat inside source static tcp 10.11.1.1 4 210.11.1.1 401 
ip nat inside source static tcp 10.11.1.1 5 210.11.1.1 501 
ip nat inside source static tcp 10.11.1.1 6 210.11.1.1 601 
ip nat inside source static tcp 10.11.1.1 7 210.11.1.1 701 
ip nat inside source static tcp 10.11.1.1 8 210.11.1.1 801 
ip nat inside source static tcp 10.11.1.1 9 210.11.1.1 901 
ip nat inside source static tcp 10.11.1.1 10 210.11.1.1 1001 
ip nat inside source static tcp 10.11.1.1 11 210.11.1.1 1101 
ip nat inside source static tcp 10.11.1.1 12 210.11.1.1 1201 

Verifying the Static NAT Configuration

To display the static NAT configuration, perform this task:

Procedure

Command or Action Purpose

switch# show ip nat translations

Shows the translations for the inside global, inside local, outside local, and outside global IP addresses.

Example

This example shows how to display the static NAT configuration:


switch# sh ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global

--- ---                ---                51.3.1.1           104.1.1.1
--- ---                ---                95.4.1.1           95.3.1.1
--- ---                ---                96.4.1.1           96.3.1.1
--- ---                ---                51.40.1.1          140.1.1.1
--- ---                ---                51.42.1.1          142.1.2.1
--- ---                ---                51.1.2.1           102.1.2.1
--- 11.1.1.1           101.1.1.1          ---                ---
--- 11.3.1.1           103.1.1.1          ---                ---
--- 11.39.1.1          139.1.1.1          ---                ---
--- 11.41.1.1          141.1.1.1          ---                ---
--- 95.1.1.1           149.1.1.1          ---                ---
--- 96.1.1.1           149.2.1.1          ---                ---
    130.1.1.1:590      30.1.1.100:5000    ---                ---
    130.2.1.1:590      30.2.1.100:5000    ---                ---
    130.3.1.1:590      30.3.1.100:5000    ---                ---
    130.4.1.1:590      30.4.1.100:5000    ---                ---
    130.1.1.1:591      30.1.1.101:5000    ---                ---


switch# sh ip nat translations verbose 
Pro Inside global      Inside local       Outside local      Outside global
any ---                ---                22.1.1.3           22.1.1.2
    Flags:0x200009 time-left(secs):-1 id:0 state:0x0 grp_id:10
any 11.1.1.130         11.1.1.3           ---                ---
    Flags:0x1 time-left(secs):-1 id:0 state:0x0 grp_id:0
any 11.1.1.133         11.1.1.33          ---                ---
    Flags:0x1 time-left(secs):-1 id:0 state:0x0 grp_id:10
any 11.1.1.133         11.1.1.33          22.1.1.3           22.1.1.2
    Flags:0x200009 time-left(secs):-1 id:0 state:0x0 grp_id:0
tcp 10.1.1.100:64490   10.1.1.2:0         20.1.1.2:0         20.1.1.2:0
    Flags:0x82 time-left(secs):43192 id:31 state:0x3 grp_id:0 vrf: default
N3550T-1#