Contents

• What is NAT?
• What are the main differences between Cisco IOS NAT and Cisco's PIX firewall implementation of NAT?
• On which Cisco routing platforms is Cisco IOS NAT available? How do I order it?
• How many concurrent NAT sessions are supported in Cisco IOS NAT?
• What kind of routing performance can I expect when I use Cisco IOS NAT?
• Can Cisco IOS NAT be applied to subinterfaces?
• Can Cisco IOS NAT be used with HSRP to provide redundant links to an ISP?
• Does Cisco IOS NAT support inbound translations on a serial trunk running Frame Relay? Does it support outbound translations on the Ethernet side?
• What is NAT "overloading"?
• When configuring for overloading, what is the maximum number of translations that can be made with one inside global IP address?
• What is the maximum number of configurable NAT IP pools?
• What is IP address "overlapping" as discussed within the context of NAT?
• Is it possible to build a configuration with both static and dynamic NAT translations?
• Can Cisco IOS support multiple "outside" NAT tables?
• Does NAT occur before or after policy routing?
• What happens when a host, by chance, initiates a connection on a port that is in use by another host?
• Why do I need to specify a subnet mask when configuring a NAT address pool?
• Can I allocate IP addresses from NAT router's outside interface subnet to a dynamic NAT pool?
• Why doesn't Cisco IOS NAT support SNMP traffic?
• Does Cisco IOS NAT support DNS queries?

Note: For additional information about NAT, also see the Cisco IOS Network Address Translation (NAT) technical tips page.

---

Q: What is NAT?

A: Network Address Translation (NAT) is designed for IP address simplification and conservation, as it enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded onto another network. As part of this functionality, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security, effectively hiding the entire internal network from the world behind that address. NAT has the dual functionality of security and address conservation, and is typically implemented in remote access environments.
 

Q: What are the main differences between Cisco IOS NAT and Cisco's PIX firewall implementation of NAT?

A: Cisco IOS-based NAT functionality is not fundamentally different from the NAT functionality in the PIX Firewall. The main differences involve the different traffic types supported in Cisco IOS NAT and the NAT implementation in the PIX. For detailed information on NAT functionality in the PIX, see the PIX documentation.
 

Q: On which Cisco routing platforms is Cisco IOS NAT available? How do I order it?

A: In Cisco IOS software releases 11.2 and 11.2P, full NAT functionality including Port Address Translation (PAT), which is a subset of full NAT functionality, is available only in "Plus" images.

In Cisco IOS software releases 11.3 and 11.3T, PAT is available in all base images on selected platforms. Customers requiring only PAT functionality need not purchase a "Plus" image. Only customers requiring full NAT functionality need to purchase a "Plus" image.

Beginning with Cisco IOS software release 12.0, complete Cisco IOS NAT functionality, including PAT, is available in all software images for platforms that support Cisco IOS NAT at no extra charge. Although all "Plus" images will continue to deliver full NAT functionality, customers are not required to purchase "Plus" images in order to obtain full NAT functionality. Also, beginning with Cisco IOS release 12.0, customers need not purchase a NAT Feature License for the Cisco RSP7000, 7200, and 7500 platforms in order to use NAT functionality.

Beginning with Cisco IOS software releases 11.2(13)P, 11.3(3)T,  12.0(1), and 12.0(1)T, full NAT functionality is included in all 1600 and 2500 Cisco IOS Firewall images.

NAT support for H.323 traffic will be available on selected router platforms only in Enterprise images beginning with Cisco IOS software releases 12.0 and 12.0T.

Memory requirements may vary by platform and feature set.

Refer to the following table for Cisco IOS NAT Packaging details:
 

Cisco IOS software release	NAT Support in Base images	NAT Support in "Plus" images	Easy IP Support	Cisco Hardware Platforms Supported
11.2	None 1	Full NAT 3	None 1	1000, 2500, 4000, 4500, 4700, AS5200, 7200, RSP7000, 7500
11.2P	None 1	Full NAT 3	None 1	1000, 1600, 2500, 3620, 3640, 4000, 4500, 4700, AS5200, AS5300, Catalyst 5000 RSM, 7200, RSP7000, 7500
11.3	PAT only 2	Full NAT 3	Easy IP Phase 1 4	1000, 1600, 2500, 3620, 3640, 4000, 4500, 4700, AS5200, 7200, RSP7000, 7500
11.3T	PAT only 2	Full NAT 3	Easy IP Phase 1 4	1000, 1600, 2500, 2600, 3620, 3640, 4000, 4500, 4700, AS5200, AS5300, Catalyst 5000 RSM, 7200, RSP7000, 7500
12.0	Full NAT 3	Full NAT 3	Easy IP Phase 1 4	1600, 2500, 2600, 3620, 3640, 4000, 4500, 4700, AS5200, AS5300, Catalyst 5000 RSM, 7200, RSP7000, 7500
12.0T	Full NAT 3	Full NAT 3	Easy IP Phase 2 5	1600, 2500, 2600, 3620, 3640, 4000, 4500, 4700, AS5200, AS5300, Catalyst 5000 RSM, 7200, RSP7000, 7500

1. None

NAT/Easy IP is not supported in these Cisco IOS software images for this release.

2. PAT Only

Only PAT (Port Address Translations : "many-to-one" translations), a subset of full NAT functionality, is supported. Static and dynamic one-to-one translations are not supported in these Cisco IOS software images for this release.

3. Full NAT

Full NAT functionality, including static, dynamic one-to-one translations, and PAT, is supported in these Cisco IOS software images for this release.

4. Easy IP Phase 1

Includes PAT Only or Full NAT and PPP/IPCP WAN interface address negotiation functionality.

5. Easy IP Phase 2

Includes PAT Only or Full NAT, PPP/IPCP WAN interface address negotiation functionality, and Cisco IOS DHCP Server functionality.

Notes:

• 12.0/12.0T NAT Packaging on Cisco 1000 Series Platforms: Full NAT functionality is provided only in Cisco 1000 Plus images in Cisco IOS releases 12.0 and 12.0T. PAT-only functionality is available in all base images for Cisco 1000 series platforms. Customers must purchase a "Plus" image in order to obtain full NAT functionality for Cisco 1000 series when using Cisco IOS releases 12.0 or 12.0T.
• Cisco IOS NAT is not available on the Cisco 7000 or 7010 platforms.
   

Q: How many concurrent NAT sessions are supported in Cisco IOS NAT?

A: The NAT session limit is bounded by the amount of available DRAM in the router. Each NAT translation consumes about 160 bytes in DRAM. As a result, 10,000 translations (more than would generally be handled on a single router) would consume about 1.6MB. Therefore, a typical routing platform has more than enough memory to support thousands of NAT translations.
 

Q: What kind of routing performance can I expect when I use Cisco IOS NAT?

A: Cisco IOS NAT is fast-switched on all supported platforms. A low number of NAT translations will affect performance less than a high number of translations.

For most applications, degradation of performance due to NAT should be negligible.

Below are some NAT routing performance figures as determined in the lab in full-duplex mode, with 50 simultaneous active NAT translations, and with 10-second keepalives enabled on all interfaces:

 

Routing Platform	Packet Size (bytes)	Data Throughput (Mbps)
Cisco 7500 Series*	64	24
	200	50
	1000	89
	1500	96
Cisco 4700 Series**	64	10
	200	10
	1000	10
	1500	10.5
Cisco 4500 Series**	64	7.5
	200	7.5
	1000	7.5
	1500	8

* In this test on the 7500, both the "inside" and "outside" interfaces were Fast Ethernet.
** In these tests on both the 4500 and 4700, both the "inside" and "outside" interfaces were Ethernet

Based on these figures, we find that NAT performance on the 4500 series is such that, with NAT enabled, one can fill 2 Ethernets with any packet size, resulting in a throughput of at least 30,000 pps.

Q: Can Cisco IOS NAT be applied to subinterfaces?

A: Yes. Source and/or destination NAT translations can be applied to any interface or subinterface having an IP address (including dialer interfaces).
 

Q: Can Cisco IOS NAT be used with HSRP to provide redundant links to an ISP?

A: No. In this scenario, the standby router wouldn't have the translation table of the active router, so when the cutover happens, connections time out and fail.
 

Q: Does Cisco IOS NAT support inbound translations on a serial trunk running Frame Relay? Does it support outbound translations on the Ethernet side?

A: Yes to both questions.
 

Q: Can a single NAT-enabled router allow some users to utilize NAT and allow other users on the same Ethernet interface to continue with their own IP addresses?

A: Yes. This can be accomplished through the use of an access list describing the set of hosts or networks that require NAT translation. All sessions on the same host either will be translated or will pass through the router untranslated.
 

Q: What is Port Address Translation (PAT), or "NAT overloading"?

A: Also called Port Address Translation (PAT) or port-level multiplexed NAT, NAT "overload" is used to translate all "internal" (local) private addresses to a single "outside" (global - usually registered) IP address. Unique port numbers on each translation are used to distinguish between the conversations.
  With NAT overload, a translation entry containing full address and port information is created. A port translation may be created if another translation is using that port number with that outside/global address. This is necessary in order to eliminate any ambiguity about which translation needs to be applied to each packet traversing the router.
 

Q: When configuring for overloading, what is the maximum number of translations that can be made with one inside global IP address?

A: Theoretically, because the port number is encoded in 16 bits, you have 65,536 possible values. In practice, we try to preserve BSD semantics, and allocate port numbers in the same range as the original (1-511, 512-1023, and 1024-65535). BSD-based TCP/IP stacks allocate ephemeral port numbers from the third range; Solaris allocates from the third and fourth ranges. So, at a minimum you should have about 4000 local addresses that can be mapped to the same global address.
 

Q: What is the maximum number of configurable NAT IP pools (ip nat pool "name")?

A: There is no actual limit. In practical use, however, the maximum number of configurable IP pools is limited by the amount of available DRAM in the particular router being used.
 

Q: What is IP address "overlapping" as discussed within the context of NAT?

A: IP address overlapping refers to the situation where a site's IP address space is already being used by someone else on the Internet. Without special support, the illegally-addressed site will not be able to access the real owners of that address space. The 11.2 Update training slides and the 11.2 NAT documentation (in the 11.2 router configuration guide) give a detailed description of what happens, but it involves intercepting DNS name-query responses from the outside to the inside, setting up a translation for the OUTSIDE address, and fixing up the DNS response before forwarding it onto the inside host.
 

Q: Is it possible to build a configuration with both static and dynamic NAT translations?

A: Yes, this is possible, with the caveat that the global addresses used in static translations are not automatically excluded with dynamic pools containing those global addresses. Currently, one must keep the static addresses out of dynamic pools manually
 

Q: Can IOS support multiple "outside" NAT tables? The command for defining the "outside" NAT pool seems to allow for multiple pools by way of the name variable, but there does not appear to be a way to associate an interface with a particular "outside" address pool.

A: Yes, one can do this through the use of route-maps. The dynamic translation command can now specify a route-map to be processed instead of an access-list. A route-map allows the user to match any combination of access-list, next-hop IP address, and output interface to determine which pool to use.
 

Q: Does NAT occur before or after policy routing?

A: Routing occurs on the local addresses, which means that an outside-to-inside translation occurs before routing and inside-to-outside translation occurs after routing.
 

Q: Within the context of NAT "overloading," what happens when a host, by chance, initiates a connection on a port that is in use by another host?

A: If this happens, the local port will be translated as well as the source address.
 

Q: Why do I need to specify a subnet mask when configuring a NAT address pool?

A: The subnet mask is used to sanity-check the addresses allocated from the pool (so we don't allocate the subnet broadcast address, for example). The subnet mask must match the size of the subnet into which you are translating.
 

Q: Can I allocate IP addresses from NAT router's outside interface subnet to a dynamic NAT pool?

A: Yes. The NAT router will answer ARP requests for these IP addresses in the dynamic pool.
 

Q: Will a NAT router properly handle ICMP Redirects?

A: Yes.
 

Q: Why doesn't Cisco IOS NAT support SNMP traffic?

A: The SNMP packet format depends on the particular MIB being used and is not self-describing. There is no single format for SNMP requests and responses that can be processed in a general fashion.
 

Q: Does Cisco IOS NAT support DNS queries?

A: Yes, Cisco IOS NAT will translate the address(es) which appear in DNS responses to name lookups (A queries) and inverse lookups (PTR queries). Thus, if an outside host sends a name-lookup to a DNS server on the inside, and that server responds with a local address, the NAT code will translate that local address to a global address. The opposite is also true, and is how we support IP addresses overlapping: an inside host queries an outside DNS server, the response contains an address that matches the access-list specified on the "outside source" command, so the code translates the outside global address to an outside local address.

Time-to-live (TTL) values on all DNS resource records (RRs) which receive address translations in RR payloads are automatically set to zero.

Cisco IOS NAT does not translate IP addresses embedded in DNS zone transfers.

Go to the Cisco IOS Network Address Translation (NAT) technical tips page.