Frequently Asked Questions about NAT v2.1
Last Updated 10/17/97
---------------------------------------------------------------------------
Contents

* What is NAT?
* What are the main differences between Cisco IOS NAT and Cisco's PIX firewall implementation of NAT?
* On which Cisco routing platforms is Cisco IOS NAT available?
* How is Cisco IOS NAT packaged? How do I order it?
* How many concurrent NAT sessions are supported in Cisco IOS release 11.2?
* What kind of routing performance can I expect when I use Cisco IOS NAT?
* Can Cisco IOS NAT be applied to subinterfaces?
* Can Cisco IOS NAT be used with HSRP to provide redundant links to an ISP?
* Does Cisco IOS NAT support inbound translations on a serial trunk running Frame Relay? Does it support outbound translations on the Ethernet side?
* What is NAT "overloading"?
* When configuring for overloading, what is the maximum number of translations that can be made with one inside global IP address?
* What is the maximum number of configurable NAT IP pools?
* What is IP address "overlapping" as discussed within the context of NAT?
* Is it possible to build a configuration with both static and dynamic NAT translations?
* Can IOS support multiple "outside" NAT tables?
* Does NAT occur before or after policy routing?
* What happens when a host, by chance, initiates a connection on a port that is in use by another host?
* Why do I need to specify a subnet mask when configuring a NAT address pool?
* Can I allocate IP addresses from NAT router's outside interface subnet to a dynamic NAT pool?
* Why doesn't Cisco IOS NAT support SNMP traffic?
* Does Cisco IOS NAT support DNS queries?

Note: For additional information about NAT, also see this Cisco IOS Network Address Translation (NAT) technical tip.
---------------------------------------------------------------------------
Q: What is NAT?
A: Network Address Translation (NAT) is designed for IP address simplification and conservation, as it enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded onto another network. As part of this functionality, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security, effectively hiding the entire internal network from the world behind that address. NAT has the dual functionality of security and address conservation, and is typically implemented in remote access environments.

Q: What are the main differences between Cisco IOS NAT and Cisco's PIX firewall implementation of NAT?
A: Cisco IOS-based NAT functionality is not fundamentally different from the NAT functionality in the PIX Firewall. The main differences involve the different traffic types supported in Cisco IOS NAT and the NAT implementation in the PIX. For detailed information on NAT functionality in the PIX, including the traffic types supported, please see: www.cisco.com/pix/.

Q: On which Cisco routing platforms is Cisco IOS NAT available?
A: Cisco IOS NAT in release 11.2 is available on the following Cisco platforms:
o Cisco 1000 Series
o Cisco 2500 Series
o Cisco 4000 Series
o Cisco 5200
o Cisco RSP1/RSP2/RSP7000
o Cisco 7200
o Cisco 7500
Cisco IOS NAT is not available on the Cisco 7000 or 7010 platforms. NAT support on the Cisco 1600 and Cisco 3600 series is available beginning with the 11.2(5)P Cisco IOS software release train.

Q: How is Cisco IOS NAT packaged? How do I order it?
A: NAT packaging will depend on the hardware platform.
o For the 2500, 4000, 4500, and 4700, NAT will be included in a "Plus" package that can be added to any of the four basic feature sets: IP, IP/IPX/AT/DEC, Enterprise, or Enterprise/APPN.
o For the 7200 and 7500 (or RSP7000), although NAT is included in the four basic feature sets (IP, Desktop, Enterprise, and Enterprise/APPN), a NAT Feature License is required.
Memory requirements may vary by platform and feature set. See the Cisco Products Pricing Agent for Cisco IOS NAT pricing information.

Q: How many concurrent NAT sessions are supported in Cisco IOS release 11.2?
A: The NAT session limit is bounded by the amount of available DRAM in the router. Each NAT translation consumes about 160 bytes in DRAM. As a result, 10,000 translations (more than would generally be handled on a single router) would consume about 1.6MB. Therefore, a typical routing platform has more than enough memory to support thousands of NAT translations.

Q: What kind of routing performance can I expect when I use Cisco IOS NAT?
A: Cisco IOS NAT is fast-switched on all supported platforms. A low number of NAT translations will affect performance less than a high number of translations. For most applications, degradation of performance due to NAT should be negligible. Below are some NAT routing performance figures as determined in the lab in full-duplex mode, with 50 simultaneous active NAT translations, and with 10-second keepalives enabled on all interfaces:

  Routing Platform      Packet Size (bytes)   Data Throughput (Mbps)
  Cisco 7500 Series*             64                    24
                                200                    50
                               1000                    89
                               1500                    96
  Cisco 4700 Series**            64                    10
                                200                    10
                               1000                    10
                               1500                    10.5
  Cisco 4500 Series**            64                    7.5
                                200                    7.5
                               1000                    7.5
                               1500                    8

* In this test on the 7500, both the "inside" and "outside" interfaces were Fast Ethernet.
** In these tests on both the 4500 and 4700, both the "inside" and "outside" interfaces were Ethernet.

Based on these figures, we find that NAT performance on the 4500 series is such that, with NAT enabled, one can fill 2 Ethernets with any packet size, resulting in a throughput of at least 30,000 pps.

Q: Can Cisco IOS NAT be applied to subinterfaces?
A: Yes. Source and/or destination NAT translations can be applied to any interface or subinterface having an IP address (including dialer interfaces).

Q: Can Cisco IOS NAT be used with HSRP to provide redundant links to an ISP?
A: No. In this scenario, the standby router wouldn't have the translation table of the active router, so when the cutover happens, connections time out and fail.

Q: Does Cisco IOS NAT support inbound translations on a serial trunk running Frame Relay? Does it support outbound translations on the Ethernet side?
A: Yes to both questions.

Q: Can a single NAT-enabled router allow some users to utilize NAT and allow other users on the same Ethernet interface to continue with their own IP addresses?
A: Yes. This can be accomplished through the use of an access list describing the set of hosts or networks that require NAT translation. All sessions on the same host either will be translated or will pass through the router untranslated.

Q: What is NAT "overloading"?
A: Also called Port Address Translation (PAT) or port-level multiplexed NAT, NAT "overload" is used to translate all "internal" (local) private addresses to a single "outside" (global - usually registered) IP address. Unique port numbers on each translation are used to distinguish between the conversations. With NAT overload, a translation entry containing full address and port information is created. A port translation may be created if another translation is using that port number with that outside/global address.
This is necessary in order to eliminate any ambiguity about which translation needs to be applied to each packet traversing the router.

Q: When configuring for overloading, what is the maximum number of translations that can be made with one inside global IP address?
A: Theoretically, because the port number is encoded in 16 bits, you have 65,536 possible values. In practice, we try to preserve BSD semantics, and allocate port numbers in the same range as the original (1–511, 512–1023, 1024–4999, 5000–65535). BSD-based TCP/IP stacks allocate ephemeral port numbers from the third range; Solaris allocates from the third and fourth ranges. So, at a minimum you should have about 4000 local addresses that can be mapped to the same global address.

Q: What is the maximum number of configurable NAT IP pools (ip nat pool "name")?
A: There is no actual limit. In practical use, however, the maximum number of configurable IP pools is limited by the amount of available DRAM in the particular router being used.

Q: What is IP address "overlapping" as discussed within the context of NAT?
A: IP address overlapping refers to the situation where a site's IP address space is already being used by someone else on the Internet. Without special support, the illegally-addressed site will not be able to access the real owners of that address space. The 11.2 Update training slides and the 11.2 NAT documentation (in the 11.2 router configuration guide) give a detailed description of what happens, but it involves intercepting DNS name-query responses from the outside to the inside, setting up a translation for the OUTSIDE address, and fixing up the DNS response before forwarding it onto the inside host.

Q: Is it possible to build a configuration with both static and dynamic NAT translations?
A: Yes, this is possible, with the caveat that the global addresses used in static translations are not automatically excluded from dynamic pools containing those global addresses.
Currently, one must keep the static addresses out of dynamic pools manually.

Q: Can IOS support multiple "outside" NAT tables? The command for defining the "outside" NAT pool seems to allow for multiple pools by way of the name variable, but there does not appear to be a way to associate an interface with a particular "outside" address pool.
A: Yes, one can do this through the use of route-maps. The dynamic translation command can now specify a route-map to be processed instead of an access-list. A route-map allows the user to match any combination of access-list, next-hop IP address, and output interface to determine which pool to use.

Q: Does NAT occur before or after policy routing?
A: Routing occurs on the local addresses, which means that an outside-to-inside translation occurs before routing and inside-to-outside translation occurs after routing.

Q: Within the context of NAT "overloading," what happens when a host, by chance, initiates a connection on a port that is in use by another host?
A: If this happens, the local port will be translated as well as the source address.

Q: Why do I need to specify a subnet mask when configuring a NAT address pool?
A: The subnet mask is used to sanity-check the addresses allocated from the pool (so we don't allocate the subnet broadcast address, for example). The subnet mask must match the size of the subnet into which you are translating.

Q: Can I allocate IP addresses from the NAT router's outside interface subnet to a dynamic NAT pool?
A: Yes. The NAT router will answer ARP requests for these IP addresses in the dynamic pool.

Q: Will a NAT router properly handle ICMP Redirects?
A: Yes.

Q: Why doesn't Cisco IOS NAT support SNMP traffic?
A: The SNMP packet format depends on the particular MIB being used and is not self-describing. There is no single format for SNMP requests and responses that can be processed in a general fashion.

Q: Does Cisco IOS NAT support DNS queries?
A: Yes, Cisco IOS NAT will translate the address(es) which appear in DNS responses to name lookups (A queries) and inverse lookups (PTR queries). Thus, if an outside host sends a name-lookup to a DNS server on the inside, and that server responds with a local address, the NAT code will translate that local address to a global address. The opposite is also true, and is how we support IP address overlapping: an inside host queries an outside DNS server, the response contains an address that matches the access-list specified on the "outside source" command, so the code translates the outside global address to an outside local address. Time-to-live (TTL) values on all DNS resource records (RRs) which receive address translations in RR payloads are automatically set to zero. Cisco IOS NAT does not translate IP addresses embedded in DNS zone transfers.
---------------------------------------------------------------------------
Posted: Fri Oct 17 11:51:35 PDT 1997
Copyright 1996 © Cisco Systems Inc. All rights reserved.
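The overloading behaviour described in the three "overload" questions of this FAQ (one inside global address shared by all inside hosts, a unique port per conversation, new ports taken from the same BSD-style range as the original, and the local port rewritten only when another host already holds it) can be modelled as a small translation table. This is an added example written for this FAQ, not Cisco IOS code; the PatTable class, its method names and the 10.1.1.x / 203.0.113.5 addresses are constructed for illustration.

```python
from itertools import chain

# Port ranges the FAQ says IOS NAT preserves when allocating a new global
# port (BSD semantics): the translated port stays in the original's range.
BSD_RANGES = ((1, 511), (512, 1023), (1024, 4999), (5000, 65535))


def port_range(port):
    """Return the (low, high) BSD range that contains port."""
    for lo, hi in BSD_RANGES:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port {port} is outside 1-65535")


class PatTable:
    """Hypothetical model of an overloaded NAT table: every inside-local host
    shares one inside-global address and each (proto, local addr, local port)
    conversation is told apart by its own global port."""

    def __init__(self, inside_global):
        self.inside_global = inside_global
        self.by_local = {}   # (proto, local_addr, local_port) -> global_port
        self.by_global = {}  # (proto, global_port) -> (local_addr, local_port)

    def translate(self, local_addr, local_port, proto="tcp"):
        """Inside-to-outside: return (inside_global, global_port) for a flow."""
        key = (proto, local_addr, local_port)
        if key in self.by_local:              # existing conversation
            return self.inside_global, self.by_local[key]
        lo, hi = port_range(local_port)
        # Keep the original port if it is free; if another host already holds
        # it, the port is translated too, using the first free port in range.
        candidates = chain((local_port,),
                           (p for p in range(lo, hi + 1) if p != local_port))
        for gport in candidates:
            if (proto, gport) not in self.by_global:
                self.by_global[(proto, gport)] = (local_addr, local_port)
                self.by_local[key] = gport
                return self.inside_global, gport
        raise RuntimeError(f"no free {proto} port in range {lo}-{hi}")

    def untranslate(self, global_port, proto="tcp"):
        """Outside-to-inside: look up the local (addr, port) for a reply."""
        return self.by_global.get((proto, global_port))


if __name__ == "__main__":
    table = PatTable("203.0.113.5")  # constructed inside-global address
    for host in ("10.1.1.1", "10.1.1.2", "10.1.1.3"):
        print(host, 1025, "->", table.translate(host, 1025))
```

Three hosts all opening source port 1025 keep, respectively, port 1025 and then get 1024 and 1026, the first free ports of the same 1024-4999 range; TCP and UDP conversations are tracked separately.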