Network Address Translation (NAT) is a method by which IP addresses are mapped from one address domain or realm to another, in an attempt to provide transparent routing to hosts. Traditionally, NAT devices are used to connect an isolated address realm with private unregistered addresses to an external realm with globally unique registered addresses.
In basic source NAT, the NAT router translates and replaces the IP address in the packet IP header.
In Example Network for NAT and NAPT, there are two address domains. The address domain 10.1.1.0/24 on the NAT router is an internal IP domain, and the address domain 20.1.1.0/24 is an external (public) domain. The NAT router has a pool of valid global IP addresses, one for each internal host that it expects to initiate sessions with external servers. The NAT router maintains a NAT table to map the internal IP address to the global IP address and vice versa. The administrator must configure the mapping of each internal host address to the external host IP address. For example, the administrator can configure internal IP addresses 10.1.1.1 and 10.1.1.2 to map to external IP address as 20.1.1.100 and 20.1.1.101, respectively. When hosts 10.1.1.1 and 10.1.1.2 want to communicate with an Internet host whose IP address is 30.1.1.1, the translations as shown in Address Translations During Basic NAT occur.
In the outbound direction, the NAT router performs SNAT (source NAT), and replaces the source IP address (SIP) of the packet. In the inbound direction, the NAT router performs DNAT (destination NAT), and replaces the destination IP address (DIP) of the packet. If the number of registered public IP addresses available to the NAT router is equal to or greater than the number of internal hosts, this mode of translation can be used. If the number of public IP addresses is less than the number of internal hosts, NAPT is used.
Do not use the primary IP address of the “out” VLAN for translation. The NAT router cannot differentiate if the traffic has to be translated and routed, or if it is destined to the NAT router and has to be processed.
Add the translation IP as a secondary address to the “out” VLAN. This secondary IP should never be used by any other protocols like BGP or OSPF. The translated IP address for each rule has to be unique for source NAT.
The translated IP can be configured as a secondary IP address or any IP address that is not "owned" by the NAT router. If the IP address is not "owned," then a proxy ARP entry should be added for this IP address so that the NAT router responds to the ARP requests.
Each VLAN can have 254 secondary IP addresses. If secondary IP addresses are used for translation, the number of source NAT rules is limited to 254 times the number of egress NAT VLANs.
Source Network Address Port Translation (NAPT) translates the transport identifier (for example, TCP and UDP port numbers or ICMP query identifiers) in addition to the IP addresses. This translation mechanism allows multiple hosts in the private network to share a single external address.
In the example shown in Example Network for NAT and NAPT, there are two address domains. The address domain 10.1.1.0/24 on the NAT router is an internal IP domain and the address domain 20.1.1.0/24 is an external (public) domain. The NAT router has only one valid Internet IP address for all the internal hosts to share. The NAT router maintains a NAT table that maps {Internal IP, IP protocol, L4 port} tuple to the the {global IP, IP protocol, modified L4 port} tuple, and vice versa.
The administrator has to configure a base NAPT rule giving the range of input IP addresses to be translated and the external IP to which these have to be translated. For each of the new flows that do not have a NAT rule setup in the hardware, a “NAT miss” is generated and the packets are lifted to the CPU. The application picks up an unused port number and programs the hardware with a dynamic NAT rule. After this, NAT translations happen in hardware.
NAPT Example depicts the translations that happen with NAPT for two hosts with IP addresses of 10.1.1.1 and 10.1.1.2. Host A is sending TCP packets destined to TCP port 1000 on Host X (30.1.1.1). Host B is sending UDP packets destined to UDP port 2000 on Host X (30.1.1.1).
In the outbound direction, the NAT router performs SNAT (source NAT), and replaces the source IP address (SIP) and source port (sport) of the packet. In the inbound direction, the NAT router performs DNAT (destination NAT) and replaces the destination IP address (DIP) and the destination port (dport) of the packet. Note that the source IP address of the outgoing packet for the streams from both hosts remains the same here. NAPT works only for traffic with a suitable Transport Layer identifier: specifically, TCP, UDP, and ICMP traffic. NAPT does not work with fragmented IP packets and are dropped when NAT is enabled. This is because the fragmented IP packet does not contain a valid TCP/UDP header unless it is the first fragment.
Software aging is performed for dynamically created entries. The entries that are not refreshed for the configured age interval are deleted. The default value of the age interval is 20 minutes.
Destination Network Address Port Translation (also known as Port forwarding) allows remote computers to initiate connections to specific servers within the private network. The private IP addresses of the servers within the private network cannot be used by the remote computers to directly access them. To access the internal servers, the remote computers typically connect to the NAT router on a configured port number. The NAT router modifies the destination IP address and the port number in the inward direction before sending it to the internal server. In the outward direction, it changes the source IP address and port number before sending it back to the remote computer.
In Example Network for NAT and NAPT, if Host X (30.1.1.1) wants to access the HTTP service on Host B (10.1.1.2), it has to send the traffic through the NAT router. A port is configured on the NAT router to redirect the traffic towards the internal host. Remote Host X has to use the IP address of NAT router along with this configured port number.
If the translation port is configured as 8080, the translations that happen in the packet are shown in Destination Network Address Port Translation (NAPT).
To enable or disable NAT globally, use the following commands:
enable ip nat
disable ip nat
To configure NAT VLANs, use the following commands:
configure ip nat add {vlan} vlan_name direction [ingress | egress | both]
configure ip nat delete {vlan} vlan_name
To clear NAT VLAN counters, use the following command:
clear ip nat counters vlan {vlan_name}
To create or delete NAT rules, use the following commands:
create ip nat rule rule_name type [ source-nat | napt | destination-napt]
delete ip nat rule rule_name
To configure NAT rules, use the following commands:
configure ip nat rule rule_name destination [[dst_ip_addr new-destination new_dst_ip_addr {{vr} vr_name}] | none]
configure ip nat rule rule_name destination protocol [[[tcp | udp | protocol_num] port port_num new-port new_port_num] | none]
configure ip nat rule rule_name egress {vlan} vlan_name
Note
All modes of NAT including destination NAPT should have the public VLAN configured as egress VLAN.configure ip nat rule rule_name monitor [on | off]
configure ip nat rule rule_name name new_rule_name
configure ip nat rule rule_name source [[[src_ip_addr src_mask | src_ipNetmask ] {{source-vr} src_vr_name} new-source new_src_ip_addr] | none]
To enable or disable NAT rules, use the following commands:
enable ip nat rule rule_name
Note
The rule is programmed in hardware only when global NAT and the NAT rule are enabled.Note
The rule configuration can be changed only when the rule is not enabled.disable ip nat rule rule_name
To configure NAT entry aging, use the following command:
configure ip nat aging-time [minutes | none]
To display NAT information, use the following commands:
show ip nat vlan counters {vlan_name}
show ip nat vlan {vlan_name}
show ip nat
show ip nat rule {rule_name} statistics {no-refresh}
show ip nat rule {detail}
Note
NAT can be configured on 4 VLANs.Note
1023 NAT rules are supported.Source NAT Rule
# create ip nat rule ipOnlyRule type source-nat # configure ip nat rule ipOnlyRule source 10.20.30.40/32 source-vr VR-user-in new-source 121.144.169.196 # configure ip nat rule ipOnlyRule egress vlan internetVlan
To remove the IP address configuration, you can use the following command:
# configure ip nat rule ipOnlyRule source none
Network Address Port Translation (NAPT) Rule
The following configures a base Network Address Port Translation (NAPT) rule where flows from the 10.0.0.0/8 subnet have the source IP address translated to 121.144.169.196. The L4 port number is generated internally to identify the flow:
# create ip nat rule naptRule type napt # configure ip nat rule naptRule egress vlan internetVlan # configure ip nat rule naptRule source 10.0.0.0/8 source-vr VR-user-in new-source 121.144.169.196
If there are flows from two hosts with IP addresses, for example, 10.1.1.214 and 10.6.9.12, two dynamic rules with names that start with SYS_NAT_RULE_XXX are created and programmed in the hardware.
If an internal server with an IP address of 10.1.1.1 listening on UDP port 80 has to be provided external access, external users can access this using an IP address of 70.1.1.254 and UDP port 8080:
Destination Network Address Port Translation Rule
# create ip nat rule DestNAPT type destination-napt # configure ip nat rule DestNAPT egress vlan outVLAN # configure ip nat rule DestNAPT destination 70.1.1.254 new-destination 10.1.1.1 vr vr-default # configure ip nat rule DestNAPT destination protocol udp port 8080 new-port 80
NAT is not supported for the following: VXLAN tenant VLANs, MPLS service VLANs, MAC based VLANs, Netlogin VLANs, VPEX switches.
NAT is not supported with MLAG.