Defining Dynamic Translations
Dynamic translations use access list rules (to determine whether or not to apply NAT to incoming traffic) and NAT address pools (from which a NAT translation can allocate IP addresses). You use dynamic translation when you want the NAT router to initiate and manage address translation and session flows between address realms on demand.
To configure dynamic translations:
- Define any access list rules that the NAT router uses to decide which packets need translation.
- Define an address pool from which the NAT router obtains addresses.
- Define inside and outside source translation rules for the NAT router to create NAT translations.
- Mark interfaces as inside or outside.
- (Optional) Modify any translation timeout values.
Creating Access List Rules
Before creating a dynamic translation, you should create the access list rules that you plan to apply to the translation. For information about configuring access lists, see Chapter 1, Configuring Routing Policy.
The router evaluates multiple commands for the same access list in the order they were created. An undefined access list implicitly contains a rule to "permit any." A defined access list implicitly ends with a rule to "deny any."
 |
NOTE: The access lists do not filter any packets; they determine whether or not the packet requires translation. |
For reference, you can configure an access list using the access-list command.
access-list
- Use to define an IP access list to permit or deny translation based on the addresses in the packets.
- Each access list is a set of permit or deny conditions for routes that are candidates for translation (that is, moving from the inside network to the outside network).
- A zero in the wildcard mask means that the route must exactly match the corresponding bit in the address. A one in the wildcard mask means that the route does not have to match the corresponding bit in the address.
- Use the log keyword to log an Info event in the ipAccessList log whenever matching an access-list rule.
- Use the no version to delete the access list (by not specifying any other options), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).
Defining Address Pools
Before you can configure dynamic translation, you should create an address pool. An address pool is a group of IP addresses from which the NAT router obtains an address when dynamically creating a new translation. You can create address pools with either a single range or multiple, nonoverlapping ranges.
When creating a single range, you specify the starting and ending IP address for the range in the root ip nat pool command. However, when creating multiple, nonoverlapping ranges, you omit the optional starting and ending IP address in the root ip nat pool command; this launches the IP NAT Pool Configuration (config-ipnat-pool) mode.
The config-ipnat-pool mode uses an address command to specify a range of IP addresses. You can repeat this command to create multiple, nonoverlapping ranges.
When creating or editing address pools, keep the following in mind:
- Starting and ending IP addresses for the specified range are inclusive and must reside on the same subnet.
- Address ranges are verified against other ranges in the specified pool to exclude range overlaps. Additional verification occurs when the pool is associated with a translation rule and the router can determine whether the rule is inside or outside.
- You cannot change the network mask if configured ranges already exist.
- The network mask (or prefix-length) is used to recognize host addresses that end in either all zeros or all ones. These addresses are reserved as broadcast addresses and are not allocated from an address pool, even if they are included in an address pool range.
- You cannot remove an address pool if the pool is part of a translation rule or if any of the ranges within the pool are still in use. You must issue the clear ip nat translation command to clear any ranges before you can remove the pool to which they apply.
ip nat pool
host (config) #ip nat pool singlerange 171.69.40.1 171.69.40.100 prefix-length 30
host (config) #ip nat pool multiplerange prefix-length 30
host (config-ipnat-pool)#address 171.69.40.110 171.69.40.112
host (config-ipnat-pool)#address 171.69.40.118 171.69.40.120
host (config-ipnat-pool)#exit
address
- Use to specify a range of IP addresses in config-ipnat-pool mode; you can repeat the address command to create multiple ranges.
- Example
host (config-ipnat-pool)#address 171.69.40.110 171.69.40.115
Defining Dynamic Translation Rules
The CLI allows you to define dynamic translation rules for inside and outside sources.
 |
CAUTION: You must mark interfaces that participate in NAT translation as on the inside or the outside network. See Specifying Inside and Outside Interfaces for details. |
You can create a dynamic translation rule to configure inside source or outside source translation. If the NAT router cannot locate a matching entry in its translation database for a given packet, it evaluates the access list of all applicable dynamic translation rules (inside source translation rules for outbound packets and vice versa) against the packet. If an access list permits translation, the NAT router tries to allocate an address from the associated address pool to install a new translation.
When creating dynamic translation rules, keep the following in mind:
- You can associate a list with one pool at any given time. Associating a list with a different pool replaces the previous association.
- The optional overload keyword for inside source translations specifies that the router employ NAPT translation.
- You can configure dynamic NAPT for inside source translation only; you cannot configure dynamic NAPT for outside source translation.
- When no match occurs for any dynamic translation rule, the NAT router does not translate the packet.
- When an address pool is empty, the NAT router drops the packet.
- Access lists and pools do not have to exist when you are defining dynamic translation rules; you may create them after defining the dynamic translations.
Creating Dynamic Inside Source Translation Rules
Use the ip nat inside source list command to create a dynamic inside source translation rule. This command creates a translation rule that translates inside local source addresses to inside global addresses when packets from the inside network are routed to the outside network (and vice versa when a packet returns before a translation table entry times out). Use the overload keyword to specify that the translation create NAPT entries (protocol, port, and address) in the NAT table.
The no version of this command removes the dynamic translation rule, but does not remove any previously created translations (resulting from the rule evaluation) from the translation table. To remove active translations from the translation table, see Clearing Dynamic Translations.
ip nat inside source list
- Use to create dynamic translation rules that specify when to create a translation for a source address when routing a packet from the inside network to the outside network.
- Example
host (config) #ip nat inside source list translation1 pool pool1
Creating Dynamic Outside Source Translation Rules
Use the ip nat outside source list command to create a dynamic outside source translation rule. This command dynamically translates outside global source addresses to outside local addresses when packets are routed from the outside network to the inside network (and "untranslates" the destination address when a packet returns before a translation table entry times out).
The no version of this command removes the dynamic translation rule, but does not remove any previously created translations from the translation table. To remove active translations from the translation table, see Clearing Dynamic Translations.
ip nat outside source list
- Use to create dynamic translation rules that specify when to create a translation for a source address when routing a packet from the outside network to the inside network.
- Example
host (config) # ip nat outside source list translation1 pool pool1
Defining Translation Timeouts
Dynamic translations in the translation table age out if the router does not use them. Use the ip nat translation command to change or disable NAT translation timeouts.
You can set the aging time (in seconds) for any one of the specified timers:
- timeout—Dynamic simple translations (not for overloaded translations); default is 86400 seconds (24 hours).
- dns-timeout—DNS-created protocol translations; default is 120 seconds. These dynamic translations are installed by the DNS but not yet used; as soon as the translation is used, the router applies the timeout value mentioned above.
- udp-timeout—UDP protocol extended translations; default is 300 seconds (5 minutes).
- tcp-timeout—TCP protocol extended translations; default is 86400 seconds (24 hours).
- finrst-timeout—TCP connections terminated with reset (RST) or bidirectional finished (FIN) flags; default is 120 seconds. This timeout applies only to TCP extended translations. It ages out closed TCP translations, allowing for retransmissions.
- icmp-timeout—ICMP protocol extended translations; default is 300 seconds (5 minutes).
All timeouts for this command support a maximum value of 2147483 seconds (about 25 days).
The no version of this command resets the timer to its default value.
ip nat translation
- Use to change translation timeouts for existing and newly-created translations in the translation table.
- All timeouts for this command support a maximum value of 2147483 seconds (about 25 days).
- Example
host1 (config) # ip nat translation timeout 23200