Defining Dynamic Translations
Dynamic translations use access list rules to determine whether to apply NAT to incoming traffic, and NAT address pools from which a NAT translation can allocate IP addresses. You use dynamic translation when you want the NAT router to initiate and manage address translation and session flows between address realms on demand.
To configure dynamic translations:
- Define any access list rules that the NAT router uses
to decide which packets need translation.
- Define an address pool from which the NAT router obtains
addresses.
- Define inside and outside source translation rules for
the NAT router to create NAT translations.
- Mark interfaces as inside or outside.
- (Optional) Modify any translation timeout values.
Creating Access List Rules
Before you create a dynamic translation, create
the access list rules that you plan to apply to the translation. For
information about configuring access lists, see Configuring Routing Policy.
The router evaluates multiple commands for the
same access list in the order they were created. An undefined access
list implicitly contains a rule to permit any. A defined access list implicitly ends with a rule to deny any.
Note: The access lists do not filter any packets; they determine whether the packet requires translation.
You use the access-list command to create an access list.
access-list
- Use to define an IP access list to permit or deny translation
based on the addresses in the packets.
- Each access list is a set of permit or deny conditions
for routes that are candidates for translation (that is, moving from
the inside network to the outside network).
- A zero in the wildcard mask means that the route must
exactly match the corresponding bit in the address. A one in the wildcard
mask means that the route does not have to match the corresponding
bit in the address.
- Use the log keyword to log
an Info event in the ipAccessList log whenever matching an access
list rule.
- Example
- host1(config)#access-list bronze permit ip host any 228.0.0.0 0.0.0.255
- Use the no version to delete
the access list (by not specifying any other options), the specified
entry in the access list, or the log for the specified access list
or entry (by specifying the log keyword).
- See access-list.
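As an added illustration that is not part of the JunosE documentation, the following Python models how the NAT router applies these rules to a candidate packet: wildcard-mask matching, evaluation in creation order, permit-any for an undefined list, and the implicit deny-any at the end of a defined list. The list name "bronze" is taken from the example above; the rule entries and packet addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask means the packet bit must equal the rule bit;
    a 1 bit means the packet bit does not have to match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the rule actually compares
    return (a & care) == (b & care)

# Each entry: (action, src, src_wildcard, dst, dst_wildcard), in creation order.
# Constructed contents for illustration; only the list name comes from the page.
Rule = Tuple[str, str, str, str, str]
ACCESS_LISTS: Dict[str, List[Rule]] = {
    "bronze": [
        # one inside host is never translated (exact match, wildcard 0.0.0.0)
        ("deny",   "10.1.1.5", "0.0.0.0",   "0.0.0.0",   "255.255.255.255"),
        # the rest of 10.1.1.0/24 is translated when sending to 228.0.0.0/24
        ("permit", "10.1.1.0", "0.0.0.255", "228.0.0.0", "0.0.0.255"),
    ],
}

def needs_translation(list_name: Optional[str], src: str, dst: str) -> bool:
    """True when the named list permits translation of this packet.
    An undefined list implicitly permits any; a defined list is walked in
    creation order and implicitly ends with deny any."""
    rules = ACCESS_LISTS.get(list_name) if list_name else None
    if rules is None:
        return True
    for action, s, sw, d, dw in rules:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False          # fell off the end: implicit deny any
```

A deny result here only means the packet is forwarded untranslated; the list never drops traffic.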
Defining Address Pools
Before you can configure dynamic translation, create
an address pool. An address pool is a group of IP addresses from which
the NAT router obtains an address when dynamically creating a new
translation. You can create address pools with either a single range
or multiple, nonoverlapping ranges.
When you create a single range, you specify the
starting and ending IP addresses for the range in the root ip nat pool command. However, when you create multiple,
nonoverlapping ranges, you omit the optional starting and ending IP
addresses in the root ip nat pool command;
this launches the IP NAT Pool Configuration (config-ipnat-pool) mode.
The config-ipnat-pool mode uses an address command to specify a range of IP addresses.
You can repeat this command to create multiple, nonoverlapping ranges.
When you create or edit address pools, keep the
following in mind:
- Starting and ending IP addresses for the specified range
are inclusive and must reside on the same subnet.
- Address ranges are verified against other ranges in the
specified pool to exclude range overlaps. Additional verification
occurs when the pool is associated with a translation rule and the
router can determine whether the rule is inside or outside.
- You cannot change the network mask if configured ranges
already exist.
- The network mask (or prefix length) is used to recognize
host addresses that end in either all zeros or all ones. These addresses
are reserved as broadcast addresses and are not allocated from an
address pool, even if they are included in an address pool range.
- You cannot remove an address pool if the pool is part
of a translation rule or if any of the ranges within the pool are
still in use. You must issue the clear ip nat translation command to clear any
ranges before you can remove the pool to which they apply.
address
- Use to specify a range of IP addresses in config-ipnat-pool
mode; you can repeat the address command
to create multiple ranges.
- Example
- host (config-ipnat-pool)#address 171.69.40.110 171.69.40.115
- Use the no version to remove
the range for the current address pool.
- See address.
ip nat pool
- Use to create address pools.
- Example 1—Creating a single, continuous range
- host (config)#ip nat pool singlerange 171.69.40.1 171.69.40.100 prefix-length 30
- Example 2—Creating multiple, discontinuous ranges
- host (config)#ip nat pool multiplerange prefix-length 30
- host (config-ipnat-pool)#address 171.69.40.110 171.69.40.112
- host (config-ipnat-pool)#address 171.69.40.118 171.69.40.120
- host (config-ipnat-pool)#exit
- Use the no version to remove
the address range.
- See ip nat pool.
Defining Dynamic Translation Rules
You can use the CLI to define dynamic translation
rules for inside and outside sources.
You can create a dynamic translation rule to configure
inside source or outside source translation. If the NAT router cannot
locate a matching entry in its translation database for a given packet,
it evaluates the access list of all applicable dynamic translation
rules (inside source translation rules for outbound packets and outside
source translation rules for inbound packets) against the packet.
If an access list permits translation, the NAT router tries to allocate
an address from the associated address pool to install a new translation.
When you create dynamic translation rules, keep
the following in mind:
- You can associate a list with one pool at any given time.
Associating a list with a different pool replaces the previous association.
- The optional overload keyword for inside source translation
specifies that the router employ NAPT.
- You can configure dynamic NAPT for inside source translation
only; you cannot configure dynamic NAPT for outside source translation.
- When no match occurs for any dynamic translation rule,
the NAT router does not translate the packet.
- When an address pool is empty, the NAT router drops the
packet.
- Access lists and pools do not have to exist when you are
defining dynamic translation rules; you may create them after you
define the dynamic translations.
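The address-pool rules above (nonoverlapping ranges, all-zeros and all-ones host addresses never allocated, no removal while addresses are in use) and the pool-empty behaviour in this list, modelled in Python as an added example that is not JunosE code. The pool name, prefix length and ranges are those of Example 2 under ip nat pool; the class and function names are this example's own.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

class NatPool:
    """Address pool with nonoverlapping inclusive ranges (model of ip nat pool)."""

    def __init__(self, name: str, prefix_length: int) -> None:
        self.name = name
        self.prefix_length = prefix_length
        self.ranges: List[Tuple[int, int]] = []   # (start, end) as ints, inclusive
        self.in_use: Set[int] = set()             # addresses held by a translation

    def add_range(self, start: str, end: str) -> None:
        """Model the 'address' command: reject a range overlapping an existing one."""
        s, e = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if s > e:
            raise ValueError("start address must not exceed end address")
        for rs, re_ in self.ranges:
            if s <= re_ and e >= rs:
                raise ValueError(f"range {start}-{end} overlaps an existing range")
        self.ranges.append((s, e))

    def _is_reserved(self, addr: int) -> bool:
        """Host bits all zeros or all ones under the pool's prefix length."""
        host_mask = (1 << (32 - self.prefix_length)) - 1
        host = addr & host_mask
        return host == 0 or host == host_mask

    def allocate(self) -> Optional[str]:
        """Lowest free, non-reserved address; None when the pool is empty."""
        for rs, re_ in self.ranges:
            for addr in range(rs, re_ + 1):
                if addr not in self.in_use and not self._is_reserved(addr):
                    self.in_use.add(addr)
                    return str(ipaddress.IPv4Address(addr))
        return None   # empty pool: the router drops the packet

    def release(self, addr: str) -> None:
        """Model 'clear ip nat translation' freeing an address for reuse."""
        self.in_use.discard(int(ipaddress.IPv4Address(addr)))

    def can_remove(self) -> bool:
        """A pool cannot be removed while any of its addresses is still in use."""
        return not self.in_use

def build_multiplerange() -> NatPool:
    """The pool from Example 2 under ip nat pool (prefix-length 30, two ranges)."""
    pool = NatPool("multiplerange", prefix_length=30)
    pool.add_range("171.69.40.110", "171.69.40.112")
    pool.add_range("171.69.40.118", "171.69.40.120")
    return pool
```

With prefix-length 30, only .110 and .118 of the six configured addresses are ever handed out: .111 and .119 end in all ones, .112 and .120 in all zeros, so the third translation finds the pool empty.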
Creating Dynamic Inside Source Translation Rules
Use the ip nat inside source list command to create a dynamic inside source translation rule. This
command creates a translation rule that:
- Translates inside local source addresses to inside global addresses when packets from the inside network are routed to the outside network.
- Translates outside local source addresses to outside global
addresses when packets from the outside network are routed to the
inside network.
- Use the overload keyword to
specify that the translation create NAPT entries (protocol, port,
and address) in the NAT table.
The no version of this
command removes the dynamic translation rule, but does not remove
any previously created translations (resulting from the rule evaluation)
from the translation table. To remove active translations from the
translation table, see Clearing Dynamic Translations.
ip nat inside source list
- Use to create dynamic translation rules that specify when
to create a translation for a source address when routing a packet
from the inside network to the outside network.
- Example
- host (config)#ip nat inside source list translation1 pool pool1
- Use the overload keyword to
specify that the translation create extended entries (protocol, port,
and address) in the translation table for NAPT.
- Use the no version to remove
the dynamic translation rule; this command does not remove any dynamic
translations from the translation table.
- See ip nat inside source list.
Creating Dynamic Outside Source Translation Rules
Use the ip nat outside source list command to create a dynamic outside source translation rule. This
command dynamically translates outside global source addresses to
outside local addresses when packets are routed from the outside network
to the inside network (and untranslates the destination
address when a packet returns before a translation table entry times
out).
The no version of this
command removes the dynamic translation rule, but does not remove
any previously created translations from the translation table. To
remove active translations from the translation table, see Clearing Dynamic Translations.
ip nat outside source list
- Use to create dynamic translation rules that specify when
to create a translation for a source address when routing a packet
from the outside network to the inside network.
- Example
- host (config)#ip nat outside source list translation1 pool pool1
- Use the no version to remove
the dynamic translation rule; this command does not remove any dynamic
translations from the translation table.
- See ip nat outside source list.
Defining Translation Timeouts
The router removes unused dynamic translations
in the translation table. Use the ip nat translation command to change or disable NAT translation
timeouts.
You can set the aging time (in seconds, or never) for any of the specified timers:
- timeout—Dynamic simple translations (not for overloaded
translations); default is 86400 seconds (24 hours).
- dns-timeout—DNS-created protocol translations; default
is 120 seconds. These dynamic translations are installed by the DNS
but not yet used; as soon as the translation is used, the router applies
the timeout value mentioned above.
- udp-timeout—UDP protocol extended translations;
default is 300 seconds (5 minutes).
- tcp-timeout—TCP protocol extended translations;
default is 86400 seconds (24 hours).
- finrst-timeout—TCP connections terminated with reset
(RST) or bidirectional finished (FIN) flags; default is 120 seconds.
This timeout applies only to TCP extended translations. The timer
removes unused, closed TCP translations, which allows for retransmissions.
- icmp-timeout—ICMP protocol extended translations;
default is 300 seconds (5 minutes).
- gre-timeout—Aging time for GRE protocol translations; default value is 300 seconds (5 minutes).
All timeouts for this command support a maximum
value of 2147483 seconds (about 25 days).
The no version of this command resets the timer
to its default value.
ip nat translation
- Use to change translation timeouts for existing and newly
created translations in the translation table.
- All timeouts for this command support a maximum value
of 2147483 seconds (about 25 days).
- Example
- host1 (config)#ip nat translation timeout 23200
- Use the no version to reset
the timer to its default value.
- See ip nat translation.