Common commands for IP nat

Source: Internet
Author: User
Tags: cisco, commands

Common IP NAT commands and their syntax, with parameters, defaults, command mode, notes and examples.

ip nat {inside | outside}

Syntax:
    ip nat {inside | outside}
    no ip nat {inside | outside}

This command sets the intranet (inside) and Internet (outside) interfaces of NAT. Use the no option to stop the interface from applying NAT.

Parameters:
    inside: the interface connects to the internal network.
    outside: the interface connects to the external network.

Default value: NAT is not applied on the interface.
Command mode: interface configuration mode.

Note: NAT translation is performed only when packets are routed between an outside interface and an inside interface and match the configured rules. Therefore you must configure at least one outside interface and one inside interface on the NAT router; you can also configure several interfaces of each kind.

Example:
    Ruijie(config)# interface f0/0
    Ruijie(config-if)# ip address 192.168.10.1 255.255.255.0
    Ruijie(config-if)# ip nat inside
    Ruijie(config-if)# no shutdown
    Ruijie(config-if)# interface f0/1
    Ruijie(config-if)# ip address 200.19.12.17 255.255.255.0
    Ruijie(config-if)# ip nat outside
    Ruijie(config-if)# no shutdown

In this example FastEthernet 0/0 connects to the intranet and is defined as the inside interface; FastEthernet 0/1 connects to the Internet and is defined as the outside interface.

Related commands:
    show ip nat statistics: view NAT statistics and rules, including the inside and outside interfaces.

ip nat inside destination

Syntax:
    ip nat inside destination list access-list-number pool pool-name
    no ip nat inside destination list access-list-number pool pool-name

Enables NAT translation of internal destination addresses. Use the no option to disable it.

Parameters:
    access-list-number: number of the access control list that defines the rules for the destination address.
    pool-name: name of the IP address pool that defines the internal local addresses used for the translation.

Default value: internal destination address translation is not enabled.
Command mode: global configuration mode.

Note: destination address translation can be used to achieve TCP load balancing. A virtual host receives users' TCP requests instead of the actual hosts, and NAT maps these requests to each actual host in turn. When configuring TCP load balancing, the access control list defines the address of the virtual host and the address pool defines the addresses of the actual hosts.

Example:
    Ruijie(config)# ip nat pool np 192.168.1.1 192.168.1.3 netmask 255.255.255.0 type rotary
    Ruijie(config)# access-list 1 permit 60.8.1.1 0.0.0.0
    Ruijie(config)# ip nat inside destination list 1 pool np

This example defines TCP load balancing: the virtual host address is 60.8.1.1, defined by access-list 1, and the actual host addresses are 192.168.1.1 ~ 192.168.1.3, defined by the address pool np.

Related commands:
    ip nat pool: create a NAT address pool.
    access-list: define the access control list.

ip nat inside source list

Syntax:
    ip nat inside source list access-list-number {pool pool-name | interface interface-id} [overload]
    no ip nat inside source list access-list-number

Enables dynamic NAT for internal source addresses. Use the no option to disable it.

Parameters:
    access-list-number: number of the access control list that defines the source address rules.
    pool-name: name of the IP address pool that defines the internal global addresses used for the translation.
    interface-id: interface number; the IP address of this interface is used as the internal global address.
    overload: enables port multiplexing so that each global address can be mapped to multiple local addresses. overload is used only for many-to-one translation, so that several local addresses can communicate through one NAT address at the same time. Without it, only one internal address can communicate in a given time slice; with it, each session is distinguished on the NAT address by port.

Default value: NAT is not enabled.
Command mode: global configuration mode.

Note: on Ruijie routers port multiplexing is enabled by default, so the overload keyword makes no difference; it is kept for compatibility with Cisco commands. When configuring dynamic NAT for internal source addresses, the access control list defines the rules for the internal local addresses and the IP address pool defines the internal global addresses, which are usually registered, legal addresses.

Example 1:
    Ruijie(config)# ip nat pool np 200.10.10.1 200.10.10.9 netmask 255.255.255.0
    Ruijie(config)# access-list 1 permit 192.168.1.0 0.0.0.255
    Ruijie(config)# access-list 1 permit 172.16.0.0 0.0.255.255
    Ruijie(config)# ip nat inside source list 1 pool np overload

This example defines dynamic NAT for internal source addresses of the form 192.168.1.* and 172.16.*.*, defined by access-list 1; only these addresses are translated. The internal global addresses are 200.10.10.1 ~ 200.10.10.9, nine addresses in total, defined by the address pool np. Each global address can be mapped to multiple local addresses, and each mapping is distinguished by port number.

Example 2:
    Ruijie(config)# access-list 1 permit 192.168.0.0 0.0.255.255
    Ruijie(config)# ip nat inside source list 1 interface s1/0 overload

This example defines dynamic NAT for internal source addresses of the form 192.168.*.*, defined by access-list 1. The internal global address is the IP address of Serial 1/0; all local addresses are mapped to this one address, and each mapping is distinguished by port number.

Related commands:
    ip nat pool: create a NAT address pool.
    access-list: define the access control list.

ip nat inside source static

Syntax:
    ip nat inside source static local-address global-address [permit-inside]
    no ip nat inside source static local-address global-address [permit-inside]
    ip nat inside source static protocol local-address local-port global-address global-port [permit-inside]
    no ip nat inside source static protocol local-address local-port global-address global-port [permit-inside]

Enables static NAT for internal source addresses. Use the no option to delete the static mapping.

Parameters:
    local-address: internal local address, the IP address of the host inside the network, generally an unregistered private address.
    global-address: internal global address, the address under which the internal host appears on the external network, generally a registered legal address.
    protocol: TCP or UDP.
    local-port: service port number at the local address.
    global-port: service port number at the global address; it may differ from local-port.
    permit-inside: allows internal users to reach the local host via its global address.

Default value: NAT is not enabled.
Command mode: global configuration mode.

Note: static NAT is mainly used for services that must be reachable by external users, such as web servers; it maps a local address to a specified global address. The first format implements a one-to-one mapping. The second format implements a one-to-many mapping: one global address can map to several internal addresses, with the mappings distinguished by port number.

Example 1:
    Ruijie(config)# ip nat inside source static 192.168.1.6 200.10.10.2

This example defines a static NAT mapping with internal local address 192.168.1.6 and internal global address 200.10.10.2. Internet users can reach this host only as 200.10.10.2, and intranet users only as 192.168.1.6. If the permit-inside keyword is added, intranet users can also reach the host as 200.10.10.2.

Example 2:
    Ruijie(config)# ip nat inside source static tcp 192.168.1.6 80 200.10.10.2 80
    Ruijie(config)# ip nat inside source static tcp 192.168.1.8 80 200.10.10.2 8080

This example defines two static NAT mappings for internal source addresses. Both are web services: intranet users reach them at http://192.168.1.6 and http://192.168.1.8, while Internet users must use http://200.10.10.2 and http://200.10.10.2:8080.

ip nat outside source list

Syntax:
    ip nat outside source list access-list-number pool pool-name
    no ip nat outside source list access-list-number

Enables dynamic NAT for external source addresses. Use the no option to disable it.

Parameters:
    access-list-number: number of the access control list that defines the source address rules.
    pool-name: name of the IP address pool that defines the external local addresses used for the translation.

Default value: NAT is not enabled.
Command mode: global configuration mode.

Note: external source address NAT is used when addresses overlap. Addresses overlap when two private networks that need to reach each other use the same IP addresses, or when a private network and a public network use the same IP addresses. In this case an external global address is mapped to an external local address that does not exist locally, so that the two sides can reach each other. When configuring dynamic NAT for external source addresses, the access control list defines the form of the external global addresses and the IP address pool defines the external local addresses, which must not overlap with the internal local addresses.

Example:
    Ruijie(config)# ip nat pool outp 172.18.1.1 172.18.1.254 netmask 255.255.255.0
    Ruijie(config)# access-list 1 permit 192.168.1.0 0.0.0.255
    Ruijie(config)# ip nat outside source list 1 pool outp

This example defines dynamic NAT for external source addresses of the form 192.168.1.*, defined by access-list 1, which overlap with internal addresses. The external local addresses are 172.18.1.1 ~ 172.18.1.254, defined by the address pool outp; this range is not used in the internal network. When the source address of an external packet is of the form 192.168.1.*, it is replaced by an address of the form 172.18.1.* before the packet enters the internal network.

Related commands:
    ip nat pool: create a NAT address pool.
    access-list: define the access control list.

ip nat outside source static

Syntax:
    ip nat outside source static global-address local-address
    no ip nat outside source static global-address local-address
    ip nat outside source static protocol global-address global-port local-address local-port
    no ip nat outside source static protocol global-address global-port local-address local-port

Enables static NAT for external source addresses. Use the no option to delete the static mapping.

Parameters:
    global-address: external global address, the address of the external host in the external network.
    local-address: external local address, the address under which the external host appears in the internal network.
    protocol: TCP or UDP.
    global-port: service port number at the external global address.
    local-port: service port number at the external local address; it may differ from global-port.

Default value: NAT is not enabled.
Command mode: global configuration mode.

Note: static NAT of external source addresses is used when addresses overlap. The first format implements a one-to-one mapping. The second format implements a one-to-many mapping: one local address can map to several global addresses, with the mappings distinguished by port number.

Example:
    Ruijie(config)# ip nat outside source static 192.168.1.1 172.18.1.6

This example defines a static NAT mapping for an external source address: the external global address is 192.168.1.1 and the external local address is 172.18.1.6. When the source address of an external packet is 192.168.1.1, it is replaced by 172.18.1.6 before the packet enters the internal network.

ip nat pool

Syntax:
    ip nat pool pool-name start-address end-address {netmask subnet-mask | prefix-length prefix-length} [type rotary]
    ip nat pool pool-name {netmask subnet-mask | prefix-length prefix-length} [type rotary]
    no ip nat pool pool-name

Defines an IP address pool. Use the no option to delete an address pool.

Parameters:
    pool-name: name of the address pool; the dynamic NAT configuration commands reference the pool by this name.
    start-address: first IP address of the address block.
    end-address: last IP address of the address block.
    subnet-mask: subnet mask of the address block.
    prefix-length: the mask written as a prefix length, a shorthand for the mask.
    type rotary: defines a round-robin address pool in which every address is allocated with equal probability. The default pool type on Ruijie routers is already rotary, so the keyword makes no difference; it is reserved for compatibility with Cisco commands.

Default value: no address pool is defined.
Command mode: global configuration mode.

Note: the first format defines an address pool that already contains an address block. The second format defines an empty address pool, to which one or more address blocks can then be added with the address command.

Example 1:
    Ruijie(config)# ip nat pool np1 200.10.10.1 200.10.10.9 netmask 255.255.255.0

This example defines an address pool named np1 with the address range 200.10.10.1 ~ 200.10.10.9 and mask 255.255.255.0.

Example 2:
    Ruijie(config)# ip nat pool np2 200.10.10.1 200.10.10.9 prefix-length 24

The address pool defined in this example is the same as in Example 1, except that the mask is written as a prefix length.

Example 3:
    Ruijie(config)# ip nat pool np3 netmask 255.255.255.0
    Ruijie(config)# address 200.10.10.1 200.10.10.9
    Ruijie(config)# address 201.15.8.17 201.15.8.25

This example first defines an empty address pool and then uses the address command to add two address blocks to it.

Related commands:
    address: add an address block to a NAT address pool.

ip nat translation

Syntax:
    ip nat translation parameter-name parameter-value
    no ip nat translation parameter-name

Configures the timeouts and the number of NAT translation records. Use the no option to restore the default. The command takes several forms:
    ip nat translation dns-timeout seconds: timeout for DNS translation records, in seconds. Default 60 seconds.
    ip nat translation finrst-timeout seconds: timeout for a translation record after the TCP connection sees FIN or RST, in seconds. Default 60 seconds.
    ip nat translation icmp-timeout seconds: timeout for ICMP translation records, in seconds. Default 60 seconds.
    ip nat translation syn-timeout seconds: timeout for a TCP connection whose SYN receives no response, in seconds. Default 60 seconds.
    ip nat translation tcp-timeout seconds: timeout for TCP connection translation records, in seconds. Default 1 day.
    ip nat translation udp-timeout seconds: timeout for UDP connection translation records, in seconds. Default 300 seconds.
    ip nat translation max-entries number: maximum number of NAT translation records. Default 30000.
    ip nat translation pre-user user-ip [number]: maximum number of translation records allowed for one intranet user. user-ip is the user's IP address; 0.0.0.0 applies the same limit to every intranet user, and a specific IP address takes priority over 0.0.0.0. If no number is given after user-ip, the limit is 300. By default no limit is imposed.

Command mode: global configuration mode.

Example 1:
    Ruijie(config)# ip nat translation pre-user 0.0.0.0 500
    Ruijie(config)# ip nat translation pre-user 192.168.5.112 1000

This example limits the number of translation records per intranet user: user 192.168.5.112 is limited to 1000 records and every other user to 500.

Example 2:
    Ruijie(config)# ip nat translation icmp-timeout 30

This example sets the timeout of ICMP NAT translation records to 30 seconds.

Dynamic versus static outside source translation

The main difference between using the ip nat outside source list command (dynamic NAT) instead of the ip nat outside source static command (static NAT) is that with dynamic NAT there are no entries in the translation table until the router has checked a packet against the translation criteria. In the preceding example, a packet with source address 172.16.88.1 entering Router 2514x on its external interface matches access list 1, that is, the criteria used by the ip nat outside source list command. Therefore a packet must first be sent from the external network before hosts in the internal network can communicate with the loopback0 interface of Router 2514w.

Two points deserve attention in this example. First, the order of operations depends on direction: when a packet travels from outside to inside, it is translated first and the routing table is then checked for the destination; when a packet travels from inside to outside, the routing table is checked first and the packet is then translated. Second, when using each of the preceding commands, keep track of which part of the IP packet is translated. The following table gives an outline:

    Command                      Translates
    ip nat outside source list   the source of IP packets traveling from outside to inside;
                                 the destination of IP packets traveling from inside to outside
    ip nat inside source list    the source of IP packets traveling from inside to outside;
                                 the destination of IP packets traveling from outside to inside

This shows that there are several ways to translate a packet. Based on your requirements, decide how to define the NAT interfaces (inside or outside) and which routes the routing table must contain before or after translation. Remember that how a packet is translated depends on its direction and on how you configure NAT.
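To make the direction table concrete, here is a small Python model of the inside source list (with overload) and outside source list (address overlap) commands, added as an example; it is not Ruijie or Cisco code, and the names NatRouter, acl_permits and translate, as well as the sample addresses, are constructed for this illustration. It shows inside-source entries rewriting the source on the way out and the destination on the way back, outside-source entries rewriting the source before routing on the way in and the destination on the way out, and a full table (max-entries) refusing new translations.

```python
from ipaddress import IPv4Address
from itertools import cycle

def acl_permits(addr, acl):
    """Standard ACL match: acl is a list of (address, wildcard); a 0 wildcard bit must match."""
    a = int(IPv4Address(addr))
    for net, wild in acl:
        care = ~int(IPv4Address(wild)) & 0xFFFFFFFF
        if (a ^ int(IPv4Address(net))) & care == 0:
            return True
    return False

class NatRouter:
    """Toy model of 'ip nat inside source list ... pool ... overload' plus
    'ip nat outside source list ... pool ...' (constructed example, not router code)."""

    def __init__(self, inside_acl, inside_pool, outside_acl=(), outside_pool=(), max_entries=30000):
        self.inside_acl, self.outside_acl = inside_acl, outside_acl
        self.inside_pool = cycle(inside_pool)     # type rotary: global addresses handed out in turn
        self.outside_pool = cycle(outside_pool)
        self.max_entries = max_entries            # ip nat translation max-entries
        self.next_port = 1024                     # overload: one global address, many ports
        self.in_tbl = {}    # (inside local ip, port) -> (inside global ip, port)
        self.out_tbl = {}   # outside global ip -> outside local ip

    def _full(self):
        return len(self.in_tbl) + len(self.out_tbl) >= self.max_entries

    def translate(self, direction, src, sport, dst, dport):
        """Apply NAT to one packet; returns the rewritten (src, sport, dst, dport), or None when the table is full."""
        if direction == "in->out":
            # inside source list: rewrite the SOURCE of inside->outside packets
            if acl_permits(src, self.inside_acl):
                if (src, sport) not in self.in_tbl:
                    if self._full():
                        return None
                    self.in_tbl[(src, sport)] = (next(self.inside_pool), self.next_port)
                    self.next_port += 1
                src, sport = self.in_tbl[(src, sport)]
            # outside source list: the DESTINATION (an outside local address) goes back
            # to the outside global address before the packet leaves
            for glob, loc in self.out_tbl.items():
                if dst == loc:
                    dst = glob
                    break
            return src, sport, dst, dport
        # out->in: outside source list rewrites the SOURCE first, before the route lookup
        if acl_permits(src, self.outside_acl):
            if src not in self.out_tbl:
                if self._full():
                    return None
                self.out_tbl[src] = next(self.outside_pool)
            src = self.out_tbl[src]
        # inside source list: rewrite the DESTINATION back to the inside local address/port
        for (loc, lport), (glob, gport) in self.in_tbl.items():
            if (dst, dport) == (glob, gport):
                dst, dport = loc, lport
                break
        return src, sport, dst, dport
```

With the page's access-list 1 (192.168.1.0 0.0.0.255 and 172.16.0.0 0.0.255.255) as inside_acl and an overlapping 192.168.1.* outside_acl with pool 172.18.1.*, an inside host sending to 172.18.1.1 leaves the router with destination 192.168.1.1, which is exactly the overlap case the outside source list command exists for.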
