Document ID: 12838
Contents
Introduction
Before You Begin
Conventions
Prerequisites
Components Used
Syntax for a Cisco 600 with PAT
Add a Static Entry in the PAT Table
Virtual Interfaces
Applications and PAT
Telnet
File Transfer Protocol (FTP)
Web Server
IRC, Mail, DNS, Windows, PC-Anywhere
NetMeeting
Multiple Inside Addresses
VPN Tunnels and PAT
PPTP
Layer 2 Tunnel Protocol (L2TP)/Layer 2 Forwarding (L2F)
IPSec
Related Information
Introduction
This document contains information about configuring Port Address Translation (PAT) on a Cisco 600 customer premises equipment (CPE). The information covers syntax, virtual interfaces, applications, and Virtual Private Network (VPN) tunnels.
Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Prerequisites
There are no specific prerequisites for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Syntax for a Cisco 600 with PAT
To enable PAT on a Cisco 600, issue the following commands:
- set nat enabled
- write
- reboot
If you use RFC1483 routing, issue the set nat outside ip {address} command to set an outside IP address.
If you use Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA), the address negotiated by the IP Control Protocol (IPCP) is the outside IP address. This is beneficial because you can use wildcard PAT entries, which do not name the outside address, so the entries keep working when the IPCP address assigned by the service provider changes every time the user connects.
By default, there are no static PAT entries and all outbound traffic is overloaded on the outside Network Address Translation (NAT) address: each inside flow gets a dynamic entry on that single address, and only replies to such flows are translated back in.
To see the PAT table on the Cisco 600, including the outside PAT address, issue the show nat command.
600#show nat
NAT is currently enabled
Port Network Global
eth0 Inside
wan0-0 Outside 200.1.1.1 !--- Current outside PAT address.
vip0 Outside
vip1 Outside
vip2 Outside
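The overload behaviour described above, as an added example written for this page (it is not CBOS code): outbound flows from several inside hosts share the one outside address through dynamic entries, replies are matched back through those entries, and unsolicited inbound packets find nothing. The model assumes the inside source port is kept when it is free on the outside address and otherwise replaced from 1024 upward, that an entry is dropped after 300 s idle (the Timer value shown later in this document's IPSec table), and that protocols with no port field (GRE, ESP, AH) are keyed on the protocol alone, so only one inside host can hold such a mapping at a time; the addresses are the document's lab values.

```python
"""Dynamic PAT (overload) on a single outside address.  Added example, not
CBOS code.  Assumptions: inside port kept when free, else allocated from 1024;
300 s idle timer; port-less protocols keyed on protocol number only."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OUTSIDE = "210.1.1.1"                      # document's lab outside PAT address
PORTLESS = {47, 50, 51}                    # GRE, ESP, AH: only the address can be rewritten
FIRST_DYNAMIC_PORT = 1024


@dataclass
class DynEntry:
    local: Tuple[str, int]                 # inside address, inside port
    glob: Tuple[str, int]                  # outside address, outside port
    proto: int
    expires: float


class OverloadTable:
    def __init__(self, idle: float = 300.0) -> None:
        self.idle = idle
        self.by_local: Dict[Tuple[str, int, int], DynEntry] = {}   # (ip, port, proto)
        self.by_global: Dict[Tuple[int, int], DynEntry] = {}       # (outside port, proto)
        self.next_port = FIRST_DYNAMIC_PORT

    def expire(self, now: float) -> int:
        """Drop entries whose idle timer has run out; returns how many were removed."""
        dead = [e for e in self.by_local.values() if e.expires <= now]
        for e in dead:
            del self.by_local[(e.local[0], e.local[1], e.proto)]
            del self.by_global[(e.glob[1], e.proto)]
        return len(dead)

    def _alloc(self, proto: int) -> int:
        """Next outside port not already in use for this protocol (wraps at 65535)."""
        for _ in range(65535 - FIRST_DYNAMIC_PORT + 1):
            port, self.next_port = self.next_port, self.next_port + 1
            if self.next_port > 65535:
                self.next_port = FIRST_DYNAMIC_PORT
            if (port, proto) not in self.by_global:
                return port
        raise RuntimeError("dynamic port pool exhausted")

    def outbound(self, src_ip: str, src_port: int, proto: int,
                 now: float) -> Optional[Tuple[str, int]]:
        """Translate the source of an inside-to-outside packet.  Returns the
        (address, port) written into the packet, or None if no mapping is possible."""
        self.expire(now)
        key = (src_ip, src_port, proto)
        e = self.by_local.get(key)
        if e is None:
            if proto in PORTLESS:
                if (0, proto) in self.by_global:      # another inside host owns this protocol
                    return None
                gport = 0
            elif (src_port, proto) not in self.by_global:
                gport = src_port                      # keep the inside port when it is free
            else:
                gport = self._alloc(proto)            # collision: pick a fresh outside port
            e = DynEntry((src_ip, src_port), (OUTSIDE, gport), proto, now)
            self.by_local[key] = e
            self.by_global[(gport, proto)] = e
        e.expires = now + self.idle                   # any traffic refreshes the timer
        return e.glob

    def inbound(self, dst_ip: str, dst_port: int, proto: int,
                now: float) -> Optional[Tuple[str, int]]:
        """Translate the destination of an outside-to-inside packet.  With no
        static entries, anything that is not a reply to a live flow returns None."""
        self.expire(now)
        if dst_ip != OUTSIDE:
            return None
        e = self.by_global.get((dst_port, proto))
        if e is None:
            return None
        e.expires = now + self.idle
        return e.local
```

Two inside hosts sending from the same source port get two different outside ports, so their replies are told apart; a second host starting ESP while the first holds the protocol-50 mapping gets no translation at all, which is why the IPSec section later in this document lists each peer explicitly.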
Add a Static Entry in the PAT Table
Listed below are several ways to add a static entry to the PAT table on the Cisco 600:
- Enter the full syntax, specifying source and destination addresses, port, and protocol.
set nat entry add {inside address} {port} {outside PAT address} {port} {ip protocol}
For the IP protocols Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP), the keywords tcp, udp, and icmp are defined for the IP protocol tag. For example, to specify a TCP port, use the tcp keyword.
set nat entry add {inside address} {port} {outside PAT address} {port} tcp
In the following example, TCP port 25 is specified as both the inside and outside port.
set nat entry add 10.0.0.2 25 200.1.1.1 25 tcp
For an IP protocol other than TCP, UDP, or ICMP, use the protocol number and set both port values to 0. In the following example, the Generic Routing Encapsulation (GRE) IP protocol (protocol number 47) is added to the table.
set nat entry add 10.0.0.2 0 200.1.1.1 0 47
- Use a wildcard method in which only the inside IP address, port, and IP protocol are defined. With this method, the default outside IP address is assumed as the outside NAT address, and the outside port and IP protocol are the same as the inside port and IP protocol defined.
This method is especially useful when the default outside IP address changes because a user running PPPoA obtains a new address from the service provider.
set nat entry add {inside address} {port} {protocol}
The following example from method 1
set nat entry add 10.0.0.2 25 200.1.1.1 25 tcp
could also be written as
set nat entry add 10.0.0.2 25 tcp
- Use a wildcard method in which only the inside IP address and port are defined.
With this method, incoming TCP, UDP, or ICMP traffic that matches the port and is destined to the default outside IP address is translated to the same port on the inside address.
set nat entry add {inside address} {port}
In the following example, if the default outside IP address is 200.1.1.1, any TCP or UDP packets destined to port 80 at 200.1.1.1 are sent to 10.0.0.2.
set nat entry add 10.0.0.2 80
- Use a wildcard method in which only the inside IP address is defined. This method can be used only when there is one PC or device behind the Cisco 600.
set nat entry add {inside address}
For example, if a PC behind the Cisco 600 has the address 10.0.0.2 and the default outside IP address is 200.1.1.1, all traffic destined for 200.1.1.1 is translated to 10.0.0.2; the port and protocol values remain the same.
set nat entry add 10.0.0.2
This method is useful when not all the ports to be translated are known. Note that it makes every service listening on the inside device reachable from the Internet, so prefer explicit per-port entries whenever the required ports are known.
- In Cisco Broadband Operating System (CBOS) versions 2.4(1) and later, you can use port ranges. The inside and outside ranges do not have to be the same ports, but they must contain the same number of ports.
set nat entry add {inside address} {port range} {outside NAT address} {port range} {protocol}
set nat entry add 10.0.0.2 10-20 200.1.1.1 30-40 tcp
Issue the show nat command to verify the static entries you added. The output of this command also shows the dynamic PAT entries that were created.
To remove an entry, issue the set nat entry delete command. The following options are available:
set nat entry delete all
set nat entry delete {inside address} – match entries with the same inside address
set nat entry delete {outside address} – match entries with the same outside address
set nat entry delete {inside address} {port} {protocol} – match inside address, port, and protocol
set nat entry delete {inside address} {port} {outside address} {port} {protocol} – match the entire entry
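The entry forms above, and the rule in Multiple Inside Addresses later in this document that one outside port cannot be translated to two inside devices, as an added example written for this page (it is not CBOS code): each set nat entry add form is normalised to a fully specified entry, an entry whose outside (address, ports, protocol) tuple overlaps an existing one is rejected, the delete forms are implemented, and an inbound packet is translated by the first matching entry. The default outside address 200.1.1.1 is the document's lab value; first-match precedence is an assumption, since CBOS does not document one.

```python
"""Static PAT table of the Cisco 600: `set nat entry add` forms, `set nat entry
delete` forms and inbound translation.  Added example, not CBOS code.  The
first-match precedence rule is an assumption."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

DEFAULT_OUTSIDE = "200.1.1.1"                 # IPCP / `set nat outside ip` address (lab value)
KEYWORDS = {"tcp": 6, "udp": 17, "icmp": 1}   # protocol keywords CBOS accepts
PORT_PROTOS = frozenset(KEYWORDS.values())    # what a bare `{inside} {port}` entry matches
Ports = Optional[Tuple[int, int]]             # None = any port (address-only wildcard)
Protos = Optional[FrozenSet[int]]             # None = any IP protocol


@dataclass(frozen=True)
class Entry:
    inside: str
    outside: str
    in_ports: Ports
    out_ports: Ports
    protos: Protos


def _ports(text: str) -> Tuple[int, int]:
    """'25' -> (25, 25); '10-20' -> (10, 20) (ranges need CBOS 2.4(1) or later)."""
    lo, _, hi = text.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo_i, hi_i


def _proto(text: str) -> FrozenSet[int]:
    """'tcp' -> {6}; other protocols are given by number, e.g. '47' for GRE."""
    return frozenset({KEYWORDS[text] if text in KEYWORDS else int(text)})


def parse_add(args: List[str]) -> Entry:
    """Normalise every `set nat entry add` argument form to a full entry."""
    inside = args[0]
    if len(args) == 1:                                    # {inside}
        return Entry(inside, DEFAULT_OUTSIDE, None, None, None)
    ports = _ports(args[1])
    if len(args) == 2:                                    # {inside} {port}
        return Entry(inside, DEFAULT_OUTSIDE, ports, ports, PORT_PROTOS)
    if len(args) == 3:                                    # {inside} {port} {proto}
        return Entry(inside, DEFAULT_OUTSIDE, ports, ports, _proto(args[2]))
    if len(args) == 5:                                    # {inside} {port} {outside} {port} {proto}
        out_ports = _ports(args[3])
        if out_ports[1] - out_ports[0] != ports[1] - ports[0]:
            raise ValueError("inside and outside ranges must hold the same number of ports")
        return Entry(inside, args[2], ports, out_ports, _proto(args[4]))
    raise ValueError(f"unrecognised form: {' '.join(args)}")


def _ports_meet(a: Ports, b: Ports) -> bool:
    return a is None or b is None or (a[0] <= b[1] and b[0] <= a[1])


def _protos_meet(a: Protos, b: Protos) -> bool:
    return a is None or b is None or bool(a & b)


class PatTable:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def add(self, cmd: str) -> Entry:
        """cmd is everything after `set nat entry add`.  An entry whose outside
        (address, ports, protocol) tuple overlaps an existing one is rejected."""
        new = parse_add(cmd.split())
        for old in self.entries:
            if (old.outside == new.outside and _ports_meet(old.out_ports, new.out_ports)
                    and _protos_meet(old.protos, new.protos)):
                raise ValueError(f"outside tuple already used by {old.inside}")
        self.entries.append(new)
        return new

    def delete(self, cmd: str) -> int:
        """cmd is everything after `set nat entry delete`; returns entries removed.
        Forms: all | {address} | {inside} {port} {proto} | full five-field form."""
        args = cmd.split()
        if args == ["all"]:
            removed, self.entries = len(self.entries), []
            return removed
        if len(args) == 1:                                # inside or outside address
            keep = [e for e in self.entries if args[0] not in (e.inside, e.outside)]
        else:
            t = parse_add(args)
            keep = [e for e in self.entries
                    if not (e.inside == t.inside and e.in_ports == t.in_ports
                            and e.protos == t.protos
                            and (len(args) == 3
                                 or (e.outside, e.out_ports) == (t.outside, t.out_ports)))]
        removed, self.entries = len(self.entries) - len(keep), keep
        return removed

    def lookup(self, dst_ip: str, dst_port: int, proto: int) -> Optional[Tuple[str, int]]:
        """Inbound translation: (inside address, inside port), or None (packet not
        forwarded).  Port-less protocols such as GRE carry port 0."""
        for e in self.entries:
            if e.outside != dst_ip or not _protos_meet(e.protos, frozenset({proto})):
                continue
            if e.out_ports is None:                       # address-only wildcard: port unchanged
                return e.inside, dst_port
            lo, hi = e.out_ports
            if lo <= dst_port <= hi:                      # keep the offset inside the range
                return e.inside, e.in_ports[0] + (dst_port - lo)
        return None
```

With the entries from this section loaded (10.0.0.2 25 200.1.1.1 25 tcp, 10.0.0.2 0 200.1.1.1 0 47, 10.0.0.2 80, 10.0.0.2 10-20 200.1.1.1 30-40 tcp), a TCP packet to 200.1.1.1:33 lands on 10.0.0.2:13, a GRE packet lands on 10.0.0.2, and a second add of 10.0.0.3 80 is refused because port 80 on the outside address is already claimed.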
Virtual Interfaces
The virtual interfaces on the Cisco 600 can be thought of as secondary IP addresses on a Cisco IOS® router. Configuring an IP address and mask on a virtual interface is essentially equivalent to configuring a secondary address on an Ethernet 0 interface.
Also, in Cisco Broadband Operating System (CBOS) versions 2.3.0 and later, virtual interfaces can be used as either inside or outside Network Address Translation (NAT) interfaces. This means that an IP network assigned to a virtual interface configured as an outside PAT interface is not involved in PAT.
One configuration would be to use eth0 as an inside NAT interface and vip0 as an outside NAT interface. Devices that are configured to be in the same IP network as the VIP interface can then be reached without going through NAT on the Cisco 600 (if the ISP has the route set accordingly).
In this example, an IP address of 210.1.2.1 in the IP network of 210.1.2.0 was configured on the vip0 interface. Because the vip0 interface is an outside NAT interface, traffic to and from that network will not pass through NAT.
6xx#set int vip0 address 210.1.2.1
Virtual IP Address now changed
You must use "write" then reboot for changes to take effect
6xx#set int vip0 mask 255.255.255.0
Virtual Netmask now changed
You must use "write" then reboot for changes to take effect
6xx#write
Warning: traffic may pause while NVRAM is being modified
NVRAM written.
6xx#reboot
6xx#show int
IP Address Mask
eth0 10.0.0.1 255.255.255.0
vip0 210.1.2.1 255.255.255.0
vip1 0.0.0.0 255.255.255.0
vip2 0.0.0.0 255.255.255.0
wan0 Physical Port: Trained
Dest IP Address Mask
wan0-0 192.168.1.1 255.255.255.255
6xx#show nat
NAT is currently enabled
Port Network Global
eth0 Inside
wan0-0 Outside 210.1.1.1
vip0 Outside
vip1 Outside
vip2 Outside
Local IP : Port Global IP : Port Timer Flags Proto Interface
10.0.0.2:0 210.1.1.1:0 0 0x00041 47 eth0 wan0-0
To toggle an interface from an outside to an inside PAT interface, issue the following command:
set interface {eth0 | wan0-0 | vip0 | vip1 | vip2 } {inside | outside }
For example, to change the vip0 interface from its default role (outside) to an inside interface, issue the following command:
set interface vip0 inside
Applications and PAT
Telnet
To allow Telnetting to a device behind the Cisco 600, add one of the following commands:
set nat entry add {internal device address} 23 {outside NAT address} 23 tcp
or
set nat entry add {internal device address} 23 tcp
6xx#show nat
NAT is currently enabled
Port Network Global
eth0 Inside
wan0-0 Outside 210.1.1.1
vip0 Outside
vip1 Outside
vip2 Outside
6xx#set nat entry add 10.0.0.2 23 210.1.1.1 23 tcp
6xx#show nat
NAT is currently enabled
Port Network Global
eth0 Inside
wan0-0 Outside 210.1.1.1
vip0 Outside
vip1 Outside
vip2 Outside
Local IP : Port Global IP : Port Timer Flags Proto Interface
10.0.0.2:23 210.1.1.1:23 0 0x00041 tcp eth0 wan0-0
Note that a Telnet to the outside NAT address will now reach the internal device and not the Cisco 600. You would not be able to Telnet to the Cisco 600 at this point.
A solution would be to set up an external port in addition to the default Telnet port of 23. As an example, you could use the following command:
set nat entry add {internal device address} 23 {outside NAT address} 2000 tcp
An inbound connection to port 2000 of the outside NAT address is then forwarded to port 23 on the internal device, while an inbound Telnet connection to the default Telnet port of 23 still terminates on the Cisco 600.
Most Telnet applications allow a port specification. For example, to Telnet to port 2000 of IP address 198.1.1.1 on a UNIX device, you would issue the following command:
telnet 198.1.1.1 2000
File Transfer Protocol (FTP)
To allow an incoming FTP session, you must configure a translation for ports 21 and 20. Port 21 carries the control connection; port 20 is the server side of active-mode data connections. Passive-mode transfers use server-chosen high ports that these two entries do not cover.
set nat entry add {internal device address} 21 {outside NAT address} 21 tcp
set nat entry add {internal device address} 20 {outside NAT address} 20 tcp
Web Server
To allow an incoming connection to a Web server, you must configure a translation to port 80. HTTP runs over TCP, so the tcp entry is sufficient; the udp entry shown below is not required, and omitting it keeps the exposed surface smaller.
set nat entry add {internal device address} 80 {outside NAT address} 80 tcp
set nat entry add {internal device address} 80 {outside NAT address} 80 udp
IRC, Mail, DNS, Windows, PC-Anywhere
Because many applications use several ports, it can be difficult and time-consuming to determine all the ports and IP protocols involved. If there is only one PC or device behind the Cisco 600, you can add a wildcard entry instead: any inbound connection to the outside PAT address is forwarded to the internal device address with the same port and protocol value. Be aware that this makes every service listening on that device reachable from the Internet, so use it only for a device that is hardened accordingly. Use the following command:
set nat entry add {internal device address}
If a PC is behind the Cisco 600 and the outside PAT address of the Cisco 600 is 210.1.1.1, the following entry would forward all inbound connections to 210.1.1.1 to the PC address of 10.0.0.2.
For example, FTP to 210.1.1.1 would be forwarded to FTP to 10.0.0.2, and a ping to 210.1.1.1 would be translated to a ping to 10.0.0.2.
6xx#set nat entry add 10.0.0.2
6xx#show nat
NAT is currently enabled
Port Network Global
eth0 Inside
wan0-0 Outside 210.1.1.1
vip0 Outside
vip1 Outside
vip2 Outside
Local IP : Port Global IP : Port Timer Flags Proto Interface
10.0.0.2:***** *****:***** 0 0x03041 *** eth0
NetMeeting
NetMeeting is an application that uses the H.323 voice over IP protocol. To allow NetMeeting sessions through PAT, the Cisco 600 must be NetMeeting-aware and must be able to perform operations in addition to port address translation.
The PAT implementation in CBOS is NetMeeting-aware, but not all NetMeeting versions may be supported in a particular version of CBOS. Please see CBOS release notes for the latest information.
CBOS version 2.4 supports NetMeeting 3.0.1. Issue the following command:
set nat entry add {inside ip address} 1720 tcp
Multiple Inside Addresses
When there are several devices behind the Cisco 600, you must specify the address and port.
For instance, if HTTP port 80 is already being translated to one internal address (for example, a Web server), that same outside port cannot be used again as a static translation to another internal address. One workaround is to change the default port, which most applications allow you to do. In the case of the Web server, you could run the second device on port 8080 and use the following commands:
set nat entry add 10.0.0.2 80
set nat entry add 10.0.0.3 8080
Another option is to change only the outside port, as seen by the outside user, to 8080 and translate it to port 80 on the second Web server, so neither server needs reconfiguring. You can use the following commands (HTTP uses only TCP, so the udp entries are optional):
set nat entry add 10.0.0.2 80 200.1.1.1 80 tcp
set nat entry add 10.0.0.2 80 200.1.1.1 80 udp
set nat entry add 10.0.0.3 80 200.1.1.1 8080 tcp
set nat entry add 10.0.0.3 80 200.1.1.1 8080 udp
You cannot use the following commands, because each pair claims outside port 80 twice:
set nat entry add 10.0.0.2 80
set nat entry add 10.0.0.3 80
set nat entry add 10.0.0.2 80 200.1.1.1 80 tcp
set nat entry add 10.0.0.3 80 200.1.1.1 80 tcp
VPN Tunnels and PAT
When you set up a tunnel connection through the Cisco 600, note that tunnel protocols often combine a TCP or UDP control port with a separate IP protocol that has no ports at all (for example, GRE for PPTP or ESP for IPSec). Translating the TCP or UDP port alone is not enough; you must also add an entry for the other IP protocol, or the tunnel negotiates but carries no data.
To configure the translation of a protocol other than TCP or UDP, set both port values to 0 and enter the IP protocol number as the last value:
set nat entry add {internal device address} 0 {outside NAT address} 0 {IP Protocol Number}
Refer to Syntax for a Cisco 600 with PAT for more detail.
PPTP
Point-to-Point Tunneling Protocol (PPTP) uses TCP port 1723 for the control connection and IP protocol 47 (GRE) for the tunneled data, so both entries below are required.
Issue the set nat entry add command using the following syntax:
set nat entry add {internal device address} 0 {outside NAT address} 0 47
set nat entry add {internal device address} 1723 {outside NAT address} 1723 tcp
Layer 2 Tunnel Protocol (L2TP)/Layer 2 Forwarding (L2F)
L2TP and L2F both use UDP port 1701.
To allow an L2TP or L2F session through PAT, use the set nat entry add command with the following values:
set nat entry add {internal device address} 1701 {outside NAT address} 1701 udp
IPSec
There are many implementations of IP Security (IPSec), but not all of them can be used with PAT on the Cisco 600.
The following examples have been tested only with the Cisco Virtual Private Network (VPN) solution; success with other vendors' solutions is not guaranteed.
Some Cisco VPN clients can encapsulate the IPSec packets in UDP or TCP on a port that is configured on both the client and the server. In this scenario, a static PAT entry can be added that matches the port used.
For example, if the VPN client and server are set to encapsulate IPSec packets in UDP on port 8000, the following command would be added:
set nat entry add {inside client address} 8000 {outside PAT address} 8000 udp
To implement classic IPSec, you must:
- Disable the Authentication Header protocol (IP protocol 51) on both the VPN client and the VPN server. AH computes its integrity check over the IP header, including the source address that PAT rewrites, so AH-protected packets fail verification after translation.
- Use pre-shared keys.
Also, in a classic IPSec implementation using CBOS version 2.4(1), no NAT entries are required when the IPSec connection is made inside to outside.
After the connection from the client side, the following entries are added automatically to the PAT table.
6xx#show nat
NAT is currently enabled
Port Network Global
eth0 Inside
wan0-0 Outside 210.1.1.1
vip0 Outside
vip1 Outside
vip2 Outside
Local IP : Port Global IP : Port Timer Flags Proto Interface
10.0.0.2:500 210.1.1.1:500 0 0x00041 udp eth0 wan0-0
10.0.0.2:0 210.1.1.1:0 300 0x00046 50 eth0 wan0-0
The entries for UDP port 500 (IKE) and IP protocol 50 (ESP) are inserted automatically, except when the connection is initiated from the Internet (outside) to the device behind the Cisco 600. In that case, you must add the two entries manually.
Important: The other side of the IPSec connection must use the outside NAT address for all peer IP address statements. This means that to the other IPSec peer, your address is the outside NAT address.
For this example, 10.0.0.2 is the VPN client, 210.1.1.1 is the outside PAT address, and the other VPN peer (or server) uses 210.1.1.1 as the address for the client.
set nat entry add 10.0.0.2 500 210.1.1.1 500 udp
set nat entry add 10.0.0.2 0 210.1.1.1 0 50
or
set nat entry add 10.0.0.2 500 udp
set nat entry add 10.0.0.2 0 50
Related Information
Updated: Nov 23, 2007 | Document ID: 12838
