NAT overview:
-----------------------------------------------------------------
NAT on stick:
Ref: link - http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
-----------------------------------------------------------------
NAT extendable:
ip nat inside source static 10.1.1.1 200.2.2.2 extendable
ip nat inside source static 10.1.1.1 200.3.3.3 extendable
Note: Don't forget the ip nat inside and ip nat outside interface commands.
The "extendable" keyword lets IOS hold two NAT entries for the same source IP address.
-----------------------------------------------------------------
NAT Stateful failover:
# ip nat stateful id 1 <-- router in SNAT group
# redundancy HSRP-1 <-- specifies the HSRP group (standby 1 group name)
# mapping-id 100 <-- uniquely identifies translations that the active HSRP sends to the standby
# access-list 100 permit ip host 10.1.1.1 host 20.1.1.4 <-- communication between source and destination
# route-map TST permit 10
# match ip address 100
# ip nat pool TST-POOL 192.1.1.1 192.1.1.2 prefix-length 24 <-- create dynamic NAT pool
# ip nat inside source route-map TST pool TST-POOL mapping-id 100
-----------------------------------------------------------------
Inside-to-Outside | Outside-to-Inside
If IPSec then check input access list | If IPSec then check input access list
decryption - for CET (Cisco Encryption Technology) or IPSec | decryption - for CET or IPSec
check input access list | check input access list
check input rate limits | check input rate limits
input accounting | input accounting
redirect to web cache | redirect to web cache
policy routing | NAT outside to inside (global to local translation)
routing | policy routing
NAT inside to outside (local to global translation) | routing
crypto (check map and mark for encryption) | crypto (check map and mark for encryption)
check output access list | check output access list
inspect (Context-based Access Control (CBAC)) | inspect CBAC
TCP intercept | TCP intercept
encryption | encryption
Queueing | Queueing
Note: NAT inside to outside -> routing is checked before NAT takes place | Note: NAT outside to inside -> translation occurs before routing
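What the order-of-operations table above means for ACLs, as an added example that is not part of the original notes: the input access list is checked before NAT in both directions, so an inbound ACL on the outside interface must match the global address and an inbound ACL on the inside interface must match the local address. The interface names, the ACL names and the HTTPS service on port 443 are assumptions; the addresses reuse 10.1.1.1 and 200.2.2.2 from the static NAT entry earlier in these notes.

```cisco
! Added example; interface names, ACL names and port 443 are assumptions.
interface GigabitEthernet0/0
 description inside LAN (assumed interface name)
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
 ip access-group INSIDE-IN in
!
interface GigabitEthernet0/1
 description outside, Internet-facing (assumed interface name)
 ip address 200.2.2.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
ip nat inside source static 10.1.1.1 200.2.2.2
!
! MISTAKE (left commented out): outside-to-inside packets reach the input
! ACL before NAT, so the destination is still 200.2.2.2 and this entry
! never matches. The service looks "blocked by NAT" and the ACL tends to
! get loosened to "permit ip any any" to make it work.
!  ip access-list extended OUTSIDE-IN
!   permit tcp any host 10.1.1.1 eq 443
!
! CORRECT: match the inside global address on the outside interface.
ip access-list extended OUTSIDE-IN
 remark input ACL runs before outside-to-inside NAT: match global address
 permit tcp any host 200.2.2.2 eq 443
 deny ip any any log
!
! Inside-to-outside: the input ACL on the inside interface also runs
! before NAT, so the source is still the inside local address.
ip access-list extended INSIDE-IN
 remark input ACL runs before inside-to-outside NAT: match local address
 permit tcp host 10.1.1.1 eq 443 any
 deny ip any any log
```

The hit counters in `show access-lists OUTSIDE-IN` together with `show ip nat translations` confirm which address each entry actually matched.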
-----------------------------------------------------------------