NAT Global

This section is used to modify parameters that affect the way NAT (Network Address Translation) operates. NAT allows internal networks which use private IP addresses to be translated into a valid external global IP address (or addresses). (See RFC 1918 "Address Allocation for Private Internets" for more information about private IP addresses.) This can allow a private network to provide Internet access through a single "official" IP address. It can also function as a minimal firewall by limiting access to the internal network from external networks while allowing the internal network easy access to the Internet. These parameters are global to the device and are not associated with a particular interface.

configure NAT Global

Usage Guidelines

For WAN interfaces, the "official" IP address must be assigned statically from the router's configuration. The WAN interface performing NAT cannot have its IP address dynamically assigned by a dialup-PPP negotiation.

Keywords

After entering the configure command for the section, enter one or more of the following keywords.

Enabled = {On | Off}

The Enabled keyword, when set to On, allows the router to perform NAT translations between the internal and external networks. The default is Off.


Note   NAT must also be enabled for the external NAT port in the IP section for NAT to function on the router.

InternalRange = IP_address_range

The InternalRange keyword defines the address range of the internal NAT network. This range will be translated into the range of IP addresses defined by the ExternalRange keyword. It can be a single IP address or a range of addresses. The InternalRange must be part of the same IP network as the internal NAT port.

The address range may be specified in several different ways:

  • IP address(es) can be specified in normal dotted-decimal notation. If the rightmost components are 0, they are treated as wildcards (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet).

  • An inclusive range of addresses can be specified using a "dash notation" in the form #.#.#.{#-#}. For example, 10.5.3.{1-30} is parsed as the IP addresses 10.5.3.1, 10.5.3.2, ..., 10.5.3.29, and 10.5.3.30 (and every IP address in between). Each of these parsed addresses has a mask of /32 or 255.255.255.255.

  • IP addresses may also be specified as a hexadecimal number (for example, 0x82cc0801 matches the host address 130.204.8.1).

  • A bit field can also be used to indicate a range of addresses by denoting the top or most significant bits which define the range. For example, an address specified as 192.15.32.0/19 would indicate a range from 192.15.32.1 to 192.15.63.255.

This keyword may appear multiple times within this section in order to specify several different ranges.

ExternalRange = IP_address_range

The ExternalRange keyword defines the address range of the external NAT network. This range will be translated into the range of IP addresses defined by the InternalRange keyword. It can be a single IP address or a range of addresses, but they must be valid global Internet addresses and the value(s) must be routable on the network.

If only a single Internet IP address is available, then the ExternalRange must be the same as the IP address on the IP port communicating with the Internet. In this case, care must be taken not to create a one-to-one translation pair using this IP address in the NAT Mapping section.

If a range of addresses is specified, the NAT software makes the decision about which Internet address is assigned to outgoing packets.

The ExternalRange IP address has the same format as that for the InternalRange. This keyword may appear multiple times within this section in order to specify several different ranges.

PassThruRange = IP_address_range

The PassThruRange keyword defines an address range which may pass through the external NAT port without being translated. This is used when the NAT router has an IP interface (or interfaces), in addition to the NAT internal port and NAT external port, that is connected to part of the local network that is configured with global IP addresses.

The PassThruRange IP address has the same format as that for the InternalRange.

This keyword may appear multiple times within this section in order to specify several different ranges. However, you can only create one PassThruRange for each Class C network. The following example works alone:

PassThruRange = 216.228.84.168/29

The following example invalidates both PassThruRanges:

PassThruRange = 216.228.84.168/29
PassThruRange = 216.228.84.96/29

Note   If an IP address or range of addresses is included in both the ExternalRange and PassThruRange, NAT will treat the IP address(es) as being members of the ExternalRange only.
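The four IP_address_range notations described under InternalRange (dotted-decimal with trailing-zero wildcards, dash notation, hexadecimal, and bit-field /prefix form) and the one-PassThruRange-per-Class-C rule above are both easy to get wrong by hand. The following is an added example, not code from the Cisco VPN 5000 software or its documentation: it parses each notation into Python ipaddress networks and then checks a set of PassThruRange values for two entries that fall into the same /24 (Class C sized) block. The function names, the choice to expand dash notation into /32 entries, and the treatment of a range wider than /24 as touching every /24 it covers are assumptions of this example; the sample values are the ones used on this page.

```python
import ipaddress
import re
from collections import defaultdict

# Dash notation #.#.#.{#-#}; whitespace inside the braces is tolerated
DASH_RE = re.compile(
    r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\{\s*(\d{1,3})\s*-\s*(\d{1,3})\s*\}$")


def parse_ip_range(text):
    """Expand one IP_address_range value into a list of IPv4Network objects."""
    text = text.strip()

    # Hexadecimal host address, e.g. 0x82cc0801 -> 130.204.8.1/32
    if text.lower().startswith("0x"):
        value = int(text, 16)
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"hex address out of range: {text}")
        return [ipaddress.IPv4Network((value, 32))]

    # Dash notation, e.g. 10.5.3.{1-30} -> thirty /32 entries
    m = DASH_RE.match(text)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad dash range: {text}")
        return [ipaddress.IPv4Network(f"{prefix}.{i}/32") for i in range(lo, hi + 1)]

    # Bit-field notation, e.g. 192.15.32.0/19 (strict=False tolerates host bits)
    if "/" in text:
        return [ipaddress.IPv4Network(text, strict=False)]

    # Plain dotted-decimal: rightmost zero octets act as wildcards,
    # so 128.138.12.0 covers the whole 128.138.12.0/24 subnet.
    octets = [int(o) for o in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted-decimal address: {text}")
    prefixlen = 32
    for octet in reversed(octets):
        if octet != 0:
            break
        prefixlen -= 8
    return [ipaddress.IPv4Network((text, prefixlen), strict=False)]


def class_c_blocks(net):
    """All /24 (Class C sized) blocks that a network touches (assumed rule)."""
    if net.prefixlen >= 24:
        return [net.supernet(new_prefix=24)]
    return list(net.subnets(new_prefix=24))


def check_passthru_ranges(values):
    """Flag /24 blocks that more than one PassThruRange entry falls into.

    Returns a list of (class_c_block, [offending entries]) tuples; an empty
    list means the set of PassThruRange lines is acceptable.
    """
    owners = defaultdict(list)
    for value in values:
        for net in parse_ip_range(value):
            for block in class_c_blocks(net):
                if value not in owners[block]:
                    owners[block].append(value)
    return [(str(block), entries) for block, entries in sorted(owners.items())
            if len(entries) > 1]


if __name__ == "__main__":
    for value in ("128.138.12.0", "10.5.3.{1-30}", "0x82cc0801", "192.15.32.0/19"):
        nets = parse_ip_range(value)
        print(f"{value:18} -> {nets[0]} .. {nets[-1]} ({len(nets)} entries)")
    # The two PassThruRange sets from this page: the first is valid, the second is not
    print(check_passthru_ranges(["216.228.84.168/29"]))
    print(check_passthru_ranges(["216.228.84.168/29", "216.228.84.96/29"]))
```

Running the check on a candidate configuration before committing it catches the invalid pair of /29 entries in 216.228.84.0/24 that the page warns about, while a single entry passes.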

UDPTimeout = Number

The UDPTimeout keyword specifies how long a non-TCP NAT session may remain idle (no packets translated through it) before the router removes it. Values may range from 0 to 3600 seconds (1 hour). A value of zero means non-TCP NAT sessions are never removed due to inactivity. A longer timeout causes the NAT translation session database to use more router memory. The default is 300 seconds (5 minutes).

TCPTimeout = Number

The TCPTimeout keyword specifies how long a TCP NAT session may remain idle (no packets translated through it) before the router removes it. The value may range from 0 to 172,800 seconds (48 hours). A value of zero means TCP NAT sessions are never removed due to inactivity. A longer timeout causes the NAT translation session database to use more router memory. The default is 86,400 seconds (24 hours).

TCPSynTimeout = Number

The TCPSynTimeout keyword specifies the amount of time to lapse without a response to a SYN TCP packet before the router removes an active NAT session for TCP. The value may range from 20 to 300 seconds. The default is 180 seconds (3 minutes).

TCPFinTimeout = Number

The TCPFinTimeout keyword specifies the amount of time to lapse without a response to a FIN TCP packet before the router removes an active NAT session for TCP. The value may range from 20 to 300 seconds. The default is 180 seconds (3 minutes).
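The four timeout keywords above each govern a different kind of session, and two of them accept a zero meaning "never expire" while the SYN and FIN timeouts do not. The following is an added example, not code from the Cisco VPN 5000 software: it models which keyword applies to a session, which sessions a reaper would remove at a given time, and whether a set of timeout values lies within the ranges stated on this page. The Session fields, the state names, and the sample session table are constructed for this illustration; the value ranges and defaults are the ones documented above.

```python
from dataclasses import dataclass

# Allowed ranges and defaults for the timeout keywords, in seconds (from this page)
TIMEOUT_RANGES = {
    "UDPTimeout": (0, 3600),
    "TCPTimeout": (0, 172800),
    "TCPSynTimeout": (20, 300),
    "TCPFinTimeout": (20, 300),
}
TIMEOUT_DEFAULTS = {"UDPTimeout": 300, "TCPTimeout": 86400,
                    "TCPSynTimeout": 180, "TCPFinTimeout": 180}


def validate_timeouts(cfg):
    """Names of keywords whose values fall outside the allowed range (missing keys use defaults)."""
    return [k for k, (lo, hi) in TIMEOUT_RANGES.items()
            if not lo <= cfg.get(k, TIMEOUT_DEFAULTS[k]) <= hi]


@dataclass
class Session:
    key: str        # hypothetical label, e.g. "10.5.3.4:1234->198.41.9.219:80"
    proto: str      # "tcp" or anything else (non-TCP sessions use UDPTimeout)
    state: str      # for tcp: "syn_sent", "established" or "fin_wait"
    last_seen: int  # time (seconds) of the last packet translated through the session


def idle_limit(session, cfg):
    """Seconds of inactivity after which the session is removed; None means never."""
    if session.proto != "tcp":
        limit = cfg["UDPTimeout"]
        return None if limit == 0 else limit
    if session.state == "syn_sent":      # SYN sent, no reply yet: no 'never' value
        return cfg["TCPSynTimeout"]
    if session.state == "fin_wait":      # FIN sent, no reply yet: no 'never' value
        return cfg["TCPFinTimeout"]
    limit = cfg["TCPTimeout"]            # established connection
    return None if limit == 0 else limit


def expired_sessions(sessions, now, cfg):
    """Keys of the sessions the router would remove when checked at time `now`."""
    gone = []
    for s in sessions:
        limit = idle_limit(s, cfg)
        if limit is not None and now - s.last_seen >= limit:
            gone.append(s.key)
    return gone


# Constructed sample session table, to be checked at t = 1000 s
SAMPLE_SESSIONS = [
    Session("dns-lookup", "udp", "", last_seen=600),               # idle 400 s
    Session("web-established", "tcp", "established", last_seen=0),  # idle 1000 s
    Session("half-open", "tcp", "syn_sent", last_seen=800),        # idle 200 s
    Session("closing", "tcp", "fin_wait", last_seen=900),          # idle 100 s
]

if __name__ == "__main__":
    cfg = dict(TIMEOUT_DEFAULTS)
    print(expired_sessions(SAMPLE_SESSIONS, 1000, cfg))   # dns-lookup and half-open
    cfg["UDPTimeout"] = 0                                  # never reap non-TCP sessions
    print(expired_sessions(SAMPLE_SESSIONS, 1000, cfg))   # half-open only
    print(validate_timeouts({"TCPSynTimeout": 10}))       # below the 20-second minimum
```

With the defaults, the idle UDP session and the unanswered SYN are removed while the established and closing TCP sessions survive; setting UDPTimeout to 0 keeps the UDP entry forever, which is the memory cost the keyword descriptions warn about.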

RouterAddr = {On | Off}

The RouterAddr keyword, when set to On, allows communication with the router through the IP addresses of the router's ports. This allows the user to communicate with the router (e.g., establish a telnet session with the router). The default is On.

RespondICMP = {On | Off}

The RespondICMP keyword, when set to On, allows external workstations/routers to ping workstations/routers in the internal NAT network if a one-to-one translation pair in the NAT Mapping section will allow such a translation. The default is On. The workstation/router on the internal NAT network will not be allowed to respond to a ping if RespondICMP is Off.

Examples

The following example shows an internal subnetted network which has Internet access through 198.41.9.219. The internal network will also be able to respond to pings from external devices if a one-to-one translation pair has been configured in the NAT Mapping section.

[ NAT Global ]
Enabled       = On
InternalRange = 10.5.3.0/27
ExternalRange = 198.41.9.219
RespondICMP   = On

The following example shows another internal subnetted network which has Internet access through a range of Internet addresses. The internal network will not be able to respond to pings from external devices.

[ NAT Global ]
Enabled       = On
InternalRange = 10.5.3.0/29
ExternalRange = 198.41.9.200/29
RespondICMP   = Off

Related Commands

Command                  Description
configure IP             Configures IP parameters for an interface
edit config NAT Mapping  Creates a NAT mapping
show ip                  Shows IP configuration and statistics
show nat                 Shows NAT configuration and statistics


Posted: Wed Sep 27 10:44:10 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.