Introduction
This document contains information about configuring Port Address Translation (PAT) on a Cisco 600 customer premises equipment (CPE). The information includes syntax, Virtual Interfaces (VIPs), applications, and Virtual Private Network (VPN) tunnels.
Syntax for a Cisco 600 with PAT
To enable PAT on a Cisco 600, issue the following commands:
If you use RFC1483 Routing, issue the set nat outside ip {address} command to set an outside IP address.
If you use Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA), the IP Control Protocol (IPCP) address is the outside IP address. This is beneficial because you can use wildcard PAT entries when the IPCP address from the service provider changes every time the user logs onto the network.
By default, there are no static PAT entries and all traffic is overloaded using the outside Network Address Translation (NAT) address.
To see the PAT table on the Cisco 600, including the outside PAT address, issue the show nat command.
600#show nat
NAT is currently enabled
Port      Network   Global
eth0      Inside
wan0-0    Outside   200.1.1.1
!--- current outside PAT address
vip0      Outside
vip1      Outside
vip2      Outside
Add a Static Entry in the PAT Table
Listed below are several ways to add a static entry to the PAT table on the Cisco 600.
- Enter the full syntax, specifying source and destination addresses, port, and protocol.
  set nat entry add {inside address} {port} {outside PAT address} {port} {ip protocol}
  For the IP protocols TCP, UDP, and ICMP, the keywords tcp, udp, and icmp are defined for the IP protocol tag. For example, to specify a TCP port, use the tcp keyword.
  set nat entry add {inside address} {port} {outside PAT address} {port} tcp
  In the following example, TCP port 25 is specified as both the inside and outside port.
  set nat entry add 10.0.0.2 25 200.1.1.1 25 tcp
  For an IP protocol other than TCP, UDP, or ICMP, use the protocol number and set the port values to 0. In the following example, the Generic Routing Encapsulation (GRE) IP protocol (protocol number 47) is added to the table.
  set nat entry add 10.0.0.2 0 200.1.1.1 0 47
- Use a wildcard method in which only the inside IP address, port, and IP protocol are defined. With this method, the default outside IP address is assumed as the outside NAT address, and the outside port and IP protocol are the same as the inside port and IP protocol defined.
  This method is especially useful when the default outside IP address changes because a user running PPPoA obtains a new address from the service provider.
  set nat entry add {inside address} {port} {protocol}
  The following example from method 1
  set nat entry add 10.0.0.2 25 200.1.1.1 25 tcp
  could also be written as
  set nat entry add 10.0.0.2 25 tcp
- Use a wildcard method in which only the inside IP address and port are defined. With this method, incoming traffic that matches the port (TCP, UDP, or ICMP) and is destined to the default outside IP address is translated to the same port on the inside address.
  set nat entry add {inside address} {port}
  In the following example, if the default outside IP address is 200.1.1.1, any TCP or UDP packets destined to port 80 at address 200.1.1.1 are sent to 10.0.0.2.
  set nat entry add 10.0.0.2 80
- Use a wildcard method in which only the inside IP address is defined. This method can be used only when there is one PC or device behind the Cisco 600.
  set nat entry add {inside address}
  For example, if a PC behind the Cisco 600 has the address 10.0.0.2 and the default outside IP address is 200.1.1.1, traffic destined for 200.1.1.1 is translated to 10.0.0.2, and the port and protocol values remain the same.
  set nat entry add 10.0.0.2
  This method is useful when all the ports to be translated are not known. A packet destined to the default outside IP address is translated to the inside IP address. The port value and the IP protocol value stay the same after the translation.
- In Cisco Broadband Operating System (CBOS) versions 2.4(1) and later, you can use port ranges. The ports do not have to be the same, but the range of ports must be consistent.
  set nat entry add {inside address} {port range} {outside NAT address} {port range} {protocol}
  set nat entry add 10.0.0.2 10-20 200.1.1.1 30-40 tcp
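As an added illustration (not CBOS code and not configuration from the original document), the following Python model parses the entry forms above and resolves an inbound packet to the inside address and port, letting the most specific entry win. The sample entries are constructed from the examples in this section, and mapping a port range by offset (30-40 onto 10-20) is an assumption.

```python
from dataclasses import dataclass
def parse_ports(spec):
    lo, _, hi = spec.partition("-")   # '25' -> (25, 25); '10-20' -> (10, 20); '0' = port-less protocol
    return int(lo), int(hi or lo)

@dataclass
class Entry:
    inside: str
    in_ports: tuple = None    # None: inside-only wildcard form
    outside: str = None       # None: the default outside PAT address
    out_ports: tuple = None   # None: same port(s) as the inside port(s)
    proto: str = None         # 'tcp'/'udp'/'icmp', a protocol number such as '47', or None

def parse_entry(line):
    """Map one 'set nat entry add ...' line onto the full form or one of the wildcard forms."""
    args = line.split()[4:]
    e = Entry(inside=args[0])
    if len(args) >= 2: e.in_ports = parse_ports(args[1])
    if len(args) == 3: e.proto = args[2]
    if len(args) >= 4: e.outside, e.out_ports = args[2], parse_ports(args[3])
    if len(args) == 5: e.proto = args[4]
    return e

def match_inbound(entries, dst_ip, dst_port, proto, default_outside="200.1.1.1"):
    """Return (inside_ip, inside_port) for a packet to dst_ip:dst_port/proto, or None.
    The most specific entry wins; pass dst_port=0 for port-less protocols such as GRE."""
    best = None
    for e in entries:
        if (e.outside or default_outside) != dst_ip or (e.proto and e.proto != proto):
            continue
        if e.proto is None and e.in_ports and proto not in ("tcp", "udp", "icmp"):
            continue   # an entry with a port but no protocol tag covers only TCP, UDP and ICMP
        out_lo, out_hi = e.out_ports or e.in_ports or (0, 65535)
        if not out_lo <= dst_port <= out_hi:
            continue
        rank = sum(x is not None for x in (e.in_ports, e.outside, e.proto))
        if best is None or rank > best[0]:
            # Assumption: a port range maps by offset, so 30-40 -> 10-20 sends port 32 to 12.
            in_port = e.in_ports[0] + (dst_port - out_lo) if e.in_ports else dst_port
            best = (rank, e.inside, in_port)
    return best[1:] if best else None

# Constructed sample entries built from the forms in this section (not taken from a device).
CONFIG = """\
set nat entry add 10.0.0.2 25 200.1.1.1 25 tcp
set nat entry add 10.0.0.2 0 200.1.1.1 0 47
set nat entry add 10.0.0.2 80
set nat entry add 10.0.0.3 10-20 200.1.1.1 30-40 tcp
"""
RULES = [parse_entry(l) for l in CONFIG.splitlines() if l.startswith("set nat entry add")]
```

Adding an inside-only entry such as set nat entry add 10.0.0.9 to RULES makes every otherwise unmatched port on 200.1.1.1 resolve to that host, which is the exposure to weigh before using the inside-only form.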
Issue the show nat command to verify the static entries you added. The output of this command also shows the dynamic PAT entries that were created.
To remove an entry, issue the set nat entry delete command. The following options are available:
set nat entry delete all
set nat entry delete {inside address} – match entries with the same inside address
set nat entry delete {outside address} – match entries with the same outside address
set nat entry delete {inside address} {port} {protocol} – match inside address, port, and protocol
set nat entry delete {inside address} {port} {outside address} {port} {protocol} – match the entire entry
Virtual Interfaces
The Virtual Interfaces (VIPs) on the Cisco 600 can be thought of as secondary IP addresses on a Cisco IOS router. Configuring an IP address and mask on a VIP is essentially equivalent to configuring a secondary address on an eth0 interface.
Also, in CBOS versions 2.3.0 and later, VIPs can be used as either inside or outside NAT interfaces. This means that an IP network assigned to a VIP configured as an outside PAT interface will not be involved in PAT.
One configuration would be to use eth0 as an inside NAT interface and vip0 as an outside NAT interface. Devices that are configured to be in the same IP network as the VIP interface can then be reached without going through NAT on the Cisco 600 (if the ISP has the route set accordingly).
In this example, an IP address of 210.1.2.1 in the IP network 210.1.2.0 is configured on the vip0 interface. Because the vip0 interface is an outside NAT interface, traffic to and from that network will not pass through NAT.
6xx#set int vip0 address 210.1.2.1
Virtual IP Address now changed
You must use "write" then reboot for changes to take effect
6xx#set int vip0 mask 255.255.255.0
Virtual Netmask now changed
You must use "write" then reboot for changes to take effect
6xx#write
Warning: traffic may pause while NVRAM is being modified
NVRAM written.
6xx#reboot
6xx#show int
          IP Address       Mask
eth0      10.0.0.1         255.255.255.0
vip0      210.1.2.1        255.255.255.0
vip1      0.0.0.0          255.255.255.0
vip2      0.0.0.0          255.255.255.0
wan0      Physical Port: Trained
          Dest IP Address  Mask
wan0-0    192.168.1.1      255.255.255.255
6xx#show nat
NAT is currently enabled
Port      Network   Global
eth0      Inside
wan0-0    Outside   210.1.1.1
vip0      Outside
vip1      Outside
vip2      Outside
Local IP : Port       Global IP : Port       Timer  Flags    Proto  Interface
10.0.0.2:0            210.1.1.1:0            0      0x00041  47     eth0 wan0-0
To change an interface from an outside to an inside PAT interface (or back), issue the following command:
set interface {eth0 | wan0-0 | vip0 | vip1 | vip2} {inside | outside}
For example, to change the vip0 interface from the default to an inside interface, issue the following command:
set interface vip0 inside
Applications and PAT
Telnet
To allow Telnetting to a device behind the Cisco 600, add one of the following commands:
set nat entry add {internal device address} 23 {outside NAT address} 23 tcp
or
set nat entry add {internal device address} 23 tcp
6xx#show nat
NAT is currently enabled
Port Network Global
eth0 Inside
wan0-0 Outside 210.1.1.1
vip0 Outside
vip1 Outside
vip2 Outside
6xx#set nat entry add 10.0.0.2 23 210.1.1.1 23 tcp
6xx#show nat
NAT is currently enabled
Port Network Global
eth0 Inside
wan0-0 Outside 210.1.1.1
vip0 Outside
vip1 Outside
vip2 Outside
Local IP : Port Global IP : Port Timer Flags Proto Interface
10.0.0.2:23 210.1.1.1:23 0 0x00041 tcp eth0 wan0-0
Note that a Telnet to the outside NAT address will now reach the internal device and not the Cisco 600. You would not be able to Telnet to the Cisco 600 at this point.
A solution would be to set up an external port in addition to the default Telnet port of 23. As an example, you could use the following command:
set nat entry add {internal device address} 23 {outside NAT address} 2000 tcp
An inbound Telnet connection to port 2000 would then be forwarded to a Telnet to the internal device. An inbound Telnet connection to the default Telnet port of 23 would terminate on the Cisco 600.
Most Telnet applications allow a port specification. For example, to Telnet to port 2000 of IP address 198.1.1.1 on a UNIX device, you would issue the following command:
telnet 198.1.1.1 2000
FTP
To allow incoming FTP, you must configure a translation to ports 20 and 21.
set nat entry add {internal device address} 21 {outside NAT address} 21 tcp
set nat entry add {internal device address} 20 {outside NAT address} 20 tcp
Web Server
To allow an incoming connection to a Web server, you must configure a translation to port 80.
set nat entry add {internal device address} 80 {outside NAT address} 80 tcp
set nat entry add {internal device address} 80 {outside NAT address} 80 udp
IRC, Mail, DNS, Windows, PC-Anywhere
Because many applications can use several ports, it can be difficult and time consuming to determine all the ports and IP protocols involved. You can add a wildcard entry if there is only one PC or device behind the Cisco 600. An inbound connection to the outside PAT address will be forwarded to the internal device address with the same port and protocol value. Use the following command:
set nat entry add {internal device address}
If a PC is behind the Cisco 600 and the outside PAT address of the Cisco 600 is 210.1.1.1, the following entry would forward all inbound connections to 210.1.1.1 to the PC address of 10.0.0.2. For example, FTP to 210.1.1.1 would be forwarded to FTP to 10.0.0.2, and a ping to 210.1.1.1 would be translated to a ping to 10.0.0.2.
6xx#set nat entry add 10.0.0.2
6xx#show nat
NAT is currently enabled
Port Network Global
eth0 Inside
wan0-0 Outside 210.1.1.1
vip0 Outside
vip1 Outside
vip2 Outside
Local IP : Port Global IP : Port Timer Flags Proto Interface
10.0.0.2:***** *****:***** 0 0x03041 *** eth0
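As an added example (not part of the original document), the following Python snippet parses show nat output in the table layout shown above and flags the entries an administrator should review: a catch-all wildcard, which forwards every port and protocol of the outside address to one host, and a tcp/23 translation, which the Telnet section notes makes the Cisco 600 itself unreachable by Telnet. The table rows are constructed from the formats on this page.

```python
import re

# Constructed sample in the 'show nat' table layout shown above (not real device output).
SHOW_NAT = """\
6xx#show nat
NAT is currently enabled
Local IP : Port Global IP : Port Timer Flags Proto Interface
10.0.0.2:23 210.1.1.1:23 0 0x00041 tcp eth0 wan0-0
10.0.0.2:500 210.1.1.1:500 0 0x00041 udp eth0 wan0-0
10.0.0.2:0 210.1.1.1:0 300 0x00046 50 eth0 wan0-0
10.0.0.3:***** *****:***** 0 0x03041 *** eth0
"""

# One translation row: local ip:port, global ip:port, timer, flags, protocol (interfaces ignored).
ROW = re.compile(r"^(\S+):(\S+)\s+(\S+):(\S+)\s+(\d+)\s+(0x[0-9A-Fa-f]+)\s+(\S+)")
FIELDS = ("local_ip", "local_port", "global_ip", "global_port", "timer", "flags", "proto")

def parse_show_nat(text):
    """Return one dict per translation row; the banner and header lines do not match ROW."""
    return [dict(zip(FIELDS, m.groups())) for m in map(ROW.match, text.splitlines()) if m]

def audit(rows, cpe_ports=(("tcp", "23"),)):
    """Flag entries worth a second look: a catch-all wildcard, which forwards every port and
    protocol of the outside address to one host, and a port the Cisco 600 itself answers on
    (tcp/23, per the Telnet section above) that is now forwarded to an inside host instead."""
    findings = []
    for r in rows:
        if "*****" in (r["local_port"], r["global_port"]) or r["proto"] == "***":
            findings.append(f"catch-all: all inbound traffic to the outside address goes to {r['local_ip']}")
        elif (r["proto"], r["global_port"]) in cpe_ports:
            findings.append(f"{r['proto']}/{r['global_port']} now reaches {r['local_ip']}, not the Cisco 600")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_show_nat(SHOW_NAT)):
        print(finding)
```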
NetMeeting
NetMeeting is an application that uses the H.323 voice over IP protocol. To allow NetMeeting sessions through PAT, the Cisco 600 must be NetMeeting-aware and must be able to perform operations in addition to port address translation.
The PAT implementation in CBOS is NetMeeting-aware, but not all NetMeeting versions may be supported in a particular version of CBOS.
CBOS version 2.4 supports NetMeeting 3.0.1. Issue the following command:
set nat entry add {inside ip address} 1720 tcp
Multiple Inside Addresses
When there are several devices behind the Cisco 600, you must specify the address and port.
For instance, if HTTP port 80 is already being translated to one internal address (for example, a Web server), that same port cannot be used again as a static translation to another internal address. A workaround for this is to change the default ports, which most applications allow you to do. In the case of the Web server, you could change the port to 8080 on the second device using the following commands:
set nat entry add 10.0.0.2 80
set nat entry add 10.0.0.3 8080
Another option is to change the outside port, with respect to the outside user, to port 8080 and translate it to port 80 on the second Web server. You can use the following commands:
set nat entry add 10.0.0.2 80 200.1.1.1 80 tcp
set nat entry add 10.0.0.2 80 200.1.1.1 80 udp
set nat entry add 10.0.0.3 80 200.1.1.1 8080 tcp
set nat entry add 10.0.0.3 80 200.1.1.1 8080 udp
You cannot use the following commands, because both entries in each pair claim outside port 80:
set nat entry add 10.0.0.2 80
set nat entry add 10.0.0.3 80
or
set nat entry add 10.0.0.2 80 200.1.1.1 80 tcp
set nat entry add 10.0.0.3 80 200.1.1.1 80 tcp
VPN Tunnels and PAT
When you set up a tunnel connection through the Cisco 600, it is important to note that IP protocols other than TCP and UDP may be used alongside TCP and UDP ports. When you configure the Cisco 600 to translate TCP and UDP ports, you must also configure it to translate those other IP protocols.
To configure the translation of a protocol other than TCP or UDP, use the following command:
set nat entry add {internal device address} 0 {outside NAT address} 0 {IP Protocol Number}
Set the port values to 0 and enter the IP protocol number as the last value.
PPTP
Point-to-Point Tunneling Protocol (PPTP) uses TCP port 1723 and IP protocol 47 (GRE).
Issue the set nat entry add command using the following syntax:
set nat entry add {internal device address} 0 {outside NAT address} 0 47
set nat entry add {internal device address} 1723 {outside NAT address} 1723 tcp
L2TP/L2F
L2TP and L2F both use UDP port 1701.
To allow an L2TP or L2F session through PAT, use the set nat entry add command with the following values:
set nat entry add {internal device address} 1701 {outside NAT address} 1701 udp
IPsec
There are many implementations of IP Security (IPsec), but not all of them can be used with PAT on the Cisco 600.
The following examples have been tested only with Cisco's VPN solution; success with other vendors' solutions is not guaranteed.
Some Cisco VPN clients can embed the IPsec packets into a UDP/TCP port that is specified on the client and server sides. In this scenario, a static PAT entry can be added that matches the ports used.
For example, if the VPN client and server are set to embed IPsec packets within UDP packets of port 8000, the following command would be added:
set nat entry add {inside client address} 8000 {outside PAT address} 8000 udp
To implement classic IPsec, you must:
- Disable the Authentication Header protocol (IP protocol 51) on both the VPN client and the VPN server.
- Use pre-shared keys.
Also, in a classic IPsec implementation using CBOS version 2.4(1), no NAT entries are required when the IPsec connection is made from inside to outside.
After the connection from the client side, the following entries are added automatically to the PAT table.
6xx#show nat
NAT is currently enabled
Port Network Global
eth0 Inside
wan0-0 Outside 210.1.1.1
vip0 Outside
vip1 Outside
vip2 Outside
Local IP : Port       Global IP : Port       Timer  Flags    Proto  Interface
10.0.0.2:500          210.1.1.1:500          0      0x00041  udp    eth0 wan0-0
10.0.0.2:0            210.1.1.1:0            300    0x00046  50     eth0 wan0-0
UDP port 500 and IP protocol 50 are inserted into the table automatically, except when the connection is made from the Internet (outside) into the device behind the Cisco 600. In this case, you must add the two entries manually.
Important: The other side of the IPsec connection must use the outside NAT address for all peer IP address statements. This means that to the other IPsec peer, your address is the outside NAT address.
For this example, 10.0.0.2 is the VPN client, 210.1.1.1 is the outside PAT address, and the other VPN peer (or server) uses 210.1.1.1 as the address for the client.
set nat entry add 10.0.0.2 500 210.1.1.1 500 udp
set nat entry add 10.0.0.2 0 210.1.1.1 0 50
or
set nat entry add 10.0.0.2 500 udp
set nat entry add 10.0.0.2 0 50