CISCO 17.X NAT About Stateless Static Instruction Manual

June 15, 2024
Cisco


Product Information

Specifications

  • Product Name : Stateless Static NAT
  • Version : IOS XE Bengaluru 17.4.1a

Product Usage Instructions

Configuring Stateless Static Inside and Outside NAT
To configure a static NAT translation with static mapping set to stateless, follow these steps:

  1. Enable privileged EXEC mode by entering the command:
    enable

  2. Enter global configuration mode by entering the command:
    configure terminal

  3. Configure the inside source static NAT translation by entering the command:
    ip nat inside source static local-ip global-ip stateless

  4. Configure the outside source static NAT translation by entering the command:
    ip nat outside source static global-ip local-ip stateless

  5. Exit global configuration mode by entering the command:
    exit

  6. Save the configuration and exit by entering the command:
    end

Configuring Stateless Static NAT Port Forwarding
To configure stateless static NAT port forwarding, follow these steps:

  1. Enable privileged EXEC mode by entering the command:
    enable

  2. Enter global configuration mode by entering the command:
    configure terminal

  3. Configure the inside source static NAT translation with port forwarding by entering the command:
    ip nat inside source static local-ip global-ip stateless

  4. Configure the outside source static NAT translation with port forwarding by entering the command:
    ip nat outside source static global-ip local-ip stateless

  5. Exit global configuration mode by entering the command:
    exit

  6. Save the configuration and exit by entering the command:
    end

FAQ

  • What is Stateless Static NAT?
    Stateless Static NAT allows for one-to-one translations of inside local addresses to outside global addresses, including IP addresses and port number translations.

  • What is the purpose of Stateless Static NAT?
    The purpose of Stateless Static NAT is to create fixed translations of private addresses to public addresses, enabling hosts on the destination network to initiate traffic to a translated host if allowed by an access list.

  • What is the difference between Stateless and Stateful NAT?
    In Stateless NAT, no sessions are created for the traffic flow, while in Stateful NAT, sessions are created for each flow.

Information About Stateless Static NAT

  • Static Network Address Translation (NAT) allows the user to configure one-to-one translations of the inside local addresses to the outside global addresses. It supports both IP address and port number translation for inside-to-outside and outside-to-inside traffic.
  • Static NAT creates a fixed translation of private addresses to public addresses. Because static NAT assigns addresses on a one-to-one basis, you need as many public addresses as private addresses. Because the public address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT enables hosts on the destination network to initiate traffic to a translated host if an access list exists that allows it.

In the IOS XE Bengaluru 17.4.1a release, a new keyword, stateless, is introduced for the Cisco IOS XE static NAT configuration options. This option applies only to the static NAT command. When the static mapping is set to stateless, no sessions are created for that traffic flow.

  • NAT Mappings and Translation Entry
  • Restrictions for Stateless Static Network Address Translation
  • Configuring Stateless Static NAT
  • Configuring Static Stateful NAT with Static Stateless NAT in Redundant Device
  • Example: Configuring Stateless Static NAT
  • Feature Information for Stateless Static NAT

NAT Mappings and Translation Entry

If a stateless NAT mapping coexists with other NAT mappings that are not stateless, a NAT flow entry is created in the NAT translation table. The following table shows whether a flow is created when a flow matches two NAT mappings, with and without redundancy.

Table 1: NAT Mappings and Translation Entry

Mapping 1 with No Redundancy| Mapping 2 with No Redundancy| Mapping 1 with Redundancy| Mapping 2 with Redundancy| Flow Creation
---|---|---|---|---
Stateless| Stateful| NA| NA| Yes
Stateless| Stateless| NA| NA| No
NA| NA| Stateful| Stateless| On both active and standby
NA| NA| Stateless| Stateless| Not on both active and standby

Restrictions for Stateless Static Network Address Translation

The following restrictions apply to the Stateless Static NAT:

  • Stateless Static NAT is supported only on IPv4.
  • Stateless Static NAT is supported only on default NAT mode. If you change the mode to CGN, it will fail as stateless mappings are already configured.
  • Stateless Static NAT is not supported for static mapping with route-map.
  • Stateless Static NAT does not support ALG processing for stateless static mappings.

Configuring Stateless Static NAT

You can configure the stateless static NAT on the following:

  • Inside static NAT
  • Outside static NAT
  • Inside static NAT network
  • Outside static NAT network
  • Inside static NAT with PAT
  • Outside static NAT with PAT

Configuring Stateless Static Inside and Outside NAT
Perform the following task to configure a static NAT translation with the static mapping set to stateless. When you set the static mapping to stateless, sessions are not created for that flow.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip nat inside source static local-ip global-ip stateless
  4. ip nat outside source static global-ip local-ip stateless
  5. exit
  6. end

DETAILED STEPS

| Command or Action| Purpose
---|---|---
Step 1| enable (Example: Router> enable)| Enables privileged EXEC mode. Enter your password if prompted.
Step 2| configure terminal (Example: Router# configure terminal)| Enters global configuration mode.
Step 3| ip nat inside source static local-ip global-ip stateless (Example: Router(config)# ip nat inside source static 10.1.1.1 100.1.1.1 stateless)| Establishes static translation between an inside local address and an inside global address.
Step 4| ip nat outside source static global-ip local-ip stateless (Example: Router(config)# ip nat outside source static 100.1.1.1 10.1.1.1 stateless)| Establishes static translation between an outside global address and inside local address.
Step 5| exit (Example: Router(config-if)# exit)| Exits interface configuration mode and returns to global configuration mode.
Step 6| end (Example: Router(config-if)# end)| Exits interface configuration mode and returns to privileged EXEC mode.

Configuring Stateless Static NAT Port Forwarding
Perform the following task to configure static NAT port forwarding with the static mapping set to stateless. When you set the static mapping to stateless, sessions are not created for that flow.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip nat inside source static {tcp|udp} local-ip local-port global-ip global-port extendable Stateless
  4. ip nat outside source static {tcp|udp} global-ip global-port local-ip local-port extendable Stateless
  5. exit
  6. end

DETAILED STEPS

| Command or Action| Purpose
---|---|---
Step 1| enable (Example: Router> enable)| Enables privileged EXEC mode. Enter your password if prompted.
Step 2| configure terminal (Example: Router# configure terminal)| Enters global configuration mode.
Step 3| ip nat inside source static {tcp \| udp} local-ip local-port global-ip global-port extendable Stateless (Example: Router(config)# ip nat inside source static tcp 10.1.1.1 80 100.11.1.1 8080 extendable stateless)| Establishes static translation between an inside local address and an inside global address.
Step 4| ip nat outside source static {tcp \| udp} global-ip global-port local-ip local-port extendable Stateless (Example: Router(config)# ip nat outside source static tcp 100.1.1.1 8080 10.1.1.1 80 extendable stateless)| Establishes static translation between an outside global address and inside local address.
Step 5| exit (Example: Router(config-if)# exit)| Exits interface configuration mode and returns to global configuration mode.
Step 6| end (Example: Router(config-if)# end)| Exits interface configuration mode and returns to privileged EXEC mode.

Configuring Stateless Static NAT Network
Perform the following task to configure a static NAT network translation with the static mapping set to stateless. When you set the static mapping to stateless, sessions are not created for that flow.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip nat inside source static network local-network-mask global-network-mask Stateless
  4. ip nat outside source static network global-network-mask local-network-mask Stateless
  5. exit
  6. end

DETAILED STEPS

| Command or Action| Purpose
---|---|---
Step 1| enable (Example: Router> enable)| Enables privileged EXEC mode. Enter your password if prompted.
Step 2| configure terminal (Example: Router# configure terminal)| Enters global configuration mode.
Step 3| ip nat inside source static network local-network-mask global-network-mask Stateless (Example: Router(config)# ip nat inside source static network 10.0.0.0 100.1.1.0 /24 stateless)| Establishes static translation between an inside local network and an inside global network.
Step 4| ip nat outside source static network global-network-mask local-network-mask Stateless (Example: Router(config)# ip nat outside source static network 100.0.0.0 10.1.1.0 /24 stateless)| Establishes static translation between an outside global network and an inside local network.
Step 5| exit (Example: Router(config-if)# exit)| Exits interface configuration mode and returns to global configuration mode.
Step 6| end (Example: Router(config-if)# end)| Exits interface configuration mode and returns to privileged EXEC mode.

Configuring Stateless Static NAT with VRF
Perform the following task to configure a static NAT translation with the static mapping set to stateless in a VRF-aware NAT scenario. When you set the static mapping to stateless, sessions are not created for that flow.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip nat inside source static local-ip global-ip [vrf vrf-name [match-in-vrf ]] Stateless
  4. ip nat outside source static global-ip local-ip [vrf vrf-name [match-in-vrf ]] Stateless
  5. exit
  6. end

DETAILED STEPS

| Command or Action| Purpose
---|---|---
Step 1| enable (Example: Router> enable)| Enables privileged EXEC mode. Enter your password if prompted.
Step 2| configure terminal (Example: Router# configure terminal)| Enters global configuration mode.
Step 3| ip nat inside source static local-ip global-ip [vrf vrf-name [match-in-vrf]] Stateless (Example: Router(config)# ip nat inside source static 10.1.1.1 100.11.1.1 vrf vrf1 match-in-vrf stateless)| Establishes static translation between an inside local address and an inside global address. The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF. The Stateless keyword does not create the flow entries for static mapping.
Step 4| ip nat outside source static global-ip local-ip [vrf vrf-name [match-in-vrf]] Stateless (Example: Router(config)# ip nat outside source static 100.1.1.1 10.1.1.1 vrf vrf1 match-in-vrf stateless)| Establishes static translation between an outside global address and an inside local address. The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF. The Stateless keyword does not create the flow entries for static mapping.
Step 5| exit (Example: Router(config-if)# exit)| Exits interface configuration mode and returns to global configuration mode.
Step 6| end (Example: Router(config-if)# end)| Exits interface configuration mode and returns to privileged EXEC mode.

Configuring Stateless Static NAT with Static Stateless Static NAT Port Forwarding
Perform the following task to configure static NAT port forwarding with VRF, with the static mapping set to stateless. When you set the static mapping to stateless, sessions are not created for that flow.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [vrf vrf-name [match-in-vrf ]] extendable stateless
  4. ip nat outside source static {tcp | udp} global-ip global-port local-ip local-port [vrf vrf-name [match-in-vrf ]] extendable stateless
  5. exit
  6. end

DETAILED STEPS

| Command or Action| Purpose
---|---|---
Step 1| enable (Example: Router> enable)| Enables privileged EXEC mode. Enter your password if prompted.
Step 2| configure terminal (Example: Router# configure terminal)| Enters global configuration mode.
Step 3| ip nat inside source static {tcp \| udp} local-ip local-port global-ip global-port [vrf vrf-name [match-in-vrf]] extendable stateless (Example: Router(config)# ip nat inside source static tcp 10.1.1.1 80 100.11.1.1 8080 vrf 1 match-in-vrf extendable stateless)| Establishes static translation between an inside local address and an inside global address. The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF. The Stateless keyword does not create the flow entries for static mapping.
Step 4| ip nat outside source static {tcp \| udp} global-ip global-port local-ip local-port [vrf vrf-name [match-in-vrf]] extendable stateless (Example: Router(config)# ip nat outside source static tcp 100.1.1.1 8080 10.1.1.1 80 vrf 1 match-in-vrf extendable stateless)| Establishes static translation between an outside global address and an inside local address. The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF. The Stateless keyword does not create the flow entries for static mapping.
Step 5| exit (Example: Router(config-if)# exit)| Exits interface configuration mode and returns to global configuration mode.
Step 6| end (Example: Router(config-if)# end)| Exits interface configuration mode and returns to privileged EXEC mode.

Configuring Static Stateful NAT with Static Stateless NAT in Redundant Device
Perform the following task to configure a static NAT translation with the static mapping set to stateless. When you set the static mapping to stateless, sessions are not created for that flow. In this configuration, only one static mapping is set to stateless. A NAT translation entry is created when the flow matches both mapping statements or matches only the stateful mapping entry. It is not created if the flow matches only the stateless entry.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip nat inside source static local-ip global-ip [vrf vrf-name [redundancy group name [match-in-vrf ]]] stateless
  4. ip nat inside source static local-ip global-ip [vrf vrf-name [redundancy group name match-in-vrf ]]] stateless
  5. exit
  6. end

DETAILED STEPS

| Command or Action| Purpose
---|---|---
Step 1| enable (Example: Router> enable)| Enables privileged EXEC mode. Enter your password if prompted.
Step 2| configure terminal (Example: Router# configure terminal)| Enters global configuration mode.
Step 3| ip nat inside source static local-ip global-ip [vrf vrf-name [redundancy group name [match-in-vrf]]] stateless (Example: Router(config)# ip nat inside source static 10.180.4.4 10.236.214.218 vrf vrf1 redundancy 1 mapping-id 11 match-in-vrf stateless)| Establishes static translation between an inside local address and an inside global address. The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF. The Stateless keyword does not create the flow entries for static mapping.
Step 4| ip nat inside source static local-ip global-ip [vrf vrf-name [redundancy group name match-in-vrf ]]] stateless (Example: Router(config)# ip nat outside source static 10.180.4.8 10.240.214.220 vrf vrf1 redundancy 1 mapping-id 10 match-in-vrf stateless)| Establishes static translation between an inside local address and an inside global address. The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF. The Stateless keyword does not create the flow entries for static mapping.
Step 5| exit (Example: Router(config-if)# exit)| Exits interface configuration mode and returns to global configuration mode.
Step 6| end (Example: Router(config-if)# end)| Exits interface configuration mode and returns to privileged EXEC mode.

Example: Configuring Stateless Static NAT

Stateless Static NAT
The following example shows how to configure a stateless static inside and outside NAT translation between the local IP address 10.1.1.1 and the global IP address 100.1.1.1. The Stateless keyword does not create the flow entries for static mapping.

  • Router# configure terminal
  • Router(config)# ip nat inside source static 10.1.1.1 100.1.1.1 stateless
  • Router(config)# ip nat outside source static 100.1.1.1 10.1.1.1 stateless

Stateless Static NAT with Port Forwarding
The following example shows how to configure a stateless static NAT port forwarding translation between the local IP address 10.1.1.1 and the global IP address 100.1.1.1. The Stateless keyword does not create the flow entries for static mapping.

  • Router# configure terminal
  • Router(config)# ip nat inside source static tcp 10.1.1.1 80 100.11.1.1 8080 extendable stateless
  • Router(config)# ip nat outside source static tcp 100.1.1.1 8080 10.1.1.1 80 extendable stateless

Stateless Static NAT Network
The following example shows how to configure a stateless static NAT network between an inside local network and an inside global network. The Stateless keyword does not create the flow entries for static mapping.

  • Router# configure terminal
  • Router(config)# ip nat inside source static network 10.0.0.0 100.1.1.0 /24 stateless
  • Router(config)# ip nat outside source static network 100.0.0.0 10.1.1.0 /24 stateless

Static Stateless NAT with VRF
The following example shows how to configure a stateless static NAT translation between the local IP address 10.1.1.1 and the global IP address 100.1.1.1. The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF. The Stateless keyword does not create the flow entries for static mapping.

  • Router# configure terminal
  • Router(config)# ip nat inside source static 10.1.1.1 100.11.1.1 vrf vrf1 match-in-vrf stateless
  • Router(config)# ip nat outside source static 100.1.1.1 10.1.1.1 vrf vrf1 match-in-vrf stateless
  • Router(config)# end

Static Stateless NAT with Static Stateless Static NAT Port Forwarding
The following example shows how to configure a stateless static NAT translation between the local IP address 10.1.1.1 and the global IP address 100.1.1.1. The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF. The Stateless keyword does not create the flow entries for static mapping.

  • Router# configure terminal
  • Router(config)# ip nat inside source static tcp 10.1.1.1 80 100.11.1.1 8080 vrf 1 match-in-vrf extendable stateless
  • Router(config)# ip nat outside source static tcp 100.1.1.1 8080 10.1.1.1 80 vrf 1 match-in-vrf extendable stateless
  • Router(config)# end

Static Stateful NAT with Static Stateless NAT in Device-to-Device HA
The following example shows how to configure a static stateful NAT with a static stateless NAT matching the flow, with device-to-device redundancy enabled.

  • Router# configure terminal
  • ip nat inside source static 10.180.4.4 10.236.214.218 vrf vrf1 redundancy 1 mapping-id 11 match-in-vrf stateless
  • ip nat outside source static 10.180.4.8 10.240.214.220 vrf vrf1 redundancy 1 mapping-id 10
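A pre-change check for the restrictions and Table 1 above, as an added example (not Cisco code): it parses a candidate configuration, lists which static mappings are stateless, flags the route-map and CGN restrictions, and returns the Table 1 flow-creation outcome for a pair of mappings. The sample configuration is constructed; the function names, the `ip nat settings mode cgn` line used to detect CGN mode, and treating the two mappings in Table 1 as order-independent are assumptions.

```python
import re

# Constructed candidate configuration for the check (not from a real device).
SAMPLE_CONFIG = """\
ip nat inside source static 10.1.1.1 100.1.1.1 stateless
ip nat outside source static tcp 100.1.1.1 8080 10.1.1.1 80 extendable stateless
ip nat inside source static 10.180.4.4 10.236.214.218 vrf vrf1 redundancy 1 mapping-id 11 match-in-vrf stateless
ip nat outside source static 10.180.4.8 10.240.214.220 vrf vrf1 redundancy 1 mapping-id 10
ip nat inside source static 10.2.2.2 100.2.2.2 route-map RM1 stateless
ip nat settings mode cgn
"""

STATIC_RE = re.compile(r"^ip nat (inside|outside) source static\s+(.+)$", re.I)


def parse_static_mappings(config):
    """Return one record per static NAT line in the configuration text."""
    mappings = []
    for raw in config.splitlines():
        line = raw.strip()
        match = STATIC_RE.match(line)
        if not match:
            continue
        tokens = match.group(2).lower().split()
        mappings.append({
            "line": line,
            "direction": match.group(1).lower(),
            "stateless": "stateless" in tokens,
            "redundancy": "redundancy" in tokens,
            "route_map": "route-map" in tokens,
        })
    return mappings


def check_restrictions(config):
    """Flag stateless mappings that conflict with the page's restrictions."""
    mappings = parse_static_mappings(config)
    findings = [("route-map", m["line"]) for m in mappings
                if m["stateless"] and m["route_map"]]
    # Assumption: CGN mode appears as this line in the configuration.
    cgn = any(l.strip().lower() == "ip nat settings mode cgn"
              for l in config.splitlines())
    if cgn and any(m["stateless"] for m in mappings):
        findings.append(("cgn-mode", "ip nat settings mode cgn"))
    return findings


def flow_creation(m1_stateless, m2_stateless, redundancy):
    """Table 1 outcome when one flow matches two static mappings."""
    if not (m1_stateless or m2_stateless):
        raise ValueError("Table 1 covers only pairs with a stateless mapping")
    both = m1_stateless and m2_stateless  # order treated as symmetric (assumption)
    if redundancy:
        return ("Not on both active and standby" if both
                else "On both active and standby")
    return "No" if both else "Yes"


if __name__ == "__main__":
    for m in parse_static_mappings(SAMPLE_CONFIG):
        kind = "stateless (no session entry)" if m["stateless"] else "stateful"
        print(f"{m['direction']:8} {kind:30} {m['line']}")
    for rule, line in check_restrictions(SAMPLE_CONFIG):
        print(f"RESTRICTION {rule}: {line}")
```

The stateless inventory is the part worth keeping in a change review: those mappings create no session entries, so the translation table will not show flows for them.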

Feature Information for Stateless Static NAT

Table 2: Feature Information for Stateless Static NAT

Feature Name| Releases| Feature Information
---|---|---
Stateless Static NAT| Cisco IOS XE Bengaluru 17.4| A new keyword stateless is introduced for IOS XE static NAT configuration.
