Configuring Static and Dynamic NAT Translation
• Legitimate IP address—An address that is assigned by the Network Information Center (NIC) or service provider.
• Inside local address—The IP address assigned to a host on the inside network. This address does not need to be a legitimate IP address.
• Outside local address—The IP address of an outside host as it appears to the inside network. It does not have to be a legitimate address, because it is allocated from an address space that can be routed on the inside network.
• Inside global address—A legitimate IP address that represents one or more inside local IP addresses to the outside world.
• Outside global address—The IP address that the host owner assigns to a host on the outside network. The address is a legitimate address that is allocated from an address or network space that can be routed.
Dynamic NAT Overview
Dynamic Network Address Translation (NAT) translates a group of real IP addresses into mapped IP addresses that are routable on a destination network. Dynamic NAT establishes a one-to-one mapping between unregistered and registered IP addresses; however, the mapping can vary depending on which registered IP address is available at the time of communication.
A dynamic NAT configuration automatically creates a firewall between your internal network and outside
networks or the Internet. Dynamic NAT allows only connections that originate inside the stub domain—a
device on an external network cannot connect to devices in your network, unless your device has initiated the
contact.
Dynamic NAT translations do not exist in the NAT translation table until a device receives traffic that requires translation. Dynamic translations are cleared or timed out when not in use to make space for new entries. Usually, NAT translation entries are cleared when free ternary content addressable memory (TCAM) entries run low. The default minimum timeout for dynamic NAT translations is 30 minutes. The minimum value of the sampling-timeout in the ip nat translation sampling-timeout command was reduced from 30 minutes to 15 minutes.
Timeout of a dynamic NAT translation involves both the sampling-timeout value and the TCP or UDP timeout value. The sampling-timeout specifies the time after which the device checks for dynamic translation activity. It has a default value of 12 hours. All the other timeouts start only after the sampling-timeout expires. After the sampling-timeout, the device inspects the packets that are hitting this translation. The checking continues for the TCP or UDP timeout period. If there are no packets during the TCP or UDP timeout period, the translation is cleared. If activity is detected on the translation, the checking stops immediately and a new sampling-timeout period begins.
After waiting for this new sampling-timeout period, the device checks for dynamic translation activity again. During an activity check the TCAM sends a copy of each packet that matches the dynamic NAT translation to the CPU. If Control Plane Policing (CoPP) is configured with a low threshold, the TCP or UDP packets might not reach the CPU, and the CPU then treats the NAT translation as inactive.
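The two-phase aging described above (a sampling window during which no checking happens, followed by an inspection window of one TCP or UDP timeout) is easy to misread, so here is an added simulation that is not Cisco's code and not taken from the guide. It models a single translation and computes when it would be cleared; the timeout values and the packet timeline are constructed, and packets dropped by CoPP before reaching the CPU are modelled as never having been seen, which is exactly why a low CoPP threshold can age out a live translation.

```python
"""Simulate dynamic NAT translation aging (added illustration, not NX-OS code)."""
from dataclasses import dataclass


@dataclass
class AgingParams:
    sampling_timeout: int  # seconds; guide: default 12 hours, minimum 15 minutes
    proto_timeout: int     # TCP or UDP timeout in seconds (value assumed here)


def translation_cleared_at(packets, params):
    """Return the time (seconds after creation) at which the translation is cleared.

    packets: iterable of (timestamp, reached_cpu). Only packets whose copy
    actually reached the CPU count as activity; CoPP drops are inactivity.
    """
    seen = sorted(ts for ts, reached_cpu in packets if reached_cpu)
    i = 0
    t = 0  # translation created at t = 0
    while True:
        # Phase 1: sampling window. Traffic is forwarded but not inspected.
        t += params.sampling_timeout
        while i < len(seen) and seen[i] < t:
            i += 1  # packets inside the sampling window are never checked
        # Phase 2: inspect for one TCP/UDP timeout period.
        deadline = t + params.proto_timeout
        if i < len(seen) and seen[i] <= deadline:
            # Activity detected: stop checking, new sampling window starts now.
            t = seen[i]
            i += 1
            continue
        return deadline  # no packet during the inspection window


if __name__ == "__main__":
    params = AgingParams(sampling_timeout=900, proto_timeout=300)
    # Constructed timeline: packets at 100 s, 1000 s and 5000 s.
    flow = [(100, True), (1000, True), (5000, True)]
    print("all packets reach CPU ->", translation_cleared_at(flow, params))
    # Same flow, but CoPP drops the copy of the 1000 s packet.
    copp = [(100, True), (1000, False), (5000, True)]
    print("CoPP drops one copy  ->", translation_cleared_at(copp, params))
```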
Dynamic NAT supports Port Address Translation (PAT) and access control lists (ACLs). PAT, also known as overloading, is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Your NAT configuration can have multiple dynamic NAT translations with the same or different ACLs. However, for a given ACL, only one interface can be specified.
Cisco Nexus 3548 Switch NX-OS Interfaces Configuration Guide, Release 9x