NAT/PAT Explained

Contents

NAT/PAT Explained on Cisco Router
  What do you mean by NAT/PAT
    Types of NAT
      Static NAT
      Dynamic NAT
      Static PAT
    Advantages of using NAT/PAT
      IPv4 Address Conservation
      Security
      Flexibility
    Order of Operation on a Cisco Router
      Inside-to-Outside
      Outside-to-Inside
    What is DNAT
    What is SNAT
    Terminology Used
      Inside Local
      Inside Global
      Outside Local
      Outside Global
  NAT Deployment Scenarios
    NAT Virtual Interface or NVI
    NAT on a stick or hair-pinning
    NAT with MPLS VPN or VRF-Aware NAT
    NAT with IP Multicast
    NAT Box-to-Box High-Availability or SNAT
    NAT using Application Layer Gateways (ALG)
    NAT Port Translation (NAT-PT)
    NAT in Overlapping Networks
    NAT for TCP Load Distribution
    NAT with HSRP
    NAT using Route Map
    NAT with IPSec VPN
    NAT with Rotary
NAT/PAT on Cisco ASA
  NAT in Routed Mode
  NAT in Transparent Mode
  NAT with Context Mode - Shared Interface using NAT
  Difference between NAT on 8.2 and 8.3+
    Upgrade from 8.2 to 8.4
  NAT Order of Operation on 8.2 and 8.3+
  What is Network Object NAT
  What is Twice NAT
  Types of NAT
    NAT Control
    NAT Exemptions
      Configuration on 8.2
      Configuration on 8.4
    Identity NAT
      Configuration on 8.2
      Configuration on 8.4
    Static NAT
      Configuration on 8.2
      Configuration on 8.4
    Static PAT
      Configuration on 8.2
      Configuration on 8.4
    Dynamic NAT
      Configuration on 8.2
      Configuration on 8.4
    Dynamic PAT
      Configuration on 8.2
      Configuration on 8.4
    Dynamic Policy NAT
      Configuration on 8.2
      Configuration on 8.4
  Troubleshooting NAT on ASA
NAT/PAT on Nexus Switches
  NAT support on Nexus Switches
  ITD support for SLB NAT on Nexus Switches
  Configuration on Nexus Switches for NAT Support
NAT/PAT Explained on Router
What do you mean by NAT/PAT
Network address translation (NAT) is a method of remapping one IP address space into another by modifying the network address information in IP datagram headers while the packets are in transit across a traffic-routing device. PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port.
Types of NAT
Static NAT
Static address translation (static NAT) allows a one-to-one mapping between local and global addresses. It is bidirectional in nature: hosts on either side can initiate traffic.
For static inside NAT, routing is checked first and only then is the packet translated.
For static outside NAT, translation is done first and then routing is checked.
Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on
the destination network. The mapped pool may include fewer addresses than the real group. With
dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires
translation. Dynamic translations have a timeout period after which they are purged from the
translation table.
PAT or Port Address Translation
PAT (or overloading) is a feature of Cisco IOS NAT that translates internal (inside local) private addresses to one or more outside (inside global, usually registered) IP addresses. Unique source port numbers on each translation are used to distinguish between the conversations. PAT assigns a unique source port for each UDP or TCP session. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used.
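To make the dynamic NAT and PAT behaviour described above concrete (on-demand creation of translations, purging after an idle timeout, and PAT port selection by range), here is a small Python model written for this page. It is an added example, not code from the original document and not Cisco's implementation; it assumes nothing about real IOS internals. The pool addresses, hosts, ports and idle timeout are constructed sample values, and searching upward from the bottom of a port range when the real port is already taken is an assumption of this model, since the text only says that a port from the same range is used.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port ranges that PAT keeps separate when it must pick a new mapped port (from the text above).
PORT_RANGES = ((0, 511), (512, 1023), (1024, 65535))


def port_range(port: int) -> Tuple[int, int]:
    """Return the (low, high) PAT range that contains the given port."""
    for low, high in PORT_RANGES:
        if low <= port <= high:
            return low, high
    raise ValueError(f"port out of range: {port}")


@dataclass
class Xlate:
    """One translation-table entry: inside local -> inside global."""
    inside_local: Tuple[str, int]
    inside_global: Tuple[str, int]
    proto: str
    last_used: float


class NatTranslator:
    """Inside-to-outside translator in one of two modes:
    - dynamic NAT: one pool address per inside host, port left unchanged
    - PAT (overload): every host shares pool[0], distinguished by source port
    Entries are created on first use and purged after `timeout` idle seconds.
    """

    def __init__(self, pool: List[str], timeout: float = 60.0, overload: bool = False):
        self.free_addrs = list(pool)       # inside global addresses not yet handed out
        self.global_addr = pool[0]         # the single address PAT overloads
        self.timeout = timeout
        self.overload = overload
        self.table: Dict[tuple, Xlate] = {}
        self.used_ports: set = set()       # (proto, mapped port) currently taken by PAT

    def purge(self, now: float) -> int:
        """Drop entries idle longer than the timeout; return how many were purged."""
        stale = [k for k, x in self.table.items() if now - x.last_used > self.timeout]
        for k in stale:
            x = self.table.pop(k)
            if self.overload:
                self.used_ports.discard((x.proto, x.inside_global[1]))
            else:
                self.free_addrs.append(x.inside_global[0])
        return len(stale)

    def _pick_port(self, proto: str, real_port: int) -> Optional[int]:
        """Keep the real port if free, else the first free port in the same range
        (upward search from the bottom of the range, skipping port 0: an assumption)."""
        if (proto, real_port) not in self.used_ports:
            return real_port
        low, high = port_range(real_port)
        for p in range(max(low, 1), high + 1):
            if (proto, p) not in self.used_ports:
                return p
        return None  # that range of the PAT pool is exhausted

    def translate(self, proto: str, local_ip: str, local_port: int,
                  now: float) -> Optional[Tuple[str, int]]:
        """Return (inside global IP, port) for a packet, or None if nothing can be allocated."""
        self.purge(now)
        key = (proto, local_ip, local_port) if self.overload else (local_ip,)
        x = self.table.get(key)
        if x is not None:
            x.last_used = now
            return x.inside_global if self.overload else (x.inside_global[0], local_port)
        if self.overload:
            port = self._pick_port(proto, local_port)
            if port is None:
                return None
            self.used_ports.add((proto, port))
            mapped = (self.global_addr, port)
        else:
            if not self.free_addrs:
                return None  # dynamic pool exhausted: the packet gets no translation
            mapped = (self.free_addrs.pop(0), local_port)
        self.table[key] = Xlate((local_ip, local_port), mapped, proto, now)
        return mapped
```

Running 512 hosts through the PAT mode with source port 123 shows the failure mode the text warns about: only the 0 to 511 range is available, so the 512th host receives no translation even though the 1024 to 65535 range is untouched.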
Advantages of using NAT/PAT
IP address conservation - conserves scarce public IPv4 addresses.
Security - the inside (real) addresses always stay hidden from the outside world.
Flexibility - it gives a great deal of freedom when assigning the internal addressing scheme.
Order of Operation on a Cisco Router
Reference - http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html
Note that the position of NAT differs by direction: inside-to-outside traffic is routed first and then translated, while outside-to-inside traffic is translated first and then routed.

Inside-to-Outside                                   | Outside-to-Inside
----------------------------------------------------|----------------------------------------------------
If IPSec then check input access list               | If IPSec then check input access list
Decryption - for CET or IPSec                       | Decryption - for CET or IPSec
Check input access list                             | Check input access list
Check input rate limits                             | Check input rate limits
Input accounting                                    | Input accounting
Redirect to web cache                               | Redirect to web cache
Policy routing                                      | NAT outside to inside (global to local translation)
Routing                                             | Policy routing
NAT inside to outside (local to global translation) | Routing
Crypto (check map and mark for encryption)          | Crypto (check map and mark for encryption)
Check output access list                            | Check output access list
Inspect (Context-based Access Control (CBAC))       | Inspect (CBAC)
TCP intercept                                       | TCP intercept
Encryption                                          | Encryption
Queueing                                            | Queueing
What is DNAT
Destination network address translation (DNAT) is a technique for transparently changing the destination IP address of a packet en route and performing the inverse function for any replies. Any router situated between the two endpoints can perform this transformation of the packet. DNAT is commonly used to publish a service located in a private network on a publicly accessible IP address. This use of DNAT is also called port forwarding, or DMZ when applied to an entire server, which then becomes exposed to the WAN, analogous to an undefended military demilitarized zone (DMZ).
What is SNAT
Stateful NAT (SNAT) allows two or more network address translators to function as a translation group.
One member of the translation group handles traffic requiring translation of IP address information.
Additionally, it informs the backup translator of active flows as they occur.
Terminology used
Inside Local - the configured IP address assigned to a host on the inside network.
Inside Global - the IP address of an inside host as it appears to the outside network (the "translated IP address").
Outside Global - the IP address of an outside host as it appears to the inside network.
Outside Local - the configured IP address assigned to a host in the outside network.
NAT Deployment Scenarios
NAT Virtual Interface or NVI
With the NAT Virtual Interface (NVI) feature, the legacy "inside" and "outside" interface designations are no longer needed, nor is a static route for the "ip nat inside source" command. Instead, NAT is simply enabled on the interface, which makes it an NVI.
More on this - http://blog.ine.com/2008/02/15/the-inside-and-outside-of-nat/
NAT on a stick or NAT Hair-pinning
What do we mean by Network Address Translation (NAT) on a stick? The term "on a stick" usually implies the use of a single physical interface of a router for a task. Just as we can use subinterfaces of the same physical interface to perform Inter-Switch Link (ISL) trunking, we can use a single physical interface on a router to accomplish NAT. The need for NAT on a stick is rare.
Example - NAT on a stick is used when the router has only one physical interface and translation is still required, for example within the internal network.
More on this - https://networklessons.com/network-services/cisco-ios-nat-stick-configuration-example/
NAT with MPLS VPNs or VRF-aware NAT
The Network Address Translation (NAT) Integration with MPLS VPNs feature allows multiple Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) to be configured on a single device to work together. NAT can differentiate which MPLS VPN it receives IP traffic from even if the MPLS VPNs are all using the same IP addressing scheme. This enhancement enables multiple MPLS VPN customers to share services while ensuring that each MPLS VPN is completely separate from the others. MPLS service providers would like to provide value-added services such as Internet connectivity, domain name servers (DNS), and voice over IP (VoIP) service to their customers. The providers require that their customers' IP addresses be different when reaching the services. Because MPLS VPN allows customers to use overlapping IP addresses in their networks, NAT must be implemented to make the services possible.
The Match-in-VRF Support for NAT feature extends VRF-aware NAT by supporting intra-VPN NAT capability. In intra-VPN NAT, both the local and global address spaces for end hosts are isolated to their respective VPNs, and as a result the translated addresses for hosts overlap each other. To separate the address space for translated addresses among VPNs, configure the match-in-vrf keyword in the NAT mapping (ip nat inside source command) configuration. Both static and dynamic NAT configurations support the match-in-vrf keyword.
Example - Consider that you are an ISP providing various services to different customers. Two of your customers use the same internal network range (192.168.10.0/24) and are in different VRFs. Everything is fine until both of them request access to a shared service provided by the ISP. How do you keep the two customers apart while they access the shared service? The solution is NAT with MPLS VPNs, so that both use NATted (distinct) addresses when accessing the shared service.
More on this - http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/12-4/nat-12-4-book/iadnat-mpls-vpn.html
NAT with IP Multicast
The IP Multicast Dynamic Network Address Translation (NAT) feature supports source address translation of multicast packets. You can use source address translation when you want to connect to the Internet but not all your hosts have globally unique IP addresses. NAT translates the inside local addresses to globally unique IP addresses before sending packets to the outside network. IP multicast dynamic translation establishes a one-to-one mapping between an inside local address and one of the addresses from the pool of outside global addresses.
Example - A user (source 192.168.10.1) wants to send multicast traffic over the internet. The NAT device in the path changes the source address 192.168.10.1 to a public IP from the pool (for example 224.1.1.10); the destination remains the same.
More on this - http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-2/nat-xe-2-book/iadnat-multicast-dynamic.html
NAT Box-to-Box High-Availability or SNAT
SNAT involves two or more routers performing the NAT function as a group. These NAT routers exchange the contents of their NAT translation databases with each other. Whenever a new NAT connection occurs via one of the NAT routers, that router relays the information to the others in the SNAT group. These routers are not just exchanging the IP addresses of the NAT IP flows; they are also exchanging the TCP state of those flows. The standby routers have therefore already built the NAT translation table and are waiting for a failure on the active router. Without this feature, only sessions that are statically defined receive the benefit of redundancy: in the absence of SNAT, sessions that use dynamic NAT mappings would be severed in the event of a critical failure and would have to be re-established.
Note - Cisco has announced the end-of-sale and end-of-life dates for Cisco IOS Stateful Failover of Network Address Translation (SNAT). The recommended replacement for the Cisco IOS SNAT feature is the Cisco ASA Adaptive Security Appliance, beginning with release 7.0.
Example - You have high availability configured between two routers and want the NAT state to propagate to the standby device in case the primary device fails.
More on this - http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-b2b-ha.html
NAT using Application Layer Gateways (ALG)
NAT performs translation on any TCP/UDP traffic that does not carry source and destination IP addresses in the application data stream. Protocols that do not carry the source and destination IP addresses include HTTP, TFTP, telnet, archie, finger, Network Time Protocol (NTP), Network File System (NFS), remote login (rlogin), remote shell (rsh) protocol, and remote copy (rcp). Protocols that embed IP address information within the payload require the support of an ALG. For example, an ALG is used with NAT to translate SIP or SDP messages: the NAT Support for SIP feature allows the addresses embedded in SIP messages passing through a router configured with NAT to be translated and encoded back into the packet.
Example - When you are using protocols like SIP, SCCP, RTSP, IP multicast, MPLS VPN (VRF-aware NAT), PPTP support, or IPSec ESP tunnel mode in a PAT configuration.
More on this - http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/nat-xe-3s-asr1k-book/iadnat-applvlgw.html
NAT-PT or NAT Port Translation
Network Address Translation - Port Translation (NAT-PT) is a migration tool that helps customers transition their IPv4 networks to IPv6 networks. NAT-PT allows direct communication between IPv6-only networks and IPv4-only networks.
Example - When you want to connect a completely IPv4 network to a completely IPv6 network.
More on this - http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/113275-nat-ptv6.html
NAT in Overlapping Networks
The solution involves intercepting Domain Name System (DNS) name-query responses from the outside to the inside, setting up a translation for the outside address, and fixing up the DNS response before forwarding it to the inside host. A DNS server must be involved on both sides of the NAT device to resolve names for users who need connectivity between the two networks. This is called overlapping NAT or Twice NAT.
Example - Assume Company A was assigned a block of IP addresses years ago and that block has now been re-assigned to Company B. Company A does not want to renumber its whole network and would like to keep using the same range as Company B. Now what if a Company A user wants to access a server on Company B's network? A DNS request is generated, and the device will see that the returned IP address is local to Company A. To solve this, we must translate both the source and the destination address.
More on this - http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13774-3.html
NAT for TCP Load Distribution
By using Network Address Translation (NAT), you can establish a virtual host on the inside network that coordinates load sharing among real hosts. Destination addresses that match an access list are replaced with addresses from a rotary pool. Allocation is done on a round-robin basis, and only when a new connection is opened from the outside to the inside of the network.
Example - You have a couple of web servers and want to load-balance traffic between them, but do not want to spend a fortune on dedicated load balancers.
More on this - http://gns3vault.com/network-services/nat-tcp-load-balancing/
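To show the two properties stated above, a round-robin choice for each new outside-to-inside connection and an existing connection staying with the server it was assigned, here is a small Python model added for this page (it is not the router's code and not from the original document). Addresses are constructed documentation-range values, and a packet is represented by its client IP and port, destination IP and port, and whether it is a TCP SYN.

```python
import itertools
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


class RotaryNat:
    """Outside-to-inside destination rewriting for a virtual host backed by a
    rotary pool of real servers. A new TCP connection (a SYN with no existing
    state) takes the next server in round-robin order; later packets of the
    same connection keep the server they were assigned."""

    def __init__(self, virtual_ip: str, real_servers: List[str], port: int = 80):
        self.virtual: Endpoint = (virtual_ip, port)
        self.rotary = itertools.cycle(real_servers)   # round-robin allocator over the pool
        self.conns: Dict[Endpoint, str] = {}           # (client ip, client port) -> real server

    def outside_to_inside(self, client_ip: str, client_port: int,
                          dst_ip: str, dst_port: int, syn: bool) -> Optional[Endpoint]:
        """Return the packet's destination after translation.
        Destinations other than the virtual host pass through unchanged; a
        mid-connection packet with no translation state returns None (dropped)."""
        if (dst_ip, dst_port) != self.virtual:
            return (dst_ip, dst_port)
        key = (client_ip, client_port)
        if syn and key not in self.conns:
            self.conns[key] = next(self.rotary)       # allocate only on a new connection
        server = self.conns.get(key)
        if server is None:
            return None
        return (server, dst_port)

    def close(self, client_ip: str, client_port: int) -> None:
        """Remove the per-connection entry once the TCP session has finished."""
        self.conns.pop((client_ip, client_port), None)
```

Because state is keyed on the client's address and port, a retransmitted SYN from the same client does not advance the rotary, and a non-SYN packet that arrives with no state is refused rather than sent to an arbitrary server.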
NAT with HSRP
NAT with HSRP differs from SNAT (Stateful NAT): it is a stateless system, so current sessions are not maintained when a failure takes place. With static NAT configured, a packet that does not match any static rule is forwarded without any translation.
Example - When you have HSRP configured between two devices.
More on this - http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/nat-xe-3s-asr1k-book/iadnat-ha.html
NAT using Route-Maps
The advantage of using route maps is that under the match command you have more options than just the source IP address. For example, under the route map, match interface or match ip next-hop can be specified. By using route maps, you can specify the IP address as well as the interface or the next-hop address to which the packet is to be forwarded.
Example - Route maps with NAT are therefore used in scenarios where the subscriber is multihomed to different ISPs.
More on this - http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html
NAT with IPSec VPN
The IPSec ESP through NAT feature provides the ability to support multiple concurrent IPSec ESP tunnels
or connections through a Cisco IOS NAT device configured in overload or Port Address Translation (PAT)
mode. The IPSec NAT transparency feature introduces support for IPSec traffic to travel through NAT or
PAT points in the network by addressing many known incompatibilities between NAT and IPSec.
NAT/PAT on Cisco ASA
NAT in Routed Mode
When the ASA receives a packet for a new session, it first checks the configured security policy. Then the ASA translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet. The ASA then records the session and forwards the packet out of the outside interface.
NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform NAT for their networks. Because the transparent firewall does not have any interface IP addresses, you cannot use interface PAT. When the ASA runs in transparent mode, the outgoing interface of a packet is determined by a MAC address lookup instead of a route lookup. However, for NAT-enabled traffic to a real host that is at least one hop away from the ASA, the ASA must perform a route lookup to find the next-hop gateway, so you need to add a static route on the ASA for the real host address.
NAT with Context Mode - Shared Interface using NAT
Each packet that enters the ASA must be classified so that the ASA can determine which context to send it to. If you share an interface but do not have unique MAC addresses for the interface in each context, the destination IP address is used to classify packets: the destination address is matched against each context's NAT configuration.
Difference between NAT on 8.2 and 8.3+
The main difference between NAT in 8.2 and 8.4 is the command set. With the introduction of network objects, the configuration differs between 8.2 and 8.4. Network object NAT is a quick and easy way to configure NAT for a single IP address, a range of addresses, or a subnet. When a packet enters the ASA, both the source and destination IP addresses are checked against the network object NAT rules. In addition, 8.3 and later no longer support the nat-control command.
NAT Order of Operation on 8.2 and 8.3+
From 8.3 onward, the NAT configuration is divided into three sections (Section 1, 2 and 3).

NAT operation in ASA 8.2 and earlier (rules are evaluated in this order):
  1. NAT exemption
  2. Static NAT, static policy NAT, static PAT, static identity NAT
  3. Policy dynamic NAT, NAT with overlapping addresses
  4. Regular dynamic NAT, regular identity NAT

NAT operation in ASA 8.3+ (rules are grouped into sections):
  Section 1 - Twice NAT rules are inserted here by default
  Section 2 - Network object NAT rules are always inserted here
  Section 3 - Twice NAT rules configured with the "after-auto" parameter are moved here
Network Object NAT
All NAT rules that are configured as a parameter of a network object are considered to be network
object NAT rules.
Twice NAT
Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the
source and destination addresses lets you specify that a source address should be translated to A when
going to destination X, but be translated to B when going to destination Y. The destination address is
optional. If you specify the destination address, you can either map it to itself (identity NAT), or you can
map it to a different address. The destination mapping is always a static mapping. Twice NAT also lets
you use service objects for static NAT-with-port-translation. By default, the rule is added to the end of
section 1 of the NAT table (Version 8.3 +).
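As an added illustration of the Section 1/2/3 evaluation order and of twice NAT versus network object NAT described above, the Python model below builds a NAT table the way 8.3+ does: manual (twice) NAT rules go to the end of Section 1 unless configured after-auto, in which case they go to Section 3; network object NAT rules go to Section 2; lookup is first match, top down, and later sections are never consulted once a rule matches. It also shows why a network object NAT rule cannot carry a destination condition. This is example code written for this page, not Cisco's and not the ASA's actual implementation; the automatic ordering applied within Section 2 (static rules before dynamic, then fewer real addresses first) is my understanding of the ASA behaviour and is not stated on this page, and the rule names and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


@dataclass
class NatRule:
    """One NAT rule: which real source it matches, what it maps it to,
    and (for twice NAT only) which destination it applies to."""
    name: str
    real_src: Net
    mapped_src: str              # mapped address, network, or "interface"
    static: bool
    dst: Optional[Net] = None    # destination condition; None means any
    section: int = 2             # filled in when the rule is added to the table

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in self.real_src and (self.dst is None or dst in self.dst)


class AsaNatTable:
    """Model of the 8.3+ NAT table: three sections, first match wins."""

    def __init__(self) -> None:
        self.sections: Dict[int, List[NatRule]] = {1: [], 2: [], 3: []}

    def add_twice_nat(self, rule: NatRule, after_auto: bool = False) -> None:
        """Manual (twice) NAT: end of Section 1, or Section 3 with after-auto."""
        rule.section = 3 if after_auto else 1
        self.sections[rule.section].append(rule)   # manual rules keep configured order

    def add_object_nat(self, rule: NatRule) -> None:
        """Network object NAT: always Section 2, which is ordered automatically."""
        if rule.dst is not None:
            raise ValueError("network object NAT cannot match on the destination address")
        rule.section = 2
        self.sections[2].append(rule)
        # Assumed Section 2 ordering: static before dynamic, then fewer real
        # addresses first (sort is stable, so ties keep configuration order).
        self.sections[2].sort(key=lambda r: (not r.static, r.real_src.num_addresses))

    def lookup(self, src: str, dst: str) -> Optional[NatRule]:
        """Return the first rule that matches, walking Section 1, then 2, then 3."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for section in (1, 2, 3):
            for rule in self.sections[section]:
                if rule.matches(s, d):
                    return rule   # no further NAT rules are checked
        return None


def build_sample_table() -> AsaNatTable:
    """Constructed sample: an object PAT for the inside network configured first,
    a static object NAT for one server, a twice NAT VPN exemption, and an
    after-auto catch-all."""
    t = AsaNatTable()
    t.add_object_nat(NatRule("INSIDE_PAT", Net("10.1.0.0/16"), "interface", static=False))
    t.add_object_nat(NatRule("WEB_STATIC", Net("10.1.2.10/32"), "209.165.201.10", static=True))
    t.add_twice_nat(NatRule("VPN_EXEMPT", Net("10.1.0.0/16"), "10.1.0.0/16",
                            static=True, dst=Net("192.168.2.0/24")))
    t.add_twice_nat(NatRule("CATCH_ALL", Net("10.0.0.0/8"), "203.0.113.5", static=False),
                    after_auto=True)
    return t
```

The VPN exemption wins for traffic towards 192.168.2.0/24 even though the object PAT for the same source was configured earlier, because Section 1 is evaluated before Section 2; conversely the catch-all in Section 3 is only reached by sources no Section 1 or 2 rule covers.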
New Features for ASA Version 9.0+ (NAT updates)
New Features for ASA Version 9.5(1)
Carrier Grade NAT enhancements - for carrier-grade or large-scale PAT, you can allocate a block of ports for each host rather than have NAT allocate one port translation at a time (see RFC 6888).
New Features for ASA Version 9.1(2)
Support for the ASA CX module and NAT64.
New Features for ASA Version 9.0(1)
NAT support for reverse DNS lookups - NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for the NAT rule.
NAT support for IPv6 - NAT now supports IPv6 traffic, as well as translating between IPv4 and IPv6 (NAT64). Translating between IPv4 and IPv6 is not supported in transparent mode.
Types of NAT
NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a
NAT rule; for any host on the inside network to access a host on the outside network, you must
configure NAT to translate the inside host address. Interfaces at the same security level are not required
to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security
interface, then all traffic from the interface to a same security interface or an outside interface must
match a NAT rule. Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must
match a NAT rule when it accesses an inside interface. NAT control does not affect static NAT and does
not cause the restrictions seen with dynamic NAT. If you want the added security of NAT control but do
not want to translate inside addresses in some cases, you can apply a NAT exemption or identity NAT
rule on those addresses.
NAT Control 8.2
hostname(config)# nat-control
NAT Control 8.4
There is no nat-control concept in 8.4
NAT Exemption - NAT exemption exempts addresses from translation and allows both translated and remote hosts to initiate connections.
NAT Exemption - (8.2)
access-list nonat permit ip host 1.1.1.1 host 2.2.2.2
nat (inside) 0 access-list nonat
This tells the ASA that the host is exempted from NAT. It is similar to identity NAT but allows outside-to-inside initiation, and is typically used to remove a particular traffic flow from translation.
Example - LAN-to-LAN IPsec VPN with simultaneous internet access.
NAT Exemption - (8.4)
8.4 has no nat-control concept, so NAT exemption is configured as Twice NAT instead.
Identity NAT - Identity NAT is similar to dynamic NAT in that translation for a host is not limited to specific interfaces. With identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for that functionality.
Identity NAT (8.2)
# static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255
Used to translate an address to itself; only needed when nat-control is on.
Identity NAT (8.4)
# object network HOST
#  host 10.1.1.1
#  nat (inside,outside) static 10.1.1.1
Static NAT - a consistent mapping between a real and a mapped IP address. Allows bidirectional traffic initiation.
Static NAT - (8.2)
# static (dmz,outside) 209.165.201.28 192.168.1.23 netmask 255.255.255.255
Permanent one-to-one translation of the public address 209.165.201.28 to the private host 192.168.1.23 (the keyword is netmask, and a single-host mapping uses a /32 mask). Allows an outside host to initiate a connection to the inside.
Static NAT - (8.4)
# object network DMZ_Network
#  host 192.168.1.23
#  nat (dmz,outside) static 209.165.201.28
# access-list outside_in permit ip any host 192.168.1.23
# access-group outside_in in interface outside
On 8.3+ the access list references the real IP (192.168.1.23), not the mapped one.
New in 8.4, you can specify the translation for an object between multiple interfaces in a single line. If we want the ASA to perform address translation for our DMZ server on any mapped interface, we can use the "any" keyword in the command:
# object network DMZ_Server
#  nat (dmz,any) static 209.165.201.28
Static PAT - PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port.
Static PAT - (8.2)
# static (dmz,outside) tcp 10.10.10.10 2121 192.168.1.25 21
The mapped IP and port come first, then the real IP and port: outside clients connect to 10.10.10.10 port 2121 and reach the FTP server 192.168.1.25 on port 21.
Static PAT - (8.4)
# object network FTPSERVER
#  host 192.168.1.25
#  nat (dmz,outside) static interface service tcp 21 2121
Here the real port (21) is listed first and the mapped port (2121) second; the server is reachable on the outside interface address at port 2121.
Dynamic NAT - Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network.
Dynamic NAT - (8.2)
#nat (inside) 1 10.10.10.0 255.255.255.0
#global (outside) 1 100.100.100.10-100.100.100.100
Dynamic NAT - (8.4)
#object network MAPPED_RANGE
# range 100.100.100.10 100.100.100.100
#object network INSIDE_NETWORK
# subnet 10.10.10.0 255.255.255.0
# nat (inside,outside) dynamic MAPPED_RANGE
Translates inside private addresses to pool of public addresses
Note - Does not allow outside host to initiate connection to inside
Dynamic PAT - a group of real IP addresses is mapped to a single IP address using a unique source port on that IP address.
Dynamic PAT - (8.2)
# nat (inside) 1 10.10.10.0 255.255.255.0
# global (outside) 1 interface
Dynamic PAT - (8.4)
# object network INSIDE_NAT
#  subnet 10.0.0.0 255.255.255.0
#  nat (inside,outside) dynamic interface
Note - nat (inside) 1 0 0 means any network on the inside.
Dynamic Policy NAT - Policy NAT lets you identify real addresses for address translation by specifying the
source and destination addresses in an extended access list. You can also optionally specify the source
and destination ports. Regular NAT can only consider the source addresses, not the destination address.
For example, with policy NAT you can translate the real address to mapped address A when it accesses
server A, but also translate the real address to mapped address B when it accesses server B. All types of
NAT support policy NAT, except for NAT exemption. NAT exemption uses an access list to identify the
real addresses, but it differs from policy NAT in that the ports are not considered.
Dynamic Policy NAT (8.2)
# access-list POLICY permit tcp 10.10.10.0 255.255.255.0 host 198.165.201.10 eq 23
# nat (inside) 1 access-list POLICY
# global (outside) 1 100.100.100.1-100.100.100.200
Maps inside IPs to different pools based on the ACL.
Dynamic Policy NAT (8.4)
Object NAT cannot specify NAT conditions based on the destination IP, and it cannot configure how the destination IP of the packet is translated. To overcome this, use Manual NAT (Twice NAT).
Troubleshooting NAT
Verify Layer 2 connectivity.
Verify Layer 3 routing information.
Check the configured access lists.
show xlate
show conn
show logging
The packet-tracer utility can be used to diagnose most NAT-related issues on the ASA.
Troubleshoot simple scenarios using packet capture.
Run the debug ip nat translations and debug ip packet commands (on IOS) to see whether the translations are correct and the right translation entry is installed in the translation table.
For ASA Version 8.3+, evaluation starts at the top (Section 1) and works down until a NAT rule is matched. Once a NAT rule is matched, that rule is applied to the connection and no further NAT policies are checked against the packet.
In the case of translating the payload of Domain Name System (DNS) packets, make sure that translation takes place on the address in the IP header of the packet. If this does not happen, NAT does not look into the payload of the packet.
NAT/PAT on Cisco Nexus Switches
As far as I know, there are no NAT capabilities on Cisco Nexus 7000 Series Switches.
NAT is only supported on the Nexus switches below:
Nexus 9300 Series
Nexus 6000 Series
Nexus 5600 Series
Nexus 3548 Series
ITD support for SLB NAT on Nexus Switches
In an SLB-NAT deployment, clients send traffic to a virtual IP address and need not know the IPs of the underlying servers. NAT provides additional security by hiding the real server IPs from the outside world. In virtualized server environments, this NAT capability also gives the flexibility to move real servers across server pools without their clients noticing. With respect to health monitoring and traffic reassignment, SLB NAT lets applications keep working seamlessly without the client being aware of any IP change.
Cisco® Intelligent Traffic Director (ITD) bridges the performance gap between a multi-terabit switch and gigabit servers and appliances. It provides multi-terabit Layer 4 load balancing, traffic steering, and clustering from Cisco Nexus® switches.
NAT Support on Various Nexus Switch Models

Feature          | Nexus 9300 Series   | Nexus 7000 Series               | Nexus 6000 Series             | Nexus 5600 Series             | Nexus 4000 Series | Nexus 3548 Series
-----------------|---------------------|---------------------------------|-------------------------------|-------------------------------|-------------------|-------------------
Static NAT       | Yes                 | No                              | Yes                           | Yes                           | No                | Yes
Dynamic NAT      | Yes                 | No                              | Yes                           | Yes                           | No                | Yes
PAT              | Yes                 | No                              | Yes                           | Yes                           | No                | Yes
Twice NAT        | Yes                 | No                              | Yes                           | Yes                           | No                | Yes
VRF-Aware NAT    | Yes                 | No                              | Yes                           | Yes                           | No                | Yes
ITD - SLB NAT    | Yes                 | Yes                             | Yes                           | Yes                           | NA                | NA
License required | (not given)         | FCoE IVR NAT over Fibre Channel | Layer 3 Base Services Package | Layer 3 Base Services Package | NA                | Algo Boost License
NX-OS version    | Release 7.0(3)I2(1) | Release 6.2(10) (SLB NAT)       | Release 7.1(1)N1(1)           | Release 7.1(1)N1(1)           | NA                | Release 6.x
Configuration on Nexus Switches for NAT Support
For the Nexus 3548 switch, an example can be found at the link below:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3548/sw/interfaces/602_a1_1/b_N3548_Interfaces_Config_602_A1_1/b_N3548_Interfaces_Config_602_A1_1_chapter_0101.html
For the Nexus 5600 switch, an example can be found at the link below:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/interfaces/7x/b_5600_Interfaces_Config_Guide_Release_7x/b_6k_Interfaces_Config_Guide_Release_7x_chapter_01000.html#task_EF30C89A841A4E2DAF1A9268EF8CBC4D
For the Nexus 6000 switch, an example can be found at the link below:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus6000/sw/interfaces/7x/b_6k_Interfaces_Config_Guide_Release_7x/b_6k_Interfaces_Config_Guide_Release_7x_chapter_01000.html
For the Nexus 9000 switch, an example can be found at the link below:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NXOS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_chapter_01100.html