28
2013
NAT Virtual Interface aka NVI, what is that?!
Not everyone knows that, starting with IOS version 12.3(14)T, Cisco introduced a feature called NAT Virtual Interface (NVI). NVI removes the requirement to configure an interface as either NAT inside or NAT outside: an interface is simply configured to use NAT or not to use NAT.
How do you use NVI? It’s easy! Use the command ‘ip nat source …’ without the inside/outside tag, and enable NAT on the interfaces with the command ‘ip nat enable’.
For instance, if the legacy configuration is:
Ciscozine(config)#interface range fastEthernet 0/0
Ciscozine(config-if-range)#ip nat inside
Ciscozine(config)#interface range fastEthernet 0/1
Ciscozine(config-if-range)#ip nat outside
Ciscozine(config)#ip nat inside source static 172.16.0.6 10.16.0.5
then with the NVI feature the NAT configuration becomes:
Ciscozine(config)#interface range fastEthernet 0/0
Ciscozine(config-if-range)#ip nat enable
Ciscozine(config)#interface range fastEthernet 0/1
Ciscozine(config-if-range)#ip nat enable
Ciscozine(config)#ip nat source static 172.16.0.6 10.16.0.5
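The rewrite rule above, applied mechanically to a configuration in running-config style. This is an added example, not code from the original article or from Cisco; the function name legacy_to_nvi, the sample configuration and the 192.0.2.10 / 172.16.0.50 entry are constructed for illustration.

```python
import re

# Constructed legacy configuration (the first static entry is the article's).
LEGACY = """\
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
!
ip nat inside source static 172.16.0.6 10.16.0.5
ip nat outside source static 192.0.2.10 172.16.0.50
"""

IF_ROLE = re.compile(r"^(\s*)ip nat (?:inside|outside)\s*$")      # interface role
INSIDE_SRC = re.compile(r"^(\s*)ip nat inside source\b")          # global rule
OTHER_DOMAIN = re.compile(r"^\s*ip nat (?:inside|outside)\s+\S")  # anything else


def legacy_to_nvi(config):
    """Rewrite legacy NAT lines to NVI form; return (lines, warnings)."""
    lines, warnings = [], []
    for number, line in enumerate(config.splitlines(), 1):
        role = IF_ROLE.match(line)
        if role:
            # 'ip nat inside' and 'ip nat outside' both become 'ip nat enable'.
            lines.append(f"{role.group(1)}ip nat enable")
        elif INSIDE_SRC.match(line):
            # Drop the domain tag: 'ip nat inside source' -> 'ip nat source'.
            lines.append(INSIDE_SRC.sub(r"\1ip nat source", line))
        else:
            if OTHER_DOMAIN.match(line):
                # The article gives no NVI form for these; keep them for review.
                warnings.append(f"line {number}: review manually: {line.strip()}")
            lines.append(line)
    return lines, warnings


if __name__ == "__main__":
    converted, notes = legacy_to_nvi(LEGACY)
    print("\n".join(converted))
    for note in notes:
        print("WARNING", note)
```

Lines that still name a NAT domain after conversion are passed through unchanged and reported, so the output is a draft to review rather than a configuration to paste.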
To better understand this feature, I will explain NVI using the same examples presented in the previous article ‘NAT and PAT: a complete explanation’ (take no notice of the ip NAT inside/outside labels in the images).
First of all, define which interfaces take part in the IP translation; in these scenarios they are fastethernet 0/0 and fastethernet 0/1:
Ciscozine(config)#interface range fastEthernet 0/0 - 1
Ciscozine(config-if-range)#ip nat enable
Then define the translation depending on the NAT/PAT used.
Example #1: Static NAT
How to translate the IP address 172.16.0.5 to the IP address 10.16.0.5.
Define the static NAT entry:
Ciscozine(config)#ip nat source static 172.16.0.5 10.16.0.5
Example #2: Dynamic NAT
How to translate the 172.16.0.0/28 network to the 10.16.0.0/29 network.
As with legacy NAT, you need to define three things.
Define the nat pool used in the nat translation (this is the same as in legacy nat):
Ciscozine(config)#ip nat pool dynamic-ip 10.16.0.1 10.16.0.6 prefix-length 29
Define which network will be translated (this is the same as in legacy nat):
Ciscozine(config)#ip access-list standard client-list
Ciscozine(config-std-nacl)#permit 172.16.0.0 0.0.0.15
Define the dynamic NAT:
Ciscozine(config)#ip nat source list client-list pool dynamic-ip
Example #3: Static PAT
How to expose two different services to the Internet:
- The Web server (172.16.0.5) is listening on tcp port 80; this server responds on public address 88.88.88.88:80 from the Internet.
- The SSH server (172.16.0.6) is listening on tcp port 22; this server responds on public address 88.88.88.88:666 from the Internet.
Define the static PAT:
Ciscozine(config)#ip nat source static tcp 172.16.0.5 80 88.88.88.88 80
Ciscozine(config)#ip nat source static tcp 172.16.0.6 22 88.88.88.88 666
Example #4: PAT – NAT Overload
How to share an Internet connection.
Define which network will be translated (this is the same as in legacy nat):
Ciscozine(config)#ip access-list standard client-list
Ciscozine(config-std-nacl)#permit 172.16.0.0 0.0.0.255
Define the NAT Overload:
Ciscozine(config)#ip nat source list client-list interface fastethernet0/1 overload
Note: The behavior of the NAT Virtual Interface is the same as that of legacy NAT; therefore:
- With static NAT, the translation exists in the NAT translation table as soon as you configure the static NAT command, and it remains in the translation table until you delete the static NAT command.
- With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation.
- With static PAT, the translation exists in the NAT translation table as soon as you configure the static PAT command, and it remains in the translation table until you delete the static PAT command.
- With NAT overload, translations do not exist in the NAT table until the router receives traffic that requires translation.
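The four rule types from the examples, classified by whether their translation is present from configuration time or only created by traffic. This is an added example, not code from the original article or from Cisco; the function names, the rule set (built from the addresses stated in the examples) and the 172.16.0.7 entry are constructed. The permanent entries are the ones to check first when reviewing what is reachable through the router.

```python
import re

# Constructed input: one rule per example above, plus a static rule in its
# legacy spelling (172.16.0.7 is a made-up host) to show both forms are handled.
CONFIG = """\
ip nat source static 172.16.0.5 10.16.0.5
ip nat source list client-list pool dynamic-ip
ip nat source static tcp 172.16.0.5 80 88.88.88.88 80
ip nat source static tcp 172.16.0.6 22 88.88.88.88 666
ip nat source list client-list interface fastethernet0/1 overload
ip nat inside source static 172.16.0.7 10.16.0.7
"""

RULE = re.compile(r"^ip nat (?:inside )?source (static|list) (.+)$")


def classify(line):
    """Return (kind, permanent, mapping) for one NAT rule, else None."""
    match = RULE.match(line.strip())
    if not match:
        return None
    form, args = match.group(1), match.group(2).split()
    if form == "list":
        # ACL-driven rules create entries only when matching traffic arrives.
        kind = "NAT overload" if "overload" in args else "dynamic NAT"
        return kind, False, None
    if args[0] in ("tcp", "udp"):
        if len(args) < 5:
            return None  # truncated static PAT line
        proto, local, lport, glob, gport = args[:5]
        return "static PAT", True, f"{glob}:{gport}/{proto} -> {local}:{lport}"
    if len(args) >= 2 and args[0][0].isdigit():
        return "static NAT", True, f"{args[1]} -> {args[0]}"
    return None  # other static forms are not handled here


def permanent_mappings(config):
    """Mappings that sit in the NAT table from configuration time onward."""
    results = (classify(line) for line in config.splitlines())
    return [r[2] for r in results if r and r[1]]


if __name__ == "__main__":
    for mapping in permanent_mappings(CONFIG):
        print(mapping)
```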
To check NVI statistics and translations use these commands (observe the ‘nvi’ tag):
- show ip nat nvi translations
- show ip nat nvi statistics
Remember:
- When you enable NAT (legacy or NVI), IOS enables a virtual interface called ‘NVI0’. This interface is used ONLY when ‘ip nat enable’ is configured. It appears in the output of ‘show ip interface brief’ and ‘show interfaces’.
- Cisco recommends using legacy NAT (ip nat inside/outside) for VRF-to-global NAT and between interfaces in the same VRF. NVI is used for NAT between different VRFs.
- Stateful Network Address Translation (SNAT) is not supported.