Document ID: 29283
Updated: Apr 05, 2006
Introduction
Network Address Translation (NAT) operates on a routing device that connects two networks together. One of these networks (which is designated as "inside") has private addresses that require conversion into legal addresses before packets are forwarded onto the other network (which is designated as "outside"). The translation operates in conjunction with routing so that you can simply enable NAT on a gateway router when you need translation. The table in the NAT Feature Support on Catalyst Switches section of this document summarizes the support of the NAT feature in Cisco Catalyst switches.
Refer to Network Address Translation (NAT) Technology Support for additional information on how to implement the NAT feature. The page provides sample configurations and troubleshooting tips.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
NAT Feature Support on Catalyst Switches
This table provides information about NAT feature support in Catalyst switches:
Catalyst Platform | Minimum Software Release |
---|---|
Catalyst 6500/6000—CatOS¹ with Cisco IOS® Software on MSFC²/MSFC2/MSFC3 | All versions |
Catalyst 6000—CatOS (MSM³) | No support |
Catalyst 6500/6000—Cisco IOS system software | All versions |
Catalyst 5500/5000 (RSM⁴) | Cisco IOS Software Releases 11.2(P), 11.3(T), 12.0, 12.0T, 12.1, 12.1T |
Catalyst 5500/5000 (RSFC⁵) | Cisco IOS Software Release 12.1 |
Catalyst 4500/4000—CatOS (WS-X4232-L3) | No support/no plans |
Catalyst 4500/4000—Cisco IOS Software (Supervisor Engine II+/III/IV/V) | No support currently⁶ |
Catalyst 3750 | No support |
Catalyst 3560 | No support |
Catalyst 3550 | No support |
Catalyst 2970 | Not applicable (no support for IP routing⁷) |
Catalyst 2950/2955 | Not applicable (no support for IP routing⁷) |
Catalyst 2940 | Not applicable (no support for IP routing⁷) |
Catalyst 2900XL/3500XL | Not applicable (no support for IP routing) |
Catalyst 2948G-L3/4908G-L3 | No support/no plans |
Catalyst 1900 | Not applicable (no support for IP routing) |
Catalyst 8500 | No support/no plans |
- 1 CatOS = Catalyst OS.
- 2 MSFC = Multilayer Switch Feature Card.
- 3 MSM = Multilayer Switch Module.
- 4 RSM = Remote Switch Module.
- 5 RSFC = Router Switch Feature Card.
- 6 Catalyst 4500/4000 series switches with Supervisor Engine III/IV support the Access Gateway Module (AGM) in Cisco IOS Software Release 12.1(13)EW or later. You need Cisco IOS Software Release 12.2.13T or later on the AGM module. NAT has support in the software switching path on the AGM module.
- 7 The Catalyst 2940, 2970, and 2950/2955 do not support IP routing or the NAT feature. For more information, refer to the Cisco Feature Navigator Tool (registered customers only).
Additional Notes for the Catalyst 6500/6000
- Software performs the NAT function on the Catalyst 6500/6000 with a Supervisor Engine 1/2 and MSFC/MSFC2. There is no support in the hardware path.
- When you use the NAT router feature on a Catalyst 6500 with Supervisor Engine 1/2 and MSFC/MSFC2, packets that traverse the NAT outside interface can (in certain configurations) undergo software routing instead of Layer 3 (L3) switching. The software routing can occur regardless of whether the packets require translation. For packets that traverse the NAT outside interface, the redirection to the MSFC for software routing should occur for only those packets that require NAT. Cisco IOS Software only translates traffic that traverses from NAT inside interfaces to NAT outside interfaces. Make the access control list (ACL) that you use with NAT more specific, so that it limits the software-handled packets to only those packets that require NAT translation. For example, if you use a general ACL, such as permit ip any any, to specify the traffic that requires NAT, all traffic inbound or outbound on the NAT outside interface is software routed. Traffic that does not originate in the NAT inside interfaces or have the NAT inside interfaces as a destination is also software routed. If you use a more specific ACL, such as permit ip 192.168.1.0 0.0.0.255 any, only the NAT outside traffic that matches the ACL is software routed.
- The NAT function is performed in hardware for unicast packets on a Catalyst 6500 with Supervisor Engine 720 and MSFC3 when you run Cisco IOS Software Release 12.2(14)SX or later.
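The ACL guidance above can be checked automatically before a configuration is deployed. The following is an added example, not Cisco code or part of the original document: a small audit that finds the ACL referenced by each ip nat inside source list statement and reports entries that permit any source. The sample configurations, the ACL name NAT-LAN, and the function names are constructed for illustration, and only extended permit entries are examined.

```python
import re

# Constructed sample configurations (not from the original document).
WEAK_CONFIG = """\
access-list 101 permit ip any any
ip nat inside source list 101 interface Vlan20 overload
"""
SPECIFIC_CONFIG = """\
ip access-list extended NAT-LAN
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-LAN interface Vlan20 overload
"""

def parse_acls(config):
    """Map ACL name/number -> list of permit entries (numbered and named forms)."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        numbered = re.match(r"access-list (\d+) (permit .+)", line)
        named = re.match(r"ip access-list extended (\S+)", line)
        if numbered:
            acls.setdefault(numbered.group(1), []).append(numbered.group(2))
        elif named:
            current = named.group(1)
            acls.setdefault(current, [])
        elif current and raw.startswith(" ") and line.startswith("permit "):
            acls[current].append(line)
        elif not raw.startswith(" "):
            current = None  # left the named-ACL block
    return acls

def is_broad(ace):
    """True when an extended 'permit <proto> <source> ...' entry matches any source."""
    t = ace.split()
    if len(t) < 3:
        return False
    wildcard_all = t[2] != "host" and len(t) > 3 and t[3] == "255.255.255.255"
    return t[2] == "any" or wildcard_all

def audit_nat_acls(config):
    """Return (acl, entry) pairs for NAT source ACLs that select all traffic."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        nat = re.match(r"\s*ip nat inside source list (\S+) ", line)
        for ace in acls.get(nat.group(1), []) if nat else []:
            if is_broad(ace):
                findings.append((nat.group(1), ace))
    return findings
```

A non-empty result from audit_nat_acls means the NAT ACL selects traffic that does not need translation, which on Supervisor Engine 1/2 with MSFC/MSFC2 is then software routed.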
Caveats in the NAT Feature on the Catalyst 6500/6000 MSFC/MSFC2
This table lists some of the caveats that relate to the NAT feature on the Catalyst 6500/6000 MSFC/MSFC2:
Description | Version with Resolution |
---|---|
If you configure a port with a VACL¹ access map that has an action clause that contains the capture keyword, the port does not send any traffic to the MSFC to process in software. This configuration prevents the NAT feature operation. Refer to Cisco bug IDs CSCdu61309. | Cisco IOS Software Release 12.1.13(E) |
When you configure approximately 500 static NAT entries and issue the mls aclmerge algorithm odm command, a reload can occur if you issue the ip nat outside command for an active interface. Refer to Cisco bug ID CSCdx74455. | Cisco IOS Software Release 12.1(12c)E1 |
With 7,000 NAT entries and 3,000 pps² of NAT traffic, MSFC CPU utilization is 100 percent. Refer to Cisco bug ID CSCdx40232. | Cisco IOS Software Release 12.1(12c)E1 |
NAT pool subranges do not work. Refer to Cisco bug ID CSCdt21533. | Cisco IOS Software Release 12.1(11b)E3 |
A sequence problem results when there are NAT ACL configurations and static NAT entries in the startup configuration at bootup. The problem causes incorrect entries to be programmed into the TCAM³. Refer to Cisco bug ID CSCdx35689. | Cisco IOS Software Release 12.1(11b)E3 |
With the configuration of the NAT outside-source static translation, packets are forwarded without translation. Refer to Cisco bug ID CSCdv12429. | Cisco IOS Software Release 12.1(8a)E4 |
1 VACL = VLAN ACL.
2 pps = packets per second.
3 TCAM = ternary content addressable memory.