Building network automation solutions

9 module online course

Start now!

Category: NAT

Is NAT64 a subset of NAT-PT?

Quick summary for the differently attentive: Even without the DNS processing, NAT-PT and NAT64 differ from the perspective of peer-to-peer applications. The differences don’t matter for IPv6 clients connecting to IPv4 servers.

Whenever I’m talking about NAT64, someone would say “we’re already using it”. As it turns out, they’re usually using NAT-PT, which looks a lot like NAT64 from afar (after all, they both allow IPv6-only clients to connect to IPv4-only servers). However, there are significant differences between the two, the most important one being DNS64, which handles DNS processing completely outside of the forwarding path (NAT-PT has embedded DNS Application Level Gateway, which was one of the major reasons NAT-PT was declared broken beyond hope).

read more see 5 comments

The first step on the path to CGv6

In another interesting timing coincidence, the documentation for IOS-XR release 3.9.1 appeared at approximately the same time (probably a little bit later) as I started to research the viability of CGv6 during the preparation for my NAT64/DNS64 presentation.

A kind guest has provided links to configuration guide and command reference in a comment to my blog post. Thank you!

Looking at the release notes, the CGSE blade currently supports only CGN (large-scale NAT44), the interesting parts (NAT64 or DS-lite AFTR) are still in the pipeline.

add comment

Round-robin NAT: any ideas?

Valeriy sent me a really interesting question:

When you’re using PAT with a NAT address pool, the routers use the lowest IP addresses from the pool as long as possible, using a new address from the pool only when the TCP/UDP ports on the active ones are depleted. This causes problems with services limiting the number of connections from one IP address. Is there any way to make the router use the whole pool for outgoing connections in a round-robin fashion?

Valeriy has already tried rotary pools, but they don’t work with PAT and the ip nat portmap is only useful for VoIP traffic. Any other ideas?

see 2 comments

Small Site Multihoming Tutorial

In 2007 and 2008 I wrote several articles covering small-site multihoming (a site connected to two ISPs without having its own public address space or running BGP).


A multihomed site is a customer site connected with (at least) two uplinks to one or more Internet Service Providers (ISP). Traditionally, a multihomed site needs its own provider independent (PI) public IP address space, has to run BGP with the upstream ISP and thus needs its own BGP autonomous system (AS) number.

read more add comment

NAT translation logging

The ip nat log translations syslog command starts NAT logging: every NAT translation created on the router is logged in syslog (which can be sent to console, syslog host or internal buffer). You could use this command as a poor man’s reporting tool if you have to monitor the address translations on your edge routers (for example, due to security policy or auditing requirements). Obviously you should configure the no logging console first in a production environment; otherwise your router will hang a few moments after you’ve enabled NAT logging.

read more see 7 comments

NAT activates NBAR

A few days ago I had an “interesting” experience on a router that was running low on memory: when I enabled NAT, it immediately ran out of memory although it had over 4 MB free memory before that (and since I was doing the tests in a lab, I wasn't worried about that … in a production network, 4 MB of free memory is something to worry about).

It took me a while to figure out what was going on: the moment you enable NAT in IOS release 12.4, it activates Network Based Application Recognition (NBAR) even when CEF is disabled (and supposedly NBAR requires CEF to run).

read more see 7 comments