-
Cisco IOS IP Mobility Configuration Guide, Release 12.4T
-
Part 1: Mobile IP
-
Configuring Mobile IP
-
Mobile IP MIB Support for SNMP
-
Mobile IP—NAT Detect
-
Mobile IP—Support for Foreign Agent Reverse Tunneling
-
Mobile IP—Challenge/Response Extensions
-
Mobile IP—Generic NAI Support and Home Address Allocation
-
Mobile IP Home Agent Policy Routing
-
Mobile IP—Home Agent Accounting
-
Mobile IP Dynamic Security Association and Key Distribution
-
Mobile IP—Support for RFC 3519 NAT Traversal
-
-
Part 2: Mobile Networks
-
Cisco Mobile Networks
-
Cisco Mobile Networks—Asymmetric Link
-
Cisco Mobile Networks—Static Collocated Care-of Address
-
Cisco Mobile Networks—Priority HA Assignment
-
Cisco Mobile Networks—Tunnel Templates for Multicast
-
Mobile Networks Dynamic Collocated Care-of Address
-
Mobile Networks Deployment MIB
-
Mobile IP—Foreign Agent Local Routing to Mobile Networks
-
Mobile IP—Generic Routing Encapsulation for Cisco Mobile Networks
-
Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
-
Mobile IP— Policy and Application-Based Routing for MR Multipath
-
Mobile Router DHCP Support for Dynamic CCoA and Foreign Agent Processing
-
Mobile Ad Hoc Networks for Router-to-Radio Communications
-
-
Part 1: Mobile IP
Table Of Contents
Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
Prerequisites for Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
Restrictions for Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
Information About Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
NAT Traversal Support Overview
Mobile IP Support for NAT Traversal on the Mobile Router Feature Design
How to Configure the Mobile Router for RFC 3519 NAT Traversal Support
Configuring the Mobile Router for NAT Traversal Support
Configuring the Home Agent for NAT Traversal Support
Verifying Mobile Router NAT Traversal Support
Configuration Examples for Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router: Example
Feature Information for Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
First Published: June 22, 2006Last Updated: November 17, 2006The Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router feature extends support for Network Address Translation (NAT) traversal to the mobile router when the mobile router is in private addressing space behind a NAT-enabled device and needs to register directly to the public home agent using a private collocated care-of address (CCoA).
NAT traversal is based on the RFC 3519 specification and defines how Mobile IP should operate to traverse networks that deploy NAT within their network. NAT traversal allows Mobile IP to interoperate with networks that have NAT enabled by providing an alternative method for tunneling Mobile IP data traffic. New extensions in the Mobile IP registration request and reply messages have been added that establish User Datagram Protocol (UDP) tunneling.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/fn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
•
•
•
•
•
Prerequisites for Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
The mobile router should have the ability to obtain a CCoA on the visited network.
Restrictions for Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
•
•
Information About Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
Before you configure the Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Access Router feature, you should understand the following concepts:
•
•
This document uses the terms "mobile node" and "mobile router." Most of the conceptual information in this document applies to both a mobile node and a mobile router. The term "mobile router" also applies to the Cisco 3200 Mobile Access Router. Refer to the "Glossary" section for definitions of these terms.
NAT Traversal Support Overview
Network Address Translation (NAT) is a mechanism that conserves address space by reducing the need for globally unique IP addresses. NAT is designed to allow networks with private addressing schemes to exchange traffic with public networks. However, NAT can conflict with the delivery of Mobile-IP-encapsulated traffic for a mobile node (or mobile router) that resides behind a NAT-enabled router.
In Mobile IP, usually IP-in-IP tunneling or generic routing encapsulation (GRE) tunneling allows traffic to be sent between the home agent or mobile nodes either directly or through a foreign agent. These tunneling mechanisms do not generally contain enough information to permit unique translation from the public address to the particular care-of address (CoA) of a mobile node or foreign agent that resides behind the NAT-enabled router. Specifically, there are no TCP/UDP port numbers to permit unique translation of the private CoA into the public address. Thus, the traffic from the mobile node cannot be routed even after a successful registration and will always be dropped at the NAT gateway.
NAT traversal solves this problem by using UDP tunneling as an encapsulation mechanism for tunneling Mobile IP data traffic, for both forward and reverse tunneling, between the home agent and foreign agent or between the home agent and mobile node. UDP tunneling is established by the use of new message extensions in the initial Mobile IP registration request and reply exchange that request UDP tunneling. Registration requests and replies do not use UDP tunneling.
UDP-tunneled packets that have been sent by a mobile node use the same ports as the registration request message. The source port may vary between new registration requests but remains the same for all tunneled data and reregistrations. The destination port is always 434. UDP- tunneled packets that are sent by a home agent use the same ports, but in reverse.
When the registration request packet traverses a NAT-enabled router, the home agent detects the traversal by comparing the source IP address of the packet with the CoA inside the request. If the two addresses differ, the home agent detects that a NAT gateway exists in the middle. If the home agent is configured to accept NAT traversal, it accepts the registration request and enables the use of UDP tunneling, and the data traffic passes through the NAT gateway. Thereafter, any traffic from the home agent to the mobile node is sent through the UDP tunnel. If there is a foreign agent, the foreign agent must also be configured for NAT traversal in order for UDP tunneling to work. See the "Mobile IP Support for NAT Traversal on the Mobile Router Feature Design" section for information about the scenario in which the mobile router chooses to register with the home agent using a private CCoA.
By setting the force bit in the UDP tunneling request, the mobile node or mobile router can request that Mobile IP UDP tunneling be established regardless of the NAT detection outcome by the home agent. This capability can be useful in networks that have firewalls and other filtering devices that allow TCP and UDP traffic but do not support NAT translation. The final outcome of whether the mobile node or mobile router will receive UDP tunneling is determined by whether the home agent is configured to accept such requests.
NAT devices are designed to drop the translation state after a period of traffic inactivity over the tunnel. NAT traversal support has implemented a keepalive mechanism that avoids a NAT translation entry on a NAT device from expiring when there is no active Mobile IP data traffic going through the UDP tunnel. The keepalive messages are sent to ensure that NAT keeps the state information associated with the session and that the tunnel stays open.
The keepalive timer interval is configurable on the home agent, the mobile router, and the foreign agent but is controlled by the home agent keepalive interval value sent in the registration reply. When the home agent sends a keepalive value in the registration reply, the mobile node, mobile router, or foreign agent must use that value as its keepalive timer interval.
The keepalive timer interval configured on the foreign agent or mobile router is used only if the home agent returns a keepalive interval of zero in the registration reply.
Mobile IP Support for NAT Traversal on the Mobile Router Feature Design
The Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router feature was designed for the scenario where the mobile router is behind a NAT-enabled router and needs to register directly to the home agent using a private CCoA address.
If configured for NAT traversal, the mobile router will request UDP tunneling in its registration request. If the home agent is configured for NAT traversal, the home agent will send a registration reply stating that it will accept UDP tunneling. Upon receiving this reply, the mobile router will create a UDP tunnel with the agreed-upon encapsulation type. The mobile router will also enable the periodic keepalive message between the mobile router and the home agent. If there is a keepalive failure or if there is no keepalive response from the home agent for three or more successive registration requests, the mobile router will terminate the UDP tunnel and will restart the registration process. Figure 1 shows the UDP tunnel that was set up between the home agent and the mobile router.
Figure 1 Topology Showing the UDP Tunnel Between the Home Agent and the Mobile Router
How to Configure the Mobile Router for RFC 3519 NAT Traversal Support
This section contains the following tasks:
•
•
•
Configuring the Mobile Router for NAT Traversal Support
This task shows you how to configure the mobile router for NAT traversal support.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring the Home Agent for NAT Traversal Support
This task shows you how to configure the home agent for NAT traversal support.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Verifying Mobile Router NAT Traversal Support
Perform this task to verify mobile router NAT traversal support.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Configuration Examples for Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
This section provides the following configuration example:
•
Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router: Example
The following example shows how to configure NAT traversal between the home agent and the mobile router.
Home Agent Configuration
interface Loopback1ip address 198.168.2.1. 255.255.255.255!router mobile!! The following command sets the UDP keepalive interval to 60 seconds and enables the HA ! to accept forced UDP tunneling registration requests.!ip mobile home-agent nat traversal keepalive 60 forced acceptip mobile home-agentip mobile virtual-network 10.99.100.0 255.255.255.0ip mobile host 10.99.100.1 10.99.100.100 virtual-network 10.99.100.0 255.255.255.0ip mobile mobile-networks 10.99.100.2description MAR-3200register!ip mobile secure host 10.99.100.1 10.99.100.100 spi 100 key hex12345678123456781234567812345678 algorithm md5 mode prefix-suffixMobile Router Configuration
interface Loopback1! Description MR's home address.ip address 10.99.100.2 255.255.255.255!interface FastEthernet0/0description Wi-Fi Linkip address 10.5.3.32 255.255.255.0! The following command sets the UDP keepalive interval to 60 seconds and enables the ! mobile router to request UDP tunneling.ip mobile router-service collocated registration nat traversal keepalive 60 forceip mobile router-service roam priority 120!ip mobile routeraddress 10.99.100.2 255.255.255.0collocated single-tunnelhome-agent 10.1.1.1 priority 110mobile-network Vlan210reverse-tunnelAdditional References
The following sections provide references related to the Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router feature.
Related Documents
Mobile IP information and configuration tasks
Cisco IOS IP Mobility Configuration Guide, Release 12.4
Mobile IP commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Cisco IOS IP Mobility Command Reference, Release 12.4T
Information about NAT Traversal Support for Mobile IP
Mobile IP Support for RFC 3519 NAT Traversal, Cisco IOS Release 12.3(8)T feature module
Cisco 3200 Series Mobile Access Router documentation
Cisco 3200 Series Mobile Access Router Software Configuration Guide
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS IP Mobility Command Reference at http://www.cisco.com/en/US/docs/ios/ipmobility/command/reference/imo_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
Feature Information for Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/fn. An account on Cisco.com is not required.
Note
Glossary
agent advertisement—An advertisement message constructed by an attachment of a special extension to an ICMP Router Discovery Protocol (IRDP).
care-of address—The termination point of the tunnel to a mobile node or mobile router. This can be a collocated care-of address, by which the mobile node or mobile router acquires a local address and detunnels its own packets, or a foreign agent care-of address, by which a foreign agent detunnels packets and forwards them to the mobile node or mobile router.
CDPD—cellular digital packet data. Open standard for two-way wireless data communication over high-frequency cellular telephone channels. Allows data transmissions between a remote cellular link and a NAP. Operates at 19.2 kbps.
foreign agent—A router on the visited network of a foreign network that provides routing services to the mobile node while registered. The foreign agent detunnels and delivers packets to the mobile node or mobile router that were tunneled by the home agent of the mobile node. For packets sent by a mobile node, the foreign agent may serve as a default router for registered mobile nodes.
GPRS—general packet radio service. A service defined and standardized by the European Telecommunication Standards Institute (ETSI). GPRS is an IP packet-based data service for Global System for Mobile Communications (GSM) networks.
home agent—A router on a home network of the mobile node or that tunnels packets to the mobile node or mobile router while they are away from home. It keeps current location information for registered mobile nodes called a mobility binding.
home network—The network, possibly virtual, whose network prefix equals the network prefix of the home address of a mobile node.
mobile network—A network that moves with the mobile router. A mobile network is a collection of hosts and routes that are fixed with respect to each other but are mobile, as a unit, with respect to the rest of the Internet.
mobile node—A host or router that changes its point of attachment from one network or subnet to another. A mobile node may change its location without changing its IP address; it may continue to communicate with other Internet nodes at any location using its home IP address, assuming that link-layer connectivity to a point of attachment is available.
mobile router—A mobile node that is a router. It provides for the mobility of one or more entire networks moving together, perhaps on an airplane, a ship, a train, an automobile, a bicycle, or a kayak. The nodes connected to a network served by the mobile router may themselves be fixed nodes or mobile nodes or routers.
registration—The process by which the mobile node is associated with a care-of address on the home agent while it is away from home. Registration may happen directly from the mobile node to the home agent or through a foreign agent.
tunnel—The path followed by a packet while it is encapsulated from the home agent to the mobile node. The model is that, while it is encapsulated, a packet is routed to a knowledgeable de-encapsulating agent, which decapsulates the datagram and then correctly delivers it to its ultimate destination.
Note
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
