NAT Configuration


This chapter describes how to configure the Network Address Translation (NAT) in-line service feature.
The following topics are covered in this chapter:
 
 
Before You Begin
This section lists the steps to perform before you can start configuring NAT support on a system:
Step 1
Step 2
Step 3
 
Configuring the System
This section lists the high-level steps to configure the NAT feature.
Step 1
Step 2
Step 3
 
Configuring NAT
This section describes how to configure the NAT in-line service feature.
Step 1
Step 2
Optional: Configure port maps as described in the Configuring Port Maps section.
Step 3
Optional: Configure host pools as described in the Configuring Host Pools section.
Step 4
Optional: Configure IMSI pools as described in the Configuring IMSI Pools section.
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
Step 11
Step 12
Step 13
Step 14
Step 15
Optional: Configure the default Firewall-and-NAT policy as described in the Configuring the Default Firewall-and-NAT Policy section.
Step 16
Step 17
Step 18
Step 19
Step 20
Step 21
Step 22
Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
 
Enabling the ECS Subsystem and Creating the ECS Service
To enable the ECS subsystem and create the enhanced charging service, use the following configuration:
 
configure
  require active-charging
  active-charging service <ecs_service_name> [ -noconfirm ]
  end
 
Configuring Port Maps
This is an optional configuration. To create and configure an application-port map for TCP and UDP protocols, use the following configuration:
 
configure
  active-charging service <ecs_service_name>
     port-map <port_map_name> [ -noconfirm ]
        port { <port_number> | range <start_port> to <end_port> }
        end
Notes:
 
 
Configuring Host Pools
This is an optional configuration. To create and configure a host pool, use the following configuration:
 
configure
  active-charging service <ecs_service_name>
     host-pool <host_pool_name> [ -noconfirm ]
        ip { <ip_address> | <ip_address/mask> | range <start_ip_address> to <end_ip_address> }
        end
Notes:
 
 
Configuring IMSI Pools
This is an optional configuration. To create and configure an IMSI pool, use the following configuration:
 
configure
  active-charging service <ecs_service_name>
     imsi-pool <imsi_pool_name> [ -noconfirm ]
        imsi { <imsi_number> | range <start_imsi> to <end_imsi> }
        end
Notes:
 
 
Configuring Access Ruledefs
To create and configure an access rule definition, use the following configuration:
 
configure
  active-charging service <ecs_service_name>
     access-ruledef <access_ruledef_name> [ -noconfirm ]
        bearer 3gpp apn [ case-sensitive ] <operator> <value>
        bearer 3gpp imsi { <operator> <msid> | { !range | range } imsi-pool <imsi_pool> }
        bearer username [ case-sensitive ] <operator> <user_name>
        icmp { any-match <operator> <condition> | code <operator> <code> | type <operator> <type> }
        ip { { { any-match | downlink | uplink } <operator> <condition> } | { { dst-address | src-address } { { <operator> { <ip_address> | <ip_address/mask> } } | { !range | range } host-pool <host_pool_name> } | protocol { { <operator> { <protocol> | <protocol_assignment> } } | { <operator> <protocol_assignment> } }
        tcp { any-match <operator> <condition> | { { dst-port | either-port | src-port } { { <operator> <port_number> } | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } }
        udp { any-match <operator> <condition> | { dst-port | either-port | src-port } { <operator> <port_number> | { !range | range } { <start_range> to <end_range> | port-map <port_map_name> } } }
        create-log-record
        end
Notes:
 
 
Configuring NAT IP Pools/NAT IP Pool Groups
This section describes how to create and configure NAT IP pools/NAT IP pool groups.
The following topics are covered in this section:
 
 
Configuring One-to-One NAT IP Pools/NAT IP Pool Groups
To create and configure a one-to-one NAT IP pool/NAT IP pool group, use the following configuration:
configure
  context <context_name> [ -noconfirm ]
     ip pool <nat_pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } nat-one-to-one [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } <low_thresh> [ clear <high_thresh> ] } + ] [ group-name <nat_pool_group_name> ] [ nat-binding-timer <binding_timer> ] [ nexthop-forwarding-address <ip_address> ] [ on-demand ] [ send-icmp-dest-unreachable ] [ send-nat-binding-update ] [ srp-activate ] +
     ip pool <pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } public <priority>
     end
Notes:
 
Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
To add a NAT IP pool to a NAT IP pool group, use the group-name <nat_pool_group_name> option.
NAT IP pool and NAT IP pool group names must be unique.
When configuring a NAT IP pool group, note that only those NAT IP pools that have similar characteristics can be grouped together. The similarity is determined by the “nat-one-to-one” and “on-demand” parameters. Dissimilar NAT IP pools cannot be grouped together.
It is recommended that for each NAT IP pool in a NAT IP pool group the other parameters (“nat-binding-timer”, “send-nat-binding-update”, “nexthop-forwarding-address”, “send-icmp-dest-unreachable”, and “srp-activate”) also be configured with the same values, so that the NAT behavior is predictable across all NAT IP pools in that NAT IP pool group.
The NAT IP pool from which a NAT IP address is assigned will determine the actual values to use for all parameters.
 
Configuring Many-to-One NAT IP Pools/NAT IP Pool Groups
To create and configure a Many-to-One NAT IP pool/NAT IP pool group, use the following configuration:
configure
  context <context_name> [ -noconfirm ]
     ip pool <nat_pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } napt-users-per-ip-address <users> [ alert-threshold { { pool-free | pool-hold | pool-release | pool-used } <low_thresh> [ clear <high_thresh> ] } + ] [ group-name <nat_pool_group_name> ] [ max-chunks-per-user <chunks> ] [ nat-binding-timer <binding_timer> ] [ nexthop-forwarding-address <ip_address> ] [ on-demand ] [ port-chunk-size <size> ] [ port-chunk-threshold <threshold> ] [ send-icmp-dest-unreachable ] [ send-nat-binding-update ] [ srp-activate ] +
     ip pool <pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } public <priority>
     end
Notes:
 
Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
To add a NAT IP pool to a NAT IP pool group, use the group-name <nat_pool_group_name> option.
NAT IP pool and NAT IP pool group names must be unique.
When configuring a NAT IP pool group, note that only those NAT IP pools that have similar characteristics can be grouped together. The similarity is determined by the “napt-users-per-ip-address <users>”, “on-demand”, and “port-chunk-size” parameters. Dissimilar NAT IP pools cannot be grouped together.
It is recommended that for each NAT IP pool in a NAT IP pool group the other parameters (“nat-binding-timer”, “send-nat-binding-update”, “nexthop-forwarding-address”, “send-icmp-dest-unreachable”, “srp-activate”, and “port-chunk-threshold”) also be configured with the same values, so that the NAT behavior is predictable across all NAT IP pools in that NAT IP pool group.
The NAT IP pool from which a NAT IP address is assigned will determine the actual values to use for all parameters.
 
Configuring Firewall-and-NAT Policies
To create and configure a Firewall-and-NAT Policy, use the following configuration:
configure
  active-charging service <ecs_service_name>
     fw-and-nat policy <fw_nat_policy_name> [ -noconfirm ]
        nat policy nat-required default-nat-realm <nat_pool_name / nat_pool_group_name>
        access-rule priority <priority> { [ dynamic-only | static-and-dynamic ] access-ruledef <access_ruledef_name> { deny [ charging-action <charging_action_name> ] | permit [ nat-realm <nat_pool_name/nat_pool_group_name> | [ bypass-nat ] ] }
        access-rule no-ruledef-matches { downlink | uplink } action { deny [ charging-action <charging_action_name> ] | permit [ bypass-nat | nat-realm <nat_pool_name/nat_pool_group_name> ] }
        end
Notes:
 
The nat policy nat-required command enables NAT for all subscribers using the policy.
Rule matching is done on the first packet of a flow. The no-ruledef-matches configuration is considered only when no rules match. The default setting for the uplink direction is “permit”, and for the downlink direction “deny”.
access-rule no-ruledef-matches uplink action permit nat-realm <nat_pool_name/nat_pool_group_name>
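The ordering rules stated in the notes above (access-rules tried by priority, first match wins, no-ruledef-matches only as a fallback with uplink permit and downlink deny) are easy to get wrong when a broad permit sits at a higher priority than a narrower deny. The following Python model is an added example, not StarOS code and not part of this chapter: it evaluates constructed flows against a Firewall-and-NAT policy with those semantics and reports which lower-priority rules a first match hides. The ruledef names, pool names, addresses and ports are constructed for the example; only a subset of access-ruledef clauses (ip protocol, ip dst-address range host-pool, tcp/udp dst-port range port-map) is modelled.

```python
"""Model of first-packet access-rule evaluation in a Firewall-and-NAT policy.

Added example, not StarOS code.  Access-rules are tried in priority order and
the first matching access-ruledef decides (deny, permit with a nat-realm, or
permit bypass-nat); if no ruledef matches, the per-direction
no-ruledef-matches action applies, defaulting to permit for uplink and deny
for downlink.  Names, pools, addresses and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    direction: str                  # "uplink" or "downlink"
    protocol: str                   # "tcp", "udp" or "icmp"
    dst: str                        # destination address of the first packet
    dst_port: Optional[int] = None


@dataclass
class AccessRuledef:
    """Subset of access-ruledef clauses: ip protocol, ip dst-address range
    host-pool (CIDR entries) and tcp/udp dst-port range port-map (port ranges)."""
    name: str
    protocol: Optional[str] = None
    dst_hosts: tuple = ()           # host-pool entries, e.g. ("192.0.2.0/24",)
    dst_ports: tuple = ()           # port-map entries, e.g. ((80, 80), (443, 443))

    def matches(self, flow: Flow) -> bool:
        if self.protocol and flow.protocol != self.protocol:
            return False
        if self.dst_hosts:
            addr = ipaddress.ip_address(flow.dst)
            if not any(addr in ipaddress.ip_network(net) for net in self.dst_hosts):
                return False
        if self.dst_ports:
            if flow.dst_port is None or not any(lo <= flow.dst_port <= hi for lo, hi in self.dst_ports):
                return False
        return True


@dataclass
class AccessRule:
    priority: int
    ruledef: AccessRuledef
    action: str                     # "deny", "permit" or "bypass-nat"
    nat_realm: Optional[str] = None # permit without nat-realm uses the policy default realm


@dataclass
class Decision:
    action: str
    nat_realm: Optional[str]
    priority: Optional[int]         # None when no-ruledef-matches decided
    shadowed: list                  # lower-priority rules that also matched but never ran


@dataclass
class FwNatPolicy:
    default_nat_realm: str          # nat policy nat-required default-nat-realm
    rules: list
    # no-ruledef-matches defaults from the chapter: uplink permit, downlink deny
    no_match: dict = field(default_factory=lambda: {"uplink": "permit", "downlink": "deny"})

    def evaluate(self, flow: Flow) -> Decision:
        matched = [r for r in sorted(self.rules, key=lambda r: r.priority) if r.ruledef.matches(flow)]
        if matched:
            first = matched[0]
            realm = (first.nat_realm or self.default_nat_realm) if first.action == "permit" else None
            return Decision(first.action, realm, first.priority, [r.priority for r in matched[1:]])
        action = self.no_match[flow.direction]
        return Decision(action, self.default_nat_realm if action == "permit" else None, None, [])


def example_policy() -> FwNatPolicy:
    """Constructed policy: a web permit ordered before a host-pool deny."""
    web = AccessRuledef("web_ports", protocol="tcp", dst_ports=((80, 80), (443, 443)))
    blocked = AccessRuledef("blocked_hosts", dst_hosts=("192.0.2.0/24",))
    mgmt = AccessRuledef("mgmt_ssh", protocol="tcp", dst_hosts=("198.51.100.0/24",), dst_ports=((22, 22),))
    return FwNatPolicy("nat_pool_default", [
        AccessRule(10, web, "permit", nat_realm="nat_pool_web"),
        AccessRule(20, blocked, "deny"),
        AccessRule(30, mgmt, "bypass-nat"),
    ])


def shadowing_report(policy: FwNatPolicy, flows) -> list:
    """Flows whose first match hides a later rule.  A permit that precedes a
    deny for the same traffic is the case to review before deployment."""
    return [(f.dst, f.dst_port, d.priority, d.shadowed)
            for f in flows for d in [policy.evaluate(f)] if d.shadowed]


if __name__ == "__main__":
    policy = example_policy()
    for flow in (Flow("uplink", "tcp", "192.0.2.5", 80), Flow("downlink", "tcp", "10.0.0.1", 5000)):
        print(flow, policy.evaluate(flow))
```

In the constructed policy, TCP port 80 traffic to the blocked host pool is permitted and NATted by priority 10 before the priority 20 deny is ever consulted; the report surfaces that before the policy is attached to an APN or subscriber template.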
 
Configuring Action on NAT IP Address/Port Allocation Failure
To configure sending ICMP error messages in the event of NAT IP address/port allocation failure, use the following configuration:
configure
  active-charging service <ecs_service_name>
     nat allocation-failure send-icmp-dest-unreachable
     end
 
Configuring Action on Packets During NAT IP Allocation
To configure the action to take on packets while NAT IP/NPU allocation is in progress, use the following configuration:
configure
  active-charging service <ecs_service_name>
     nat allocation-in-progress { buffer | drop }
     end
Notes:
 
 
Configuring NAT TCP-2msl-timeout Setting
To configure NAT TCP 2msl Timeout setting, use the following configuration:
configure
  active-charging service <ecs_service_name>
     nat tcp-2msl-timeout <timeout>
     end
 
Configuring Action on TCP Idle Timeout
To configure the action to take on TCP idle timeout expiry for NAT flows, use the following configuration:
configure
  active-charging service <ecs_service_name>
     fw-and-nat policy <fw_nat_policy_name>
        firewall tcp-idle-timeout-action { drop | reset }
        end
 
Configuring Private IP NPU Flow Timeout Setting
To configure Private IP NPU Flow Timeout setting, use the following configuration:
configure
  active-charging service <ecs_service_name>
     fw-and-nat policy <fw_nat_policy_name>
        nat private-ip-flow-timeout <timeout>
        end
Notes:
 
 
Configuring Flow Recovery
To configure Flow Recovery parameters for NAT flows, use the following configuration:
configure
  active-charging service <ecs_service_name>
     firewall flow-recovery { downlink | uplink } [ [ no-flow-creation ] [ timeout <timeout> ] + ]
     end
Notes:
 
The no-flow-creation keyword specifies that no data session/flow-related information is created for downlink-initiated packets (from the Internet to the subscriber) while the downlink flow-recovery timer is running; the packets are still sent to the subscriber.
 
Enabling NAT for APN/Subscribers
This section describes how to enable NAT support for APN/subscribers.
The following topics are covered in this section:
 
 
Enabling NAT for APN
To configure the Firewall-and-NAT Policy within an APN, use the following configuration:
Important: This configuration is only applicable to UMTS networks.
configure
  context <context_name>
     apn <apn_name>
        fw-and-nat policy <fw_nat_policy_name>
        end
Notes:
 
<fw_nat_policy_name> must be a valid Firewall-and-NAT policy in which NAT policy is enabled as described in the Configuring Firewall-and-NAT Policy section.
 
Enabling NAT for Subscribers
To configure the Firewall-and-NAT Policy in a subscriber template, use the following configuration:
configure
  context <context_name>
     subscriber default
        fw-and-nat policy <fw_nat_policy_name>
        end
Notes:
 
<fw_nat_policy_name> must be a valid Firewall-and-NAT policy in which NAT policy is enabled as described in the Configuring Firewall-and-NAT Policy section.
 
Configuring the Default Firewall-and-NAT Policy
This is an optional configuration. It specifies the default Firewall-and-NAT policy to use when the APN/subscriber configuration contains the following command:
default fw-and-nat policy
To create a rulebase and configure a default Firewall-and-NAT policy in it, use the following configuration:
configure
  active-charging service <ecs_service_name>
     rulebase <rulebase_name> [ -noconfirm ]
        fw-and-nat default-policy <fw_nat_policy_name>
        end
 
Configuring NAT Application Level Gateways/Dynamic Pinholes
This section describes how to configure routing rules to open up dynamic pinholes for Application Level Gateways (ALG) functionality.
The following topics are covered in this section:
 
 
Creating Routing Ruledefs
To configure ECS routing rules for FTP and RTSP protocols, use the following configuration:
configure
  active-charging service <ecs_service_name>
     ruledef <ruledef_name>
        tcp either-port <operator> <value>
        rule-application routing
        end
Notes:
 
 
Configuring Routing Ruledefs in Rulebase
To configure the routing ruledefs in the rulebase, use the following configuration:
configure
  active-charging service <ecs_service_name>
     rulebase <rulebase_name>
        route priority <priority> ruledef <ruledef_name> analyzer { ftp-control | pptp | rtsp | sip advanced | tftp }
        rtp dynamic-flow-detection
        end
Notes:
 
For RTSP ALG processing, in the rulebase, the rtp dynamic-flow-detection command must be configured.
For SIP ALG processing, the advanced option must be configured to ensure that packets matching the routing rule will be routed to the SIP ALG for processing and not to the ECS SIP analyzer.
 
Enabling NAT ALG
To enable NAT ALGs, use the following configuration:
configure
  active-charging service <ecs_service_name>
     firewall nat-alg { all | ftp | pptp | rtsp | sip }
     idle-timeout alg-media <idle_timeout>
     end
Notes:
 
route priority 1 ruledef ftp analyzer ftp-control
route priority 2 ruledef rtsp analyzer rtsp
rtp dynamic-flow-detection
The idle-timeout alg-media <idle_timeout> CLI command configures the Media Inactivity Timeout setting. The timeout is applied to RTP and RTCP media flows that are created for SIP calls, and only to those flows that actually match the RTP and RTCP media pinholes created by the SIP ALG.
 
Configuring EDR Format
To configure EDR format for NAT-specific attributes, use the following configuration:
configure
  active-charging service <ecs_service_name>
     edr-format <edr_format_name>
        attribute sn-nat-subscribers-per-ip-address priority <priority>
        attribute sn-subscriber-nat-flow-ip priority <priority>
        attribute sn-subscriber-nat-flow-port priority <priority>
        end
 
Configuring UDR Format
To configure UDR format for NAT-specific attributes, use the following configuration:
configure
  active-charging service <ecs_service_name>
     udr-format <udr_format_name>
        attribute sn-subscriber-nat-flow-ip priority <priority>
        end
 
Configuring NAT Binding Record Format
To configure NBR format, use the following configuration:
configure
  active-charging service <ecs_service_name>
     edr-format <nbr_format_name>
        attribute sn-correlation-id priority <priority>
        rule-variable ip subscriber-ip-address priority <priority>
        attribute sn-fa-correlation-id priority <priority>
        attribute radius-fa-nas-ip-address priority <priority>
        attribute radius-fa-nas-identifier priority <priority>
        attribute radius-user-name priority <priority>
        attribute radius-calling-station-id priority <priority>
        attribute sn-nat-ip priority <priority>
        attribute sn-nat-port-block-start priority <priority>
        attribute sn-nat-port-block-end priority <priority>
        attribute sn-nat-binding-timer priority <priority>
        attribute sn-nat-subscribers-per-ip-address priority <priority>
        attribute sn-nat-realm-name priority <priority>
        attribute sn-nat-gmt-offset priority <priority>
        attribute sn-nat-port-chunk-alloc-dealloc-flag priority <priority>
        attribute sn-nat-port-chunk-alloc-time-gmt priority <priority>
        attribute sn-nat-port-chunk-dealloc-time-gmt priority <priority>
        attribute sn-nat-last-activity-time-gmt priority <priority>
        exit
     fw-and-nat policy <fw_nat_policy_name>
        nat binding-record edr-format <nbr_format_name> port-chunk-allocation port-chunk-release
        end
Notes:
 
The NBR format name configured in the edr-format <nbr_format_name> and the nat binding-record edr-format <nbr_format_name> commands must be the same.
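The many-to-one pool parameters (napt-users-per-ip-address, port-chunk-size, max-chunks-per-user) and the NAT Binding Record attributes above together determine whether a NAT IP address and port observed at a given time can be traced back to one subscriber. The following Python model is an added example, not StarOS code and not part of this chapter: it allocates and releases port chunks under those limits, writes a record per allocation and release using the NBR attribute names listed above, and then answers the attribution question from that record trail. The usable port range, the flag encoding (1 for allocation, 0 for release), the addresses and the timestamps are assumptions constructed for the example.

```python
"""NAPT port-chunk allocation with NAT binding records (NBRs).

Added example, not StarOS code.  Models napt-users-per-ip-address,
port-chunk-size and max-chunks-per-user, emits one record per chunk
allocation/release with the NBR attribute names from this chapter, and uses
those records to attribute NAT ip:port at time T to a subscriber.  Port
range, flag encoding, addresses and timestamps are assumptions.
"""
from dataclasses import dataclass, field

USABLE_PORTS = (1024, 65535)        # assumption: ports below 1024 are never chunked


@dataclass
class NaptPool:
    realm: str
    addresses: list                 # public NAT IP addresses in the pool
    users_per_ip: int               # napt-users-per-ip-address
    chunk_size: int                 # port-chunk-size
    max_chunks_per_user: int        # max-chunks-per-user
    free_chunks: dict = field(init=False)
    held: dict = field(default_factory=dict)        # subscriber ip -> [(nat ip, (start, end))]
    records: list = field(default_factory=list)     # NBR trail

    def __post_init__(self):
        lo, hi = USABLE_PORTS
        starts = range(lo, hi - self.chunk_size + 2, self.chunk_size)
        self.free_chunks = {ip: [(s, s + self.chunk_size - 1) for s in starts] for ip in self.addresses}

    def users_on(self, ip):
        return {sub for sub, chunks in self.held.items() if any(i == ip for i, _ in chunks)}

    def _record(self, sub_ip, nat_ip, chunk, flag, t):
        self.records.append({
            "subscriber-ip-address": sub_ip,
            "sn-nat-realm-name": self.realm,
            "sn-nat-ip": nat_ip,
            "sn-nat-port-block-start": chunk[0],
            "sn-nat-port-block-end": chunk[1],
            "sn-nat-port-chunk-alloc-dealloc-flag": flag,           # assumed: 1 alloc, 0 release
            "sn-nat-port-chunk-alloc-time-gmt": t if flag == 1 else None,
            "sn-nat-port-chunk-dealloc-time-gmt": t if flag == 0 else None,
        })

    def allocate(self, sub_ip, t):
        """Give sub_ip one more port chunk, or None on allocation failure
        (the case 'nat allocation-failure send-icmp-dest-unreachable' covers)."""
        mine = self.held.get(sub_ip, [])
        if len(mine) >= self.max_chunks_per_user:
            return None
        # an existing subscriber stays on its NAT IP; a new one needs an IP with a free user slot
        candidates = sorted({ip for ip, _ in mine}) or [
            ip for ip in self.addresses if len(self.users_on(ip)) < self.users_per_ip]
        for ip in candidates:
            if self.free_chunks[ip]:
                chunk = self.free_chunks[ip].pop(0)
                self.held.setdefault(sub_ip, []).append((ip, chunk))
                self._record(sub_ip, ip, chunk, 1, t)
                return ip, chunk
        return None

    def release_all(self, sub_ip, t):
        """Return every chunk held by sub_ip (session end) and record each release."""
        for ip, chunk in self.held.pop(sub_ip, []):
            self.free_chunks[ip].append(chunk)
            self.free_chunks[ip].sort()
            self._record(sub_ip, ip, chunk, 0, t)


def who_used(records, nat_ip, port, t):
    """Attribute nat_ip:port at time t from the NBR trail.  A block is live from
    its allocation record until a release record for the same block and
    subscriber at or before t; blocks are reused, so the timestamp is what
    keeps the answer unambiguous."""
    same_block = [r for r in records if r["sn-nat-ip"] == nat_ip
                  and r["sn-nat-port-block-start"] <= port <= r["sn-nat-port-block-end"]]
    hits = set()
    for a in same_block:
        if a["sn-nat-port-chunk-alloc-dealloc-flag"] != 1 or a["sn-nat-port-chunk-alloc-time-gmt"] > t:
            continue
        released = any(
            r["sn-nat-port-chunk-alloc-dealloc-flag"] == 0
            and r["subscriber-ip-address"] == a["subscriber-ip-address"]
            and r["sn-nat-port-block-start"] == a["sn-nat-port-block-start"]
            and a["sn-nat-port-chunk-alloc-time-gmt"] <= r["sn-nat-port-chunk-dealloc-time-gmt"] <= t
            for r in same_block)
        if not released:
            hits.add(a["subscriber-ip-address"])
    return hits


def demo():
    """Constructed scenario: two public addresses, two users per address."""
    pool = NaptPool("nat_realm_a", ["203.0.113.1", "203.0.113.2"],
                    users_per_ip=2, chunk_size=1024, max_chunks_per_user=2)
    out = {}
    out["A1"] = pool.allocate("10.0.0.1", 100)
    out["B1"] = pool.allocate("10.0.0.2", 110)
    out["C1"] = pool.allocate("10.0.0.3", 120)      # first IP has two users, so second IP
    out["A2"] = pool.allocate("10.0.0.1", 130)      # second chunk, same NAT IP
    out["A3"] = pool.allocate("10.0.0.1", 140)      # None: max-chunks-per-user reached
    out["D1"] = pool.allocate("10.0.0.4", 150)
    out["E_fail"] = pool.allocate("10.0.0.5", 160)  # None: users-per-ip cap, chunks still free
    pool.release_all("10.0.0.1", 200)
    out["E1"] = pool.allocate("10.0.0.5", 210)      # reuses the block 10.0.0.1 held until t=200
    out["who"] = [who_used(pool.records, "203.0.113.1", 1500, t) for t in (150, 205, 250)]
    out["records"] = len(pool.records)
    return out


if __name__ == "__main__":
    print(demo())
```

Two points the scenario makes visible: an allocation can fail while the pool still has free port chunks, because napt-users-per-ip-address is exhausted on every address; and the same NAT IP and port block is handed to a different subscriber minutes after release, so both the allocation and the release records (port-chunk-allocation port-chunk-release) are needed to attribute a timestamped observation.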
 
Configuring Bulkstats Collection
To configure NAT realm bulk statistics collection, use the following configuration:
configure
  bulkstats collection
  bulkstats historical collection
  bulkstats mode
     sample-interval <sample_interval>
     transfer-interval <transfer_interval>
     file <file_number>
        remotefile format <format>
        receiver <ip_address> primary mechanism { tftp | { ftp | sftp } login <login> encrypted password <password> }
        exit
     nat-realm schema <schema_name> format <format_string>
     end
The following is a sample configuration for cumulative bulkstats collection:
nat-realm schema cumulativenatschema format "NAT-REALM Schema: cumulativenatschema\nVPN Name: %vpnname%\nRealm Name: %realmname%\n Total binding updates sent to AAA: %nat-bind-updates%\nTotal bytes transferred by realm: %nat-rlm-bytes-tx%\nTotal flows used by realm: %nat-rlm-flows%\nTotal flows denied IP: %nat-rlm-ip-denied%\nTotal flows denied ports: %nat-rlm-port-denied%\n-----------------------\n"
The following is a sample configuration for snapshot bulkstats collection:
nat-realm schema snapshotnatschema format "NAT-REALM Schema: snapshotnatschema\nVPN Name: %vpnname%\nRealm Name: %realmname%\nTotal NAT public IP address: %nat-rlm-ttl-ips%\nCurrent NAT public IP address in use: %nat-rlm-ips-in-use%\nCurrent subscribers using realm: %nat-rlm-current-users%\nTotal port chunks: %nat-rlm-ttl-port-chunks%\nCurrent port chunks in use: %nat-rlm-chunks-in-use%\n-----------------------\n"
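A schema format string like the two samples above is the only contract between the NAT realm counters and whatever parses the bulkstats file downstream, so a misspelled %variable% or an unescaped newline shows up only after the first transfer. The following Python code is an added example, not StarOS code and not part of this chapter: it extracts the placeholders from a format string, checks them against the variables used in this chapter's samples, and renders the schema from a dictionary of counters. The counter values are constructed; the set of known variables is limited to those that appear on this page.

```python
"""Parser/renderer for nat-realm bulkstats schema format strings.

Added example, not StarOS code.  A schema format string mixes literal text,
the two-character CLI escape '\\n' and %variable% placeholders.  This code
lists the placeholders, flags unknown ones and renders the schema from a
dictionary of counters.  Counter values are constructed.
"""
import re

PLACEHOLDER = re.compile(r"%([A-Za-z0-9_-]+)%")

# variables that appear in this chapter's two sample schemas
KNOWN_VARIABLES = {
    "vpnname", "realmname", "nat-bind-updates", "nat-rlm-bytes-tx", "nat-rlm-flows",
    "nat-rlm-ip-denied", "nat-rlm-port-denied", "nat-rlm-ttl-ips", "nat-rlm-ips-in-use",
    "nat-rlm-current-users", "nat-rlm-ttl-port-chunks", "nat-rlm-chunks-in-use",
}

# the snapshot schema from this chapter, as the CLI stores it (literal backslash-n)
SNAPSHOT_FORMAT = (
    "NAT-REALM Schema: snapshotnatschema\\nVPN Name: %vpnname%\\nRealm Name: %realmname%\\n"
    "Total NAT public IP address: %nat-rlm-ttl-ips%\\n"
    "Current NAT public IP address in use: %nat-rlm-ips-in-use%\\n"
    "Current subscribers using realm: %nat-rlm-current-users%\\n"
    "Total port chunks: %nat-rlm-ttl-port-chunks%\\n"
    "Current port chunks in use: %nat-rlm-chunks-in-use%\\n-----------------------\\n"
)

# constructed counters for one realm, as a collector might read them
SAMPLE_COUNTERS = {
    "vpnname": "isp_core", "realmname": "nat_realm_a",
    "nat-rlm-ttl-ips": 256, "nat-rlm-ips-in-use": 190,
    "nat-rlm-current-users": 3800, "nat-rlm-ttl-port-chunks": 16128,
    "nat-rlm-chunks-in-use": 9700,
}


def placeholders(fmt):
    """All %variable% names in order of appearance."""
    return PLACEHOLDER.findall(fmt)


def unknown_placeholders(fmt):
    """Placeholders that none of this chapter's sample schemas use."""
    return sorted(set(placeholders(fmt)) - KNOWN_VARIABLES)


def render(fmt, values):
    """Substitute every placeholder and turn the CLI's literal \\n into a newline.
    A placeholder without a value raises instead of emitting a half-filled record."""
    missing = [v for v in placeholders(fmt) if v not in values]
    if missing:
        raise KeyError(f"no value for {missing}")
    text = PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), fmt)
    return text.replace("\\n", "\n")


def chunk_utilisation(values):
    """Derived check from the snapshot counters: percent of port chunks in use."""
    return 100 * values["nat-rlm-chunks-in-use"] // values["nat-rlm-ttl-port-chunks"]


if __name__ == "__main__":
    print(render(SNAPSHOT_FORMAT, SAMPLE_COUNTERS))
    print("chunk utilisation:", chunk_utilisation(SAMPLE_COUNTERS), "%")
```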
 
Configuring NAT Thresholds
This section describes how to configure NAT thresholds.
The following topics are covered in this section:
 
 
Enabling Thresholds
To enable thresholds, use the following configuration:
configure
  threshold monitoring firewall
  context <context_name>
     threshold monitoring available-ip-pool-group
     end
Notes:
 
The threshold monitoring available-ip-pool-group command is required only if you are configuring IP pool thresholds. It is not required if you are only configuring NAT port chunks usage threshold.
 
Configuring Threshold Poll Interval
To configure threshold polling interval, use the following configuration:
configure
  threshold poll ip-pool-used interval <interval>
  threshold poll nat-port-chunks-usage interval <interval>
  end
 
Configuring Thresholds Limits
To configure threshold limits, use the following configuration:
configure
  context <context_name>
     threshold ip-pool-free <high_threshold> clear <low_threshold>
     threshold ip-pool-hold <high_threshold> clear <low_threshold>
     threshold ip-pool-release <high_threshold> clear <low_threshold>
     threshold ip-pool-used <high_threshold> clear <low_threshold>
     exit
  threshold nat-port-chunks-usage <high_threshold> clear <low_threshold>
  end
Notes:
 
Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context.
The thresholds configured for an individual NAT IP pool using the alert-threshold keyword take priority, i.e., they override the context-wide configuration above.
 
Enabling SNMP Notifications
To enable SNMP notifications, use the following configuration:
configure
  snmp trap { enable | suppress } { ThreshNATPortChunksUsage | ThreshClearNATPortChunksUsage }
  snmp trap { enable | suppress } { ThreshIPPoolUsed | ThreshIPPoolFree | ThreshIPPoolRelease | ThreshIPPoolHold | ThreshClearIPPoolUsed }
  end
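Each threshold command in this section takes a pair of values, the alarm threshold and a clear threshold, and the SNMP traps above come in matching Thresh/ThreshClear pairs. The following Python code is an added example, not StarOS code and not part of this chapter: it evaluates a constructed series of polled values against such a pair for a rising metric like nat-port-chunks-usage, generating the alarm trap when a sample reaches the high threshold and the clear trap only when a later sample falls to or below the clear threshold, and contrasts a wide gap with a narrow one. The trap names are those listed above; the sample series, the percentage scale and the exact comparison rules are assumptions.

```python
"""Hysteresis evaluation of a 'threshold <name> <high> clear <low>' pair.

Added example, not StarOS code.  An alarm trap is generated when a polled
sample reaches the high threshold and the clear trap only when a later sample
falls to or below the clear threshold, so a value oscillating between the two
produces one alarm/clear pair instead of a trap per poll interval.  Trap names
are from this chapter; samples and comparison rules are assumptions.
"""
from dataclasses import dataclass


@dataclass
class RisingThreshold:
    name: str
    high: int                   # <high_threshold>: sample >= high raises the alarm
    clear: int                  # <low_threshold>: sample <= clear lowers it again
    alarm_trap: str
    clear_trap: str
    raised: bool = False

    def __post_init__(self):
        if self.clear >= self.high:
            raise ValueError("clear threshold must be lower than the alarm threshold")

    def observe(self, sample):
        """Feed one polled value; return the trap to send, or None."""
        if not self.raised and sample >= self.high:
            self.raised = True
            return self.alarm_trap
        if self.raised and sample <= self.clear:
            self.raised = False
            return self.clear_trap
        return None


def run_polls(threshold, samples):
    """Return [(sample, trap)] for each poll interval that produced a trap."""
    events = []
    for sample in samples:
        trap = threshold.observe(sample)
        if trap is not None:
            events.append((sample, trap))
    return events


# constructed port-chunk usage percentages, one per poll interval
SAMPLES = [50, 70, 82, 79, 85, 65, 61, 59, 75, 90]


def chunk_usage_events(clear):
    """Evaluate SAMPLES against 'threshold nat-port-chunks-usage 80 clear <clear>'."""
    t = RisingThreshold("nat-port-chunks-usage", high=80, clear=clear,
                        alarm_trap="ThreshNATPortChunksUsage",
                        clear_trap="ThreshClearNATPortChunksUsage")
    return run_polls(t, SAMPLES)


if __name__ == "__main__":
    print("clear 60:", chunk_usage_events(60))
    print("clear 79:", chunk_usage_events(79))
```

With the clear threshold at 60 the series produces three traps (alarm, clear, alarm); with it at 79 the same series produces five, because every dip just under 80 clears the alarm and the next rise raises it again. Sizing the gap is what keeps NAT port-chunk or IP-pool exhaustion traps actionable.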
 
Backing Out of NAT
This is a licensed feature requiring the [600-00-7871] NAT Bypass license. For more information please contact your local sales representative.
 
Configuring NAT Backout for APN
To configure a secondary IP pool that is not overwritten by the RADIUS-supplied list, use the following configuration. The configured secondary pool is appended to the RADIUS-supplied IP pool list or the APN-provided IP pool list, whichever is applicable during call setup.
Important: This configuration is only applicable to UMTS networks.
configure
  context <context_name>
     apn <apn_name>
        secondary ip pool <pool_name>
        exit
     busyout ip pool name <private_pool_name>
     end
Notes:
The secondary ip pool <pool_name> command is license dependent.
The busyout ip pool name <private_pool_name> command must be configured in the destination context. This command makes addresses from the specified IP pool in the current context unavailable once they are free.
 
Configuring NAT Backout for Subscribers
To configure a secondary IP pool that is not overwritten by the RADIUS-supplied list, use the following configuration. The configured secondary pool is appended to the RADIUS-supplied IP pool list or the subscriber-template-provided IP pool list, whichever is applicable during call setup.
configure
  context <context_name>
     subscriber default
        secondary ip pool <pool_name>
        exit
     busyout ip pool name <private_pool_name>
     end
Notes:
 
The secondary ip pool <pool_name> command is license dependent.
The busyout ip pool name <private_pool_name> command must be configured in the destination context. This command makes addresses from the specified IP pool in the current context unavailable once they are free.
 
Changing Firewall-and-NAT Policy in Mid-session
To change Firewall-and-NAT policy in mid-session, use the following configuration:
update active-charging { switch-to-fw-and-nat-policy <fw_nat_policy_name> | switch-to-rulebase <rulebase_name> } { all | callid <call_id> | fw-and-nat-policy <fw_nat_policy_name> | imsi <imsi> | ip-address <ipv4_address> | msid <msid> | rulebase <rulebase_name> | username <user_name> } [ -noconfirm ]
Notes:
 
 
Verifying the Configuration
To verify your configurations:
Step 1
show subscriber full
The output displays subscriber information. Verify the NAT IP pools associated with subscriber and the NAT IP addresses allocated from each pool.
If a pool type is not-on-demand, the pool’s type is indicated explicitly.
Step 2
show active-charging flows full
The output displays enhanced charging flow information.
For many-to-one NAT, verify the NAT IP address and NAT port used for the subscriber flow.
For one-to-one NAT, verify the NAT IP address.
For ICMP, the NAT IP address is displayed only if an active ICMP record is available.
 
Saving the Configuration
To save changes to the configuration, see the Verifying and Saving Your Configuration chapter.
 
Gathering NAT Statistics
The following table lists the commands that can be used to gather NAT statistics.
In the following table, the first column lists what statistics to gather and the second column lists the command to use.
Gathering NAT Statistics
show active-charging flows nat required nat-ip <nat_ip_address> nat-port <nat_port>
 
 

Cisco Systems Inc.