NAT Configuration

This chapter describes how to configure the Network Address Translation (NAT) in-line service feature.
*IMPORTANT: In StarOS 8.x, NAT for CDMA and early UMTS releases used rulebase-based configurations, whereas in later UMTS releases NAT used policy-based configurations. In StarOS 9.0, NAT for UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local service representative.
The following topics are covered in this chapter:
Before You Begin
This section lists the steps to perform before you can start configuring NAT on a system.
Configuring the System
This section lists the high-level steps to configure NAT.
Configuring NAT
This section describes how to configure Policy-based NAT support in a system.
2. Optional: Configure port maps as described in the Configuring Port Maps section.
3. Optional: Configure host pools as described in the Configuring Host Pools section.
4. Optional: Configure IMSI pools as described in the Configuring IMSI Pools section.
14. Enable NAT support for APN/subscribers as described in the Enabling NAT for APN/Subscribers section.
15. Optional: Configure the default Firewall-and-NAT policy as described in the Configuring the Default Firewall-and-NAT Policy section.
22. Optional: Configure a secondary IP pool, which is not overwritten by the RADIUS supplied list, as described in the Backing Out of NAT section.
*IMPORTANT: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
Enabling the ECS Subsystem and Creating the ECS Service
To enable the ECS subsystem and create the enhanced charging service on the system, use the following configuration:
configure
require active-charging
active-charging service <service_name> [ -noconfirm ]
end
Configuring Port Maps
This is an optional configuration. To create and configure an application-port map for TCP and UDP protocols, use the following configuration:
configure
active-charging service <service_name>
port-map <port_map_name> [ -noconfirm ]
port { <port_number> | range <start_port> to <end_port> }
end
Notes:
- A maximum of 256 host pools, IMSI pools, and port maps each, and a combined maximum of 4096 rules (host pools + IMSI pools + port maps + charging ruledefs + access ruledefs + routing ruledefs) can be created in a system.
Configuring Host Pools
This is an optional configuration. To create and configure a host pool, use the following configuration:
configure
active-charging service <service_name>
host-pool <host_pool_name> [ -noconfirm ]
ip { <ip_address> | <ip_address/mask> | range <start_ip_address> to <end_ip_address> }
end
Configuring IMSI Pools
This is an optional configuration. To create and configure an IMSI pool, use the following configuration:
configure
active-charging service <service_name>
imsi-pool <imsi_pool_name> [ -noconfirm ]
imsi { <imsi_number> | range <start_imsi> to <end_imsi> }
end
Configuring Access Ruledefs
To create and configure an access rule definition, use the following configuration:
configure
active-charging service <service_name>
access-ruledef <access_ruledef_name> [ -noconfirm ]
bearer apn [ case-sensitive ] <operator> <value>
bearer imsi { <operator> <msid> | { !range | range } imsi-pool <imsi_pool_name> }
bearer username [ case-sensitive ] <operator> <user_name>
icmp { any-match <operator> <condition> | code <operator> <code> | type <operator> <type> }
ip { { { any-match | downlink | uplink } <operator> <condition> } | { { dst-address | src-address } { { <operator> { <ip_address> | <ip_address/mask> } } | { !range | range } host-pool <host_pool_name> } | protocol { { <operator> { <protocol> | <protocol_assignment> } } | { <operator> <protocol_assignment> } }
tcp { any-match <operator> <condition> | { { dst-port | either-port | src-port } { { <operator> <port_number> } | { !range | range } { <from_range> to <end_range> | port-map <port_map_name> } } }
udp { any-match <operator> <condition> | { dst-port | either-port | src-port } { <operator> <port_number> | { !range | range } { <from_range> to <end_range> | port-map <port_map_name> } } }
create-log-record
end
Notes:
- If neither the uplink nor the downlink field is configured, the rule is treated as applying to either direction, i.e., packets from any direction will match that rule.
- Access ruledefs are different from enhanced charging service ruledefs. A combined maximum of 4096 rules (host pools, IMSI pools, port maps, and access, charging, and routing ruledefs) can be created in a system. A combined maximum of 2048 access and charging ruledefs can be created in a system.
- Configuring access ruledefs involves the creation of several ruledefs with different sets of rules and parameters. For more information, see the Firewall Ruledef Configuration Mode Commands chapter of the Command Line Interface Reference.
Configuring NAT Realms
This section describes how to create and configure NAT realms.
The following topics are covered in this section:
Configuring One-to-One NAT Realms
To create and configure a One-to-One NAT realm, use the following configuration:
configure
context <context_name> [ -noconfirm ]
ip pool <nat_realm_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } nat-one-to-one [ alert-threshold [ { pool-free | pool-hold | pool-release | pool-used } <low_thresh> [ clear <high_thresh> ] + ] [ nat-binding-timer <binding_timer> ] [ nexthop-forwarding-address <ip_address> ] [ on-demand ] [ send-nat-binding-update ] [ srp-activate ] + ]
ip pool <pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } public <priority>
end
Notes:
- The IP addresses configured in the NAT realms within a context must not overlap. At any time, within a context, a NAT IP address may be configured in only one NAT realm.
- The IP addresses in a NAT realm may be contiguous, and must be assignable as a subnet or a range that constitutes less than an entire subnet.
- For many-to-one NAT realms, the default NAT binding timer value is 60 seconds. For one-to-one NAT realms, the binding timer is disabled by default, so IP addresses/port-chunks once allocated are never freed.
- Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
Configuring Many-to-One NAT Realms
To create and configure a Many-to-One NAT realm, use the following configuration:
configure
context <context_name> [ -noconfirm ]
ip pool <nat_realm_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } napt-users-per-ip-address <users> [ alert-threshold [ { pool-free | pool-hold | pool-release | pool-used } <low_thresh> [ clear <high_thresh> ] + ] [ max-chunks-per-user <chunks> ] [ nat-binding-timer <binding_timer> ] [ nexthop-forwarding-address <ip_address> ] [ on-demand ] [ port-chunk-size <size> ] [ port-chunk-threshold <threshold> ] [ send-nat-binding-update ] [ srp-activate ] + ]
ip pool <pool_name> { <ip_address> <subnet_mask> | <ip_address/mask> | range <start_ip_address> <end_ip_address> } public <priority>
end
Notes:
- The IP addresses configured in the NAT realms within a context must not overlap. At any time, within a context, a NAT IP address may be configured in only one NAT realm.
- The IP addresses in a NAT realm may be contiguous, and must be assignable as a subnet or a range that constitutes less than an entire subnet.
- For many-to-one NAT realms, the default NAT binding timer value is 60 seconds. For one-to-one NAT realms, the binding timer is disabled by default, so IP addresses/port-chunks once allocated are never freed.
- Thresholds configured using the alert-threshold keyword are specific to the pool that they are configured in. Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context, and override the threshold configurations set within individual pools.
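The non-overlap rule in the notes above is easy to violate once several realms share a context. The following lint, an added example rather than StarOS code, parses the `ip pool ... nat-one-to-one` and `ip pool ... napt-users-per-ip-address` lines of a context (the syntax subset shown in this section), flags overlapping NAT realms, and reports each realm's subscriber capacity; the configuration text, context and pool names are constructed for the example.

```python
# Added example, not StarOS code: a lint for the "ip pool ... nat-one-to-one"
# and "ip pool ... napt-users-per-ip-address" lines of a context. It checks the
# rule from the notes above that NAT realm addresses within a context must not
# overlap, and reports each realm's capacity (NAT IPs, and for many-to-one
# realms NAT IPs times napt-users-per-ip-address). SAMPLE_CONFIG is constructed.
import ipaddress
import re
from itertools import combinations

IP = r"\d+\.\d+\.\d+\.\d+"
POOL_RE = re.compile(
    rf"^\s*ip pool (?P<name>\S+) "
    rf"(?:(?P<addr>{IP}) (?P<mask>{IP})|(?P<cidr>{IP}/\d+)|range (?P<start>{IP}) (?P<end>{IP})) "
    r"(?P<kind>nat-one-to-one|napt-users-per-ip-address (?P<users>\d+)|public \d+)")


def parse_pools(config: str) -> dict:
    """Map context name -> list of (pool, kind, users_per_ip, first_ip, last_ip)."""
    pools, context = {}, None
    for line in config.splitlines():
        ctx = re.match(r"^\s*context (\S+)", line)
        if ctx:
            context = ctx.group(1)
            continue
        m = POOL_RE.match(line)
        if not m or context is None:
            continue
        if m["start"]:                      # range <start> <end>
            first = int(ipaddress.ip_address(m["start"]))
            last = int(ipaddress.ip_address(m["end"]))
        else:                               # <ip> <mask> or <ip/mask>
            net = ipaddress.ip_network(m["cidr"] or f"{m['addr']}/{m['mask']}", strict=False)
            first, last = int(net[0]), int(net[-1])
        if m["kind"] == "nat-one-to-one":
            kind, users = "one-to-one", 1
        elif m["users"]:
            kind, users = "many-to-one", int(m["users"])
        else:
            kind, users = "public", 0
        pools.setdefault(context, []).append((m["name"], kind, users, first, last))
    return pools


def check_context(pools: list) -> tuple:
    """Return (overlap errors, {realm: max subscribers}) for one context's NAT realms.
    Public pools are not NAT realms and are left out of the overlap check."""
    nat = [p for p in pools if p[1] != "public"]
    errors = [f"{a[0]} overlaps {b[0]}" for a, b in combinations(nat, 2)
              if a[3] <= b[4] and b[3] <= a[4]]
    capacity = {name: (last - first + 1) * users for name, _, users, first, last in nat}
    return errors, capacity


def lint(config: str) -> dict:
    """Map context name -> (errors, capacity)."""
    return {ctx: check_context(pools) for ctx, pools in parse_pools(config).items()}


# Constructed config: the third realm overlaps the second, which the lint must flag.
SAMPLE_CONFIG = """
context isp
  ip pool nat44-1to1 203.0.113.0 255.255.255.192 nat-one-to-one nat-binding-timer 120
  ip pool nat44-napt 203.0.113.64/26 napt-users-per-ip-address 32 port-chunk-size 1024
  ip pool nat44-bad range 203.0.113.100 203.0.113.110 napt-users-per-ip-address 8
  ip pool inet 198.51.100.0/24 public 1
end
"""

if __name__ == "__main__":
    for ctx, (errors, capacity) in lint(SAMPLE_CONFIG).items():
        print(ctx, capacity, errors or "no overlap")
```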
Configuring Firewall-and-NAT Policies
To create and configure a Firewall-and-NAT Policy, use the following configuration:
configure
active-charging service <service_name>
fw-and-nat policy <fw_nat_policy_name> [ -noconfirm ]
nat policy nat-required default-nat-realm <nat_realm_name>
access-rule priority <priority> { [ dynamic-only | static-and-dynamic ] access-ruledef <access_ruledef_name> { deny [ charging-action <charging_action_name> ] | permit [ nat-realm <nat_realm_name> | [ bypass-nat ] ] }
access-rule no-ruledef-matches { downlink | uplink } action { deny [ charging-action <charging_action_name> ] | permit [ bypass-nat | nat-realm <nat_realm_name> ] }
end
Notes:
- In StarOS 8.x, NAT for CDMA and early UMTS releases used rulebase-based configurations, whereas in later UMTS releases NAT used policy-based configurations. In StarOS 9.0, NAT for UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local service representative.
- The nat policy nat-required command enables NAT for all subscribers using the policy.
- A maximum of three NAT realms can be configured within a Firewall-and-NAT policy. A subscriber can be allocated only one NAT IP address per realm. Hence, at any time, there can be a maximum of three NAT IP addresses allocated to a subscriber.
- Rule matching is done for the first packet of a flow. Only when no rules match is the no-ruledef-matches configuration considered. The default setting for the uplink direction is "permit", and for the downlink direction "deny".
- Example: access-rule no-ruledef-matches uplink action permit nat-realm <nat_realm_name>
- If there is no NAT realm name configured in the matching access ruledef, NAT will be bypassed, i.e., NAT will not be applied to the flow.
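To make the decision sequence in the notes above concrete, here is an added example (not StarOS code) that models a Firewall-and-NAT policy: access-rules are tried in priority order on the first packet of a flow, a permit carries either a NAT realm or bypass-nat, an unmatched flow falls back to the per-direction no-ruledef-matches action (uplink permit, downlink deny by default), and the three-realm limit is enforced. The ruledef fields, port-map contents, realm names and packets are constructed for the example.

```python
# Added example, not StarOS code: models how a Firewall-and-NAT policy decides
# the first packet of a flow, per the notes above. Rule order, deny/permit,
# nat-realm vs bypass-nat and the no-ruledef-matches defaults (uplink permit,
# downlink deny) follow the text; ruledef fields, port-map contents and realm
# names are constructed for the example.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ruledef:
    """A simplified access-ruledef: every field that is set must match (AND)."""
    name: str
    direction: Optional[str] = None       # "uplink", "downlink" or None = either
    protocol: Optional[str] = None        # "tcp" / "udp"
    dst_ports: frozenset = frozenset()    # like "tcp dst-port range port-map X"

    def matches(self, pkt: dict) -> bool:
        if self.direction and pkt["direction"] != self.direction:
            return False
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        return not self.dst_ports or pkt["dst_port"] in self.dst_ports


@dataclass
class AccessRule:
    """access-rule priority <n> access-ruledef <name> { deny | permit ... }"""
    priority: int
    ruledef: Ruledef
    action: str                       # "deny" or "permit"
    nat_realm: Optional[str] = None   # permit nat-realm <name>; None = bypass-nat


class FwNatPolicy:
    MAX_REALMS = 3   # at most three NAT realms per policy (see notes)

    def __init__(self, rules, no_match=None):
        self.rules = sorted(rules, key=lambda r: r.priority)
        # access-rule no-ruledef-matches { uplink | downlink } action ...
        self.no_match = {"uplink": ("permit", None), "downlink": ("deny", None)}
        self.no_match.update(no_match or {})
        realms = {r.nat_realm for r in self.rules if r.nat_realm}
        realms |= {realm for _, realm in self.no_match.values() if realm}
        if len(realms) > self.MAX_REALMS:
            raise ValueError(f"policy references {len(realms)} NAT realms, max {self.MAX_REALMS}")

    def decide(self, pkt: dict) -> tuple:
        """Return (verdict, nat_realm) for the first packet of a flow."""
        for rule in self.rules:            # first matching rule wins
            if rule.ruledef.matches(pkt):
                return self._outcome(rule.action, rule.nat_realm)
        action, realm = self.no_match[pkt["direction"]]   # nothing matched
        return self._outcome(action, realm)

    @staticmethod
    def _outcome(action, realm):
        if action == "deny":
            return ("deny", None)
        # a permit with no NAT realm means the flow bypasses NAT
        return ("permit", realm) if realm else ("permit-bypass-nat", None)


def sample_policy() -> FwNatPolicy:
    """Constructed policy: block SMTP, NAT web traffic, bypass NAT for SIP, and
    (as the example command in the notes does) NAT any other uplink traffic."""
    web = Ruledef("web", "uplink", "tcp", frozenset({80, 443}))
    smtp = Ruledef("smtp", "uplink", "tcp", frozenset({25}))
    sip = Ruledef("sip", None, "udp", frozenset({5060}))
    return FwNatPolicy(
        [AccessRule(10, web, "permit", "natpool1"),
         AccessRule(5, smtp, "deny"),
         AccessRule(20, sip, "permit")],
        no_match={"uplink": ("permit", "natpool1")})


def pkt(direction: str, protocol: str, dst_port: int) -> dict:
    return {"direction": direction, "protocol": protocol, "dst_port": dst_port}
```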
Configuring Action on NAT IP Address/Port Allocation Failure
To configure sending ICMP error messages in the event of NAT IP address/port allocation failure, use the following configuration:
configure
active-charging service <service_name>
nat allocation-failure send-icmp-dest-unreachable
end
Configuring Action on Packets During NAT IP Allocation
To configure action to take on packets when NAT IP/NPU allocation is in progress, use the following configuration:
configure
active-charging service <service_name>
nat allocation-in-progress { buffer | drop }
end
Notes:
- In on-demand NAT IP allocation (wherein a NAT IP address is allocated to the subscriber when a packet is being sent), if no free NAT IP address is available, a NAT-IP Alloc Request is sent to the VPNMgr to get a NAT IP address. During that time packets are dropped. This command configures whether packets received while the IP Alloc Request to the VPNMgr is outstanding are buffered or dropped.
Configuring NAT TCP-2msl-timeout Setting
To configure NAT TCP 2msl Timeout setting, use the following configuration:
configure
active-charging service <service_name>
nat tcp-2msl-timeout <timeout>
end
Configuring Action on TCP Idle Timeout
To configure action to take on TCP idle timeout expiry for NAT flows, use the following configuration:
configure
active-charging service <service_name>
fw-and-nat policy <fw_nat_policy_name>
firewall tcp-idle-timeout-action { drop | reset }
end
Configuring Private IP NPU Flow Timeout Setting
To configure Private IP NPU Flow Timeout setting, use the following configuration:
configure
active-charging service <service_name>
fw-and-nat policy <fw_nat_policy_name>
nat private-ip-flow-timeout <timeout>
end
Notes:
- By default, for NAT-enabled calls the downlink private IP NPU flow will not be installed at call setup for a subscriber session. The flow will only be installed on demand. When there is no traffic on the private flow, the private IP flow will be removed after the configurable timeout period.
Configuring Flow Recovery
To configure Flow Recovery parameters for NAT flows, use the following configuration:
configure
active-charging service <service_name>
firewall flow-recovery { downlink | uplink } [ timeout <timeout> ]
end
Enabling NAT for APN/Subscribers
This section describes how to enable NAT support for APN/subscribers.
The following topics are covered in this section:
Enabling NAT for APN
*IMPORTANT: This configuration is only applicable to UMTS networks.
To configure the Firewall-and-NAT Policy within an APN, use the following configuration:
configure
context <context_name>
apn <apn_name>
fw-and-nat policy <fw_nat_policy_name>
end
Notes:
- <fw_nat_policy_name> must be a Firewall-and-NAT policy in which Firewall and NAT policy are enabled as described in the Configuring Firewall-and-NAT Policies section.
- To specify that the default Firewall-and-NAT policy configured in the rulebase be used for subscribers who use this APN, in the APN Configuration Mode, apply the following command: default fw-and-nat policy
Enabling NAT for Subscribers
To configure the Firewall-and-NAT Policy in a subscriber template, use the following configuration:
configure
context <context_name>
subscriber default
fw-and-nat policy <fw_nat_policy_name>
end
Notes:
- <fw_nat_policy_name> must be a Firewall-and-NAT policy in which Firewall and NAT policy are enabled as described in the Configuring Firewall-and-NAT Policies section.
- To specify that the default Firewall-and-NAT policy configured in the rulebase be used for subscribers, in the Subscriber Configuration Mode, apply the following command: default fw-and-nat policy
Configuring the Default Firewall-and-NAT Policy
This is an optional configuration to specify a default Firewall-and-NAT policy to use if in the APN/subscriber configurations the following command is configured:
default fw-and-nat policy
To create a rulebase and configure a default Firewall-and-NAT policy in it, use the following configuration:
configure
active-charging service <service_name>
rulebase <rulebase_name> [ -noconfirm ]
fw-and-nat default-policy <fw_nat_policy_name>
end
Configuring NAT ALGs/Dynamic Pinholes
This section describes how to configure routing rules to open up dynamic pinholes for Application Level Gateways (ALG) functionality.
The following topics are covered in this section:
Creating Routing Ruledefs
To configure ECS routing rules for FTP and RTSP protocols, use the following configuration:
configure
active-charging service <service_name>
ruledef <ruledef_name>
tcp either-port <operator> <value>
rule-application routing
end
Configuring Routing Ruledefs in Rulebase
To configure the routing ruledefs in the rulebase, use the following configuration:
configure
active-charging service <service_name>
rulebase <rulebase_name>
route priority <priority> ruledef <ruledef_name> analyzer { ftp-control | rtsp }
rtp dynamic-flow-detection
end
Notes:
- For RTSP ALG to work, in the rulebase, the rtp dynamic-flow-detection command must be configured.
Enabling NAT ALG
To enable NAT ALGs, use the following configuration:
configure
active-charging service <service_name>
firewall nat-alg { all | ftp | rtsp }
end
Notes:
- Example:
  route priority 1 ruledef ftp analyzer ftp-control
  route priority 2 ruledef rtsp analyzer rtsp
- Example:
  rtp dynamic-flow-detection
Configuring EDR Format
To configure EDR format for NAT-specific attributes, use the following configuration:
configure
active-charging service <service_name>
edr-format <edr_format_name>
attribute sn-nat-subscribers-per-ip-address priority <priority>
attribute sn-subscriber-nat-flow-ip priority <priority>
attribute sn-subscriber-nat-flow-port priority <priority>
end
Configuring UDR Format
To configure UDR format for NAT-specific attributes, use the following configuration:
configure
active-charging service <service_name>
udr-format <udr_format_name>
attribute sn-subscriber-nat-flow-ip priority <priority>
end
Configuring NAT Binding Record Format
To configure an NBR format, use the following configuration:
configure
active-charging service <service_name>
edr-format <nbr_format_name>
attribute sn-correlation-id priority <priority>
rule-variable ip subscriber-ip-address priority <priority>
attribute sn-fa-correlation-id priority <priority>
attribute radius-fa-nas-ip-address priority <priority>
attribute radius-fa-nas-identifier priority <priority>
attribute radius-user-name priority <priority>
attribute radius-calling-station-id priority <priority>
attribute sn-nat-ip priority <priority>
attribute sn-nat-port-block-start priority <priority>
attribute sn-nat-port-block-end priority <priority>
attribute sn-nat-binding-timer priority <priority>
attribute sn-nat-subscribers-per-ip-address priority <priority>
attribute sn-nat-realm-name priority <priority>
attribute sn-nat-gmt-offset priority <priority>
attribute sn-nat-port-chunk-alloc-dealloc-flag priority <priority>
attribute sn-nat-port-chunk-alloc-time-gmt priority <priority>
attribute sn-nat-port-chunk-dealloc-time-gmt priority <priority>
attribute sn-nat-last-activity-time-gmt priority <priority>
exit
fw-and-nat policy <fw_nat_policy_name>
nat binding-record edr-format <nbr_format_name> port-chunk-allocation port-chunk-release
end
Notes:
- The NBR format name configured in the edr-format <nbr_format_name> and the nat binding-record edr-format <nbr_format_name> commands must be the same.
Configuring Bulkstats Collection
To configure NAT realm bulk statistics collection, use the following configuration:
configure
bulkstats collection
bulkstats historical collection
bulkstats mode
sample-interval <sample_interval>
transfer-interval <transfer_interval>
file <file_number>
remotefile format <format>
receiver <ip_address> primary mechanism { tftp | { ftp | sftp } login <login> encrypted password <password> }
exit
nat-realm schema <schema_name> format <format_string>
end
The following is a sample configuration for cumulative bulkstats collection:
nat-realm schema cumulativenatschema format "NAT-REALM Schema: cumulativenatschema\nVPN Name: %vpnname%\nRealm Name: %realmname%\n Total binding updates sent to AAA: %nat-bind-updates%\nTotal bytes transferred by realm: %nat-rlm-bytes-tx%\nTotal flows used by realm: %nat-rlm-flows%\nTotal flows denied IP: %nat-rlm-ip-denied%\nTotal flows denied ports: %nat-rlm-port-denied%\n-----------------------\n"
The following is a sample configuration for snapshot bulkstats collection:
nat-realm schema snapshotnatschema format "NAT-REALM Schema: snapshotnatschema\nVPN Name: %vpnname%\nRealm Name: %realmname%\nTotal NAT public IP address: %nat-rlm-ttl-ips%\nCurrent NAT public IP address in use: %nat-rlm-ips-in-use%\nCurrent subscribers using realm: %nat-rlm-current-users%\nTotal port chunks: %nat-rlm-ttl-port-chunks%\nCurrent port chunks in use: %nat-rlm-chunks-in-use%\n-----------------------\n"
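The schema format strings above define, character for character, what the bulkstats receiver collects, so the same string can drive a parser on the collecting side. The following added example (not StarOS or Cisco code) builds a regular expression from the snapshot schema format shown above, parses the realm records out of a collected file, and rates public-IP and port-chunk utilisation per realm; the record values and realm names are constructed for the example.

```python
# Added example, not StarOS code: builds a parser from the snapshot nat-realm
# schema format string above, reads the records a bulkstats receiver collects,
# and rates public-IP and port-chunk usage per realm. The schema string is the
# one from this page; the collected values are constructed for the example.
import re

SNAPSHOT_FORMAT = (
    "NAT-REALM Schema: snapshotnatschema\\nVPN Name: %vpnname%\\nRealm Name: %realmname%"
    "\\nTotal NAT public IP address: %nat-rlm-ttl-ips%\\nCurrent NAT public IP address in use: "
    "%nat-rlm-ips-in-use%\\nCurrent subscribers using realm: %nat-rlm-current-users%\\nTotal port "
    "chunks: %nat-rlm-ttl-port-chunks%\\nCurrent port chunks in use: %nat-rlm-chunks-in-use%"
    "\\n-----------------------\\n")

VAR_RE = re.compile(r"%([A-Za-z0-9-]+)%")


def render(fmt: str, values: dict) -> str:
    """Expand a schema format the way the collector writes it: the literal \\n
    becomes a newline and each %variable% is replaced by its value."""
    text = fmt.replace("\\n", "\n")
    return VAR_RE.sub(lambda m: str(values[m.group(1)]), text)


def format_to_regex(fmt: str) -> re.Pattern:
    """Turn the format into a regex with one named group per %variable%
    (hyphens become underscores, since group names cannot contain '-')."""
    text, parts, pos = fmt.replace("\\n", "\n"), [], 0
    for m in VAR_RE.finditer(text):
        parts.append(re.escape(text[pos:m.start()]))
        parts.append(f"(?P<{m.group(1).replace('-', '_')}>[^\n]*)")
        pos = m.end()
    parts.append(re.escape(text[pos:]))
    return re.compile("".join(parts))


def parse_records(collected: str, fmt: str = SNAPSHOT_FORMAT) -> list:
    """Return one dict per realm record found in the collected file."""
    records = []
    for m in format_to_regex(fmt).finditer(collected):
        records.append({k.replace("_", "-"): (int(v) if v.isdigit() else v)
                        for k, v in m.groupdict().items()})
    return records


def utilisation(rec: dict) -> dict:
    """Percent of public IPs and of port chunks in use for one realm."""
    def pct(used, total):
        return round(100.0 * used / total, 1) if total else 0.0
    return {"realm": rec["realmname"],
            "ip-used-pct": pct(rec["nat-rlm-ips-in-use"], rec["nat-rlm-ttl-ips"]),
            "chunk-used-pct": pct(rec["nat-rlm-chunks-in-use"], rec["nat-rlm-ttl-port-chunks"])}


def realms_over(records: list, limit_pct: float) -> list:
    """Realms whose IP or port-chunk usage is at or above limit_pct."""
    return [u["realm"] for u in map(utilisation, records)
            if max(u["ip-used-pct"], u["chunk-used-pct"]) >= limit_pct]


# Constructed snapshot values for two realms, written out as the collector would.
SAMPLE_COLLECTED = render(SNAPSHOT_FORMAT, {
    "vpnname": "isp", "realmname": "nat44-napt", "nat-rlm-ttl-ips": 64,
    "nat-rlm-ips-in-use": 60, "nat-rlm-current-users": 1800,
    "nat-rlm-ttl-port-chunks": 4032, "nat-rlm-chunks-in-use": 3700,
}) + render(SNAPSHOT_FORMAT, {
    "vpnname": "isp", "realmname": "nat44-1to1", "nat-rlm-ttl-ips": 64,
    "nat-rlm-ips-in-use": 12, "nat-rlm-current-users": 12,
    "nat-rlm-ttl-port-chunks": 0, "nat-rlm-chunks-in-use": 0,
})

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_COLLECTED):
        print(utilisation(rec))
    print("over 90%:", realms_over(parse_records(SAMPLE_COLLECTED), 90))
```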
Configuring NAT Thresholds
This section describes how to configure NAT thresholds.
The following topics are covered in this section:
Enabling Thresholds
To enable thresholds, use the following configuration:
configure
threshold monitoring firewall
context <context_name>
threshold monitoring available-ip-pool-group
end
Configuring Threshold Poll Interval
To configure threshold polling interval, use the following configuration:
configure
threshold poll ip-pool-used interval <interval>
threshold poll nat-port-chunks-usage interval <interval>
end
Configuring Thresholds Limits
To configure threshold limits, use the following configuration:
configure
context <context_name>
threshold ip-pool-free <high_thresh> [ clear <low_thresh> ]
threshold ip-pool-hold <high_thresh> [ clear <low_thresh> ]
threshold ip-pool-release <high_thresh> [ clear <low_thresh> ]
threshold ip-pool-used <high_thresh> [ clear <low_thresh> ]
exit
threshold nat-port-chunks-usage <high_thresh> [ clear <low_thresh> ]
end
Notes:
- Thresholds configured using the threshold ip-pool-* commands in the Context Configuration Mode apply to all IP pools in the context.
- The thresholds configured for an individual NAT pool using the alert-threshold keyword take priority, i.e., they override the above context-wide configuration.
Enabling SNMP Notifications
To enable SNMP notifications, use the following configuration:
configure
snmp trap { enable | suppress } { ThreshNATPortChunksUsage | ThreshClearNATPortChunksUsage }
snmp trap { enable | suppress } { ThreshIPPoolUsed | ThreshIPPoolFree | ThreshIPPoolRelease | ThreshIPPoolHold | ThreshClearIPPoolUsed }
end
Backing Out of NAT
*IMPORTANT: This is a licensed feature requiring the [600-00-7871] NAT Bypass license. Please contact your local sales representative for more information.
Configuring NAT Backout for APN
*IMPORTANT: This configuration is only applicable to UMTS networks.
To configure a secondary IP pool that is not overwritten by the RADIUS supplied list, use the following configuration. The secondary pool configured is appended to the RADIUS supplied IP pool list or the APN provided IP pool list, whichever is applicable during call setup.
configure
context <context_name>
apn <apn_name>
secondary ip pool <pool_name>
exit
busyout ip pool name <private_pool_name>
end
Notes:
- The secondary ip pool <pool_name> command is license dependent.
- The busyout ip pool name <private_pool_name> command must be configured in the destination context. This command makes addresses from the specified IP pool in the current context unavailable once they are free.
Configuring NAT Backout for Subscribers
To configure a secondary IP pool that is not overwritten by the RADIUS supplied list, use the following configuration. The secondary pool configured is appended to the RADIUS supplied IP pool list or the subscriber template provided IP pool list, whichever is applicable during call setup.
configure
context <context_name>
subscriber default
secondary ip pool <pool_name>
exit
busyout ip pool name <private_pool_name>
end
Notes:
- The secondary ip pool <pool_name> command is license dependent.
- The busyout ip pool name <private_pool_name> command must be configured in the destination context. This command makes addresses from the specified IP pool in the current context unavailable once they are free.
Changing Firewall-and-NAT Policy in Mid-session
To change Firewall-and-NAT policy in mid-session, in the Exec mode, use the following command:
update active-charging { switch-to-fw-and-nat-policy <fw_nat_policy_name> | switch-to-rulebase <rulebase_name> } { all | callid <call_id> | fw-and-nat-policy <fw_nat_policy_name> | imsi <imsi> | ip-address <ipv4_address> | msid <msid> | rulebase <rulebase_name> | username <user_name> } [ -noconfirm ]
Notes:
- To be able to change the Firewall-and-NAT policy in mid-session, Firewall-and-NAT must have been enabled for the subscriber in the APN/Subscriber template configuration, or in the rulebase (the default policy) during call setup.
- The above command takes effect only for current calls. For new calls, the RADIUS returned/APN/Subscriber template/rulebase configured policy is used.
Verifying the Configuration
To verify your configurations:
1. show subscriber full
   The output displays subscriber information. Verify the NAT pools associated with a subscriber and the NAT IP addresses allocated from each pool.
   If a pool type is not-on-demand, the pool's type is indicated explicitly.
2. show active-charging flows full
   The output displays active charging flow information. Verify the NAT IP address and NAT port used for the subscriber flow.
   In case of one-to-one NAT, only the NAT IP address is displayed.
   For ICMP, the NAT IP address is displayed only if an active ICMP record is available.
Gathering NAT Statistics
The following table lists the commands that can be used to gather NAT statistics.
In the following table, the first column lists what statistics to gather and the second column lists the action to perform.

Action to perform: show active-charging nat statistics nat-realm <nat_realm_name>

Action to perform: show active-charging fw-and-nat policy statistics name <fw_nat_policy_name>

Action to perform: show active-charging rulebase statistics name <rulebase_name>

Statistics to gather: Information for subscriber flows with NAT enabled, and using a specific NAT IP address.
Action to perform: show active-charging flows nat required nat-ip <nat_ip_address>

Statistics to gather: Information for subscriber flows with NAT enabled, and using a specific NAT IP address and NAT port number.
Action to perform: show active-charging flows nat required nat-ip <nat_ip_address> nat-port <nat_port>

Action to perform: show active-charging sessions nat { not-required | required }

Action to perform: show active-charging firewall statistics nat-realm <nat_realm_name>

Statistics to gather: Information for all current subscribers who have either active or dormant sessions. Check the IP address associated with the subscriber.

Statistics to gather: Information for subscribers with NAT processing enabled and using the specified NAT IP address.

Statistics to gather: Information for subscribers with NAT processing enabled and using the specified NAT realm.
Action to perform: show subscribers nat required nat-realm <nat_realm_name>
Saving the Configuration
To save changes made to the system configuration, see the Saving Your Configuration chapter.

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883