Cisco Cisco Packet Data Gateway (PDG) Documentation Roadmaps
Network Address Translation Overview
▀ NAT Feature Overview
▄ Cisco ASR 5000 Series Product Overview
OL-22938-01
AAA/OCS: The Firewall-and-NAT policy to be used can come from the AAA server or the OCS. If the policy
comes from the AAA/OCS, it will override the policy configured in the APN/subscriber template and/or the
ECS rulebase.
ECS rulebase.
Important:
The Firewall-and-NAT policy received from the AAA and OCS have the same priority. Whichever
comes latest, either from AAA/OCS, is applied.
The Firewall-and-NAT policy to use can also be received from RADIUS during authentication.
Disabling NAT Policy
Important:
By default, NAT processing for subscribers is disabled.
NAT processing for subscribers is disabled in the following cases:
If the AAA/OCS sends the SN-Firewall-Policy AVP with the string ―disable‖, the locally configured Firewall-
and-NAT policy does not get applied.
If the SN-Firewall-Policy AVP is received with the string ―NULL‖, the existing Firewall-and-NAT policy will
continue.
If the SN-Firewall-Policy AVP is received with a name that is not configured locally, the subscriber session is
terminated.
Updating Firewall-and-NAT Policy in Mid-session
The Firewall-and-NAT policy can be updated mid-session provided the policy was enabled during call setup.
Important:
When the firewall AVP contains ―disable‖ during mid-session firewall policy change, there will be
no action taken as the Firewall-and-NAT policy cannot be disabled dynamically. The policy currently applied will
continue.
continue.
Important:
For all NAT-enabled subscribers, when the Firewall-and-NAT policy is deleted, the call is dropped.
In a Firewall-and-NAT policy, you can change the NAT enabled/disabled status at any time. However, the updated
NAT status will only be applied to new calls, active calls using that Firewall-and-NAT policy will remain unaffected.
NAT status will only be applied to new calls, active calls using that Firewall-and-NAT policy will remain unaffected.
Target-based NAT Configuration
A NAT IP pool can be selected based on the L3/L4 characteristics of a subscriber‘s flows. NAT can be configured such
that all subscriber traffic coming towards specific public IP address(es) always selects a specific NAT IP pool based on
the L3/L4 traffic characteristics.
that all subscriber traffic coming towards specific public IP address(es) always selects a specific NAT IP pool based on
the L3/L4 traffic characteristics.