Cisco Mobility Unified Reporting User Guide
Network Address Translation Overview
▀ NAT Overview
▄ Cisco ASR 5000 Series Product Overview
694
OL-24419-05
Important:
For all NAT-enabled subscribers, when the Firewall-and-NAT policy is deleted, the call is dropped.
In a Firewall-and-NAT policy, you can change the NAT enabled/disabled status at any time. However, the updated
NAT status is applied only to new calls; active calls that use that Firewall-and-NAT policy remain unaffected.
Target-based NAT Configuration
A NAT IP pool can be selected based on the L3/L4 characteristics of a subscriber's flows. NAT can be configured such
that all subscriber traffic destined for specific public IP address(es) always selects a specific NAT IP pool based on
the L3/L4 traffic characteristics (destination address and port).
Important:
A subscriber can be allocated only one NAT IP address per NAT IP pool/NAT IP pool group, from a
maximum of three NAT IP pools/NAT IP pool groups. Hence, at any time, there can be a maximum of three NAT
IP addresses allocated to a subscriber.
This association is done with the help of access ruledefs configured in the Firewall-and-NAT policy. The NAT IP
pool/NAT IP address to be used for a subscriber flow is decided during rule match. When packets match an access
ruledef, NAT is applied using the NAT IP address allocated to the subscriber from the NAT IP pool/NAT IP pool group
configured in that access ruledef.
If no NAT IP pool/NAT IP pool group name is configured in the access ruledef matching the packet, and if there is a
NAT IP pool/NAT IP pool group configured for “no ruledef matches”, a NAT IP address from the NAT IP pool/NAT IP
pool group configured for “no ruledef matches” is allocated to the flow.
If no NAT IP pool/NAT IP pool group is configured for “no ruledef matches” and if there is a default NAT IP
pool/NAT IP pool group configured in the rulebase, a NAT IP address from this default NAT IP pool/NAT IP pool
group is allocated to the flow.
If a NAT IP pool/NAT IP pool group is not configured in any of the above cases, no NAT is performed for the
flow. If bypass NAT is configured in a matched access rule or for “no ruledef matches”, NAT is not
applied even if a default NAT IP pool/NAT IP pool group is configured. The order of priority is:
1. Bypass NAT
2. NAT IP pool/NAT IP pool group in ruledef
3. NAT IP pool/NAT IP pool group for “no-ruledef-matches”
4. Default NAT IP pool/NAT IP pool group
When a new NAT IP pool/NAT IP pool group is added to a Firewall-and-NAT policy, it is associated with an active
subscriber (call) only if that call is associated with fewer than three (the maximum limit) NAT IP pools/NAT IP pool groups.
If the subscriber is already associated with three NAT IP pools/NAT IP pool groups, any new flows referring to the
newly added NAT IP pool/NAT IP pool group are dropped. The newly added NAT IP pool/NAT IP pool group is
associated with the call only when one of the previously associated NAT IP pools/NAT IP pool groups is freed from the call.
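The pool-selection priority and the three-pools-per-subscriber limit described above, as an added worked example. This is not Cisco code and not the ASR 5000 CLI; the data model (AccessRuledef, FirewallNatPolicy, NatPool, Subscriber), the first-match rule ordering, the toy address allocator and all pool names and addresses are assumptions constructed for illustration. The example follows the text literally: the “no ruledef matches” setting is consulted both when no access ruledef matches and when the matching ruledef names no pool, bypass NAT wins over every pool, and a flow that needs a fourth pool is dropped until one of the subscriber's pools is freed.

```python
"""Target-based NAT pool selection, modelled on the priority order
bypass > pool in ruledef > pool for no-ruledef-matches > default pool.
Added example with a hypothetical data model; not Cisco code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

MAX_POOLS_PER_SUBSCRIBER = 3  # documented limit: one NAT IP per pool, at most three pools


@dataclass
class AccessRuledef:
    """One access ruledef in a Firewall-and-NAT policy (hypothetical model)."""
    name: str
    dst_net: str                      # L3 target: public destination network
    dst_port: Optional[int] = None    # L4 target: destination port, None = any
    nat_pool: Optional[str] = None    # NAT IP pool / NAT IP pool group name
    bypass_nat: bool = False


@dataclass
class FirewallNatPolicy:
    ruledefs: List[AccessRuledef]            # evaluated first-match (assumption)
    no_match_pool: Optional[str] = None      # pool for "no ruledef matches"
    no_match_bypass: bool = False            # bypass NAT for "no ruledef matches"
    default_pool: Optional[str] = None       # default pool in the rulebase


@dataclass
class NatPool:
    """Toy allocator: hands out the next unused address of the pool."""
    addresses: List[str]
    next_free: int = 0

    def allocate(self) -> str:
        addr = self.addresses[self.next_free]
        self.next_free += 1
        return addr


@dataclass
class Subscriber:
    # pool name -> the single NAT IP this subscriber holds from that pool
    allocations: Dict[str, str] = field(default_factory=dict)


def match_ruledef(policy: FirewallNatPolicy, dst_ip: str, dst_port: int):
    ip = ip_address(dst_ip)
    for rd in policy.ruledefs:
        if ip in ip_network(rd.dst_net) and rd.dst_port in (None, dst_port):
            return rd
    return None


def select_pool(policy: FirewallNatPolicy, dst_ip: str, dst_port: int):
    """Return ('bypass', None), ('nat', pool_name) or ('no-nat', None)."""
    rd = match_ruledef(policy, dst_ip, dst_port)
    if rd is not None and rd.bypass_nat:        # 1. bypass NAT in the matched rule
        return "bypass", None
    if rd is not None and rd.nat_pool:          # 2. pool named in the ruledef
        return "nat", rd.nat_pool
    if policy.no_match_bypass:                  # 1. bypass NAT for "no ruledef matches"
        return "bypass", None
    if policy.no_match_pool:                    # 3. pool for "no ruledef matches"
        return "nat", policy.no_match_pool
    if policy.default_pool:                     # 4. default pool in the rulebase
        return "nat", policy.default_pool
    return "no-nat", None                       # nothing configured: no NAT at all


def nat_flow(sub: Subscriber, pools: Dict[str, NatPool], policy: FirewallNatPolicy,
             dst_ip: str, dst_port: int) -> str:
    """Return the NAT IP used for the flow, or 'BYPASS', 'NO-NAT' or 'DROP'."""
    action, pool = select_pool(policy, dst_ip, dst_port)
    if action != "nat":
        return action.upper()
    if pool in sub.allocations:                 # one NAT IP per pool: reuse it
        return sub.allocations[pool]
    if len(sub.allocations) >= MAX_POOLS_PER_SUBSCRIBER:
        return "DROP"                           # would need a fourth pool
    sub.allocations[pool] = pools[pool].allocate()
    return sub.allocations[pool]


def demo() -> List[str]:
    """Constructed policy, pools and flows; returns the per-flow outcome."""
    pools = {
        "pool-web": NatPool(["203.0.113.10", "203.0.113.11"]),
        "pool-dns": NatPool(["198.51.100.5"]),
        "pool-mail": NatPool(["192.0.2.20"]),
        "pool-default": NatPool(["203.0.113.100"]),
    }
    policy = FirewallNatPolicy(
        ruledefs=[
            AccessRuledef("to-web", "203.0.113.0/24", 443, nat_pool="pool-web"),
            AccessRuledef("to-dns", "198.51.100.0/24", 53, nat_pool="pool-dns"),
            AccessRuledef("to-mail", "192.0.2.0/24", 25, nat_pool="pool-mail"),
            AccessRuledef("to-mgmt", "10.0.0.0/8", bypass_nat=True),
        ],
        no_match_pool=None,             # nothing for "no ruledef matches" ...
        default_pool="pool-default",    # ... so the rulebase default applies
    )
    sub = Subscriber()
    flows = [("203.0.113.50", 443), ("203.0.113.50", 443), ("198.51.100.9", 53),
             ("10.1.2.3", 22), ("198.51.100.9", 80), ("192.0.2.30", 25)]
    results = [nat_flow(sub, pools, policy, ip, port) for ip, port in flows]
    sub.allocations.pop("pool-dns")    # one pool freed from the call
    results.append(nat_flow(sub, pools, policy, "192.0.2.30", 25))
    return results
```

In the demo the first three NAT'd flows occupy pool-web, pool-dns and the rulebase default pool, so the mail flow that would need pool-mail as a fourth pool is dropped; it succeeds only after pool-dns is freed from the call. The flow to 10.1.2.3 hits the bypass ruledef and is never NAT'd, regardless of the default pool.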
NAT Application Level Gateway
Some network applications exchange the IP address and port of the host endpoints as part of the packet payload. This
information is used by the server or client to create new flows.