Cisco Packet Data Gateway (PDG) Maintenance Manual
New Feature Summary
Generally Available 06-30-2010
Firewall Features in Release 8.1
This section provides information for new features in the Stateful Firewall product in
Release 8.1.
Network Address Translation (NAT)
The NAT feature translates non-routable private IP addresses to routable public IP
address(es) drawn from a pool of public IP addresses assigned for NAT. This reduces the
number of public IP addresses required to communicate with external networks, and
improves security because the IP address scheme of the internal network is masked from
external hosts, with every outgoing and incoming packet being translated. NAT can perform
address translation for both simple-IP and mobile-IP.
NAT can be selectively applied to different flows (5-tuple connections) originating from the
subscribers based on the flows' L3/L4 characteristics (Source-IP, Source-Port,
Destination-IP, Destination-Port, and Protocol). Some flows can be selectively marked for
“no NAT” processing based on the same L3/L4 characteristics.
NAT works by inspecting both incoming and outgoing IP datagrams and, as needed,
modifying the source IP address and port number in the IP header of outgoing datagrams to
reflect the configured NAT address mapping. The reverse NAT translation is applied to
incoming datagrams.
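The following is an added illustration of the two behaviours described above (selective “no NAT” marking by 5-tuple, and the forward/reverse translation of source and destination address/port); it is example code written for this section, not StarOS or Cisco code. The `Flow`, `Rule` and `Napt` names, the public pool, and the port allocation scheme are assumptions for the illustration; the addresses are constructed from documentation ranges. It also shows the security property the text alludes to: an inbound datagram with no existing mapping is dropped rather than forwarded to an internal host.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One datagram's L3/L4 5-tuple as seen by the gateway."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class Rule:
    """Hypothetical ruledef: match on destination/protocol, decide 'nat' or 'no-nat'."""
    action: str                     # "nat" or "no-nat"
    dst_net: str = "0.0.0.0/0"      # destination prefix to match
    dst_port: Optional[int] = None  # None matches any port
    proto: Optional[str] = None     # None matches any protocol

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.dst_ip) in ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == f.dst_port)
                and (self.proto is None or self.proto == f.proto))


class Napt:
    """Toy NAPT translator: one public (ip, port) per subscriber 5-tuple."""

    def __init__(self, public_pool, rules, first_port=1024):
        self.pool = list(public_pool)        # assumed pool of public addresses
        self.rules = rules                   # first matching rule wins
        self.ports = count(first_port)       # assumed port allocator
        self.out = {}    # private Flow -> (public_ip, public_port)
        self.back = {}   # (pub_ip, pub_port, remote_ip, remote_port, proto) -> private Flow

    def policy(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        return "nat"  # default: translate

    def outbound(self, f: Flow) -> Flow:
        """Subscriber -> external: rewrite source ip/port unless marked no-nat."""
        if self.policy(f) == "no-nat":
            return f
        if f not in self.out:
            pub_port = next(self.ports)
            pub_ip = self.pool[pub_port % len(self.pool)]
            self.out[f] = (pub_ip, pub_port)
            self.back[(pub_ip, pub_port, f.dst_ip, f.dst_port, f.proto)] = f
        pub_ip, pub_port = self.out[f]
        return replace(f, src_ip=pub_ip, src_port=pub_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """External -> subscriber: reverse the mapping; drop if none exists."""
        key = (f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto)
        priv = self.back.get(key)
        if priv is None:
            return None   # unsolicited datagram: no mapping, not forwarded
        return replace(f, dst_ip=priv.src_ip, dst_port=priv.src_port)


def demo():
    """Constructed traffic: one translated flow, one no-nat flow, one unsolicited inbound."""
    nat = Napt(public_pool=["203.0.113.10"],
               rules=[Rule("no-nat", dst_net="10.0.0.0/8")])
    web = nat.outbound(Flow("192.168.1.5", 40000, "198.51.100.7", 80, "tcp"))
    reply = nat.inbound(Flow("198.51.100.7", 80, web.src_ip, web.src_port, "tcp"))
    internal = nat.outbound(Flow("192.168.1.5", 40001, "10.20.30.40", 443, "tcp"))
    stray = nat.inbound(Flow("198.51.100.9", 1234, "203.0.113.10", 1024, "tcp"))
    return web, reply, internal, stray


if __name__ == "__main__":
    for name, pkt in zip(("web", "reply", "internal", "stray"), demo()):
        print(name, pkt)
```

The reverse table is keyed on the full remote endpoint as well as the public port, so only the host the subscriber actually contacted can reach the mapping; a different external host using the same public port gets no translation and the datagram is discarded.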
In StarOS 8.1, the NAT feature is only available for UMTS networks.
For more information, see the Personal Stateful Firewall Administration Guide.
Policy-based Firewall and NAT Functionality
In StarOS 8.1, Stateful Firewall releases for CDMA networks use rulebase-based
configurations. Earlier releases of Stateful Firewall and NAT for UMTS networks also used
rulebase-based configurations, but the current releases use policy-based configurations.
In the Policy-based Firewall and NAT implementation, Firewall-and-NAT policies are
configured in the ACS Firewall-and-NAT Policy Configuration Mode. Each policy contains
a set of ruledefs and the firewall/NAT configurations. Multiple such policies can be
configured; however, only one policy is applied to a subscriber at any point in time.
The policy used for a subscriber can be changed either from the CLI, or by a dynamic update
of the policy name in Diameter and RADIUS messages. In both cases the NAT status of the
active call remains unchanged.
For more information, see the Personal Stateful Firewall Administration Guide.