Cisco Cisco Packet Data Gateway (PDG) Documentation Roadmaps
Network Address Translation Overview
NAT Feature Overview ▀
Cisco ASR 5000 Series Product Overview ▄
OL-22937-01
Important:
In StarOS 8.x, NAT for CDMA and early UMTS releases used rulebase-based configurations,
whereas in later UMTS releases NAT used policy-based configurations. In StarOS 9.0 and later releases, NAT for
UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local
service representative.
UMTS and CDMA releases both use policy-based configurations. For more information, please contact your local
service representative.
Important:
In a Firewall-and-NAT policy, a maximum of three NAT IP pools can be configured. A subscriber
can be allocated only one NAT IP address per NAT IP pool, hence at anytime, there can only be a maximum of three
NAT IP addresses allocated to a subscriber.
NAT IP addresses allocated to a subscriber.
New NAT IP pools cannot be added to a policy if the maximum allowed is already configured in it. However, a pool
can be removed and then a new one added. When a pool is removed and a new one added, the pool that was removed
will stay associated with the subscriber as long as the subscriber has active flows using that pool. If the subscriber is
already associated with three NAT IP pools (maximum allowed), any new flows from that subscriber for the newly
added pool will be dropped. A deleted pool is disassociated from the subscriber on termination of all flows from that
subscriber using that pool. The new pool is associated with the subscriber only when the subscriber sends a packet to the
newly added pool.
can be removed and then a new one added. When a pool is removed and a new one added, the pool that was removed
will stay associated with the subscriber as long as the subscriber has active flows using that pool. If the subscriber is
already associated with three NAT IP pools (maximum allowed), any new flows from that subscriber for the newly
added pool will be dropped. A deleted pool is disassociated from the subscriber on termination of all flows from that
subscriber using that pool. The new pool is associated with the subscriber only when the subscriber sends a packet to the
newly added pool.
In the Firewall-and-NAT policy configuration, the NAT policy must be enabled. Once NAT is enabled for a subscriber,
the NAT IP address to be used is chosen from the NAT IP pools specified in matching access rules configured in the
Firewall-and-NAT policy.
the NAT IP address to be used is chosen from the NAT IP pools specified in matching access rules configured in the
Firewall-and-NAT policy.
The Firewall-and-NAT policy used for a subscriber can be changed either from the command line interface, or through
dynamic update of policy name in Diameter and RADIUS messages. In both the cases, NAT status on the active call
remains unchanged.
dynamic update of policy name in Diameter and RADIUS messages. In both the cases, NAT status on the active call
remains unchanged.
The Firewall-and-NAT policy to be used for a subscriber can be configured in:
ECS Rulebase: The default Firewall-and-NAT policy configured in the ECS rulebase has the least priority. If
there is no policy configured in the APN/subscriber template, and/or no policy to use is received from the
AAA/OCS, only then the default policy configured in the ECS rulebase is used.
AAA/OCS, only then the default policy configured in the ECS rulebase is used.
APN/Subscriber Template: The Firewall-and-NAT policy configured in the APN/subscriber template overrides
the default policy configured in the ECS rulebase. To use the default policy configured in the ECS rulebase, in
the APN/subscriber configuration, the command to use the default rulebase policy must be configured.
the APN/subscriber configuration, the command to use the default rulebase policy must be configured.
AAA/OCS: The Firewall-and-NAT policy to be used can come from the AAA server or the OCS. If the policy
comes from the AAA/OCS, it will override the policy configured in the APN/subscriber template and/or the
ECS rulebase.
ECS rulebase.
Important:
The Firewall-and-NAT policy received from the AAA and OCS have the same priority. Whichever
comes latest, either from AAA/OCS, is applied.
The Firewall-and-NAT policy to use can also be received from RADIUS during authentication.
Disabling NAT Policy
Important:
By default, NAT processing for subscribers is disabled.