Cisco Cisco Packet Data Gateway (PDG) Documentation Roadmaps
Network Address Translation Overview
NAT Feature Overview ▀
Cisco ASR 5000 Series Product Overview ▄
OL-22937-01
If a NAT IP pool is not configured in any of the above cases, no NAT will be performed for the flow. Or, if bypass NAT
is configured in a matched access rule or for ―no ruledef matches‖ then NAT will not be applied even if the default NAT
IP pool is configured. The order of priority is:
is configured in a matched access rule or for ―no ruledef matches‖ then NAT will not be applied even if the default NAT
IP pool is configured. The order of priority is:
1. Bypass NAT
2. NAT IP pool in ruledef
3. NAT IP pool for ―no-ruledef-matches‖
4. Default NAT IP pool
2. NAT IP pool in ruledef
3. NAT IP pool for ―no-ruledef-matches‖
4. Default NAT IP pool
When a new NAT IP pool is added to a Firewall-and-NAT policy, it is associated with the active subscriber (call) only
if that call is associated with less than three (maximum limit) NAT IP pools. If the subscriber is already associated with
three NAT IP pools, any new flows referring to the newly added NAT IP pool will get dropped. The newly added NAT
IP pool is associated to a call only when one of the previously associated NAT IP pools is freed from the call.
if that call is associated with less than three (maximum limit) NAT IP pools. If the subscriber is already associated with
three NAT IP pools, any new flows referring to the newly added NAT IP pool will get dropped. The newly added NAT
IP pool is associated to a call only when one of the previously associated NAT IP pools is freed from the call.
NAT Application Level Gateway
Some network applications exchange IP/port information of the host endpoints as part of the packet payload. This
information is used to create new flows, by server or client.
information is used to create new flows, by server or client.
As part of NAT ALGs, the IP/port information is extracted from the payload, and the flows are allowed dynamically
(through pinholes). IP and port translations are done accordingly. However, the sender application may not be aware of
these translations since these are transparent, so they insert the private IP or port in the payload as usual.
(through pinholes). IP and port translations are done accordingly. However, the sender application may not be aware of
these translations since these are transparent, so they insert the private IP or port in the payload as usual.
For example, FTP NAT ALG interprets ―PORT‖ and ―PASV reply‖ messages, and NAT translates the same in the
payload so that FTP happens transparently through NAT. This payload-level translation is handled by the NAT ALG
module.
payload so that FTP happens transparently through NAT. This payload-level translation is handled by the NAT ALG
module.
The NAT module will have multiple NAT ALGs for each individual application or protocol.
Supported NAT ALGs
This release supports NAT ALGs only for the following protocols:
File Transfer Protocol (FTP)
Real Time Streaming Protocol (RTSP)
For NAT ALG processing, in the rulebase, routing rules must be configured to route packets to the corresponding
analyzers.
analyzers.
EDRs and UDRs
This section describes the NAT-specific attributes supported in EDRs and UDRs.