Cisco Packet Data Gateway (PDG) Documentation Roadmaps
Network Address Translation Overview
NAT Feature Overview
Cisco ASR 5000 Series Product Overview
OL-22938-01
NAT Feature Overview
This section provides an overview of the NAT in-line service feature.
NAT translates non-routable private IP addresses to routable public IP addresses drawn from a pool of public IP addresses
that have been designated for NAT. This conserves the number of public IP addresses required to communicate with
external networks, and improves security because the internal network's IP addressing scheme is hidden from external
hosts and every outgoing and incoming packet passes through the translation process.
NAT works by inspecting both incoming and outgoing IP datagrams and, as needed, modifying the source IP address
and port number in the IP header to reflect the configured NAT address mapping for outgoing datagrams. The reverse
NAT translation is applied to incoming datagrams.
NAT can be used to perform address translation for simple IP and mobile IP. NAT can be selectively applied/denied to
different flows (5-tuple connections) originating from subscribers based on the flows' L3/L4 characteristics—Source-IP,
Source-Port, Destination-IP, Destination-Port, and Protocol.
Important:
NAT works only on flows originating internally. Bi-directional NAT is not supported.
Important:
NAT is supported only for TCP, UDP, and ICMP flows. For other flows NAT is bypassed. For GRE
flows, NAT is supported only if the PPTP ALG is configured. For more information on ALGs, please refer to the
Important:
If a subscriber is assigned with a public IP address, NAT is not applied.
Important:
To get NATed, the private IP addresses assigned to subscribers must be from the following ranges:
Class A 10.0.0.0 – 10.255.255.255, Class B 172.16.0.0 – 172.31.255.255, and Class C 192.168.0.0 – 192.168.255.255
NAT supports the following mappings:
One-to-One: In one-to-one NAT, each private IP address is mapped to a unique public NAT IP address. The
private source ports do not change.
When a private IP address (IP1:port1) is mapped to a public IP address (IP2:port1), any packets from IP1:port1
will be sent as though via IP2:port1. The external host can only send packets to IP2:port1, which are translated
to IP1:port1. The NAT port number will be the same as the source private port.
Many-to-One: In many-to-one NAT, multiple private IP addresses are mapped to a single public NAT IP
address. In order to distinguish between different subscribers and between different connections originating from the same
subscriber, internal private L4 source ports are translated to pre-assigned L4 NAT ports. Ports are allocated in
chunks such that each private IP address is reserved a set of ports for future use. This is also known as Network
Address Port Translation (NAPT).
Once a flow is marked to use a specific NAT IP address the same NAT IP address is used for all packets originating on
that flow. The NAT IP address is released only when all flows and subscribers associated with it are released.
When all NAT IP addresses are in use, and a subscriber with a private IP address fails to get a NAT IP address for a
specific flow, that specific flow will not be allowed and will fail.
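The two mappings and the pool-exhaustion rule described above, as an added Python simulation that is not Cisco code: the private address ranges and the TCP/UDP/ICMP protocol set come from the text, while the public addresses, port base, chunk size and number of chunks are constructed assumptions.

```python
import ipaddress

# Private ranges the text lists as NAT-eligible, and the protocols NAT handles.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAT_PROTOCOLS = {"tcp", "udp", "icmp"}

def nat_eligible(proto, src_ip):
    """NAT applies only to TCP/UDP/ICMP from the private ranges; anything else is bypassed."""
    return proto in NAT_PROTOCOLS and any(ipaddress.ip_address(src_ip) in n for n in PRIVATE_RANGES)

class OneToOneNat:
    """Each private IP gets its own public IP from the pool; the source port is unchanged."""
    def __init__(self, pool):
        self.free, self.map = list(pool), {}
    def outbound(self, proto, src_ip, src_port):
        if not nat_eligible(proto, src_ip):
            return ("bypass", src_ip, src_port)
        if src_ip not in self.map:
            if not self.free:
                return ("fail", None, None)  # pool exhausted: the flow is not allowed
            self.map[src_ip] = self.free.pop(0)
        return ("nat", self.map[src_ip], src_port)

class ManyToOneNat:
    """NAPT: one public IP; each private IP is reserved a chunk of NAT ports (chunk size is an assumption)."""
    def __init__(self, public_ip, port_base=1024, chunk_size=32, chunks=4):
        self.public_ip, self.base, self.size, self.max = public_ip, port_base, chunk_size, chunks
        self.chunk = {}    # private IP -> index of its reserved port chunk
        self.used = {}     # private IP -> ports consumed from its chunk
        self.flows = {}    # (proto, private IP, private port) -> NAT port
        self.reverse = {}  # (proto, NAT port) -> (private IP, private port)
    def outbound(self, proto, src_ip, src_port):
        if not nat_eligible(proto, src_ip):
            return ("bypass", src_ip, src_port)
        key = (proto, src_ip, src_port)
        if key in self.flows:  # an existing flow keeps its mapping
            return ("nat", self.public_ip, self.flows[key])
        if src_ip not in self.chunk:
            if len(self.chunk) >= self.max:
                return ("fail", None, None)  # no chunk left for a new subscriber
            self.chunk[src_ip], self.used[src_ip] = len(self.chunk), 0
        if self.used[src_ip] >= self.size:
            return ("fail", None, None)  # this subscriber's chunk is exhausted
        nat_port = self.base + self.chunk[src_ip] * self.size + self.used[src_ip]
        self.used[src_ip] += 1
        self.flows[key], self.reverse[(proto, nat_port)] = nat_port, (src_ip, src_port)
        return ("nat", self.public_ip, nat_port)
    def inbound(self, proto, dst_port):
        """Reverse translation for a reply to public_ip:dst_port; None when no flow owns the port."""
        return self.reverse.get((proto, dst_port))
```

Non-private sources and non-TCP/UDP/ICMP flows come back as "bypass" untouched, while an exhausted pool or chunk yields "fail", matching the behaviour the text describes.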