Cisco Cisco Packet Data Gateway (PDG) Guia De Resolução De Problemas
Network Address Translation Overview
NAT Feature Overview ▀
Cisco ASR 5000 Series Network Address Translation Administration Guide ▄
OL-22992-01
Important:
A subscriber can be allocated only one NAT IP address per NAT IP pool/NAT IP pool group from a
maximum of three NAT IP pools/NAT IP pool groups. Hence, at anytime, there can only be a maximum of three NAT
IP addresses allocated to a subscriber.
IP addresses allocated to a subscriber.
This association is done with the help of access ruledefs configured in the Firewall-and-NAT policy. The NAT IP
pool/NAT IP address to be used for a subscriber flow is decided during rule match. When packets match an access
ruledef, NAT is applied using the NAT IP address allocated to the subscriber from the NAT IP pool/NAT IP pool group
configured in that access ruledef.
pool/NAT IP address to be used for a subscriber flow is decided during rule match. When packets match an access
ruledef, NAT is applied using the NAT IP address allocated to the subscriber from the NAT IP pool/NAT IP pool group
configured in that access ruledef.
If no NAT IP pool/NAT IP pool group name is configured in the access ruledef matching the packet, and if there is a
NAT IP pool/NAT IP pool group configured for ―no ruledef matches‖, a NAT IP address from the NAT IP pool/NAT IP
pool group configured for ―no ruledef matches‖ is allocated to the flow.
NAT IP pool/NAT IP pool group configured for ―no ruledef matches‖, a NAT IP address from the NAT IP pool/NAT IP
pool group configured for ―no ruledef matches‖ is allocated to the flow.
If no NAT IP pool/NAT IP pool group is configured for ―no ruledef matches‖ and if there is a default NAT IP
pool/NAT IP pool group configured in the rulebase, a NAT IP address from this default NAT IP pool/NAT IP pool
group is allocated to the flow.
pool/NAT IP pool group configured in the rulebase, a NAT IP address from this default NAT IP pool/NAT IP pool
group is allocated to the flow.
If a NAT IP pool/NAT IP pool group is not configured in any of the above cases, no NAT will be performed for the
flow. Or, if bypass NAT is configured in a matched access rule or for ―no ruledef matches‖ then NAT will not be
applied even if the default NAT IP pool/NAT IP pool group is configured. The order of priority is:
flow. Or, if bypass NAT is configured in a matched access rule or for ―no ruledef matches‖ then NAT will not be
applied even if the default NAT IP pool/NAT IP pool group is configured. The order of priority is:
1. Bypass NAT
2. NAT IP pool/NAT IP pool group in ruledef
3. NAT IP pool/NAT IP pool group for ―no-ruledef-matches‖
4. Default NAT IP pool/NAT IP pool group
2. NAT IP pool/NAT IP pool group in ruledef
3. NAT IP pool/NAT IP pool group for ―no-ruledef-matches‖
4. Default NAT IP pool/NAT IP pool group
When a new NAT IP pool/NAT IP pool group is added to a Firewall-and-NAT policy, it is associated with the active
subscriber (call) only if that call is associated with less than three (maximum limit) NAT IP pools/NAT IP pool groups.
If the subscriber is already associated with three NAT IP pools/NAT IP pool groups, any new flows referring to the
newly added NAT IP pool/NAT IP pool group will get dropped. The newly added NAT IP pool/NAT IP pool group is
associated to a call only when one of the previously associated NAT IP pools/NAT IP pool groups is freed from the call.
subscriber (call) only if that call is associated with less than three (maximum limit) NAT IP pools/NAT IP pool groups.
If the subscriber is already associated with three NAT IP pools/NAT IP pool groups, any new flows referring to the
newly added NAT IP pool/NAT IP pool group will get dropped. The newly added NAT IP pool/NAT IP pool group is
associated to a call only when one of the previously associated NAT IP pools/NAT IP pool groups is freed from the call.
NAT Application Level Gateway
Some network applications exchange IP/port information of the host endpoints as part of the packet payload. This
information is used to create new flows, by server or client.
information is used to create new flows, by server or client.
As part of NAT ALGs, the IP/port information is extracted from the payload, and the flows are allowed dynamically
(through pinholes). IP and port translations are done accordingly. However, the sender application may not be aware of
these translations since these are transparent, so they insert the private IP or port in the payload as usual.
(through pinholes). IP and port translations are done accordingly. However, the sender application may not be aware of
these translations since these are transparent, so they insert the private IP or port in the payload as usual.
For example, FTP NAT ALG interprets ―PORT‖ and ―PASV reply‖ messages, and NAT translates the same in the
payload so that FTP happens transparently through NAT. This payload-level translation is handled by the NAT ALG
module.
payload so that FTP happens transparently through NAT. This payload-level translation is handled by the NAT ALG
module.
The NAT module will have multiple NAT ALGs for each individual application or protocol.