Nat Feature Overview - Cisco ASR 5000 series Product Overview

Network Address Translation Overview

NAT Feature Overview

This section provides an overview of the NAT in-line service feature.
NAT translates non-routable private IP addresses to routable public IP addresses drawn from a pool of public IP addresses that have been designated for NAT. This conserves the number of public IP addresses required to communicate with external networks, and improves security because the internal network's IP address scheme is masked from external hosts and every outgoing and incoming packet passes through the translation process.
NAT works by inspecting both incoming and outgoing IP datagrams and, as needed, modifying the source IP address and port number in the packet headers to reflect the configured NAT address mapping for outgoing datagrams. The reverse NAT translation is applied to incoming datagrams.
NAT can be used to perform address translation for simple IP and mobile IP. NAT can be selectively applied or denied to different flows (5-tuple connections) originating from subscribers based on the flows' L3/L4 characteristics: Source-IP, Source-Port, Destination-IP, Destination-Port, and Protocol.
Important: NAT works only on flows originating internally. Bi-directional NAT is not supported.
Important: NAT is supported only for TCP, UDP, and ICMP flows. For other flows NAT is bypassed. For GRE flows, NAT is supported only if the PPTP ALG is configured. For more information on ALGs, please refer to the Application Level Gateway section.
Important: If a subscriber is assigned a public IP address, NAT is not applied.
Important: To be NATed, the private IP addresses assigned to subscribers must be from the following ranges: Class A 10.0.0.0 – 10.255.255.255, Class B 172.16.0.0 – 172.31.255.255, and Class C 192.168.0.0 – 192.168.255.255.
NAT supports the following mappings:
One-to-One: In one-to-one NAT each private IP address is mapped to a unique public NAT IP address. The private source ports do not change.
When a private IP address (IP1:port1) is mapped to a public IP address (IP2:port1), any packets from IP1:port1 will be sent as though from IP2:port1. The external host can only send packets to IP2:port1, which are translated to IP1:port1. The NAT port number will be the same as the source private port.
Many-to-One: In many-to-one NAT, multiple private IP addresses are mapped to a single public NAT IP address. In order to distinguish between different subscribers and between different connections originating from the same subscriber, internal private L4 source ports are translated to pre-assigned L4 NAT ports. Ports are allocated in chunks, so that each private IP address is reserved a set of ports for future use. This is also known as Network Address Port Translation (NAPT).
Once a flow is marked to use a specific NAT IP address, the same NAT IP address is used for all packets originating on that flow. The NAT IP address is released only when all flows and subscribers associated with it are released.
When all NAT IP addresses are in use, and a subscriber with a private IP address fails to get a NAT IP address for a specific flow, that specific flow is not allowed and fails.
All downlink (inbound from external networks) IP packets that do not match one of the existing NAT bindings are discarded by the system.
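The many-to-one (NAPT) behaviour described above, as an added toy model that is not Cisco code: it checks the subscriber address against the three private ranges, bypasses non-TCP/UDP/ICMP flows, carves NAT ports out of a shared public IP in chunks per private IP, reuses a flow's binding, fails a new flow when the NAT port space is exhausted, and drops inbound packets with no binding. The public pool, chunk size and port range are constructed values, and binding each private IP to one NAT IP is a simplification of the model.

```python
import ipaddress

# Constructed sample values; real chunk size and port range are ASR 5000 configuration.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAT_PROTOCOLS = {"tcp", "udp", "icmp"}
CHUNK = 4                        # NAT ports reserved per private IP at a time
PORT_LO, PORT_HI = 1024, 1032    # NAT port space per public IP (upper bound exclusive)


def is_private(ip):
    """True when a subscriber address lies in one of the three private ranges."""
    return any(ipaddress.ip_address(ip) in r for r in PRIVATE_RANGES)


class Napt:
    def __init__(self, public_pool):
        self.next_port = {ip: PORT_LO for ip in public_pool}  # next free port per NAT IP
        self.nat_ip_of = {}    # private IP -> NAT IP it is bound to (simplification)
        self.free_ports = {}   # private IP -> unused ports of its current chunk
        self.outbound = {}     # private 5-tuple -> (nat_ip, nat_port)
        self.inbound = {}      # (nat_ip, nat_port, remote_ip, remote_port, proto) -> (priv_ip, priv_port)

    def _reserve_chunk(self, priv_ip):
        """Reserve CHUNK ports for priv_ip on a NAT IP with room; False when exhausted."""
        if priv_ip not in self.nat_ip_of:
            for nat_ip, port in self.next_port.items():
                if port + CHUNK <= PORT_HI:
                    self.nat_ip_of[priv_ip] = nat_ip
                    break
            else:
                return False
        nat_ip = self.nat_ip_of[priv_ip]
        start = self.next_port[nat_ip]
        if start + CHUNK > PORT_HI:
            return False
        self.next_port[nat_ip] = start + CHUNK
        self.free_ports[priv_ip] = list(range(start, start + CHUNK))
        return True

    def outbound_packet(self, src_ip, src_port, dst_ip, dst_port, proto):
        """Translate an uplink 5-tuple; unchanged when NAT is bypassed, None when the flow fails."""
        flow = (src_ip, src_port, dst_ip, dst_port, proto)
        if proto not in NAT_PROTOCOLS or not is_private(src_ip):
            return flow
        if flow not in self.outbound:
            if not self.free_ports.get(src_ip) and not self._reserve_chunk(src_ip):
                return None
            nat_ip, nat_port = self.nat_ip_of[src_ip], self.free_ports[src_ip].pop(0)
            self.outbound[flow] = (nat_ip, nat_port)
            self.inbound[(nat_ip, nat_port, dst_ip, dst_port, proto)] = (src_ip, src_port)
        nat_ip, nat_port = self.outbound[flow]
        return (nat_ip, nat_port, dst_ip, dst_port, proto)

    def inbound_packet(self, dst_ip, dst_port, src_ip, src_port, proto):
        """Reverse-translate a downlink packet; None means no binding, so it is discarded."""
        bound = self.inbound.get((dst_ip, dst_port, src_ip, src_port, proto))
        return None if bound is None else (src_ip, src_port, bound[0], bound[1], proto)
```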
