Target-Based NAT Configuration - Cisco ASR 5000 Series Product Overview

Network Address Translation Overview
Important: When the firewall AVP contains "disable" during a mid-session firewall policy change, no action is taken, because the Firewall-and-NAT policy cannot be disabled dynamically. The policy currently applied continues to be used.

Important: In a Firewall-and-NAT policy, you can change the NAT enabled/disabled status at any time. However, the updated NAT status is applied only to new calls; active calls using that Firewall-and-NAT policy remain unaffected.

Important: For all NAT-enabled subscribers, when the Firewall-and-NAT policy is deleted, the call is dropped.

Target-based NAT Configuration

A NAT IP pool can be selected based on the L3/L4 characteristics of a subscriber's flows. NAT can be configured so that all subscriber traffic towards specific public IP address(es) always selects a specific NAT IP pool, based on the L3/L4 characteristics of the traffic.

Important: A subscriber can be allocated only one NAT IP address per NAT IP pool/NAT IP pool group, from a maximum of three NAT IP pools/NAT IP pool groups. Hence, at any time, a maximum of three NAT IP addresses can be allocated to a subscriber.

This association is made with access ruledefs configured in the Firewall-and-NAT policy. The NAT IP pool/NAT IP address to be used for a subscriber flow is decided during rule match. When packets match an access ruledef, NAT is applied using the NAT IP address allocated to the subscriber from the NAT IP pool/NAT IP pool group configured in that access ruledef.

If no NAT IP pool/NAT IP pool group name is configured in the access ruledef matching the packet, and a NAT IP pool/NAT IP pool group is configured for "no ruledef matches", a NAT IP address from the NAT IP pool/NAT IP pool group configured for "no ruledef matches" is allocated to the flow.

If no NAT IP pool/NAT IP pool group is configured for "no ruledef matches", and a default NAT IP pool/NAT IP pool group is configured in the rulebase, a NAT IP address from this default NAT IP pool/NAT IP pool group is allocated to the flow.

If no NAT IP pool/NAT IP pool group is configured in any of the above cases, no NAT is performed for the flow. Also, if bypass NAT is configured in a matched access rule or for "no ruledef matches", NAT is not applied even if a default NAT IP pool/NAT IP pool group is configured. The order of priority is:
1. Bypass NAT
2. NAT IP pool/NAT IP pool group in ruledef
3. NAT IP pool/NAT IP pool group for "no-ruledef-matches"
4. Default NAT IP pool/NAT IP pool group

When a new NAT IP pool/NAT IP pool group is added to a Firewall-and-NAT policy, it is associated with an active subscriber (call) only if that call is associated with fewer than three (the maximum) NAT IP pools/NAT IP pool groups. If the subscriber is already associated with three NAT IP pools/NAT IP pool groups, any new flows referring to the newly added NAT IP pool/NAT IP pool group are dropped. The newly added NAT IP pool/NAT IP pool group is associated with the call only when one of the previously associated NAT IP pools/NAT IP pool groups is freed from the call.

OL-22938-02
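The selection order and the per-subscriber pool limit described above, modelled as an added Python example. This is not Cisco or StarOS code: it reproduces the four-step priority (bypass NAT, pool on the matched ruledef, pool for "no ruledef matches", default pool in the rulebase), the one-NAT-IP-per-pool rule, and the drop of flows that would need a fourth pool until one is freed. All pool names, addresses, ruledefs and flows are constructed, and first-match-wins evaluation of the ruledef list is an assumption made for the model.

```python
"""Model of target-based NAT pool selection under a Firewall-and-NAT policy.

Added example, not Cisco/StarOS code. Pool names, addresses, ruledefs and
flows are constructed; first-match-wins ruledef evaluation is an assumption.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

MAX_POOLS_PER_SUBSCRIBER = 3   # limit stated in the product overview
BYPASS = "bypass-nat"          # stands in for "bypass NAT" configured on a rule


@dataclass
class Flow:
    dst_ip: IPv4Address
    dst_port: int


@dataclass
class AccessRuledef:
    """L3/L4 match on the target (public) address and port."""
    name: str
    dst_net: IPv4Network
    dst_port: Optional[int] = None
    nat_pool: Optional[str] = None      # pool/pool-group name, BYPASS, or unset

    def matches(self, flow: Flow) -> bool:
        return flow.dst_ip in self.dst_net and (
            self.dst_port is None or self.dst_port == flow.dst_port)


@dataclass
class NatPool:
    name: str
    network: IPv4Network
    next_host: int = 1

    def allocate(self) -> IPv4Address:
        addr = self.network.network_address + self.next_host
        self.next_host += 1
        return addr


@dataclass
class FwNatPolicy:
    ruledefs: list                               # first matching ruledef wins (assumption)
    no_ruledef_matches_pool: Optional[str] = None
    default_pool: Optional[str] = None           # default pool in the rulebase


@dataclass
class Subscriber:
    """Per-call NAT state: pool name -> the single NAT IP held from that pool."""
    name: str
    nat_ips: dict = field(default_factory=dict)

    def release_pool(self, pool_name: str) -> None:
        self.nat_ips.pop(pool_name, None)        # pool freed from the call


def select_pool(policy: FwNatPolicy, flow: Flow) -> Optional[str]:
    """Pool name to use, BYPASS for no NAT, or None when nothing is configured."""
    for rd in policy.ruledefs:
        if rd.matches(flow):
            if rd.nat_pool is not None:          # bypass or a named pool on the rule
                return rd.nat_pool
            break                                # matched, but no pool on the rule
    if policy.no_ruledef_matches_pool is not None:
        return policy.no_ruledef_matches_pool    # may itself be BYPASS
    return policy.default_pool


def apply_nat(policy, pools, sub, flow):
    """Returns (verdict, nat_ip); verdict is 'nat', 'no-nat' or 'dropped'."""
    choice = select_pool(policy, flow)
    if choice is None or choice == BYPASS:
        return "no-nat", None
    if choice in sub.nat_ips:
        return "nat", sub.nat_ips[choice]        # one NAT IP per pool, reused per flow
    if len(sub.nat_ips) >= MAX_POOLS_PER_SUBSCRIBER:
        return "dropped", None                   # would be a fourth pool: dropped until one is freed
    sub.nat_ips[choice] = pools[choice].allocate()
    return "nat", sub.nat_ips[choice]


def flow(ip: str, port: int) -> Flow:
    return Flow(IPv4Address(ip), port)


def demo() -> list:
    pools = {n: NatPool(n, IPv4Network(net)) for n, net in [
        ("pool-dns", "203.0.113.0/24"), ("pool-web", "198.51.100.0/24"),
        ("pool-catchall", "192.0.2.0/24"), ("pool-http", "100.64.1.0/24"),
        ("pool-default", "100.64.0.0/24")]}
    policy = FwNatPolicy(
        ruledefs=[
            AccessRuledef("dns-resolver", IPv4Network("203.0.113.53/32"), 53, "pool-dns"),
            AccessRuledef("corp-vpn", IPv4Network("192.0.2.64/26"), None, BYPASS),
            AccessRuledef("https", IPv4Network("198.51.100.0/24"), 443, "pool-web"),
            AccessRuledef("any-other", IPv4Network("0.0.0.0/0")),   # no pool on the rule
        ],
        no_ruledef_matches_pool="pool-catchall",
        default_pool="pool-default",
    )
    sub = Subscriber("imsi-001")
    out = [apply_nat(policy, pools, sub, f) for f in (
        flow("203.0.113.53", 53),    # pool on ruledef       -> pool-dns
        flow("198.51.100.10", 443),  # pool on ruledef       -> pool-web
        flow("192.0.2.70", 500),     # bypass on ruledef     -> no NAT
        flow("8.8.8.8", 123),        # rule without pool     -> no-ruledef-matches pool
        flow("203.0.113.53", 53),    # same pool             -> same NAT IP
    )]
    # A pool added to the policy later, while the subscriber already holds three pools.
    policy.ruledefs.insert(0, AccessRuledef("http", IPv4Network("198.51.100.0/24"), 80, "pool-http"))
    out.append(apply_nat(policy, pools, sub, flow("198.51.100.10", 80)))   # dropped
    sub.release_pool("pool-web")
    out.append(apply_nat(policy, pools, sub, flow("198.51.100.10", 80)))   # now allocated
    # No no-ruledef-matches pool: the rulebase default applies. Bypass there beats the default.
    out.append(apply_nat(FwNatPolicy([], None, "pool-default"), pools, Subscriber("imsi-002"), flow("8.8.8.8", 123)))
    out.append(apply_nat(FwNatPolicy([], BYPASS, "pool-default"), pools, Subscriber("imsi-003"), flow("8.8.8.8", 123)))
    return [(v, None if ip is None else str(ip)) for v, ip in out]


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

The "dropped" verdict is the operationally interesting one: a pool added to a live policy is invisible to any subscriber already holding three pools, and flows that select it fail silently until one of the existing pools is released, so plan pool additions against that limit rather than expecting them to take effect for active calls.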
