IP Router Configuration 
7705 SAR OS Router Configuration Guide 43
NAT Zones
NAT configuration is based on zones. Zones segment a network, making it easier to control 
and organize traffic. A zone consists of a group of Layer 3 interfaces with common criteria, 
bundled together. NAT policies, which define a set of rules that determine how NAT should 
direct traffic, can be applied to the entire zone.
With source NAT, a traffic session can only be initiated from a private domain to a public 
domain. Unless a session is created, packets from the public domain cannot be forwarded to 
the private domain. All packets arriving from the private domain that are routed towards 
a public interface are checked to determine if they traverse a NAT zone. If so, the packets are 
examined against the NAT policy rules. If there is a match between the policy and the packet, 
NAT is applied to the packet. Source NAT changes the source IP address and the source port 
of the packet, based on the configured NAT pool.
Zones can be segmented as small as a single interface or as large as the maximum number of 
interfaces supported by the 7705 SAR. For example, in metrocell applications, all the SAPs on 
the access point used to aggregate the metrocell can be placed in a single zone (zone 2) and 
the uplink public interface can be placed in another zone (zone 1). All traffic routed between 
the two zones uses NAT rules based on the NAT policies created for zone 1 and zone 2.
An example of the above zone configuration is shown in Figure 2. 
Figure 2: Zone Configuration in a Mobile Backhaul Network
Note: 
• Zone 1 or zone 2 can be omitted if no specific security policy match criteria are required 
on the zone.
• If a packet does not travel between any zones, then NAT policies are not applied.
[Figure 2 image not reproduced. Labels in the diagram: metrocell, IPSec, MC IPSec, OAM traffic, Switch, 7705 SAR, NAT, NAT policy, IPSec Service Pair (Private VPRN & Public IES), VPRN 1 Private access, IES 2 access, IES 10 Public access, GRT, UPLINK Zone 1.]
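The zone check, policy match, and session behaviour described in this section, as an added conceptual model in Python (it is not Nokia code and not 7705 SAR configuration syntax). The interface names, addresses, starting port, the keying of sessions on the remote endpoint, and the handling of packets that match no rule are assumptions made for illustration.

```python
# Conceptual model of zone-based source NAT (added example, not 7705 SAR code).
# Interface names, addresses and the port range are constructed for illustration.
import ipaddress
from itertools import count

ZONE_OF = {"uplink": 1, "sap-metrocell-1": 2, "sap-metrocell-2": 2}  # interface -> zone
# NAT policy rules: (from zone, to zone, private source prefix, pool address)
RULES = [(2, 1, ipaddress.ip_network("10.0.0.0/24"), "192.0.2.1")]

class SourceNat:
    def __init__(self, first_port=1024):
        self.ports = count(first_port)   # next free source port in the pool
        self.out = {}                    # (src, sport, dst, dport) -> (pool ip, pool port)
        self.back = {}                   # (pool ip, pool port, dst, dport) -> (src, sport)

    def outbound(self, in_if, out_if, src, sport, dst, dport):
        """Private -> public. Returns the (src, sport) the packet leaves with."""
        zin, zout = ZONE_OF.get(in_if), ZONE_OF.get(out_if)
        if zin == zout:                  # packet does not travel between zones
            return (src, sport)          # so the NAT policy is not evaluated
        flow = (src, sport, dst, dport)
        if flow in self.out:             # existing session: reuse its mapping
            return self.out[flow]
        for rz_in, rz_out, prefix, pool_ip in RULES:
            if (rz_in, rz_out) == (zin, zout) and ipaddress.ip_address(src) in prefix:
                mapping = (pool_ip, next(self.ports))
                self.out[flow] = mapping                      # create the session
                self.back[mapping + (dst, dport)] = (src, sport)
                return mapping
        return (src, sport)              # no rule matched: NAT not applied (model assumption)

    def inbound(self, src, sport, dst, dport):
        """Public -> private. Returns the private (dst, dport), or None to drop."""
        # Only a session created from the private side can admit this packet.
        return self.back.get((dst, dport, src, sport))
```

A reply from the remote endpoint of an existing session is translated back to the private address; the same packet from any other public source finds no session and is dropped.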