Configuring IP Router Parameters
7705 SAR OS Router Configuration Guide
In Figure 2, the OAM traffic from the metrocell is not encrypted. The OAM traffic is 
aggregated into a single VPRN service and IPSec functionality encrypts the OAM traffic. The 
encrypted traffic enters IES 10 with an IPSec header that has a routable IP destination address 
(typically to a security gateway) in addition to the encrypted payload. The far end destination 
IP address can be reached through IES uplink zone 1 or GRT uplink zone 1. Since the traffic 
from IES 10 to the uplink zone crosses a zone boundary, the zone policy is applied to the 
uplink interface, and NAT is applied to the packet. The source IP address in the packet is 
replaced with the IP address of the uplink interface.
Similarly, in Figure 2, traffic from the metrocell (indicated by the dashed line) is encrypted 
by the metrocell with a valid IP header that contains a destination IP address (typically to a 
security gateway). The far end destination is reachable through IES uplink zone 1 or GRT 
uplink zone 1. The packet has NAT applied to it because the packet must cross a zone 
boundary. The source IP address of the metrocell packet that enters IES 2 is replaced with the 
source IP address of IES uplink zone 1 as it exits the 7705 SAR. In addition, the source 
UDP/TCP port may also be replaced depending on the NAT policy configured for the zone.
In both of the cases described above, NAT is applied to the IP traffic according to NAT zone 
policy rules configured for IES uplink zone 1 or GRT uplink zone 1.
When NAT is used in conjunction with IPSec, all IPSec tunnels must be configured 
(enabled) with NAT Traversal (NAT-T) functionality. Enabling NAT-T on IPSec inserts a 
UDP header below the IPSec IP header. NAT can use the UDP port in this header to 
uniquely identify each IPSec tunnel.
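The following added example (not from this guide, and not the 7705 SAR implementation) is a simplified Python model of source NAT at an uplink zone. It shows why two metrocells sending plain ESP to the same security gateway cannot be told apart on the return path, while NAT-T's UDP port gives each tunnel a unique key. The class and function names, the addresses and the port pool are assumptions constructed for illustration; UDP port 4500 is the NAT-T port from RFC 3948.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "ESP" (no ports) or "UDP" (NAT-T encapsulation)
    sport: Optional[int] = None
    dport: Optional[int] = None

class ZoneSourceNat:
    """Toy model of source NAT applied as traffic exits through an uplink zone."""
    def __init__(self, uplink_ip: str, first_port: int = 20000):
        self.uplink_ip = uplink_ip
        self.next_port = first_port
        self.flows = {}      # (src, sport, dst) -> translated source port
        self.sessions = {}   # key seen on return traffic -> original (src, sport)

    def outbound(self, pkt: Packet) -> Packet:
        nat_port = None
        if pkt.proto == "UDP":
            flow = (pkt.src, pkt.sport, pkt.dst)
            if flow not in self.flows:            # one translated port per flow
                self.flows[flow] = self.next_port
                self.next_port += 1
            nat_port = self.flows[flow]
            key = ("UDP", pkt.dst, nat_port)
        else:
            key = (pkt.proto, pkt.dst)            # portless: only the peer address
        owner = self.sessions.setdefault(key, (pkt.src, pkt.sport))
        if owner != (pkt.src, pkt.sport):
            raise LookupError(f"{pkt.proto} to {pkt.dst}: return path is ambiguous")
        return replace(pkt, src=self.uplink_ip, sport=nat_port)

    def inbound(self, pkt: Packet) -> Packet:
        key = ("UDP", pkt.src, pkt.dport) if pkt.proto == "UDP" else (pkt.proto, pkt.src)
        src, sport = self.sessions[key]
        return replace(pkt, dst=src, dport=sport)

def demo():
    gw, nat = "203.0.113.10", ZoneSourceNat("198.51.100.1")   # constructed addresses
    nat.outbound(Packet("10.0.0.11", gw, "ESP"))              # first metrocell, plain ESP
    try:
        nat.outbound(Packet("10.0.0.12", gw, "ESP"))          # second metrocell collides
        esp_distinct = True
    except LookupError:
        esp_distinct = False
    a = nat.outbound(Packet("10.0.0.11", gw, "UDP", 4500, 4500))   # NAT-T, RFC 3948
    b = nat.outbound(Packet("10.0.0.12", gw, "UDP", 4500, 4500))
    reply = nat.inbound(Packet(gw, nat.uplink_ip, "UDP", 4500, b.sport))
    return esp_distinct, (a.src, a.sport), (b.src, b.sport), (reply.dst, reply.dport)
```

Calling `demo()` returns whether the two plain-ESP tunnels could be kept distinct, the translated source address and port of each NAT-T tunnel, and where a gateway reply addressed to the second tunnel's port is delivered.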
With static destination NAT, when packets from a public domain arrive at a zone, their source 
and destination IP addresses are evaluated to determine from which interface within the zone 
the packet will egress.
Zone Direction
NAT policies can be configured based on traffic direction entering (inbound) the zone or 
leaving (outbound) the zone. A zone can be configured so that all traffic inbound to the zone 
has NAT applied to it based on the configured NAT policy for that zone. Likewise, a zone 
can be configured so that all traffic leaving the zone has NAT applied to it.
An example of inbound zone direction is shown in Figure 3. All traffic entering zone 2 has 
NAT applied to it based on the configured NAT policy assigned to zone 2.