Network Address Translation Overview
▄ Cisco ASR 5000 Series Product Overview
How NAT Works
The following steps describe how NAT works:
Step 1 In the subscriber profile received from the AAA Manager, the SessMgr checks for the following:
Enhanced Charging Service subsystem must be enabled
In the Firewall-and-NAT policy, NAT must be enabled
The Firewall-and-NAT policy must be valid
For Many-to-One NAT, at least one valid NAT IP pool must be configured in the Firewall-and-NAT
policy, and that NAT IP pool must be configured in the context
Step 2 If all of the above is true, once a private IP address is allocated to the subscriber, the NAT resource to be used for the
subscriber is determined. This is only applicable for not-on-demand allocation mode.
Important: The private IP addresses assigned to subscribers must be from the following ranges for
them to get translated: Class A 10.0.0.0 – 10.255.255.255, Class B 172.16.0.0 – 172.31.255.255, and Class C
192.168.0.0 – 192.168.255.255
Important: A subscriber can be allocated only one NAT IP address per NAT IP pool/NAT IP pool
group from a maximum of three pools/pool groups. Hence, at any point, there can be a maximum of three
NAT IP addresses allocated to a subscriber.
Step 3 Flow setup is based on the NAT mapping configured for the subscriber:
In case of one-to-one NAT mapping, the subscriber IP address is mapped to a public IP address. The
private source ports do not change. The SessMgr installs a flow using the NAT IP address and a
fixed port range (1–65535).
In case of many-to-one NAT mapping, a NAT IP address and a port from a port-chunk, are allocated for
each connection originating from the subscriber. In order to identify a particular subscriber call line,
the SessMgr installs a flow using NAT (public) IP address + NAT ports allocated for the subscriber.
The following figures illustrate the flow of packets in NAT processing.
To Next Page
Loading...
