Documente Academic
Documente Profesional
Documente Cultură
Multimedia Core
Platforms
Network Address
Translation
Administration
Guide
Version 9.0
Generally Available
03-31-2010
NOTICE OF COPYRIGHT
The material contained in this document is for informational purposes only and is subject to change without notice.
No part of this document may be reproduced, transmitted, transcribed, or stored in a retrieval system in any form or
by any means, mechanical, magnetic, optical, chemical, or otherwise without the written permission of Starent
Networks, Corp.
Starent, the Starent logo, ST16, and ST40 are registered trademarks of Starent Networks, Corp. How Wireless
Connects and StarOS are trademarks of Starent Networks, Corp.
VA Linux is a registered trademark of VA Linux Systems, Inc. Microsoft and Microsoft Windows are registered
trademarks of Microsoft Corporation. Sun, Solaris, and Netra are registered trademarks of Sun Microsystems.
Linux is a registered trademark of Linus Torvalds. Adobe, Acrobat, Acrobat Reader are registered trademarks
of Adobe Systems, Inc. CompactFlash is a trademark of SanDisk Corporation. Panduit is a registered trademark
or Panduit Corporation. HyperTerminal is a registered trademark of Hilgraeve Inc. MOLEX is a registered
trademark of Molex, Inc. Red Hat is a registered trademark of Red Hat, Inc. Intel is a registered trademark of
Intel Corporation.
Any trademarks, trade names, service marks, or service names owned or registered by any other company and used
in this documentation are the property of their respective companies.
TABLE OF CONTENTS
Section I: Overview
Chapter 1: Network Address Translation Overview
Supported Platforms and Products ............................................................................................... 1-2
Licenses ........................................................................................................................................ 1-3
Supported Standards ..................................................................................................................... 1-4
NAT Feature Overview ................................................................................................................ 1-5
NAT Realms ............................................................................................................................ 1-6
NAT IP Address Allocation and Deallocation ........................................................................ 1-8
NAT IP Address Allocation ................................................................................................ 1-9
NAT IP Address Deallocation ............................................................................................ 1-9
NAT Port-chunk Allocation and Deallocation ........................................................................ 1-9
NAT Port-chunk Allocation ............................................................................................... 1-9
NAT Port-chunk Deallocation .......................................................................................... 1-10
NAT IP Allocation/Port Allocation Failure ...................................................................... 1-10
TCP 2MSL Timer ............................................................................................................. 1-10
NAT Binding Records ........................................................................................................... 1-11
NAT Binding Updates ........................................................................................................... 1-12
CoA NAT Query ................................................................................................................... 1-12
Firewall-and-NAT Policy ...................................................................................................... 1-13
Disabling NAT Policy ...................................................................................................... 1-14
Updating Firewall-and-NAT Policy in Mid-session ......................................................... 1-14
Target-based NAT Configuration ..................................................................................... 1-15
NAT Application Level Gateway .......................................................................................... 1-16
Supported NAT ALGs ...................................................................................................... 1-16
EDRs and UDRs .................................................................................................................... 1-16
EDRs ................................................................................................................................. 1-16
UDRs ................................................................................................................................ 1-16
Bulk Statistics ........................................................................................................................ 1-17
Alarms ................................................................................................................................... 1-17
Session Recovery and ICSR .................................................................................................. 1-18
How NAT Works ....................................................................................................................... 1-20
Generally Available
03-31-2010
ii
Generally Available
03-31-2010
iii
Generally Available
iv
03-31-2010
This section contains an overview of the information contained within this document. It lists
conventions used and related documentation. In addition, it provides information about
contacting Starent Networks Corporation.
This documentation provides information on Network Address Translation configuration.
IMPORTANT
The information and instructions in this document assume that the system hardware has
been fully installed and the installation was verified according to the instructions found in
the System Installation Guide.
Conventions Used
The following tables describe the conventions used throughout this documentation.
Icon
Notice Type
Description
Information note
Caution
Warning
Typeface Conventions
Text represented as a screen display
Description
This typeface represents displays that appear on
your terminal screen, for example:
Login:
This typeface represents commands that you
enter, for example:
show ip access-list
This document always gives the full form of a
command in lowercase letters. Commands are
not case sensitive.
Typeface Conventions
Description
This typeface represents a variable that is part of
a command, for example:
Description
{keyword or variable}
[keyword or variable]
{nonce | timestamp}
OR
[count number_of_packets | size number_of_bytes]
vi
Generally Available
03-31-2010
IMPORTANT
For warranty and repair information, please be sure to include the Return Material
Authorization (RMA) tracking number on the outside of the package.
vii
viii
SECTION I
OVERVIEW
Generally Available
03-31-2010
CHAPTER 1
NETWORK ADDRESS TRANSLATION OVERVIEW
This chapter provides an overview of Network Address Translation (NAT) in-line service
feature.
The following topics are covered in this chapter:
Licenses
Supported Standards
1-2
Generally Available
03-31-2010
Licenses
Licenses
Network Address Translation (NAT) is a licensed in-line service feature requiring the
following licenses:
Any other in-line service counting license (Enhanced Charging Service, Stateful
Firewall, Content Filtering, etc.). For more information, please contact your local sales
representative.
For information on license requirements for customer-specific NAT features, please contact
your local sales/service representative.
IMPORTANT
For information on installing licenses, see the Managing License Keys chapter of the System
Administration and Configuration Guide.
1-3
Supported Standards
Starent Networks NAT feature supports the following RFCs:
1-4
RFC 3022: Traditional IP Network Address Translator (Traditional NAT); January 2001
RFC 3027: Protocol Complications with the IP Network Address Translator; January
2001
RFC 4787: Network Address Translation (NAT) Behavioral Requirements for Unicast
UDP; January 2007
RFC 4966: Reasons to Move the Network Address Translator - Protocol Translator
(NAT-PT) to Historic Status; July 2007
Generally Available
03-31-2010
IMPORTANT
NAT is supported only for TCP, UDP, and ICMP flows. For other flows NAT is bypassed.
IMPORTANT
If a subscriber is assigned with a public IP address, NAT is not applied.
IMPORTANT
To get NATed, the private IP addresses assigned to subscribers must be from the following
ranges:
- Class A 10.0.0.0 10.255.255.255
- Class B 172.16.0.0 172.31.255.255
- Class C 192.168.0.0 192.168.255.255
1-5
send packets to IP2:port1, which are translated to IP1:port1. The NAT port number will
be the same as the source private port.
Once a flow is marked to use a specific NAT IP address the same NAT IP address is used for
all packets originating on that flow. The NAT IP address is released only when all flows and
subscribers associated it are released.
When all NAT IP addresses are in use, and a subscriber with a private IP address fails to get
a NAT IP address for a specific flow, that specific flow will not be allowed and will fail.
All downlinkinbound from external networksIP packets that do not match one of the
existing NAT bindings are discarded by the system.
NAT Realms
A NAT realm is a pool of unique public IP addresses available for translation from private
source IP addresses. IP addresses in a NAT realm are contiguous, and assignable as a subnet
or a range that constitutes less than an entire subnet. IP addresses configured in NAT realms
within a context must not overlap. At any time, within a context, a NAT IP address must be
configured in any one NAT realm. IP addresses can be added to a NAT realm as a range of
IP addresses.
IMPORTANT
The minimum number of public IP addresses that must be allocated to each NAT realm
must be greater than or equal to the number of Session Managers (SessMgrs) available on
the system. This differs on the ST16 and ST40 platforms.
On the ST16 platform, it is >= 230 public IP addresses. This can be met by a single Class
C. Since a SessMgr does not communicate with other SessMgrs to know what ports have
been allocated or free, each SessMgr has its own sub-pool of ports to allocate from.
On the ST40 platform, it is >= 84 public IP addresses. This can be met by a range of 84 host
addresses from a single Class C. The remaining space from the Class C can be used for
other allocations.
Each address has available its port range ~64K ports.
Up to 2000 unique IP pools + NAT IP realms can be configured per context. A subscriber
can be associated with a maximum of three different NAT IP realms. This way a subscriber
can have NATed flows on three different NAT IP addresses at the same time.
1-6
Generally Available
03-31-2010
Allocation of NAT IP addresses in NAT realms to subscriber traffic is based on the L3/L4
characteristicsIP addresses, ports, and protocolof the subscriber flows. It is possible to
configure the system to perform or not perform NAT based on one or more L3/L4
parameters. This feature is also known as Target-based NAT. For more information, see the
Target-based NAT Configuration section.
NAT realms have the following configurable parameters. These parameters are applicable to
all IP addresses in a NAT realm.
Not-on-demand Allocation Mode: This is the default mode. In this mode, the NAT
IP address is allocated to the subscriber at call setup. If there are three NAT realms
(maximum allowed) configured in the subscribers Firewall-and-NAT policy, the
subscriber is allocated three NAT IP addresses, one from each realm.
On-demand Allocation Mode: In this mode NAT resources are assigned and
allocated dynamically based on subscriber flows. The NAT IP address is allocated to
the subscriber when the data traffic flows in and not at call setup.
In case of on-demand realms, since the NAT IP address is not allocated to the subscriber
at call setup, the subscriber may not have a NAT IP address allocated when the first
packet is received. Until the successful allocation of a NAT IP address, based on the
configuration, the packets can either be buffered or dropped. Once a free NAT IP address
is available, it is allocated to the subscriber to be used for flows matching the realm.
NAT Binding Timer: Specifies the timeout period, in seconds, to deallocate NAT
resources that were allocated to subscriber flows. The timer starts counting down when
subscriber flows stop, and on expiry the NAT resources are deallocated to be available
for other subscriber flows.
In one-to-one allocation, for a given NAT IP address, the NAT Binding Timer starts
counting down when there are no active flows using that NAT IP address. When the
NAT Binding Timer expires, the NAT IP address gets deallocated.
Maximum Users per NAT IP Address: Applicable only to many-to-one NAT realms.
Specifies the maximum number of subscribers sharing one NAT IP address. A maximum
of 2016 subscribers can be configured per NAT IP address.
Port Chunk Size: Applicable only to many-to-one NAT realms. Specifies the block size
of contiguous ports to be assigned to a many-to-one NAT realm subscriber. This number
has to be divisible by 32 up to a maximum of 32,256.
1-7
AAA Binding Update Message Required: Applicable only to one-to-one NAT realms.
Enables AAA binding messages for one-to-one NAT realms. This is not supported for
many-to-one NAT realms.
Alert Thresholds: Threshold limits can be specified to trigger alarms for the NAT pools
for pool-used, pool-free, pool-hold, and pool-release cases.
1-8
Generally Available
03-31-2010
Inbound connection to the NAT IP address can be allowed in one-to-one realms based on
configuration.
Maximum Users per NAT IP Address: The maximum number of subscribers sharing a
NAT IP address. Once the number of active subscribers using a NAT IP address reaches
this limit, that NAT IP address cannot be allocated to new subscribers.
In case of many-to-one not-on-demand NAT realms, the last port-chunk is not released
back to the pool even after NAT Binding Timer expires. Only when the call gets
disconnected, the port-chunk is released along with the NAT IP address.
In case of many-to-one on-demand NAT realms, when the last flow using the port-chunk
gets cleared, the NAT Binding Timer is started. When the NAT Binding Timer expires,
the port-chunk along with the NAT IP address is released back to the pool.
In case of one-to-one on-demand NAT realms, when there are no active flows using a
NAT IP address, the NAT Binding Timer is started. When the NAT Binding Timer
expires, the NAT IP address gets deallocated.
1-9
A subscribers data traffic is NATed with ports chosen in a random fashion from the
port-chunk allocated to that subscriber. When all the ports in a port-chunk are in use, a free
port-chunk is requested for. A new port-chunk is only allocated if the Maximum
Port-chunks Per User is not reached.
1-10
Generally Available
03-31-2010
the TCP connection gets cleared. This ensures that a NAT TCP port gets reused only after
expiry of the configured TCP 2MSL timer.
Consider a case where a single TCP flow is active in a port-chunk. When this connection
gets cleared, the TCP NAT port goes to Time Wait state. Since this is the last flow of the
port-chunk, the NAT Binding Timer also gets started. Assume NAT Binding timer >= TCP
2MSL timer. Once the 2MSL timer expires, the TCP port becomes usable. However, the
NAT Binding Timer keeps counting, and on expiry, the port-chunk is released.
In case the NAT Binding Timer < TCP 2MSL Timer, on NAT Binding Timer expiry, the
TCP port is forcefully moved to Free State (made usable) from Time Wait state and the
port-chunk released.
radius-calling-station-id
radius-fa-nas-identifier
radius-fa-nas-ip-address
radius-user-name
sn-correlation-id, if available
sn-fa-correlation-id, if available
sn-nat-binding-timer: Optional
sn-nat-gmt-offset: Optional, GMT offset of the node generating this record. For
example: -5.00, +5.30
sn-nat-ip
sn-nat-last-activity-time-gmt
sn-nat-port-block-end
sn-nat-port-block-start
sn-nat-port-chunk-dealloc-time-gmt
1-11
sn-nat-realm-name: Optional
sn-nat-subscribers-per-ip-address: Optional
Alloc-Flag
Binding-Timer
Correlation-Id
Loading-Factor
NAT-IP-Address
If the NAT binding information is not available at the AAA, the AAA server can query the
chassis for the information. This query uses the Change of Authorization (CoA) format,
wherein the AAA sends a one-to-one NAT IP address as a query, and in the CoA query
response the NBU is obtained if available at the time of query.
The CoA query request must contain the following attributes:
Event-Timestamp
NAS-IP-Address
SN1-NAT-IP-Address
For a successful query, the CoA ACK response contains the following attributes:
1-12
Generally Available
03-31-2010
Acct-Session-Id
Correlation-Id
Framed-IP-Address
NAT-IP-Address
NAT-Port-Block-End
NAT-Port-Block-Start
User-Name
Firewall-and-NAT Policy
IMPORTANT
In StarOS 8.x, NAT for CDMA and early UMTS releases used rulebase-based
configurations, whereas in later UMTS releases NAT used policy-based configurations. In
StarOS 9.0, NAT for UMTS and CDMA releases both use policy-based configurations. For
more information, please contact your local service representative.
ECS Rulebase: The default Firewall-and-NAT policy configured in the ECS rulebase has
the least priority. If there is no policy configured in the APN/subscriber template, and/or
no policy to use is received from the AAA/OCS, only then the default policy configured
in the ECS rulebase is used.
1-13
AAA/OCS: The Firewall-and-NAT policy to be used can come from the AAA server or
the OCS. If the policy comes from the AAA/OCS, it will override the policy configured
in the APN/subscriber template and/or the ECS rulebase.
IMPORTANT
The Firewall-and-NAT policy received from the AAA and OCS have the same priority.
Whichever comes latest, either from AAA/OCS, is applied.
The Firewall-and-NAT policy to use can also be received from RADIUS during
authentication.
If the AAA/OCS sends the SN-Firewall-Policy AVP with the string disable, the locally
configured Firewall-and-NAT policy does not get applied.
If the SN-Firewall-Policy AVP is received with the string NULL, the existing
Firewall-and-NAT policy will continue.
If the SN-Firewall-Policy AVP is received with a name that is not configured locally, the
subscriber session is terminated.
IMPORTANT
For all NAT-enabled subscribers, when the Firewall-and-NAT policy is deleted, the call is
dropped.
1-14
Generally Available
03-31-2010
In a Firewall-and-NAT policy, you can change the NAT enabled/disabled status at any time.
However, the updated NAT status will only be applied to new calls, active calls using that
Firewall-and-NAT policy will remain unaffected.
This association is done with the help of access ruledefs configured in the
Firewall-and-NAT policy. The NAT realm/NAT IP address to be used for a subscriber flow
is decided during rule match. When packets match an access ruledef, NAT is applied using
the NAT IP address allocated to the subscriber from the NAT realm configured in that access
ruledef.
If no NAT realm name is configured in the access ruledef matching the packet, and if there
is a NAT realm configured for no ruledef matches, a NAT IP address from the NAT realm
configured for no ruledef matches is allocated to the flow.
If no NAT realm is configured for no ruledef matches and if there is a default NAT realm
configured in the rulebase, a NAT IP address from this default NAT realm is allocated to the
flow.
If a NAT realm is not configured in any of the above cases, no NAT will be performed for
the flow. Or, if bypass NAT is configured in a matched access rule or for no ruledef
matches then NAT will not be applied even if the default NAT realm is configured. The
order of priority is:
1 Bypass NAT
2 NAT realm in ruledef
3 NAT realm for no ruledef matches
4 Default NAT realm
When a new NAT realm is added to a Firewall-and-NAT policy, it is associated with the
active subscriber (call) only if that call is associated with less than three NAT realms
(maximum allowed). If the subscriber is already associated with three NAT realms, any new
flows referring to the newly added NAT realm will get dropped. The newly added NAT
realm is associated to a call only when one of the previously associated NAT realms is freed
from the call.
1-15
FTP: A TCP-based protocol that uses two flows, one for control messages and the other
for data/file transfer. FTP uses PORT and PASSIVE reply commands to exchange data
flow parameters. These commands carry the IP address and port information as part of
payload.
To enable NAT ALGs, the routing rule(s) to the corresponding analyzers must be added to
the rulebase.
EDRs
The following NAT-specific attributes are supported in regular EDRs:
1-16
Generally Available
03-31-2010
UDRs
The following NAT-specific attribute is supported in regular UDRs:
sn-subscriber-nat-flow-ip: NAT IP addresses that are being used by NAT-enabled
subscribers. The NAT IP addresses assigned from each of the associated realm for the call
are logged. A space is used as a separator between IP addresses
Bulk Statistics
NAT bulkstats are per context and per NAT realm. The NAT realms are configured in a
context and statistics are stored per context per realm. These statistic variables, both
cumulative and snapshot, are available in the nat-realm schema.
Bulkstats are only generated for the first 100 NAT realms from an alphabetical list of all
NAT realms based on the context name and realm name. Therefore, to generate bulkstats for
a specific NAT realm it must be named such that it gets selected in the first 100 bulkstats.
The following is the list of cumulative statistics that can be part of NAT bulkstats. The
context name and the realm name are the two keys.
Context name
Realm name
Total binding updates sent to AAA: Cumulative interim AAA NBU sent from a realm.
Total number of bytes transferred by realm: Cumulative bytes transferred through the
NAT realm (sum of uplink and downlink).
Total number of flows used by realm: Cumulative flows used by the realm.
Total number of flows denied IP: Cumulative flows denied NAT IP.
Total number of flows denied ports: Cumulative flows denied NAT port.
The following is the list of snapshot statistics that can be part of NAT bulkstats.
Context name
Realm name
Total NAT public IP address: Total number of NAT IPs in the NAT realm in a context. Is
a static value.
Current NAT public IP address in use: Current number of NAT IPs in use in the NAT
realm in a context.
Current subscribers using realm: Current numbers subscribers using the realm.
Total port-chunks: Total number port-chunks in the NAT realm in a context. Is a static
value.
Current port-chunks in use: Current number of port-chunks in use in the NAT realm in a
context.
1-17
Alarms
Alert threshold values can be specified to generate alarms for NAT realms. To specify
realm-specific threshold limits (pool-used, pool-free, pool-release, and pool-hold)
alert-threshold NAT pool parameter can be used, or it can also be specified across
context. These thresholds can be specified to any number of NAT realms.
In case of many-to-one NAT, it is possible to specify port-chunks usage threshold per NAT
realm. This threshold value is applicable to all many-to-one NAT realms across the system.
However, note that alarms are only generated for the first 100 many-to-one NAT realms
from an alphabetical list of all NAT realms.
The public IP address used for the subscriber is recovered. The NAT IP address being
used by the subscriber can be on-demand or not-on-demand. In case of many-to-one
NAT, the port-chunks associated with the NAT IP address for the subscriber needs to
check-pointed as well.
In case Bypass NAT feature is used, then the private IP flow needs to be recovered.
To be recovered the NAT IP addresses need to be checkpointed. The checkpointing can be:
Full Checkpoint
Micro Checkpoint
To recover the bypass NAT flow, the bypass flow needs to be checkpointed. The
checkpointing of Bypass NAT flow can be:
Full Checkpoint
Micro Checkpoint
In case of not-on-demand, the NAT IP address being used by the subscriber is known after
call setup. This gets checkpointed as part of the normal full checkpoint. In case of
on-demand NAT, the NAT IP address being used by the subscriber is known only in the
data-path. This will be checkpointed as part of micro checkpoint.
In case of many-to-one NAT, the port-chunks being used will always be checkpointed as
part of micro checkpoint.
In case of bypass NAT flow, in most cases the flow gets checkpointed as part of micro
checkpoint.
Any information that is checkpointed as part of full checkpoint is always recovered. Data
checkpointed through micro checkpoint cannot be guaranteed to be recovered. The timing
of switchover plays a role for recovery of data done through micro checkpoint. If failover
happens after micro checkpoint is completed, then the micro checkpointed data will get
recovered. If failover happens during micro checkpoint, then the data recovered will be the
one obtained from full checkpoint.
Once NAT IP/and Port-Chunks/Bypass Nat flow are recovered, the following holds good:
1-18
Generally Available
03-31-2010
One-to-one NAT: Since NAT IP address being used for one-to-one NAT is recovered,
on-going flows will be recovered as part of Firewall Flow Recovery algorithm as
one-to-one NAT does not change the port.
Many-to-one NAT: On-going flows will not be recovered as the port numbers being used
for flows across chassis peers/SessMgr peers are not preserved.
Bypass NAT Flow: On-going flows will be recovered as part of Firewall Flow Recovery
algorithm.
Event
Impacted
Details
Session
No
Session recovered.
New Traffic
No
Ongoing Traffic
Yes
One-to-one NAT
Many-to-one
NAT
Unsolicited Traffic
(downlink packets)
Yes
Session
No
Session recovered.
New Traffic
No
TCP
Yes
UDP
Yes and No
Ongoing
Traffic
ICMP
Bypass NAT
Yes and No
Unsolicited Traffic
(downlink packets)
No
Session
No
Session recovered.
New Traffic
No
Ongoing Traffic
No
Unsolicited Traffic
(downlink packets)
No
For more information, in the System Enhanced Feature Configuration Guide, see the
Session Recovery and Interchassis Session Recovery chapters.
1-19
For many-to-one NAT, at least one valid NAT realm is configured in the
Firewall-and-NAT policy, and that realm is configured in the context.
2 If all of the above is true, once a private IP address is allocated to the subscriber, the NAT
resource to be used for the subscriber is determined. This is only applicable for
not-on-demand allocation mode.
IMPORTANT
The private IP addresses assigned to subscribers must be from the following ranges for
them to get translated:
Class A 10.0.0.0 10.255.255.255
Class B 172.16.0.0 172.31.255.255
Class C 192.168.0.0 192.168.255.255
IMPORTANT
A maximum of three NAT realms can be configured in a rulebase. A subscriber can be
allocated only one NAT IP address per NAT realm. Hence, at any point, there can be a
maximum of three NAT IP addresses allocated to a subscriber.
3 Flow setup is based on the NAT mapping configured for the subscriber:
In case of many-to-one NAT mapping, a NAT IP address and a port from a port-chunk,
are allocated for each connection originating from the subscriber. In order to identify a
particular subscriber call line, the SessMgr installs a flow using NAT (public) IP address
+ range of NAT ports allocated for the subscriber.
The number of NAT ports to be allocated for each subscriber depends on the number of
maximum associations allowed per subscriber. The number of NAT ports per subscriber
must be lesser than or equal to any multiple of the number of max associations per
subscriber. The number of associations per context/VPN and per subscriber is configurable.
1-20
Generally Available
03-31-2010
Data packets
Is packet uplink?
yes
no
Send to
Internet
Is NAT enabled?
no
yes
Send to
MS
no
no
yes
Does binding exist?
fail
pass
yes
Downlink NAT
processing
Is NAT processing
successful?
fail
pass
1-21
done
Is packet fragmented
yes
no
IP header checks
IP Reassembly
fail
Update statistics
and drop the
packet
Transport layer
header and state
checks
fail
Update statistics
and drop the
packet
In progress
fail
Update statistics
and DoS attacks,
and drop the
packet
yes
fail
Update statistics
and DoS attacks,
and drop the
packet
pass
no
Transport layer
header and state
checks
pass
pass
yes
Update statistics
and drop the
packet
no
1-22
Generally Available
03-31-2010
no
yes
Update statistics
and drop the
packet
yes
Update statistics
and drop the
packet
denied
Update statistics
and drop the
packet
no
no
allowed
If NAT has to be
applied?
Update statistics
and drop the
packet
yes
no
Is IP available?
no
If buffering
enabled?
yes
Send IP allocation
request
Buffer packets
no
yes
Check port
availability and
mapping table
VPN
no
Update statistics
and drop the
packet
Update statistics
and drop the
packet
fails
yes
IP allocation
response
pass
1-23
yes
pass
Uplink NAT
processing
Process buffer
packets
Is NAT processing
successful?
no
Update statistics
and drop the
packet
yes
Update statistics
and drop the
packet
yes
Flooding
detected
no
Create FW flow,
update the flow
and packet stats
To ECS
for further
processing
NAT Translation
1-24
SECTION II
CONFIGURATION
Generally Available
03-31-2010
CHAPTER 2
NAT CONFIGURATION
This chapter describes how to configure the Network Address Translation (NAT) in-line
service feature.
IMPORTANT
In StarOS 8.x, NAT for CDMA and early UMTS releases used rulebase-based
configurations, whereas in later UMTS releases NAT used policy-based configurations. In
StarOS 9.0, NAT for UMTS and CDMA releases both use policy-based configurations. For
more information, please contact your local service representative.
Configuring NAT
NAT Configuration
2-2
Generally Available
03-31-2010
2-3
NAT Configuration
Configuring NAT
This section describes how to configure Policy-based NAT support in a system.
1 Enable the ECS subsystem and create the enhanced charging service as described in the
Enabling the ECS Subsystem and Creating the ECS Service section.
2 Optional: Configure port maps as described in the Configuring Port Maps section.
3 Optional: Configure host pools as described in the Configuring Host Pools section.
4 Optional: Configure IMSI pools as described in the Configuring IMSI Pools section.
5 Configure access ruledefs as described in the Configuring Access Ruledefs section.
6 Configure NAT realms as described in the Configuring NAT Realms section.
7 Configure Firewall-and-NAT policies as described in the Configuring Firewall-and-NAT
Policies section.
8 Configure action on NAT IP address/port allocation failure as described in the Configuring
Action on NAT IP Address/Port Allocation Failure section.
9 Configure action on packets during NAT IP allocation as described in the Configuring
Action on Packets During NAT IP Allocation section.
10 Configure NAT TCP-2msl-timeout setting as described in the Configuring NAT
TCP-2msl-timeout Setting section.
11 Configure action on TCP idle timeout as described in the Configuring Action on TCP Idle
Timeout section.
12 Configure Private IP NPU Flow Timeout setting as described in the Configuring Private IP
NPU Flow Timeout Setting section.
13 Configure Flow Recovery as described in the Configuring Flow Recovery section.
14 Enable NAT support for APN/subscribers as described in the Enabling NAT for
APN/Subscribers section.
15 Optional: Configure the default Firewall-and-NAT policy as described in the Configuring
the Default Firewall-and-NAT Policy section.
16 Configure NAT ALGs as described in the Configuring NAT ALGs/Dynamic Pinholes
section.
17 Configure EDR formats as described in the Configuring EDR Format section.
18 Configure UDR formats as described in the Configuring UDR Format section.
19 Configure NBR formats as described in the Configuring NAT Binding Record Format
section.
20 Configure NAT realm bulk statistics collection as described in the Configuring Bulkstats
Collection section.
21 Configure NAT thresholds as described in the Configuring NAT Thresholds section.
2-4
Generally Available
03-31-2010
Configuring NAT
22 Optional: Configure a secondary IP pool, which is not overwritten by the RADIUS supplied
list, as described in the Backing Out of NAT section.
IMPORTANT
Commands used in the configuration examples in this section provide base functionality to
the extent that the most common or likely commands and/or keyword options are presented.
In many cases, other optional commands and/or keyword options are available. Refer to the
Command Line Interface Reference for complete information regarding all commands.
2-5
NAT Configuration
Notes:
A maximum of 256 host pools, IMSI pools, and port maps each, and a combined
maximum of 4096 rules (host pools + IMSI pools + port maps + charging ruledefs +
access ruledefs + routing ruledefs) can be created in a system.
Port maps, host pools, IMSI pools, and charging, access, and routing ruledefs must
each have unique names.
A maximum of 10 options can be configured in each host pool, IMSI pool, and port
map.
2-6
Generally Available
03-31-2010
Configuring NAT
Notes:
If the source IP address is not configured, then it is treated as any source IP.
If the destination IP address is not configured, then it is treated as any destination IP.
If the source port number is not configured, then it is treated as any source port.
If the destination port is not configured, then it is treated as any destination port.
If both uplink and downlink fields are not configured, then the rule will be treated as
either direction, i.e. packets from any direction will match that rule.
Access ruledefs are different from enhanced charging service ruledefs. A combined
maximum of 4096 rules (host pools, IMSI pools, port maps, and access, charging, and
routing ruledefs) can be created in a system. A combined maximum of 2048 access
and charging ruledefs can be created in a system.
Configuring access ruledefs involves the creation of several ruledefs with different
sets of rules and parameters. For more information, see the Firewall Ruledef
Configuration Mode Commands chapter of the Command Line Interface Reference.
2-7
NAT Configuration
Notes:
The IP addresses configured in the NAT realms within a context must not overlap. At
any time, within a context, a NAT IP address must be configured in any one NAT
realm.
For many-to-one NAT realms, the default NAT binding timer value is 60 seconds.
For one-to-one NAT realms, by default the feature is disabledthe IP addresses/
port-chunks once allocated will never be freed.
Thresholds configured using the alert-threshold keyword are specific to the pool
that they are configured in. Thresholds configured using the threshold ip-pool-*
commands in the Context Configuration Mode apply to all IP pools in the context,
and override the threshold configurations set within individual pools.
2-8
Generally Available
03-31-2010
Configuring NAT
Notes:
The IP addresses configured in the NAT realms within a context must not overlap. At
any time, within a context, a NAT IP address must be configured in any one NAT
realm.
For many-to-one NAT realms, the default NAT binding timer value is 60 seconds. For
one-to-one NAT realms, by default the feature is disabledthe IP addresses/
port-chunks once allocated will never be freed.
Thresholds configured using the alert-threshold keyword are specific to the pool
that they are configured in. Thresholds configured using the threshold ip-pool-*
commands in the Context Configuration Mode apply to all IP pools in the context,
and override the threshold configurations set within individual pools.
Notes:
In StarOS 8.x, NAT for CDMA and early UMTS releases used rulebase-based
configurations, whereas in later UMTS releases NAT used policy-based
configurations. In StarOS 9.0, NAT for UMTS and CDMA releases both use
policy-based configurations. For more information, please contact your local service
representative.
The nat policy nat-required command enables NAT for all subscribers using
the policy.
2-9
NAT Configuration
Rule matching is done for the first packet for a flow. Only when no rules match, the
configuration is considered. The default settings for uplink
direction is permit, and for downlink direction deny.
no-ruledef-matches
If there are no rules matching a packet, then the NAT realm to be used for the flow is
taken from the following configuration:
access-rule no-ruledef-matches uplink action permit nat-realm
<nat_realm_name>
If there is no NAT realm name configured in the matching access ruledef, NAT will
be bypassed, i.e., NAT will not be applied to the flow.
Notes:
2-10
Generally Available
03-31-2010
Configuring NAT
Notes:
By default, for NAT-enabled calls the downlink private IP NPU flow will not be
installed at call setup for a subscriber session. The flow will only be installed on
demand. When there is no traffic on the private flow, the private IP flow will be
removed after the configurable timeout period.
To configure the Firewall-and-NAT Policy within an APN, use the following configuration:
configure
context <context_name>
apn <apn_name>
fw-and-nat policy <fw_nat_policy_name>
end
2-11
NAT Configuration
Notes:
must be a Firewall-and-NAT policy in which Firewall and
NAT policy are enabled as described in the Configuring Firewall-and-NAT Policies
section.
<fw_nat_policy_name>
Notes:
must be a Firewall-and-NAT policy in which Firewall and
NAT policy are enabled as described in the Configuring Firewall-and-NAT Policies
section.
<fw_nat_policy_name>
To create a rulebase and configure a default Firewall-and-NAT policy in it, use the
following configuration:
configure
active-charging service <service_name>
rulebase <rulebase_name> [ -noconfirm ]
fw-and-nat default-policy <fw_nat_policy_name>
end
2-12
Generally Available
03-31-2010
Configuring NAT
Notes:
Notes:
Notes:
If enabled, a routing rule for the particular protocol must be configured in the
rulebase. For example:
route priority 1 ruledef ftp analyzer ftp-control
route priority 2 ruledef rtsp analyzer rtsp
For RTSP NAT ALG to work, the following command must be configured in the
rulebase:
rtp dynamic-flow-detection
2-13
NAT Configuration
Notes:
2-14
Generally Available
03-31-2010
Configuring NAT
The NBR format name configured in the edr-format <nbr_format_name> and the
nat binding-record edr-format <nbr_format_name> commands must be the
same.
Enabling Thresholds
2-15
NAT Configuration
Enabling Thresholds
To enable thresholds, use the following configuration:
configure
threshold monitoring firewall
context <context_name>
threshold monitoring available-ip-pool-group
end
Notes:
The thresholds configured for an individual NAT pool using the alert-threshold
keyword will take priority, i.e will override the above context-wide configuration.
2-16
Generally Available
03-31-2010
Configuring NAT
To configure a secondary IP pool that is not overwritten by the RADIUS supplied list, use
the following configuration. The secondary pool configured will be appended to the
RADIUS supplied IP pool list / APN provided IP pool list whichever is applicable during
call setup.
configure
context <context_name>
apn <apn_name>
secondary ip pool <pool_name>
exit
busyout ip pool name <private_pool_name>
end
Notes:
Notes:
2-17
NAT Configuration
Notes:
2-18
The above command takes effect only for current calls. For new calls, the RADIUS
returned/APN/Subscriber template/rulebase configured policy is used.
Generally Available
03-31-2010
The output displays subscriber information. Verify the NAT pools associated a subscriber
and the NAT IP addresses allocated from each pool.
If a pool type is not-on-demand, the pools type is indicated explicitly.
2 To view active charging flows information, in the Exec mode, enter the following
command:
show active-charging flows full
The output displays active charging flow information. Verify the NAT IP address and NAT
port used for the subscriber flow.
In case of one-to-one NAT, only the NAT IP address is displayed.
For ICMP, the NAT IP address is displayed only if an active ICMP record is available.
2-19
NAT Configuration
Action to perform
NAT statistics
Information on NAT bind records generated for port show active-charging rulebase
chunk allocation and release.
statistics name <rulebase_name>
2-20
Generally Available
03-31-2010
2-21
NAT Configuration
2-22
CHAPTER 3
VERIFYING AND SAVING YOUR CONFIGURATION
This chapter describes how to verify and save the system configuration.
Feature Configuration
In many configurations, specific features are set and need to be verified. Examples include
APN and IP address pool configuration. Using these examples, enter the following
commands to verify proper feature configuration:
show apn all
The output displays the complete configuration for the APN. In this example, an APN called
apn1 is configured.
access point name (APN): apn1
authentication context: test
pdp type: ipv4
Selection Mode: subscribed
ip source violation: Checked
accounting mode: gtpp
max-primary-pdp-contexts: 1000000
primary contexts: not available
local ip: 0.0.0.0
primary dns: 0.0.0.0
ppp keep alive period : 0
absolute timeout : 0
long duration timeout: 0
ip header compression: vj
data compression: stac mppc deflate
min compression size: 128
ip output access-group:
ppp authentication:
allow noauthentication: Enabled
drop limit: 10
No early PDUs: Disabled
total-pdp-contexts: 1000000
total contexts: not available
secondary dns: 0.0.0.0
ppp mtu : 1500
idle timeout : 0
long duration action: Detection
compression mode:
normal
ip input access-group:
imsi authentication:Disabled
The output from this command should look similar to the sample shown below. In this
example, all IP pools were configured in the isp1 context.
context : isp1:
+-----Type:
(P) - Public
(R) - Private
|
(S) - Static
(E) - Resource
|
|+----State:
(G) - Good
(D) - Pending Delete
(R)-Resizing
||
||++--Priority: 0..10 (Highest (0) .. Lowest (10))
||||
||||+-Busyout: (B) - Busyout configured
|||||
|||||
vvvvv Pool Name Start Address
Mask/End Address Used
Avail
----- --------- --------------- --------------- -------- -------PG00 ipsec
12.12.12.0
255.255.255.0
0
254
PG00 pool1
10.10.0.0
255.255.0.0
0
65534
SG00 vpnpool
192.168.1.250
192.168.1.254
0
5
Total Pool Count: 5
IMPORTANT
Many features can be configured on the system. There are show commands specifically for
these features. Refer to the Command Line Interface Reference for more information.
Service Configuration
Verify that your service was created and configured properly by entering the following
command:
show <service_type> <service_name>
The output is a concise listing of the service parameter settings similar to the sample
displayed below. In this example, a P-GW service called pgw1 is configured.
Service name
:
Service-Id
Context
Status
Restart Counter
EGTP Service
LMA Service
Session-Delete-Delay Timer
Session-Delete-Delay timeout
PLMN ID List
Newcall Policy
3-2
pgw1
: 1
: test1
: STARTED
: 8
: egtp1
: Not defined
: Enabled
: 10000(msecs)
: MCC: 100, MNC: 99
: None
Generally Available
03-31-2010
Context Configuration
Verify that your context was created and configured properly by entering the following
command:
show context name <name>
The output shows the active context. Its ID is similar to the sample displayed below. In this
example, a context named test1 is configured.
Context Name
-----------test1
ContextID
--------2
State
----Active
System Configuration
Verify that your entire configuration file was created and configured properly by entering
the following command:
show configuration
This command displays the entire configuration including the context and service
configurations defined above.
This command displays errors it finds within the configuration. For example, if you have
created a service named service1, but entered it as srv1 in another part of the
configuration, the system displays this error.
You must refine this command to specify particular sections of the configuration. Add the
keyword and choose a section from the help menu:
section
or
show configuration errors section aaa-config
3-3
Description
Specifies the path and name to which the configuration file is to be stored. url may refer to a local or
a remote file. url must be entered using one of the following formats:
tftp: 69 - data
Note: host_name can only be used if the networkconfig parameter is configured for DHCP and
the DHCP server returns a valid nameserver.dx
username is the username required to gain access to the server, if necessary.
pwd is the password for the specified username if required.
/dir specifies the directory where the file is located if one exists.
/file_name specifies the name of the configuration file to be saved.
Note: Name configuration files with a .cfg extension.
3-4
Generally Available
03-31-2010
Keyword/Variable
Description
Optional: This keyword directs the system to save the CLI configuration file to the local device, defined
by the url variable, and then automatically copies the file to the like device on the standby SPC/SMC, if
available.
-redundant
Note: This keyword works only for like local devices that are located on both the active and standby
SPCs/SMCs. For example, if you save the file to the /pcmcia1 device on the active SPC/SMC, that
same type of device (a PC-Card in Slot 1 of the standby SPC/SMC) must be available. Otherwise, a
failure message is displayed.
Note: If saving the file to an external network (non-local) device, the system disregards this keyword.
-noconfirm
Optional: Indicates that no confirmation is to be given prior to saving the configuration information to
the specified filename (if one was specified) or to the currently active configuration file (if none was
specified).
showsecrets
Optional: This keyword causes the CLI configuration file to be saved with all passwords in plain text,
rather than their default encrypted format.
verbose
Optional: Specifies to display every parameter that is being saved to the new configuration file.
IMPORTANT
The -redundant keyword is only applicable when saving a configuration file to local
devices.
This command does not synchronize the local file system. If you have added, modified, or
deleted other files or directories to or from a local device for the active SPC/SMC, then you
must synchronize the local file system on both SPCs/SMCs.
EXAMPLE(S)
To save a configuration file called system.cfg to a directory that was previously created
called cfgfiles on the SPCs/SMCs CompactFlash, enter the following command:
save configuration /flash/cfgfiles/system.cfg
To save a configuration file called init_config.cfg to the root directory of a TFTP server with a
hostname of config_server, enter the following command:
save configuration tftp://config_server/init_config.cfg
3-5
3-6
SECTION III
APPENDICES
Generally Available
03-31-2010
APPENDIX A
SAMPLE NAT CONFIGURATION
ntp
enable
server 10.6.1.1
#exit
snmp engine-id local 123007e123275a8c123ff07ca49
active-charging service service_1
nat allocation-failure send-icmp-dest-unreachable
host-pool host1
ip range 3.4.5.6 to 4.5.6.7
#exit
host-pool host2
ip range 5.6.7.8 to 6.7.8.9
#exit
host-pool host3
ip range 7.8.9.0 to 8.9.0.1
#exit
ruledef ip_any
ip any-match = TRUE
#exit
ruledef rt_ftp
tcp either-port = 21
rule-application routing
#exit
ruledef rt_ftp_data
tcp either-port = 20
rule-application routing
#exit
ruledef rt_http
tcp either-port = 80
rule-application routing
#exit
ruledef rt_rtp
rtp any-match = TRUE
rule-application routing
#exit
ruledef rt_rtsp
tcp either-port = 554
rule-application routing
#exit
access-ruledef fw_icmp
icmp any-match = TRUE
#exit
access-ruledef fw_tcp
tcp any-match = TRUE
#exit
access-ruledef fw_udp
udp any-match = TRUE
#exit
edr-format nbr_format1
attribute sn-correlation-id priority 1
rule-variable ip subscriber-ip-address priority 2
attribute sn-fa-correlation-id priority 3
attribute radius-fa-nas-ip-address priority 4
attribute radius-fa-nas-identifier priority 5
attribute radius-user-name priority 6
attribute radius-calling-station-id priority 7
attribute sn-nat-ip priority 8
A-2
Generally Available
03-31-2010
A-3
#exit
fw-and-nat policy base_1
access-rule priority 1 access-ruledef fw_tcp permit nat-realm
nat_pool1
access-rule priority 2 access-ruledef fw_udp permit nat-realm
nat_pool2
firewall tcp-first-packet-non-syn reset
nat policy nat-required default-nat-realm nat_pool3
nat binding-record edr-format nbr_format1 port-chunk-allocation
port-chunk-release
#exit
fw-and-nat policy base_2
access-rule priority 10 access-ruledef fw_tcp permit nat-realm
nat_pool2
access-rule priority 20 access-ruledef fw_udp permit nat-realm
nat_pool1
access-rule priority 25 access-ruledef fw_icmp permit bypass-nat
nat policy nat-required default-nat-realm nat_pool3
#exit
nat tcp-2msl-timeout 120
#exit
context pdsn
interface pdsn
ip address 9.0.1.2 255.255.255.0
#exit
ssh key abc123def456ghi789abc123def456ghi789 len 461
server sshd
subsystem sftp
#exit
subscriber default
ip access-group css-1 in
ip access-group css-1 out
ip context-name isp
mobile-ip send accounting-correlation-info
active-charging rulebase base_1
exit
aaa group default
#exit
gtpp group default
#exit
pdsn-service pdsn
spi remote-address 9.0.1.2 spi-number 256 encrypted secret
abc123def456ghi789 timestamp-tolerance 0
spi remote-address 9.0.1.2 spi-number 256 encrypted secret
abc123def456ghi789 timestamp-tolerance 0
spi remote-address 9.0.1.2 spi-number 9999 encrypted secret
abc123def456ghi789 timestamp-tolerance 0
authentication pap 1 chap 2 allow-noauth
bind address 0.1.2.3
#exit
edr-module active-charging-service
file name NBR_nat current-prefix Record rotation time 45 headers
edr-format-name
#exit
#exit
context isp
ip access-list css
A-4
Generally Available
03-31-2010
A-5
bulkstats mode
sample-interval 1
transfer-interval 15
file 1
remotefile format /localdisk/ABC.bulkstat
receiver 66.77.88.99 primary mechanism ftp login root encrypted
password 34dab256a700e2a8
#exit
#exit
port ethernet 17/1
no shutdown
bind interface pdsn pdsn
#exit
port ethernet 17/2
no shutdown
bind interface isp isp
#exit
port ethernet 17/3
no shutdown
bind interface radius radius
#exit
port ethernet 17/4
no shutdown
#exit
port ethernet 17/5
no shutdown
#exit
end
A-6
INDEX
A
AAA binding update
message required ......................................... 1-8
About This Guide ..................................................v
Active Charging Service (ACS)
enabling ...................................................... 2-6
alert thresholds .................................................. 1-8
ALG
NAT, about ............................................... 1-16
NAT, configuring ...................................... 2-13
B
binding records ................................................ 1-11
binding timer ..................................................... 1-7
binding updates ............................................... 1-12
C
Contacting
Customer Support ......................................... vii
Starent Networks ............................................vi
Technical Support......................................... vii
Conventions
Used in document ............................................v
Customer Support
Contacting ................................................... vii
D
Documentation
Providing feedback ....................................... vii
F
Feedback
Documentation ............................................. vii
firewall-and-NAT policy .................................. 1-13
H
host pools
configuring ................................................. 2-6
I
IMSI pools
configuring ................................................. 2-6
L
licenses
Stateful Firewall .......................................... 1-3
M
max allowed chunks per subscriber ..................... 1-8
N
NAT
about .......................................................... 1-5
ALG, about ............................................... 1-16
ALG, configuring ...................................... 2-13
configuring
Generally Available
03-31-2010
R
ruledefs, firewall
configuring ................................................. 2-7
S
session recovery
NAT ......................................................... 1-18
SRP activate ...................................................... 1-8
Starent Networks
Contacting .....................................................vi
Customer support ..........................................vii
Technical support ..........................................vii
Stateful Firewall
configuration, sample...................................A-1
licenses ....................................................... 1-3
platforms and networks, supported................ 1-2
T
TCP 2MSL timer ............................................. 1-10
Technical Support
Contacting ....................................................vii
U
users per NAT IP address ................................... 1-7
Index-2