Network Address Translation
Overview
Network Address Translation (NAT) rewrites address information in IP packets that travel between private and public networks. NAT effectively extends the public IPv4 address space; multiple end users can share one IP address. NAT provides security by preventing an internal IP address, such as an end-user address, from entering a public network.
NAT translates internal, or private, host IP address and TCP port values to external, or public, values. When NAT receives a packet from an internal host, it replaces the source address information in the packet with public address information, and forwards the packet to the destination. NAT assigns private IP addresses and ports dynamically using values from an allocated pool, but can also use values that are statically assigned to internal hosts, depending on the type of NAT deployment.
The NFM-P NAT support includes:
- configurable port usage limits per subscriber, address range, or policy
- reserved port ranges for specified forwarding classes that are exempt from port usage limits
- configurable protocol timeout periods for efficient resource management
The NAT configuration on a routing instance includes:
- one or more NAT address pools that are associated with local ISA-NAT groups
- a NAT policy that specifies port ranges and operational parameters, and optionally, an IPFIX export policy that specifies IP traffic flow export information
An NFM-P operator assigns port ranges in an address pool configuration. Port ranges specify the number of ports that are allocated to a subscriber for mapping to host sessions. If all ports for a subscriber are in use, additional port assignments cannot occur and host sessions are rejected. This function helps to prevent the flooding of NAT by a virus attack or multiple peer-to-peer file transfers. You can override a port range limit by configuring a range of reserved ports that are assigned based on the traffic forwarding class.
Note: You cannot use ports 0 to 1023, which are called the well-known ports or privileged ports, in a NAT configuration.
To provide equitable and timely NAT resource allocation to hosts, you can specify timeout values in a NAT policy for protocols such as ICMP, TCP, and UDP. NAT ends a host session after the timeout period, for example, when a TCP handshake takes an excessive amount of time.
The NAT drain function is a mechanism that is used to gracefully remove the host sessions associated with an address range in a NAT address pool. When an address range is in the draining state, NAT drops new session requests for the address range. After an existing session associated with a draining address range closes, a new session for the same host is created using a different address range. The drain function removes an address range only when there are no sessions associated with the address range. See To start or stop a NAT address-pool drain operation for information about using the NAT drain function.
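The three mechanisms described above (per-subscriber port limits with forwarding-class reserved ports, protocol idle timeouts, and address-range draining) interact in ways that are easier to see in a running model. The following Python simulation is an added illustration, not NFM-P or SR OS code; the pool layout, the one-outside-address-per-range simplification, the port numbers and the timeout values in `build_demo_pool()` are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

WELL_KNOWN_PORTS = 1024  # ports 0-1023 are never handed out for NAT mappings


@dataclass
class AddressRange:
    first: IPv4Address
    last: IPv4Address
    draining: bool = False

    def __post_init__(self):
        self.first, self.last = IPv4Address(self.first), IPv4Address(self.last)

    def contains(self, addr: IPv4Address) -> bool:
        return self.first <= addr <= self.last


@dataclass
class Session:
    subscriber: str
    proto: str
    fc: str
    outside_ip: IPv4Address
    outside_port: int
    last_seen: float
    reserved: bool  # allocated from a forwarding-class reserved range (exempt from the limit)


class NatPool:
    def __init__(self, ranges: List[AddressRange], port_limit: int,
                 reserved_fc: Dict[str, Tuple[int, int]], timeouts: Dict[str, float]):
        self.ranges = ranges
        self.port_limit = port_limit      # dynamic ports allowed per subscriber
        self.reserved_fc = reserved_fc    # fc -> inclusive port range reserved for that class
        self.timeouts = timeouts          # proto -> idle timeout in seconds
        self.bindings: Dict[str, IPv4Address] = {}   # subscriber -> outside IP
        self.sessions: List[Session] = []

    def _range_of(self, addr: IPv4Address) -> AddressRange:
        return next(r for r in self.ranges if r.contains(addr))

    def _is_reserved_port(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.reserved_fc.values())

    def _subscriber_sessions(self, sub: str) -> List[Session]:
        return [s for s in self.sessions if s.subscriber == sub]

    def open_session(self, sub: str, proto: str, fc: str, now: float) -> Optional[Session]:
        """Return a new mapping, or None when the request is rejected."""
        ip = self.bindings.get(sub)
        if ip is not None and self._range_of(ip).draining:
            if self._subscriber_sessions(sub):
                return None          # draining range: new requests dropped until its sessions close
            del self.bindings[sub]   # all sessions closed: host moves to another range
            ip = None
        if ip is None:
            # constructed simplification: subscribers share the first address of the
            # first range that is not draining
            ip = next((r.first for r in self.ranges if not r.draining), None)
            if ip is None:
                return None
            self.bindings[sub] = ip
        used = {s.outside_port for s in self.sessions if s.outside_ip == ip}
        if fc in self.reserved_fc:   # reserved ports do not count against the limit
            lo, hi = self.reserved_fc[fc]
            port = next((p for p in range(lo, hi + 1) if p not in used), None)
            if port is not None:
                s = Session(sub, proto, fc, ip, port, now, True)
                self.sessions.append(s)
                return s
        dynamic = [s for s in self._subscriber_sessions(sub) if not s.reserved]
        if len(dynamic) >= self.port_limit:
            return None              # port usage limit reached: host session rejected
        port = next((p for p in range(WELL_KNOWN_PORTS, 65536)
                     if p not in used and not self._is_reserved_port(p)), None)
        if port is None:
            return None
        s = Session(sub, proto, fc, ip, port, now, False)
        self.sessions.append(s)
        return s

    def expire(self, now: float) -> int:
        """Close sessions idle longer than their protocol timeout; return how many closed."""
        before = len(self.sessions)
        self.sessions = [s for s in self.sessions if now - s.last_seen <= self.timeouts[s.proto]]
        return before - len(self.sessions)

    def start_drain(self, index: int) -> None:
        self.ranges[index].draining = True

    def can_remove_range(self, index: int) -> bool:
        """A draining range may be removed only once no session still uses it."""
        r = self.ranges[index]
        return r.draining and not any(r.contains(s.outside_ip) for s in self.sessions)


def build_demo_pool() -> NatPool:
    """Constructed sample configuration: two ranges, two dynamic ports per subscriber,
    ten ports reserved for forwarding class 'ef', short idle timeouts."""
    return NatPool(
        ranges=[AddressRange("192.0.2.1", "192.0.2.10"),
                AddressRange("198.51.100.1", "198.51.100.10")],
        port_limit=2,
        reserved_fc={"ef": (60000, 60009)},
        timeouts={"tcp": 300.0, "udp": 60.0, "icmp": 30.0},
    )
```

Walking through `build_demo_pool()`: a third best-effort session for a subscriber is rejected once two dynamic ports are in use, an `ef` session is still admitted from the reserved range, the UDP mapping is the first to expire, and after the first range is put into draining state the subscriber's new requests are dropped until its remaining sessions time out, at which point it is re-bound to the second range and the first range becomes removable.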
You can view general NAT statistics, for example, address pool allocation and session counts for different protocols on the Statistics tab of an ISA-NAT group member properties form.
Note: The NFM-P does not record detailed NAT session information such as session duration or packet counts. You can obtain this information from a request to a participating NE.
The NFM-P supports the following NAT deployment types:
- L2-aware: hosts of the same subscriber can share a private address, and are assigned public addresses from a pool in a base routing instance.
- large-scale: each host can have a unique static or dynamic private address, and is assigned a public address from a pool in a VPRN routing instance.
L2-aware NAT
In L2-aware NAT, a NAT policy is associated with a subscriber profile that is applied to an IES SAP or a VPRN routing instance. The policy specifies an address pool on the base routing instance. When DHCP assigns a private IP address that is in an L2-aware NAT address range, NAT assigns a public IP address to the host packets. See Chapter 78, IES management for information about configuring NAT in an IES. See Chapter 79, VPRN service management for information about configuring NAT on a VPRN.
Note: A NAT configuration on a base routing instance applies to each IES site or VPRN routing instance on the NE.
A NAT policy that is specified in a subscriber profile redirects the IPv4 traffic for the subscriber to NAT.
External address assignment
The External Assignment option on L2-aware NAT pools allows the assignment of outside IP addresses to a subscriber by an external system (for example, a RADIUS server). The External Assignment configuration ensures that all traffic to or from a particular L2-aware subscriber is received on the same ISA card when outside IP addresses are allocated by an external system.
Large-scale NAT
Large-scale NAT, or LSN, is required when each host in a customer VPRN service has a unique private IP address and requires a unique public IP address, for example, in mobile network deployments. Large-scale NAT is used between routing instances. A customer VPRN routing instance provides host access and forwards packets through NAT to a VPRN or through an IES to an NE routing instance, which provides public network access.
A VPRN routing instance requires an ACL IP filter or static route to transmit host traffic through the NAT function, and uses an address pool in the VPRN routing instance. You can configure large-scale NAT to statically and dynamically assign private addresses. See Chapter 79, VPRN service management for information about configuring NAT in a VPRN service. See Static port forwarding for information about configuring NAT to use static private addresses.
You can use the NFM-P Statistics Plotter to plot real-time LSN subscriber host statistics on a base or VPRN routing instance. See To plot LSN subscriber host statistics.
Static port forwarding
In a large-scale NAT deployment, you can configure NAT to assign static private addresses to subscriber hosts using static port forwarding. Static port forwarding ensures that an internal host uses the same private IP address and port each time it connects to the network. You can use the NFM-P to configure static port forwarding for TCP and UDP independently.
A standby routing instance can be specified to create static port forwards for pools in a redundant configuration. The NFM-P identifies the active pool from the two specified NEs and creates a static port forward on the active pool. In the event of a wildcard static port forward request, if there is a switch-over of the active pool, the NFM-P attempts to create the static port forward on the other pool. If there is a second pool switch-over, the static port forward is not created.
See Chapter 79, VPRN service management for information about configuring static port forwarding in a VPRN service. See Chapter 74, Residential subscriber management for information about configuring L2-aware static port forwarding on a residential subscriber instance.
Base router and VPRN static one-to-one NAT
With static one-to-one NAT, NAT is performed on packets traveling from an inside (private) interface to an outside (public) interface or from an outside interface to an inside interface. Static one-to-one NAT can be applied to a single IP address or a subnet of IP addresses and is performed on the IP header of a packet, not on the UDP/TCP port.
Mapping statements, or entries, can be configured to map an IP address range to a specific IP address. The direction of the NAT mapping entry dictates whether NAT is performed on a packet source IP address or subnet, or on a packet destination IP address or subnet. The 7705 SAR supports inside mapping entries that map an inside IP address range to an outside IP address range sequentially.
With an inside mapping entry, consider the following:
- Packets that originate from an inside interface and are destined for an inside interface are forwarded without any NAT being applied.
- Packets that originate from an outside interface and are destined for an outside interface are forwarded without any NAT being applied.
- If there is a matching one-to-one NAT mapping entry, packets that originate from an inside interface and are destined for an outside interface undergo static one-to-one NAT where NAT changes the source IP address of the packet IP header. The packet is forwarded whether or not a NAT mapping entry is found unless the Drop Packets without NAT parameter is enabled. When a mapping entry is not found and the Drop Packets without NAT parameter is enabled, the packet is not forwarded.
- If there is a matching one-to-one NAT mapping entry, packets that originate from an outside interface and are destined for an inside interface undergo static one-to-one NAT where NAT changes the destination IP address of the packet IP header. The packet is forwarded whether or not a NAT mapping entry is found unless the Drop Packets without NAT parameter is enabled. When a mapping entry is not found and the Drop Packets without NAT parameter is enabled, the packet is not forwarded.
Static one-to-one NAT is performed on packets that transit the node and match the mapping entry. These packets include IPSec packets, GRE packets, and IP packets. NAT can be performed on packets from a single inside interface or multiple inside interfaces that are traveling to a single outside interface or multiple outside interfaces.
Static one-to-one NAT is not performed on packets that are destined for the node, on self-generated traffic, or on routing protocols. The 7705 SAR blocks static one-to-one NAT to a public prefix that has the same IP subnet as a local interface.
Static one-to-one NAT is supported on the GRT and on VPRNs.
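The inside-mapping rules above (sequential range-to-range translation, direction decided by the roles of the ingress and egress interfaces, the Drop Packets without NAT parameter, no translation for traffic to the node, and the refusal of a public prefix that overlaps a local interface subnet) can be modelled in a few dozen lines. The following Python model is an added example, not 7705 SAR or NFM-P code; the interface names, the routing table, the assumption that the node owns the first host address of each connected subnet, and the addresses in `build_demo_nat()` are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class MappingEntry:
    """Inside mapping entry: an inside prefix mapped sequentially onto an outside prefix."""
    inside: IPv4Network
    outside: IPv4Network

    def __post_init__(self):
        self.inside, self.outside = IPv4Network(self.inside), IPv4Network(self.outside)
        if self.inside.num_addresses != self.outside.num_addresses:
            raise ValueError("inside and outside ranges must be the same size")

    def to_outside(self, addr: IPv4Address) -> Optional[IPv4Address]:
        if addr not in self.inside:
            return None
        return self.outside[int(addr) - int(self.inside.network_address)]

    def to_inside(self, addr: IPv4Address) -> Optional[IPv4Address]:
        if addr not in self.outside:
            return None
        return self.inside[int(addr) - int(self.outside.network_address)]


class StaticOneToOneNat:
    def __init__(self, interfaces: Dict[str, Tuple[str, str]], routes: List[Tuple[str, str]],
                 entries: List[MappingEntry], drop_without_nat: bool = False):
        # name -> (connected subnet, "inside" | "outside")
        self.interfaces = {n: (IPv4Network(net), role) for n, (net, role) in interfaces.items()}
        # longest-prefix-match routing table: (prefix, egress interface)
        self.routes = sorted(((IPv4Network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.entries = entries
        self.drop_without_nat = drop_without_nat
        # the node blocks a public prefix that shares a subnet with a local interface
        for e in entries:
            for name, (subnet, _) in self.interfaces.items():
                if e.outside.overlaps(subnet):
                    raise ValueError(f"outside prefix {e.outside} overlaps interface {name}")

    def _egress(self, dst: IPv4Address) -> Optional[str]:
        return next((iface for net, iface in self.routes if dst in net), None)

    def _local_addresses(self):
        # constructed assumption: the node owns the first host address of each subnet
        return {subnet[1] for subnet, _ in self.interfaces.values()}

    def forward(self, ingress: str, src, dst) -> dict:
        """Apply the inside-mapping rules to one packet and report what happens to it."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        result = {"action": "forward", "egress": None, "src": str(src), "dst": str(dst)}
        if dst in self._local_addresses():
            result["action"] = "local"          # destined for the node itself: never translated
            return result
        egress = self._egress(dst)
        if egress is None:
            result.update(action="drop", reason="no route")
            return result
        result["egress"] = egress
        in_role, out_role = self.interfaces[ingress][1], self.interfaces[egress][1]
        if in_role == out_role:
            return result                       # inside->inside or outside->outside: no NAT
        if in_role == "inside":                 # inside->outside rewrites the source address
            hits = (e.to_outside(src) for e in self.entries)
            key = "src"
        else:                                   # outside->inside rewrites the destination
            hits = (e.to_inside(dst) for e in self.entries)
            key = "dst"
        translated = next((t for t in hits if t is not None), None)
        if translated is not None:
            result[key] = str(translated)
        elif self.drop_without_nat:
            result.update(action="drop", reason="no mapping entry")
        return result


def build_demo_nat(drop_without_nat: bool = True,
                   outside_prefix: str = "198.51.100.0/28") -> StaticOneToOneNat:
    """Constructed sample: one inside LAN, one uplink, sixteen inside hosts mapped 1:1."""
    interfaces = {"to-lan": ("10.0.0.0/24", "inside"),
                  "to-wan": ("203.0.113.0/30", "outside")}
    routes = [("10.0.0.0/24", "to-lan"),
              (outside_prefix, "to-lan"),     # the public prefix is routed toward the inside hosts
              ("0.0.0.0/0", "to-wan")]
    return StaticOneToOneNat(interfaces, routes,
                             [MappingEntry("10.0.0.0/28", outside_prefix)], drop_without_nat)
```

With `build_demo_nat()`, host 10.0.0.5 leaves the uplink as 198.51.100.5 and return traffic to 198.51.100.5 is delivered to 10.0.0.5; LAN-to-LAN packets are untouched; an unmapped host such as 10.0.0.200 is dropped only when Drop Packets without NAT is set; and asking for an outside prefix inside the uplink subnet (203.0.113.0/28) is rejected at configuration time.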
The following table lists the types of outside and inside interfaces that are supported on the GRT for static one-to-one NAT.
Table 30-1: GRT interfaces supported for static one-to-one NAT

| GRT interface type | Outside | Inside |
|---|---|---|
| Network interface | Yes | No |
| IES interface | Yes | Yes |
| IES R-VPLS interface | Yes | Yes |
| IES Layer 3 spoke SDP interface | Yes | Yes |
| IPSec public interface | n/a | n/a |
VPRN static one-to-one NAT
For VPRNs, static one-to-one NAT can be configured between an inside interface and an outside MP-BGP MPLS transport tunnel interface. See the 7705 SAR NE documentation for more information about VPRNs and one-to-one NAT.
The following table lists the types of outside and inside interfaces that are supported on a VPRN for one-to-one NAT.
Table 30-2: VPRN interfaces supported for static one-to-one NAT

| VPRN interface type | Outside | Inside |
|---|---|---|
| SAP interface | Yes | Yes |
| R-VPLS interface | Yes | Yes |
| Layer 3 spoke SDP interface | Yes | Yes |
| IPSec private interface | Yes | Yes |
| Auto-bind GRE/MPLS (MP-BGP), where MPLS includes segment routing, LDP, and RSVP | Yes | No |
Dynamic block reservation
To prevent starvation of dynamic port blocks for subscribers that use static port forwarding, dynamic port blocks can be reserved for the lifetime of the static port forward. Dynamic port blocks are associated with the same inside IP addresses that are associated with the static port forward. A log entry is not generated until the dynamic port block is used.
At the time of static port forward creation:
- If the corresponding dynamic port block mapping (same inside IP address) does not exist, dynamic port block(s) are reserved and associated with the same inside IP addresses used in the static port forward. No log entries are generated for the reserved dynamic port blocks.
- If corresponding dynamic mappings (relative to the inside IP address) exist, the existing port block is reserved (or kept) after the last mapping within it has expired. The reserved dynamic port block(s) continue to be associated with the same inside IP address until the static port forward is deleted. A log entry is generated when the last mapping in the dynamic port block expires (even if the dynamic port block continues to be reserved).
NAT pools
A NAT pool is a range of public IP addresses that are translated to inside private IP addresses in a large-scale or L2-aware NAT configuration. A NAT pool is required in order to configure a NAT policy, as well as static port forwarding, DS Lite, and NAT 64.
In a dual-homing redundant NAT configuration, a group of NAT pools is configured for switch-over. The group is called a Pool Fate Sharing Group (PFSG), in which there is one lead pool, and a group of subordinate pools that follow the lead pool. The subordinate pools inherit the lead pool activity and state. The lead pool has its own export route which must match the monitoring route of all the pools in the corresponding PFSG on the peering node. All pools in a PFSG should belong to the same ISA-NAT group.
Application-agnostic NAT
If a NAT pool is created as application-agnostic, IP addresses are translated in 1:1 fashion, regardless of protocol. Ports are not translated for TCP or UDP traffic. Traffic through the NAT pool can be initiated from inside or outside. When a NAT pool is configured as application-agnostic, certain parameters in the pool are pre-configured and cannot be changed:
An application agnostic NAT pool is used to configure static 1:1 NAT, where the operator has control of mapping between the inside and outside IP addresses.
ALGs for TCP and UDP are supported in an application-agnostic NAT pool.
NAT policies
A NAT policy defines general NAT properties and associates a NAT address pool with an ISA-NAT group on the same NE. A NAT policy is associated with a subscriber profile for L2-aware NAT in an IES or VPRN service, or for large-scale NAT in a VPRN service.
A NAT pool must be assigned to the local NAT policy before the NAT policy can be associated with the NAT configuration. A NAT policy is required in order to configure DS Lite, NAT 64, and NAT subscriber identification.
Individual NAT policies can be configured on various objects on an inside NAT configuration in order to create flexible mapping of inside traffic to outside pools, based on traffic criteria. Subscribers are mapped to different NAT pools, based on their source IP.
- A local NAT policy can be configured for each destination prefix. Destination prefixes point to the global NAT policy for a NAT configuration by default.
- A local NAT policy can be configured for each static port forward entry. Static port forwards point to the global NAT policy for a NAT configuration by default.
- ACL IP and IPv6 filter policies can be configured to divert traffic to NAT based on filter match criteria. Each filter entry can point to an individual NAT policy. For IPv6 filter entries, you can specify the NAT type (DS-LITE or NAT-64).
- A local NAT policy is configured on a NAT prefix list for L2-aware NAT configurations. The NAT policy must be configured with a NAT pool.
The subscriber retention timeout configuration specifies the time a NAT subscriber and its associated IP address is kept after all hosts and associated port blocks have expired. If a NAT subscriber host appears before the retention timeout has elapsed, it is assigned the same outside IP address.
NAT firewall policies
A firewall policy is associated with a subscriber profile for IPv6 firewall configurations. The policy is configured with an NE, on which downstream forwarding occurs. Incoming network traffic to the NE is disallowed if there is no matching traffic flow, or if port forwarding does not exist. IPv6 domains are provisioned, containing IPv6 prefixes. Each domain points to a NAT group and the IPv6 prefixes are micronetted over the NAT group members. The IPv6 address is assigned externally, using DHCPv6 relay.
Several components must be configured to function with the firewall policy:
All of these components can be configured on both base and VPRN routing instances.
NAT prefix lists
A NAT prefix list is used to create a set of mappings between destination IP prefixes and a specific NAT policy for an L2-aware NAT configuration. The NAT prefix list is associated with a subscriber profile, and with a NAT policy.
NAT classifiers
The NAT classifier is referenced by the NAT policy in DNAT configurations. It determines the destination IP address and the type of traffic that is subject to DNAT.
IPFIX export policies
An IPFIX export policy defines how IP traffic flow information is formatted and transferred from an exporter to a collector to facilitate services such as measurement, accounting, and billing. You can specify the router instance type, IPFIX Collector address, MTU, and refresh timeouts. You can add an IPFIX export policy to a NAT policy.
ISA-NAT groups
An ISA-NAT group provides a redundant NAT function for routing instances using ISA Broadband Applications MDAs or ESA VMs.
See the NE documentation for more information about NAT deployment.
NAT Destinations
A NAT destination prefix applies NAT to all traffic that matches a given route. A NAT Destination cannot be configured in conjunction with a NAT policy that points to a NAT pool that resides in the same service. Such a configuration would result in a routing loop.
NAT 64
NAT 64 allows IPv6 hosts to connect to IPv4-only servers, mapping their inside IPv6 addresses to outside IPv4 addresses. NAT 64 configuration requires support for IPv6 (chassis mixed mode) on the NE. You must assign a NAT policy to the NAT configuration before enabling NAT 64. IP fragmentation can be configured to allow IPv6 packet fragmentation before transmission.
DS Lite
DS Lite is intended for network operators that have an IPv6-only access network, but IPv4-only CPEs. The inside IPv4 host information is encapsulated into a 4to6 tunnel that runs over the IPv6 network. At the other end, the IPv4 address is de-encapsulated and translated to an outside IPv4 address via CGN. You must assign a NAT policy to the NAT configuration before enabling DS Lite. IP fragmentation can be configured to allow IPv6 packet fragmentation before transmission if the packets are larger than the tunnel MTU for a given DS Lite address.
Deterministic NAT
Deterministic NAT is a mode of operation in which the inside IP address and source ports are deterministically mapped to the outside IP address and port range at the time of configuration. Each inside IP address is permanently mapped to an outside IP address and a dedicated port block. The dedicated port block is referred to as the deterministic port block. Deterministic mapping can be automatically extended by a dynamic port block in cases where a deterministic port range runs out of ports. Because a simple formula is used to determine the inside IP address based on the outside IP address and port, there is no need for NAT logging.
The NAT deterministic script generates an offline calculation of the deterministic NAT map entries. You can save the script results to a folder on a remote server by specifying a URL for the server in the local NE properties.
In the NFM-P, inside IP addresses are configured in the form of prefixes. Any inside prefix on any routing instance can be mapped to any deterministic pool on any routing instance, including the deterministic pool in which the inside prefix is defined. The mapping between the inside prefix and the deterministic pool is achieved through a NAT policy that is referenced for each individual prefix. IP addresses from the prefixes on the inside are distributed over the IP addresses defined in the outside pool referenced by the NAT policy.
A port block is a collection of ports that is assigned to a subscriber. A deterministic LSN subscriber can have only one deterministic port block that can be extended by multiple dynamic port blocks. All port blocks for an LSN subscriber must be allocated from a single outside IP address.
A port range is a collection of ports that can spawn multiple port blocks of the same type. For example, a deterministic port range includes all ports that are reserved for deterministic consumption. A dynamic port range is a total collection of ports that can be allocated in the form of dynamic port blocks.
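The property that makes deterministic NAT attractive for lawful-intercept and abuse-handling workflows without per-session logging is that the mapping is a fixed function in both directions. The following Python class is an added example, not the 7705 SAR or NFM-P algorithm: it distributes the hosts of an inside prefix sequentially over the addresses of an outside pool and gives each host one deterministic port block, and it shows the inverse lookup from (outside address, port) back to the inside host, returning None for ports that fall outside the deterministic blocks (where a dynamic extension block, and therefore a log entry, would be needed). The sizing rule and the sequential layout are constructed assumptions.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple


class DeterministicMap:
    """Inside host i -> outside address i // n, deterministic block i % n, where n is the
    number of inside hosts that share each outside address (constructed scheme)."""

    def __init__(self, inside_prefix: str, outside_pool: str,
                 det_ports: Tuple[int, int], block_size: int):
        self.inside = IPv4Network(inside_prefix)
        self.outside = IPv4Network(outside_pool)
        self.port_lo, self.port_hi = det_ports      # deterministic port range, inclusive
        self.block_size = block_size
        blocks_per_ip = (self.port_hi - self.port_lo + 1) // block_size
        # ceil(inside hosts / outside addresses): hosts that must share one outside IP
        self.per_ip = -(-self.inside.num_addresses // self.outside.num_addresses)
        if self.per_ip > blocks_per_ip:
            raise ValueError(f"need {self.per_ip} blocks per outside IP, "
                             f"deterministic range only holds {blocks_per_ip}")

    def to_outside(self, inside_ip) -> Tuple[IPv4Address, Tuple[int, int]]:
        """Outside address and deterministic port block for an inside host."""
        inside_ip = IPv4Address(inside_ip)
        if inside_ip not in self.inside:
            raise ValueError(f"{inside_ip} is not in {self.inside}")
        idx = int(inside_ip) - int(self.inside.network_address)
        ip_index, block_index = divmod(idx, self.per_ip)
        lo = self.port_lo + block_index * self.block_size
        return self.outside[ip_index], (lo, lo + self.block_size - 1)

    def to_inside(self, outside_ip, port: int) -> Optional[IPv4Address]:
        """Recover the inside host from an observed outside address and port, no log needed."""
        outside_ip = IPv4Address(outside_ip)
        if outside_ip not in self.outside or not self.port_lo <= port <= self.port_hi:
            return None
        ip_index = int(outside_ip) - int(self.outside.network_address)
        block_index = (port - self.port_lo) // self.block_size
        if block_index >= self.per_ip:
            return None   # beyond the deterministic blocks: a dynamic extension, logged separately
        idx = ip_index * self.per_ip + block_index
        if idx >= self.inside.num_addresses:
            return None
        return self.inside[idx]

    def verify_round_trip(self) -> bool:
        """Every inside host must be recoverable from both ends of its own port block."""
        for host in self.inside:
            ip, (lo, hi) = self.to_outside(host)
            if self.to_inside(ip, lo) != host or self.to_inside(ip, hi) != host:
                return False
        return True
```

With a /24 inside prefix over a four-address outside pool, 64 hosts share each outside address, so blocks of 1000 ports fit in the 1024 to 65535 range (64 blocks of 1000 ports); 10.0.0.65 lands on the second outside address with ports 2024 to 3023, and any port seen on that address between 2024 and 3023 resolves back to 10.0.0.65. A /16 inside prefix over the same pool is rejected because the port range cannot hold 16384 blocks per address.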
Destination NAT
Destination NAT (DNAT) is used for traffic steering when the destination IP address is rewritten. A typical use of DNAT is the redirection of unauthenticated traffic to an authentication server. Once authenticated, DNAT would be removed by means of a RADIUS CoA request.
DNAT is used as part of large-scale NAT (deterministic and non-deterministic) and L2-aware NAT configurations. DNAT-only configuration is applicable only to large-scale NAT. When a NAT policy is configured for use in DNAT-only configurations, it must not be configured with port limit or NAT pool parameters. When a NAT policy is configured for use in DNAT configurations, it must reference a NAT classifier, which determines the destination IP address and the type of traffic that is subject to DNAT.