Configuration Note

NAT

Last Updated: 2014-05-20

Version 1.0
Introduction:

 

NAT is a mechanism used to translate/modify IP addresses and/or ports in packet headers transparently as the packets transit a NAT-enabled device such as the 7705 SAR. Typically, IP addresses in the private domain are translated/mapped to addresses in the public domain as the packets traverse between the address domains.

 

Types of NAT:

·         Basic NAT:

o   Only the IP address in the IP packet header is modified.

o   Provides a one-to-one IP address mapping for hosts.

·         Network Address Port Translation (NAPT):

o   Both the IP address and the TCP/UDP port can be modified.

o   Provides many-to-many or many-to-one mappings.

o   All the NAT policies on the 7705 SAR are of type NAPT.

Setup 1:

Prerequisites:

This Configuration Note assumes that the following base configuration has been implemented on the PEs:

 

-          Cards, MDAs and ports configured

-          Interfaces configured

Dynamic SNAT configuration:

In this example, the 7705 SAR is going to be configured to apply SNAT to the traffic sourced from the IXIA tester, using the IP address of the “to-68” interface as the NAT pool address.

 

The 7705 SAR is already configured with the following:

1.    IES service with one SAP (ID 1/1/1). The SAP is connected to the IXIA tester.

 

A:SARHC-66>config>service# info

----------------------------------------------

        customer 1 create

            description "Default customer"

        exit

        ies 100 customer 1 create

            interface "to-ixia" create

                address 192.168.1.1/24

                sap 1/1/1 create

                exit

            exit

            no shutdown

        exit

----------------------------------------------

 

2.    A network interface named “to-68” configured under the base router context. The interface is using port 1/1/2 to connect to the public network (another SAR-Hc box).

 

A:SARHC-66>config>router>if# info

----------------------------------------------

            address 10.66.68.1/30

            port 1/1/2

            dhcp

                shutdown

            exit

----------------------------------------------

3.    OSPF and LDP are enabled.

 

A:SARHC-66>config>router>ospf# info

----------------------------------------------

            area 0.0.0.0

                interface "system"

                    interface-type point-to-point

                exit

                interface "to-68"

                    interface-type point-to-point

                exit

                interface "to-ixia"

                    interface-type point-to-point

                exit

            exit

----------------------------------------------

 

A:SARHC-66>config>router>ldp# info

----------------------------------------------

            interface-parameters

                interface "to-68"

                exit

            exit

            targeted-session

            exit

----------------------------------------------

The following steps are required to enable the use of SNAT for this example:

 

1.    Define where the SNAT zone is going to be created and which interfaces are going to be assigned to this zone. In this example, the SNAT zone is going to be created under the base router context and it will consist of only one interface: the “to-68” interface.

2.    Create a security profile to specify the desired NAT idle session timeouts. Since the IXIA is only sending UDP packets, you can modify the UDP timeouts if required (this example uses the default values).

 

A:SARHC-66>conf>security>profile# info

----------------------------------------------

    name "DEFAULT"

    description "Default Session Profile"

    timeouts

    exit

----------------------------------------------

 

 

3.    Create a security policy to:

-          Match the source IP address in the packets sourced from the IXIA and destined for the “to-68” interface, thus matching the packets entering the zone created in step 1 (zone-inbound).

-          Apply action “nat” to the packets that match the rule.

-          Use the security profile created in step 2.

 

*A:SARHC-66>config>security# info

----------------------------------------------

    policy 1 create

        description "test policy"

        entry 1 create

            match protocol udp

                direction zone-inbound

                src-ip 192.168.1.2 to 192.168.1.4

            exit

            limit

            exit

            action nat

        exit

    exit

    commit

----------------------------------------------

 

4.    Create a zone under the base router context and configure it with the following:

-          Assign the “to-68” interface to the zone.

-          Create a NAT pool that applies SNAT to the traffic entering the zone (zone-inbound).

-          Specify the IP address of the “to-68” interface as the SNAT IP address.

-          Specify the source ports to use to avoid port ID collisions.

-          Assign the security policy created in step 3 to the zone.

*A:SARHC-66>conf>router>zone# info

----------------------------------------------

    interface to-68

    exit

    nat

        pool 10 create

            direction zone-inbound

            entry 10 create

                ip-addr interface to-68

                port 30000 to 30002

            exit

        exit

    exit

    policy 1

    commit

----------------------------------------------
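The following Python model is an added example; it is not part of this configuration note and it is not 7705 SAR code. It shows how the pieces configured in the four steps above interact packet by packet: the policy match (UDP from 192.168.1.2 to 192.168.1.4, default action reject), the NAPT pool (the “to-68” address 10.66.68.1 with ports 30000 to 30002) and the UDP idle timeout of the DEFAULT profile (5 minutes). The sample packets are constructed; the first three reproduce the flows that appear in the session table in the Verification section. In the model, a fourth concurrent flow is dropped because no pool port is free until an existing session times out, which is why the port range should be sized for the expected number of concurrent sessions (an assumption of the model, not a statement about the 7705 SAR implementation).

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Values taken from the configuration note
POOL_IP = "10.66.68.1"        # address of the "to-68" interface (pool entry 10)
POOL_PORT_LO, POOL_PORT_HI = 30000, 30002
UDP_IDLE_SECONDS = 300        # "UDP Idle : 5 min" in the DEFAULT profile
POLICY_SRC_LO = IPv4Address("192.168.1.2")
POLICY_SRC_HI = IPv4Address("192.168.1.4")

# proto, src_ip, src_port, dst_ip, dst_port
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class Session:
    key: FlowKey
    nat_port: int
    last_seen: float


@dataclass
class SnatPool:
    """Model of one source-NAT pool entry: a single NAT address plus a port range."""
    nat_ip: str
    port_lo: int
    port_hi: int
    udp_idle: float
    sessions: Dict[FlowKey, Session] = field(default_factory=dict)
    ports_in_use: Dict[int, Session] = field(default_factory=dict)

    def expire(self, now: float) -> None:
        """Drop sessions idle longer than the profile timeout and free their NAT ports."""
        for key, s in list(self.sessions.items()):
            if now - s.last_seen >= self.udp_idle:
                del self.sessions[key]
                del self.ports_in_use[s.nat_port]

    def translate(self, key: FlowKey, now: float) -> Optional[Tuple[str, int]]:
        """Return (nat_ip, nat_port) for a flow, allocating a free pool port for a
        new flow. Returns None when every port in the range is already mapped."""
        self.expire(now)
        s = self.sessions.get(key)
        if s is not None:
            s.last_seen = now            # existing session: refresh the idle timer
            return (self.nat_ip, s.nat_port)
        for port in range(self.port_lo, self.port_hi + 1):
            if port not in self.ports_in_use:
                s = Session(key, port, now)
                self.sessions[key] = s
                self.ports_in_use[port] = s
                return (self.nat_ip, port)
        return None                      # pool exhausted: packet is dropped in this model


def policy_allows(proto: str, src_ip: str) -> bool:
    """Policy 1 entry 1: 'match protocol udp' with 'src-ip 192.168.1.2 to 192.168.1.4'
    and action nat; everything else falls to the zone default action (Reject)."""
    return proto == "udp" and POLICY_SRC_LO <= IPv4Address(src_ip) <= POLICY_SRC_HI


def run_demo() -> List[str]:
    pool = SnatPool(POOL_IP, POOL_PORT_LO, POOL_PORT_HI, UDP_IDLE_SECONDS)
    # Constructed sample packets: (time in seconds, proto, src_ip, src_port, dst_ip, dst_port).
    # The first three mirror the flows shown in the note's session table.
    packets = [
        (0.0, "udp", "192.168.1.2", 21000, "30.30.30.2", 63),
        (1.0, "udp", "192.168.1.3", 22000, "30.30.30.2", 63),
        (2.0, "udp", "192.168.1.4", 23000, "30.30.30.2", 63),
        (3.0, "udp", "192.168.1.2", 21000, "30.30.30.2", 63),    # same flow: mapping reused
        (4.0, "udp", "192.168.1.2", 21001, "30.30.30.2", 63),    # fourth flow: no free pool port
        (5.0, "tcp", "192.168.1.2", 21002, "30.30.30.2", 63),    # not UDP: default action reject
        (5.0, "udp", "192.168.1.9", 21003, "30.30.30.2", 63),    # outside src-ip range: reject
        (400.0, "udp", "192.168.1.2", 21001, "30.30.30.2", 63),  # after idle timeout: ports freed
    ]
    results: List[str] = []
    for t, proto, sip, sport, dip, dport in packets:
        if not policy_allows(proto, sip):
            results.append("reject")
            continue
        mapping = pool.translate((proto, sip, sport, dip, dport), t)
        results.append("drop:pool-exhausted" if mapping is None else f"{mapping[0]}:{mapping[1]}")
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The model allocates the lowest free pool port, which reproduces the 30000/30001/30002 assignments seen in the Verification section for the three IXIA hosts; the real allocation order on the device may differ.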

 

 

Verification:

 

Use <show security profile <profile-id> detail> to display the security profile information.

 

A:SARHC-66# show security profile 1 detail

 

===============================================================================

Security Profile

===============================================================================

Profile Id       : 1                                Applied        : Yes

Name             : DEFAULT

Description      : Default Session Profile

Timeouts         :                                  

  TCP Syn-Rcvd   : 15 sec                          

  TCP Transitory : 4 min                           

  TCP Established: 2 hrs 4 min                     

  TCP Time-Wait  : None                            

  UDP Initial    : 15 sec                          

  UDP Idle       : 5 min                           

  UDP DNS        : 15 sec                          

  ICMP Request   : 1 min                           

===============================================================================

 

Use <show security zone <zone-id> policy detail> to display the zone security policy information.

 

A:SARHC-66# show security zone 10 policy detail

 

===============================================================================

Security Zone

===============================================================================

Zone Id          : 10                               State          : Committed

Name             : (Not Specified)

===============================================================================

 

===============================================================================

Policy

===============================================================================

Policy Id        : 1                                Applied        : Yes

Name             : (Not Specified)

Scope            : Template                         Def. Action    : Reject

Entries          : 1                               

Description      : test policy

-------------------------------------------------------------------------------

Policy Match Criteria : IP

-------------------------------------------------------------------------------

Entry            : 1                                Active         : yes

Description      : (Not Specified)

Oper. Flags      : (Not Specified)

NAT Pool Id      : 10                              

Match            : INBOUND                         

Src. IP          : 192.168.1.2-192.168.1.4          Src. Port      : None

Dest. IP         : None                             Dst. Port      : None

Protocol         : udp                             

ICMP Type        : Undefined                        ICMP Code      : Undefined

Profile Id       : DEFAULT                         

Action           : nat                             

Active Matches   :                      3           Session Limit  : None

Total Matches    :                      6          

-------------------------------------------------------------------------------

Num of Entries: 1

===============================================================================

 

Use <show security zone <zone-id> nat pool <pool-id> detail> to display the zone NAT pool information.

 

A:SARHC-66# show security zone 10 nat pool 10 detail

 

===============================================================================

Security Zone

===============================================================================

Zone Id          : 10                               State          : Committed

Name             : (Not Specified)

===============================================================================

 

===============================================================================

NAT Pool

===============================================================================

Pool Id          : 10                               Direction      : INBOUND

Type             : source-nat                      

Name             : (Not Specified)

Description      : (Not Specified)

-------------------------------------------------------------------------------

Entry Id         : 10                              

IP Address       : to-68                            Port           : 30000..300*

-------------------------------------------------------------------------------

Num of Entries: 1

===============================================================================

 

 

Use <show security zone <zone-id> session> to display the active NAT session information for the zone.

 

A:SARHC-66# show security zone 10 session

 

===============================================================================

Security Zone

===============================================================================

Zone Id          : 10                               State          : Committed

Name             : (Not Specified)

===============================================================================

 

===============================================================================

Inbound Sessions

===============================================================================

Sess-Id                Source                       NAT Mapping               

  Proto  Action From     Destination                                          

-------------------------------------------------------------------------------

00000005 NAT    <Base> 192.168.1.2:21000            -> 10.66.68.1:30000       

  udp                    30.30.30.2:63                                        

00000006 NAT    <Base> 192.168.1.3:22000            -> 10.66.68.1:30001       

  udp                    30.30.30.2:63                                        

00000007 NAT    <Base> 192.168.1.4:23000            -> 10.66.68.1:30002       

  udp                    30.30.30.2:63                                        

-------------------------------------------------------------------------------

Num of Sessions: 3

===============================================================================

===============================================================================

Outbound Sessions

===============================================================================

Sess-Id                Source                       NAT Mapping                

  Proto  Action To       Destination                                          

-------------------------------------------------------------------------------

No Outbound Sessions

===============================================================================
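As a check on the session output above, the following added Python script (not part of this note and not 7705 SAR code) parses the Inbound Sessions table and verifies that every NAT mapping uses the pool address 10.66.68.1 and a port inside the configured range 30000 to 30002, and that no two sessions share a NAT port. The first sample text is copied from the output above; the second is constructed to show what a port collision and an out-of-range port look like to the check.

```python
import re
from typing import Dict, List

# Copied from the note's "show security zone 10 session" output (Inbound Sessions block).
SAMPLE_OUTPUT = """\
===============================================================================
Inbound Sessions
===============================================================================
Sess-Id                Source                       NAT Mapping
  Proto  Action From     Destination
-------------------------------------------------------------------------------
00000005 NAT    <Base> 192.168.1.2:21000            -> 10.66.68.1:30000
  udp                    30.30.30.2:63
00000006 NAT    <Base> 192.168.1.3:22000            -> 10.66.68.1:30001
  udp                    30.30.30.2:63
00000007 NAT    <Base> 192.168.1.4:23000            -> 10.66.68.1:30002
  udp                    30.30.30.2:63
-------------------------------------------------------------------------------
Num of Sessions: 3
===============================================================================
"""

# Constructed sample: session 00000009 reuses port 30000 and 0000000a uses a port
# outside the configured range. Not real device output.
BAD_SAMPLE = """\
00000008 NAT    <Base> 192.168.1.2:21000            -> 10.66.68.1:30000
  udp                    30.30.30.2:63
00000009 NAT    <Base> 192.168.1.3:22000            -> 10.66.68.1:30000
  udp                    30.30.30.2:63
0000000a NAT    <Base> 192.168.1.4:23000            -> 10.66.68.1:30003
  udp                    30.30.30.2:63
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# First line of a session: "<sess-id> <action> <<zone>> <src ip:port> -> <nat ip:port>"
SESSION_RE = re.compile(
    rf"^(?P<sid>[0-9A-Fa-f]{{8}})\s+(?P<action>\S+)\s+<(?P<from_zone>[^>]+)>\s+"
    rf"(?P<src_ip>{IP}):(?P<src_port>\d+)\s+->\s+(?P<nat_ip>{IP}):(?P<nat_port>\d+)\s*$"
)
# Second line of a session: "  <proto>   <dst ip:port>"
DEST_RE = re.compile(rf"^\s+(?P<proto>[a-z]+)\s+(?P<dst_ip>{IP}):(?P<dst_port>\d+)\s*$")


def parse_sessions(text: str) -> List[dict]:
    """Turn the two-line-per-session table into one record per session."""
    sessions: List[dict] = []
    pending = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            rec = {**pending, **m.groupdict()}
            for k in ("src_port", "nat_port", "dst_port"):
                rec[k] = int(rec[k])
            sessions.append(rec)
            pending = None
    return sessions


def audit_mappings(sessions: List[dict], pool_ip: str, port_lo: int, port_hi: int) -> List[str]:
    """Check each mapping against the configured pool entry: NAT address must be the
    pool address, NAT port must lie in the configured range, and no two sessions may
    share a NAT port (the port ID collision the note's explicit port range is meant to avoid)."""
    findings: List[str] = []
    owner: Dict[int, str] = {}
    for s in sessions:
        sid, nat_ip, nat_port = s["sid"], s["nat_ip"], s["nat_port"]
        if nat_ip != pool_ip:
            findings.append(f"{sid}: NAT address {nat_ip} is not the pool address {pool_ip}")
        if not port_lo <= nat_port <= port_hi:
            findings.append(f"{sid}: NAT port {nat_port} outside pool range {port_lo}-{port_hi}")
        if nat_port in owner:
            findings.append(f"{sid}: NAT port {nat_port} already used by session {owner[nat_port]}")
        else:
            owner[nat_port] = sid
    return findings


if __name__ == "__main__":
    for name, text in (("note output", SAMPLE_OUTPUT), ("constructed sample", BAD_SAMPLE)):
        findings = audit_mappings(parse_sessions(text), "10.66.68.1", 30000, 30002)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  " + f)
```

The parser is written for the column layout shown in this note; a different software release may format the session table differently, so check the regular expressions against your own output before relying on the result.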

 

Use <show security zone <zone-id> session <session-id> detail> to display detailed information for a NAT session.

 

A:SARHC-66# show security zone 10 session 5 detail

 

===============================================================================

Security Zone

===============================================================================

Zone Id          : 10                               State          : Committed

Name             : (Not Specified)

===============================================================================

 

===============================================================================

Security Session Details

===============================================================================

Session Id    : 5                       Action        : NAT

Created       : 01/01/2000 22:18:34    

Protocol      : udp                    

State         : UDP-ESTABLISHED         Timeout       : 300 seconds

 

Source        :                         Destination   : 

  Zone        : <BASE>                    Zone        : 10

  Ip-Address  : 192.168.1.2               Ip-Address  : 30.30.30.2

  Port        : 21000                     Port        : 63

 

-------------------------------------------------------------------------------

Session Security Trace               

-------------------------------------------------------------------------------

[INGRESS] IES-100:to-ixia 

  [ZONE-10] INBOUND-PLCY:1 Profile:1 Action:nat

  [ACTION] SRC-NAT:  192.168.1.2:21000 -> 10.66.68.1:30000

[EGRESS] Base:to-68 <ZONE-10>

===============================================================================

 

Use <show security zone <zone-id> session <session-id> statistics> to display the statistics of a specific NAT session.

 

A:SARHC-66# show security zone 10 session 5 statistics

 

===============================================================================

Security Zone

===============================================================================

Zone Id          : 10                               State          : Committed

Name             : (Not Specified)

===============================================================================

 

===============================================================================

Session 5 Traffic Statistics

===============================================================================

                                                 Forward                Reverse

-------------------------------------------------------------------------------

Passed                                                                        

  Packets                                          14810                  14811

  Octets                                          681260                 681306

===============================================================================