13. Multiservice Integrated Service Adapter and Extended Services Appliance

The 7705 SAR-Hm series of routers supports the Multiservice Integrated Service Adapter (MS-ISA) and Extended Services Appliance functionality described in the following sections.

13.1. IP Tunnels

This section describes the IP tunnel functionality supported on the 7705 SAR-Hm series of routers.

For general information on IP tunnel support, refer to the topics listed below in the “IP Tunnels” chapter of the 7450 ESS, 7750 SR, and VSR Multiservice Integrated Service Adapter and Extended Services Appliance Guide.

  1. IP Tunnels Overview
    1. Tunnel ISAs
    2. Operational Conditions
    3. Statistics Collection
    4. Security
    5. IKEv2
    6. SHA2 Support
    7. IPSec Client Lockout
    8. IPSec Tunnel CHILD_SA Rekey
    9. Multiple IKE/ESP Transform Support
  2. X.509v3 Certificate Overview
  3. Using Certificates for IPSec Tunnel Authentication
  4. Trust-Anchor-Profile
  5. Cert-Profile
  6. Certificate Management Protocol Version 2 (CMPv2)
  7. OCSP
  8. IPSec Deployment Requirements
  9. IKEv2 Remote-Access Tunnel
  10. Secured Interface
  11. Configuring IPSec with CLI
  12. IP Tunnel Command Reference

To configure and enable IP tunnels, the virtualized tunnel ISA MDA (isa-tunnel-v) must be configured in slot 5 on the router. Refer to the 7705 SAR-Hm and SAR-Hmc Interface Configuration Guide for information.

13.1.1. IPSec Secured Interface over Cellular

The 7705 SAR-Hm series of routers supports IPSec secured interfaces over cellular interfaces.

Figure 17 shows an example of an IPSec secured interface deployment over a cellular interface in a dual SIM environment.

Figure 17:  IPSec Secured Interface over a Cellular Interface 

With IPSec secured interfaces, static IPSec tunnels can be created under the PDN router interface associated with each SIM. When the SIM is active and the node attaches to the cellular network, the PDN router interface becomes operational. At that time, the IPSec secured interface tunnels configured on the interface begin to establish towards the security gateway they are configured to connect to. When a tunnel is established, data traffic traverses the IPSec secured interface. In Figure 17, only the pair of tunnels associated with the active SIM is operational.

The tunnel pair on the second PDN router interface is kept down and becomes operational when the second SIM becomes active.

Each IPSec secured interface tunnel is associated with one service. The supported service types are IES and VPRN.

Each service that needs to be secured over the PDN router interface must be configured with its own IPSec secured interface tunnel. For example, if VPRN1, VPRN2, and VPRN3 all need to be secured, then three different IPSec secured interfaces are required, one for each service.

IPSec secured interface is supported on IPv4 and IPv6 PDN router interfaces.

The CLI output below shows an example of an IPSec secured interface configured on an IPv6 PDN router interface. Note that the ike-transform in this example uses des as the ike-encryption-algorithm; DES is a deprecated 56-bit cipher, and a production deployment should select one of the AES options for IKE, as the ipsec-transform in the same example already does for ESP.

#--------------------------------------------------
echo "ISA Configuration"
#--------------------------------------------------
    isa
        tunnel-group 1 isa-scale-mode tunnel-limit-32 create
            reassembly 2000
            multi-active
            mda 1/5
            no shutdown
        exit
    exit
#--------------------------------------------------
echo "Router (Network Side) Configuration"
#--------------------------------------------------
    router Base
        interface "lte-interface1" pdn
            port 1/1/1
            ip-mtu 1500
            ipv6
            exit
            no shutdown
        exit
#--------------------------------------------------
echo "IPsec Configuration"
#--------------------------------------------------
    ipsec
        ike-transform 1 create
            dh-group 21
            ike-auth-algorithm sha384
            ike-encryption-algorithm des
        exit
        ike-policy 1 create
            ike-version 2
            dpd interval 10
            ike-transform 1
        exit
        ipsec-transform 1 create
            esp-auth-algorithm auth-encryption
            esp-encryption-algorithm aes256-gcm8
        exit
    exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        vprn 1 name "vprn1" customer 1 create
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-v6-ip 463c:f068:d815:e0ee:7ecf:5660::/96
                        remote-v6-ip c97e:a8fa:1785:52d7:9bb8:9b3b::/96
                    exit
                    entry 2 create
                        local-v6-ip 463c:f068:d815:e0ee:7ecf:5661::/96
                        remote-v6-ip c97e:a8fa:1785:52d7:9bb8:9b3c::/96
                    exit
                exit
            exit
            route-distinguisher 1.1.1.1:52
            static-route-entry c97e:a8fa:1785:52d7:9bb8::/80
                ipsec-tunnel "tunnel1-vprn1"
                    no shutdown
                exit
            exit
            no shutdown
        exit
    exit
#--------------------------------------------------
echo "Router (Service Side) Configuration"
#--------------------------------------------------
    router Base
        interface "lte-interface1" pdn
            ipsec tunnel-group 1 public-sap 1
                ipsec-tunnel "tunnel1-vprn1" private-sap 1 private-service-name "vprn1" create
                    encapsulated-ip-mtu 1300
                    remote-gateway-address 2001:90:10:3::2
                    security-policy 1
                    dynamic-keying
                        ike-policy 1
                        pre-shared-key "2KMbfx1sfSVdLxLEJsuVhs/hfa42V3XyCZMLyubX" hash2
                        transform 1
                    exit
                    no shutdown
                exit
                no shutdown
            exit
        exit
    exit
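Before committing a configuration like the one above, a reviewer wants a mechanical check that the IKE and ESP transforms do not carry a weak cipher, hash or DH group. The following script is an added example, not code from the 7705 SAR-Hm guide or from Nokia: it parses the ike-transform, ike-policy and ipsec-transform blocks of the classic-CLI fragment shown on this page and flags weak settings. The sample input is the page's own transform configuration (with the des IKE cipher as shown); the thresholds, the block names, and the aes256 keyword used in the hardened variant are the editor's assumptions.

```python
"""Lint an SR OS-style IPSec configuration fragment for weak settings.

Added example (not from the 7705 SAR-Hm guide): a small parser for the
indented classic-CLI blocks shown on this page, plus the checks a reviewer
would run before accepting an ike-transform / ipsec-transform pair.
The thresholds below are the editor's choices, not SR OS defaults.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the transform/policy part of the page's example,
# including the weak 'des' IKE cipher exactly as the page shows it.
SAMPLE_CONFIG = """\
    ipsec
        ike-transform 1 create
            dh-group 21
            ike-auth-algorithm sha384
            ike-encryption-algorithm des
        exit
        ike-policy 1 create
            ike-version 2
            dpd interval 10
            ike-transform 1
        exit
        ipsec-transform 1 create
            esp-auth-algorithm auth-encryption
            esp-encryption-algorithm aes256-gcm8
        exit
    exit
"""

# Hardened variant: the same fragment with an AES IKE cipher. The keyword
# 'aes256' is assumed here to be a valid ike-encryption-algorithm option.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "ike-encryption-algorithm des", "ike-encryption-algorithm aes256")

# Assumed review policy (editor's thresholds, not values from the guide).
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5", "sha1"}
MIN_DH_GROUP = 14
MIN_IKE_VERSION = 2
BLOCK_RE = re.compile(r"^(ike-transform|ipsec-transform|ike-policy)\s+(\S+)\s+create$")


def parse_blocks(text: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Parse '<kind> <id> create ... exit' blocks into {(kind, id): {key: value}}.

    Only one level of nesting below 'ipsec' is handled, which is all the
    sample needs. Each leaf line is split into its first token and the rest.
    """
    blocks: Dict[Tuple[str, str], Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "ipsec":
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = {}
        elif line == "exit":
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            blocks[current][key] = value.strip()
    return blocks


def lint(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for (kind, ident), params in parse_blocks(text).items():
        where = f"{kind} {ident}"
        if kind == "ike-transform":
            enc = params.get("ike-encryption-algorithm", "")
            auth = params.get("ike-auth-algorithm", "")
            dh = int(params.get("dh-group", "0") or 0)
            if enc in WEAK_CIPHERS:
                findings.append(f"{where}: weak IKE cipher '{enc}'")
            if auth in WEAK_HASHES:
                findings.append(f"{where}: weak IKE integrity '{auth}'")
            if dh < MIN_DH_GROUP:
                findings.append(f"{where}: dh-group {dh} below {MIN_DH_GROUP}")
        elif kind == "ipsec-transform":
            enc = params.get("esp-encryption-algorithm", "")
            auth = params.get("esp-auth-algorithm", "")
            if enc in WEAK_CIPHERS:
                findings.append(f"{where}: weak ESP cipher '{enc}'")
            # AEAD (GCM) ciphers carry their own integrity; otherwise a strong
            # esp-auth-algorithm must be present.
            aead = enc.endswith(("gcm8", "gcm12", "gcm16"))
            if not aead and (auth == "" or auth in WEAK_HASHES):
                findings.append(f"{where}: ESP integrity '{auth or 'none'}' weak or missing")
        elif kind == "ike-policy":
            if int(params.get("ike-version", "1")) < MIN_IKE_VERSION:
                findings.append(f"{where}: IKEv1 in use; require IKEv2")
            if "dpd" not in params:
                findings.append(f"{where}: no dead peer detection configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page example", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", lint(cfg) or "no findings")
```

Run against the page's fragment the only finding is the des IKE cipher; the ESP side passes because aes256-gcm8 is an AEAD cipher and needs no separate integrity algorithm. Extending the policy (for example, requiring a 16-byte GCM ICV) is a matter of adding a condition in lint.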

13.2. Network Address Translation

This section describes the Network Address Translation (NAT) functionality supported on the 7705 SAR-Hm series of routers.

NAT runs on a single virtual ISA configured on the node. For general information on NAT support, refer to the topics listed below in “Network Address Translation” in the 7450 ESS, 7750 SR, and VSR Multiservice Integrated Service Adapter and Extended Services Appliance Guide.

  1. Terminology
  2. Network Address Translation (NAT) Overview
  3. Large Scale NAT
  4. One-to-One (1:1) NAT
  5. NAT Logging
    1. Syslog/SNMP/Local-File Logging
    2. SNMP Trap Logging
    3. NAT Syslog
  6. ISA Feature Interactions
    1. MS-ISA Use with Service Mirrors
  7. Configuring NAT

13.2.1. NAT with Static Port Forwarding

With NAT, the source IP address and the port of the host on the private side (inside) of the network are translated to an external IP address and port on the public side (outside) of the network. The IP address on the inside can be assigned to a raw socket IP host connected to an RS-232 serial interface or assigned to an IP interface associated with an Ethernet port.

Static port forwarding is configured on the CLI using the following parameters:

  1. inside IP address
  2. inside port
  3. outside IP address
  4. outside port
  5. protocol

Figure 18 shows an example of a network with a 7705 SAR-Hm series node configured to use NAT with static port forwarding.

Figure 18:  NAT with Static Port Forwarding 

In the scenario shown above, the “RTU” VPRN service is inside and the “SCADA” VPRN service is outside. The “RTU” VPRN contains two IP transport services, one for each connected device. For information about IP transport services, see IP Transport Services and also refer to “Serial Transport over Raw Sockets” in the 7705 SAR-Hm and SAR-Hmc Interface Configuration Guide.

Figure 18 shows specific values for the inside IP address and port and outside IP address and port. The cellular interface of the node is used as the network-facing interface to transport the outside VPRN traffic.

When a packet is sent from the SCADA master to the node over the LTE network, it is carried within the outside “SCADA” VPRN service towards the node. The node sends the packet to the BB-ISA MDA, which applies the NAT function defined by the configured NAT policy. The packet is then processed by the inside “RTU” VPRN service and delivered to the corresponding IP transport service.

When a packet is sent from the RTU towards the SCADA master, the inside “RTU” VPRN service sends the packet to the BB-ISA MDA, where the NAT policy translates the inside IP address and port to the outside IP address and port. The BB-ISA MDA then sends the packet to the outside “SCADA” VPRN service, which routes it over the cellular interface.

The steps and CLI outputs below show the configuration of NAT with static port forwarding based on Figure 18.

  1. Configure NAT on the BB-ISA MDA:
    config
         isa
            nat-group 1
                  mda 1/6
  2. Configure the inside “RTU” VPRN (1) service for the inside static port forwarding NAT function:
    config
         service
              vprn 1
                 interface 'rtu1'
                     address 192.168.0.1/32
                     loopback
                 interface 'rtu2'
                     address 192.168.0.2/32
                     loopback
                 ip-transport 1/3/1
                     local-host ip-addr 192.168.0.1 port-num 2000 protocol udp
                     remote-host ip-addr 1.2.3.4 port-num 1000 protocol udp
                 ip-transport 1/3/2
                     local-host ip-addr 192.168.0.2 port-num 2000 protocol udp
                     remote-host ip-addr 1.2.3.4 port-num 1000 protocol udp

    config
         service
              vprn 1
                 nat
                     inside
                         destination-prefix 1.2.3.4/24
                         nat-policy 'sar-hm-1'

    config
         service
               nat
                    nat-policy 'sar-hm-1'
                         pool 'pool-name-1' router 2
                    port-forwarding
                        lsn router 1 ip 192.168.0.1 protocol udp port 2000 outside-ip 10.0.0.1 outside-port 100 nat-policy "sar-hm-1"
                        lsn router 1 ip 192.168.0.2 protocol udp port 2000 outside-ip 10.0.0.1 outside-port 101 nat-policy "sar-hm-1"
  3. Configure the outside “SCADA” VPRN (2) service for the outside static port forwarding NAT function:
    config
         service
              vprn 2
                 interface 'Outside_RTU'
                    address 10.0.0.1/32
                    loopback
                 nat
                    outside
                        pool 'pool-name-1' nat-group 1 type large-scale
                            address-range 10.0.0.1 10.0.0.1 create
                            port-forwarding-range 30000
                            port-reservation ports 1000
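The security property of static port forwarding is that the only inbound path from the outside VPRN to a device in the inside VPRN is the explicitly configured outside IP/port/protocol tuple; anything else arriving at the outside address is dropped by the ISA. The following script is an added example, not code from the 7705 SAR-Hm guide or from Nokia: it models the two lookup tables that static port forwarding implies, replays the packet walk described above (SCADA master to RTU and back) with the addresses from Figure 18, and validates a forwarding table the way a reviewer would before committing the lsn port-forwarding commands. The class and function names are the editor's; the port-range check assumes only that an outside port must lie between 1 and the pool's port-forwarding-range (30000 on this page) and does not model well-known-port handling.

```python
"""Model of NAT with static port forwarding as described on this page.

Added example (not from the 7705 SAR-Hm guide). Addresses and ports come
from Figure 18; the data model and checks are the editor's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Forward:
    """One static port forward: inside tuple <-> outside tuple."""
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    protocol: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


# Constructed from Figure 18: two RTUs behind one outside address, each
# reachable on its own outside port.
FORWARDS = [
    Forward("192.168.0.1", 2000, "10.0.0.1", 100, "udp"),
    Forward("192.168.0.2", 2000, "10.0.0.1", 101, "udp"),
]
SCADA_MASTER = ("1.2.3.4", 1000)


def validate(forwards: List[Forward], range_end: int) -> List[str]:
    """Reject duplicate outside tuples and ports outside 1..range_end.

    Assumption: outside ports must not exceed the pool's
    port-forwarding-range; well-known-port handling is not modelled.
    """
    problems: List[str] = []
    seen: Dict[Tuple[str, int, str], Forward] = {}
    for f in forwards:
        key = (f.outside_ip, f.outside_port, f.protocol)
        if key in seen:
            prev = seen[key]
            problems.append(f"{key} already mapped to {prev.inside_ip}:{prev.inside_port}")
        seen[key] = f
        if not 1 <= f.outside_port <= range_end:
            problems.append(f"outside port {f.outside_port} not in 1..{range_end}")
    return problems


class StaticNat:
    """Inbound table keyed on the outside tuple, outbound on the inside tuple."""

    def __init__(self, forwards: List[Forward]):
        self.inbound = {(f.outside_ip, f.outside_port, f.protocol): f for f in forwards}
        self.outbound = {(f.inside_ip, f.inside_port, f.protocol): f for f in forwards}

    def from_outside(self, pkt: Packet) -> Optional[Packet]:
        """SCADA -> RTU: rewrite the destination, or drop (None) if no forward matches."""
        f = self.inbound.get((pkt.dst_ip, pkt.dst_port, pkt.protocol))
        if f is None:
            return None  # unsolicited inbound traffic has no hole to pass through
        return Packet(pkt.src_ip, pkt.src_port, f.inside_ip, f.inside_port, pkt.protocol)

    def from_inside(self, pkt: Packet) -> Optional[Packet]:
        """RTU -> SCADA: rewrite the source to the outside address and port."""
        f = self.outbound.get((pkt.src_ip, pkt.src_port, pkt.protocol))
        if f is None:
            return None  # dynamic (non-forwarded) hosts are not modelled here
        return Packet(f.outside_ip, f.outside_port, pkt.dst_ip, pkt.dst_port, pkt.protocol)


def cli_lines(forwards: List[Forward], inside_router: int, policy: str) -> List[str]:
    """Emit one lsn port-forwarding command per forward, in the page's syntax."""
    return [
        f'lsn router {inside_router} ip {f.inside_ip} protocol {f.protocol} port {f.inside_port} '
        f'outside-ip {f.outside_ip} outside-port {f.outside_port} nat-policy "{policy}"'
        for f in forwards
    ]


if __name__ == "__main__":
    nat = StaticNat(FORWARDS)
    print(validate(FORWARDS, 30000))
    print(nat.from_outside(Packet(*SCADA_MASTER, "10.0.0.1", 100, "udp")))
    print(nat.from_outside(Packet(*SCADA_MASTER, "10.0.0.1", 102, "udp")))
    print(nat.from_inside(Packet("192.168.0.2", 2000, *SCADA_MASTER, "udp")))
    print("\n".join(cli_lines(FORWARDS, 1, "sar-hm-1")))
```

A packet from the SCADA master to 10.0.0.1:100/udp is rewritten to 192.168.0.1:2000, one to 10.0.0.1:102/udp (or to port 100 over tcp) is dropped, and the return packet from RTU2 leaves with source 10.0.0.1:101. The validate function catches the two mistakes most likely in a hand-maintained table: two RTUs mapped to the same outside port, and a port beyond the pool's port-forwarding-range.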

13.2.2. NAT Command Reference

The 7705 SAR-Hm series of routers supports the NAT commands listed in this section. For command descriptions, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide.

13.2.2.1. ISA Configuration Commands

config
— isa
nat-group nat-group-id [create]
— no nat-group nat-group-id
active-mda-limit number
— no active-mda-limit
description description-string
— no description
[no] mda mda-id
[no] shutdown
[no] suppress-lsn-events
[no] suppress-lsn-sub-blks-free

13.2.2.2. NAT Service Configuration Commands

configure
— service
— nat
nat-policy nat-policy-name [create]
— no nat-policy nat-policy-name
block-limit [1..40]
— no block-limit
description description-string
— no description
filtering filtering-mode
— no filtering
pool nat-pool-name service-name service-name
pool nat-pool-name router router-instance
— no pool
port-limits
forwarding limit
— no forwarding
watermarks high percentage-high low percentage-low
— no watermarks
session-limits
max num-sessions
— no max
watermarks high percentage-high low percentage-low
— no watermarks
[no] timeouts
icmp-query [min minutes] [sec seconds]
— no icmp-query
tcp-established [hrs hours] [min minutes] [sec seconds]
— no tcp-established
tcp-rst [min minutes] [sec sec]
— no tcp-rst
tcp-syn [hrs hours] [min minutes] [sec seconds]
— no tcp-syn
tcp-time-wait [min minutes] [sec seconds]
— no tcp-time-wait
tcp-transitory [hrs hours] [min minutes] [sec seconds]
— no tcp-transitory
udp [hrs hours] [min minutes] [sec seconds]
— no udp
udp-dns [hrs hours] [min minutes] [sec seconds]
— no udp-dns
udp-initial [min minutes] [sec seconds]
— no udp-initial
[no] udp-inbound-refresh
port-forwarding
lsn router router-instance [b4 ipv6-address] [aftr ipv6-address] ip ip-address protocol {tcp | udp} [port port] [outside-ip ipv4-address] [outside-port port] [nat-policy nat-policy-name]
— no lsn router router-instance [b4 ipv6-address] ip ip-address protocol {tcp | udp} port port [nat-policy nat-policy-name]

13.2.2.3. NAT VPRN Commands

config
— service
— vprn service-id customer cust-id create
[no] nat
— inside
— classic-lsn-max-subscriber-limit max
— no classic-lsn-max-subscriber-limit
destination-prefix ip-prefix/length [nat-policy nat-policy-name]
— no destination-prefix ip-prefix/length
deterministic
prefix ip-prefix/length subscriber-type nat-sub-type nat-policy nat-policy-name [create]
prefix ip-prefix/length subscriber-type nat-sub-type
— no prefix ip-prefix/length subscriber-type nat-sub-type
map start lsn-sub-address end lsn-sub-address to outside-ip-address
— no map start lsn-sub-address end lsn-sub-address
[no] shutdown
nat-policy nat-policy-name
— no nat-policy
outside
mtu value
— no mtu
pool nat-pool-name nat-group nat-group-id type pool-type [applications applications] [create]
— no pool nat-pool-name
address-range start-ip-address end-ip-address [create]
— no address-range start-ip-address end-ip-address
description description-string
— no description
[no] drain
description description-string
— no description
mode {auto | napt | one-to-one}
— no mode
port-forwarding-range range-end
— no port-forwarding-range
port-reservation blocks num-blocks
port-reservation ports num-ports
— no port-reservation
subscriber-limit limit
— no subscriber-limit
watermarks high percentage-high low percentage-low
— no watermarks

13.2.2.4. NAT Persistence Commands

The 7705 SAR-Hm series of routers supports the persistence commands listed in this section. For command descriptions, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide.

config
— system
persistence
nat-port-forwarding
description description-string
— no description
location cflash-id
— no location

13.2.2.5. NAT IPv4 Filter Policy Commands

The 7705 SAR-Hm series of routers supports the NAT IPv4 filter policy commands listed in this section. For command descriptions, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide.

config
— filter
ip-filter filter-id [name filter-name] [create]
— no ip-filter {filter-id | filter-name}
entry entry-id [create]
— no entry entry-id
[no] action [secondary]
nat [nat-policy nat-policy-name]

13.2.2.6. NAT Routing Protocol Commands

The 7705 SAR-Hm series of routers supports the NAT routing protocol commands listed in this section. For command descriptions, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Classic CLI Command Reference Guide.

config
— router
[no] policy-options
[no] policy-statement name
entry entry-id [create]
— no entry entry-id
[no] from
— protocol protocol [all | instance instance]
— no protocol