3.2.18. cg-nat

Note

requires a Turbo CG-NAT Application License.

CG-NAT configuration.

vrouter running config# vrf <vrf> cg-nat

enabled

Enable/disable CG-NAT in this VRF.

vrouter running config# vrf <vrf> cg-nat
vrouter running cg-nat# enabled true|false
Default value
true

alg

Application-Level Gateway.

vrouter running config# vrf <vrf> cg-nat
vrouter running cg-nat# alg ALG

ALG values

Description

ftp

ALG for File Transfer Protocol.

h323-q931

ALG for H.225.0 Call Signaling Protocol.

h323-ras

ALG for H.225.0 Registration, Admission and Status Protocol.

pptp

ALG for Point-to-Point Tunneling Protocol.

rtsp

ALG for Real Time Streaming Protocol.

sip-tcp

ALG for Session Initiation Protocol over TCP.

sip-udp

ALG for Session Initiation Protocol over UDP.

tftp

ALG for Trivial File Transfer Protocol.

dns-udp

ALG for Domain Name System.

pool

Pools of IP addresses for the CG-NAT rules.

vrouter running config# vrf <vrf> cg-nat pool <string>

<string>

Pool name.

address

IPv4 addresses in the pool.

vrouter running config# vrf <vrf> cg-nat pool <string>
vrouter running pool <string># address ADDRESS

ADDRESS values

Description

<ipv4-address>

An IPv4 address.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv4-range>

An IPv4 address range, in the form addr4-addr4.

block-size (mandatory)

Number of ports that will be assigned to a given user.

vrouter running config# vrf <vrf> cg-nat pool <string>
vrouter running pool <string># block-size <uint32>

port-range

Range of ports used for each address of the pool.

vrouter running config# vrf <vrf> cg-nat pool <string>
vrouter running pool <string># port-range START END

START

Port range start.

START

START

A 16-bit port number used by a transport protocol such as TCP or UDP.

END

Port range end.

END

END

A 16-bit port number used by a transport protocol such as TCP or UDP.

rule

List of CG-NAT rules.

vrouter running config# vrf <vrf> cg-nat rule <uint16>

<uint16>

Id and priority of the rule. Higher number means lower priority.

match

Match parameters.

vrouter running config# vrf <vrf> cg-nat rule <uint16> match

outbound-interface (mandatory)

Interface to match on outbound.

vrouter running config# vrf <vrf> cg-nat rule <uint16> match
vrouter running match# outbound-interface OUTBOUND-INTERFACE

OUTBOUND-INTERFACE

An interface name.

source

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> match source
address

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> match source
vrouter running source# address ADDRESS

ADDRESS

An IPv4 prefix: address and CIDR mask.

translate-to

Translate to.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to

pool-name (mandatory)

Name of IP address pool used for translation.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# pool-name <leafref>

max-conntracks-per-user

Maximum number of conntracks assigned to a user. When set to 0, the number of conntracks is not limited.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# max-conntracks-per-user <uint32>

max-blocks-per-user

Maximum number of port blocks assigned to a user.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# max-blocks-per-user <uint16>

active-block-timeout

Interval during which the the current block is used to allocate sessions. When set to 0, the current block is always used.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# active-block-timeout <uint16>

user-timeout

Interval during which the current block remains active after all user flows have expired.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# user-timeout <uint16>

port-algo

Port allocation algorithm for new mappings.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# port-algo PORT-ALGO

PORT-ALGO values

Description

parity

Preserve port parity: an even port will be mapped to an even port, and an odd port will be mapped to an odd port.

random

Choose port randomly.

endpoint-mapping

NAT endpoint mapping behavior.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# endpoint-mapping ENDPOINT-MAPPING

ENDPOINT-MAPPING values

Description

dependent

Reuse port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port.

independent

Reuse the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.

endpoint-filtering

NAT endpoint filtering behavior.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# endpoint-filtering ENDPOINT-FILTERING

ENDPOINT-FILTERING values

Description

dependent

Inbound packets from external endpoints are filtered out if they don’t fully match an existing mapping (IP/port src/dst).

independent

Inbound packets from external endpoints are filtered out only if their destination IP address and port don’t match an existing mapping (IP/port src can differ).

hairpinning

Enable communication between two hosts on the internal network, using their mapped endpoint.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# hairpinning true|false

conntrack

Conntrack options.

vrouter running config# vrf <vrf> cg-nat conntrack

behavior

Specific TCP options.

vrouter running config# vrf <vrf> cg-nat conntrack
vrouter running conntrack# behavior <behavior> enabled true|false

<behavior> values

Description

tcp-window-check

TCP window check.

tcp-rst-strict-order

TCP rst strict order.

enabled (mandatory)

Enable option.

enabled true|false

timeouts

Timeouts for the different events/protocols.

vrouter running config# vrf <vrf> cg-nat conntrack timeouts

icmp

Conntrack options for ICMP.

vrouter running config# vrf <vrf> cg-nat conntrack timeouts
vrouter running timeouts# icmp <icmp> <uint32>

<icmp> values

Description

new

State NEW.

established

State ESTABLISHED.

closed

State CLOSED.
<uint32> (mandatory)

Timeout in seconds.

<uint32>

udp

Conntrack options for UDP.

vrouter running config# vrf <vrf> cg-nat conntrack timeouts
vrouter running timeouts# udp <udp> <uint32>

<udp> values

Description

new

State NEW.

established

State ESTABLISHED.

closed

State CLOSED.
<uint32> (mandatory)

Timeout in seconds.

<uint32>

gre-pptp

Conntrack options for GRE-PPTP.

vrouter running config# vrf <vrf> cg-nat conntrack timeouts
vrouter running timeouts# gre-pptp <gre-pptp> <uint32>

<gre-pptp> values

Description

new

State NEW.

established

State ESTABLISHED.

closed

State CLOSED.
<uint32> (mandatory)

Timeout in seconds.

<uint32>

tcp

Conntrack options for TCP.

vrouter running config# vrf <vrf> cg-nat conntrack timeouts
vrouter running timeouts# tcp <tcp> <uint32>

<tcp> values

Description

syn-sent

State SYN-SENT.

simsyn-sent

State SIMSYN-SENT.

syn-received

State SYN-RECEIVED.

established

State ESTABLISHED.

fin-sent

State FIN-SENT.

fin-received

State FIN-RECEIVED.

closed

State CLOSED.

close-wait

State CLOSE-WAIT.

fin-wait

State FIN-WAIT.

last-ack

State LAST-ACK.

time-wait

State TIME-WAIT.
<uint32> (mandatory)

Timeout in seconds.

<uint32>

logging

CG-NAT log configuration.

vrouter running config# vrf <vrf> cg-nat logging

enabled

Enable log.

vrouter running config# vrf <vrf> cg-nat logging
vrouter running logging# enabled true|false