3.2.18. cg-nat

Note

requires a Turbo CG-NAT Application License.

CG-NAT configuration.

vrouter running config# vrf <vrf> cg-nat

enabled

Enable/disable CG-NAT in this VRF.

vrouter running config# vrf <vrf> cg-nat
vrouter running cg-nat# enabled true|false
Default value
true

alg

Application-Level Gateway.

vrouter running config# vrf <vrf> cg-nat
vrouter running cg-nat# alg ALG

ALG values

Description

ftp

ALG for File Transfer Protocol.

h323-q931

ALG for H.225.0 Call Signaling Protocol.

h323-ras

ALG for H.225.0 Registration, Admission and Status Protocol.

pptp

ALG for Point-to-Point Tunneling Protocol.

rtsp

ALG for Real Time Streaming Protocol.

sip-tcp

ALG for Session Initiation Protocol over TCP.

sip-udp

ALG for Session Initiation Protocol over UDP.

tftp

ALG for Trivial File Transfer Protocol.

dns-udp

ALG for Domain Name System.

pool

Pools of IP addresses for the CG-NAT rules.

vrouter running config# vrf <vrf> cg-nat pool <string>

<string>

Pool name.

address

IPv4 addresses in the pool.

vrouter running config# vrf <vrf> cg-nat pool <string>
vrouter running pool <string># address ADDRESS

ADDRESS values

Description

<ipv4-address>

An IPv4 address.

<ipv4-prefix>

An IPv4 prefix: address and CIDR mask.

<ipv4-range>

An IPv4 address range, in the form addr4-addr4.

block-size (mandatory)

Number of ports that will be assigned to a given user.

vrouter running config# vrf <vrf> cg-nat pool <string>
vrouter running pool <string># block-size <uint32>

port-range

Range of ports used for each address of the pool.

vrouter running config# vrf <vrf> cg-nat pool <string>
vrouter running pool <string># port-range START END

START

Port range start.

START

START

A 16-bit port number used by a transport protocol such as TCP or UDP.

END

Port range end.

END

END

A 16-bit port number used by a transport protocol such as TCP or UDP.

rule

List of CG-NAT rules.

vrouter running config# vrf <vrf> cg-nat rule <uint16>

<uint16>

Id and priority of the rule. Higher number means lower priority.

dynamic-snat44

Dynamic source NAT44 translation.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44

match

Match parameters.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 match
outbound-interface (mandatory)

Interface to match on outbound.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 match
vrouter running match# outbound-interface OUTBOUND-INTERFACE

OUTBOUND-INTERFACE

An interface name.
source

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 match source
ipv4-address

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 match source
vrouter running source# ipv4-address IPV4-ADDRESS

IPV4-ADDRESS

An IPv4 prefix: address and CIDR mask.

translate-to

Translate to.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 translate-to
pool-name (mandatory)

Name of IP address pool used for translation.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 translate-to
vrouter running translate-to# pool-name <leafref>
max-conntracks-per-user

Maximum number of conntracks assigned to a user. When set to 0, the number of conntracks is not limited.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 translate-to
vrouter running translate-to# max-conntracks-per-user <uint32>
max-blocks-per-user

Maximum number of port blocks assigned to a user.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 translate-to
vrouter running translate-to# max-blocks-per-user <uint16>
active-block-timeout

Interval during which the the current block is used to allocate sessions. When set to 0, the current block is always used.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 translate-to
vrouter running translate-to# active-block-timeout <uint16>
user-timeout

Interval during which the current block remains active after all user flows have expired.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 translate-to
vrouter running translate-to# user-timeout <uint16>
port-algo

Port allocation algorithm for new mappings.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 translate-to
vrouter running translate-to# port-algo PORT-ALGO

PORT-ALGO values

Description

parity

Preserve port parity: an even port will be mapped to an even port, and an odd port will be mapped to an odd port.

random

Choose port randomly.
endpoint-mapping

NAT endpoint mapping behavior.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 translate-to
vrouter running translate-to# endpoint-mapping ENDPOINT-MAPPING

ENDPOINT-MAPPING values

Description

dependent

Reuse port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port.

independent

Reuse the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
endpoint-filtering

NAT endpoint filtering behavior.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 translate-to
vrouter running translate-to# endpoint-filtering ENDPOINT-FILTERING

ENDPOINT-FILTERING values

Description

dependent

Inbound packets from external endpoints are filtered out if they don’t fully match an existing mapping (IP/port src/dst).

independent

Inbound packets from external endpoints are filtered out only if their destination IP address and port don’t match an existing mapping (IP/port src can differ).
hairpinning

Enable communication between two hosts on the internal network, using their mapped endpoint.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 translate-to
vrouter running translate-to# hairpinning true|false
address-pooling

CG-NAT Address Pooling mode.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat44 translate-to
vrouter running translate-to# address-pooling ADDRESS-POOLING

ADDRESS-POOLING values

Description

paired

In paired mode, the same IP of the pool is used to translate all the sessions originating from the same CPE.

no-paired

In no-paired mode, different IPs of the pool can be used to translate different sessions originating from the same CPE.

dynamic-snat64

Dynamic source NAT64 translation.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64

match

Match parameters.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 match
outbound-interface (mandatory)

Interface to match on outbound.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 match
vrouter running match# outbound-interface OUTBOUND-INTERFACE

OUTBOUND-INTERFACE

An interface name.
source

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 match source
ipv6-address

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 match source
vrouter running source# ipv6-address IPV6-ADDRESS

IPV6-ADDRESS

An IPv6 prefix: address and CIDR mask.

translate-to

Translate to.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
pool-name (mandatory)

Name of IP address pool used for translation.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
vrouter running translate-to# pool-name <leafref>
max-conntracks-per-user

Maximum number of conntracks assigned to a user. When set to 0, the number of conntracks is not limited.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
vrouter running translate-to# max-conntracks-per-user <uint32>
max-blocks-per-user

Maximum number of port blocks assigned to a user.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
vrouter running translate-to# max-blocks-per-user <uint16>
active-block-timeout

Interval during which the the current block is used to allocate sessions. When set to 0, the current block is always used.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
vrouter running translate-to# active-block-timeout <uint16>
user-timeout

Interval during which the current block remains active after all user flows have expired.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
vrouter running translate-to# user-timeout <uint16>
port-algo

Port allocation algorithm for new mappings.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
vrouter running translate-to# port-algo PORT-ALGO

PORT-ALGO values

Description

parity

Preserve port parity: an even port will be mapped to an even port, and an odd port will be mapped to an odd port.

random

Choose port randomly.
endpoint-mapping

NAT endpoint mapping behavior.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
vrouter running translate-to# endpoint-mapping ENDPOINT-MAPPING

ENDPOINT-MAPPING values

Description

dependent

Reuse port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port.

independent

Reuse the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
endpoint-filtering

NAT endpoint filtering behavior.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
vrouter running translate-to# endpoint-filtering ENDPOINT-FILTERING

ENDPOINT-FILTERING values

Description

dependent

Inbound packets from external endpoints are filtered out if they don’t fully match an existing mapping (IP/port src/dst).

independent

Inbound packets from external endpoints are filtered out only if their destination IP address and port don’t match an existing mapping (IP/port src can differ).
hairpinning

Enable communication between two hosts on the internal network, using their mapped endpoint.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
vrouter running translate-to# hairpinning true|false
address-pooling

CG-NAT Address Pooling mode.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
vrouter running translate-to# address-pooling ADDRESS-POOLING

ADDRESS-POOLING values

Description

paired

In paired mode, the same IP of the pool is used to translate all the sessions originating from the same CPE.

no-paired

In no-paired mode, different IPs of the pool can be used to translate different sessions originating from the same CPE.
destination-prefix

NAT64 destination prefix.

vrouter running config# vrf <vrf> cg-nat rule <uint16> dynamic-snat64 translate-to
vrouter running translate-to# destination-prefix DESTINATION-PREFIX

DESTINATION-PREFIX

An IPv6 prefix: address and CIDR mask.

static-dnat44

Static destination NAT44 translation.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat44

match

Match parameters.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat44 match
inbound-interface (mandatory)

Interface to match on inbound.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat44 match
vrouter running match# inbound-interface INBOUND-INTERFACE

INBOUND-INTERFACE

An interface name.
destination

Match on destination address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat44 match destination
ipv4-address

Match on destination address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat44 match destination
vrouter running destination# ipv4-address IPV4-ADDRESS

IPV4-ADDRESS

An IPv4 prefix: address and CIDR mask.

translate-to

Translate to.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat44 translate-to
ipv4-address (mandatory)

Translated Address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat44 translate-to
vrouter running translate-to# ipv4-address IPV4-ADDRESS

IPV4-ADDRESS

An IPv4 address.

static-dnat46

Static source NAT46 translation.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat46

match

Match parameters.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat46 match
inbound-interface (mandatory)

Interface to match on inbound.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat46 match
vrouter running match# inbound-interface INBOUND-INTERFACE

INBOUND-INTERFACE

An interface name.
destination

Match on destination address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat46 match destination
ipv4-address

Match on destination address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat46 match destination
vrouter running destination# ipv4-address IPV4-ADDRESS

IPV4-ADDRESS

An IPv4 prefix: address and CIDR mask.

translate-to

Translate to.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat46 translate-to
ipv6-address (mandatory)

Translated Address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat46 translate-to
vrouter running translate-to# ipv6-address IPV6-ADDRESS

IPV6-ADDRESS

An IPv6 address.
source-prefix

NAT46 source prefix.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-dnat46 translate-to
vrouter running translate-to# source-prefix SOURCE-PREFIX

SOURCE-PREFIX

An IPv6 prefix: address and CIDR mask.

static-snat44

Static source NAT44 translation.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat44

match

Match parameters.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat44 match
outbound-interface (mandatory)

Interface to match on outbound.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat44 match
vrouter running match# outbound-interface OUTBOUND-INTERFACE

OUTBOUND-INTERFACE

An interface name.
source

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat44 match source
ipv4-address

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat44 match source
vrouter running source# ipv4-address IPV4-ADDRESS

IPV4-ADDRESS

An IPv4 prefix: address and CIDR mask.

translate-to

Translate to.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat44 translate-to
ipv4-address (mandatory)

Translated Address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat44 translate-to
vrouter running translate-to# ipv4-address IPV4-ADDRESS

IPV4-ADDRESS

An IPv4 address.

static-snat64

Static source NAT64 translation.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat64

match

Match parameters.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat64 match
outbound-interface (mandatory)

Interface to match on outbound.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat64 match
vrouter running match# outbound-interface OUTBOUND-INTERFACE

OUTBOUND-INTERFACE

An interface name.
source

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat64 match source
ipv6-address

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat64 match source
vrouter running source# ipv6-address IPV6-ADDRESS

IPV6-ADDRESS

An IPv6 prefix: address and CIDR mask.

translate-to

Translate to.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat64 translate-to
ipv4-address (mandatory)

Translated Address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat64 translate-to
vrouter running translate-to# ipv4-address IPV4-ADDRESS

IPV4-ADDRESS

An IPv4 address.
destination-prefix

NAT64 destination prefix.

vrouter running config# vrf <vrf> cg-nat rule <uint16> static-snat64 translate-to
vrouter running translate-to# destination-prefix DESTINATION-PREFIX

DESTINATION-PREFIX

An IPv6 prefix: address and CIDR mask.

match (deprecated)

Attention

Deprecated since: 2020-09-01
Obsolete in release: 21q1
Description: This node has been moved into dynamic-snat44 to prepare cgnat64 and one-to-one nat support.
Replacement: / vrf cg-nat rule dynamic-snat44 match

Match parameters.

vrouter running config# vrf <vrf> cg-nat rule <uint16> match

outbound-interface (deprecated) (mandatory)

Interface to match on outbound.

vrouter running config# vrf <vrf> cg-nat rule <uint16> match
vrouter running match# outbound-interface OUTBOUND-INTERFACE

OUTBOUND-INTERFACE

An interface name.

source (deprecated)

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> match source
address (deprecated)

Match on source address.

vrouter running config# vrf <vrf> cg-nat rule <uint16> match source
vrouter running source# address ADDRESS

ADDRESS

An IPv4 prefix: address and CIDR mask.

translate-to (deprecated)

Attention

Deprecated since: 2020-09-01
Obsolete in release: 21q1
Description: This node has been moved into dynamic-snat44 to prepare cgnat64 and one-to-one nat support.
Replacement: / vrf cg-nat rule dynamic-snat44 translate-to

Translate to.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to

pool-name (deprecated) (mandatory)

Name of IP address pool used for translation.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# pool-name <leafref>

max-conntracks-per-user (deprecated)

Maximum number of conntracks assigned to a user. When set to 0, the number of conntracks is not limited.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# max-conntracks-per-user <uint32>

max-blocks-per-user (deprecated)

Maximum number of port blocks assigned to a user.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# max-blocks-per-user <uint16>

active-block-timeout (deprecated)

Interval during which the the current block is used to allocate sessions. When set to 0, the current block is always used.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# active-block-timeout <uint16>

user-timeout (deprecated)

Interval during which the current block remains active after all user flows have expired.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# user-timeout <uint16>

port-algo (deprecated)

Port allocation algorithm for new mappings.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# port-algo PORT-ALGO

PORT-ALGO values

Description

parity

Preserve port parity: an even port will be mapped to an even port, and an odd port will be mapped to an odd port.

random

Choose port randomly.

endpoint-mapping (deprecated)

NAT endpoint mapping behavior.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# endpoint-mapping ENDPOINT-MAPPING

ENDPOINT-MAPPING values

Description

dependent

Reuse port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port.

independent

Reuse the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.

endpoint-filtering (deprecated)

NAT endpoint filtering behavior.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# endpoint-filtering ENDPOINT-FILTERING

ENDPOINT-FILTERING values

Description

dependent

Inbound packets from external endpoints are filtered out if they don’t fully match an existing mapping (IP/port src/dst).

independent

Inbound packets from external endpoints are filtered out only if their destination IP address and port don’t match an existing mapping (IP/port src can differ).

hairpinning (deprecated)

Enable communication between two hosts on the internal network, using their mapped endpoint.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# hairpinning true|false

address-pooling (deprecated)

CG-NAT Address Pooling mode.

vrouter running config# vrf <vrf> cg-nat rule <uint16> translate-to
vrouter running translate-to# address-pooling ADDRESS-POOLING

ADDRESS-POOLING values

Description

paired

In paired mode, the same IP of the pool is used to translate all the sessions originating from the same CPE.

no-paired

In no-paired mode, different IPs of the pool can be used to translate different sessions originating from the same CPE.

conntrack

Conntrack options.

vrouter running config# vrf <vrf> cg-nat conntrack

behavior

Specific TCP options.

vrouter running config# vrf <vrf> cg-nat conntrack
vrouter running conntrack# behavior <behavior> enabled true|false

<behavior> values

Description

tcp-window-check

TCP window check.

tcp-rst-strict-order

TCP rst strict order.

enabled (mandatory)

Enable option.

enabled true|false

timeouts

Timeouts for the different events/protocols.

vrouter running config# vrf <vrf> cg-nat conntrack timeouts

icmp

Conntrack options for ICMP.

vrouter running config# vrf <vrf> cg-nat conntrack timeouts
vrouter running timeouts# icmp <icmp> <uint32>

<icmp> values

Description

new

State NEW.

established

State ESTABLISHED.

closed

State CLOSED.
<uint32> (mandatory)

Timeout in seconds.

<uint32>

udp

Conntrack options for UDP.

vrouter running config# vrf <vrf> cg-nat conntrack timeouts
vrouter running timeouts# udp <udp> <uint32>

<udp> values

Description

new

State NEW.

established

State ESTABLISHED.

closed

State CLOSED.
<uint32> (mandatory)

Timeout in seconds.

<uint32>

gre-pptp

Conntrack options for GRE-PPTP.

vrouter running config# vrf <vrf> cg-nat conntrack timeouts
vrouter running timeouts# gre-pptp <gre-pptp> <uint32>

<gre-pptp> values

Description

new

State NEW.

established

State ESTABLISHED.

closed

State CLOSED.
<uint32> (mandatory)

Timeout in seconds.

<uint32>

tcp

Conntrack options for TCP.

vrouter running config# vrf <vrf> cg-nat conntrack timeouts
vrouter running timeouts# tcp <tcp> <uint32>

<tcp> values

Description

syn-sent

State SYN-SENT.

simsyn-sent

State SIMSYN-SENT.

syn-received

State SYN-RECEIVED.

established

State ESTABLISHED.

fin-sent

State FIN-SENT.

fin-received

State FIN-RECEIVED.

closed

State CLOSED.

close-wait

State CLOSE-WAIT.

fin-wait

State FIN-WAIT.

last-ack

State LAST-ACK.

time-wait

State TIME-WAIT.
<uint32> (mandatory)

Timeout in seconds.

<uint32>

nat64

NAT64 conntrack options.

vrouter running config# vrf <vrf> cg-nat conntrack nat64

option

Specific NAT64 options.

vrouter running config# vrf <vrf> cg-nat conntrack nat64
vrouter running nat64# option <option> true|false

<option> values

Description

update-tcp-mss

Enable/Disable TCP MSS update.

drop-udp-zero-checksum

Enable/Disable UDP null checksum packet drops.

force-frag-ipv4

Fragment IPv4 packets (with DF flag) if the MTU is too small.

force-frag-ipv6

Fragment IPv6 packets if the MTU is too small.
true|false (mandatory)

Option state.

true|false

mtu

NAT64 lowest IPv6 mtu configuration.

vrouter running config# vrf <vrf> cg-nat conntrack nat64
vrouter running nat64# mtu <mtu> <uint16>

<mtu>

Set lowest IPv6 MTU.
<uint16> (mandatory)

MTU (0 to fragment packet according to the MTU of the output interface).

<uint16>

logging

CG-NAT log configuration.

vrouter running config# vrf <vrf> cg-nat logging

enabled

Enable log.

vrouter running config# vrf <vrf> cg-nat logging
vrouter running logging# enabled true|false