Cisco Support Community
How does the NAT system know not to NAT subscriber IP addresses from an IP pool containing publically routable addresses

The NAT (Network Address Translation) feature of the ASR5K allows many subscribers, each assigned their own private IP address, to share a single publicly routable IP address for accessing the internet, in order to conserve scarce publicly routable addresses. This is done via a configuration section called "fw-and-nat policy <policy name>" located in the "active-charging service <service name>" part of the configuration. This policy name is referenced in a rulebase, which itself is assigned to a subscriber, normally via the subscriber's assigned APN (4G) or subscriber profile (3G). Based on criteria such as the source or destination IP address of the packet from the subscriber, one or more "permit nat-realm <NAT pool group name>" statements point to IP pool group(s) that contain pool(s) of publicly routable IP addresses.

When a subscriber assigned an IP address attempts to access the internet, the system examines the source address of the packet, which is the subscriber's assigned IP address. If that address is publicly routable, i.e. it does not fall within one of the private ranges defined by RFC 1918 (see below), then it will not be NAT'd, regardless of any configuration lines in the fw-and-nat policy section that may specify otherwise.

One NAT capability (not available at the time this article was written) would be to allow NATing of publicly routable addresses in addition to non-routable ones. Why? An application for this would be an organization that is running out of non-routable addresses and starts assigning internet-routable addresses for internal use only, and then needs to NAT such addresses when they access the internet.
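The following is an added example, not code from the article or from the ASR5K, that models the decision rule described above (RFC 1918 source address: translate; anything else: bypass NAT) and adds a pool audit that flags subscriber pools which would silently escape translation, as in the scenario just described. The pool group name and sample addresses are constructed.

```python
import ipaddress

# The three RFC 1918 blocks quoted in the article. They are listed explicitly
# rather than using ipaddress.is_private, which also covers ranges that are not
# RFC 1918 (loopback, link-local, documentation networks, ...).
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def nat_decision(subscriber_ip: str, nat_realm_pool: str):
    """Model the rule the article describes: a publicly routable subscriber
    source address bypasses NAT no matter what the fw-and-nat policy says; a
    private one is translated to an address taken from the referenced nat-realm
    pool group (nat_realm_pool is a constructed name, not real configuration)."""
    if not is_rfc1918(subscriber_ip):
        return ("bypass", None)
    return ("nat", nat_realm_pool)


def audit_subscriber_pool(pool_cidr: str) -> str:
    """Classify a subscriber IP pool before placing it behind NAT:
    'all_translated'  - every address is RFC 1918, NAT applies to the whole pool
    'none_translated' - every address is public, the whole pool bypasses NAT
    'mixed'           - the pool straddles a private/public boundary, so part of
                        it escapes translation"""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    if any(pool.subnet_of(block) for block in RFC1918_BLOCKS):
        return "all_translated"
    if any(pool.overlaps(block) for block in RFC1918_BLOCKS):
        return "mixed"
    return "none_translated"


if __name__ == "__main__":
    # Constructed sample addresses. 100.64.0.1 is RFC 6598 shared address space,
    # which is outside RFC 1918, so this model treats it as public.
    for ip in ("10.20.30.40", "172.31.255.255", "172.32.0.1", "100.64.0.1", "198.51.100.7"):
        print(ip, nat_decision(ip, "NAT-POOL-GROUP-A"))
    for cidr in ("10.100.0.0/16", "203.0.113.0/24", "192.168.0.0/15"):
        print(cidr, audit_subscriber_pool(cidr))
```

The "mixed" result is the case to look for in an audit: addresses at one end of such a pool are translated while the rest are forwarded with the subscriber's own address.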

From RFC 1918, we know that there are specific IP address ranges that are considered private and NOT routable on the internet. The following is directly from the RFC:

3. Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

We will refer to the first block as "24-bit block", the second as "20-bit block", and to the third as "16-bit" block. Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and third block is a set of 256 contiguous class C network numbers.

An enterprise that decides to use IP addresses out of the address space defined in this document can do so without any coordination with IANA or an internet registry. The address space can thus be used by many enterprises. Addresses within this private address space will only be unique within the enterprise, or the set of enterprises which choose to cooperate over this space so they may communicate with each other in their own private internet.