To configure a Global:
1. Navigate to CGN Technology > LSN (NAT 44) > Global.
2. Click + Add Global.
3. On the Add Global page, specify the required details and click Create.
The create confirmation message is displayed.
The following parameters are available for the configuration:
| Field | Option | Description |
|---|---|---|
| Attempt Port Preservation | | This option enables LSN port preservation. Port preservation attempts to use the same source protocol port for a client’s public address (NAT address) that is used in the client’s inside address. |
| Hairpinning | | Configure hairpin filtering to prevent self-hairpinning (when traffic that is initiated by an inside client is routed back to itself). Select one of the following options: |
| | Filter None | Allows for self-hairpinning for UDP packets only. This is the default behavior for UDP packets. |
| | Filter Self IP | Drops packets that have the same inside client IP address for both the source and destination. |
| | Filter Self IP and Port | Drops packets that have the same inside client IP address and protocol port number for both the source and destination. This option may be needed if double NAT is used. |
| | | For more information about hairpinning options, see the “Large Scale Network Address Translation” chapter in the IPv4-to-IPv6 Transition Solutions Guide. |
| Inbound Refresh | | By default, the session age for a NAT translation is reset to its maximum value by either inbound or outbound traffic. This command disables or enables resetting of the age-out time for NAT translation when inbound packets are received. This command does not apply to outbound packets. |
| LSN IP Selection | | Specify the method for LSN to use to select the IP addresses within a pool. Select one of the following options: |
| | random | Selects addresses randomly, instead of using any of the other methods. |
| | round-robin | Selects addresses sequentially. |
| | least-used-strict | Selects the address with the fewest NAT ports of any type (TCP or UDP) used. This option is not applicable to ICMP. |
| | least-udp-used-strict | Selects the address with the fewest UDP NAT ports used. |
| | least-tcp-used-strict | Selects the address with the fewest TCP NAT ports used. |
| | least-reserved-strict | Selects the address with the fewest TCP or UDP NAT ports reserved. |
| | least-tcp-reserved-strict | Selects the address with the fewest TCP NAT ports reserved. |
| | least-udp-reserved-strict | Selects the address with the fewest UDP NAT ports reserved. |
| | least-users-strict | Selects the address with the fewest users. |
| LSN SYN Timeout (Seconds) | | Configures SYN timeout for TCP sessions NATed by LSN. Select a value between 2 and 30. The default value is 4. |
| Half-Closed Timeout (Seconds) | | Configures the TCP half-closed session timeout for LSN. Select a value between 2 and 3000. |
| Strictly Sticky NAT | | Select this option to strictly adhere to the sticky NAT behavior. Regardless of any destination IP addresses configured in the LSN rule-list configuration, ACOS uses the same mapping for all traffic between the client and the NAT IP addresses once the mapping is dynamically assigned. |
| Class List Binding | | Select a class list to bind to the LSN. |
| Send ICMP On User Quota Exceeded | | Send ICMP Destination Unreachable messages when user quota is exceeded. Select from one of the following options: |
| | Admin Filtered | ACOS device sends an ICMP Unreachable message with type 3, code 13 (administratively filtered). |
| | Host Unreachable | ACOS device sends an ICMP Unreachable message with type 3, code 1 for IPv4, and type 1, code 3 for IPv6. |
| | Disable | Disable ICMP Unreachable messages when the user quota is exceeded. |
| Send ICMP On Port Unavailable | | Send ICMP Destination Unreachable messages when there are no protocol ports available for NAT mappings. Select from one of the following options: |
| | Admin Filtered | ACOS device sends an ICMP Unreachable message with type 3, code 13 (administratively filtered). |
| | Host Unreachable | ACOS device sends an ICMP Unreachable message with type 3, code 1 for IPv4, and type 1, code 3 for IPv6. |
| | Disable | Disable ICMP Unreachable messages when the port is unavailable. |
| Default PCP Template | | Select the Port Control Protocol (PCP) template to use as the set of default PCP settings. When PCP is enabled, the ACOS device acts as a PCP server for Large Scale NAT (LSN) clients (PCP clients). The ACOS device parses incoming UDP packets arriving on the PCP port, extracts the relevant information and creates or refreshes the IPv4-IPv4 mapping as requested by the PCP client. The ACOS device then sends a PCP response message back to the PCP client. The mapping created for the client is an implicit dynamic mapping. Note: You can override this selection in individual LSN pools. |
| Default Logging Template | | Select the LSN logging template to use for LSN session logging. Note: You can override this selection in individual LSN pools. For information on configuring a logging template, see LSN Logging Templates. |
| Pool | | Configure a NAT pool containing the IPv4 address(es) to use for NATting traffic from IPv6 clients to IPv4 servers. Click + Add New Row and enter the following details: |
| | Pool Name | Select the name of a configured pool from the drop-down list. For more information, see Large-Scale NAT Pools. |
| | Template | Select the name of a configured template from the drop-down list. For more information, see LSN Logging Templates. |
| | Action | Click the save icon under ‘Action’ to save the information. |
| LSN STUN Timeout-TCP | | Configure the LSN STUN timeout for TCP. The LSN STUN timeout specifies how long a NAT mapping for a full-cone session is maintained after the data session ends. Click + Add New Row and specify the following details: |
| | Port Start | Specify the start port number in the range to which the timeout will apply. Specify a value between 1 and 65535. |
| | Port End | Specify the end port number in the range to which the timeout will apply. Specify a value between 1 and 65535. |
| | Timeout (Minutes) | Specify the timeout value. Specify a value between 0 and 60 minutes. |
| LSN STUN Timeout-UDP | | Configure the LSN STUN timeout for UDP. The LSN STUN timeout specifies how long a NAT mapping for a full-cone session is maintained after the data session ends. Click + Add New Row and specify the following details: |
| | Port Start | Specify the start port number in the range to which the timeout will apply. Specify a value between 1 and 65535. |
| | Port End | Specify the end port number in the range to which the timeout will apply. Specify a value between 1 and 65535. |
| | Timeout (Minutes) | Specify the timeout value. Specify a value between 0 and 60 minutes. |
| MSS Clamp Type | | Configure TCP maximum segment size (MSS) clamping. MSS clamping checks the TCP MSS value in packets from IPv4 clients and, if necessary, changes it before sending the NATted request to the server. Select from one of the following options: |
| | None | This option does not change the MSS value. |
| | Fixed | This option changes the MSS to the length you specify. When ‘Fixed’ is selected, the following option is displayed: |
| | Maximum Value | Specify the maximum segment size as a fixed number. Specify a value between 1 and 1460. |
| | Subtract | This option reduces the MSS if it is longer than the specified number of bytes. This option sets the MSS based on the following information: |
| | Subtract Value | Specify a value between 1 and 1460. |
| | Minimum Value | Specify the minimum value of the MSS between 1 and 1460. |
| TCP Reset on Error Outbound | | Enabling this option sends TCP resets to LSN clients in response to invalid TCP packets from the inside network. By default, the option is enabled. |
| Health Check Gateway | | This option configures enforcement of gateway health monitoring prior to redistributing LSN NAT pool prefixes. Click + Add New Row and specify the following details: |
| | IPv4 Address | Specify the IPv4 address to which the port health check gateway will apply. |
| | IPv6 Address | Specify the IPv6 address to which the port health check gateway will apply. |
| LSN Port Overloading-TCP | | Configure the port overloading behavior for LSN. Specify the TCP port range to which the port overloading will apply. |
| LSN Port Overloading-UDP | | Specify the UDP port range to which the port overloading will apply. |
| LSN Port Overloading Unique | | This option changes the granularity for Port Overloading. Select one of the following options: |
| | Destination Address | The granularity is based on the destination IP address. |
| | Destination Address and Port | The granularity is based on the destination IP address and the destination protocol port. |
| LSN Port Overloading Allow Different User | | This option allows an overloaded port to be used by more than one client. By default, a port can be overloaded to create multiple mappings only for the same client. |
| Enhanced User Tracking | | This option configures enhanced user tracking for viewing the peak session utilization, NAT port utilization, and aggregated upstream and downstream byte and packet count per subscriber for both LSN and NAT64. The information in the enhanced user tracking log can be used to detect anomalies or attacks in the client’s network. The log information also provides enhanced visibility for allocating user quota values for sessions and ports. When there are new NAT IPs, the NAT port utilization log helps to allocate the NAT IPs to the appropriate NAT pools for efficient utilization. The option is deselected by default. |
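
The three Hairpinning options above differ only in which inside-originated packets they drop. The following is an added example, not ACOS code: a simplified model that resolves a packet's public destination through a constructed mapping table and applies each filter, showing why Filter Self IP also drops traffic between two hosts behind the same double-NAT router while Filter Self IP and Port does not. The mode labels, addresses and mapping table are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed LSN mapping table: public (NAT IP, port) -> inside (client IP, port).
# 100.64.0.10 stands for a downstream router doing its own NAT (double NAT),
# so two hosts behind it share one inside address as seen by the LSN.
MAPPINGS = {
    ("203.0.113.5", 40001): ("100.64.0.10", 5000),
    ("203.0.113.5", 40002): ("100.64.0.10", 6000),
    ("203.0.113.5", 40003): ("100.64.0.20", 5000),
}

@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def hairpin_verdict(pkt, mode, mappings=MAPPINGS):
    """Return 'not-hairpin', 'forward' or 'drop' for an inside-originated UDP packet.

    mode is 'filter-none', 'filter-self-ip' or 'filter-self-ip-port'
    (hypothetical labels for the three GUI options).
    """
    inside_dst = mappings.get((pkt.dst_ip, pkt.dst_port))
    if inside_dst is None:
        return "not-hairpin"  # destination is not one of the NAT mappings
    same_ip = pkt.src_ip == inside_dst[0]
    same_port = pkt.src_port == inside_dst[1]
    if mode == "filter-none":
        return "forward"
    if mode == "filter-self-ip":
        return "drop" if same_ip else "forward"
    if mode == "filter-self-ip-port":
        return "drop" if same_ip and same_port else "forward"
    raise ValueError(f"unknown hairpin mode: {mode}")

def verdict_table(pkt):
    """Verdict of every filter mode for one packet."""
    modes = ("filter-none", "filter-self-ip", "filter-self-ip-port")
    return {m: hairpin_verdict(pkt, m) for m in modes}

# Self-hairpin: the client sends to its own public mapping.
SELF = UdpPacket("100.64.0.10", 5000, "203.0.113.5", 40001)
# Double NAT: a sibling host behind the same router (same inside IP, other port).
SIBLING = UdpPacket("100.64.0.10", 5000, "203.0.113.5", 40002)
# Ordinary hairpin between two different inside clients.
PEER = UdpPacket("100.64.0.10", 5000, "203.0.113.5", 40003)

if __name__ == "__main__":
    for name, pkt in (("self", SELF), ("sibling", SIBLING), ("peer", PEER)):
        print(name, verdict_table(pkt))
```
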
Logging
This section allows you to configure a severity level for NAT pool exhaustion log messages.
| Field | Option | Description |
|---|---|---|
| Nat Resource Exhausted Level | | This option configures the warning level of error messages that occur when the NAT pool quota is exceeded. Select one of the following options: |
| | Warning | Configures the error messages to be flagged as warnings. |
| | Critical | Configures the error messages to be flagged as critical. |
| | Notice | Configures the error messages to be flagged as notifications. |
| Nat Quota Exceeded Level | | This option configures the warning level of error messages that occur when the NAT pool resources are exhausted. Select one of the following options: |
| | Warning | Configures the error messages to be flagged as warnings. |
| | Critical | Configures the error messages to be flagged as critical. |
| | Notice | Configures the error messages to be flagged as notifications. |
Translation
This section configures default idle-timeout values for services and protocol traffic over LSN.
| Field | Option | Description |
|---|---|---|
| TCP Timeout (Seconds) | | Specify an idle-timeout for TCP traffic. Specify a value between 2 and 15000 seconds. Default is 300 seconds. |
| UDP Timeout (Seconds) | | Specify an idle-timeout for UDP traffic. Specify a value between 2 and 15000 seconds. Default is 300 seconds. |
| ICMP Timeout | | Specify an idle-timeout for ICMP traffic. Specify a value between 2 and 15000 seconds. |
| ICMP Timeout Fast | | Specify an idle-timeout for ICMP traffic fast aging. Specify a value between 2 and 15000 seconds. |
| Service Timeout List | | Specify the idle timeout or fast aging for specific services on a port. Click + Add New Row and specify the options mentioned below: |
| | Service Type | Select one of the following options: |
| | Port | Specify a value between 1 and 65535. |
| | Port End | Specify an end port range between 1 and 65535. |
| | Timeout | Specify timeout value in seconds. Specify a value between 2 and 15000 seconds. |
| | Fast | Specify whether to enable or disable fast aging. |
NAT Exclude Port
Excludes a specific port or a range of ports from the LSN NAT pools in both shared and L3v partitions.
| Field | Option | Description |
|---|---|---|
| Port TCP List | | This option excludes a specific TCP port or a range of ports from the LSN NAT pools. Click + Add New Row and specify the options mentioned below: |
| | Port | Specify the start TCP port in the range to which the ‘NAT Exclude Port’ will apply. Specify a specific port to exclude from the LSN NAT pool when Port End is blank. Specify a value between 1024 and 65535. |
| | Port End | Specify the last port in the range to which the ‘NAT Exclude Port’ will apply. Specify a value between 1024 and 65535. |
| Port UDP List | | This option excludes a specific UDP port or a range of ports from the LSN NAT pools. Click + Add New Row and specify the options mentioned below: |
| | Port | Specify the start UDP port in the range to which the ‘NAT Exclude Port’ will apply. Configures a specific port to exclude from the LSN NAT pool when Port End is left blank. Specify a value between 1024 and 65535. |
| | Port End | Specify the end port in the range to which the ‘NAT Exclude Port’ will apply. Specify a value between 1024 and 65535. |