[rbak-nsp] Some problems with NAT enhanced in SE600
Rafal
golem at mtm-info.pl
Mon Nov 7 04:34:45 EST 2016
Hello Соловьёв,
That's how enhanced NAT works.
Because enhanced NAT forces connections to use router-supplied port ranges, some software will not work.
I prefer to stick with normal NAT.
If you need logging, then use a single address for each NAT subnet, and then add a flow profile in the
subscriber default section, like
flow apply ip profile logprofile both
and:
!
flow collector SubsLog
ip-address ipaddress context colectorcontext
port mycollectorport
export-version v5
transport-protocol udp
ip profile logprofile
!
ip nat pool ip_lan1_nat napt multibind
 address publicip/32 port-block 1 to 15
!
nat policy ip_lan1_nat_policy
 ! Default class
 ignore
 endpoint-independent filtering udp
 inbound-refresh udp
 icmp-notification
 ! Named classes
 access-group NATACL
 class NAT
  pool ip_lan1_nat mycontext
  timeout tcp 6000
  endpoint-independent filtering udp
  inbound-refresh udp
  icmp-notification
 class NATLESS
  ignore
  inbound-refresh udp
  icmp-notification
!
Put your DNS servers and the local network devices you need into NATLESS.
Using enhanced NAT you can NAT about 2000 users per card, and then you
run out of microblocks on the card, because every subscriber has reserved port ranges and
a reserved number of possible open connections even if he only activates and does nothing.
Rafal
Monday, November 7, 2016, 9:12:39 AM, you wrote:
Here is my NAT config:
[local]Redback#sh configuration nat
Building configuration...
Current configuration:
!
context local
!
 nat logging-profile NAT_LOG_RUBTSOVSK
  export-version v9
  destination 192.168.0.40 port 9996
!
context local
!
 ip nat pool NAPT-pool-1 napt paired-mode
  paired-mode subscriber over-subscription 10 port-limit 6000
  address 41.215.233.161 to 41.215.233.190
  exclude well-known
!
context local
!
 policy access-list NAT-acl
  seq 10 permit ip 192.168.128.0 0.0.127.255 any class NATclass1
  seq 20 permit ip any any class NO_NAT
!
 nat policy NAT-1 enhanced
  connections tcp maximum 2000
  connections udp maximum 2000
  connections icmp maximum 30
  ! Default class
  ignore
  timeout tcp 1800
  timeout udp 60
  timeout fin-reset 60
  timeout icmp 30
  timeout syn 60
  timeout basic 300
  timeout abandoned 1800
  admission-control tcp
  admission-control udp
  admission-control icmp
  endpoint-independent filtering tcp
  endpoint-independent filtering udp
  inbound-refresh udp
  icmp-notification
  ! Named classes
  access-group NAT-acl
  class NATclass1
   pool NAPT-pool-1 local
   timeout tcp 18000
   timeout udp 60
   timeout fin-reset 60
   timeout icmp 30
   timeout syn 60
   timeout abandoned 1800
   endpoint-independent filtering tcp
   endpoint-independent filtering udp
   inbound-refresh udp
   icmp-notification
  class NO_NAT
   ignore
   inbound-refresh udp
   icmp-notification
!
end
With such a config we have a problem with Skype: no connection, not even the test connection!
Problems with online games such as Steam, Dota, etc.
With a public IP (no NAT) everything is OK: Skype, games and so on.
What have I forgotten?
------------------------------------------------
Best regards, Соловьёв Роман
Technical Director
ООО "СерДи ТелеКом"
tel. +7 87951 35529
+7 9624 335529
Company website
www.serdi.ru
--
Best regards,
Ozga Rafal mailto:golem at mtm-info.pl
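Added example (not from the thread, and not SEOS or Ericsson/Redback code): a Python model of the per-subscriber port-block allocation that paired-mode / enhanced NAT performs, plus the reverse lookup that the per-subscriber logging Rafal describes exists to answer (public IP, port and time back to the subscriber). The pool is dimensioned like the quoted NAPT-pool-1 (30 addresses, over-subscription 10, port-limit 6000, well-known ports excluded). The first-free allocation rule, the timestamps and the subscriber addresses are assumptions for illustration, not documented SEOS behaviour.

```python
"""Model of per-subscriber port-block NAPT (paired-mode style pools) and the
reverse lookup that per-subscriber binding logs make possible.

Added example for this thread; not SEOS code.  Assumptions not stated in the
thread: blocks are assigned first-free on the lowest public address with
room, one block per subscriber, and every binding is logged with start/end
times so a (public IP, port, time) triple can be mapped to a subscriber.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Optional

WELL_KNOWN_PORTS = 1024   # "exclude well-known": never hand out ports 0-1023
MAX_PORT = 65535


@dataclass
class Binding:
    subscriber: IPv4Address
    public_ip: IPv4Address
    port_lo: int
    port_hi: int
    start: int                 # constructed timestamps, in seconds
    end: Optional[int] = None  # None while the block is still held


def usable_ports(exclude_well_known: bool = True) -> int:
    """Ports one public address can hand out."""
    first = WELL_KNOWN_PORTS if exclude_well_known else 1
    return MAX_PORT - first + 1


def pool_fits(block_size: int, per_address: int, exclude_well_known: bool = True) -> bool:
    """over-subscription x port-limit must fit in one address's port space."""
    return block_size * per_address <= usable_ports(exclude_well_known)


class PortBlockNAT:
    def __init__(self, public_ips, block_size: int, per_address: int,
                 exclude_well_known: bool = True):
        if not pool_fits(block_size, per_address, exclude_well_known):
            raise ValueError(f"{per_address} x {block_size} ports exceed "
                             f"{usable_ports(exclude_well_known)} per address")
        self.block_size = block_size
        self.per_address = per_address
        self.first_port = WELL_KNOWN_PORTS if exclude_well_known else 1
        self.public_ips = [ip_address(p) for p in public_ips]
        # free block indices (0 .. per_address-1) per public address
        self.free: Dict[IPv4Address, List[int]] = {
            ip: list(range(per_address)) for ip in self.public_ips}
        self.active: Dict[IPv4Address, Binding] = {}
        self.log: List[Binding] = []   # every binding ever made, for lookups

    def capacity(self) -> int:
        """Subscribers the pool can serve at the same time."""
        return len(self.public_ips) * self.per_address

    def bind(self, subscriber, now: int) -> Binding:
        """Reserve a port block for a subscriber (idempotent while active)."""
        sub = ip_address(subscriber)
        if sub in self.active:
            return self.active[sub]
        for ip in self.public_ips:              # lowest address with room wins
            if self.free[ip]:
                idx = self.free[ip].pop(0)
                lo = self.first_port + idx * self.block_size
                b = Binding(sub, ip, lo, lo + self.block_size - 1, now)
                self.active[sub] = b
                self.log.append(b)
                return b
        raise RuntimeError("NAT pool exhausted")

    def release(self, subscriber, now: int) -> None:
        """Session ends: close the log entry and return the block to the pool."""
        b = self.active.pop(ip_address(subscriber))
        b.end = now
        idx = (b.port_lo - self.first_port) // self.block_size
        self.free[b.public_ip].append(idx)
        self.free[b.public_ip].sort()

    def lookup(self, public_ip, port: int, at: int) -> Optional[IPv4Address]:
        """Which subscriber held public_ip:port at time `at`?  None if nobody."""
        ip = ip_address(public_ip)
        for b in self.log:
            if (b.public_ip == ip and b.port_lo <= port <= b.port_hi
                    and b.start <= at and (b.end is None or at < b.end)):
                return b.subscriber
        return None


def pool_from_config() -> PortBlockNAT:
    """Pool dimensioned like the quoted NAPT-pool-1: 30 addresses,
    over-subscription 10, port-limit 6000, well-known ports excluded."""
    base = IPv4Address("41.215.233.161")
    return PortBlockNAT([str(base + i) for i in range(30)],
                        block_size=6000, per_address=10)


if __name__ == "__main__":
    nat = pool_from_config()
    b = nat.bind("192.168.128.10", now=100)
    print(nat.capacity(), b.public_ip, b.port_lo, b.port_hi)
    print(nat.lookup("41.215.233.161", 5000, at=150))
```

With the quoted numbers, 10 x 6000 = 60000 ports fit in the 64512 ports left above 1023 on each address, so the pool serves 300 subscribers; raise port-limit to 7000 and the same check fails. The reverse lookup works only because the whole block is reserved to one subscriber for the life of the session, which is exactly the property that costs the card resources and upsets software expecting arbitrary source ports, as described in the reply above.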