Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

NAT for GTP

The Network Address Translation (NAT) protocol is used to inspect the GTP traffic between the internal GPRS network and the Internet (external network) and vice versa.

Understanding NAT for GTP

A General Packet Radio Service (GPRS) interface supports both GPRS tunneling protocol (GTP) inspection and Network Address Translation (NAT) simultaneously in the same routing instance. When GTP packets configured with static NAT are inspected in a network, only addresses within IP headers are translated. The addresses within their payloads are not translated. For each endpoint, the related GTP session must belong to the same zone and virtual router. This means the header source IP, C-tunnel IP, and U-tunnel IP in the payload are defined in the same scope for a packet.

When you enable NAT, only the outer IP packet has to be translated. The embedded IP addresses are not translated.

During a GTP packet flow, the source IP address and destination IP address cannot be translated to NAT simultaneously. When you delete or deactivate NAT rule configuration on a device, the NAT rule related GSN and GTP tunnels are deleted. If the NAT rule related GSN number and tunnel number are huge, this deleting process will take several minutes.

Example: Configuring GTP Inspection in NAT

This example shows how to configure a NAT rule to map a private IP (one that is inside the network and not routable) to a public IP (one that is outside of the network and is routable). It also shows how to inspect GTP traffic between an internal and external network.

Requirements

Before you begin, the device must be restarted after GTP is enabled. By default, GTP is disabled on the device.

Overview

In this example, you configure interfaces as ge-0/0/0 and ge-0/0/1, with addresses 10.0.0.254/8 and 123.0.0.254/8. You then configure the security zone and static NAT. You enable the GTP service in the security policies to allow bidirectional traffic between two networks, and you check the traffic between the internal and external network.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure GTP inspection in NAT:

  1. Configure interfaces.

  2. Configure and security zones

  3. Define the address book.

  4. Define NAT rule.

  5. Enable GTP profile.

  6. Check GTP traffic.

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying GTP Inspection on NAT

Purpose

Verify the GTP traffic between the internal network and the external network.

Action

From operational mode, enter the show security command.

Understanding Network Address Translation-Protocol Translation

Network Address Translation-Protocol Translation (NAT-PT) is a protocol translation mechanism that can be done in two directions, from IPv4 address format to IPv6 address format and vice versa. NAT-PT binds the addresses in the IPv6 network with addresses in the IPv4 network and vice versa to provide transparent routing for the datagrams traversing between address realms.

In each direction, the static NAT defines a one-to-one mapping from one IP subnet to another IP subnet. The mapping includes a destination IP address translation in one direction and a source IP address translation in the opposite direction.

The main advantage of NAT-PT is that the end devices and networks can run either IPv4 addresses or IPv6 addresses and traffic can be started from any side.

Example: Enhancing Traffic Engineering by Configuring NAT-PT Between an IPv4 and an IPv6 Endpoint with SCTP Multihoming

This example shows how to enhance traffic engineering by configuring NAT-PT between an IPv4 endpoint and an IPv6 endpoint. NAT-PT is a protocol translation mechanism that allows communication between IPv6-only and IPv4-only nodes through protocol-independent translation of IPv4 and IPv6 datagrams, requiring no state information for the session. NAT-PT binds the addresses in the IPv6 network with addresses in the IPv4 network and vice versa to provide transparent routing for the datagrams traversing between address realms. The main advantage of NAT-PT is that the end devices and networks can run either IPv4 addresses or IPv6 addresses and traffic can be started from any side.

Requirements

This example uses the following hardware and software components:

  • SRX5400 device

  • Endpoint A connected to an SRX5400 device using two IPv6 addresses

  • Endpoint B connected to an SRX5400 device using two IPv4 addresses

Overview

In this example, you configure NAT-PT between an IPv4 endpoint and an IPv6 endpoint. Endpoint A is connected to the SRX5400 device using two IPv6 addresses and endpoint B is connected to the SRX5400 device using two IPv4 addresses.

You can configure the SRX5400 device to translate the IP header and IP address list (located in the INIT/INT-ACK message) between an IPv4 address format and an IPv6 address format. In each direction, static NAT defines a one-to-one mapping from one IP subnet to another IP subnet. The mapping includes destination IP address translation in one direction and source IP address translation in the opposite direction.

Figure 1 illustrates the network topology used in this example.

Topology

Figure 1: NAT-PT Between an IPv4 Endpoint and an IPv6 EndpointNAT-PT Between an IPv4 Endpoint and an IPv6 Endpoint

For configuring NAT-PT details between IPv4 and IPv6 endpoints, seeTable 1.

Table 1: Configuring NAT-PT Details Between IPv4 and IPv6 Endpoints

Endpoints

Address One

Address Two

A (IPv6)

2a.1.1.1/96

2c.3.3.3/96

B (IPv4)

2.2.2.2/24

4.4.4.4/34

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Procedure

Step-by-Step Procedure

To configure NAT-PT between an IPv4 endpoint and an IPv6 endpoint:

  1. Configure interfaces.

  2. Configure zones.

  3. Configure rules for the first static NAT zone.

  4. Specify the static NAT rule match criteria for the traffic coming from zone 1.

  5. Configure rules for the second static NAT zone.

  6. Specify the static NAT rule match criteria for the traffic coming from zone 2.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security zones, and show security nat static commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Configuration

Purpose

Verify that the NAT-PT configuration between an IPv4 endpoint and an IPv6 endpoint is correct.

Action

From operational mode, enter the show security zones and show security nat static rule all commands.

Meaning

The show security zones command displays all the zones configured and the interfaces associated with the zone. The show security nat static rule all command displays all the static NAT rules configured.