07 Apr

Carrier Grade NAT on ASR1000

IOS XE 3.6S was released recently, introducing Carrier Grade NAT (CGN) to the ASR 1000 platform. CGN translates IPv4 addresses into IPv6 addresses and vice versa and is one of the most critical features while the world slowly moves to IPv6 addressing. It can also be used for NAT44 (IPv4 private to IPv4 public) translation. What distinguishes CGN from traditional NAT? CGN increases the number of NAT translations that can be supported, because destination information is not stored, and it works well with carrier services like broadband access aggregation (e.g. PPPoE, DSL).

Carrier Grade NAT differs a little from traditional NAT. It does not support outside mappings, because it does not store the destination IP address. There are also a few other limitations on the ASR1000 platform – neither IP Sessions nor box-to-box redundancy is supported. Other features important for service providers, including Lawful Intercept, high-speed logging using NetFlow, VRF-awareness and multihoming, are supported.
CGN is enabled globally – you can't have carrier grade and traditional NAT working together on the same box. The old NAT configuration has to be removed prior to enabling CGN. The feature is enabled using the command

ASR1000(config)# ip nat settings mode cgn
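
The scalability point above (CGN mode keeps no destination in a translation entry), as an added Python illustration that is not from the original post and is not Cisco code. It is a simplified model: the flows, the public address 192.0.2.1 and the sequential port allocation from 1024 are constructed assumptions.

```python
# Added illustration: simplified model of NAT table growth, not IOS XE code.
from itertools import count

# Constructed sample flows: (proto, inside_ip, inside_port, dst_ip, dst_port)
FLOWS = [
    ("udp", "10.24.0.5", 40001, "198.51.100.10", 53),
    ("udp", "10.24.0.5", 40001, "198.51.100.20", 53),
    ("udp", "10.24.0.5", 40001, "203.0.113.7", 123),
    ("tcp", "10.24.0.9", 51000, "198.51.100.10", 443),
    ("tcp", "10.24.0.9", 51000, "203.0.113.7", 443),
]

def build_table(flows, public_ip, cgn_mode):
    """Return the set of translation entries the model would hold."""
    ports = {}                 # (proto, inside ip, inside port) -> public port
    next_port = count(1024)    # assumed allocation: sequential from 1024
    table = set()
    for proto, ip, port, dst_ip, dst_port in flows:
        src = (proto, ip, port)
        if src not in ports:
            ports[src] = next(next_port)
        # Traditional NAT keeps the destination per flow; CGN mode drops it.
        outside = None if cgn_mode else (dst_ip, dst_port)
        table.add((proto, (public_ip, ports[src]), (ip, port), outside))
    return table

def render(table):
    """Format entries roughly like 'show ip nat translations'."""
    rows = []
    for proto, glob, local, outside in sorted(table, key=str):
        out = "%s:%d" % outside if outside else "---"
        rows.append("%-4s %-22s %-20s %s"
                    % (proto, "%s:%d" % glob, "%s:%d" % local, out))
    return rows

def subscriber_for(table, proto, public_ip, public_port):
    """Map a public ip:port (e.g. from an abuse report) to the inside host."""
    hits = {local for p, glob, local, _ in table
            if p == proto and glob == (public_ip, public_port)}
    return hits.pop() if len(hits) == 1 else None

if __name__ == "__main__":
    for mode in (False, True):
        t = build_table(FLOWS, "192.0.2.1", cgn_mode=mode)
        print("CGN" if mode else "traditional", len(t), "entries")
        print("\n".join(render(t)))
```

In this model, the public address and port alone identify the inside host in both modes, but the CGN table cannot say which destination a subscriber contacted, so that detail is not available from the translation table itself.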

8 thoughts on “Carrier Grade NAT on ASR1000”

  1. This is what I had in mind! The only question is what if you combine an asr1006 for BNG and enable CGN also? What will be the performance of the router in terms of the number of terminated subscribers and memory of course! Although I believe that with the upgraded rsp/memory that all asr1006 come with, at least 48k subscribers would be more than enough in the box for simultaneous CGN and ppp termination!
  2. Hi to all, we are just deploying a new ASR1004 with NAT44 / ip nat settings mode CGN. It seems that it's not working very well; has anyone already deployed it? Any PPT / best practices document? Thanks a lot to all.
  3. Hi, this is summary config for the ASR1004:

         boot system flash bootflash:asr1000rp1-adventerprisek9.03.06.02.S.152-2.S2.bin
         ....
         ....
         interface TenGigabitEthernet0/0/0
          description *** Physical Links to ASBR ***
          no ip address
          load-interval 30
          carrier-delay msec 100
         !
         interface TenGigabitEthernet0/0/0.3650
          description *** UPLINK TO INET ***
          encapsulation dot1Q 3650
          ip address 172.16.11.202 255.255.255.252
          ip nat outside
          ip ospf authentication message-digest
          ip ospf message-digest-key 1 md5 xxxx
          ip ospf network point-to-point
          ip ospf bfd
         !
         interface TenGigabitEthernet0/0/0.3651
          description *** DOWNLINK TO MOBILE USERS ***
          encapsulation dot1Q 3651
          ip address 172.16.11.205 255.255.255.252
          ip nat inside
          ip ospf authentication message-digest
          ip ospf message-digest-key 1 md5 xxxx
          ip ospf network point-to-point
          ip ospf bfd
         !
         ip nat settings mode cgn
         no ip nat settings support mapping outside
         ip access-list extended POOL1_TEST
          permit icmp 10.24.0.0 0.0.255.255 any
          permit ip 10.24.0.0 0.0.255.255 any
         !
         ip nat pool POOL1_TEST 109.111.120.112 109.111.120.119 netmask 255.255.255.248
         ip nat inside source list POOL1_TEST pool POOL1_TEST overload

     Should I remove overload? Now testing with 2x end users, the public IP used is always the same/the first. With a normal laptop, NAT is working well, but with mobile tests it is not working well. Maybe I should use more parameters like ip virtual-reassembly? ip tcp mss-adjust? ip mtu (less than 1500)? Making some icmp from the laptop, it's working well, but I just don't understand how it works, as with CGN NAT the outside IP/port is not shown in the translations table. E.g.:

         ASR1004-1#show ip nat translations
         Pro  Inside global          Inside local         Outside local  Outside global
         icmp 109.111.120.112:1      10.24.143.254:40     ---            ---

     Thanks in advance to all.
  4. Hi guys, we've deployed CGN in ASR1002 HX for some months. I have only 1 problem that appears often. All sessions for home banking, https, are closing so fast, so it ends my customers' sessions after 30 seconds, 1 or 2 minutes. Just looking for an example or best practices.
