Typical configurations
NAT for Internet access
A typical scheme in which EcoNAT is used for network address translation for Internet access is shown in the figure below.
A typical EcoNAT configuration includes three types of pools for different types of traffic. It is recommended to enter the pools in the following order:
- Static pool (see "Pools and ACL"): static IP addresses are allocated administratively.
- NAT pool (see "Pools and ACL"): needed for protocols that do not use ports (for example, GRE). The exception is PPTP, which is handled by a cgnat pool with the alg pptp parameter switched on in the NAT general settings. If you need a basic NAT that permits externally initiated connections and, independently, a basic NAT that bans them, you can create two NAT pools that differ only in the value of the allow_external_connect parameter.
- CGNAT pool (see "Pools and ACL"): most subscribers get Internet access through a CGNAT pool.
If you need to configure translation of overlapping IP address ranges in two different pools (see figure below), it is important to set the rule priorities correctly. Keep in mind that rules are evaluated in order of increasing number and the first matching rule is applied; once a rule triggers, the remaining rules are not checked.
In the situation shown in the figure, ACLs must be configured for the two pools with the following rules (on the assumption that poolA has a higher priority than poolB):
for poolA:
acla {
    10 deny ip src range 10.22.22.1-10.22.22.20 dst any
    20 allow ip src net 10.22.22.0/24 dst any
}
for poolB:
aclb {
    10 allow ip src range 10.22.22.1-10.22.22.20 dst any
}
A packet whose source IP lies in 10.22.22.1-10.22.22.20 hits rule 10 of acla and is denied for poolA, so poolA is not selected. The rule for poolB (whether the source IP belongs to range Y in the figure) is then checked, and in this case the packet is passed through poolB. Any other source in 10.22.22.0/24 is allowed by rule 20 of acla and is handled by poolA.
Implementation in peer-to-peer networks with overlapping address ranges
A typical pattern of using EcoNAT for address translation in peering is shown below. The diagram on the left shows the EcoNAT deployment in the service provider's network; the diagram on the right shows the end user's point of view.
If the service provider's subscriber address space overlaps with the addresses used by its peering partners, then to implement peering at traffic exchange points (with addresses from 10.0.0.0/8 or other private address ranges) you need to translate the users' IP addresses into a free address space.
EcoNAT can solve this problem. To do so, create additional NAT pools and define the rules for selecting these pools in their associated ACLs.
In most peering cases, a single NAT pool is created with external connections allowed (for maximum transparency) and with a higher priority than the pools serving Internet access. The criterion for selecting the pool can be the destination (DST) field of the IP packet: the ACL rules specify the peering partners' networks in the dst field. Thus, packets bound for the peering network are translated by the selected pool into the address space allocated to the provider.
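The following Python model is an added example, not EcoNAT's own code, and it reproduces the selection logic described in both scenarios above (the overlapping-range case and the peering case): pools are consulted in priority order, and within each ACL the lowest-numbered matching rule decides. It assumes that a deny match or no match at all skips the pool and moves on to the next one, that the priority value used here is a rank where a lower number is checked first, and that the `dst net` form mirrors the `src net` form shown on this page. The acla and aclb rules are the ones from this page; the peering ACL, the pool names and the priority values are constructed for the example.

```python
"""Model of EcoNAT-style pool selection (added example, not EcoNAT code):
pools are checked in priority order; inside each ACL the lowest-numbered
matching rule decides whether the pool is selected."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    action: str   # "allow" or "deny"
    src: object   # None for 'any', (first, last) for 'range', ip_network for 'net'
    dst: object


def _parse_match(tokens):
    """Parse the tokens after 'src'/'dst'; return (spec, tokens consumed)."""
    kind = tokens[0]
    if kind == "any":
        return None, 1
    if kind == "range":
        lo, hi = tokens[1].split("-")
        return (ipaddress.ip_address(lo), ipaddress.ip_address(hi)), 2
    if kind == "net":
        return ipaddress.ip_network(tokens[1], strict=False), 2
    raise ValueError(f"unknown match kind {kind!r}")


def _matches(spec, addr):
    if spec is None:              # 'any'
        return True
    if isinstance(spec, tuple):   # inclusive address range
        return spec[0] <= addr <= spec[1]
    return addr in spec           # CIDR network


def parse_acl(text):
    """Parse 'name { <rules> }' into (name, rules sorted by rule number)."""
    name = text[: text.index("{")].strip()
    body = text[text.index("{") + 1 : text.rindex("}")]
    rules = []
    for line in body.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        number, action, proto = int(parts[0]), parts[1], parts[2]
        if proto != "ip" or parts[3] != "src":
            raise ValueError(f"unsupported rule: {line!r}")
        src, used = _parse_match(parts[4:])
        rest = parts[4 + used:]
        if rest[0] != "dst":
            raise ValueError(f"unsupported rule: {line!r}")
        dst, _ = _parse_match(rest[1:])
        rules.append(Rule(number, action, src, dst))
    rules.sort(key=lambda r: r.number)
    return name, rules


def acl_permits(rules, src, dst):
    """First matching rule decides. Assumption: a deny match, or no match at
    all, means this pool is not selected and the next pool is tried."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.action == "allow"
    return False


def select_pool(pools, src_ip, dst_ip):
    """pools: list of (pool_name, priority_rank, rules).
    Assumption: a lower rank is checked first. Returns the pool name or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, _rank, rules in sorted(pools, key=lambda p: p[1]):
        if acl_permits(rules, src, dst):
            return name
    return None


# ACLs from the page for the overlapping-range scenario.
ACLA = """acla {
10 deny ip src range 10.22.22.1-10.22.22.20 dst any
20 allow ip src net 10.22.22.0/24 dst any
}"""
ACLB = """aclb {
10 allow ip src range 10.22.22.1-10.22.22.20 dst any
}"""
# Constructed peering ACL: selects the peering pool by the dst network
# (the 'dst net' form is assumed by symmetry with 'src net').
ACL_PEER = """aclpeer {
10 allow ip src net 10.22.22.0/24 dst net 10.0.0.0/8
}"""

# Constructed pool table: the peering pool outranks the Internet-access pools,
# and poolA outranks poolB, as the text requires.
POOLS = [
    ("pool_peer", 10, parse_acl(ACL_PEER)[1]),
    ("poolA", 20, parse_acl(ACLA)[1]),
    ("poolB", 30, parse_acl(ACLB)[1]),
]

if __name__ == "__main__":
    for src, dst in [("10.22.22.5", "8.8.8.8"), ("10.22.22.100", "8.8.8.8"),
                     ("10.22.22.5", "10.1.2.3"), ("192.168.1.1", "8.8.8.8")]:
        print(f"{src} -> {dst}: {select_pool(POOLS, src, dst)}")
```

Running the block shows that a source in 10.22.22.1-10.22.22.20 headed for the Internet falls through poolA's deny rule to poolB, any other 10.22.22.0/24 source lands in poolA, and any 10.22.22.0/24 source bound for 10.0.0.0/8 is taken by the peering pool before the Internet-access pools are consulted; a source outside both ACLs matches no pool.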