Chapter 8 Integrated Session Border Controller Security


Note: A termination is a point at which a media flow enters or leaves the DBE.

Terminations may share a single local address and port under either of the following conditions:

The terminations have an MGC-managed local address, in which case each of them must be specified with a proper gm/sam.

The terminations are specified with a gm/sam and the address is “non-local”; that is, the pinhole is a No NAPT pinhole, or the termination is the flow of a Single NAPT pinhole that is not rewritten.

This enhancement supports the following functionality:

Call signaling can be routed to the MGC through the DBE.

Call signaling from different subscribers can be routed through different pinholes on the DBE.

These different pinholes can share the same IP address and port on the subscriber side of the DBE. This is a typical scenario on the User-Network Interface (UNI), where it is simpler to publish a single IP address and port to many subscribers.

DBE Restrictions

The following restriction applies to DBE support for this feature:

Only three different network mask lengths can be in use at the same time on a given local address and port combination. A request that would require a fourth mask length on that combination is rejected, and the DBE issues error 510 “Insufficient Resources.”

NAPT and NAT Traversal

The data border element (DBE) translates IP addresses and port numbers in both directions using its Network Address and Port Translation (NAPT) and Network Address Translation (NAT) traversal functions.

NAT converts an IP address from a private address to a public address in real time, which allows multiple users to share a single public IP address. Because the DBE sees only the NAT’s public address for such a user, it can learn that public address from the traffic it receives and latch onto it for the remainder of that flow.

Remote Source Address Mask Filtering

This feature adds support for the Remote Source Address Filtering (saf) and Remote Source Address Mask (rsam) properties of the ETSI TS 102 333 Gate Management (GM) package.¹

The media gateway controller (MGC) can set the gm/saf and gm/rsam properties of a termination in Add and Modify requests; the SBC reports them in Audit responses.

This feature allows the MGC to program multiple terminations with the same local address and port, VPN ID, and transport protocol, provided that the terminations are distinguished by their remote source address masks and the local address is taken from an MGC-managed address range.

This feature supports giving each phone a single local address through which it transmits media using a single pinhole; as a result, several signaling flows or pinholes can share the same address and port.
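The sharing rules above (several terminations on one local address and port, told apart by their remote source address masks, with at most three distinct mask lengths before error 510) and the latching behaviour described under NAPT and NAT Traversal, as an added Python model written for this page. It is not Cisco code and does not reflect the DBE implementation; the PinholeTable class and its method names, the longest-prefix-match selection among overlapping masks, the rejection of a duplicate mask, the treatment of a termination with gm/saf off as a catch-all, and the sample addresses are all assumptions made for the illustration.

```python
"""Model of a DBE pinhole table with remote source address mask (rsam) filtering.

Illustration written for this page; not Cisco code. Assumptions not stated on
the page: overlapping masks on one local address/port are resolved by longest
prefix match, a duplicate mask is rejected, and a latching termination binds to
the first remote source that matches it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_MASK_LENGTHS = 3                       # restriction quoted on the page
ERROR_510 = (510, "Insufficient Resources")  # error quoted on the page

LocalKey = Tuple[int, str, str, int]       # (vpn_id, transport, local_addr, local_port)


class DbeError(Exception):
    def __init__(self, code: int, text: str) -> None:
        super().__init__(f"{code} {text}")
        self.code = code


@dataclass
class Termination:
    term_id: str
    rsam: Optional[ipaddress.IPv4Network]   # None: gm/saf off, any remote source accepted
    latch: bool                             # learn the NAT's public address:port from the first packet
    latched_remote: Optional[Tuple[str, int]] = None


class PinholeTable:
    """Terminations grouped by the local address/port (plus VPN ID and transport) they share."""

    def __init__(self) -> None:
        self._by_local: Dict[LocalKey, List[Termination]] = {}

    def add(self, term_id: str, vpn_id: int, transport: str, local_addr: str,
            local_port: int, saf: bool = False, rsam: Optional[str] = None,
            latch: bool = False) -> Termination:
        key: LocalKey = (vpn_id, transport, local_addr, local_port)
        peers = self._by_local.setdefault(key, [])
        net = ipaddress.ip_network(rsam, strict=False) if saf else None
        # Assumed: terminations on one local address/port must differ in rsam.
        if any(t.rsam == net for t in peers):
            raise ValueError(f"{term_id}: rsam {net} already in use on {key}")
        # Page restriction: at most three distinct mask lengths per local address/port.
        lengths = {t.rsam.prefixlen for t in peers if t.rsam is not None}
        if net is not None:
            lengths.add(net.prefixlen)
        if len(lengths) > MAX_MASK_LENGTHS:
            raise DbeError(*ERROR_510)
        term = Termination(term_id, net, latch)
        peers.append(term)
        return term

    def classify(self, vpn_id: int, transport: str, local_addr: str, local_port: int,
                 src_addr: str, src_port: int) -> Optional[Termination]:
        """Pick the termination that accepts a packet from src arriving on the local address/port."""
        key: LocalKey = (vpn_id, transport, local_addr, local_port)
        src = ipaddress.ip_address(src_addr)
        best: Optional[Tuple[int, Termination]] = None
        for t in self._by_local.get(key, []):
            if t.latched_remote is not None:
                # Latched pinhole: only the learned public address:port is accepted.
                if t.latched_remote == (src_addr, src_port):
                    return t
                continue
            if t.rsam is None:
                score = -1                  # unfiltered termination: weakest match
            elif src in t.rsam:
                score = t.rsam.prefixlen    # longer mask wins among overlapping masks
            else:
                continue
            if best is None or score > best[0]:
                best = (score, t)
        if best is None:
            return None                     # no termination accepts this source: drop
        term = best[1]
        if term.latch:
            term.latched_remote = (src_addr, src_port)
        return term


def demo() -> dict:
    """Constructed scenario: one published signaling address/port shared by several subscribers."""
    table = PinholeTable()
    local = dict(vpn_id=0, transport="udp", local_addr="203.0.113.10", local_port=5060)
    table.add("T1", saf=True, rsam="198.51.100.0/24", **local)
    table.add("T2", saf=True, rsam="198.51.100.64/26", **local)
    table.add("T3", saf=True, rsam="192.0.2.0/25", latch=True, **local)
    table.add("T5", saf=True, rsam="192.0.2.128/25", **local)   # third length reused: allowed
    try:
        table.add("T4", saf=True, rsam="10.0.0.0/8", **local)   # would be a fourth mask length
        error_code = None
    except DbeError as err:
        error_code = err.code

    def who(src_addr: str, src_port: int) -> Optional[str]:
        t = table.classify(src_addr=src_addr, src_port=src_port, **local)
        return t.term_id if t else None

    return {
        "fourth_mask_length": error_code,                 # 510
        "longest_prefix": who("198.51.100.70", 5060),     # /26 (T2) beats /24 (T1)
        "shorter_prefix": who("198.51.100.7", 5060),      # only /24 matches: T1
        "latched_first": who("192.0.2.5", 40000),         # T3 learns 192.0.2.5:40000
        "latched_other": who("192.0.2.9", 40000),         # same subnet, different source: dropped
        "latched_again": who("192.0.2.5", 40000),         # learned source still accepted
        "unmatched": who("10.1.1.1", 5060),               # no mask covers it: dropped
    }


if __name__ == "__main__":
    print(demo())
```

In the model the rsam check runs before a termination latches, so a latching termination with gm/saf off would bind to whichever source reaches the shared address first; that ordering is the model's design choice, not a statement about the DBE.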

1. ETSI TS 102 333 version 1.1.2 Gate Management Package

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

OL-15421-01

8-5