Limitations for NAT
Limitations
| Restrictions | Guidelines | Impact |
|---|---|---|
| A public network interface address is pinged using an IP address in an address pool as the source IP address. If the ping reply packet is fragmented into three or more fragments, the ping operation fails. | Do not ping any address in a CGN public address pool, or ensure that the ping packet length does not exceed the interface MTU. | If the ICMP packet is fragmented into three or more fragments when you ping a public network interface address, the ping operation fails. |
| ICMP sessions do not support hot backup. | None | ICMP hot backup fails. |
| The ALG does not process TCP fragments. The size of TCP packets cannot be greater than the maximum segment size (MSS), and no TCP fragments are generated. | None | TCP fragments are transparently transmitted rather than dropped. |
| ALG sessions do not support hot backup. | None | ALG session hot backup fails. |
| The FTP ALG does not support two scenarios: a private network client accessing a public network server in passive mode, and a public network client accessing a private network server in port mode. In these cases, the control session is not associated with the data session, so the control session ages out while data is being downloaded. | None | The file is transferred properly, but the FTP interface displays a transfer failure. |
| The ALG does not support packets longer than 2048 bytes. | None | The function is not affected. |
| The ALG supports TCP-based RTSP but not UDP-based RTSP, and UDP-based SIP but not TCP-based SIP. | None | The function is not affected. |
| Policy-based routing does not take effect if it is configured in a CGN user domain or delivered by a RADIUS authentication server. | Configure policy-based routing in a NAT instance. | Policy-based routing does not take effect. |
| When an interface network address is configured in a CGN public address pool, reverse traffic cannot be forwarded because the network-side device cannot learn the ARP entry of the interface network address. |  | Network-to-user traffic is interrupted. |
| In easy IP scenarios, do not set the IP address of an FTP (PASV mode), NQA, or RADIUS server to a reused interface address. If such an address is used, established forwarding flows of TCP/UDP/ICMP/GRE non-NAT packets may be incorrectly distributed, causing protocol interruptions. | Run the exclude-port command in the NAT instance view to filter port numbers. For implicit ports numbered greater than 1024, plan their usage properly. | After an interface address is reused in easy IP, non-NAT packets may be incorrectly processed by NAT. |
| When multiple equal-cost outbound interfaces are used for route load balancing, the source IP address is used as a hash factor to select an outbound interface for user-to-network traffic. If one of the outbound interfaces distributes traffic that matches an ACL rule to a NAT board for processing, the source IP addresses are translated. If the device then hashes on the translated source IP addresses, a different outbound interface may be selected. | Plan the functions properly. | None |
| In a VPN scenario supported by on-board NAT, VPN NAT users cannot run Telnet or FTP to connect to the NAT device. | Configure a VPN cross-connection to import the NAT device's route into the private network VPN, or configure ACL rules on the traffic distribution board. | Private VPN users cannot run Telnet or FTP to connect to the device. |
| NAT ALG cannot be used in HA backup. | None | None |
| When a NAT policy is configured on an outbound interface, the device selects the outbound interface based on routing information, so return traffic cannot be forced through the inbound interface that received the original traffic. | None | The configuration cannot meet the requirement of a scenario in which services are sent and returned through the same interface. |
| In a port-level NAT server scenario, or when the address-level NAT server function is configured without a NAT server mode specified, an address pool must be configured (and bound to an outbound policy if a centralized board is used). Otherwise, user traffic cannot be forwarded. | Configure an address pool (and bind it to an outbound policy if a centralized board is used). | NAT server user traffic cannot be forwarded. |
| In an easy IP scenario (an interface address is used as an IP address in an address pool or as a NAT server address), when a NAT traffic distribution policy is configured on a user-side interface or a global UCL-based traffic distribution policy is configured, the user-side interface cannot ping the reused interface address. | None | The ping fails. |
| When simplified NAT is used, the simplified NAT instance must be configured first; only then can the NAT address pool and NAT internal server be configured. Without a simplified NAT instance, no NAT address pool or NAT internal server can be configured. | Configure services in the correct sequence. | Deploy services based on the simplified NAT deployment solution. |
| In non-centralized-board service scenarios, the configuration of the HA backup group and HA service instance group is generated by default when a simplified NAT instance is configured. This default configuration cannot be used by a non-simplified NAT instance or a NAT64 instance. | Plan services properly. | Deploy services based on the simplified NAT deployment solution. |
| In a simplified NAT instance, the HA backup group and HA service instance group generated by default are both named default. If configurations with the same name already exist, the simplified NAT instance fails to be created. | Plan services properly. | Deploy services based on the simplified NAT deployment solution. |
| In simplified NAT, the traffic distribution policy is supported only on an outbound interface. Bind this policy to either the NAT instance or an address pool on the same interface. | Plan configurations properly. | Deploy services based on the simplified NAT deployment solution. |
| No NAT address pool or NAT internal server can be configured in a simplified NAT instance. | Plan services properly. | Deploy services based on the simplified NAT deployment solution. |
| A simplified NAT instance is mutually exclusive with a user-based maximum session limit. | Plan services properly. | Deploy services based on the simplified NAT deployment solution. |
| A device can perform both NAT and IPsec for the same flow if the following conditions are met: | None | In other scenarios, if NAT and IPsec are configured for the same flow of a specified user on the same device, traffic may fail to be forwarded. |
| DNS mapping takes effect on an address-level NAT server, not a port-level NAT server. | None | The port-level NAT server function is not supported. |
| NAT44 traffic distribution on an outbound interface can be used in the following MPLS scenarios: | None | NAT44 traffic distribution on an outbound interface cannot be used in other MPLS scenarios. If this function is used in another MPLS scenario, traffic fails to be forwarded, or functions such as load balancing and rapid switching fail to take effect. |
| NAT is supported only by NSP-As, NSP-Bs, NSP-Cs, and NSP-Ds. | Plan services properly. | None |
| The CGN ALG can identify packets only through well-known ports. For example, the FTP ALG needs to identify TCP port 21. | Packets that need to be processed by the CGN ALG must use well-known ports. | The CGN ALG cannot identify the packet, and the ALG function becomes invalid. |
| NSP-50/NSP-50-E boards do not support easy IP functions, including NAT address pools and reusing an interface address as an internal server address. User easy IP traffic cannot be forwarded through such boards. | Plan services properly before service provisioning. | User easy IP traffic cannot be forwarded through NSP-50/NSP-50-E boards. |
| If the session-end-only parameter is configured before a device creates a flow table for a user (so that only session aging logs are sent), and it is then changed to session-start-only before the flow table ages, no flow table aging log message is sent to the log server when the flow table ages, and the log server does not obtain the session source-tracing information. | None | After the flow table ages, an aging log message cannot be sent. |
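The ping restriction in the first row of the table depends on how many IPv4 fragments the echo packet splits into at the interface MTU. The following Python script is an added example for this page, not part of the vendor's documentation or software. It assumes a 20-byte IPv4 header without options, an 8-byte ICMP echo header, and the IPv4 rule that every non-final fragment carries a multiple of 8 payload bytes; from those it computes the fragment count for a given ping data length and MTU, and the largest ping data length that still stays under three fragments.

```python
"""IPv4 fragment-count check for ICMP echo (ping) packets.

Added example, not part of the original limitations table. Assumptions:
a 20-byte IPv4 header (no options), an 8-byte ICMP echo header, and the
IPv4 rule that every fragment except the last carries a payload that is
a multiple of 8 bytes. "Ping data length" is the ICMP data size a ping
tool lets you set (56 bytes by default on most Unix ping implementations).
"""

IPV4_HEADER = 20   # bytes; assumption: no IP options
ICMP_HEADER = 8    # bytes; ICMP echo request/reply header


def fragment_payload_capacity(mtu: int) -> int:
    """Bytes of IP payload one fragment can carry on a link with this MTU.

    Non-final fragments must carry a multiple of 8 bytes, so the usable
    space is rounded down to the nearest multiple of 8.
    """
    capacity = (mtu - IPV4_HEADER) // 8 * 8
    if capacity <= 0:
        raise ValueError(f"MTU {mtu} is too small for an IPv4 header")
    return capacity


def fragment_count(ping_data_len: int, mtu: int) -> int:
    """Number of IPv4 fragments an ICMP echo with this data length needs."""
    if ping_data_len < 0:
        raise ValueError("ping data length must be non-negative")
    ip_payload = ICMP_HEADER + ping_data_len
    capacity = fragment_payload_capacity(mtu)
    # Ceiling division; an echo with no data still occupies one packet.
    return max(1, -(-ip_payload // capacity))


def max_unfragmented_ping_data(mtu: int) -> int:
    """Largest ping data length that fits in a single packet (no fragments)."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def max_ping_data_under_three_fragments(mtu: int) -> int:
    """Largest ping data length that still yields at most two fragments."""
    return 2 * fragment_payload_capacity(mtu) - ICMP_HEADER


def check_ping(ping_data_len: int, mtu: int) -> dict:
    """Classify a ping against the restriction that three or more fragments fail."""
    n = fragment_count(ping_data_len, mtu)
    return {
        "fragments": n,
        "within_mtu": ping_data_len <= max_unfragmented_ping_data(mtu),
        "hits_restriction": n >= 3,
    }


if __name__ == "__main__":
    mtu = 1500  # constructed example link MTU
    for size in (56, 1472, 1473, 2952, 2953, 4000):
        print(size, check_ping(size, mtu))
```

With a 1500-byte MTU, ping data up to 1472 bytes stays unfragmented (the guideline's "does not exceed the interface MTU" case), up to 2952 bytes produces two fragments, and anything larger produces three or more and trips the restriction. Run the script with the MTU of the interface actually carrying the public address to get the matching thresholds.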