NAT Reassembly

If a packet is fragmented before it arrives on a TNSR interface, only the initial fragment packet contains header information needed to properly apply NAT. Later fragments lack these details, which prevents TNSR NAT from seeing port data. This can lead to fragments being mishandled because TNSR has no way to determine what it should do to these fragments. NAT reassembly works around this problem by holding fragments and reassembling entire packets for inspection, allowing TNSR to properly act upon the full packet.

Configuration

The nat reassembly (ipv4|ipv6) command, available from config mode, enters config-nat-reassembly mode to configure how NAT fragment reassembly behaves for either IPv4 or IPv6.

The following commands are available within config-nat-reassembly mode:

concurrent-reassemblies <max-reassemblies>

Configures the maximum number of packets held for reassembly at any time. Default 1024.

disable

Disables NAT reassembly

enable

Enables NAT reassembly

fragments <max-fragments>

Maximum number of fragments to reassemble. Default 5.

timeout <seconds>

Number of seconds to wait for additional fragments to arrive for reassembly. Default 2 seconds.

View Configuration

To view the current values in the configuration for NAT reassembly, use show nat reassembly:

tnsr# show nat reassembly

NAT Reassembly Parameters
-------------------------
Family: ipv4
    Enabled : true
    Timeout : 2 seconds
    Max Fragments : 5
    Max concurrent reassemblies: 1024
Family: ipv6
    Enabled : true
    Timeout : 2 seconds
    Max Fragments : 5
    Max concurrent reassemblies: 1024