CG-NAT — how to start using and why you need it

September 21, 2021
CG-NAT — how to start using and why you need it
CG-NAT (Carrier Grade Network Address Translation) is a technology that enables an ISP to replace a user's local IP address with a public one in TCP/IP networks. Let's find out how CG-NAT is implemented in Stingray Service Getaway and why it is the right solution for you.

How it works

With the CG-NAT solution, ISP has the ability to allocate a public IPv4 address to multiple clients. Thus it is easier to implement IPv6 by extending the use of IPv4. The Stingray Service Getaway traffic monitoring and analysis system is designed for ISPs, but you can also use it to replace NAT devices in your IT infrastructure. The solution is designed to work effectively in any environment: in case if your network infrastructure grows or changes it is easy to adjust it to your needs.


Here are some of CG-NAT alternative solutions and their advantages and disadvantages from their users’ point of view.

  • A10 Networks Thunder. As advantages users notice democratic pricing with no sudden changes, high reliability of the solution, as well as rare failures, ease of use, intuitive graphical interface, and detailed documentation. Among the disadvantages, users name the solution’s problems with tracking simultaneous use of multiple ports.
  • F5 BIG-IP. Users like the ease of use, a good system of protection against external intrusion, and a large number of available and flexible functions. On the other hand, there are the weak sides of the solution like sagging speed, occasional connection problems, and the fact that it gives little information in case of problems (so sometimes it is not very clear how exactly the situation can be fixed).
  • Cisco ASR 9000. Users like the familiar Cisco ecosystem, reliability, and ease of use. As for disadvantages, they notice problems with documentation and occasional bugs in the internal architecture.

Alternative solutions CG-NAT

Also, you can implement CG-NAT independently with the help of your technical specialists. There are examples of successful cases on telecom-related resources. As an advantage in this case – the possibility of full control of the solution from your side (your engineers would understand the exact architecture of the solution). The main disadvantage is that creating CG-NAT functionality on your own is constant hard work and requires resources. So it is more likely for many companies just to use an out-of-the-box solution.

Pros of CG-NAT as part of Stingray SG

  1. It makes the use of IPv4 address space the most efficient way.
  2. It meets requirements specified in RFC 4787 (Network Address Translation (NAT) Behavioral Requirements for Unicast UDP) and RFC 6888 (Common Requirements for Carrier-Grade NATs), which is a guarantee of stable operation of the system.
  3. Stingray Service Getaway can perform 128 million sessions at a time.
  4. You can dynamically scale the solution and increase throughput without traffic interruption.
  5. Unified management of all platform functionality.
  6. Translations are logged and available either as logs or can be transferred to an external collector via NetFlow v10 (IPFIX).

How to set up NAT in Stingray SG

It can be easily set up in just two commands.

Create a profile with a single command, here it is:

fdpi_ctrl load profile --service 11 test_nat
--profile.json '{ "nat_ip_pool" : ",5.200.44/25",
"nat_tcp_max_sessions" : 2000, "nat_udp_max_sessions" : 2000 }'

The other command to turn it on:

fdpi_ctrl load --service 11 test_nat --ip


fdpi_ctrl load --service 11 test_nat --login test_subs


fdpi_ctrl load --service 11 test_nat --cidr

CG-NAT management via a graphical interface

  • Load on profiles and NAT address pool

GUI Load on profiles and NAT address pool

  • NAT statistics (port load)

GUI NAT statistics (port load)

  • Statistics on the conversion of private IP addresses to public ones

GUI Statistics on the conversion of private IP addresses to public ones


Stingray Service Getaway has a built-in Full Cone NAT option that allows packets to be sent from any source on an external mapped TCP/UDP port. This makes it easier to monitor the activity of peer-to-peer services (such as torrents, games, etc). All client connections from one internal IP address are bound to one external IP address because of Paired IP address pooling.

There is also basic protection against DDoS attacks. It works simply like this: if an attempt is made to connect to an external address from the outside on a certain port, then the NAT device checks if there are any connections set up for that port. If there is none, the connection will be terminated.

Besides that, in the situation, if one of the subscribers gets infected by malware, we can limit the number of used UDP and TCP ports, so it will not take all network resources. In this case, not all of the subscribers will be infected but only one of them.

Also, there is a technology named Hairpinning. It allows all subscribers behind a NAT to access each other’s public addresses without forwarding packets outside the device and translating outside the device.


The Stingray SG must operate in an in-line mode in order for the CG-NAT function to work correctly.

A Stingray SG BRAS or Complete license is also required for this. Address translation speed depends on the selected license and hardware platform: it can be from 6 to 200 Gbit/s. We also recommend installing a backup platform in case of emergency situations.

We use cookies to optimize site functionality and give you the best possible experience. To learn more about the cookies we use, please visit our Cookies Policy. By clicking ‘Okay’, you agree to our use of cookies. Learn more.