The table of NAT Aliases can store up to 255 entries, indexed starting from 0 up to 254.
The entry priority index sets the entries verification order and must be sequential.
The priority index for NAT Aliases is also utilized as a reference for operations of insertion, modification and deletion.
In the table of NAT Aliases, configurations may be added, modified, deleted while the Abilis CPX is working, without needing to restart it. Changes made in the table are immediately actives by executing the command INIT NAT or by executing the initialization command INIT PO:, where "xxx" is the NAT port number.
Commands for handling the table of NAT Aliases are described in the Configuration of NAT Alias entries section of the document Commands relating to NAT.
The available commands are the following:
A NATHere it follows an example of the NAT Aliases visualization. All values are only examples.
[18:14:08] ABILIS_CPX: D NAT
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
------------------------------------------------------------------------------
PR: SIDE: ADD: NET: ANET: SIPP: DIPP: PAT:
PROT: DPO: ADPO:
------------------------------------------------------------------------------
0 IN DST 002.002.002.002/32 005.005.005.005/32 10 * NO
------------------------------------------------------------------------------
1 OUT DST 005.005.005.005/32 002.002.002.002/32 * * NO
------------------------------------------------------------------------------
2 IN DST 002.002.002.003/32 005.005.005.006/32 10 * NO
------------------------------------------------------------------------------
3 OUT DST 005.005.005.006/32 002.002.002.003/32 * * NO
------------------------------------------------------------------------------
4 IN SRC 000.000.000.000/32 000.000.000.000/32 * * YES
ICMP
------------------------------------------------------------------------------
5 IN SRC 000.000.000.000/32 000.000.000.000/32 * * YES
TCP *
------------------------------------------------------------------------------
6 IN DST 000.000.000.000/32 000.000.000.000/32 * * YES
UDP * *
------------------------------------------------------------------------------
As it is possible to note from the previous example, this command desn't display information about parameters whose values are the default ones. They will be only displayed if their values have been changed from the default ones. In such way, the description of single entry is simply contained in one row.
Single entry displaying:
[12:41:53] ABILIS_CPX: D NAT PR:4
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
------------------------------------------------------------------------------
PR: SIDE: ADD: NET: ANET: SIPP: DIPP: PAT:
PROT: DPO: ADPO:
------------------------------------------------------------------------------
4 IN SRC 000.000.000.000/32 000.000.000.000/32 * * YES
ICMP
------------------------------------------------------------------------------
The "Not Saved (SAVE CONF)" message is displayed every time the table is modified but not saved with the SAVE CONF command.
The "Not Refreshed (INIT)" message is displayed every time the table is modified but not refreshed with the INIT NAT command or the INIT PO: command.
| PR: | NAT alias entry priority (The 0 priority is the highest) |
| none | from 0 up to 254 |
It is the entry priority. The priority index sets NAT alias entries looking order.
The NAT alias entry priority index is also use by the adding, modifying and deleting commands for referring to it.
Priority indexes, every time an entry is added or deleted, in the list are automatically kept in sequential order.
The verifying procedure is executed for each entry when NAT has had an IP datagram which must be translated, i.e. if an entry in NAT dynamic table for this IP datagram has not found.
It starts from the entry with priority 0 and continues until the suitable one will be found or the list will end.
| SIDE: | Side of translation |
| IN | IN, OUT |
It sets the side of translation. The "IN" value stands for "inside"; "OUT" value stands for "outside".
A NAT alias entry is used only when the side of the translation for incoming IP datagram is equal to the side of the translation for this record.
The side of translation for incoming IP datagrams is defined in NAT: field of IP port configuration.
| ADD: | Address translation type |
| SRC | SRC, DST |
It sets the type of translation. The "SRC" value stands for "source IP address"; "DST" value stands for "destination IP address".
A NAT alias entry can be used to translate the source IP address of the IP datagram or to translate the destination IP address of the IP datagram.
In the case that both source and destination IP adresses have to be translated, two entries have to be defined in the table of NAT Aliases.
For more information about address translation see the section NAT configuration examples.
| NET: | Network IP address and mask |
| 000.000.000.000/32 | see below |
It sets the network IP address and mask values used to match with the address of the IP datagram to be translated.
Allowed values for the network IP address are shown in the following table:
| HEX: | 00000000 | 01000000 - 7EFFFFFF | 80000000 - DFFFFFFF |
|---|---|---|---|
| DDN: | 0.0.0.0 | 1.0.0.0 - 126.255.255.255 | 128.0.0.0 - 223.255.255.255 |
IP addresses of class D and E are not currently supported.
Allowed values for the network mask are [0 - 32]. Only values that contain a contiguous sequence of bits set to 1 are accepted. Moreover doing the "logical And" between the network IP address value and the related mask value, the result should be the network IP address itself.
This filed can also be set to the name of an IP addresses list or to the name of an IP addresses ranges list betweek peaks (E.g.: 'ListName'). The referenced list must already be defined in the Elements Lists service.
For more information about address translation see the section NAT configuration examples.
| ANET: | Alias network IP address and mask |
| 000.000.000.000/32 | see below |
It sets the network IP address and mask values to be used to replace the original address of the IP datagram.
Allowed values for the alias network IP address are shown in the following table:
| HEX: | 00000000 | 01000000 - 7EFFFFFF | 80000000 - DFFFFFFF |
|---|---|---|---|
| DDN: | 0.0.0.0 | 1.0.0.0 - 126.255.255.255 | 128.0.0.0 - 223.255.255.255 |
IP addresses of class D and E are not currently supported.
Allowed values for the alieas network related mask are [0 - 32]. Only values that contain a contiguous sequence of bits set to 1 are accepted. Moreover doing the "logical And" between the alias network IP address value and the related mask value, the result should be the alias network IP address itself.
This field can also be set to "OUT-IPP" value, in this case the original address of the IP datagram will be replaced with the IP address of the IP port from which it will be forwarded, i.e. the IP address set in IPADD: field of IP port configuration.
For more information about address translation see the section NAT configuration examples.
| SIPP: | Source IP port |
| * | 0..63, *, NONE |
It sets the IP port from which the IP datargram has to be received in order to match the entry.
The value "*", that stands for "any IP port", allows the translation to be independent of the IP port from which the datagram has been received.
The value "NONE", that stands for "no IP port", can be used to temporary disable a certain entry without deleting it.
| DIPP: | Destination IP port |
| * | 0..63,*, NONE |
It sets the IP port from which the translated IP datagram has to be forwarded in order to match the entry.
The value "*", that stands for "any IP port", allows the translation to be independent of the IP port from which the datagram has to be forwarded.
The value "NONE", that stands for "no IP port", makes the entry to mach only with IP datagram with internal detination.
| PAT: | Port address translation activation/deactivation. |
| NO | NO, YES |
It allows to enable/disable the Port Address Translation (PAT) mode for this record.
When this parameter is set to "YES", the PAT mode is enabled and the additional parameters PROT:, DPO: and ADPO: can be configured.
| PROT: | Allowed IP protocols |
| * | ICMP, TCP, UDP, *, NONE |
It sets the IP protocols values that make the IP datagram to match with this entry.
Values "ICMP", "TCP" and "UDP" can be joined using the comma (",") character. This parameter can be set only when the Port Address Translation (PAT) mode is enabled, i.e. when the PAT: field is set to "YES".
| DPO: | Allowed destination TCP/UDP ports. |
| * | see below |
It sets the destination TCP/UDP port(s) values that make the IP datagram to match with this entry.
It can be set to a single port, using the corresponding mnemonic or a decimal value in the range [1..65535].
It can be set to a range of ports, using two port values separated by colon (":") character.
It can also be set to the name of a TCP/UDP ports list or to the name of a Rule list or to the name of a Master rule list between primes (E.g.: 'ListName'). The referenced list must already be defined in the Elements Lists service.
By last the value "*", that stands for "any port" can be used to make the translation to be independent of the destination TCP/UDP port.
Here there are examples of accepted values: "22" or "SSH" or "1:1024" or "*" or "'List'".
This parameter can be set only when the Port Address Translation (PAT) mode is enabled, i.e. when the PAT: field is set to "YES", and when TCP/UDP protocols are selected in PROT: field.
| ADPO: | Alias destination TCP/UDP ports. |
| * | 1 - 65535, * |
It sets the alias destination TCP/UDP port(s) values that has to be set in the IP datagram matching with this entry.
It can be set to a single port, using the corresponding mnemonic or a decimal value in the range [1..65535].
The value "*", that stands for "any port" can be used to leave the TCP/UDP port of the IP datagram unchanged.
This parameter can be set only when the Port Address Translation (PAT) mode is enabled, i.e. when the PAT: field is set to "YES"; when TCP/UDP protocols are selected in PROT: field and when the ADD: field is equal to "DST".
Print this page