The Network Address Translator port (NAT)

Revised for CPX 4.7.0.
Network Address Translation (NAT) problems
Terminology
Types of address translation

Configuration of the NAT port
Statistics of the NAT port

Configuration of NAT Aliases

Supported protocols/applications
Configuration examples


The IP addresses used inside a stub domain may also be used by another stub domain; for instance, a single Class A address block could be used in several stub domains. This happens very frequently when the domains are not administered by the same authority, as in the case of independent enterprise networks.

As long as the domains are isolated there is no problem, but as soon as they need to be interconnected the overlapping addresses would prevent it. This is where Network Address Translation (NAT) plays its role: installing a Network Address Translator at each exit point between a stub domain and the backbone, or between stub domains, allows addresses to be translated so that each stub domain "sees" only valid addresses.

Network Address Translation (NAT) problems

Unfortunately Network Address Translation (NAT) is not free. Because of the way some protocols/applications behave, it may introduce compatibility problems that cannot always be solved.

The problem: some protocols/applications place IP addresses and/or TCP/UDP ports in the payload of the packets, at the same "level" as the application data.
As a result, when the Network Address Translator changes the IP addresses or the TCP/UDP ports of a datagram, a misalignment arises between the new values in the IP/TCP/UDP headers and the content of the packet, which carries the same information BUT at application level.

To successfully apply Network Address Translation (NAT) it is therefore necessary to further modify the packet payload, so that it corresponds to the current values in the IP/TCP/UDP headers.
Unfortunately there is no "good-for-all" method, and each protocol/application must be identified and processed properly.

The "List of protocols/applications supported by NAT" section gives the exact list of the well-known protocols/applications that require special handling and that are either supported or not supported by the Abilis CPX Network Address Translator port.
Those not mentioned should work without trouble.
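The header/payload misalignment described above, as an added example that is not part of the Abilis CPX documentation: FTP active mode carries the client's address and port inside the control channel as a PORT command, so translating only the IP/TCP headers leaves the payload pointing at the untranslated inside local address. The rewrite below is the kind of payload fix a NAT's application level gateway must perform; the port mapping callback and the sample addresses are constructed for illustration.

```python
"""Added example (not CPX code): why a NAT must also rewrite the payload
of a "special" protocol such as FTP, whose PORT command embeds an
IP address and a TCP port at application level."""
import re

# "PORT h1,h2,h3,h4,p1,p2" where port = p1 * 256 + p2 (RFC 959)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_command(line: str):
    """Return the (ip, port) carried by an FTP PORT command, or None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(ip: str, port: int) -> str:
    """Encode (ip, port) back into the PORT command wire format."""
    octets = ip.split(".")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}\r\n"


def header_payload_mismatch(header_src_ip: str, payload: str) -> bool:
    """True when a PORT payload disagrees with the (already translated) IP header."""
    parsed = parse_port_command(payload)
    return parsed is not None and parsed[0] != header_src_ip


def translate_ftp_control(payload: str, inside_local: str, inside_global: str,
                          port_map) -> str:
    """Rewrite a PORT command so it matches the translated header.

    port_map(local_port) -> global_port stands in for the port mapping the
    NAT created for the data connection (a constructed assumption here).
    Any other control line is a 'regular' payload and passes through unchanged.
    """
    parsed = parse_port_command(payload)
    if parsed is None or parsed[0] != inside_local:
        return payload
    return build_port_command(inside_global, port_map(parsed[1]))


if __name__ == "__main__":
    # Constructed sample: inside host 10.0.0.5 behind a NAT whose global address is 203.0.113.7
    original = build_port_command("10.0.0.5", 5001)
    fixed = translate_ftp_control(original, "10.0.0.5", "203.0.113.7", lambda p: p + 20000)
    print(original.strip(), "->", fixed.strip())
```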

Terminology

Inside.  The set of networks that are subject to translation, usually "private" networks.

Outside.  All other networks, usually "public" addresses located on the Internet.

Inside local IP address.  The IP address assigned to a host on the inside network. The address may or may not be a valid outside address (usually on the Internet); in the second case it may actually belong to another organization, to which it will be impossible to connect, even with NAT. In the table of NAT Aliases this term is called NET:.

Inside global IP address.  The IP address of an inside host as it appears to the outside networks. If, as usual, the outside network is the Internet, the address must be one of the "public" addresses that the ISP has assigned to the user's router for those connections. In the table of NAT Aliases this term is called ANET:.

Processed IP packet.  A packet in which a source or destination address was changed; in some cases a source or destination port was changed too.

Ignored IP packet.  A packet that was not changed.

Types of address translation


Static Address Translation. The user can establish a one-to-one mapping between the inside local and global addresses, which happens when the number (netmask) of inside local and global addresses is identical.

Dynamic Source Address Translation. The user can establish a dynamic mapping between the inside local and global addresses, which happens when the number (netmask) of inside local and global addresses is different.

Port Address Translation (PAT). The user can conserve addresses in the global address pool by allowing source ports in TCP connections or UDP conversations to be translated. Different local addresses will be mapped to the same global address, with port translation providing the necessary uniqueness for TCP/UDP and other tricks providing uniqueness for ICMP.

This mode is indifferently called "PAT" or "NAT+PAT" and works only with the TCP/UDP/ICMP protocols.

Extended filtering in PAT mode. The purpose of this feature is to allow selective activation of the PAT translation based on the destination TCP/UDP port and on the IP protocol, so that network managers can strengthen their control of the network by:

Destination port mapping. This behaviour is very useful in many situations, the most frequent being:

For more information see the Configuration examples section.

Configuration of the NAT port

The NAT port is referred to by the "NAT" abbreviation and has all the parameters described in this chapter.

Here is an example of the NAT port parameters.

[18:18:41] ABILIS_CPX: D P PO:NAT
                                                                               
PO:911 - Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------
NAT    ------------------------------------------------------------------------
       LOG:DS          ACT:NO           dimtable:1000   TOUT:60             
       - PAT mode timeouts ----------------------------------------------------
       TCP-CONN:3      TCP-CLOSING:180  TCP-CLOSED:1    TCP-RST:YES                         
       ICMP:30         UDP:3            DNS:30          SNTP:30             
       FRAG-ID:30      FRAG-PTR:30      SNMP-ALG:NO             

To activate changes made to the parameters displayed in lowercase characters, the system must be restarted; changes made to the uppercase parameters are activated by executing the initialization command INIT PO:.
Changes made to the LOG: parameter are immediately active.

The "Not Saved (SAVE CONF)" message is displayed whenever the port configuration has been modified but not saved with the SAVE CONF command.

The "Not Refreshed (INIT)" message is displayed whenever the port configuration has been modified but not refreshed with the INIT PO: command.

Details of the NAT port parameters


LOG: Events logging activation and generation of alarm signals
DS NO, D, S, A, L, T, ALL, +E

This parameter makes it possible to activate/deactivate the logging of the meaningful events of the port, as well as the detection and signalling of alarms in case of critical events.

The following table shows the available options and the related functionalities usable by the parameter:

Option   Meaning
D        Recording of the driver state changes and/or the meaningful events in the Debug Log
S        Recording of the driver state changes and/or the meaningful events in the System Log
A        Periodic detection of possible alarms. The detected alarms can be displayed with the command ALARM VIEW or with the analogous command available in the UTILITY menu of the LCD display on the front panel
L        On alarm detection, acoustic signal generation plus a message on the LCD display. This function depends on the activation of alarm detection by the "A" option
T        Generation by the SNMP Agent of Abilis CPX of SNMP traps corresponding to any change of the driver state and/or occurrence of meaningful events

Besides the options already described, the following values are also allowed:

Option   Meaning
NO       All the logging functionalities and the alarm detection and generation mentioned above are disabled.
ALL      All the logging functionalities and the alarm detection and generation mentioned above are enabled.
+E       Added to one or more of the previous options, extends its (their) set of meaningful events.
         The value "ALL+E" activates all the options and extends the set of meaningful events.
         The value "NO+E" is meaningless and is therefore ignored.

Options can be combined together.

Some examples:

By using the characters "+" and "-" as a prefix of one or more options, it is possible to add or remove one or more functionalities without setting the value of the parameter from scratch.

Some examples:

Warning! Changes made to this parameter are activated immediately, without the need for initialization commands.


ACT: NAT runtime activation/deactivation
NO NO, YES

This parameter is used to activate/deactivate Network Address Translation at runtime.

When it is set to "NO", NAT processing is disabled. The IP router will ignore any NAT references.

When it is set to "YES", NAT processing is enabled. The IP router requests NAT processing whenever a packet arrives from either an INSIDE or an OUTSIDE interface.

Warning! Unclassified interfaces, i.e. interfaces that belong neither to the inside scope nor to the outside one (the NAT: field of the IP port configuration is set to "NO"), are ignored.

When Network Address Translation is active, packets are forwarded only in the following cases:

When NAT is active, packets are not forwarded between a classified and an unclassified interface.


DIMTABLE: Maximum number of simultaneously active translations
1000 100 - 10000

It specifies how many translations can be created at the same time.

If the translation table gets full, further requests are ignored and the packets dropped. In this condition the statistics counter OVERFLOW: is increased for each dropped packet.


TOUT: Time-out for IP links - non PAT mode
60 1 - 65535 min

This value sets the timeout of static and dynamic translations, i.e. those created without the PAT mode.
If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table.
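The PAT mode, the DIMTABLE limit and the idle timeout described above, worked through in an added example that is not part of the Abilis CPX documentation: a minimal PAT translation table in which several inside hosts share one global address, a full table answers new requests with an OVERFLOW, and idle entries are reclaimed after the timeout. The table layout, counter names used as dictionary keys and the sample traffic are constructed for illustration; the CPX internal implementation is not modelled.

```python
"""Added example (not CPX code): a toy PAT translation table showing how
the DIMTABLE limit and the idle timeout interact, and how the REQ,
SUCCESS and OVERFLOW counters move.  Traffic below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    inside_local: tuple    # (ip, port) of the inside host
    inside_global: tuple   # (ip, port) as seen from the outside
    last_used: int         # time of the last packet, in seconds


@dataclass
class PatTable:
    global_ip: str                 # single inside global address shared by all hosts
    dimtable: int = 1000           # maximum simultaneous translations (DIMTABLE)
    timeout: int = 3 * 60          # idle timeout in seconds (UDP default: 3 min)
    next_port: int = 1024          # next free global source port
    entries: dict = field(default_factory=dict)
    stats: dict = field(default_factory=lambda: {"REQ": 0, "SUCCESS": 0, "OVERFLOW": 0})

    def expire(self, now: int) -> None:
        """Drop translations that have been idle for at least `timeout` seconds."""
        stale = [k for k, e in self.entries.items()
                 if now - e.last_used >= self.timeout]
        for k in stale:
            del self.entries[k]

    def translate(self, src_ip: str, src_port: int, now: int):
        """Translate an inside->outside packet; return the global (ip, port) or None."""
        self.stats["REQ"] += 1
        self.expire(now)
        key = (src_ip, src_port)
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.dimtable:
                self.stats["OVERFLOW"] += 1  # table full: request dropped
                return None
            entry = Entry(key, (self.global_ip, self.next_port), now)
            self.next_port += 1              # port uniqueness is what makes PAT work
            self.entries[key] = entry
        entry.last_used = now                # refresh the idle timer
        self.stats["SUCCESS"] += 1
        return entry.inside_global


def demo():
    """Two hosts share one global address; a third is refused until a slot expires."""
    t = PatTable("203.0.113.7", dimtable=2, timeout=180)
    a = t.translate("10.0.0.5", 40000, now=0)
    b = t.translate("10.0.0.6", 40000, now=1)    # same local port, distinct global port
    c = t.translate("10.0.0.7", 40000, now=2)    # table full: None, OVERFLOW += 1
    d = t.translate("10.0.0.7", 40000, now=200)  # idle entries expired, slot freed
    return a, b, c, d, dict(t.stats), len(t.entries)
```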


TCP-CONN: Time of storage for TCP links in connecting state.
3 1-65534 min

This value sets the timeout for a TCP link in the connecting state, which is the main state of a TCP connection once it has been established. If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. For more information about the states of a TCP connection see RFC 793. This value is used in the PAT mode of NAT only.


TCP-CLOSING: Time of storage for TCP links in closing state.
180 1-240 sec

This value sets the timeout for a TCP link in the closing state, i.e. the state of a TCP connection in which one end of the link is waiting for a connection termination request acknowledgment from the other. For more information about the states of a TCP connection see RFC 793. This value is used in the PAT mode of NAT only.


TCP-CLOSED: Time of storage for TCP links in closed state.
1 1-240 sec

This value sets the timeout for a TCP link in the closed state, which represents no connection at all (i.e. a connection closed from both sides). For more information about the states of a TCP connection see RFC 793. This value is used in the PAT mode of NAT only.


TCP-RST: Send RESET for expired link
YES NO, YES

For packets other than SYN, when the link is not available NAT sends a datagram with the RST bit set to the host that sent the datagram. This triggers the establishment of a new connection. For more information about the states of a TCP connection see RFC 793. This value is used in the PAT mode of NAT only.


ICMP: Time of storage for ICMP links 
30 1-240 sec

This value sets the timeout for ICMP links. If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. This value is used in the PAT mode of NAT only.


UDP: Time of storage for UDP links
3 1-65534 min

This value sets the timeout for UDP links. If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. This value is used in the PAT mode of NAT only.


DNS: Time of storage for DNS links
30 1-240 sec

This value sets the timeout for DNS links. These links are created while translating DNS packets (a DNS packet is a UDP packet whose source or destination port is equal to 53). If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. This value is used in the PAT mode of NAT only.


SNTP: Time of storage for SNTP links
30 1-240 sec

This value sets the timeout for SNTP links. These links are created while translating SNTP packets (an SNTP packet is a UDP packet whose source or destination port is equal to 123). If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. This value is used in the PAT mode of NAT only.


FRAG-ID: Time of storage for FRAG-ID links
30 1-240 sec

This value sets the timeout for FRAGMENT ID links. These links are created while translating IP fragments. If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. This value is used in the PAT mode of NAT only.


FRAG-PTR: Time of storage for FRAG-PTR links
30 1-240 sec

This value sets the timeout for FRAGMENT PTR links. This value is used in the PAT mode of NAT only.


SNMP-ALG: Enable/disable SNMP Application Level Gateway
NO NO, YES

This parameter is used to enable/disable the SNMP Application Level Gateway.

Statistics of the NAT port

Example of how to show the state and statistics of the port with the command D S:

[15:00:45] ABILIS_CPX:d s po:911

PO:911 ------------------------------------------------------------------------
NAT    STATE:READY     CUR-TRANSLATIONS:0           MAX-TRANSLATIONS:1000
       ------------------------------------------------------------------------
       REQ:529         SUCCESS:0           IGNORED:529         ERROR:0
       OVERFLOW:0                          TCP-RST:0
       -----------|--IN SRC---|--IN DST---|--OUT SRC--|--OUT DST--|
       ICMP       |0          |0          |0          |0          |
       TCP        |0          |0          |0          |0          |
       UDP        |0          |0          |0          |0          |
       OTHERS     |0          |0          |0          |0          |
       ------------------------------------------------------------------------
       FTP        |0          |0          |0          |0          |
       DNS        |0          |0          |0          |0          |
       OTHERS     |0          |0          |0          |0          |
       ------------------------------------------------------------------------
       FRAG-ID:0                   FRAG-POINTER:0
       FRAG-UNRESOLVED:0           FRAG-HEADER-FOUND:0
       ------------------------------------------------------------------------

NAT port statistics fields detailed


CUR-TRANSLATIONS: Number of translations currently active.
0 - 65534

The number of records in the NAT dynamic table currently used for translation.


MAX-TRANSLATIONS: Limit to possible simultaneous translations
1 - 65534

Limit to the possible simultaneous translations, i.e. the size of the NAT dynamic table.


REQ: Requests total.
0 - 4294967295

The number of translation requests that NAT has received since start (or since the NAT port statistics were cleared).


SUCCESS: Successful requests.
0 - 4294967295

The number of requests processed successfully (i.e. a source or destination address in the IP packet was changed, or an IP address in the packet body was changed, for example when the packet carries a DNS message in its body).


IGNORED: Ignored requests.
0 - 4294967295

The number of ignored requests (i.e. the IP packet was not changed) because no match was found.


ERROR: Unsuccessful requests.
0 - 4294967295

The number of requests not processed successfully, regardless of the reason for the error.


OVERFLOW: Table overflow.
0 - 4294967295

The number of requests not processed successfully because the table has overflowed.


TCP-RST: TCP resets sent.
0 - 4294967295

The number of TCP reset packets sent. TCP RST packets may be sent only when the TCP-RST parameter of NAT is equal to YES.


ICMP: The number of processed ICMP packets.
0 - 4294967295

The number of processed ICMP packets. Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately.


TCP: The number of processed TCP packets.
0 - 4294967295

The number of processed TCP packets. Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately.


UDP: The number of processed UDP packets.
0 - 4294967295

The number of processed UDP packets. Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately.


OTHERS: The number of processed packets of other types.
0 - 4294967295

The number of processed packets of other types (not ICMP/UDP/TCP). Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately.


FTP: The number of processed FTP packets.
0 - 4294967295

The number of processed FTP packets. Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately.


DNS: The number of processed DNS packets.
0 - 4294967295

The number of processed DNS packets. Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately.


OTHERS: The number of processed packets of other types.
0 - 4294967295

The number of processed packets of other types (not FTP/DNS). Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately.


FRAG-ID: The number of processed FRAGMENT ID packets.
0 - 4294967295

The number of processed FRAGMENT ID packets.


FRAG-POINTER: The number of processed FRAGMENT POINTER packets.
0 - 4294967295

The number of processed FRAGMENT POINTER packets.


FRAG-UNRESOLVED: The number of unprocessed fragment packets.
0 - 4294967295

The number of unprocessed fragments of IP packets, dropped because the fragment could not be resolved.


FRAG-HEADER-FOUND: The number of processed fragments of IP packets.
0 - 4294967295

The number of processed fragments of IP packets.


Supported protocols/applications

Terminology

Regular protocol/application
It is a protocol/application that works correctly even if IP addresses and/or TCP/UDP ports are translated. It does not require specific treatment.
Special protocol/application
It is a protocol/application that requires further specific treatment of the packet payload after the IP addresses and/or TCP/UDP ports have been translated.
Supported protocol/application.
It is a special protocol/application that CPX NAT can successfully manage.
Unsupported protocol/application.
It is a special protocol/application that CPX NAT cannot manage correctly, in the sense that it can only translate IP addresses and/or TCP/UDP ports but it cannot modify the packet payload.

Well known regular protocols

Supported protocols/applications

Below is a list of well-known special protocols/applications which are supported by CPX NAT.

Unsupported protocols/applications

Below is a list of well-known special protocols/applications which cannot work with any NAT implementation, because the information in the payload is encrypted and therefore NATs cannot modify it!

Below is a list of well-known special protocols/applications which are not supported by the current CPX NAT implementation.
