
Compatible Systems Setup Guides: Network Address Translation Configuration Guide
Document ID: 17621
Contents − Network Address Translation Configuration Guide
IMPORTANT DISCLAIMERS
EXPLANATION OF NAT FUNCTIONALITY
Internet sources for Network Address Translation documents
NAT EXAMPLE NETWORKS
Example One: Network Address Translation "private" Network
Example Two: Network Address Translation "private" Network and user's network with "global" IP addresses
Example Three: Network Address Translation "private" Network on a Sub−Interface on the NAT External Port
IMPORTANT NOTE FOR NAT ON SUB−INTERFACES
CONSOLE COMMANDS FOR THE NAT SOFTWARE
show nat
show nat config
show nat map
show nat sessions
show nat statistics
show nat address_db
CONFIGURATION SECTION
[ NAT Global ] configure commands and example keywords
[ NAT Mapping ] edit commands and example keywords
[ IP < Section ID > ] configure commands and example keywords for Example One
EXTERNAL NAT PORT
INTERNAL NAT PORT
[ IP < Section ID > ] configure commands and example keywords for Example Three
EXTERNAL NAT PORT
INTERNAL NAT PORT
NAT PASSTHRU RANGE
FINAL NOTES
IMPORTANT DISCLAIMERS
1. Not all Compatible Systems devices have Network Address Translation ability. Due to memory limitations and software code size, the following routers do not have NAT software: MicroRouter 900i, MicroRouter 1000R, RISC Router 3000E, RISC Router 3400R, RISC Router 3800R.
2. NAT functionality is available on Compatible Systems device IP interfaces with one important exception. A WAN interface can be used as the NAT external port only if its IP address is assigned in the device's configuration. NAT cannot function on a WAN interface which has its IP address assigned by a dial−up, PPP negotiation.
3. Compatible Systems NAT implementation supports Real Audio and CUSeeMe.
4. The NAT software in Compatible Systems devices does not yet support several IP Applications. Some of the more popular IP applications not yet supported are: IRC (Internet Relay Chat), X Windows, IPSec.
EXPLANATION OF NAT FUNCTIONALITY
Reasons for Network Address Translation
IP Address Availability
The Internet is still growing at an almost exponential rate, with a finite number of Internet Protocol (IP) addresses available. Several solutions to this future shortage of IP addresses have been proposed and are currently being developed. One of the solutions currently being used is Network Address Translation (NAT).
NAT can ease the IP address shortage by creating "local" or "private" networks (also referred to as NAT Networks in this document) which are connected to the "official" Internet/External Network using only a single "global" IP address. This "global" IP address would have originally been assigned by the Internet Network Information Center (InterNIC), probably through an Internet Service Provider (ISP) or System Administrator.
For example, a private group can create a local network of ten workstations with an IP addressing system which is totally independent of the Internet, and connect their network to the Internet with one "global" Internet IP address. In this case, the group would only need a
single IP address supplied by an ISP or the company System Administrator, rather than an IP address for each workstation −− a savings of nine valuable IP addresses.
Local Network Security
Another useful feature of NAT is its ability to act as a "firewall." The workstations on the NAT Network may freely establish connections with the External Network/Internet. The opposite case is possible, but is controlled by NAT. NAT can allow just a few connections, or even no connections, to be established from the External Network to the NAT Network, as the user sees fit.
NAT Functionality
Of course NAT requires that some processor must translate the "private" network IP addresses to the "global" Internet IP address, and vice−versa. This is where routers using NAT come into the picture. This document explains how NAT was developed for Compatible Systems devices on three example networks, and details how the routers are configured using the Command Line interface to properly do Network Address Translation.
Note: The Command Line interface is currently the only way to configure the NAT functionality. CompatiView NAT functionality is in development, but not yet available.
A Compatible Systems router with NAT functionality enabled will do one of the following to IP packets sent through a NAT interface:
1. Translate an IP address and otherwise modify an IP packet if its address matches one of the NAT IP address ranges defined for the router.
2. Allow the router to accept and process the IP packet if that packet is addressed to the router itself (e.g., broadcast packets, a Telnet session to the router, or pinging the router).
3. Allow the IP packet to be routed without modifying it, if the IP address of the packet is within the NAT PassThru Range defined for the router.
4. Drop the packet if none of the conditions in 1, 2, or 3 are met.
Conditions 1 and 2 are presented in Example One below. Condition 3 is presented in Example Two. Condition 2 can be thought of as a default subset of Condition 3, where the destination is the router itself rather than some local LAN configured with a global IP address and connected to the router on an IP interface different from the one connecting the router to the Internet.
NAT EXAMPLE NETWORKS
Example One (Figure 1): The simpler of the two NAT Examples. The IP Interface Ethernet 0 on the NAT Router connects to the Internet. Such an IP interface is called the External NAT Port in this document. Everything behind the NAT Router, connected to the Internal Ethernet Hub and the NAT Router, via IP interface Ethernet 1, is part of the NAT Network. IP interfaces such as Ethernet 1 are called the Internal NAT Port in this document.
Example Two (Figure 2): WAN 0 (the External NAT Port) is the NAT IP interface connecting to the Internet; Ethernet 1 (the Internal NAT Port) connects to the NAT Network, but Ethernet 0 connects to an Ethernet hub which has "global" IP addresses. Ethernet 0, and its connected hub, are in effect part of the Internet. The Compatible Systems NAT software will allow the WAN 0 External NAT Port to pass IP packets to both the user's (Private) NAT Network and the LAN which has "global" IP addresses. The user can limit access to, or protect, the NAT Network while not affecting the performance of the portion of the network with "global" IP addresses.
Example Three: Very similar to Example Two, except that the External NAT Port, Internal NAT Port, and the port for the NAT PassThru Range are all located on the same physical port, by using sub−interfaces on this physical port.
EXAMPLE ONE
The Example One network, which was used in the development of the NAT software at Compatible Systems, is using a MicroRouter 2220R as the NAT Router. The NAT Router has IP port Ethernet 0 connected to the External Network and IP port Ethernet 1 connected to the NAT Network. Two Macintosh workstations, a PC running Windows NT and another MicroRouter 2220R are connected to the NAT Network Internal Ethernet hub. Other workstations and routers are connected to the External Ethernet hub, but, for clarity, only the connections to the NAT Router and the router connected to the Internet are shown here.
Figure 1
(*) NOTES: All of the machines in the NAT network must address their IP packets to the Internal Interface of the "NAT" MR 2220 Router (Ethernet 1).
Several important points about Compatible Systems NAT implementation are shown in Figure 1, and warrant special mention here:
A. The NAT functionality must be enabled in the router intended to do Network Address Translation. This is done by setting the Enabled variable (Enabled = On) in the [NAT Global] section. This will be described in more detail later in the NAT CONFIGURATION SECTION. In Example One, the NAT Router is the router between the NAT Network and the Internet.
B. The IP interface that communicates with the Internet must also be enabled for NAT. This is done by setting the NatMap variable (NatMap = On) on this interface in the [IP <Section ID>] section. This will also be described in more detail later in the NAT CONFIGURATION SECTION. In Example One this is the Ethernet 0 IP interface.
C. The IP Interface which is communicating with the External Network or Internet must be the only interface which has NatMap = On. It is important that one, and only one, IP interface on a NAT Router have its NatMap variable set to On.
Point C is probably the most important, and least obvious, configuration requirement. In Example One, Ethernet 0 and Ethernet 1 both seem to be participating in Network Address Translation. The user could assume that NatMap could be set to On in both IP ports. THIS IS NOT THE CASE! Only Ethernet 0 should have NatMap = On. Compatible Systems NAT software will not function between two IP ports which both have NatMap = On.
Again, in Compatible Systems routers with the [NAT Global] variable Enabled=On, the single IP interface which has NatMap = On is called the External NAT Port. The IP interface connected to the "private" IP addresses is called the Internal NAT Port. In Example One, Ethernet 0 is the External NAT Port and Ethernet 1 is the Internal NAT Port.
NAT only translates the address of the workstations/routers in the NAT Network. It does not need to adjust the address of the location on the External Network. The MicroRouter 2220R NAT Router just makes the workstations/routers in the NAT Network appear to be at the Internet IP addresses of 198.41.9.194 or 198.41.9.219 and accessible through the IP interface of Ethernet 0 on this router. The sub−interface makes the Internet address assignment based on logic in the software. These translations are done using Translation Sessions (also called NAT Sessions) in the NAT software. One NAT Session is created for each IP Communication Session that is established through the NAT Router.
Since NAT can be viewed and is often used as a type of firewall, Point B makes sense. The previous paragraph also helps explain the reason for Point B. NAT must modify packets destined for, and coming from, the External Network/Internet. The NAT Router IP interface which most directly communicates with the Internet must be the one doing Network Address Translation (NatMap = On).
Except for one special condition, which will be explained shortly, IP sessions can only be established between the Internet and the NAT Network through the NAT Router by locations on the NAT Network (only from the inside to the outside).
Note: NAT functionality is available on Compatible Systems router IP interfaces with one important exception. A WAN interface can be used as the External NAT Port only if its IP address is assigned in the Router's configuration. NAT cannot function on WAN interfaces that have their IP address assigned by a dial−up, PPP negotiation.
AN EXAMPLE NAT SESSION (CONDITION 1)
The Mac at internal address 10.5.3.10 is going to ping the Internet location 128.138.240.11. The Mac sends its IP packets (ICMP Echo Requests) to its Gateway IP address of 10.5.3.1. This is the address of the Internal NAT Port on the NAT Router (Ethernet 1) which is connected to the NAT Network. At this point the NAT Router begins to create a NAT Session for this IP session. This NAT Session contains information about:
    the NAT Network location (Internal NAT) source IP address {10.5.3.10}
    the Internet location (Remote) IP destination address {128.138.240.11}
    the External, translated NAT (External NAT) IP source address it will use in translating the packet {198.41.9.219}
    and the Application Protocol being transmitted by the IP packets (ICMP).
On outbound packets, all Internal NAT source IP address entries {10.5.3.10} in the packet are changed to the External NAT IP address {198.41.9.219}.
On inbound packets, in response, all External NAT destination IP addresses {198.41.9.219} are changed to Internal NAT IP addresses {10.5.3.10}.
The NAT Session, which was created by the outbound IP packet from the NAT Network, is what allows this translation to take place.
NAT Sessions can be displayed in the Command Line interface with the command show nat sessions.
Nat_2220> show nat sessions
Active Map                                 Remote               Proto  Hashes
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−−−−−−− −−−−−− −−−−−−−−−
10.5.3.10:0 −>198.41.9.219:0               128.138.240.11:0     ICMP   221/909
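The session behaviour described above, as an added example that is not part of the original guide and not Compatible Systems code: a small Python model of the NAT Router's Translation Sessions. An outbound packet from the NAT Network creates a session holding the Internal, Mapped and Remote endpoints; later packets are matched on the Internal hash (outbound) or the Mapped hash (inbound), and an inbound packet with no matching session is dropped. Addresses and the External Range are those of Example One; the `Packet` and `NatRouter` names, the /27 prefix standing for the Internal Range, the round-robin choice of external address and the packet tuples themselves are assumptions constructed for the example.

```python
"""Model of the NAT Router's Translation Sessions (added example, not
Compatible Systems code).  Addresses and the External Range are those of
Example One; packet tuples are constructed sample input."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import List, Optional, Tuple

# Example One: Internal Range 10.5.3.0, NAT Network hosts 10.5.3.2 to 10.5.3.30
# (assumption: expressed here as the /27 prefix that covers that range)
INTERNAL_RANGE = ip_network("10.5.3.0/27")
# External Range(s) from Table 2; the order is an assumption so that the first
# session lands on 198.41.9.219 as in the show nat sessions listing above
EXTERNAL_RANGE = ["198.41.9.219", "198.41.9.194"]

Endpoint = Tuple[str, int]  # (IP address, port; 0 for ICMP)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass
class NatSession:
    internal: Endpoint  # NAT Network source (Internal NAT)
    mapped: Endpoint    # translated source (External NAT)
    remote: Endpoint    # Internet location (Remote)
    proto: str

    def internal_hash(self) -> tuple:
        """Remote paired with the Internal NAT address (outbound lookup key)."""
        return (self.remote, self.internal, self.proto)

    def mapped_hash(self) -> tuple:
        """Remote paired with the External NAT address (inbound lookup key)."""
        return (self.remote, self.mapped, self.proto)


class NatRouter:
    def __init__(self) -> None:
        self.sessions: List[NatSession] = []
        self._pool = cycle(EXTERNAL_RANGE)  # assumption: round-robin address choice

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet entering on the Internal NAT Port (Ethernet 1).
        Returns the packet as sent out the External NAT Port, or None when the
        source is not in the NAT range (no translation applies)."""
        if ip_address(pkt.src) not in INTERNAL_RANGE:
            return None
        key = ((pkt.dst, pkt.dport), (pkt.src, pkt.sport), pkt.proto)
        sess = next((s for s in self.sessions if s.internal_hash() == key), None)
        if sess is None:
            # the first outbound packet of an IP session creates the NAT Session
            sess = NatSession(internal=(pkt.src, pkt.sport),
                              mapped=(next(self._pool), pkt.sport),
                              remote=(pkt.dst, pkt.dport), proto=pkt.proto)
            self.sessions.append(sess)
        # every Internal NAT source entry becomes the External NAT address
        return Packet(sess.mapped[0], sess.mapped[1], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet entering on the External NAT Port (Ethernet 0).
        Only a packet matching an existing Mapped Hash is translated back;
        an unsolicited packet has no session and is dropped (None)."""
        key = ((pkt.src, pkt.sport), (pkt.dst, pkt.dport), pkt.proto)
        sess = next((s for s in self.sessions if s.mapped_hash() == key), None)
        if sess is None:
            return None
        return Packet(pkt.src, pkt.sport, sess.internal[0], sess.internal[1], pkt.proto)

    def show_nat_sessions(self) -> str:
        """Text in the shape of the guide's 'show nat sessions' listing."""
        rows = ["Active Map                       Remote               Proto"]
        for s in self.sessions:
            rows.append(f"{s.internal[0]}:{s.internal[1]} ->{s.mapped[0]}:{s.mapped[1]} "
                        f"{s.remote[0]}:{s.remote[1]} {s.proto}")
        return "\n".join(rows)


if __name__ == "__main__":
    router = NatRouter()
    # the Mac at 10.5.3.10 pings 128.138.240.11 (constructed ICMP packet, port 0)
    out = router.outbound(Packet("10.5.3.10", 0, "128.138.240.11", 0, "ICMP"))
    reply = router.inbound(Packet("128.138.240.11", 0, out.src, 0, "ICMP"))
    print(router.show_nat_sessions())
    print("echo reply delivered to", reply.dst)
```

The point to notice is the asymmetry: `outbound` creates state, `inbound` only consumes it, which is exactly why a NAT Router behaves like a firewall for connections initiated from the Internet. Real NAT implementations also age sessions out and handle port collisions; neither is modelled here.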
A NAT Session stores the three IP addresses as two pairs of IP addresses (or "hashes"): the hash of the "Remote" IP address and "External NAT" address (the "Mapped Hash"), and the hash of the "Remote" IP address and the "Internal NAT" address, and the Application Protocol of the IP session which established the NAT Session (in this case, ICMP) (See Table 1).
Table 1
  (The External or MAPPED "Hash")
  128.138.240.11:0 <<=======================>> 198.41.9.219:0
          |
          | {Protocol = ICMP} −−> The "NAT SESSION"
          |
  128.138.240.11:0 <<=======================>> 10.5.3.10:0
  (The Internal "Hash")
The details of the NAT functionality for the MicroRouter 2220R NAT Router of Figure 1 and Table 1 are shown in Table 2.
Table 2
External Network               NAT Router                          NAT Network
IP Addresses                   IP Addresses                        IP Addresses
============================   =================================   =====================
External Range(s)              Gateway Address   Internal Range
−−−−−−−−−−−−−−−−−−−−−−−−−−−−   −−−−−−−−−−−−−−−   −−−−−−−−−−−−−−−   −−−−−−−−−−−−−−−−−−−−−
'Global' IP Addresses          10.5.3.1          10.5.3.0          10.5.3.2 to 10.5.3.30
198.41.9.194 & 198.41.9.219
Once again, note that the remote Internet IP address, be it a source or destination address, is never changed. The processes on the outside never really "know" the address(es) of the processes communicating with them through the NAT Router.
The External Range term shown in Table 2 could be confusing. It is not the address or addresses to which the processes inside the NAT Network are communicating, as the name might imply. The External Range(s) is (are) the IP address(es) the NAT algorithm is using to allow outside processes to communicate with the IP addresses in the NAT Network through the External NAT Port. The internal processes only route their IP packets through the NAT Router Gateway address(es) on the Gateway's Internal NAT Port(s). They address their packets to the outside IP addresses, not the Gateway Address. This is important to note because other descriptions of NAT on the Internet have not explicitly said this and initially caused confusion.
CONDITION 1: A NAT SESSION INITIATED FROM THE OUTSIDE
Let's make one change to the network of Example One − the NT workstation is now a Web server. Is this possible with Compatible Systems NAT? If possible, is it really useful? For security (and practicality) reasons, NAT Sessions are generated by IP packets traveling from the NAT Network to the Internet. How could an outside user ever reach the NT Web server on the NAT Network if the server did not first contact the user on the Internet (a highly unlikely situation)?
This is where another part of the Compatible Systems NAT software is useful. It is called the NAT Map Database. This database contains pairs of IP addresses (or IP address:TCP/UDP port combinations) which allow sites on the Internet to have access through the NAT Router to the NAT Network. The Internet sites can initialize NAT Sessions with sites on the NAT Network.
The NAT Map Database can be displayed in the Command Line interface with the command show nat map.
Nat_2220> show nat map
[ Nat Map Database ]
Total Number of Entries in NAT Map Database: 1
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
         Internal                          External
LineNo.  <IPaddress[/Mask or :Port]>  −>   <IPaddress[/Mask or :Port]>
1        <10.5.3.11/32>               −>   <198.41.9.194/32>
The user on the Internet could now access the IP address 198.41.9.194 and the NAT Router would allow access to the NT Station on the NAT Network at address 10.5.3.11. They can be viewed as "one−to−one translation pairs."
Of course, the user could access everything else in the Web server with this configuration. A more secure NAT Map Database entry would only allow the external user access to the NT station as a Web Server. This could be done by modifying the NAT Map Database entry to the following form:
10.5.3.11:80 −> 198.41.9.195:80
The NAT Map Database entry is always entered with the Internal IP address first, followed by a space, followed by a "−>" (a single equal sign "=" could be used instead), followed by a space, followed by the IP address all External/Internet users will access. See the EDIT CONFIG NAT MAPPING section for more details.
AN EXAMPLE NAT SESSION USING A NAT MAP DATABASE ENTRY (CONDITION 1.A)
A site on the Internet at 128.138.240.11 attempts to establish an IP session with the Web Server at 10.5.3.11 on the NAT Network. The site at 128.138.240.11 has no information that the NAT Web server is at 10.5.3.11; rather the NAT Map Database entry of:
10.5.3.11:80 −> 198.41.9.195:80
allows the NAT Router to make the NAT Web server appear to be at 198.41.9.194. This NAT Map Database entry allows the NAT software to create a NAT Session when the site at 128.138.240.11 initiates an IP session to the NAT External Range IP address:port combination of 198.41.9.195:80. Remember that the NAT software cannot establish a NAT Session initiated by a source on the External Network/Internet unless such a "one−to−one" translation pair is defined in the NAT Map Database.
The NAT software will now translate packets from the Internet with the destination IP address:TCP port combination of 198.41.9.195:80 to the destination of 10.5.3.11:80. The NAT software will translate packets from the NAT Web server with a source of 10.5.3.11:80 to a source of 198.41.9.195:80 before routing them out of the External NAT Port.
PINGING THE NAT ROUTER (CONDITION 2)
This is a relatively simple situation. A source on the Internet sends an ICMP Echo Request Packet to IP address 198.41.9.195 (the IP address of Ethernet 0 on the NAT Router). The NAT Router does not do a Network Address Translation on the packet. The destination address is not in the NAT External Range of 198.41.9.194, 198.41.9.195 or 198.41.9.219. It is accepted by the NAT Router for processing. The NAT Router generates an ICMP Echo Reply packet and transmits it out Ethernet 0 to the source IP address from the ICMP Echo Request packet.
EXAMPLE TWO
This example demonstrates the functionality of the PassThru Range of Compatible Systems NAT software.
Example Two uses one Compatible Systems MicroRouter 2220R router to connect to the Internet through WAN 0 (the External NAT Port), to the NAT Network, with "private" IP addresses, through Ethernet 1 (the Internal NAT Port), and to part of the user's Network, which has "global" IP addresses, through Ethernet 0.
The part of the user's network connected to NAT Router Ethernet 0 is really part of the Internet. The External NAT Interface of WAN 0 connects to the WAN 0 of another router and to the Internet. This second router, even though it is shown in Figure 2, is not important to this example, except for the fact that it routes packets with addresses in the NAT PassThru Range to the WAN 0 External NAT Port of the NAT Router.
Figure 2
(*) NOTES: Private IP Addresses for the Frame Relay connection across the "WAN Cloud".
(**) NOTES: All of the machines in the NAT network must address their IP packets to the Internal Interface of the MR 2220 "NAT Router" (Ethernet 1).
Unlike Example 1, only part of the network behind this NAT Router is actually a NAT Network. Again, the part of the IP network connected to Ethernet 0 is accessible as part of the Internet. External sources can communicate with almost all of the IP addresses on Ethernet 0 without restriction. WAN 0 is the External NAT Port, Ethernet 1 is the Internal NAT Port and Ethernet 0 is not really involved with Network Address Translation; it just directly connects a portion of the user's network using "global" IP addresses to the Internet.
The NAT PassThru Range (198.41.9.195/27 in this case) allows the NAT Router to transmit IP packets between WAN 0 and Ethernet 0 as if the NAT Router is not even using NAT. However, NAT functionality does exist for the WAN 0 IP interface of the NAT Router.
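The static side of the packet handling described in this guide, as an added example that is not part of the original and not Compatible Systems code: a Python model of what the External NAT Port does with a packet from the Internet that no existing NAT Session covers. It parses NAT Map Database entries in the syntax given earlier (internal side, then `->` or `=`, then the external side, with either a mask or a port on both sides) and orders the guide's conditions as a NAT Map one-to-one pair (Condition 1.A), then the router's own address (Condition 2), then the NAT PassThru Range (Condition 3), with everything else dropped (Condition 4). Addresses, map entries and the 198.41.9.195/27 PassThru Range are the guide's; the function names, the config dictionaries and the WAN 0 address of Example Two (a placeholder, since the guide does not give it) are assumptions.

```python
"""Inbound handling on the External NAT Port for packets that no existing
NAT Session covers (added example, not Compatible Systems code).  Map-entry
syntax, addresses and the PassThru prefix come from the guide; the WAN 0
address of Example Two is a placeholder because the guide does not give it."""
import re
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

Endpoint = Tuple[IPv4Network, Optional[int]]  # (address or prefix, port or None)

# "10.5.3.11:80 -> 198.41.9.195:80"; a single "=" may replace the "->"
ENTRY_RE = re.compile(r"^\s*(\S+)\s*(?:->|=)\s*(\S+)\s*$")


def parse_endpoint(text: str) -> Endpoint:
    """'<10.5.3.11/32>' -> (10.5.3.11/32, None); '10.5.3.11:80' -> (10.5.3.11/32, 80)."""
    text = text.strip("<>")
    if ":" in text:
        addr, port = text.split(":", 1)
        return ip_network(addr), int(port)
    return ip_network(text, strict=False), None


def parse_map_entry(line: str) -> Tuple[Endpoint, Endpoint]:
    """Internal side first, then the address External/Internet users will reach."""
    m = ENTRY_RE.match(line)
    if m is None:
        raise ValueError(f"malformed NAT Map entry: {line!r}")
    internal, external = parse_endpoint(m.group(1)), parse_endpoint(m.group(2))
    if internal[0].prefixlen != external[0].prefixlen:
        raise ValueError("both sides of a translation pair need the same mask")
    if (internal[1] is None) != (external[1] is None):
        raise ValueError("ports must be given on both sides or on neither")
    return internal, external


def decide_inbound(dst: str, dport: Optional[int], cfg: dict) -> Tuple[str, str, Optional[int]]:
    """Return (action, destination, port) for a packet arriving from the Internet.
    dport is None for protocols without ports (ICMP)."""
    d = ip_address(dst)
    # Condition 1.A: a one-to-one pair in the NAT Map Database rewrites the destination
    for (inet, iport), (enet, eport) in cfg["map"]:
        if d in enet and (eport is None or eport == dport):
            new_dst = str(inet.network_address + (int(d) - int(enet.network_address)))
            return "translate", new_dst, (iport if iport is not None else dport)
    # Condition 2: addressed to the router itself, processed locally
    if d == ip_address(cfg["external_port_ip"]):
        return "accept", dst, dport
    # an External Range address with no session and no map pair has nothing to map to
    if dst in cfg["external_range"]:
        return "drop", dst, dport
    # Condition 3: the NAT PassThru Range is routed without modification
    if any(d in net for net in cfg["passthru"]):
        return "passthru", dst, dport
    # Condition 4: none of the above
    return "drop", dst, dport


# Example One: Ethernet 0 is 198.41.9.195, External Range .194 and .219, no PassThru.
# Both forms of the Web server map entry shown in the guide are loaded.
CONFIG_ONE = {
    "external_port_ip": "198.41.9.195",
    "external_range": ["198.41.9.194", "198.41.9.219"],
    "map": [parse_map_entry("<10.5.3.11/32> -> <198.41.9.194/32>"),
            parse_map_entry("10.5.3.11:80 -> 198.41.9.195:80")],
    "passthru": [],
}

# Example Two: WAN 0 is the External NAT Port (its address is not given in the
# guide, so a documentation-range PLACEHOLDER is used), the NAT Network appears
# as 198.41.9.214, and Ethernet 0's LAN is the PassThru Range 198.41.9.195/27.
CONFIG_TWO = {
    "external_port_ip": "192.0.2.1",  # PLACEHOLDER, not from the guide
    "external_range": ["198.41.9.214"],
    "map": [],
    "passthru": [ip_network("198.41.9.195/27", strict=False)],
}


if __name__ == "__main__":
    for dst, port, cfg in [("198.41.9.195", 80, CONFIG_ONE), ("198.41.9.195", None, CONFIG_ONE),
                           ("198.41.9.200", 80, CONFIG_TWO), ("198.41.9.214", 80, CONFIG_TWO)]:
        print(dst, port, "->", decide_inbound(dst, port, cfg))
```

The ordering matters: checking the map before the router's own address is what lets a TCP packet to 198.41.9.195:80 reach the Web server while an ICMP Echo Request to 198.41.9.195 is still answered by the router, as the guide's Condition 2 describes. Whether the real software orders its checks this way is not stated in the guide; the order here is chosen to reproduce the behaviour it describes.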
PACKETS FROM THE NAT NETWORK THROUGH ETHERNET 1 (CONDITION 1, AGAIN)
The NAT Network packets, from the "private" IP address range of 10.0.0.0/8, are translated as they travel through the NAT Router and appear on the External Network to originate from the IP source address of 198.41.9.214. Packets from the External Network in response, with the destination IP address 198.41.9.214, will be translated to the proper "private" 10.0.0.0/8 network address by the NAT Router and transmitted through IP Interface Ethernet 1 to the NAT Network.
As has been previously stated, only sites on the NAT Network may create NAT Sessions for IP Address Translation unless one or more NAT Map Database one−to−one translation pairs exist in the [NAT Global] Configuration. None of these pairs exist in this example. All communication between the NAT Network and External Network must be initiated by the NAT Network. This example demonstrates two other important aspects of the Compatible