THOMSON SpeedTouch Configuration Manual
SpeedTouch™608WL and SpeedTouch™620 only
SpeedTouch™ (Wireless) Business DSL Router
Hyper-NAT Configuration Guide
Release R5.3.0
Copyright
Copyright ©1999-2005 THOMSON. All rights reserved.
Passing on, and copying of this document, use and communication of its contents is not permitted without written authorization from THOMSON. The content of this document is furnished for informational use only, may be subject to change without notice, and should not be construed as a commitment by THOMSON. THOMSON assumes no responsibility or liability for any errors or inaccuracies that may appear in this document.
Thomson Telecom Belgium Prins Boudewijnlaan, 47 B-2650 Edegem Belgium
www.speedtouch.com
Trademarks
The following trademarks are used in this document:
SpeedTouch™ is a trademark of THOMSON. Microsoft®, MS-DOS®, Windows® and Windows NT® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
UNIX® is a registered trademark of UNIX System Laboratories, Incorporated. Apple® and Mac OS® are registered trademarks of Apple Computer, Incorporated, registered in the United States and other countries.
Adobe, the Adobe logo, Acrobat and Acrobat Reader are trademarks or registered trademarks of Adobe Systems, Incorporated, registered in the United States and/or other countries.
Netscape® and Netscape Navigator® are registered trademarks of Netscape Communications Corporation. Ethernet™ is a trademark of Xerox Corporation. UPnP™ is a certification mark of the UPnP™ Implementers Corporation. Wi-Fi® and the Wi-Fi logo are registered trademarks of the Wi-Fi Alliance. "Wi-Fi CERTIFIED", "Wi-Fi ZONE", "Wi-Fi Alliance", their respective logos and "Wi-Fi Protected Access" are trademarks of the Wi-Fi Alliance.
Other products may be trademarks or registered trademarks of their respective manufacturers.
Document Information
Status: v1.0 (March 2005)
Reference: E-NIT-CTC-20040716-0004
Short Title: Hyper-NAT Configuration Guide ST R5.3.0
Contents
About this Hyper-NAT Configuration Guide 5
1 Introduction 7
1.1 The need for address translation 8
1.2 What is address translation 9
2 NAT, PAT and NAPT 11
3 Dynamic versus static address translation 13
4 Address translation flavours 15
4.1 Traditional or outbound address translation 16
4.1.1 Basic NAT 17
4.1.2 Network Address Port Translation (NAPT) 18
4.2 Two-Way NAT 19
4.3 N-N NAT 20
4.4 M-N NAT or Multi NAT 21
4.5 Transparent NAT 22
4.6 Port range shifting 23
4.7 Translation templates 24
5 Application level gateways 25
6 Network address translation configuration on the SpeedTouch™ 27
6.1 Configure address translation on the GUI 28
6.1.1 Configuring Hyper-NAT on the Web Pages 29
6.1.2 Enable/disable address translation on an interface 30
6.1.3 Create an address translation mapping 31
6.1.4 Create a template 34
6.2 Configure address translation on the CLI 37
6.3 Configure NAT maps 40
6.3.1 Basic NAT 41
6.3.2 Two-Way NAT 42
6.3.3 N-N NAT 43
6.3.4 Multi NAT 44
6.3.5 Transparent NAT 46
6.4 Configure NAPT maps 48
6.4.1 Basic NAPT 49
6.4.2 NAPT using default server 50
6.4.3 NAPT using transparent default server 51
6.4.4 NAPT using transparent default server and port range constraint (=IP Passthrough) 52
6.4.5 NAPT using host function 53
6.4.6 NAPT using transparent host function 54
6.4.7 NAPT using dynamic port range constraint 55
6.5 Configure port shifting maps 56
6.5.1 Inbound port shifting 57
6.6 Configure templates 58
6.6.1 X+n templates 60
About this Hyper-NAT Configuration Guide
Used Symbols
A note provides additional information about a topic.
A tip provides an alternative method or shortcut to perform an action.
! A caution warns you about potential problems or specific precautions that need to be taken.
Terminology
Generally, the SpeedTouch™608 or SpeedTouch™620 will be referred to as SpeedTouch™ in this Hyper-NAT Configuration Guide.
Typographical Conventions
In interactive input and output, typed input is displayed in a bold font and commands are displayed like this.
Comments are added in italics.
Example:
=>language list
CODE LANGUAGE VERSION FILENAME
en*  english  4.2.0.1 <system>
Only one language is available
Documentation and software updates
THOMSON continuously develops new solutions, but is also committed to improving its existing products.
For suggestions regarding this document, please contact documentation.speedtouch@thomson.net.
For more information on THOMSON's latest technological innovations, documents and software releases, visit us at: www.speedtouch.com
1 Introduction
Introduction
Internet technology is based on the IP protocol, and in order to communicate via IP, each device participating in the communication must have a unique IP address. This presents a problem, since the Internet is expanding at an exponential rate. Address translation is a method for connecting multiple computers to the Internet (or any other IP network) while sharing one public IP address. This allows home users and small businesses to connect their network to the Internet cheaply and efficiently.
The impetus towards increasing the use of address translation comes from a number of factors:
A world shortage of IP addresses
Security needs
Ease and flexibility of network administration
1.1 The need for address translation
IP addresses
While the number of available addresses seems large, the Internet is growing at such a pace that it will soon be exhausted. The next generation IP protocol, IP version 6, allows for more addresses, but it will take years before the existing network infrastructure is fully migrated to the new protocol.
Address translation allows a single device, such as the SpeedTouch™, to act as an agent between the Internet (or public network) and a local (or private) network. This means that only one, unique IP address is required to represent an entire group of computers. The outside world is unaware of this division and thinks that only one computer is connected.
Security
Many people view the Internet as a "one-way street"; they forget that while their computer is connected to the Internet, the Internet is also connected to their computer. That means that anybody with Internet access can potentially access resources on their computers (such as files, e-mail, company network etc.). Most personal computer operating systems are not designed with security in mind, leaving them wide open to attacks from the Internet.
The security implications can be disastrous. Confidential company information such as product plans or marketing strategies can be stolen; this can lead to major financial losses or even cause the company to fold.
Implementing address translation automatically provides firewall-style protection between your private network and public networks (the Internet or other public networks). Address translation only allows connections that originate from inside the private network. Basically, this means that a computer on a public network cannot connect to your computer unless your computer has initiated the contact. You can browse the Internet and connect to a site, and even download a file; but somebody else cannot latch onto your IP address and use it to connect to a port on your computer.
In specific circumstances (static address translation) devices from public networks are allowed to initiate connections to computers on the private network. This is only done when specifically granted by the local network after appropriate configuration.
Administration
A real benefit of address translation is apparent in network administration. For example, it is possible to move a Web server or FTP server to another host without having to worry about broken links. Simply change the inbound mapping at the Internet Gateway to reflect the new host location. Changes in the private network are also easily made, because the only public IP address either belongs to the Internet Gateway or comes from a pool of global addresses.
! The device performing address translation should be secure/protected.
1.2 What is address translation
Introduction
Using address translation, the IP address and/or TCP/UDP port identifications can change while traversing the network.
IP address translation
Figure 1: IP address translation (illustration: private network, SpeedTouch™ performing address translation, public network)
Quite a few private networks use private IP addresses, meaning that these hosts are not known within the Internet (the public network) and as such cannot be routed there. When such a host wants to reach the Internet, it must be assigned an IP address that is allowed to be used in the public network.
This is exactly what is done. The private network has an exit point towards the public network (typically called a gateway), and this exit point converts the IP address of the private network into a valid public IP address. The reverse procedure is followed when a packet is received back from the public network.
As address translation is only performed on demand, and since not all private hosts need access to the public network at the same time, a small pool of available public IP addresses on the WAN interface of the modem is sufficient. This saves addresses.
TCP/UDP port translation
This type of translation is commonly used in conjunction with IP address translation: not only the IP address is changed but also the port number.
The main advantage of this way of working is that the same public IP address can be assigned to two different private LAN nodes, each using a different port numbering scheme, which in fact boils down to IP address multiplexing.
As several nodes can use the same IP address, a considerable saving is made on the number of public IP addresses needed.
2 NAT, PAT and NAPT
Introduction
Three different categories of address translation exist, namely:
Network Address Translation (NAT): a private IP address X is translated into a public IP address Y.
Port Address Translation (PAT): a UDP/TCP port number X is translated into a port number Y.
Network Address and Port Translation (NAPT): both the private IP address and port number are translated.
NAT
If NAT is enabled, then a private IP address is changed into a temporary public IP address. The NAT translation technique is often used in dial-up or for on-demand connections in which remote connections go up and down frequently. When the user is connected, s/he is assigned a single external IP address; once that user disconnects, the IP address is released and becomes free for use again.
Figure 2: NAT example (HTTP to 30.0.0.1)
As illustrated above, the SpeedTouch™ NAT box has an internally configured mapping from the private IP address to a public one and vice versa. It is transparent for NAT whether this table information is persistent or not.
Important to notice is that 30.0.0.1 thinks it receives a message from 20.0.0.1 instead of 192.168.0.1. So NAT hides the original originator.
PAT
PAT only changes the port number (TCP or UDP) of the packet. In most cases PAT is used in combination with NAT. When NAT and PAT are used together, this is called NAPT.
A common practice is that for outgoing packets the source port number is changed and for incoming packets it is the destination port.
PAT is also used when a service is not running on the default internal port, e.g. a web service on port 8080 instead of 80. This will be explained later on in this document.
Figure 2 (illustration): host 192.168.0.1 on the private network, SpeedTouch™ (192.168.0.254 on the private side, 20.0.0.1 on the public side) and Web server 30.0.0.1 on the public network; mapping 192.168.0.1 ↔ 20.0.0.1. Packet headers:
Src: 192.168.0.1 Dst: 30.0.0.1 (private side, outgoing)
Src: 20.0.0.1 Dst: 30.0.0.1 (public side, outgoing)
Src: 30.0.0.1 Dst: 20.0.0.1 (public side, returning)
Src: 30.0.0.1 Dst: 192.168.0.1 (private side, returning)
NAPT
Network Address & Port Translation (NAPT) is the most popular form of address translation. It is used almost exclusively by access devices designed to hide small-to-medium sized networks behind a single public IP address. NAPT works by translating the source IP address and the source port number on the public interface.
Figure 3: NAPT example (HTTP to 30.0.0.1)
When an HTTP session is initiated that has to pass the NAPT enabled box, both the source IP address and source port number are translated for outgoing packets. For incoming packets (belonging to the outgoing connections), the destination IP address and port number are changed.
Figure 4: NAPT for multiple hosts (sharing the same IP address)
Suppose that two hosts want to share one common IP address. For outgoing traffic there is no issue: both the IP addresses "192.168.0.1" and "192.168.0.2" are translated into this same IP address. But as soon as packets come back (incoming), the NAPT box has to know to which of the two 192.168.0.x addresses the address translation needs to be performed.
This is where port translation comes into action: the destination port number in the incoming packet is used as input to decide to which of the 192.168.0.x addresses to translate the address.
Figure 3 (illustration): host 192.168.0.1, SpeedTouch™ (192.168.0.254 on the private side, 20.0.0.1 on the public side, NAPT enabled) and Web server 30.0.0.1; mapping 192.168.0.1/600 ↔ 20.0.0.1/1025. Packet headers (IP/port):
Src: 192.168.0.1/600 Dst: 30.0.0.1/80 (private side, outgoing)
Src: 20.0.0.1/1025 Dst: 30.0.0.1/80 (public side, outgoing)
Src: 30.0.0.1/80 Dst: 20.0.0.1/1025 (public side, returning)
Src: 30.0.0.1/80 Dst: 192.168.0.1/600 (private side, returning)
Figure 4 (illustration): hosts 192.168.0.1 and 192.168.0.2, SpeedTouch™ (192.168.0.254 on the private side, 20.0.0.1 on the public side, NAPT enabled) and Web server 30.0.0.1. Mappings (IP/port):
192.168.0.1/734 ↔ 20.0.0.1/403
192.168.0.2/521 ↔ 20.0.0.1/908
3 Dynamic versus static address translation
Address translation per interface
Figure 5: Address translation per interface
Typically several public IP addresses can be assigned to one network device that gives access to the public network. The routing logic of the network device decides to which interface a packet coming from the private network needs to be sent. For each interface to the public network, it is possible to activate or deactivate address translation. In the SpeedTouch™, interfaces can be enabled in three modes:
Disabled: no address translation on the interface.
Enabled: address translation is enabled, but when there is no address translation map, the packet is dropped.
Transparent: address translation is only performed when there is an address translation map defined.
This last mode has nothing to do with transparent NAT, but with the behaviour of the interface.
When a packet arrives at the NAT module and an address translation map is found, the packet is translated when the interface is in enabled or transparent mode. If no address translation map is found, the packet is dropped in enabled mode but passed in transparent mode. The NAT module becomes transparent, as it were.
Inbound/outbound connections
An address translation map is used for mapping one or more private IP addresses into one or more public IP addresses on a specific interface.
Figure 6: Inbound/outbound connections
All connections leaving from an interface where NAT is enabled are called outbound connections.
Connections arriving on the NAT enabled interface are called inbound connections.
Dynamic address translation
Outgoing connections typically use dynamic address translation. For example, a connection initiated from IP address X in the private network is translated into public IP address Y on an enabled public interface. This mapping is added dynamically to an internal table of the device and exists only for the lifetime of that connection.
This also implies that, when resetting the device, this dynamic (non-persistent) table entry is lost. It is necessary to enable address translation on a public interface to take advantage of this dynamic translation.
Static address translation
Connections initiated from the public network (so-called incoming connections) make use of static address mapping. An incoming initiator packet needs to pass the static address translation table before being forwarded to the private network. This information is non-volatile and needs to be configured in advance. Different configuration flavours exist to configure this static mapping (individual, template, default); they are discussed further on in the document.
Applicability of address translation
Address translation is used in case:
Multiple private hosts access a public network through the same gateway (single public address on the gateway).
The inside address is not routable on the outside network.
The user wants to protect the inside address(es) from outside attacks.
The user wants to avoid network renumbering when changing service provider.
The user wants to make servers accessible from the outside network.
4 Address translation flavours
Introduction
Network Address Translation is a method by which IP addresses are mapped from one address realm to another, providing transparent routing to end hosts.
Several flavours of network address translation transforms can be defined, depending on the relationship between inside IP addresses and outside IP addresses.
Topic Page
4.1 Traditional or outbound address translation 16
4.2 Two-Way NAT 19
4.3 N-N NAT 20
4.4 M-N NAT or Multi NAT 21
4.5 Transparent NAT 22
4.6 Port range shifting 23
4.7 Translation templates 24
4.1 Traditional or outbound address translation
Introduction
Traditional NAT (sometimes referred to as outbound address translation) is the most common method of using address translation. Its primary use is to translate private addresses to legal addresses for use in a public network. When configured for dynamic operation, hosts within a private network can initiate access to the public network, whereas external nodes on the outside network are not able to access the private network.
Two types of traditional NAT exist: basic NAT and NAPT.
4.1.1 Basic NAT
Introduction
With Basic NAT, a block of public addresses is set aside for translating addresses of hosts in a private domain as they originate sessions to the public domain.
Basic NAT involves only address translation; no port mapping is done. This requires an external IP address for each simultaneous connection.
Basic NAT example
Figure 7: Basic NAT example
Host 192.168.0.1 sends a packet to the Web server 30.0.0.1. As soon as the packet is processed by the SpeedTouch™, its source IP address is translated into the outside IP address 20.0.0.1 and the packet is forwarded to the Web server.
! Basic NAT is the least secure translation method. By not defining the translation to the port level, and accepting return information on any port, basic NAT can leave private hosts open to port access.
Figure 7 (illustration): hosts 192.168.0.1 and 192.168.0.2, SpeedTouch™ (192.168.0.254 on the private side, 20.0.0.1 on the public side, NAT enabled) and Web server 30.0.0.1. Packet headers:
Host to SpeedTouch™: Src IP 192.168.0.1, Dest IP 30.0.0.1, Src port 5500, Dest port 80
SpeedTouch™ to server: Src IP 20.0.0.1, Dest IP 30.0.0.1, Src port 5500, Dest port 80
Server to SpeedTouch™: Src IP 30.0.0.1, Dest IP 20.0.0.1, Src port 80, Dest port 5500
SpeedTouch™ to host: Src IP 30.0.0.1, Dest IP 192.168.0.1, Src port 80, Dest port 5500
NAT box internal mappings:
Inside IP 192.168.0.1, Outside IP 20.0.0.1, Dest. IP 30.0.0.1
Inside IP 192.168.0.2, Outside IP 20.0.0.2, Dest. IP 30.0.0.1
4.1.2 Network Address Port Translation (NAPT)
Introduction
NAPT extends the notion of translation one step further by also translating the transport identifier (for example TCP and UDP port numbers, or ICMP query identifiers). NAPT allows a set of hosts to share one single public address. Note that NAPT can be combined with Basic NAT so that a pool of public addresses is used in conjunction with port translation.
NAPT example
Figure 8: NAPT example
Hosts 192.168.0.1 and 192.168.0.2 both send a packet to the Web server 30.0.0.1. The SpeedTouch™ translates the inside IP addresses into the outside IP address 20.0.0.1.
For returning packets, the SpeedTouch™ needs to know to which 192.168.0.x address the translation needs to be performed; that is why the SpeedTouch™ also translates the source port numbers.
Figure 8 (illustration): hosts 192.168.0.1 and 192.168.0.2, SpeedTouch™ (192.168.0.254 on the private side, 20.0.0.1 on the public side, NAT enabled) and Web server 30.0.0.1. Packet headers:
Host 192.168.0.1 to SpeedTouch™: Src IP 192.168.0.1, Dest IP 30.0.0.1, Src port 5500, Dest port 80
SpeedTouch™ to server: Src IP 20.0.0.1, Dest IP 30.0.0.1, Src port 2013, Dest port 80
Host 192.168.0.2 to SpeedTouch™: Src IP 192.168.0.2, Dest IP 30.0.0.1, Src port 5500, Dest port 80
SpeedTouch™ to server: Src IP 20.0.0.1, Dest IP 30.0.0.1, Src port 4013, Dest port 80
NAT box internal mappings:
Inside IP 192.168.0.1, Inside Port 5500, Outside IP 20.0.0.1, Outside Port 2013, Dest. IP 30.0.0.1, Dest. Port 80
Inside IP 192.168.0.2, Inside Port 5500, Outside IP 20.0.0.1, Outside Port 4013, Dest. IP 30.0.0.1, Dest. Port 80
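The following Python model is added here as an illustration and is not part of the THOMSON guide or of the SpeedTouch™ firmware. It contrasts the Basic NAT binding of figure 7 with the NAPT binding of figure 8, using the addresses from chapter 2 and section 4.1, and shows why the caution on Basic NAT applies: the Basic NAT table is keyed on IP address only, so an unsolicited return packet is forwarded to the inside host, while NAPT drops it for lack of a port binding. Public ports are assumed to be handed out sequentially from 1025 (as in figure 3); the unsolicited packet is constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One IP/transport header, as drawn in the figures."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class BasicNat:
    """Basic NAT (figure 7): one public address per inside host, no port
    mapping. The binding is keyed on IP address only, so every return
    packet to the public address is forwarded, whatever its port."""

    def __init__(self, pool):
        self.free = list(pool)  # public addresses not yet bound
        self.out = {}           # inside IP -> outside IP
        self.back = {}          # outside IP -> inside IP

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_ip not in self.out:
            if not self.free:
                return None     # pool exhausted: session cannot be translated
            public = self.free.pop(0)
            self.out[pkt.src_ip] = public
            self.back[public] = pkt.src_ip
        return Packet(self.out[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.back.get(pkt.dst_ip)
        if inside is None:
            return None         # no binding for this public address
        return Packet(pkt.src_ip, pkt.src_port, inside, pkt.dst_port)


class Napt:
    """NAPT (figure 8): (inside IP, inside port) -> (public IP, unique
    public port). Return traffic must hit a bound public port or it is
    dropped, which closes the gap noted for Basic NAT."""

    def __init__(self, public_ip, first_port=1025):  # 1025 assumed, as in figure 3
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}           # (inside IP, inside port) -> public port
        self.back = {}          # public port -> (inside IP, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = self.back.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        if key is None:
            return None         # unsolicited or stale: dropped
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


def demo():
    """Constructed packets from figure 8: two hosts, both using source port 5500."""
    a = Packet("192.168.0.1", 5500, "30.0.0.1", 80)
    b = Packet("192.168.0.2", 5500, "30.0.0.1", 80)
    basic, napt = BasicNat(["20.0.0.1", "20.0.0.2"]), Napt("20.0.0.1")
    # constructed unsolicited packet from the server to a port no inside host used
    stray = Packet("30.0.0.1", 80, "20.0.0.1", 8080)
    return {"basic": (basic.outbound(a), basic.outbound(b), basic.inbound(stray)),
            "napt": (napt.outbound(a), napt.outbound(b), napt.inbound(stray))}
```

Running demo() shows the Basic NAT box handing the stray packet to 192.168.0.1 on port 8080, whereas the NAPT box returns None for it.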