
Using Network Address Translation and Port Address Translation

This chapter contains the following information:


Overview

Network Address Translation (NAT) and Port Address Translation (PAT) act as address translators between public and private networks. They allow users on a privately addressed network to access the public network.

Use NAT if your Internet Service Provider (ISP) assigns you a public subnetwork. Use PAT if your ISP assigns you one IP address.

Network Address Translation

NAT translates IP addresses.

For example, assume your ISP assigns you the public subnetwork 200.1.1.0/28 (addresses 200.1.1.0 to 200.1.1.15), from which you set aside a pool of public addresses from 200.1.1.1 to 200.1.1.10, and a user on your private network (with an IP address of 192.168.111.1, for example) attempts to access a public host. The following happens:

NAT is either "dynamic" or "static." The preceding example is dynamic and is depicted in the following diagram. (Figure 19 shows fewer addresses in the pool than in the preceding example.)

Figure 19 Dynamic NAT

Figure 20 depicts static NAT.

Figure 20 Static NAT

Port Address Translation

PAT translates Internet Protocol (IP) addresses and User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) source port numbers.

For example, assume your ISP assigns you a public IP address of 200.1.1.1 and a user on your private network (with an IP address of 192.168.111.1, for example) attempts to access the public network. The following happens:

PAT is either "dynamic" or "static." The preceding example is dynamic and is depicted in the following diagram. (Figure 21 shows fewer addresses in the pool than in the preceding example.)

Figure 21 Dynamic PAT

Figure 22 depicts static PAT.

Figure 22 Static PAT


Configuring NAT and PAT

Configuring Network Address Translation

Enabling and Disabling Users

To enable NAT for a user, use the following command:

set network user <username> nat_option nat

Example:

set network user nat_user nat_option nat

To disable NAT for a user, use the following command:

set network user <username> nat_option disable

Example:

set network user nat_user nat_option disable

Adding Dynamic and Static Address Assignments

To add a dynamic public address pool:

add nat dynamic user <username> public_pool_start <ip address> count <number of addresses>

Example:

add nat dynamic user nat_user public_pool_start 200.1.1.1 count 10

To add a static address assignment, use the following command:

add nat static user <username> public_address <ip address> private_address <ip address>

Example:

add nat static user nat_user public_address 200.1.1.11 private_address 192.168.111.1

View NAT Settings and Mappings

To show a user's settings, including its NAT settings, use the following command:

show user <username>

Example:

show user nat_user

To list active NAT address mappings, use the following command:

list nat user <username> address

To list active NAT port mappings, use the following command:

list nat user <username> port

Configuring Port Address Translation

Enabling and Disabling Users

To enable PAT for a user, use the following command:

set network user <username> nat_option pat

Example:

set network user pat_user nat_option pat

To disable PAT for a user, use the following command:

set network user <username> nat_option disable

Example:

set network user pat_user nat_option disable

Adding Dynamic and Static Address Assignments

Unless you receive incoming connections from the public network, dynamic PAT needs no configuration beyond enabling the user and choosing the PAT option.

To add a static address assignment, use one of the following commands:

add pat tcp user <username> private_address <ip address> private_port <number> public_port <number>

or

add pat udp user <username> private_address <ip address> private_port <number> public_port <number>

Example:

add pat tcp user pat_user private_address 192.168.111.1 private_port 80 public_port 80

Incoming packets from the public network whose destination port mappings do not exist in the dynamic PAT translation table are directed to a default host. To specify the default host, use the following command:

set network user <username> pat_default_address <IP address>

Example:

set network user pat_user pat_default_address 192.168.111.2
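As an added illustration (not RAS 1500 code, and not the device's own algorithm), the following Python models the translation tables this chapter describes: the dynamic NAT pool with static entries from the Overview, and PAT keyed on port with a default host for unmapped inbound packets, as configured by pat_default_address above. Addresses are the chapter's example values; sequential port allocation and the absence of mapping timeouts are simplifying assumptions.

```python
from ipaddress import IPv4Address

class Nat:
    """Dynamic NAT pool plus static entries: one public address per private host."""
    def __init__(self, pool_start, count, static=None):
        pool = [str(IPv4Address(pool_start) + i) for i in range(count)]
        self.table = dict(static or {})            # private -> public, static entries preloaded
        self.table_rev = {v: k for k, v in self.table.items()}
        self.free = [a for a in pool if a not in self.table_rev]

    def outbound(self, private_ip):
        """Source address for a packet leaving the private network, or None if the pool is empty."""
        if private_ip not in self.table:
            if not self.free:
                return None                        # pool exhausted: the host cannot reach the public side
            pub = self.free.pop(0)
            self.table[private_ip] = pub
            self.table_rev[pub] = private_ip
        return self.table[private_ip]

    def inbound(self, public_ip):
        """Private host behind a public address, or None if nothing is mapped."""
        return self.table_rev.get(public_ip)

class Pat:
    """PAT: one public address, translation keyed on port; unmapped inbound -> default host."""
    def __init__(self, public_ip, default_host, static=None, first_port=1024):
        self.public_ip, self.default_host = public_ip, default_host
        self.port_map = dict(static or {})         # public_port -> (private_ip, private_port)
        self.rev = {v: k for k, v in self.port_map.items()}
        self.next_port = first_port                # assumption: ports handed out sequentially

    def outbound(self, private_ip, private_port):
        """Translated (public_ip, public_port) for an outgoing TCP/UDP packet."""
        key = (private_ip, private_port)
        if key not in self.rev:
            while self.next_port in self.port_map:  # skip ports taken by static mappings
                self.next_port += 1
            self.port_map[self.next_port] = key
            self.rev[key] = self.next_port
        return self.public_ip, self.rev[key]

    def inbound(self, public_port):
        """(private_ip, private_port) for an incoming packet; with no mapping, the
        default host receives it unchanged, whatever the destination port."""
        return self.port_map.get(public_port, (self.default_host, public_port))
```

The inbound PAT case shows what the default host setting means in practice: every unsolicited packet from the public network, on any port, is delivered to that one host, so it is the host to harden first.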

Viewing PAT Settings and Mappings

To show a user's settings, including its PAT settings, use the following command:

show user <username>

Example:

show user pat_user

To list active PAT address mappings, use the following command:

list pat user <username> address

To list active PAT port mappings, use the following command:

list pat user <username> port


Case Studies

This section contains one case study for NAT and one for PAT.

NAT Case Study

A private network with a RAS 1500 requires access to a public network.

This access is across a PPP link with "ascend" compression initiated by the RAS 1500.

The user ID ("main") and password ("ras") have been agreed to by the ISP. In the NAT user profile, the transmit_authentication setting must match the user ID ("main"), and the send_password setting must match the password ("ras").

The public subnet allocated by the ISP for use by this private network is 202.55.55.40/29.

The RAS 1500 is assigned the address 202.55.55.41/29.

The private network has two servers that will be accessed by hosts from the public network. The ISP access number is 3067.

The local area network (LAN) configuration of the RAS 1500 is the same as it would be without a NAT user added.

A NAT user is a normal user with some configuration differences. The differences are the following:

Private networks should not be advertised to the public network, hence the ip_routing parameter is set to "listen."

Static NAT is performed for 2 hosts on the private network. A dynamic public IP address translation pool is defined for other machines on the private network to be able to access the public network.

1. Set basic system settings.

set system name RASCNTRL
set command prompt RASCNTRL
set system transmit_authentication_name RASCNTRL

2. Set IP network settings.

add ip network ip address 192.168.111.254/C enable no
set ip network ip routing_protocol ripv2
enable ip network ip

3. Set authentication.

set ppp receive_authentication either

4. Add a modem group named 78.

add modem_group 78 interface rm0/slot:2/mod:[3-4]

5. Add and configure a user named "nat_user."

add user nat_user password ras type network,dial_out enable no
set user nat_user modem_group 78 phone_number 3067
set network user nat_user ppp compression_algorithm ascend
set network user nat_user transmit_authentication main send_password ras
set network user nat_user ipx disable appletalk disable bridging disable
set network user nat_user nat_option nat
set network user nat_user ip_routing listen rip ripv2
set network user nat_user default_route_option enable
set network user nat_user address_selection negotiate
set dial_out user nat_user local_ip_address 255.255.255.255
set user nat_user idle_timeout 120
set dial_out user nat_user site type ondemand

6. Configure NAT mappings.

add nat dynamic user nat_user public_pool_start 202.55.55.42/29 count 3
add nat static user nat_user private_address 192.168.111.106 public_address 202.55.55.45
add nat static user nat_user private_address 192.168.111.140 public_address 202.55.55.46

7. Enable the user.

enable user nat_user

8. Save your work.

save all

PAT Case Study

The following case study configures PAT on the RAS 1500 with a 2-channel multilink PPP connection to the ISP using dial-on-demand and bandwidth-on-demand. The 2 channels may be either ISDN or analog interfaces; the case study assumes that you have already configured the ISDN modems for proper operation. Note that adding more than 4 Multi-Link Point-to-Point Protocol (MLPPP) links diminishes the gain of adding channels because of the MLPPP overhead.

1. Specify the local Ethernet IP address.

add ip network ip address 192.168.1.1/C

2. Enter the local IP address pool for dial-in users.

add ip pool ippool initial_pool_address 192.168.1.10 size 24

3. Specify initial settings for the user named "pat_user."

add modem_group PATMODEM interfaces rm0/slot:1/mod:1,rm0/slot:1/mod:2
add user pat_user password pat type network,dial_out enabled no
set user pat_user phone 15085551212
set user pat_user alternate_phone_number 15088711313
set user pat_user modem_group PATMODEM
set user pat_user idle_timeout 60
set network user pat_user network_service ppp
set network user pat_user ipx disable appletalk disable bridging disable

4. Set the username and password for your ISP account.

set network user pat_user transmit_authentication betty
set network user pat_user send_password fred

5. Specify additional user settings.

set network user pat_user ppp compression none
set network user pat_user address_selection negotiate
set network user pat_user default_route_option enable
set network user pat_user ip_routing listen
set network user pat_user nat_option pat
set network user pat_user pat_default_address 192.168.1.2
set dial user pat_user data async
set dial user pat_user local_ip_address 255.255.255.255
set dial user pat_user site type ondemand

6. Specify the default gateway.

add framed_route user pat_user ip_route 0.0.0.0 gateway 255.255.255.255
set dial user pat_user site type ondemand

7. Set multilink PPP settings with bandwidth-on-demand.

set net user pat_user ppp max_channels 2
set net user pat_user ppp channel_expansion 70 channel_decrement 20
enable user pat_user

8. Save your work.

save all
