The IP addresses used inside a stub domain can be duplicated in another stub domain; for instance a single Class A address could be used in several stub domains. This happens very frequently when the domains are not administered by the same authority, as in the case of independent enterprise networks.
As long as the domains are isolated there are no problems, but as soon as they need to be interconnected the overlapping addresses would prevent it. This is where Network Address Translation (NAT) plays its role: installing a Network Address Translator at each exit point between a stub domain and the backbone, or between stub domains, allows the addresses to be translated so that each stub domain "sees" valid addresses.
Unfortunately Network Address Translation (NAT) is not free. Because of the way some protocols/applications behave it may introduce compatibility problems, which cannot always be solved.
The problem: some protocols/applications place IP addresses, and/or TCP/UDP ports, in the payload of the packets, at the same "level" as the application data.
As a result, when the Network Address Translator changes the IP addresses or the TCP/UDP ports of a datagram, the new values in the IP/TCP/UDP headers no longer match the content of the packet, which carries the same information BUT at application level.
To successfully apply Network Address Translation (NAT) it is therefore necessary to modify the packet payload as well, so that it corresponds to the current values in the IP/TCP/UDP headers.
Unfortunately there is no "good-for-all" method, and each protocol/application must be identified and processed properly.
The List of protocols/applications supported by NAT section gives the exact view of the well known applications/protocols that require special handling and that are either supported or not supported by the Abilis CPX Network Address Translator port.
Those not mentioned should work without trouble.
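The header/payload mismatch described above, shown on FTP's active-mode PORT command (FTP is one of the applications the page lists as needing special handling). This is an added illustration, not code from the Abilis manual; the addresses and the mapped port are constructed placeholders.

```python
import re
from typing import Optional, Tuple

# Constructed scenario (added example, not Abilis code): an FTP client on the
# inside local address 192.168.1.10 sends an active-mode PORT command while
# NAT maps it to the inside global address 203.0.113.5.
INSIDE_LOCAL = "192.168.1.10"
INSIDE_GLOBAL = "203.0.113.5"
# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 where port = p1*256 + p2
PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def nat_header_only(src_ip: str, payload: bytes) -> Tuple[str, bytes]:
    """Plain address translation: only the IP header changes, payload untouched."""
    return (INSIDE_GLOBAL if src_ip == INSIDE_LOCAL else src_ip, payload)


def payload_addr(payload: bytes) -> Optional[str]:
    """Address announced at application level by the PORT command, if any."""
    m = PORT_CMD.match(payload)
    return ".".join(m.group(i).decode() for i in range(1, 5)) if m else None


def consistent(src_ip: str, payload: bytes) -> bool:
    """True when the header source address agrees with the address in the payload."""
    return payload_addr(payload) == src_ip


def ftp_alg(src_ip: str, payload: bytes, mapped_port: int) -> Tuple[str, bytes, int]:
    """Application-level handling: translate the header AND rewrite the address
    and port carried inside PORT.  mapped_port is the global port the NAT has
    reserved for the incoming data connection.  Returns (new src ip, new
    payload, length delta); a real PAT engine must add the delta to the TCP
    sequence numbers of this flow because the payload length changed."""
    new_ip, _ = nat_header_only(src_ip, payload)
    m = PORT_CMD.match(payload)
    if not m or src_ip != INSIDE_LOCAL:
        return new_ip, payload, 0
    hi, lo = mapped_port >> 8, mapped_port & 0xFF
    new_payload = f"PORT {','.join(new_ip.split('.'))},{hi},{lo}\r\n".encode()
    return new_ip, new_payload, len(new_payload) - len(payload)
```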
Inside. The set of networks that are subject to translation, usually "private" networks.
Outside. All other networks, usually with "public" addresses located on the Internet.
Inside local IP address. The IP address assigned to a host on the inside network. The address may or may not be a valid outside address (usually on the Internet); in the second case it may actually belong to another organization, to which it will be impossible to connect, even with NAT. In the table of NAT Aliases this term is called NET:.
Inside global IP address. The IP address of an inside host as it appears to the outside networks. If, as usual, the outside network is the Internet, the address must be one of the "public" addresses that the ISP has assigned to the user's router for those connections. In the table of NAT Aliases this term is called ANET:.
Processed IP packet. A packet whose source or destination address was changed; in some cases the source or destination port was changed too.
Ignored IP packet. A packet that was not changed.
Static Address Translation. The user can establish a one-to-one mapping between the inside local and global addresses; this applies when the number (netmask) of inside local and global addresses is identical.
Dynamic Source Address Translation. The user can establish a dynamic mapping between the inside local and global addresses; this applies when the number (netmask) of inside local and global addresses is different.
Port Address Translation (PAT). The user can conserve addresses in the global address pool by allowing the source ports of TCP connections or UDP conversations to be translated. Different local addresses are mapped to the same global address, with port translation providing the necessary uniqueness for TCP/UDP and other tricks providing uniqueness for ICMP.
This mode is called indifferently "PAT" or "NAT+PAT" and works only with the TCP/UDP/ICMP protocols.
Extended filtering in PAT mode. The purpose of this feature is to allow a selective activation of the PAT translation based on the destination TCP/UDP port and on the IP protocol, so that network managers can strengthen their control of the network by:
Granting access only to some services, e.g. web and ftp.
Blocking access only to specific services, e.g. realaudio / realvideo servers.
Precisely distinguishing inbound connections from outbound ones.
Allowing internal users to access ANY service on the Internet while outside users may access only a restricted set.
Destination port mapping. This behaviour is very useful in many situations; the most frequent are:
The user has just one public IP address and on the internal LAN there are several computers, with different IP addresses, running different services that must be reachable from outside, e.g. one runs FTP, another HTTP, another SMTP.
The user has just one public IP address and on the internal LAN there are several computers, with different IP addresses, running the same service with different contents, e.g. a commercial web, a technical web, a restricted access web.
For more information see Configuration examples section.
The NAT port is referred to by the "NAT" abbreviation and has all the parameters described in this chapter.
Here is an example of the NAT port parameters.
```
[18:18:41] ABILIS_CPX: D P PO:NAT

PO:911 - Not Saved (SAVE CONF), Not Refreshed (INIT)
-------------------------- NAT ------------------------------------------------------------------------
LOG:DS ACT:NO dimtable:1000 TOUT:60
- PAT mode timeouts ----------------------------------------------------
TCP-CONN:3 TCP-CLOSING:180 TCP-CLOSED:1 TCP-RST:YES ICMP:30 UDP:3
DNS:30 SNTP:30 FRAG-ID:30 FRAG-PTR:30 SNMP-ALG:NO
```
To activate changes made on the parameters displayed in lower-case characters, the system must be restarted; on the contrary, to activate changes made on upper-case parameters it is enough to execute the initialization command INIT PO:.
The changes made on the LOG: parameter are immediately active.
The "Not Saved (SAVE CONF)" message is displayed every time the port configuration is modified but not saved with the SAVE CONF command.
The "Not Refreshed (INIT)" message is displayed every time the port configuration is modified but not refreshed with the INIT PO: command.
Parameter | Description | Default | Values |
---|---|---|---|
LOG: | Events logging activation and generation of alarm signals | DS | NO, D, S, A, L, T, ALL, +E |
This parameter makes it possible to activate/deactivate the logging of the meaningful events of the port, as well as the detection and signalling of alarms in case of critical events.
The following table shows the available options and the related functionalities usable by the parameter:
Option | Meaning |
---|---|
D | Recording of the driver state changes and/or the meaningful events in Debug Log |
S | Recording of the driver state changes and/or the meaningful events in the System Log |
A | Periodic detection of possible alarms. The detected alarms can be displayed by the command ALARM VIEW or by the analogous command available in the UTILITY menu of the LCD display on the front panel |
L | On alarm detection, acoustic signal generation plus a message on the LCD display. This function depends on activation of alarms detection by the "A" option |
T | Generation, by the SNMP Agent of Abilis CPX, of SNMP traps corresponding to any change of the driver state and/or occurrence of meaningful events |
Besides the options already described, the following values are also allowed:
Option | Meaning |
---|---|
NO | It means that all the logging functionalities, alarms detection and generation, above mentioned, are disabled. |
ALL | It means that all the logging functionalities, alarms detection and generation, above mentioned, are enabled. |
+E | Added to one or more of the previous options, this option extends their set of meaningful events. The value "ALL+E" activates all the options and extends the set of meaningful events. The value "NO+E" is meaningless, so it is ignored. |
Options can be combined.
Some examples:
By using the characters "+" and "-" as a prefix of one or more options it is possible to add or remove one or more functionalities without setting the value of the parameter from scratch.
Some examples:
The changes made on this parameter are immediately active, without the need for initialization commands.
Parameter | Description | Default | Values |
---|---|---|---|
ACT: | NAT runtime activation/deactivation | NO | NO, YES |
This parameter is used to activate/deactivate the Network Address Translation runtime.
When it is set to "NO", NAT processing is disabled. The IP router will ignore any NAT references.
When it is set to "YES", NAT processing is enabled. The IP router requests NAT processing whenever a packet arrives from either an INSIDE or an OUTSIDE interface.
Unclassified interfaces, i.e. those that belong neither to the inside nor to the outside scope (the NAT: field of the IP port configuration is set to "NO"), are ignored.
When the Network Address Translation is active, packets will be forwarded only in the following cases:
When NAT is active, packets will not be forwarded between a classified and an unclassified interface.
Parameter | Description | Default | Values |
---|---|---|---|
DIMTABLE: | Maximum number of simultaneously active translations | 1000 | 100 - 10000 |
It specifies how many translations can exist at the same time.
If the translation table gets full, further requests are ignored and the packets dropped. In this condition the statistic counter OVERFLOW: is increased for each dropped packet.
Parameter | Description | Default | Values |
---|---|---|---|
TOUT: | Time-out for IP links - non PAT mode | 60 | 1 - 65535 min |
This value sets the timeout of static and dynamic translations, i.e. those created without the PAT mode.
If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table.
Parameter | Description | Default | Values |
---|---|---|---|
TCP-CONN: | Time of storage for a TCP link in connecting state | 3 | 1 - 65534 min |
This value sets the timeout for a TCP link in connecting state, the main state of a TCP connection once it has been set up. If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. For more information about the states of a TCP connection see RFC 793. This value is used in the PAT mode of NAT only.
Parameter | Description | Default | Values |
---|---|---|---|
TCP-CLOSING: | Time of storage for a TCP link in closing state | 180 | 1 - 240 sec |
This value sets the timeout for a TCP link in closing state, i.e. the state in which one end of the link is waiting for the acknowledgment of a connection termination request from the other end. For more information about the states of a TCP connection see RFC 793. This value is used in the PAT mode of NAT only.
Parameter | Description | Default | Values |
---|---|---|---|
TCP-CLOSED: | Time of storage for a TCP link in closed state | 1 | 1 - 240 sec |
This value sets the timeout for a TCP link in closed state, which represents no connection at all (i.e. a connection closed from both sides). For more information about the states of a TCP connection see RFC 793. This value is used in the PAT mode of NAT only.
Parameter | Description | Default | Values |
---|---|---|---|
TCP-RST: | Send RESET for expired link | YES | NO, YES |
For packets other than SYN, when no link is available NAT sends a datagram with the RST bit set to the host that sent the packet. This prompts the host to establish a new connection. For more information about the states of a TCP connection see RFC 793. This value is used in the PAT mode of NAT only.
Parameter | Description | Default | Values |
---|---|---|---|
ICMP: | Time of storage for ICMP links | 30 | 1 - 240 sec |
This value sets the timeout for ICMP links. If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. This value is used in the PAT mode of NAT only.
Parameter | Description | Default | Values |
---|---|---|---|
UDP: | Time of storage for UDP links | 3 | 1 - 65534 min |
This value sets the timeout for UDP links. If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. This value is used in the PAT mode of NAT only.
Parameter | Description | Default | Values |
---|---|---|---|
DNS: | Time of storage for DNS links | 30 | 1 - 240 sec |
This value sets the timeout for DNS links. These links are created while translating DNS packets (a DNS packet is a UDP packet whose source or destination port is 53). If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. This value is used in the PAT mode of NAT only.
Parameter | Description | Default | Values |
---|---|---|---|
SNTP: | Time of storage for SNTP links | 30 | 1 - 240 sec |
This value sets the timeout for SNTP links. These links are created while translating SNTP packets (an SNTP packet is a UDP packet whose source or destination port is 123). If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. This value is used in the PAT mode of NAT only.
Parameter | Description | Default | Values |
---|---|---|---|
FRAG-ID: | Time of storage for FRAG-ID links | 30 | 1 - 240 sec |
This value sets the timeout for FRAGMENT ID links. These links are created while translating IP fragments. If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table. This value is used in the PAT mode of NAT only.
Parameter | Description | Default | Values |
---|---|---|---|
FRAG-PTR: | Time of storage for FRAG-PTR links | 30 | 1 - 240 sec |
This value sets the timeout for FRAGMENT PTR links. This value is used in the PAT mode of NAT only.
Parameter | Description | Default | Values |
---|---|---|---|
SNMP-ALG: | Enable/disable SNMP Application Level Gateway | NO | NO, YES |
This parameter is used to enable/disable SNMP Application Level Gateway.
Example of how to show the state and statistics of the NAT port (PO:911 in this example) through the command D S:
```
[15:00:45] ABILIS_CPX:d s po:911

PO:911 ------------------------------------------------------------------------
NAT STATE:READY CUR-TRANSLATIONS:0 MAX-TRANSLATIONS:1000
------------------------------------------------------------------------
REQ:529 SUCCESS:0 IGNORED:529 ERROR:0 OVERFLOW:0 TCP-RST:0
-----------|--IN SRC---|--IN DST---|--OUT SRC--|--OUT DST--|
ICMP       |0          |0          |0          |0          |
TCP        |0          |0          |0          |0          |
UDP        |0          |0          |0          |0          |
OTHERS     |0          |0          |0          |0          |
------------------------------------------------------------------------
FTP        |0          |0          |0          |0          |
DNS        |0          |0          |0          |0          |
OTHERS     |0          |0          |0          |0          |
------------------------------------------------------------------------
FRAG-ID:0 FRAG-POINTER:0 FRAG-UNRESOLVED:0 FRAG-HEADER-FOUND:0
------------------------------------------------------------------------
```
Counter | Range | Meaning |
---|---|---|
CUR-TRANSLATIONS: | 0 - 65534 | Number of translations currently active, i.e. the number of records of the NAT dynamic table in use at the moment. |
MAX-TRANSLATIONS: | 1 - 65534 | Limit to the possible simultaneous translations, i.e. the size of the NAT dynamic table. |
REQ: | 0 - 4294967295 | Total number of translation requests NAT has received since start (or since the NAT port statistics were cleared). |
SUCCESS: | 0 - 4294967295 | Number of requests processed successfully, i.e. the source or destination address of the IP packet was changed, or an IP address in the packet payload was changed (for example when the packet carries a DNS message). |
IGNORED: | 0 - 4294967295 | Number of ignored requests, i.e. the IP packet was not changed because no match was found. |
ERROR: | 0 - 4294967295 | Number of requests not processed successfully, whatever the reason of the error. |
OVERFLOW: | 0 - 4294967295 | Number of requests not processed successfully because the translation table is full. |
TCP-RST: | 0 - 4294967295 | Number of TCP reset packets sent. TCP RST packets are sent only when the TCP-RST: parameter of NAT is set to YES. |
ICMP: | 0 - 4294967295 | Number of processed ICMP packets. Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately. |
TCP: | 0 - 4294967295 | Number of processed TCP packets. Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately. |
UDP: | 0 - 4294967295 | Number of processed UDP packets. Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately. |
OTHERS: | 0 - 4294967295 | Number of processed packets of other types (not ICMP/UDP/TCP). Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately. |
FTP: | 0 - 4294967295 | Number of processed FTP packets. Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately. |
DNS: | 0 - 4294967295 | Number of processed DNS packets. Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately. |
OTHERS: | 0 - 4294967295 | Number of processed packets of other application types (not FTP/DNS). Each kind of translation (Incoming Source, Incoming Destination, Outbound Source, Outbound Destination) is counted separately. |
FRAG-ID: | 0 - 4294967295 | Number of processed FRAGMENT ID packets. |
FRAG-POINTER: | 0 - 4294967295 | Number of processed FRAGMENT POINTER packets. |
FRAG-UNRESOLVED: | 0 - 4294967295 | Number of fragments of IP packets not processed because the fragment could not be resolved. |
FRAG-HEADER-FOUND: | 0 - 4294967295 | Number of processed fragments of IP packets. |
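A small monitoring check over the D S output shown above, as an added example (not an Abilis tool): it parses the scalar counters and flags the conditions an administrator should notice, such as a table close to DIMTABLE, dropped or reset traffic, or a NAT that receives requests but never matches an alias. The sample lines are copied from the page's example; the thresholds and warning texts are assumptions.

```python
import re
from typing import Dict, List

# Sample lines copied from the page's "D S PO:911" example; the parser and the
# checks are an added example, not an Abilis tool.
SAMPLE = """\
[15:00:45] ABILIS_CPX:d s po:911
PO:911 ------------------------------------------------------------------------
NAT STATE:READY CUR-TRANSLATIONS:0 MAX-TRANSLATIONS:1000
------------------------------------------------------------------------
REQ:529 SUCCESS:0 IGNORED:529 ERROR:0 OVERFLOW:0 TCP-RST:0
-----------|--IN SRC---|--IN DST---|--OUT SRC--|--OUT DST--|
ICMP       |0          |0          |0          |0          |
------------------------------------------------------------------------
FRAG-ID:0 FRAG-POINTER:0 FRAG-UNRESOLVED:0 FRAG-HEADER-FOUND:0
"""

FIELD = re.compile(r"([A-Z][A-Z-]*):(\S+)")


def parse_nat_state(text: str) -> Dict[str, str]:
    """Collect NAME:VALUE fields from the scalar lines of the D S output,
    skipping the echoed command and the per-protocol '|' table."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("[") or "|" in line:
            continue
        for name, value in FIELD.findall(line):
            fields[name] = value
    return fields


def nat_health(fields: Dict[str, str], fill_warn: float = 0.8) -> List[str]:
    """Warnings an operator would want from one snapshot (thresholds assumed)."""
    warnings: List[str] = []
    if fields.get("STATE") != "READY":
        warnings.append(f"NAT state is {fields.get('STATE')}")
    cur, mx = int(fields["CUR-TRANSLATIONS"]), int(fields["MAX-TRANSLATIONS"])
    if cur >= fill_warn * mx:
        warnings.append(f"translation table {100 * cur // mx}% full ({cur}/{mx}): "
                        "raise DIMTABLE or shorten the PAT timeouts")
    for counter in ("OVERFLOW", "ERROR", "TCP-RST"):   # non-zero means dropped or reset traffic
        if int(fields[counter]) > 0:
            warnings.append(f"{counter}={fields[counter]}")
    if int(fields["REQ"]) > 0 and int(fields["SUCCESS"]) == 0:
        warnings.append("all requests ignored: no alias matched, check the NAT aliases "
                        "and the NAT: classification of the IP ports")
    return warnings
```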
Below is a list of well known special protocols/applications which are supported by CPX NAT.
Below is a list of well known special protocols/applications which cannot work with any NAT implementation, because the information in the payload is ciphered, and therefore NATs cannot modify them!
Below is a list of well known special protocols/applications which are not supported by the current CPX NAT implementation.