Compatible Systems Setup Guides: Network Address Translation Configuration Guide
Document ID: 17621

Contents - Network Address Translation Configuration Guide
  IMPORTANT DISCLAIMERS
  EXPLANATION OF NAT FUNCTIONALITY
    Internet sources for Network Address Translation documents
    Reasons for Network Address Translation
  NAT EXAMPLE NETWORKS
    Example One: Network Address Translation "private" Network
    Example Two: Network Address Translation "private" Network and user's network with "global" IP addresses
    Example Three
    EXTERNAL NAT PORT
    INTERNAL NAT PORT
  [ IP <Section ID> ] configure commands and example keywords for Example Three
    EXTERNAL NAT PORT
    INTERNAL NAT PORT
    NAT PASSTHRU RANGE
  FINAL NOTES

IMPORTANT DISCLAIMERS

1. Not all Compatible Systems devices have Network Address Translation ability. Due to memory limitations and software code size, the following routers do not have NAT software:
   ♦ MicroRouter 900i
   ♦ MicroRouter 1000R
   ♦ RISC Router 3000E
   ♦ RISC Router 3400R
   ♦ RISC Router 3800R
2.
single IP address supplied by an ISP or the company System Administrator, rather than an IP address for each workstation: a savings of nine valuable IP addresses.

Local Network Security

Another useful feature of NAT is its ability to act as a "firewall." The workstations on the NAT Network may freely establish connections with the External Network/Internet. The opposite case, a connection initiated from the External Network/Internet into the NAT Network, is possible but is controlled by NAT: it succeeds only where a one-to-one translation pair for the destination has been entered in the NAT Map Database. This protection is a side effect of NAT Session tracking rather than a packet filter, so every address:port combination that appears in the NAT Map Database is reachable from the Internet.
Example Three: Very similar to Example Two, except that the External NAT Port, Internal NAT Port, and the port for the NAT PassThru Range are all located on the same physical port, by using sub−interfaces on this physical port. EXAMPLE ONE The Example One network, which was used in the development of the NAT software at Compatible Systems, is using a MicroRouter 2220R as the NAT Router.
CONFIGURATION SECTION. In Example One this is the Ethernet 0 IP interface.
3. The IP Interface which is communicating with the External Network or Internet must be the only interface which has NatMap = On. It is important that one, and only one, IP interface on a NAT Router have its NatMap variable set to On.
Point 3 is probably the most important, and least obvious, configuration requirement. In Example One, Ethernet 0 and Ethernet 1 both seem to be participating in Network Address Translation.
On inbound packets, in response, all External NAT destination IP addresses {198.41.9.219} are changed to Internal NAT IP addresses {10.5.3.10}. The NAT Session, which was created by the outbound IP packet from the NAT Network, is what allows this translation to take place. NAT Sessions can be displayed in the Command Line interface with the command show nat sessions.
because other descriptions of NAT on the Internet have not explicitly said this and initially caused confusion. CONDITION 1: A NAT SESSION INITIATED FROM THE OUTSIDE Let's make one change to the network of Example One − the NT workstation is now a Web server. Is this possible with Compatible Systems NAT? If possible, is it really useful? For security (and practicality) reasons, NAT Sessions are generated by IP packets traveling from the NAT Network to the Internet.
allows the NAT Router to make the NAT Web server appear to be at 198.41.9.194. This NAT Map Database entry allows the NAT software to create a NAT Session when the site at 128.138.240.11 initiates an IP session to the NAT External Range IP address:port combination of 198.41.9.195:80. Remember that the NAT software cannot establish a NAT Session initiated by a source on the External Network/Internet unless such a "one−to−one" translation pair is defined in the NAT Map Database.
(*) NOTES: Private IP Addresses for the Frame Relay connection across the "WAN Cloud". (**) NOTES: All of the machines in the NAT network must address their IP packets to the Internal Interface of the MR 2220 "NAT Router" (Ethernet 1). Unlike Example One, only part of the network behind this NAT Router is actually a NAT Network. Again, the part of the IP network connected to Ethernet 0 is accessible as part of the Internet.
Systems NAT functionality: 1. The NAT External Range in the NAT Router does not have to be directly related to the IP address of the External NAT Port. However, the NAT External Range does have to be a "global" IP address and it must be "routable." The network must be able to deliver IP packets with addresses in the NAT External Range to the External NAT Port. 2.
(*) NOTES: IP sub-interface ports Ethernet 0.1 and 0.2 are shown as separate connections in FIGURE 3 for clarity, but they really connect through the physical connection of Ethernet 0 and the "External Ethernet Hub" to the MR 1250i Router at IP address 198.41.10.98, the MR 2250R Router at IP address 198.41.9.196 and the Macintosh at the NAT "private" address of 10.5.0.5.
CONCLUDING EXPLANATION REMARKS If these example explanations have not made the functionality of Network Address Translation a little clearer, please see one of the Web sites listed at the beginning of the document for more explanation.
    TCP FIN timeout period (sec.):   180
    Entered Internal range(s):       10.5.3.0/27
    Entered External range(s):       198.41.9.219 198.41.9.195 198.41.9.194
    Entered Pass Thru range(s):      198.41.9.{205-210}

    [ NAT Map Database ]
    Total Number of Entries in NAT Map Database: 2
    ---------------------------------------------------------------
    Internal                 External                 LineNo.
                         ->                           1
                         ->                           2
                         ->

The line-by-line description of this display follows.
TCP SYN timeout period (sec.): 180
    The router will remove an active NAT Session for TCP after 180 seconds (three minutes) if a SYN TCP packet has not been answered.
TCP FIN timeout period (sec.): 180
    The router will remove an active NAT Session for TCP after 180 seconds (three minutes) if a FIN TCP packet has not been answered.
Entered Internal range(s): 10.5.3.
address 10.5.3.20 and sent to the Internal NAT Network by the router. Line 1 shows a different option for the one−to−one address translation pairs. It lists IP address:port combinations such that a site on the Internet could access a Web server on the workstation at the NAT Network address of 10.5.3.11. SHOW NAT MAP This display was described at the end of the previous section, but several other details will be presented here.
    10.5.3.20:0     -> 198.41.9.194:0       198.41.9.215:0   105.00   ICMP   104.00   236/922
    10.5.3.10:29841 -> 198.41.9.219:29841   198.41.9.30:53    33.93   UDP     33.50   255/976
    10.5.3.10:1899  -> 198.41.9.219:1899    198.41.9.12:80    25.67   TCP      0.16   983/680
    10.5.3.10:1900  -> 198.41.9.219:1900    198.41.9.12:80    30.24   TCP     15.83   984/681

The Active Map is the IP Address:Port (if applicable) Internal to External address translation and is read in the same format as the display for the NAT Map Database.
Sessions Timed Out is the number of NAT Sessions removed from the NAT hash database as a result of a time limit being exceeded. This can occur in one of three ways: 1. a SYN packet in a session does not receive a response within the time limit defined by the NAT variable "TCP SYN timeout period" (described earlier); these are tallied in SYN Timeouts 2.
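The session rules described in this guide (a NAT Session is created by traffic leaving the NAT Network, an inbound packet is translated only through an existing session or a one-to-one NAT Map Database entry, and an unanswered SYN or FIN packet ages the session out on the SYN/FIN timeouts while idle sessions use the TCP/UDP timeouts) can be traced in a small model. The Python below is an added example, not Compatible Systems software. The addresses, map entries and timer values are taken from the Example One displays in this guide; the packet sequence in example_one_trace() is constructed; aging ICMP sessions with the UDP timeout, and leaving a session in the "fin" state until it times out, are simplifying assumptions.

```python
"""Toy model of the NAT Session / NAT Map Database rules in this guide.  Added
example, not Compatible Systems software: outbound packets create sessions,
inbound packets pass only through an existing session or a one-to-one map
entry, and SYN/FIN/TCP/UDP timeouts age sessions out.  Addresses and timers
come from the Example One displays; the packet sequence is constructed; ICMP
is aged like UDP here, which is an assumption."""
from dataclasses import dataclass

UDP_TIMEOUT, TCP_TIMEOUT, TCP_SYN_TIMEOUT, TCP_FIN_TIMEOUT = 300, 86400, 180, 180


@dataclass
class Session:
    internal: tuple      # (ip, port) on the NAT Network
    external: tuple      # (ip, port) presented to the Internet
    proto: str
    opened_by: str       # 'out' (NAT Network) or 'in' (Internet)
    last_seen: float
    state: str           # 'syn' = SYN unanswered, 'open', 'fin' = FIN seen


class NatRouter:
    def __init__(self, dynamic_external_ip, map_db):
        self.dyn_ip = dynamic_external_ip   # External Range address used when no map entry applies
        self.map_db = dict(map_db)          # {(int_ip, port): (ext_ip, port)}; port 0 = every port
        self.sessions = {}                  # (proto, external, remote) -> Session
        self.stats = {"timed_out": 0, "syn_timeouts": 0, "fin_timeouts": 0, "inbound_dropped": 0}

    def _translate(self, internal):
        ip, port = internal
        ext = self.map_db.get((ip, port)) or self.map_db.get((ip, 0))
        if ext:
            return (ext[0], port if ext[1] == 0 else ext[1])
        return (self.dyn_ip, port)          # dynamic translation keeps the port, as 'show nat sessions' shows

    def _untranslate(self, external):       # one-to-one entry whose External side matches, or None
        for (iip, iport), (eip, eport) in self.map_db.items():
            if eip == external[0] and eport in (0, external[1]):
                return (iip, external[1] if iport == 0 else iport)
        return None

    def _touch(self, sess, direction, now, fin):
        sess.last_seen = now
        if sess.state == "syn" and direction != sess.opened_by:
            sess.state = "open"             # the SYN has been answered
        if fin and sess.proto == "TCP":
            sess.state = "fin"              # the FIN timeout now applies (simplification: stays here)

    def outbound(self, src, dst, proto, now, syn=False, fin=False):
        """NAT Network -> Internet: creates the NAT Session; returns the translated (src, dst)."""
        external = self._translate(src)
        key = (proto, external, dst)
        if key not in self.sessions:
            self.sessions[key] = Session(src, external, proto, "out", now, "syn" if proto == "TCP" and syn else "open")
        self._touch(self.sessions[key], "out", now, fin)
        return external, dst

    def inbound(self, src, dst, proto, now, syn=False, fin=False):
        """Internet -> NAT Network: translated only via a session or a one-to-one map entry."""
        key = (proto, dst, src)
        if key not in self.sessions:
            internal = self._untranslate(dst)
            if internal is None:
                self.stats["inbound_dropped"] += 1
                return None                 # no session and no map entry: NAT does not deliver it
            self.sessions[key] = Session(internal, dst, proto, "in", now, "syn" if proto == "TCP" and syn else "open")
        self._touch(self.sessions[key], "in", now, fin)
        return src, self.sessions[key].internal

    def expire(self, now):
        """Apply the timeout rules; returns the number of sessions removed."""
        removed = 0
        for key, s in list(self.sessions.items()):
            limit, bucket = UDP_TIMEOUT, None
            if s.proto == "TCP":
                limit, bucket = {"syn": (TCP_SYN_TIMEOUT, "syn_timeouts"),
                                 "fin": (TCP_FIN_TIMEOUT, "fin_timeouts")}.get(s.state, (TCP_TIMEOUT, None))
            if now - s.last_seen > limit:
                del self.sessions[key]
                removed += 1
                self.stats["timed_out"] += 1
                if bucket:
                    self.stats[bucket] += 1
        return removed


def example_one_trace():
    """Replays the Example One cases the guide discusses; returns what happened."""
    nat = NatRouter("198.41.9.219", {("10.5.3.11", 80): ("198.41.9.195", 80),   # Web server entry
                                      ("10.5.3.20", 0): ("198.41.9.194", 0)})   # whole-host entry
    # 1. Outbound TCP from 10.5.3.10 creates a session; the reply is translated back to it.
    ext, _ = nat.outbound(("10.5.3.10", 1899), ("198.41.9.12", 80), "TCP", now=0, syn=True)
    reply = nat.inbound(("198.41.9.12", 80), ext, "TCP", now=1)
    # 2. Unsolicited TCP to the dynamic External address: no session, no entry, dropped.
    blocked = nat.inbound(("128.138.240.11", 4000), ("198.41.9.219", 80), "TCP", now=2, syn=True)
    # 3. TCP to 198.41.9.195:80: the one-to-one entry lets NAT create the session.
    web = nat.inbound(("128.138.240.11", 4001), ("198.41.9.195", 80), "TCP", now=3, syn=True)
    nat.outbound(("10.5.3.11", 80), ("128.138.240.11", 4001), "TCP", now=4)  # server answers the SYN
    # 4. A SYN that is never answered is removed once the TCP SYN timeout elapses.
    nat.outbound(("10.5.3.10", 1900), ("198.41.9.12", 80), "TCP", now=10, syn=True)
    expired = nat.expire(now=10 + TCP_SYN_TIMEOUT + 1)
    return {"external": ext, "reply_to": reply[1], "blocked": blocked is None,
            "web_server": web[1], "expired": expired, "stats": dict(nat.stats)}
```

Step 2 is the "firewall" behaviour the guide describes: the packet to 198.41.9.219:80 is counted in inbound_dropped because nothing in the session table or the NAT Map Database claims it, whereas the same site's connection to 198.41.9.195:80 in step 3 is accepted purely because of the one-to-one entry.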
[FIGURE (ASCII network diagram): NAT Network host 10.5.3.20 (#)(%); External network 198.41.9.192 (mask 255.255.255.224) with hosts 198.41.9.194 (@)(%), 198.41.9.195 ($)(@)(%), 198.41.9.205 through 198.41.9.210 (*) and 198.41.9.219 (@); all have masks of 255.255.255.]
= To find a list of valid keywords and additional help enter "?"
    [ NAT Global ]# ?
    Valid keywords for the 'NAT Global' section:
      UDPTimeout      UDP Timeout for NAT in seconds (note: 0 {zero} disables UDPTimeout)
      TCPTimeout      TCP Timeout for NAT in seconds (note: 0 {zero} disables TCPTimeout)
      TCPSynTimeout   TCP SYN Timeout for NAT in seconds
      TCPFinTimeout   TCP FIN Timeout for NAT in seconds
      InternalRange   Strings for Internal IP addresses, (parsed like filters)
      ExternalRange   Strings for External IP a
(defined next). The NAT Router and the LANs and or WANs to which it is connected must be configured so that IP packets with addresses in the InternalRange enter the NAT Router through the Internal NAT Port. This variable is parsed, and can be entered, using the same syntaxes used for the IP addresses in the IP filters with one important addition. An inclusive range of addresses can be defined using a dash notation (V.W.X.{Y−Z}).
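The range syntaxes named above (a single address, the prefix form such as 10.5.3.0/27, and the dash form V.W.X.{Y-Z} for an inclusive range) are easy to get wrong, and the guide's requirements that the InternalRange enter through the Internal NAT Port and that the ExternalRange be a routable global address are only checkable once the strings are parsed. The Python below is an added example, not the router's own parser: it handles the three forms that appear in this guide's displays, tests membership, and checks a proposed InternalRange/ExternalRange/PassThruRange set for overlap and for non-global External addresses. Any other filter syntax the router accepts is not covered.

```python
"""Parser and sanity checker for the NAT range strings shown in this guide.
Added example, not the router's own parser.  Handles exactly the three forms
the guide displays: a single address, CIDR prefix notation (10.5.3.0/27) and
the dash notation for an inclusive last-octet range (198.41.9.{205-210})."""
import ipaddress
import re

_DASH = re.compile(r"^(\d+\.\d+\.\d+)\.\{(\d+)-(\d+)\}$")


def parse_range(text):
    """Return a list of (first, last) IPv4Address pairs covering `text`.

    `text` may hold several whitespace-separated entries, as the
    'Entered External range(s):' line of 'show nat config' does.
    """
    spans = []
    for token in text.split():
        m = _DASH.match(token)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad dash range: {token}")
            spans.append((ipaddress.IPv4Address(f"{prefix}.{lo}"),
                          ipaddress.IPv4Address(f"{prefix}.{hi}")))
        elif "/" in token:
            net = ipaddress.IPv4Network(token, strict=True)   # 10.5.3.5/27 is rejected, not silently widened
            spans.append((net.network_address, net.broadcast_address))
        else:
            addr = ipaddress.IPv4Address(token)
            spans.append((addr, addr))
    return spans


def contains(spans, address):
    """True if `address` falls inside any parsed span."""
    a = ipaddress.IPv4Address(address)
    return any(lo <= a <= hi for lo, hi in spans)


def check_config(internal, external, passthru):
    """Checks a practitioner would want before setting Enabled = On.

    The three ranges must not overlap (a packet can only belong to one of
    them), and the ExternalRange must be global, since the guide requires it
    to be routable from the Internet.  Returns a list of problem strings.
    """
    ranges = {"InternalRange": parse_range(internal),
              "ExternalRange": parse_range(external),
              "PassThruRange": parse_range(passthru)}
    problems = []
    names = list(ranges)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            for lo1, hi1 in ranges[n1]:
                for lo2, hi2 in ranges[n2]:
                    if lo1 <= hi2 and lo2 <= hi1:
                        problems.append(f"{n1} overlaps {n2} at {max(lo1, lo2)}-{min(hi1, hi2)}")
    for lo, hi in ranges["ExternalRange"]:
        if lo.is_private or hi.is_private:
            problems.append(f"ExternalRange entry {lo}-{hi} is not a global address")
    return problems
```

Run against the Example One values from the 'show nat config' display (InternalRange 10.5.3.0/27, ExternalRange 198.41.9.219 198.41.9.195 198.41.9.194, PassThruRange 198.41.9.{205-210}) check_config() returns no problems; feeding it a private address as the ExternalRange reports both the overlap with the InternalRange and the non-global entry.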
be able to communicate with/configure the NAT Router via the Command Line interface.
Enabled    Overall NAT capability in Router
After the InternalRange and ExternalRange, Enabled is probably the most important keyword in this section. It allows the router to perform Network Address Translations between the Internal and External Networks. The default value is Off. The router will not "NAT" if Enabled is Off.
    Nat_2220> sh nat map
    [ NAT Map Database ]
    Total Number of Entries in NAT Map Database: 2
    ------------------------------------------------------------------
    Internal                 External                 LineNo.
                         ->                           1
                         ->                           2
                         ->

Important points about the one-to-one translation pairs in the NAT Map Database:
1. The Internal IP Address must be entered first, followed by "->" or "=", followed by the External IP Address.
2.
Ethernet 0 is the External NAT Port, Ethernet 1 is the Internal NAT Port. The IP protocol on the Bridge, Wan 0, and Wan 1 has been disabled in this example. Note: Again, the NAT software is currently designed and has only been tested with one External IP Port on a router. In the latest releases of Compatible Systems device software (versions 4.3 and later), the display in response to the show ip config will display which IP interface has the variable NatMap enabled (NatMap = On).
INTERNAL NAT PORT, EXAMPLE 1

The configuration of the Internal NAT Port and its relation to the [NAT Global] section is shown next.

    Nat_2220> config ip ethernet 1
    Enter Password:
    Configure parameters in this section by entering: =
    To find a list of valid keywords and additional help enter "?"
    [ IP Ethernet 1 ] # list
    [ IP Ethernet 1 ]
      RIPVersion = V2
      Mode       = Routed
      SubnetMask = 255.255.255.224
      IPAddress  = 10.5.3.1

The NatMap is not set to On for this Internal NAT Port.
    NAT functionality enabled (On/Off):
    NAT Response to external ICMPs (On/Off):
    Communicate w/ Router through IP Ports (On/Off):
    Configured Ports:                  Ether0
    UDP timeout period (sec.):         300
    TCP timeout period (sec.):         86400
    TCP SYN timeout period (sec.):     180
    TCP FIN timeout period (sec.):     180
    Entered Internal range(s):         10.5.0.0/24
    Entered External range(s):         198.41.9.204
    Entered Pass Thru range(s):        198.41.10.
    To find a list of valid keywords and additional help enter "?"
    [ IP Ethernet 0 ] # list
    [ IP Ethernet 0 ]
      Mode       = Routed
      RIPVersion = V2
      SubnetMask = 255.255.255.224
      IPAddress  = 198.41.9.197
      NatMap     = On

The most important keyword here is NatMap. If this keyword is not set to On, the IP Port will not perform Network Address Translation. Note: The NatMap keyword needs to be turned On only on the External NAT Port. NatMap should not be set to On on the Internal NAT Port.
and in [ IP Ethernet 0.1 ]:

      SubnetMask = 255.255.0.0
      IPAddress  = 10.5.0.1

Notes: All workstations on the LAN directly connected to the Internal NAT Port must have this IP Port's address (10.5.0.1, in this example) set as their Gateway route in their IP applications.

NAT PASSTHRU RANGE, EXAMPLE 3

Finally, configuration of the other Ethernet IP sub-interface port and its relation to the [NAT Global] section are shown.

    [ IP Ethernet 0.1 ] # config ip ethernet 0.
All contents copyright © 1992-2001 Cisco Systems Inc.