Enterasys Security Router User's Guide

Configuring NAT Examples
5-40 Configuring IP
3. Optional. Add an ACL to permit NAT traffic from the 10.1.1.0 network. All other traffic is
implicitly denied.
XSR(config)#access-list 57 permit 10.1.1.0 0.0.0.255
4. Optional. Reset the default NAT timeout interval to 5 minutes:
XSR(config)#ip nat translation timeout timeout 300
5. Enable an interface; F1, for example:
XSR(config)#interface fastethernet 1
6. Bind the interface and optional ACL to the NAT pool:
XSR(config-if<F1>)#ip nat source list 57 pool NATpool
7. Optional. Enable a second interface, F2, to use the same NAT pool:
XSR(config)#interface fastethernet 2
8. Optional. Bind the second interface to NATpool:
XSR(config-if<F2>)#ip nat source pool NATpool
Note that no ACL is associated with NATpool on F2. Alternatively, you can create a second NAT pool
that shares addresses with the first configured NAT pool.
Network Address and Port Translation
This example configures inside source address translation with overload (NAPT) on the XSR (Figure 5-13).
Figure 5-13 NAT Inside Source Translation with Overload (NAPT).
Configuring NAPT
Inside source address translation with overload, as shown in Figure 5-13, is configured as follows:
1. The user at address 10.1.1.1 opens a connection to host address 172.20.2.1.
2. The first packet that the XSR receives from 10.1.1.1 prompts a check of the NAPT table. If no
translation entry exists and the address 10.1.1.1 must be translated, the XSR sets up a
translation entry. So the router replaces the inside local address 10.1.1.1 with the external
address 200.20.2.1, replaces the source port with 40450, and forwards the packet.
[Figure 5-13 labels: the XSR sits between the Inside network (host 10.1.1.1, Internal interface) and the Outside network / Internet (hosts 172.20.2.1 and 172.20.2.2, External interface, labeled 200.20.2.1). NAT is applied to the External interface.]

Request:                     SA: 10.1.1.1    DA: 172.20.2.1
After Translation:           SA: 200.2.2.1   DA: 172.20.2.1
Reply:                       SA: 172.20.2.1  DA: 200.2.2.1
Reply after reverse lookup:  SA: 172.20.2.1  DA: 10.1.1.1

NAPT Table
Protocol  Inside local IP addr:port  Inside global IP addr:port  Outside global IP addr:port
TCP       10.1.1.1:1729              200.2.2.1:40450             172.2.20.2:23
TCP       10.1.1.1:1780              200.2.2.1:40460             172.2.21.2:23
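
The lookup, entry creation and reverse lookup described in steps 1 and 2, combined with the ACL 57 wildcard match and the 300-second timeout from the preceding procedure, can be modelled as follows. This is an added example, not code from the guide or from the XSR; the class and function names are hypothetical, and it assumes sequential port allocation, an idle-based timeout, and that a reply must come from the outside endpoint recorded in the entry.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def acl_permits(src, net, wildcard):
    """Wildcard match: bits set in the wildcard are ignored (0.0.0.255 = any last octet)."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(src) & care) == (ip(net) & care)

class Napt:
    """Constructed model of a NAPT table (not XSR code)."""
    def __init__(self, global_ip, acl, timeout=300, first_port=40450):
        self.global_ip, self.acl, self.timeout = global_ip, acl, timeout
        self.next_port = first_port   # assumption: ports are handed out sequentially
        self.entries = {}             # global port -> [proto, inside, outside, last_used]

    def _expire(self, now):
        for port in [p for p, e in self.entries.items() if now - e[3] > self.timeout]:
            del self.entries[port]    # assumption: timeout counts idle seconds

    def outbound(self, proto, inside, outside, now):
        """Return the translated (ip, port) source, or None if the ACL denies translation."""
        if not acl_permits(inside[0], *self.acl):
            return None
        self._expire(now)
        for port, e in self.entries.items():
            if e[:3] == [proto, inside, outside]:   # existing entry: reuse and refresh
                e[3] = now
                return (self.global_ip, port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.entries[port] = [proto, inside, outside, now]
        return (self.global_ip, port)

    def inbound(self, proto, outside, dest, now):
        """Reverse lookup for a reply; None means no matching entry, so no translation."""
        self._expire(now)
        e = self.entries.get(dest[1]) if dest[0] == self.global_ip else None
        if e is None or e[0] != proto or e[2] != outside:
            return None
        e[3] = now
        return e[1]

# Addresses and ports are taken from the steps and NAPT table above.
xsr = Napt("200.20.2.1", ("10.1.1.0", "0.0.0.255"))
request = xsr.outbound("TCP", ("10.1.1.1", 1729), ("172.20.2.1", 23), now=0)
reply = xsr.inbound("TCP", ("172.20.2.1", 23), request, now=1)
print(request, reply)
```

In this model a packet from an outside host that has no table entry, or a reply arriving after the entry has timed out, finds no translation and is not forwarded inside.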