User Manual

328 Enterasys X-Pedition User Reference Manual
Setting NAT Rules

Static

You create NAT static bindings by entering the following command in Configure mode.

Enable NAT with static address binding:
    nat create static protocol ip|tcp|udp local-ip <local-ip-add/address range> global-ip <global-ip-add/address range> [local-port <tcp/udp local-port>|any] [global-port <tcp/udp global-port>|any]

Dynamic

You create NAT dynamic bindings by entering the following command in Configure mode.

Enable NAT with dynamic address binding:
    nat create dynamic local-acl-pool <local-acl> global-pool <ip-addr/ip-addr-range/ip-addr-list/ip-addr-mask> [matches-interface <interface>] [enable-ip-overload]

For dynamic address bindings, you define the address pools with previously-created ACLs. You can also specify the enable-port-overload parameter to allow PAT.

Forcing Flows through NAT

If a host on the outside global network knows an inside local address, it can send a message directly to that inside local address. By default, the XP routes the message to the destination. You can force all flows between the inside local pool and the outside global network to be translated; this prevents a host on the outside global network from sending messages directly to any address in the local address pool. You force address translation of all flows to and from the inside local pool by entering the following command in Configure mode.

Force all flows to and from the local address pool to be translated:
    nat set secure-plus on|off

The XP's current ACL/NAT implementation does not make provisions for running standard or PASV FTP sessions across a translated interface when only ports 20 (FTP data port) and 21 (FTP control port) are open for communication. Because FTP uses other higher-numbered ports to establish TCP sessions, FTP sessions established across a NAT-translated interface may hang if those other TCP ports are not open for communication. To allow FTP to establish a TCP session on higher-numbered ports, the NAT-associated ACL must be set up to allow incoming traffic from any port. When running this configuration, it is suggested that NAT secure-plus is
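The following configuration is an added example, not taken from the manual or from an Enterasys configuration, showing how the three commands in this section (static binding, dynamic binding with an ACL-defined pool and PAT, and secure-plus) fit together on one XP. The interface names, port names, addresses (RFC 5737 documentation ranges), the ACL name nat-local, and the "interface create ip", "acl" and "nat set interface" commands are assumptions drawn from general XP CLI usage; only the three nat create/set lines follow syntax given on this page.

```text
! Added example (not from the manual). Names, addresses and the
! "interface create ip", "acl" and "nat set interface" lines are assumptions.

! Inside (local) and outside (global) interfaces
interface create ip int-inside address-netmask 10.1.1.1/24 port et.1.1
interface create ip int-outside address-netmask 192.0.2.1/24 port et.1.2
nat set interface int-inside inside
nat set interface int-outside outside

! Static binding: the mail server keeps a fixed global address, and only
! TCP/25 is mapped, so nothing else on 192.0.2.25 is forwarded inside.
nat create static protocol tcp local-ip 10.1.1.25 global-ip 192.0.2.25 local-port 25 global-port 25

! Dynamic binding: every host matched by the ACL borrows an address from
! the global pool. The ACL permits any source and destination port, which
! the FTP note in this section requires so that data connections on
! higher-numbered ports are not dropped. enable-ip-overload enables PAT,
! so the whole /24 can share the single global address 192.0.2.100.
acl nat-local permit ip 10.1.1.0/24 any any any
nat create dynamic local-acl-pool nat-local global-pool 192.0.2.100 matches-interface int-outside enable-ip-overload

! Weak setting (the default behaviour described above): with secure-plus
! off, an outside host that learns a 10.1.1.x address can reach it
! untranslated, because the XP simply routes the packet.
! nat set secure-plus off

! Corrected setting: force translation of every flow to and from the
! local pool, so untranslated traffic to 10.1.1.x from outside is refused.
nat set secure-plus on
```

The two secure-plus lines are the contrast worth checking in a review of a running configuration: with the setting off, a static binding that maps only TCP/25 still leaves 10.1.1.25 reachable on every other port by anyone who knows the local address, which defeats the point of exposing a single service; with it on, only flows that pass through a binding are forwarded. The ACL deliberately allows any port for the reason the FTP note gives, so it should be paired with secure-plus rather than treated as a filter on its own.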