F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices NAT and ALG Configuration Guide-6PW100

Static mappings
Figure 35 User tracing process
The transition technology deployment scheme supports two IP-port mapping modes: static and dynamic.
• Static IP-port mapping mode—AAA and Carrier Grade NAT (CGN) set parameters through the network management system and execute the same algorithm for generating mappings. During address tracing, AAA and CGN do not exchange mappings with each other, and trace the address directly.
• Dynamic IP-port mapping mode—CGN reports the mappings between user addresses and port blocks to the log server or AAA server through syslogs or RADIUS packets. During address tracing, AAA requests the mappings from the log server.
The dynamic IP-port mapping mode applies to Broadband Remote Access Server (BRAS) cards. After assigning an IP address to an online user, BRAS dynamically determines the public address and port block used by the user, generates an address mapping table, and then reports the table to the AAA server through extended RADIUS packets. In theory, this mode uses port block resources effectively, but it takes effect only when no user accesses any service for a long time.
The following factors may affect user tracing:
• When a great number of users are going online and offline, the large number of syslogs and RADIUS packets generated increases the load on AAA servers or log servers. As a result, log servers cannot meet the requirements and the performance of AAA servers may be affected.
• Syslogs and RADIUS packets are UDP packets, so dynamic IP-port mappings may be lost.
• In dynamic IP-port mapping mode, mappings are supposed to be stored in a time-phased manner. Therefore, the AAA servers and log servers must have large storage space.
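The static IP-port mapping mode described above, as an added example that is not from the HP guide: both sides are provisioned with the same parameters and run the same function, so a public address and port can be traced back to a private address without any exchanged mapping. The guide does not specify the algorithm; the block formula, the names `StaticPortBlockPlan`, `forward` and `trace`, and all addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticPortBlockPlan:
    """Parameters provisioned identically on the CGN and AAA sides (assumed names)."""
    private_net: ipaddress.IPv4Network
    public_pool: ipaddress.IPv4Network
    port_start: int = 1024   # ports below this are never assigned
    block_size: int = 1000   # ports per user

    @property
    def blocks_per_ip(self):
        return (65536 - self.port_start) // self.block_size

    def forward(self, private_ip):
        """Private address -> (public address, first port, last port)."""
        idx = int(ipaddress.IPv4Address(private_ip)) - int(self.private_net.network_address)
        if not 0 <= idx < self.private_net.num_addresses:
            raise ValueError("address outside the private range")
        ip_idx, block = divmod(idx, self.blocks_per_ip)
        if ip_idx >= self.public_pool.num_addresses:
            raise ValueError("public pool too small for this plan")
        first = self.port_start + block * self.block_size
        return self.public_pool[ip_idx], first, first + self.block_size - 1

    def trace(self, public_ip, port):
        """(public address, source port) -> private address, or None if unmapped."""
        pub = ipaddress.IPv4Address(public_ip)
        if pub not in self.public_pool or port < self.port_start:
            return None
        block = (port - self.port_start) // self.block_size
        if block >= self.blocks_per_ip:
            return None  # leftover ports above the last full block
        idx = (int(pub) - int(self.public_pool.network_address)) * self.blocks_per_ip + block
        if idx >= self.private_net.num_addresses:
            return None
        return self.private_net[idx]

# Constructed sample plan: 256 private users share 4 public addresses, 64 blocks each.
PLAN = StaticPortBlockPlan(ipaddress.ip_network("100.64.0.0/24"),
                           ipaddress.ip_network("203.0.113.0/30"))
```

`PLAN.trace("203.0.113.1", 7500)` resolves to the same user that `PLAN.forward("100.64.0.70")` places on that address and port block, using only the shared parameters.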
NAT unlimited connection
NAT unlimited connection allows NAT addresses and port numbers to be reused without limit.
As shown in Figure 36, different sources (different addresses or different ports) can reuse a NAT address and port number as long as the destination address or destination port number is different.