iMG/RG Software Reference Manual (IPNetwork Functions)
Use Victim Protection status (true or false)
DOS attack block duration (in seconds)
Scan attack block duration (in seconds)
Victim protection block duration (in seconds)
Maximum TCP open handshaking count allowed (per second)
Maximum ping count allowed (per second)
Maximum ICMP count allowed (per second)
Example
--> firewall show IDS
Firewall IDS:
IDS Enabled: false
Use Blacklist: false
Use Victim Protection: false
Dos Attack Block Duration: 1800
Scan Attack Block Duration: 86400
Malicious Attack Block Duration: 86400
Victim Protection Block Duration: 600
Scan Detection Threshold: 5
Scan Detection Period: 10
Port Flood Detection Threshold: 10
Host Flood Detection Threshold: 20
FloodDetectPeriod : 10
Max TCP Open Handshaking Count: 5
Max PING Count: 15
Max ICMP Count: 100
See also
security show IDS
4.4 Network address translation - NAT

4.4.1 Overview
Basic NAT is a router function (described in RFC 1631) that determines how to translate network IP addresses.
As data packets are received on the device's interfaces, data in their protocol headers is compared to criteria
established in NAT rules through global pools and reserved mappings. The criteria include ranges of source or
destination addresses. If the packet meets the criteria of one of the rules, the packet header undergoes the
translation specified by the mapping and the revised packet is forwarded. If the packet does not meet the
criteria, it is discarded. ISOS supports both static and dynamic versions of NAT:
- static NAT: defines a fixed address translation from the internal network to the external network
- dynamic NAT: translates from a pool of local IP addresses to a pool of global IP addresses
NAT provides a mechanism for reducing the need for globally unique IP addresses. It allows you to use
addresses that are not globally unique on your internal network and translate them to a single globally unique
external address.

FIGURE 4-3 Address Conservation Using NAT
4.4.2 NAT support on AT-iMG Models

The NAT module on AT-iMG Models is designed to provide the following features:
- Global IP address pools
- Reserved mappings
- Application level gateways (ALGs)

NAT services are available between an External security interface and Internal security interfaces.
In order to access NAT services, the NAT module must be enabled between a pair of interfaces by using the
NAT ENABLE command and assigning an arbitrary name to this relationship.

Note: Before enabling NAT, the Security module must already be enabled using the SECURITY ENABLE
command. See the Security section for details regarding security interfaces.
Global IP Address Pools
A Global Address Pool is a pool of addresses seen from the external network. By default, each external
interface creates a Global Address Pool with a single address – the address assigned to that interface.
[Figure 4-3, Address Conservation Using NAT: internal hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 sit behind the Unit (Router with NAT), whose single external address 24.2.249.4 faces the Internet]
For outbound sessions, an address is picked from a pool by hashing the source IP address for a pool index and
then hashing again for an address index. For inbound sessions to make use of the global pool, it is necessary to
create a reserved mapping. See below for more information on reserved mappings.
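As an added illustration of the outbound pool selection just described (this is example code written for this page, not ISOS code; the manual does not publish the hash it uses, so the SHA-256 based stand-in, the pool contents and the LAN addresses below are assumptions), the following Python models how a source address is hashed once to choose a pool and again to choose an address inside it, and how several internal hosts therefore end up sharing one global address:

```python
import hashlib
import ipaddress
from collections import defaultdict
from typing import Dict, List, Sequence

# Constructed global pools (assumption). The first pool holds the external
# interface's own address, as the manual says each external interface creates
# by default; the second stands in for a pool added with NAT ADD GLOBALPOOL.
DEFAULT_POOLS: List[List[str]] = [
    ["24.2.249.4"],
    ["24.2.249.10", "24.2.249.11"],
]


def _bucket(data: bytes, buckets: int) -> int:
    """Reduce a stand-in hash (SHA-256, an assumption) of data to an index in range(buckets)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % buckets


def select_global_address(src_ip: str, pools: Sequence[Sequence[str]] = DEFAULT_POOLS) -> str:
    """Pick the external address used for an outbound session from src_ip.

    Hash once over the source address for the pool index, then hash again
    (salted with the pool index) for the address index inside that pool.
    The choice is deterministic: the same internal host always gets the same
    global address, without any per-session state.
    """
    key = ipaddress.ip_address(src_ip).packed
    pool_idx = _bucket(key, len(pools))
    pool = pools[pool_idx]
    addr_idx = _bucket(key + bytes([pool_idx]), len(pool))
    return pool[addr_idx]


def hosts_per_global_address(internal_hosts: Sequence[str],
                             pools: Sequence[Sequence[str]] = DEFAULT_POOLS) -> Dict[str, List[str]]:
    """Group internal hosts by the global address their outbound traffic carries.

    This is the address conservation of Figure 4-3: many private addresses
    appear to the Internet as one (or a few) global addresses.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for host in internal_hosts:
        groups[select_global_address(host, pools)].append(host)
    return dict(groups)


if __name__ == "__main__":
    # Constructed LAN hosts, matching the addresses shown in Figure 4-3
    lan = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    for global_ip, hosts in sorted(hosts_per_global_address(lan).items()):
        print(f"{global_ip} <- {', '.join(hosts)}")
```

Note that the mapping is purely a function of the source address: nothing here gives an inbound packet a path to an internal host, which is why the manual requires a reserved mapping before the global pool can serve inbound sessions.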
4.4.2.1 Reserved mappings
Reserved mapping is used to support NAT traversal.
NAT traversal is a mechanism that makes a service (listening port) on an internal computer accessible to
external computers. NAT traversal operates by having the NAT listen for incoming messages on a selected port
on its external interface. When the NAT receives a message, it uses its internal interface to forward the packet
to the same port number on a selected internal computer (and any responses from the internal computer are
forwarded to the requesting external computer).
Reserved mappings can also be used so that different internal hosts can share a global address by mapping
different ports to different hosts.
For example, Host A is an FTP server and Host B is a Web server.
By choosing a particular IP address in the global address pool, and mapping the FTP port on this address to the
FTP port on Host A and the HTTP port on the global address to the HTTP port on Host B, both internal hosts
can share the same global address.
To add a reserved mapping rule to an existing NAT relation, use the NAT ADD RESVMAP INTERFACE command.
With this command it is possible to set a mapping rule based on port number or protocol number.
Setting the protocol number to 255 (0xFF) means that the mapping will apply to all protocols. Setting the port
number to 65535 (0xFFFF) for TCP or UDP protocols means that the mapping will apply to all port numbers
for that protocol.
4.4.2.2 Application level gateways (ALGs)
Some applications embed address and/or port information in the payload of the packet.
The most notorious of these is FTP. For most applications, it is sufficient to create a trigger with address
replacement enabled. However, there are three applications for which a specific ALG is provided: FTP, NetBIOS
and DNS.
4.4.3 Interactions of NAT and other security features

4.4.3.1 Firewall filters and reserved mappings
So far, the NAT reserved mappings have been considered independently of the firewall.
If the firewall is not enabled, then all that is required to enable NAT to allow in TCP sessions to a certain port
number is to create a reserved mapping for that particular TCP port number.
However, if the firewall is enabled, there is a matter of precedence to consider if a reserved mapping has been
created for a particular TCP port but the firewall is not configured to allow in TCP data for that port.
In this case the blocking by the firewall will take precedence.
So, when the firewall has been enabled, care must be taken to ensure that when NAT reserved mappings are
created, the firewall is also configured to allow in the traffic for which the reserved mapping is defined.
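The following Python model, added here as an example and not code from ISOS or from this manual, puts the reserved-mapping rules of section 4.4.2.1 (protocol 255 matches all protocols, port 65535 matches all TCP/UDP ports, Host A on the FTP port and Host B on the HTTP port sharing one global address) together with the precedence rule just stated: when the firewall is enabled and does not allow the traffic, the packet is dropped whatever reserved mapping exists, and without a matching mapping NAT lets nothing in. The first-match ordering of mappings, the catch-all mapping to 10.0.0.4, the firewall allow-list shape and the behaviour that an internal port of 65535 keeps the packet's own port are assumptions of the model, not documented device behaviour.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Wildcards as the manual defines them for NAT ADD RESVMAP
PROTO_ANY = 255     # protocol 255 (0xFF): the mapping applies to all protocols
PORT_ANY = 65535    # port 65535 (0xFFFF): the mapping applies to all TCP/UDP ports
TCP, UDP, ICMP = 6, 17, 1

# Constructed representation of an inbound packet: (destination global IP, protocol, destination port)
Packet = Tuple[str, int, int]


@dataclass(frozen=True)
class ReservedMapping:
    """One reserved mapping from a global address/port to an internal host/port."""
    global_ip: str
    protocol: int
    global_port: int
    internal_ip: str
    internal_port: int

    def matches(self, pkt: Packet) -> bool:
        dst_ip, proto, dst_port = pkt
        if dst_ip != self.global_ip:
            return False
        if self.protocol not in (PROTO_ANY, proto):
            return False
        # Ports only have meaning for TCP and UDP; other protocols match on protocol alone
        if proto in (TCP, UDP) and self.global_port not in (PORT_ANY, dst_port):
            return False
        return True

    def internal_target(self, pkt: Packet) -> Tuple[str, int]:
        # Assumption: an internal port of PORT_ANY keeps the packet's own port number
        _, _, dst_port = pkt
        port = dst_port if self.internal_port == PORT_ANY else self.internal_port
        return self.internal_ip, port


@dataclass(frozen=True)
class FirewallAllow:
    """An inbound firewall allow entry for a protocol and port (assumed shape; PORT_ANY = any port)."""
    protocol: int
    port: int

    def permits(self, pkt: Packet) -> bool:
        _, proto, dst_port = pkt
        if self.protocol not in (PROTO_ANY, proto):
            return False
        return proto not in (TCP, UDP) or self.port in (PORT_ANY, dst_port)


def translate_inbound(pkt: Packet, mappings: Sequence[ReservedMapping],
                      firewall_enabled: bool,
                      firewall_allows: Sequence[FirewallAllow]) -> Optional[Tuple[str, int]]:
    """Return the (internal_ip, internal_port) an inbound packet is forwarded to, or None if dropped.

    Section 4.4.3.1: an enabled firewall takes precedence over any reserved mapping.
    Section 4.4.2: without a matching reserved mapping NAT allows no inbound session.
    """
    if firewall_enabled and not any(rule.permits(pkt) for rule in firewall_allows):
        return None                      # blocked by the firewall; the mapping never matters
    mapping = next((m for m in mappings if m.matches(pkt)), None)   # first match wins (assumption)
    if mapping is None:
        return None                      # NAT default: inbound sessions are not allowed through
    return mapping.internal_target(pkt)


# Constructed sample: Host A (FTP, 10.0.0.2) and Host B (HTTP, 10.0.0.3) share global address 24.2.249.4
GLOBAL_IP = "24.2.249.4"
MAPPINGS = [
    ReservedMapping(GLOBAL_IP, TCP, 21, "10.0.0.2", 21),   # Host A: FTP port to FTP port
    ReservedMapping(GLOBAL_IP, TCP, 80, "10.0.0.3", 80),   # Host B: HTTP port to HTTP port
]
# A catch-all mapping (protocol 255, port 65535) that sends everything else to 10.0.0.4
CATCH_ALL = ReservedMapping(GLOBAL_IP, PROTO_ANY, PORT_ANY, "10.0.0.4", PORT_ANY)
# A firewall that has only been told to allow inbound HTTP, not FTP
FIREWALL_HTTP_ONLY = [FirewallAllow(TCP, 80)]


if __name__ == "__main__":
    for pkt in [(GLOBAL_IP, TCP, 21), (GLOBAL_IP, TCP, 80), (GLOBAL_IP, UDP, 5000)]:
        print(pkt, "firewall off ->", translate_inbound(pkt, MAPPINGS, False, []))
        print(pkt, "firewall on (HTTP only) ->", translate_inbound(pkt, MAPPINGS, True, FIREWALL_HTTP_ONLY))
    print((GLOBAL_IP, UDP, 5000), "with catch-all ->",
          translate_inbound((GLOBAL_IP, UDP, 5000), MAPPINGS + [CATCH_ALL], False, []))
```

Running it shows the case the manual warns about: with the firewall off, the FTP mapping to Host A works, but once the firewall is on and only HTTP has been allowed in, the same FTP packet is dropped even though its reserved mapping is still present. The catch-all mapping also shows why a protocol-255/port-65535 entry should be configured deliberately: it exposes every port of the chosen internal host that the firewall does not filter.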
4.4.3.2 NAT and dynamic port opening
The description of Dynamic Port Opening (see the Security section) discussed that feature in the context of the
firewall – i.e. the Dynamic Port Opening feature was presented as being required to allow secondary sessions
in through the firewall.
It should be noted that, by default, incoming sessions are not allowed through by NAT either. So, if NAT is
enabled, even if the firewall is not enabled, then if you wish to be able to access services that involve incoming
secondary sessions, then you will need to create Dynamic Port Opening definitions for those services.
So, for example, if you have NAT enabled on the router, and wish for users on the LAN to be able to
successfully access external RealServers, it will be necessary to create a Dynamic Port Opening definition.
4.4.4 NAT and secondary IP addresses
NAT services also work with secondary IP addresses.
In this case it is necessary to create a secondary IP address using the IP INTERFACE ADD SECONDARYIPADDRESS
command and then create a security interface based on this secondary IP interface.
Then a global pool must be added and a reserved mapping configured. If using PPPoE encapsulation, secondary
IP addresses in the global pool must be on a separate subnet. If the secondary IP addresses are on the same
subnet as the external IP address, the addresses are not visible to the external network.

4.4.5 NAT command reference
This section describes the commands available on AT-iMG Models to enable, configure and manage the NAT
module.

4.4.5.1 NAT CLI commands
The table below lists the NAT commands provided by the CLI:
TABLE 4-7 NAT CLI Commands and Product Category

Commands                                     Fiber A  Fiber B  Fiber C  Fiber D  Fiber E  Modular  ADSL A   ADSL B   ADSL C
NAT ENABLE                                      X        X        X        X        X        X        X        X        X
NAT DISABLE                                     X        X        X        X        X        X        X        X        X
NAT ADD GLOBALPOOL                              X        X        X        X        X        X        X        X        X
NAT ADD GLOBALPOOL                              X        X        X        X        X        X        X        X        X
NAT CLEAR GLOBALPOOLS                           X        X        X        X        X        X        X        X        X
NAT DELETE GLOBALPOOL                           X        X        X        X        X        X        X        X        X
NAT IKETRANSLATION                              X        X        X        X        X        X        X        X        X
NAT IKETRANSLATION                              X        X        X        X        X        X        X        X        X
NAT LIST GLOBALPOOLS                            X        X        X        X        X        X        X        X        X
NAT SHOW GLOBALPOOL                             X        X        X        X        X        X        X        X        X
NAT ADD RESVMAP GLOBALIP TCP|UDP|BOTH           X        X        X        X        X        X        X        X        X
NAT ADD RESVMAP GLOBALIP                        X        X        X        X        X        X        X        X        X
NAT ADD RESVMAP INTERFACENAME TCP|UDP|BOTH      X        X        X        X        X        X        X        X        X
NAT ADD RESVMAP INTERFACENAME                   X        X        X        X        X        X        X        X        X
NAT CLEAR RESVMAPS                              X        X        X        X        X        X        X        X        X
NAT DELETE RESVMAP                              X        X        X        X        X        X        X        X        X
NAT DELETE RESVMAP                              X        X        X        X        X        X        X        X        X
NAT SET RESVMAPS ENABLE|DISABLE                 X        X        X        X        X        X        X        X        X
NAT SET RESVMAPS SRCIP                          X        X        X        X        X        X        X        X        X
NAT SHOW RESVMAP                                X        X        X        X        X        X        X        X        X
NAT STATUS                                      X        X        X        X        X        X        X        X        X

4.4.5.1.1 NAT ENABLE
Syntax
NAT ENABLE <name> <interfacename> {INTERNAL|DMZ}