Chapter 6 Network Address Translation (NAT) Screens
P-660R-F1 Series User’s Guide
76
6.1.2 What NAT Does
In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed.
The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers, for example, a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping – see Table 24 on page 78), NAT offers the additional benefit of firewall protection. With no servers defined, your ZyXEL Device filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).
6.1.3 How NAT Works
Each packet has two addresses – a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally unique ones required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyXEL Device keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.
Figure 40 How NAT Works
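
The translation described above, as an added example that is not part of the original guide or the device's firmware: a minimal Many-to-One table that rewrites outgoing packets, restores replies, and drops inbound packets that match no entry. The class name, the addresses and the starting port 50000 are constructed; matching replies on the global port alone is a simplifying assumption.

```python
# Added illustration of Many-to-One (SUA/PAT) translation; not device firmware.
# All addresses and the starting port 50000 are constructed sample values.

class ManyToOneNat:
    def __init__(self, iga, first_port=50000):
        self.iga = iga                # the single Inside Global Address
        self.next_port = first_port   # next free source port on the WAN side
        self.out = {}                 # (proto, ILA, port) -> global port
        self.back = {}                # (proto, global port) -> (ILA, port)

    def outbound(self, proto, src, sport, dst, dport):
        """LAN -> WAN: replace the ILA and source port, remember the originals."""
        key = (proto, src, sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(proto, self.next_port)] = (src, sport)
            self.next_port += 1
        # The outside host's address (dst) is never changed.
        return (proto, self.iga, self.out[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """WAN -> LAN: restore the original values, or return None to drop."""
        # Assumption: replies are matched on the global port only; the remote
        # endpoint is not checked in this sketch.
        original = self.back.get((proto, dport)) if dst == self.iga else None
        if original is None:
            return None               # no matching entry: unsolicited, dropped
        ila, ila_port = original
        return (proto, src, sport, ila, ila_port)


def demo():
    nat = ManyToOneNat("203.0.113.5")
    web = ("198.51.100.80", 80)
    first = nat.outbound("tcp", "192.168.1.33", 1025, *web)
    second = nat.outbound("tcp", "192.168.1.34", 1025, *web)  # same local port
    reply = nat.inbound("tcp", *web, "203.0.113.5", second[2])
    probe = nat.inbound("tcp", "198.51.100.99", 40000, "203.0.113.5", 23)
    return first, second, reply, probe


if __name__ == "__main__":
    for packet in demo():
        print(packet)
```

Two inside hosts using the same local port receive different global ports, which is why port numbers change in the overload mapping types.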
6.1.4 NAT Application
The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyXEL Device can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
Figure 41 NAT Application With IP Alias
6.1.5 NAT Mapping Types
NAT supports five types of IP/port mapping. They are:
• One to One: In One-to-One mode, the ZyXEL Device maps one local IP address to one global IP address.
• Many to One: In Many-to-One mode, the ZyXEL Device maps multiple local IP addresses to one global IP address. This is equivalent to SUA (for instance, PAT, port address translation), ZyXEL’s Single User Account feature that previous ZyXEL routers supported (the SUA Only option in today’s routers).
• Many to Many Overload: In Many-to-Many Overload mode, the ZyXEL Device maps the multiple local IP addresses to shared global IP addresses.
• Many-to-Many No Overload: In Many-to-Many No Overload mode, the ZyXEL Device maps each local IP address to a unique global IP address.
• Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.
Port numbers do NOT change for One-to-One and Many-to-Many No Overload NAT mapping types.
The following table summarizes these types.
Table 24 NAT Mapping Types
TYPE                        IP MAPPING
One-to-One                  ILA1 ↔ IGA1
Many-to-One (SUA/PAT)       ILA1 ↔ IGA1
                            ILA2 ↔ IGA1
Many-to-Many Overload       ILA1 ↔ IGA1
                            ILA2 ↔ IGA2
                            ILA3 ↔ IGA1
                            ILA4 ↔ IGA2
Many-to-Many No Overload    ILA1 ↔ IGA1
                            ILA2 ↔ IGA2
                            ILA3 ↔ IGA3
Server                      Server 1 IP ↔ IGA1
                            Server 2 IP ↔ IGA1
                            Server 3 IP ↔ IGA1
6.2 SUA (Single User Account) Versus NAT
SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyXEL Device also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in Table 24 on page 78.
• Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device.
• Choose Full Feature if you have multiple public WAN IP addresses for your ZyXEL Device.
6.3 NAT General Setup
You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyXEL Device. Click Network > NAT to open the following screen. Not all fields are available on all models.
Figure 42 NAT General
The following table describes the labels in this screen.
Table 25 NAT General
LABEL: DESCRIPTION
Active Network Address Translation (NAT): Select this check box to enable NAT.
SUA Only: Select this radio button if you have just one public WAN IP address for your ZyXEL Device.
Full Feature: Select this radio button if you have multiple public WAN IP addresses for your ZyXEL Device.
Max NAT/Firewall Session Per User: When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessions. If you do not limit the number of NAT sessions a single client can establish, this can result in all of the available NAT sessions being used. In this case, no additional NAT sessions can be established, and users may not be able to access the Internet.
Each NAT session establishes a corresponding firewall session. Use this field to limit the number of NAT/firewall sessions each client computer can establish through the ZyXEL Device.
If your network has a small number of clients using peer to peer applications, you can raise this number to ensure that their performance is not degraded by the number of NAT sessions they can establish. If your network has a large number of users using peer to peer applications, you can lower this number to ensure no single client is using all of the available NAT sessions.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to reload the previous configuration for this screen.
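
The effect of the Max NAT/Firewall Session Per User field, worked through as an added example that is not part of the original guide: a shared session table is filled in request order, with and without a per-client limit. The table capacity of 2048, the limits, the client names and the function names are constructed assumptions, not values from the device.

```python
# Added illustration of per-client NAT session limiting; not device firmware.
# CAPACITY and all client demands below are constructed sample values.

CAPACITY = 2048  # total NAT sessions available in this sketch


def grant_sessions(capacity, per_client_limit, demands):
    """Return {client: sessions granted} for requests served in order.

    demands is a list of (client, sessions_wanted); a per_client_limit of
    None means no limit is configured.
    """
    granted = {}
    free = capacity
    for client, wanted in demands:
        have = granted.get(client, 0)
        if per_client_limit is None:
            allowed = wanted
        else:
            allowed = min(wanted, per_client_limit - have)
        take = max(0, min(allowed, free))   # never exceed what is left
        granted[client] = have + take
        free -= take
    return granted


def scenarios():
    one_p2p = [("p2p-1", 5000), ("laptop", 20)]
    five_p2p = [(f"p2p-{i}", 5000) for i in range(1, 6)] + [("laptop", 20)]
    return {
        # One peer to peer client takes every session; the laptop gets none.
        "no_limit": grant_sessions(CAPACITY, None, one_p2p),
        # A limit keeps room for other clients.
        "limit_512_one_p2p": grant_sessions(CAPACITY, 512, one_p2p),
        # Many heavy clients: 5 x 512 exceeds the table, so later ones starve.
        "limit_512_five_p2p": grant_sessions(CAPACITY, 512, five_p2p),
        # Lowering the limit restores headroom for everyone.
        "limit_256_five_p2p": grant_sessions(CAPACITY, 256, five_p2p),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```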
6.4 Port Forwarding
A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world.
You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers. You can allocate a server IP address that corresponds to a port or a range of ports.
Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP.
6.4.1 Default Server IP Address
In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.
Note: If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
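
The lookup described in sections 6.4 and 6.4.1, as an added example that is not part of the original guide or the device's firmware: it resolves an incoming WAN port against a port forwarding set and counts how many ports reach an inside host with and without a default server. The names, addresses and the first-match rule order are assumptions, and remote management ports are left out.

```python
# Added illustration of a port forwarding set with an optional default
# server; not device firmware. All IP addresses are constructed samples.

def parse_ports(spec):
    """'80' -> (80, 80); '20-21' -> (20, 21)."""
    start, _, end = spec.partition("-")
    low = int(start)
    high = int(end) if end else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port specification: {spec!r}")
    return low, high


class PortForwardingSet:
    def __init__(self, rules, default_server=None):
        # rules: list of (port or port range, inside server IP)
        self.rules = [(parse_ports(ports), ip) for ports, ip in rules]
        self.default_server = default_server

    def resolve(self, port):
        """Inside host that receives a WAN packet for this port, or None."""
        for (low, high), ip in self.rules:   # assumption: first match wins
            if low <= port <= high:
                return ip
        return self.default_server           # None means the packet is discarded

    def exposed_port_count(self):
        """Number of WAN ports that are forwarded to some inside host."""
        if self.default_server is not None:
            return 65535                     # every unspecified port is forwarded
        total, covered_to = 0, 0
        for low, high in sorted(ports for ports, _ in self.rules):
            low = max(low, covered_to + 1)   # skip ports already counted
            if low <= high:
                total += high - low + 1
                covered_to = high
        return total


RULES = [("80", "192.168.1.10"), ("20-21", "192.168.1.11")]
without_default = PortForwardingSet(RULES)
with_default = PortForwardingSet(RULES, default_server="192.168.1.50")

if __name__ == "__main__":
    for name, pf in (("no default", without_default), ("default", with_default)):
        print(name, pf.resolve(80), pf.resolve(23), pf.exposed_port_count())
```

Comparing the two counts before assigning a default server shows how much of the inside host becomes reachable from the WAN.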
6.4.2 Port Forwarding: Services and Port Numbers
Use the Port Forwarding screen to forward incoming service requests to the server(s) on your local network.
The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers.
Table 26 Services and Port Numbers
SERVICES                                            PORT NUMBER
ECHO                                                7
FTP (File Transfer Protocol)                        21
SMTP (Simple Mail Transfer Protocol)                25
DNS (Domain Name System)                            53
Finger                                              79
HTTP (Hyper Text Transfer Protocol or WWW, Web)     80
POP3 (Post Office Protocol)                         110
NNTP (Network News Transport Protocol)              119
SNMP (Simple Network Management Protocol)           161
SNMP trap                                           162
PPTP (Point-to-Point Tunneling Protocol)            1723
