Network Address Translation (NAT) Screens. Avaya BCM50a


Chapter 8

Network Address Translation (NAT) Screens

This chapter discusses how to configure NAT on the BCM50a Integrated Router.

NAT overview

NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network.

NAT definitions

Inside/outside denotes where a host is located relative to the BCM50a Integrated Router. For example, the computers of your subscribers are the inside hosts, while the Web servers on the Internet are the outside hosts.

Global/local denotes the IP address of a host in a packet as the packet traverses a router. For example, the local address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side.

BCM50a Integrated Router Configuration — Basics


Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side. Table 23 summarizes this information.

Table 23 NAT definitions

Term     Description
Inside   This refers to the host on the LAN.
Outside  This refers to the host on the WAN.
Local    This refers to the packet address (source or destination) as the packet travels on the LAN.
Global   This refers to the packet address (source or destination) as the packet travels on the WAN.

Note: NAT never changes the IP address (either local or global) of an outside host.

What NAT does

In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) to the inside local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed.

The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers (for example, a web server and a Telnet server) on your local network and make them accessible to the outside world. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping), NAT offers the additional benefit of firewall protection. With no servers defined, your BCM50a Integrated Router filters out all incoming inquiries, thus preventing intruders from probing your network. For more information about IP address translation, refer to The IP Network Address Translator (NAT) (RFC 1631).

N0115790


How NAT works

Each packet has two addresses: a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally unique ones required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The BCM50a Integrated Router keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored, as illustrated in Figure 32.

Figure 32 How NAT works


Port restricted cone NAT

The BCM50a Integrated Router uses port restricted cone NAT.

Port restricted cone NAT maps all requests from the same private IP address and port to the same public IP address and port. A host on the Internet can only send a packet to the private IP address and port if the private IP address and port has previously sent a packet to the IP address and port of that host.


In Figure 33, B can send packets, with source IP address e.f.g.h and port 20202, to A because A previously sent a packet to IP address e.f.g.h and port 20202. B cannot send packets, with source IP address e.f.g.h and port 10101, to A because A has not sent a packet to IP address e.f.g.h and port 10101.

Figure 33 Port Restricted Cone NAT
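As an added illustration (not code from the Avaya manual), the following Python model implements the port restricted cone NAT rule above and replays the Figure 33 case; the LAN host address and the router's public address are placeholders.

```python
# Added example (not the router's firmware): a model of the port restricted cone
# NAT behaviour described above. An outbound packet from a LAN host creates a
# (private IP, port) -> public port mapping and records the remote (IP, port) it
# was sent to; an inbound packet reaches the LAN host only if its source (IP, port)
# is one of those previously contacted endpoints. Addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PUBLIC_IP = "a.b.c.d"                         # the router's WAN address (placeholder)


@dataclass
class Binding:
    public_port: int
    contacted: Set[Tuple[str, int]] = field(default_factory=set)   # remote endpoints sent to


class PortRestrictedConeNAT:
    def __init__(self, first_port: int = 40000):
        self.next_port = first_port
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (private IP, private port) -> Binding
        self.by_public: Dict[int, Tuple[str, int]] = {}      # public port -> private endpoint

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """LAN host sends a packet to the WAN; returns the translated source (IP, port)."""
        key = (src_ip, src_port)
        binding = self.bindings.get(key)
        if binding is None:
            # The same private IP and port always maps to the same public IP and port.
            binding = Binding(self.next_port)
            self.next_port += 1
            self.bindings[key] = binding
            self.by_public[binding.public_port] = key
        binding.contacted.add((dst_ip, dst_port))
        return PUBLIC_IP, binding.public_port

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Tuple[str, int]]:
        """WAN host sends a packet to one of the router's public ports; returns the
        LAN (IP, port) it is forwarded to, or None when the NAT drops it."""
        key = self.by_public.get(dst_port)
        if key is None:
            return None                                       # no mapping for this public port
        if (src_ip, src_port) not in self.bindings[key].contacted:
            return None                                       # LAN host never sent to this IP:port
        return key


def figure_33_scenario():
    """Replays Figure 33: A sent to e.f.g.h:20202, so only that endpoint may reply.
    Returns what the NAT does with three inbound packets to A's public port."""
    nat = PortRestrictedConeNAT()
    host_a = ("192.168.1.33", 5000)
    _, public_port = nat.outbound(*host_a, "e.f.g.h", 20202)
    from_20202 = nat.inbound("e.f.g.h", 20202, public_port)   # allowed: previously contacted
    from_10101 = nat.inbound("e.f.g.h", 10101, public_port)   # dropped: different port
    from_other = nat.inbound("w.x.y.z", 20202, public_port)   # dropped: different host
    return from_20202, from_10101, from_other
```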

NAT application

Figure 34 illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the BCM50a Integrated Router can communicate with three distinct WAN networks. More examples follow at the end of this chapter.


Figure 34 NAT application with IP Alias


NAT mapping types

NAT supports five types of IP/port mapping. They are:

One to One: In One-to-One mode, the BCM50a Integrated Router maps one local IP address to one global IP address.

Many to One: In Many-to-One mode, the BCM50a Integrated Router maps multiple local IP addresses to one global IP address. This is equivalent to SUA (that is, PAT, port address translation), the Single User Account feature (the SUA Only option).

Many to Many Overload: In Many-to-Many Overload mode, the BCM50a Integrated Router maps the multiple local IP addresses to shared global IP addresses.

Many One to One: In Many-One-to-One mode, the BCM50a Integrated Router maps each local IP address to a unique global IP address.

Server: With this type you can specify inside servers of different services behind the NAT to be accessible to the outside world. Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.


Table 24 summarizes these types.

Table 24 NAT mapping type

Type                    IP Mapping                 SMT Abbreviations
One-to-One              ILA1 <-> IGA1              1-1
Many-to-One (SUA/PAT)   ILA1 <-> IGA1              M-1
                        ILA2 <-> IGA1
Many-to-Many Overload   ILA1 <-> IGA1              M-M Ov
                        ILA2 <-> IGA2
                        ILA3 <-> IGA1
                        ILA4 <-> IGA2
Many-One-to-One         ILA1 <-> IGA1              M-1-1
                        ILA2 <-> IGA2
                        ILA3 <-> IGA3
Server                  Server 1 IP <-> IGA1       Server
                        Server 2 IP <-> IGA1
                        Server 3 IP <-> IGA1

Using NAT

Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the BCM50a Integrated Router.

SUA (Single User Account) versus NAT

SUA (Single User Account) is an implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The BCM50a Integrated Router also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Select either SUA Only or Full Feature in WAN IP.


SUA Server

A SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world.

You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example, both FTP and web service), it is better to specify a range of port numbers. You can allocate a server IP address that corresponds to a port or a range of ports.

With many residential broadband ISP accounts you cannot run any server processes (such as a Web or FTP server) from your location. Your ISP periodically checks for servers and can suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP.

Default server IP address

In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.

Note: If you do not assign a Default Server IP Address, the BCM50a Integrated Router discards all packets received for ports that are not specified here or in the remote management setup.


Port forwarding: Services and Port Numbers

The most often used port numbers are shown in Table 25. Refer to Assigned Numbers (RFC 1700) for further information about port numbers.

Table 25 Services and port numbers

Services                                            Port Number
ECHO                                                7
FTP (File Transfer Protocol)                        21
SMTP (Simple Mail Transfer Protocol)                25
DNS (Domain Name System)                            53
Finger                                              79
HTTP (Hyper Text Transfer protocol or WWW, Web)     80
POP3 (Post Office Protocol)                         110
NNTP (Network News Transport Protocol)              119
SNMP (Simple Network Management Protocol)           161
SNMP trap                                           162
PPTP (Point-to-Point Tunneling Protocol)            1723

Configuring servers behind SUA (example)

For example, you want to assign ports 22-25 to one server, port 80 to another and assign a default server IP address of 192.168.1.35, as shown in Figure 35.


Figure 35 Multiple servers behind NAT example


Configuring SUA Server

Note: If you do not assign a Default Server IP Address, then all packets received for ports not specified in this screen are discarded.

Click SUA/NAT to open the SUA Server screen.

Refer to Chapter 10, “Firewalls,” on page 145 and Chapter 11, “Firewall screens,” on page 161 for port numbers commonly used for particular services.


Figure 36 SUA/NAT setup


Table 26 describes the fields in Figure 36.

Table 26 SUA/NAT setup

Label                  Description
Default Server         In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP address, then all packets received for ports not specified in this screen are discarded.
#                      Number of an individual SUA server entry.
Active                 Select this check box to enable the SUA server entry. Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry.
Name                   Enter a name to identify this port forwarding rule.
Start Port, End Port   Enter a port number here. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field.
Server IP Address      Enter the inside IP address of the server here.
Apply                  Click Apply to save your changes to the BCM50a Integrated Router.
Reset                  Click Reset to clear your changes.

Configuring Address Mapping

Ordering your rules is important because the BCM50a Integrated Router applies the rules in the order that you specify. When a rule matches the current packet, the BCM50a Integrated Router takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule is pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and you configure rule number 9, the new rule becomes rule 7, not 9, in the set summary screen. If you delete rule 4, rules 5 to 7 are pushed up by 1 rule, so old rules 5, 6, and 7 become new rules 4, 5, and 6.
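The following Python model, added here and not part of the manual, shows how the mapping types of Table 24 and the first-match rule ordering described above interact; all IP addresses in it are constructed.

```python
# Added example (not the router's firmware): a model of how the BCM50a applies
# its ordered address mapping rules: top to bottom, first match wins. Many-to-One
# and Many-to-Many Overload rewrite the source port; One-to-One and
# Many-One-to-One keep it, as Table 24 states. All addresses are constructed.
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ALL_LOCAL = ("0.0.0.0", "255.255.255.255")   # the manual's "all local IP addresses" range


class Rule:
    def __init__(self, rtype: str, local_start: str, local_end: Optional[str],
                 global_start: str, global_end: Optional[str] = None):
        self.rtype = rtype                                  # "1-1", "M-1", "M-M Ov" or "M-1-1"
        self.local_start = IPv4Address(local_start)
        self.local_end = IPv4Address(local_end or local_start)
        self.global_start = IPv4Address(global_start)
        self.global_end = IPv4Address(global_end or global_start)

    def matches(self, ila: IPv4Address) -> bool:
        return self.local_start <= ila <= self.local_end


class AddressMapper:
    def __init__(self, rules: List[Optional[Rule]], first_port: int = 1024):
        self.rules = [r for r in rules if r is not None]   # empty slots are pushed up
        self.next_port = first_port

    def _new_port(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate(self, ila: str, src_port: int) -> Optional[Tuple[str, int, int]]:
        """Return (IGA, WAN source port, 1-based rule number), or None if no rule matches."""
        addr = IPv4Address(ila)
        for number, rule in enumerate(self.rules, start=1):
            if not rule.matches(addr):
                continue                                     # try the next rule
            offset = int(addr) - int(rule.local_start)
            n_global = int(rule.global_end) - int(rule.global_start) + 1
            if rule.rtype == "1-1":                          # one ILA -> one IGA, port unchanged
                return str(rule.global_start), src_port, number
            if rule.rtype == "M-1":                          # SUA/PAT: every ILA -> IGA1, new port
                return str(rule.global_start), self._new_port(), number
            if rule.rtype == "M-M Ov":                       # ILAs share the IGA pool, new port
                return str(rule.global_start + offset % n_global), self._new_port(), number
            if rule.rtype == "M-1-1":                        # each ILA -> its own IGA, port unchanged
                if offset >= n_global:
                    return None                              # no global address left for this ILA
                return str(rule.global_start + offset), src_port, number
            raise ValueError("unknown mapping type " + rule.rtype)
        return None                                          # no match: packet is not translated


def ordering_demo() -> Tuple[str, str]:
    """Same two rules in two orders: a catch-all Many-to-One rule placed first
    shadows the One-to-One rule for 192.168.1.10, because the first match wins."""
    catch_all = Rule("M-1", *ALL_LOCAL, "203.0.113.1")
    one_to_one = Rule("1-1", "192.168.1.10", None, "203.0.113.2")
    shadowed = AddressMapper([catch_all, one_to_one]).translate("192.168.1.10", 5000)
    correct = AddressMapper([one_to_one, catch_all]).translate("192.168.1.10", 5000)
    return shadowed[0], correct[0]
```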

To change the NAT address mapping settings, click SUA/NAT, then the Address Mapping tab. The screen appears as shown in Figure 37.


Figure 37 Address Mapping


Table 27 describes the fields in Figure 37.

Table 27 Address Mapping

Label            Description
Local Start IP   This refers to the Inside Local Address (ILA), that is, the starting local IP address. Local IP addresses are N/A for Server port mapping.
Local End IP     This is the end Inside Local Address (ILA). If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types.
Global Start IP  This refers to the Inside Global IP Address (IGA). 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types.
Global End IP    This is the ending Inside Global Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Type             1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type.
                 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (that is, PAT, port address translation), the Single User Account feature.
                 3. Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.
                 4. Many One-to-One mode maps each local IP address to a unique global IP address.
                 5. Server permits you to specify inside servers of different services behind the NAT to be accessible to the outside world.
Edit             Click Edit to go to the Address Mapping Rule screen.
Delete           Click Delete to delete an address mapping rule.
Insert           Click Insert to insert a new mapping rule before an existing one.

Configuring Address Mapping

To edit an Address Mapping rule, click the Edit button to display the screen shown in Figure 38.


Figure 38 Address Mapping edit


Table 28 describes the fields in Figure 38.

Table 28 Address Mapping edit

Label            Description
Type             Choose the port mapping type from one of the following.
                 1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type.
                 2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (that is, PAT, port address translation), the Single User Account feature.
                 3. Many-to-Many Ov (Overload): Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.
                 4. Many One-to-One: Many One-to-One mode maps each local IP address to a unique global IP address.
                 5. Server: With this type, you can specify inside servers of different services behind the NAT to be accessible to the outside world.
Local Start IP   This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping.
Local End IP     This is the end Inside Local IP Address (ILA). If your rule is for all local IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types.
Global Start IP  This is the starting Inside Global IP Address (IGA). Enter 0.0.0.0 here if you have a dynamic IP address from your ISP.
Global End IP    This is the ending Inside Global IP Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Apply            Click Apply to save your changes to the BCM50a Integrated Router.
Reset            Click Reset to begin configuring this screen afresh.

Trigger Port Forwarding

Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address.

Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The BCM50a Integrated Router records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a trigger port). When the WAN port on the BCM50a Integrated Router receives a response with a specific port number and protocol (incoming port), the BCM50a Integrated Router forwards the traffic to the LAN IP address of the computer that sent the request. After that connection closes, another computer on the LAN can use the service in the same manner. This way, you do not need to configure a new IP address each time you want a different LAN computer to use the application.

Trigger Port Forwarding example

Figure 39 illustrates an example of trigger port forwarding.


Figure 39 Trigger Port Forwarding process: example


1 Jane (A) requests a file from the Real Audio server (port 7070).

2 Port 7070 is a trigger port and causes the BCM50a Integrated Router to record Jane’s computer IP address. The BCM50a Integrated Router associates Jane's computer IP address with the incoming port range of 6970-7170.

3 The Real Audio server responds using a port number ranging between 6970-7170.

4 The BCM50a Integrated Router forwards the traffic to Jane’s computer IP address.

5 Only Jane can connect to the Real Audio server until the connection is closed or times out. The BCM50a Integrated Router times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transmission Control Protocol/Internet Protocol).

Two points to remember about Trigger Ports

Trigger events only happen on data that is coming from inside the BCM50a Integrated Router and going to the outside.

If an application needs a continuous data stream, that port (range) is tied up so that another computer on the LAN cannot trigger it.
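The following Python model, added here and not the router's own code, walks through the Figure 39 trigger port sequence and both points above (triggers fire only on outbound data; a trigger in use is unavailable to other LAN computers); the LAN addresses are constructed.

```python
# Added example (not the router's firmware): a model of trigger port forwarding
# as described above. An outbound LAN packet whose destination port falls in a
# rule's trigger range records the sender's IP; inbound traffic on the rule's
# incoming range then goes to that host until close or timeout (3 min UDP, 2 h TCP).
from typing import List, Optional, Tuple

TIMEOUT_SECONDS = {"udp": 3 * 60, "tcp": 2 * 60 * 60}   # timeouts stated in the manual


class TriggerRule:
    def __init__(self, name: str, incoming: Tuple[int, int], trigger: Tuple[int, int]):
        self.name = name
        self.incoming = incoming           # port range the WAN server replies from
        self.trigger = trigger             # outbound destination range that arms the rule
        self.holder: Optional[str] = None  # LAN IP currently holding the trigger, if any
        self.expires_at = 0.0

    def armed(self, now: float) -> bool:
        return self.holder is not None and now < self.expires_at


class TriggerForwarder:
    def __init__(self, rules: List[TriggerRule]):
        self.rules = rules

    def outbound(self, now: float, lan_ip: str, dst_port: int, proto: str) -> Optional[str]:
        """LAN -> WAN packet. Arms (or refreshes) the matching rule for lan_ip and
        returns its name; returns None when another LAN host still holds it."""
        for rule in self.rules:
            if not rule.trigger[0] <= dst_port <= rule.trigger[1]:
                continue
            if rule.armed(now) and rule.holder != lan_ip:
                return None                # only one LAN computer per trigger at a time
            rule.holder = lan_ip           # record the requesting computer's IP
            rule.expires_at = now + TIMEOUT_SECONDS[proto]
            return rule.name
        return None

    def inbound(self, now: float, src_port: int) -> Optional[str]:
        """WAN -> LAN packet. Returns the LAN IP to forward to, or None (dropped).
        Inbound data never arms a rule: triggers fire only on inside-to-outside data."""
        for rule in self.rules:
            if rule.incoming[0] <= src_port <= rule.incoming[1] and rule.armed(now):
                return rule.holder
        return None

    def close(self, name: str) -> None:
        """Connection closed: free the trigger so another LAN computer can use it."""
        for rule in self.rules:
            if rule.name == name:
                rule.holder, rule.expires_at = None, 0.0


def figure_39_scenario() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    """Replays the Figure 39 walk-through; LAN addresses are constructed."""
    fwd = TriggerForwarder([TriggerRule("RealAudio", incoming=(6970, 7170), trigger=(7070, 7070))])
    jane, other = "192.168.1.10", "192.168.1.11"
    fwd.outbound(0.0, jane, 7070, "udp")             # steps 1-2: Jane's request records her IP
    to_jane = fwd.inbound(1.0, 7000)                 # steps 3-4: reply from 6970-7170 goes to Jane
    blocked = fwd.outbound(2.0, other, 7070, "udp")  # step 5: nobody else until close/timeout
    expired = fwd.inbound(181.0, 7000)               # 3 minutes later (UDP): trigger has timed out
    taken_over = fwd.outbound(181.0, other, 7070, "udp")
    return to_jane, blocked, expired, taken_over
```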


Configuring Trigger Port Forwarding

To change trigger port settings of your BCM50a Integrated Router, click SUA/NAT and the Trigger Port tab. The screen appears as shown in Figure 40.

Note: Only one LAN computer can use a trigger port (range) at a time.

Figure 40 Trigger Port


Table 29 describes the fields in Figure 40.

Table 29 Trigger Port

Label          Description
No.            This is the rule index number (read-only).
Name           Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces.
Incoming       Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The BCM50a Integrated Router forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
  Start Port   Type a port number or the starting port number in a range of port numbers.
  End Port     Type a port number or the ending port number in a range of port numbers.
Trigger        The trigger port is a port (or a range of ports) that causes (or triggers) the BCM50a Integrated Router to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
  Start Port   Type a port number or the starting port number in a range of port numbers.
  End Port     Type a port number or the ending port number in a range of port numbers.
Apply          Click Apply to save your changes to the BCM50a Integrated Router.
Reset          Click Reset to begin configuring this screen afresh.

