IBM Books

Using and Configuring Features Version 3.4


Configuring and Monitoring Network Address Translator

This chapter describes the Network Address Translator (NAT) configuring and monitoring commands and includes the following sections:

   Accessing the Network Address Translator Configuration Environment
   Network Address Translator Configuration Commands
   Accessing the Network Address Translator Monitoring Environment
   Network Address Translator Monitoring Commands
   NAT Dynamic Reconfiguration Support


Accessing the Network Address Translator Configuration Environment

To access the NAT configuration environment, enter the following command at the Config> prompt:

   Config> feature nat
   Network Address Protocol user configuration
   NAT config>

Network Address Translator Configuration Commands

This section explains the Network Address Translator (NAT) configuration commands. To configure NAT, enter these commands at the NAT config> prompt.

Table 54. NAT Configuration Commands
Command Function
? (Help) Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Change Changes public IP address reserve pools, private address translate ranges, and static mappings.
Delete Deletes public IP address reserve pools, private address translate ranges, and static mappings.
Disable Disables NAT.
Enable Enables NAT.
List Lists information about the NAT configuration.
Map Creates a static NAT or NAPT binding for a station or server.
Reserve Creates a public IP address pool and appends addresses to that pool.
Reset Causes the router to read in the NAT configuration and run according to the NAT rules that have been configured.
Set Sets timeouts.
Translate Identifies the private IP addresses to be translated by the NAT public address pool.
Exit Returns you to the previous command level. See "Exiting a Lower Level Environment".

Change

Use the change command to change public IP address reserve pools, private IP address translate ranges, and static mappings.

Syntax:

change
   reserve pools
   translate ranges
   mappings

reserve pools
Provides prompts that enable you to change characteristics of any of the public IP address reserve pools (such as IP addresses and masks) .

Valid Values: An index number to identify the configured pool. This number is displayed when you enter the list reserve pools command.

Default Value: none

translate ranges
Provides prompts that enable you to change characteristics of any of the private IP address translate ranges (such as IP addresses and masks).

Valid Values: An index number to identify the configured translate range. This number is displayed when you enter the list translate command.

Default Value: none

mappings
Provides prompts that enable you to change characteristics of any of the static address mappings (such as IP addresses and ports).

Valid Values: An index number to identify the configured mapping. This number is displayed when you enter the list mappings command.

Default Value: none

Delete

Use the delete command to delete public IP address reserve pools, private IP address translate ranges, and mappings.

Syntax:

delete
   reserve pools
   translate ranges
   mappings

reserve pools
Provides prompts that enable you to delete any of the public IP address reserve pools.

Valid Values: An index number to identify the configured pool. This number is displayed when you enter the list reserve pools command.

Default Value: none

translate ranges
Provides prompts that enable you to delete any of the private IP address translate ranges.

Valid Values: An index number to identify the configured translate range. This number is displayed when you enter the list translate command.

Default Value: none

mappings
Provides prompts that enable you to delete any of the static address mappings.

Valid Values: An index number to identify the configured mapping. This number is displayed when you enter the list mappings command.

Default Value: none

Disable

Use the disable command to disable NAT. You can disable NAT so that it drops packets that require translation, or so that it passes them. Passing means that such packets are forwarded with their private addresses still in the headers, so the private addressing is exposed to the public network; drop is the fail-closed choice unless you specifically want untranslated packets to be routed.

Syntax:

disable nat
   drop
   pass

drop
Disables NAT so that it drops packets requiring translation.

pass
Disables NAT so that it passes packets requiring translation.

Enable

Use the enable command to enable NAT. Enabling NAT makes it ready to run, but it will not run until you use the reset command or restart the router.

Syntax:

enable nat

List

Use the list command to list the public IP address reserve pools, the private IP address translate ranges, the mappings, the global settings, or all the NAT information.

Syntax:

list
   reserve addresses
   reserve pools
   translate
   mappings
   global
   all

In the following example, the timeouts are displayed as hours, minutes, and seconds. A binding is the association NAT maintains between a private address and a public address while traffic flows between them. The timeouts determine how much time will elapse after the last communication before a binding is dropped. See the set command for more information about timeouts.

Example:

NAT config>list all
NAT Globals:
NAT is ENABLED
Tcp Timeout....:   24:00:00
Non-Tcp Timeout:    0:01:00
NAT Reserved Address Pool(s):
Index First Address    Mask             Count NAPT Address     Pool Name
1     9.8.7.1          255.255.255.0    3     0.0.0.0          pool1
2     9.8.7.6          255.255.255.0    12    9.8.7.9          pool1
NAT Translate Range(s):
Index IP Address       IP Mask          Associated Pool Name
1     7.1.1.0          255.255.255.0    pool1
2     10.0.0.0         255.0.0.0        pool1
NAT Static Mapping(s):
Index Private Address:Port    Public Address:Port
1     10.1.2.3        0       9.8.7.1        0
2     7.1.1.1         21      9.8.7.9        21   

Map

Use the map command to statically bind a host or server in the private network to a public address. This command, which can be used to set up servers in the private network, establishes an association at NAT startup that never changes.

Static mappings with the public and private port number 0 are NAT mappings; those with other values for the port numbers are NAPT mappings.

Syntax:

map
private-address private-port-number public-address public-port-number

private-address
The private address of the workstation.

Valid Values: an Internet host address in valid IP format. This should be the address assigned to a station in the stub network that requires permanent access from the public network, such as a server.

Default Value: none

private-port-number
The TCP/UDP port number of the application running in the device with the private address. Entering 0 creates a NAT binding and entering another value creates a NAPT binding. Common port values for NAPT are 23 for Telnet, 21 for FTP, and 80 for HTTP.

Valid Values: 0 - 65535

Default Value: 0

public-address
The public IP address to which this private address is to be mapped. This must be a NAPT address for a NAPT mapping and a NAT address for a NAT mapping.

Valid Values: a valid IP address unique to the public network. The public network can be the Internet or an intranet, depending upon the design of the network.

Default Value: none

public-port-number
The port number of the packets to be translated at the public address. The value 0 represents all ports. Common values are 23 for Telnet, 21 for FTP, and 80 for HTTP.

Valid Values: 0 - 65535

Default Value: 0

In this example, the server with private IP address 10.11.12.200 accepts all traffic from the Internet; the server with private address 10.11.12.199 is a Telnet server and an FTP server.

Example:

map 10.11.12.200 0 9.8.7.2 0
map 10.11.12.199 23 9.8.7.9 23
map 10.11.12.199 21 9.8.7.9 21

Reserve

Use the reserve command to create and append a range of IP addresses to a public address pool. Additionally, it can be used to append a Dynamic IP interface to the public address pool.

Syntax:

reserve
   dynamic [interface] [public-address] [mask] [number-in-group] name [napt-address]
Note: The parameters shown in brackets are requested only when they apply. When dynamic is yes, only the interface number and the pool name are requested; when dynamic is no, the public-address, mask, number-in-group, name and napt-address are requested, as in the example at the end of this section.

dynamic
Specifies whether this entry appends a Dynamic IP interface to the pool (yes) or a group of fixed public addresses (no).

Valid Values: yes or no

Default Value: none

interface
The number of the Dynamic IP interface whose address is appended to the pool. Requested only when dynamic is yes.

Valid Values: the number of a configured Dynamic IP interface

Default Value: none

public-address
The first public IP address in the sequence of addresses that make up this range or group in the pool. For example, if this group in the pool includes the 12 addresses in sequence from 9.8.7.6 through 9.8.7.17, this value is 9.8.7.6.
Note: To add another range of addresses to the public address pool, use the reserve command separately for each group, relating one group to another by using the same pool name. For example, addresses 9.8.7.6 through 9.8.7.17 can be configured in one group within pool1 and addresses 9.8.7.1 through 9.8.7.3 can be configured in another group within the same pool. Then, addresses 9.8.7.4 and 9.8.7.5 are not configured or used by that pool.

Valid Values: a valid IP address that is unique to the public network

Default Value: none

mask
A mask to select bits from the IP address. The mask, like an Internet address, is 32 bits long. The 1s in the mask select the network or subnet part of the address. The 0s select the host portion. For example, the address 9.8.7.6 and the mask 255.255.0.0 includes the range of all addresses of which the first two bytes are 9.8 (that is, 9.8.0.0 through 9.8.255.255).

Valid Values: any valid IP mask

Default Value: none

number-in-group
Specifies how many sequential addresses, beginning with the public-address, are included in the group. For the addresses 9.8.7.6 through 9.8.7.17, this value is 12.

Valid Values: 1 up to the number of host addresses that the IP mask allows

Default Value: none

name
The name of the public address reserve pool. This string has to match the pool name on the corresponding translate command.

Valid Values: any name, using up to 16 printable characters; leading and trailing blanks are ignored.

Default Value: none

napt-address
The one IP address from the public address pool that will be used by Network Address Port Translation (NAPT). This address is used for TCP and UDP traffic to map multiple private addresses to the one NAPT address according to the protocol port number. Using NAPT is optional. If it is used, there can be only one NAPT address per public address pool. If there is no NAPT address for a pool or group, enter the value 0.0.0.0. You need only enter the NAPT address once for the pool.

Valid Values: one of the public IP addresses. It does not necessarily have to be included in the range of values defined in the public address pool, but it must be in the same subnet.

Default Value: 0.0.0.0 (meaning no NAPT)

Example:

reserve no 9.8.7.1 255.255.255.0 3  pool1 0.0.0.0
reserve no 9.8.7.6 255.255.255.0 12 pool1 9.8.7.9
reserve yes 2 dynamic_ip_pool  

Reset

Use the reset command to reset NAT. This command deletes all bindings, frees all memory used by NAT, and restarts NAT based on the current Talk 6 configuration. Resetting NAT does not disrupt any other components of the 2212.

Syntax:

reset nat

Note that if NAT encounters an invalid configuration, you will see a message to that effect. Review the NAT ELS messages to see why NAT initialization failed.

Set

Use the set command to set TCP and non-TCP timeouts.

Syntax:

set
   tcp timeout
   nontcp timeout

tcp timeout
The time that NAT maintains a TCP binding after the last message passes between the two bound workstations. A binding is the maintenance of the relationship between a private address and one of the public IP addresses.

Valid Values: 0 - 65535 minutes (0 minutes to about 45 days)

Default Value: 1440 minutes (24 hours)

nontcp timeout
The time that NAT maintains a binding that is not TCP after the last message passes between the two bound stations. A binding is the maintenance of the relationship between a private address and one of the public IP addresses.

Valid Values: 0 - 65535 minutes (0 minutes to about 45 days)

Default Value: 1 minute
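The following model shows how the enable, disable nat drop/pass, map, set and reset commands described above interact at run time: configuration changes take effect only at reset, reset deletes every binding and rebuilds the static ones, static bindings never age out, dynamic bindings are dropped once their entry age exceeds the tcp or nontcp timeout, and disable pass forwards packets untranslated. It is an added example, not code from the 2212 or from IBM; the rules are taken from this chapter's command descriptions, and the one choice the chapter does not settle is marked as this model's assumption: a host needing a new dynamic binding takes a free pool address first and falls back to a port on the NAPT address.

```python
"""Model of binding lifetime under the tcp and nontcp timeouts, and of what
enable, disable nat drop/pass, map and reset do to traffic.  Added example,
not code from the 2212: the rules come from this chapter's command
descriptions.  One choice is this model's own assumption and is marked below:
a host needing a new dynamic binding takes a free pool address first and
falls back to a port on the NAPT address; the chapter does not say which the
router prefers.  Times are minutes, as for the set command."""
from dataclasses import dataclass
from itertools import count


@dataclass
class Binding:
    private: tuple      # (private address, port); port 0 binds the whole address
    public: tuple       # (public address, port); port 0 keeps the private port
    proto: str          # "tcp" uses the tcp timeout, anything else the nontcp timeout
    static: bool        # map entries: created at startup, never time out
    last_used: float    # minutes; entry age is now - last_used


class Nat:
    def __init__(self, pool, napt=None):
        # Talk 6 configuration; nothing in it takes effect until reset()
        self.config = {"pool": list(pool), "napt": napt, "tcp": 1440, "nontcp": 1,
                       "maps": [], "mode": "disabled-drop"}
        self.state, self.timeouts = "disabled-drop", (1440, 1)   # running state
        self.bindings, self.free, self.napt_ports = {}, [], count(1024)
        self.passes = self.drops = 0

    def enable(self):
        self.config["mode"] = "enabled"

    def disable(self, mode):
        self.config["mode"] = {"drop": "disabled-drop", "pass": "disabled-pass"}[mode]

    def set(self, which, minutes):
        if which not in ("tcp", "nontcp") or not 0 <= minutes <= 65535:
            raise ValueError("set tcp|nontcp 0 - 65535 minutes")
        self.config[which] = minutes

    def map(self, private, pport, public, pubport):
        self.config["maps"].append(((private, pport), (public, pubport)))

    def reset(self):
        """Deletes every binding and restarts from configuration; statics are rebuilt if enabled."""
        self.bindings.clear()
        self.state = self.config["mode"]
        if self.state != "enabled":
            return
        self.timeouts = (self.config["tcp"], self.config["nontcp"])
        self.free = [a for a in self.config["pool"] if a != self.config["napt"]]
        self.napt_ports = count(1024)           # ports handed out on the NAPT address
        for priv, pub in self.config["maps"]:
            self.bindings[priv] = Binding(priv, pub, "tcp", True, 0.0)
            if pub[1] == 0 and pub[0] in self.free:
                self.free.remove(pub[0])        # a statically mapped address is not reused

    def expire(self, now):
        """Drops dynamic bindings idle longer than their timeout; static ones stay."""
        tcp_limit, nontcp_limit = self.timeouts
        for key, b in list(self.bindings.items()):
            limit = tcp_limit if b.proto == "tcp" else nontcp_limit
            if not b.static and now - b.last_used > limit:
                if b.public[1] == 0:
                    self.free.append(b.public[0])
                del self.bindings[key]

    def translate(self, private, pport, proto, now):
        """Outbound packet from private:pport; returns (verdict, public endpoint or None)."""
        if self.state == "disabled-pass":       # forwarded untranslated: the private address leaks
            self.passes += 1
            return "passed", (private, pport)
        if self.state == "disabled-drop":
            self.drops += 1
            return "dropped", None
        self.expire(now)
        key = (private, 0) if (private, 0) in self.bindings else (private, pport)
        b = self.bindings.get(key)
        if b is None:
            if self.free:                                            # one-to-one NAT binding
                b = Binding((private, 0), (self.free.pop(0), 0), proto, False, now)
            elif self.config["napt"] and proto in ("tcp", "udp"):    # assumption: NAPT as fallback
                b = Binding((private, pport), (self.config["napt"], next(self.napt_ports)),
                            proto, False, now)
            else:                                                    # NAPT only carries TCP/UDP
                self.drops += 1
                return "dropped", None
            self.bindings[b.private] = b
        b.last_used = now
        self.passes += 1
        return "translated", (b.public[0], pport if b.public[1] == 0 else b.public[1])
```

Walking a pool of two NAT addresses plus a NAPT address through the model shows the points an operator trips over: traffic is dropped after enable until reset is entered, a non-TCP/UDP packet with no free pool address is dropped rather than port-translated, and the UDP binding is gone after one idle minute while the TCP binding survives for a day.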

Translate

Use the translate command to add a subnet to the list of addresses that NAT will translate. Each subnet is a translate range. This command must be entered once for each translate range that NAT is to handle. Any number of translate ranges can use a single public address reserve pool.

Syntax:

translate
private-address mask name

private-address
Any IP host or subnet address that should be translated.

Valid Values: an address in valid dotted decimal IP format. When ANDed with its subnet mask, this address identifies all addresses in a stub subnet. A stub subnet is a network that accesses the public network only through the router.

Default Value: none

mask
The network or subnet mask associated with the stub network to be translated.

Valid Values: any valid IP mask

Default Value: class mask of the private address

name
The name of the public address pool NAT should use for this range of private addresses.

Valid Values: any name, using up to 16 printable characters. It must match a public address pool name created by the reserve command.

Default Value: none
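The reserve, translate and map descriptions above state a set of rules that the router only reports at reset time, through ELS messages: a group must fit inside its mask, groups in a pool must not overlap, a pool has at most one NAPT address and it must lie in the pool's subnet, a translate range must name an existing pool, a NAPT mapping must use a pool's NAPT address, and a NAT mapping must use a reserved address that is not the NAPT address. The checker below applies those rules to command lines before they are typed in. It is an added example, not code from the 2212 or from IBM; the one interpretation it makes is that the "NAT address" of a NAT mapping must be one of the addresses reserved by a reserve no group, and the command lines it is fed are the ones from this chapter's examples.

```python
"""Checks reserve, translate and map command lines against the rules this
chapter states for them.  Added example, not code from the 2212 or from IBM:
it models only the constraints written in the command descriptions above, and
reads "NAT address" as an address reserved by a reserve no group."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

NO_NAPT = ipaddress.IPv4Address("0.0.0.0")


@dataclass
class Pool:
    name: str
    groups: list = field(default_factory=list)     # (first address, subnet, count)
    napt: Optional[ipaddress.IPv4Address] = None   # at most one per pool
    dynamic_ifaces: list = field(default_factory=list)

    def addresses(self):
        return {first + i for first, _net, count in self.groups for i in range(count)}


class NatConfigChecker:
    def __init__(self):
        self.pools, self.translates, self.mappings, self.errors = {}, [], {}, []

    def reserve(self, dynamic, *args):
        """reserve yes <interface> <name>  |  reserve no <address> <mask> <count> <name> <napt>"""
        if dynamic == "yes":
            iface, name = args
            self.pools.setdefault(name, Pool(name)).dynamic_ifaces.append(int(iface))
            return
        first, mask, count, name, napt = args
        first, count, napt = ipaddress.IPv4Address(first), int(count), ipaddress.IPv4Address(napt)
        net = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
        pool = self.pools.setdefault(name, Pool(name))
        # number-in-group runs from 1 up to what the mask allows, without leaving the subnet
        if not 1 <= count <= net.num_addresses or first + (count - 1) not in net:
            self.errors.append(f"reserve {name}: {count} addresses from {first} do not fit in {net}")
            return
        if {first + i for i in range(count)} & pool.addresses():
            self.errors.append(f"reserve {name}: group at {first} overlaps an existing group")
        pool.groups.append((first, net, count))
        if napt != NO_NAPT:                         # 0.0.0.0 means no NAPT for this group
            if pool.napt not in (None, napt):
                self.errors.append(f"reserve {name}: only one NAPT address per pool, already {pool.napt}")
            elif napt not in net:                   # may lie outside the range, but must share the subnet
                self.errors.append(f"reserve {name}: NAPT address {napt} is not in subnet {net}")
            else:
                pool.napt = napt

    def translate(self, private, mask, name):
        if name not in self.pools:                  # the name must match a pool created by reserve
            self.errors.append(f"translate {private}: no reserve pool named {name}")
        self.translates.append((ipaddress.IPv4Network(f"{private}/{mask}", strict=False), name))

    def map(self, private, pport, public, pubport):
        public, pport, pubport = ipaddress.IPv4Address(public), int(pport), int(pubport)
        if (public, pubport) in self.mappings:      # one public address:port serves one private host
            self.errors.append(f"map {private}: {public}:{pubport} is already mapped")
        self.mappings[(public, pubport)] = (private, pport)
        napts = {p.napt for p in self.pools.values() if p.napt}
        reserved = set().union(*(p.addresses() for p in self.pools.values()))
        if pport == 0:                              # NAT mapping: whole address, must be a NAT address
            if public in napts or public not in reserved:
                self.errors.append(f"map {private}: {public} is not a reserved NAT address")
        elif public not in napts:                   # NAPT mapping: must use a pool's NAPT address
            self.errors.append(f"map {private}:{pport}: {public} is not a configured NAPT address")
        elif pubport == 0:
            self.errors.append(f"map {private}:{pport}: a NAPT mapping needs a non-zero public port")


def check(lines):
    """Feeds command lines as typed at NAT config> to the checker; returns the rule violations."""
    cfg = NatConfigChecker()
    for line in lines:
        words = line.split()
        if not words:
            continue
        handler = getattr(cfg, words[0], None)
        if not callable(handler):
            cfg.errors.append(f"unknown command: {line!r}")
        else:
            handler(*words[1:])
    return cfg.errors


# The reserve, translate and map commands from this chapter's examples.
PAGE_EXAMPLE = [
    "reserve no 9.8.7.1 255.255.255.0 3 pool1 0.0.0.0",
    "reserve no 9.8.7.6 255.255.255.0 12 pool1 9.8.7.9",
    "reserve yes 2 dynamic_ip_pool",
    "translate 7.1.1.0 255.255.255.0 pool1",
    "translate 10.0.0.0 255.0.0.0 pool1",
    "map 10.11.12.200 0 9.8.7.2 0",
    "map 10.11.12.199 23 9.8.7.9 23",
    "map 10.11.12.199 21 9.8.7.9 21",
]

if __name__ == "__main__":
    for problem in check(PAGE_EXAMPLE) or ["no rule violations"]:
        print(problem)
```

The chapter's own example passes cleanly; adding a Telnet mapping for a second host onto 9.8.7.9 port 23, or a NAPT mapping onto 9.8.7.2 (which is a plain pool address, not the NAPT address), is reported before it reaches the router.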


Accessing the Network Address Translator Monitoring Environment

To access the NAT monitoring environment, type

   * t 5

Then, enter the following command at the + prompt:

   + feature NAT
   NAT>

The NAT> prompt appears.


Network Address Translator Monitoring Commands

This section describes the Network Address Translator (NAT) monitoring commands. Enter these commands at the NAT> prompt.

Table 55. NAT Monitoring Commands
Command Function
? (Help) Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
List Lists information about NAT.
Reset Causes the router to read in the NAT configuration and run according to the NAT rules that have been configured. Configuration changes do not affect the running of the router until you enter the reset nat command.
Exit Returns you to the previous command level. See "Exiting a Lower Level Environment".

List

Use the list command to display information about the NAT configuration.

Syntax:

list
   all
   binding
   fragment
   global
   reserve pools
   reserve addresses
   statistics
   translate

In the following example, times are displayed as hours, minutes, and seconds. Entry age is the time elapsed since the entry was last used. A binding means that a session is established between these two addresses. The timeouts determine how much time will elapse after the last communication before a binding is dropped. See the set command in Talk 6 for more information about timeouts.

Example:

NAT>list all
NAT Globals:
Current State    Tcp Timeout    Non-Tcp Timeout    Memory Usage (in bytes)
ENABLED             24:00:00            0:01:00           408
 
NAT Statistics:
Requests :     Passes      Drops      Holds
       0 :          0          0          0
 
NAT Address Binding(s):
Private Address//Port  Public Address//Port  Bind Type  Entry Age
        7.1.1.1    21         9.1.1.1    21  STATIC       0:00:13
       10.1.2.3     0         9.1.1.2     0  STATIC       0:00:13
 
NAT TCP Session Information:
Private Address//Port  Public Address//Port  Tcp State  Data Delta  Entry Age
        7.1.1.1    21         9.1.1.1    21  ESTAB'ED      0        0:00:56
 
NAT Translate Range(s):
Base Ip Address        Range Mask      Associated Reserve Pool
       7.1.1.0         255.255.255.0   carol
      10.0.0.0         255.0.0.0       carol
 
NAT Reserve Pool(s):
Reserve Pool     Pool Size    NAPT Address   1st Available Address
carol                21            9.1.1.1          9.1.1.12
-----------------------------------------------------------
Number of Reserve Pools using NAPT.....:     1
Number of configured Reserved Addresses:    21
 
NAT Fragment Information:
Number of Entries    Number of Saved Fragments
           0                           0
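Operators usually scrape the NAT> list all output above into a monitoring system rather than read it by hand. The parser below turns that text into a structure (timeouts and entry ages in seconds, statistics, bindings, TCP sessions, translate ranges, pools and totals) and, as one derived view, lists the private endpoints that share a pool's NAPT address. It is an added example, not an IBM tool: it relies only on the section titles and column order of the sample shown above, which is embedded as its input, and a firmware level that prints the sections differently would need the section names adjusted.

```python
"""Parser for the text that NAT> list all prints, as shown above, so the
router's NAT state can be scraped into a monitoring system.  Added example,
not an IBM tool: it relies only on the section titles and column order of
the sample output; SAMPLE is that output copied from this chapter."""

SAMPLE = """NAT>list all
NAT Globals:
Current State    Tcp Timeout    Non-Tcp Timeout    Memory Usage (in bytes)
ENABLED             24:00:00            0:01:00           408

NAT Statistics:
Requests :     Passes      Drops      Holds
       0 :          0          0          0

NAT Address Binding(s):
Private Address//Port  Public Address//Port  Bind Type  Entry Age
        7.1.1.1    21         9.1.1.1    21  STATIC       0:00:13
       10.1.2.3     0         9.1.1.2     0  STATIC       0:00:13

NAT TCP Session Information:
Private Address//Port  Public Address//Port  Tcp State  Data Delta  Entry Age
        7.1.1.1    21         9.1.1.1    21  ESTAB'ED      0        0:00:56

NAT Translate Range(s):
Base Ip Address        Range Mask      Associated Reserve Pool
       7.1.1.0         255.255.255.0   carol
      10.0.0.0         255.0.0.0       carol

NAT Reserve Pool(s):
Reserve Pool     Pool Size    NAPT Address   1st Available Address
carol                21            9.1.1.1          9.1.1.12
-----------------------------------------------------------
Number of Reserve Pools using NAPT.....:     1
Number of configured Reserved Addresses:    21

NAT Fragment Information:
Number of Entries    Number of Saved Fragments
           0                           0
"""


def seconds(hms):
    """'24:00:00' -> 86400; the router prints ages and timeouts as h:mm:ss."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def split_sections(text):
    """Rows under each 'NAT <title>:' heading, minus the column header line and rules."""
    sections, title = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if line.startswith("NAT ") and stripped.endswith(":"):
            title = stripped[4:-1]
            sections[title] = []
        elif title and stripped and not stripped.startswith("-"):
            sections[title].append(stripped)
    return {name: rows[1:] for name, rows in sections.items()}


def parse_list_all(text):
    sec = split_sections(text)
    state, tcp, nontcp, mem = sec["Globals"][0].split()
    requests, _, passes, drops, holds = sec["Statistics"][0].split()   # "0 :  0  0  0"
    parsed = {"state": state, "tcp_timeout_s": seconds(tcp), "nontcp_timeout_s": seconds(nontcp),
              "memory_bytes": int(mem),
              "stats": {"requests": int(requests), "passes": int(passes),
                        "drops": int(drops), "holds": int(holds)},
              "bindings": [], "sessions": [], "translate": [], "pools": [], "totals": {}}
    for row in sec["Address Binding(s)"]:
        priv, pport, pub, pubport, kind, age = row.split()
        parsed["bindings"].append({"private": (priv, int(pport)), "public": (pub, int(pubport)),
                                   "type": kind, "age_s": seconds(age)})
    for row in sec["TCP Session Information"]:
        priv, pport, pub, pubport, tcp_state, delta, age = row.split()
        parsed["sessions"].append({"private": (priv, int(pport)), "public": (pub, int(pubport)),
                                   "tcp_state": tcp_state, "data_delta": int(delta),
                                   "age_s": seconds(age)})
    for row in sec["Translate Range(s)"]:
        base, mask, pool = row.split()
        parsed["translate"].append({"base": base, "mask": mask, "pool": pool})
    for row in sec["Reserve Pool(s)"]:
        if row.startswith("Number of"):             # the two totals printed under the rule
            label, value = row.split(":")
            parsed["totals"][label.rstrip(". ")] = int(value)
        else:
            name, size, napt, first_free = row.split()
            parsed["pools"].append({"name": name, "size": int(size), "napt": napt,
                                    "first_free": first_free})
    entries, saved = sec["Fragment Information"][0].split()
    parsed["fragments"] = {"entries": int(entries), "saved": int(saved)}
    return parsed


def napt_bindings(parsed):
    """Private endpoints currently sharing a pool's NAPT address (the many-to-one side of NAPT)."""
    napts = {p["napt"] for p in parsed["pools"]}
    return [b["private"] for b in parsed["bindings"] if b["public"][0] in napts]


if __name__ == "__main__":
    data = parse_list_all(SAMPLE)
    print(data["state"], data["stats"], len(data["bindings"]), "bindings", napt_bindings(data))
```

Feeding the sample through it yields the 24-hour and 1-minute timeouts as 86400 and 60 seconds, the two static bindings, and 7.1.1.1:21 as the one endpoint riding on carol's NAPT address 9.1.1.1.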

Reset

Use the reset command to reset NAT. This command deletes all bindings, frees all memory used by NAT, and restarts NAT based on the current Talk 6 configuration. Resetting NAT does not disrupt any other components of the 2212.

Syntax:

reset nat

NAT Dynamic Reconfiguration Support

This section describes dynamic reconfiguration (DR) as it affects Talk 6 and Talk 5 commands.

CONFIG (Talk 6) Delete Interface

NAT does not support the CONFIG (Talk 6) delete interface command.

GWCON (Talk 5) Activate Interface

The GWCON (Talk 5) activate interface command is not applicable for NAT. NAT has no SRAM records associated with an interface.

GWCON (Talk 5) Reset Interface

The GWCON (Talk 5) reset interface command is not applicable for NAT. NAT has no SRAM records associated with an interface.

GWCON (Talk 5) Component Reset Commands

NAT supports the following NAT-specific GWCON (Talk 5) reset commands:

GWCON, Feature NAT, Reset NAT Command

Description:
Reset stops all NAT timers, sets the NAT state to disabled, and frees all memory used by NAT. All translation mappings, packet fragments, and TCP session information are cleared. NAT's initialization routine then reads NAT's state from the configuration records. If NAT is enabled, the pools of public addresses, ranges of private addresses, mapping tables, fragment reassembly tables, timeouts, and timers are all initialized from the configuration records. At this point, NAT is again prepared for packets presented to it by the IP packet filters.

Network Effect:
If NAT was previously enabled, all TCP sessions will time out and the applications will be notified. UDP and other datagram mappings are lost, and packets on those streams are dropped. Once NAT is re-initialized, TCP sessions can be re-established, as can UDP and other datagram packet streams.

Limitation:
IP Packet Filters must be properly configured in order for IP to pass packets to NAT.

All NAT configuration commands take effect through the GWCON, feature nat, reset nat command.

CONFIG (Talk 6) Immediate Change Commands

NAT supports the following CONFIG commands that immediately change the operational state of the device. These changes are saved and are preserved if the device is reloaded, restarted, or you execute a dynamically reconfigurable command.

Commands:
   CONFIG, feature nat, reset nat

