NAT and SuperNAT Services

Introduction

Network Address Translation (NAT) is a service where the IP address of a host (the Internal IP address) is translated into another IP address (the External or Globally Unique IP Address) before being forwarded to the external network. Typical uses of NAT are in the following situations:


Standard NAT

The ZyTrax Standard NAT (Network Address Translation) service allows the user to configure incoming and outgoing address translation (internal to external IP) on a one-for-one basis. Up to 16 address translations may be defined (see also point c below).


SuperNAT

The ZyTrax SuperNAT service adds a number of extensions to standard NAT:

  1. Internal IP addresses may be excluded from the routing service (these addresses are not allowed access to routing/forwarding services and are limited to internal access services only).
  2. IP addresses may be excluded from NAT i.e. a mixed NAT and static address configuration is in use. In this type of configuration a number of hosts with Global/External addresses may provide Web services, FTP services etc. in a mixed configuration with all other hosts that use non-globally unique addresses internally but require external (NAT) access. The exclusion feature works with TABLE, PROXY or SHARE MODE configurations.
  3. Certain internal IP addresses must be fixed to external IP addresses but all others will share a single (Proxied) IP external address (SHARE MODE). This configuration may arise when External servers are not (or cannot be) multi-homed and/or where insufficient IP addresses exist to serve all internal addresses.
  4. 'Thin Proxy' service - Internal IP addresses may be mapped to a single IP address which may be 'static' or 'dynamically' acquired from the ISP or remote network (dynamic acquisition is done at link establishment). In this mode a Proxy service is created which is transparent to software, i.e. the user DOES NOT have to select use of a PROXY service in any software (e.g. browsers). This service automatically adjusts the NAT translation for incoming FTP PORT commands.
  5. When using a 'Thin Proxy' service the user may define a 'Port Map' in which incoming IP requests for a port (or a port range) are directed to a specific Internal IP address, e.g. if the user wishes to support a Web site then the HTTP port is 'mapped' to a specific Internal IP address; for an FTP site, the FTP port is 'mapped' to a specific IP address, and so on. Up to 8 such ports or services may be defined. This service automatically adjusts itself for incoming FTP PASV commands.
  6. The user may configure 'Proxy DNS address(es)' in the Hosts (PCs) that will be translated to the 'real' DNS address. This allows configuration changes to be limited to the router only if, say, the ISP is changed. One or two DNS addresses may be defined in this manner.

The ZyTrax NAT and SuperNAT services may be used in conjunction with the ZyTrax LockBox (firewall) service.


Configuring NAT

SuperNAT services are configured using MIB entries in the natTable. The NAT route is defined in the routing table (ipRouteTable) and if using PROXY mode the dynamic or static Proxy IP address acquisition connection is defined in the linkParams field of the userProfile.

Configuration is done using CoolFig (version 2.0 or higher) or Control Server (version 4.00 or higher) (both available here). The following entries are required (zytrax\router\natDhcp\natTable\natEntry):

MIB Name and Meaning:

natMode
May take one of the following values:
  • 0 = NAT OFF (the NAT and SuperNAT service is not active; this is the default).
  • 1 = TABLE Mode (the natTable entries define the Internal to External IP address translation).
  • 2 = PROXY Mode (all Internal IP addresses are translated to a single static or dynamically assigned External IP address).
  • 3 = SHARE MODE (the natTable entries define the Internal to External IP address translation, and the entry with InternalIP 250.0.0.2 defines the unique shared (Proxied) External IP address).

natExcludeIP
Defines the IP address(es) (used together with natExcludeMask) that are to be excluded from the NAT service (these addresses will continue to receive forwarding services – see note 3 below). The value 255.255.255.255 indicates that no addresses will be excluded.

natExcludeMask
The mask that will be AND'd with natExcludeIP to determine the range of IP addresses to be excluded from the NAT service. The mask 255.255.255.255 means that only the single IP address natExcludeIP will be excluded. The value 0.0.0.0 means that ALL IP addresses will be excluded from NAT translation. NOTE: This value overrides any defined NAT lists.

InternalIP
The Internal IP address that will be used by the NAT and SuperNAT translation into the corresponding ExternalIP address. If PROXY mode is in use these entries are only required if specific IP addresses are NOT to be forwarded (see ExternalIP). If not being used this value should be set to 255.255.255.255. In SHARE MODE ONLY, the entry 250.0.0.2 indicates that all Internal IP addresses not defined in this table will be translated to the corresponding ExternalIP address (a default Proxy service).

ExternalIP
In TABLE MODE this defines the External IP address that the corresponding InternalIP address will be translated to before forwarding to the external network. In all MODES the value 0.0.0.0 means that this IP address will NOT be translated OR forwarded to the network. In PROXY mode these entries may be used to exclude individual IP addresses from all forwarding services or to define Proxy DNS entries by using the special address 250.0.0.1. A Proxy DNS address means that when a DNS request to the corresponding InternalIP is received it is translated to one of the DNS Server entries (defined in serverTable).

NOTES:

  1. In TABLE or SHARE mode multiple internal addresses may be translated into a single ExternalIP address, in this case the InternalIP address will change but the ExternalIP address will remain the same. Within the total limit of 16 entries there is no restriction on how addresses may be mapped.
  2. Defining an ExternalIP address of 0.0.0.0 will BLOCK ALL outgoing activity for the corresponding InternalIP.
  3. The exclusion feature (defined using natExcludeIP and natExcludeMask) provides normal forwarding (routing) services but will NOT translate the defined IP address(es).
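The natTable semantics above (natMode, the exclusion mask, the 0.0.0.0 block entry, the 250.0.0.2 default in SHARE mode and the 250.0.0.1 Proxy DNS entry) interact in ways that are easy to misread, so here is a small model of the lookup as an added example. It is not ZyTrax code; the MIB names and special values are taken from this page, while the function names, the sample tables and the rule that an address with no entry in TABLE mode is forwarded untranslated are assumptions made for the illustration.

```python
import ipaddress

# natMode values from the page
NAT_OFF, TABLE, PROXY, SHARE = 0, 1, 2, 3

# Special addresses from the page
UNUSED = "255.255.255.255"      # natExcludeIP / InternalIP: entry not in use
BLOCK = "0.0.0.0"               # ExternalIP: block all outgoing traffic for that InternalIP
PROXY_DNS = "250.0.0.1"         # ExternalIP (PROXY mode): DNS requests are redirected
SHARE_DEFAULT = "250.0.0.2"     # InternalIP (SHARE mode): default proxied entry
MAX_ENTRIES = 16                # natTable size limit


def _u32(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def is_excluded(ip: str, exclude_ip: str, exclude_mask: str) -> bool:
    """natExcludeIP/natExcludeMask test.

    255.255.255.255 in natExcludeIP switches exclusion off (assumption: checked
    before the mask). Otherwise the mask is AND'd with both addresses, so a mask
    of 255.255.255.255 matches only natExcludeIP itself and 0.0.0.0 matches all.
    """
    if exclude_ip == UNUSED:
        return False
    mask = _u32(exclude_mask)
    return (_u32(ip) & mask) == (_u32(exclude_ip) & mask)


def _lookup(nat_table, internal_ip):
    """ExternalIP for an InternalIP, or None when there is no entry (first match wins)."""
    for internal, external in nat_table:
        if internal == internal_ip:
            return external
    return None


def translate_source(internal_ip, nat_mode, nat_table, proxy_ip=None,
                     exclude_ip=UNUSED, exclude_mask=UNUSED):
    """Decide what happens to outgoing traffic from internal_ip on a NAT route.

    Returns ("block", None), ("route", internal_ip) for traffic forwarded
    untranslated, or ("translate", external_ip).
    """
    if len(nat_table) > MAX_ENTRIES:
        raise ValueError("natTable holds at most %d entries" % MAX_ENTRIES)
    if nat_mode == NAT_OFF:
        return ("route", internal_ip)
    if is_excluded(internal_ip, exclude_ip, exclude_mask):
        return ("route", internal_ip)      # note 3: routed, never translated
    external = _lookup(nat_table, internal_ip)
    if external == BLOCK:
        return ("block", None)             # note 2: 0.0.0.0 blocks all outgoing activity
    if nat_mode == PROXY:
        # Every internal address shares the proxy address (the ipcpLocalAddress of
        # the userProfile whose linkParams bit 0 is set). 250.0.0.1 entries only
        # affect destination rewriting, see proxy_dns_target() below.
        return ("translate", proxy_ip)
    if external is None and nat_mode == SHARE:
        external = _lookup(nat_table, SHARE_DEFAULT)
    if external is None:
        # Assumption: the page does not say what happens to an address with no
        # entry in TABLE mode (or SHARE mode without a 250.0.0.2 entry).
        return ("route", internal_ip)
    return ("translate", external)


def proxy_dns_target(dest_ip, nat_table, dns_servers):
    """PROXY mode: a DNS request sent to an InternalIP whose ExternalIP is
    250.0.0.1 is redirected to a serverTable DNS entry (assumption: the first
    one). Any other destination is returned unchanged."""
    if _lookup(nat_table, dest_ip) == PROXY_DNS and dns_servers:
        return dns_servers[0]
    return dest_ip


# Constructed sample tables (addresses chosen for the example)
TABLE_EXAMPLE = [("10.0.0.5", "203.0.113.5"), ("10.0.0.6", "0.0.0.0")]
SHARE_EXAMPLE = [("10.0.0.5", "203.0.113.5"), ("250.0.0.2", "203.0.113.1")]
PROXY_EXAMPLE = [("10.0.0.53", "250.0.0.1"), ("10.0.0.99", "0.0.0.0")]

if __name__ == "__main__":
    print(translate_source("10.0.0.5", TABLE, TABLE_EXAMPLE))
    print(translate_source("10.0.0.6", TABLE, TABLE_EXAMPLE))
    print(translate_source("10.0.0.9", SHARE, SHARE_EXAMPLE))
    print(translate_source("10.0.0.20", PROXY, PROXY_EXAMPLE, proxy_ip="198.51.100.7"))
    print(proxy_dns_target("10.0.0.53", PROXY_EXAMPLE, ["198.51.100.53"]))
```

The model makes the precedence visible: exclusion wins over the table (the excluded host is routed but never translated), a 0.0.0.0 ExternalIP wins over every mode, and only SHARE mode falls back to the 250.0.0.2 entry.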

Configuring the NAT Route

To allow additional flexibility on configuration the ZyTrax SuperNAT system does not assume that the default route is the NAT route (even though this is the most common configuration). Instead the NAT route (or routes) are configured in the static routing table entries using the ipRouteFlags field (zytrax\router\routing\ipRouteTable\ipRouteEntry) as follows:

MIB Name and Meaning:

ipRouteFlags
Set bit 7 of this field to 1 (i.e. 0x80) to indicate that NAT translation should be performed on traffic to and from this route. Any number of NAT routes may be defined in this manner.

NOTE

  1. If configuring using NT_Ser this field is encoded as a decimal field so to set bit 7 use the decimal value of 128. CoolFig uses bit significant fields so this restriction does not apply.
  2. Any number of routes may be defined as requiring NAT service.

Configuring the Dynamic Proxy Address

ZyTrax routers allow multiple concurrent ISDN connections. To allow flexibility in defining the dynamic IP address (only necessary in PROXY MODE), you must indicate in the linkParams field of the userProfile definition (zytrax\router\linkUsers\userProfileTable\userProfileEntry\linkParams) which profile will provide the IP address to be used as the external proxy IP address, as follows:

MIB Name and Meaning:

linkParams
Set bit 0 of this field to indicate that the IP address negotiated (statically or dynamically) in ipcpLocalAddress will be used as the proxy address. Only one userProfile may be defined in this manner.

NOTE: If configuring using NT_Ser this field is encoded as a decimal field, so to set bit 0 set this value to 1 decimal. If additional bits are set you will have to calculate the decimal version of this field. CoolFig uses bit-significant fields so this restriction does not apply.
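Both ipRouteFlags (bit 7 = NAT route) and linkParams (bit 0 = proxy address source) are bit-significant fields that NT_Ser shows in decimal, and the page leaves the "calculate the decimal version" step and the "only one userProfile" rule to the reader. The following added example (not ZyTrax code) does both: it computes the decimal value to enter without disturbing bits that are already set, lists the routes flagged for NAT, and rejects a configuration in which more than one profile claims the proxy address. The route and profile tables are constructed sample data; the profile names are invented.

```python
# Bit positions from the page
NAT_ROUTE_BIT = 7        # ipRouteFlags: bit 7 (0x80, 128 decimal) marks a NAT route
PROXY_ADDR_BIT = 0       # linkParams: bit 0 (1 decimal) selects the proxy address source


def set_bit(value: int, bit: int) -> int:
    return value | (1 << bit)


def has_bit(value: int, bit: int) -> bool:
    return (value >> bit) & 1 == 1


def nt_ser_decimal(current_decimal: int, bit: int) -> int:
    """Decimal value to enter in NT_Ser so that `bit` is set while every bit
    already present in the field is preserved."""
    return set_bit(current_decimal, bit)


def nat_route_destinations(ip_route_table):
    """Destinations of the ipRouteTable entries flagged for NAT (any number is allowed)."""
    return [dest for dest, ip_route_flags in ip_route_table
            if has_bit(ip_route_flags, NAT_ROUTE_BIT)]


def proxy_profile(user_profile_table):
    """Name of the single userProfile whose linkParams bit 0 is set, or None if
    none is set (PROXY mode not in use). More than one is a configuration error."""
    flagged = [name for name, link_params in user_profile_table
               if has_bit(link_params, PROXY_ADDR_BIT)]
    if len(flagged) > 1:
        raise ValueError("only one userProfile may supply the proxy address: %s"
                         % ", ".join(flagged))
    return flagged[0] if flagged else None


# Constructed sample tables: (destination, ipRouteFlags) and (profile name, linkParams)
ROUTES = [("0.0.0.0", 0x80), ("192.168.5.0", 0x00), ("172.16.0.0", 0x81)]
PROFILES = [("isp-primary", 1), ("branch-office", 0)]

if __name__ == "__main__":
    print("NT_Ser value for ipRouteFlags with only bit 7:", nt_ser_decimal(0, NAT_ROUTE_BIT))
    print("NT_Ser value when bits 0 and 2 were already set:", nt_ser_decimal(5, NAT_ROUTE_BIT))
    print("NAT routes:", nat_route_destinations(ROUTES))
    print("proxy address comes from:", proxy_profile(PROFILES))
```

The default route (0.0.0.0) carrying 0x80 is the common case the page mentions; the 0x81 entry shows that other bits in the field survive the decimal conversion.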


Configuring PORT MAP Entries

The Port MAP entries allow the user to define specific ports or port ranges that will be mapped to a specific Internal IP address, e.g. an FTP service will always go to Internal IP address 207.0.0.125, web service to 127.0.0.23, or the SNMP port will always go to the Router. Up to 8 Port Map entries may be defined. The Port MAP entries are defined in the ipPolicyTable (zytrax\router\routing\ipPolicyTable\ipPolicyEntry) as follows.

MIB Name and Meaning:

policyMode
10 = PORT MAP entry, in which case the following entries are used. NOTE: Entries not defined are ignored for this entry type.

policyIPType
The type of traffic, as follows:

  • 1 = ICMP
  • 6 = TCP
  • 17 = UDP

NOTE: 0 is not a valid value for PORT MAP entries.

policyIP
The Internal IP address that the traffic will be translated for and forwarded to. The value 0.0.0.0 may optionally be used to mean that the traffic will be forwarded to this router.

policyLowPort
The lowest (if policyHighPort is defined) or only (policyHighPort = 0) port number of the traffic to be forwarded to the defined Internal IP (policyIP).

policyHighPort
If 0 then the single port defined by policyLowPort will be used. Otherwise any port in the range defined by policyLowPort to policyHighPort will be translated and forwarded to policyIP.

Notes

  1. To remove an entry from the PORT MAP table set policyMode to 20 or greater.
  2. Writing any value to the MIB entry natMode will cause an immediate (LIVE MIB) update of all NAT and SuperNAT values.
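The PORT MAP rules above (policyMode 10 is live and 20 or greater is removed, policyIPType 0 is invalid, policyHighPort = 0 means a single port, policyIP 0.0.0.0 means the router itself, at most 8 entries) are shown together in this added example of an inbound port-map lookup. It is not ZyTrax code: the MIB names and values come from the page, the function names and the sample table are constructed for the illustration (207.0.0.125 is the FTP host from the page's own example; the other addresses are made up), and first-match-wins ordering is an assumption.

```python
from typing import List, NamedTuple, Optional

# policyIPType values from the page
ICMP, TCP, UDP = 1, 6, 17
PORT_MAP_MODE = 10          # policyMode value for a PORT MAP entry
REMOVED_MODE = 20           # policyMode >= 20 removes the entry
ROUTER = "0.0.0.0"          # policyIP meaning "deliver to this router"
MAX_PORT_MAP_ENTRIES = 8


class PolicyEntry(NamedTuple):
    policyMode: int
    policyIPType: int
    policyIP: str
    policyLowPort: int
    policyHighPort: int


def active_port_map(policy_table: List[PolicyEntry]) -> List[PolicyEntry]:
    """Live PORT MAP entries after applying the page's validity rules."""
    live = [e for e in policy_table if e.policyMode == PORT_MAP_MODE]
    if len(live) > MAX_PORT_MAP_ENTRIES:
        raise ValueError("at most %d Port Map entries may be defined" % MAX_PORT_MAP_ENTRIES)
    for e in live:
        if e.policyIPType not in (ICMP, TCP, UDP):
            raise ValueError("policyIPType %d is not valid for PORT MAP entries" % e.policyIPType)
    return live


def entry_matches(e: PolicyEntry, ip_type: int, port: int) -> bool:
    """policyHighPort = 0 selects the single port policyLowPort; otherwise a range."""
    if e.policyIPType != ip_type:
        return False
    if e.policyHighPort == 0:
        return port == e.policyLowPort
    return e.policyLowPort <= port <= e.policyHighPort


def port_map_target(policy_table: List[PolicyEntry], ip_type: int, port: int) -> Optional[str]:
    """Internal IP that an incoming packet is forwarded to, "router" for a
    0.0.0.0 entry, or None when no PORT MAP entry covers it."""
    for e in active_port_map(policy_table):
        if entry_matches(e, ip_type, port):
            return "router" if e.policyIP == ROUTER else e.policyIP
    return None


# Constructed sample table
SAMPLE_TABLE = [
    PolicyEntry(PORT_MAP_MODE, TCP, "207.0.0.125", 21, 0),      # FTP control -> FTP server
    PolicyEntry(PORT_MAP_MODE, TCP, "207.0.0.23", 80, 0),       # HTTP -> web server
    PolicyEntry(PORT_MAP_MODE, UDP, ROUTER, 161, 0),            # SNMP -> the router itself
    PolicyEntry(PORT_MAP_MODE, TCP, "207.0.0.40", 8000, 8010),  # port range -> one host
    PolicyEntry(REMOVED_MODE, TCP, "207.0.0.50", 22, 0),        # removed entry, ignored
]

if __name__ == "__main__":
    for ip_type, port in ((TCP, 21), (TCP, 80), (UDP, 161), (TCP, 161), (TCP, 8005), (TCP, 22)):
        print(ip_type, port, "->", port_map_target(SAMPLE_TABLE, ip_type, port))
```

The removed SSH-port entry and the TCP-versus-UDP check on port 161 are the two cases worth confirming after editing the table: a stale entry with policyMode 20 must stop matching, and an entry only matches the protocol it was defined for.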


Copyright © 1994 - 2024 ZyTrax, Inc.
Page modified: January 20 2022.