21.4. Examples of NAT configuration

This section shows some examples of NAT configuration.

21.4.1. Allowing access from inside workstations to outside networks

Goal description. We have just one public IP address. Inside the LAN there are several PCs with private IP addresses. The Abilis must be configured to allow the PCs to access the Internet through the single public IP address.

Figure 21.1. Network scheme


Type the following command to allow the “inside” network 192.168.1.0/24 to reach the “outside” network using the CPX public IP address (88.88.88.88) as the “alias” address, with Port Address Translation (PAT) enabled so that all the inside hosts can share that single address at the same time.

[08:57:46] ABILIS_CPX:_a nat pr:1 inat:in onat:out add:src snet:192.168.1.0/24 anet:88.88.88.88/32 pat:yes

COMMAND EXECUTED

[08:58:38] ABILIS_CPX:_d nat

UPNP maps not present

Configured maps
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
PR: [DESCR:]
    INAT:         ADD: SNET:              DNET:              ANET:
    ONAT:              SPO:               DPO:               APO:          PAT:
    SIP:  DIP:         PROT:              TOUT:
-------------------------------------------------------------------------------
...
-------------------------------------------------------------------------------
1   IN            SRC  192.168.001.000/24 *                  088.088.088.088/32
    OUT                *                  *                  AUTO          YES
-------------------------------------------------------------------------------

[08:58:44] ABILIS_CPX:_init nat

COMMAND EXECUTED

[08:58:45] ABILIS_CPX:save conf

VALIDATION IN PROGRESS ...
VALIDATION SUCCESSFULLY EXECUTED

SAVE EXECUTED

After applying this rule, a host on the “inside” network 192.168.1.0/24 can reach the “outside” network: its private source address is replaced by 88.88.88.88 and its source port by one chosen by the Abilis.

Example of IP packet translation:

Table 21.1. Example of IP packet translation

                        Source IP address      Destination IP address
  Before translation:   192.168.1.2:XXX        77.77.77.77:ZZZ
  After translation:    88.88.88.88:YYY        77.77.77.77:ZZZ

XXX is the source port chosen by the PC, YYY the port assigned by PAT on the Abilis and ZZZ the port of the outside server; the reply addressed to 88.88.88.88:YYY is mapped back to 192.168.1.2:XXX.

Tip

Interesting chapter: Section 21.1.1, “NAT overview”.

21.4.2. Allowing access from outside networks to internal servers

Goal description. We have just one public IP address. Inside the LAN there are three servers with different IP addresses running the same service with different contents, e.g. a commercial web site, a technical-support web site and a restricted-access web site. The Abilis must be configured so that each server can be reached through the public IP address, using a different public port for each one.

Figure 21.2. Network scheme


On the outside network (for example the Internet) the three servers are published as:

  • 88.88.88.88:81 - main HTTP server of our company

  • 88.88.88.88:82 - HTTP server for technical support

  • 88.88.88.88:83 - HTTP server for developers

The following records are added to the NAT static table. Each one matches TCP only and a single public port, but any source address (SNET is *): the “restricted access” server on port 83 is therefore reachable from every address on the outside network, so the restriction must be enforced by the server itself or by narrowing SNET to the permitted source addresses.

[12:08:06] ABILIS_CPX:_a nat pr:1 inat:out onat:in add:dst dnet:88.88.88.88/32 anet:192.168.30.11/32 pat:yes prot:tcp dpo:81 apo:80

COMMAND EXECUTED

[12:08:16] ABILIS_CPX:_a nat pr:2 inat:out onat:in add:dst dnet:88.88.88.88/32 anet:192.168.30.12/32 pat:yes prot:tcp dpo:82 apo:80

COMMAND EXECUTED

[12:08:20] ABILIS_CPX:_a nat pr:3 inat:out onat:in add:dst dnet:88.88.88.88/32 anet:192.168.30.13/32 pat:yes prot:tcp dpo:83 apo:80

COMMAND EXECUTED

[12:11:16] ABILIS_CPX:_d nat

UPNP maps not present

Configured maps
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
PR: [DESCR:]
    INAT:         ADD: SNET:              DNET:              ANET:
    ONAT:              SPO:               DPO:               APO:          PAT:
    SIP:  DIP:         PROT:              TOUT:
-------------------------------------------------------------------------------
0   IN            SRC  Ip-1               *                  OUT-IP
    OUT                *                  *                  AUTO          YES
-------------------------------------------------------------------------------
1   OUT           DST  *                  088.088.088.088/32 192.168.030.011/32
    IN                 *                  81                 http(80)      YES
    *     *            TCP                SYS
-------------------------------------------------------------------------------
2   OUT           DST  *                  088.088.088.088/32 192.168.030.012/32
    IN                 *                  82                 http(80)      YES
    *     *            TCP                SYS
-------------------------------------------------------------------------------
3   OUT           DST  *                  088.088.088.088/32 192.168.030.013/32
    IN                 *                  83                 http(80)      YES
    *     *            TCP                SYS
-------------------------------------------------------------------------------

[12:11:19] ABILIS_CPX:_init nat

COMMAND EXECUTED

[12:11:20] ABILIS_CPX:save conf

VALIDATION IN PROGRESS ...
VALIDATION SUCCESSFULLY EXECUTED

SAVE EXECUTED

Table 21.2. Example of IP packet translation

                        Source IP address      Destination IP address
  Destination translation (PR:1)
  Before translation:   XXX.XXX.XXX.XXX:YYY    88.88.88.88:81
  After translation:    XXX.XXX.XXX.XXX:YYY    192.168.30.11:80
  Destination translation (PR:2)
  Before translation:   XXX.XXX.XXX.XXX:YYY    88.88.88.88:82
  After translation:    XXX.XXX.XXX.XXX:YYY    192.168.30.12:80
  Destination translation (PR:3)
  Before translation:   XXX.XXX.XXX.XXX:YYY    88.88.88.88:83
  After translation:    XXX.XXX.XXX.XXX:YYY    192.168.30.13:80

Tip

Interesting chapter: Section 21.1.1, “NAT overview”.

21.4.3. Configuring a DMZ

Connect the Ethernet cards following the scheme below.

The NAT resource must be configured so that:

  • servers located in the DMZ are reachable from the external interface;

  • computers inside the LAN can reach the Internet and the servers in the DMZ;

  • servers located in the DMZ cannot reach computers inside the LAN.

Figure 21.3. Network scheme


Assuming that the IP addresses have already been assigned to the network interfaces, the IP resources must be configured as follows:

[19:00:30] ABILIS_CPX:s p ip-1 nat:outside

COMMAND EXECUTED

[19:00:42] ABILIS_CPX:s p ip-20 nat:inside

COMMAND EXECUTED

[19:00:52] ABILIS_CPX:s p ip-21 nat:dmz

COMMAND EXECUTED

[19:01:00] ABILIS_CPX:d p ip-1

RES:Ip-1 - Not Saved (SAVE CONF), Not Refreshed (INIT) ------------------------
       - IP over LAN (LAN) ----------------------------------------------------
Run    DESCR:WAN
       OPSTATE:UP             LOG:NO               STATE-DETECT:NORMAL
       LANRES:Eth-1
       IPADD:088.088.088.088  MASK:255.255.255.255
       REDIS:YES     HIDE:NO         RP:NONE            IPSEC:NO       VRRP:NO
       NAT:OUTSIDE   UPNP:NO         DIFFSERV:NO        DDNS:NO
       OUTBUF:100    OUTQUEUE:FAIR   MTU:1500           BRD:NET
       OUTSPL:NO     
       INBUF:0                       mru:1500           SRCV:NO
       - TRFA section ---------------------------------------------------------
       TRFA:YES     TRFA-MODE:TOTALS       
       - Lan ------------------------------------------------------------------
       LLOG:NO       arpcache:200    CACHETIMER:120     rxbuf:4     txbuf:14
       VLAN-ID:UNTAG 
RES:Eth-1 ---------------------------------------------------------------------
Run    DESCR:
       LOG:DS            MODE:AUTO         DUPLEX:HALF   
       dma-rxbuf:250     dma-txbuf:25      max-vlans:0       
       ip-rxbuf:25       arp-rxbuf:5       pppoed-rxbuf:5    pppoes-rxbuf:25 

[19:01:12] ABILIS_CPX:d p ip-20

RES:Ip-20 - Not Saved (SAVE CONF), Not Refreshed (INIT) -----------------------
       - IP over LAN (LAN) ----------------------------------------------------
Run    DESCR:
       OPSTATE:UP             LOG:NO               STATE-DETECT:NORMAL
       LANRES:Eth-2
       IPADD:192.168.030.001  MASK:255.255.255.000
       REDIS:YES     HIDE:NO         RP:NONE            IPSEC:NO       VRRP:NO
       NAT:INSIDE    UPNP:NO         DIFFSERV:NO        DDNS:NO
       OUTBUF:100    OUTQUEUE:FAIR   MTU:1500           BRD:NET
       OUTSPL:NO     
       INBUF:0                       mru:1500           SRCV:NO
       - TRFA section ---------------------------------------------------------
       TRFA:YES     TRFA-MODE:TOTALS       
       - Lan ------------------------------------------------------------------
       LLOG:NO       arpcache:200    CACHETIMER:120     rxbuf:4     txbuf:14
       VLAN-ID:UNTAG 
RES:Eth-2 ---------------------------------------------------------------------
Run    DESCR:
       LOG:DS            MODE:AUTO         DUPLEX:HALF   
       dma-rxbuf:250     dma-txbuf:25      max-vlans:0       
       ip-rxbuf:25       arp-rxbuf:5       pppoed-rxbuf:5    pppoes-rxbuf:25 

[19:01:16] ABILIS_CPX:d p ip-21

RES:Ip-21 - IP over LAN (LAN) -------------------------------------------------
Run    DESCR:
       OPSTATE:UP             LOG:NO               STATE-DETECT:NORMAL
       LANRES:Eth-3
       IPADD:192.168.031.001  MASK:255.255.255.000
       REDIS:YES     HIDE:NO         RP:NONE            IPSEC:NO       VRRP:NO
       NAT:DMZ                       DIFFSERV:NO        DDNS:NO
       OUTBUF:100    OUTQUEUE:FAIR   MTU:1500           BRD:NET
       OUTSPL:NO     
       INBUF:0                       mru:1500           SRCV:NO
       - TRFA section ---------------------------------------------------------
       TRFA:YES     TRFA-MODE:TOTALS       
       - Lan ------------------------------------------------------------------
       LLOG:NO       arpcache:200    CACHETIMER:120     rxbuf:4     txbuf:14
       VLAN-ID:UNTAG 
RES:Eth-3 ---------------------------------------------------------------------
Run    DESCR:
       LOG:DS            MODE:AUTO         DUPLEX:HALF   
       dma-rxbuf:250     dma-txbuf:25      max-vlans:0       
       ip-rxbuf:25       arp-rxbuf:5       pppoed-rxbuf:5    pppoes-rxbuf:25 

[19:01:21] ABILIS_CPX:init res:ip-1

COMMAND EXECUTED

[19:01:33] ABILIS_CPX:init res:ip-20

COMMAND EXECUTED

[19:01:36] ABILIS_CPX:init res:ip-21

COMMAND EXECUTED

[19:01:38] ABILIS_CPX:save conf

VALIDATION IN PROGRESS ...
VALIDATION SUCCESSFULLY EXECUTED

SAVE EXECUTED

Add the following rules to the NAT Aliases table:

[08:33:30] ABILIS_CPX:a nat pr:1 inat:in onat:dmz add:src snet:192.168.30.0/24 dnet:192.168.31.0/24 anet:192.168.31.1/32 pat:yes

COMMAND EXECUTED

[08:34:23] ABILIS_CPX:a nat pr:2 inat:out onat:dmz add:dst snet:*  dnet:88.88.88.88/32 anet:192.168.31.100/32 pat:yes prot:tcp dpo:80 apo:80

COMMAND EXECUTED

[08:35:13] ABILIS_CPX:a nat pr:3 inat:in onat:out add:src snet:192.168.30.0/24 anet:88.88.88.88/32 pat:yes

COMMAND EXECUTED

[08:36:33] ABILIS_CPX:d nat

UPNP maps not present

Configured maps
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
PR: [DESCR:]
    INAT:         ADD: SNET:              DNET:              ANET:
    ONAT:              SPO:               DPO:               APO:          PAT:
    SIP:  DIP:         PROT:              TOUT:
-------------------------------------------------------------------------------
...
-------------------------------------------------------------------------------
1   IN            SRC  192.168.030.000/24 192.168.031.000/24 192.168.031.001/32
    DMZ                *                  *                  AUTO          YES
-------------------------------------------------------------------------------
2   OUT           DST  *                  088.088.088.088/32 192.168.031.100/32
    DMZ                TCP                http(80)           http(80)      YES
-------------------------------------------------------------------------------
3   IN            SRC  192.168.030.000/24 *                  088.088.088.088/32
    OUT                *                  *                  AUTO          YES
-------------------------------------------------------------------------------

[08:36:40] ABILIS_CPX:init nat

COMMAND EXECUTED

[08:36:51] ABILIS_CPX:save conf

COMMAND EXECUTED

Rule PR:1 lets the LAN reach the servers located in the DMZ: the source addresses of the 192.168.30.0/24 hosts are replaced by the DMZ interface address 192.168.31.1, so the DMZ servers never see LAN addresses. Rule PR:2 lets the Internet reach the web server 192.168.31.100 in the DMZ through the public address 88.88.88.88 on TCP port 80, and rule PR:3 lets the LAN reach the Internet. The third requirement (DMZ servers cannot reach the LAN) relies on there being no map with INAT:DMZ and ONAT:IN; verify it with a connection attempt from a DMZ host to a LAN host before relying on it, and do not add such a map later without reconsidering that requirement.
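One way to verify those three requirements once the maps are active, as an added example that is not part of the Abilis manual: run the script from a host in each zone and it reports every TCP connect whose outcome differs from the policy, listing unexpected successes (a DMZ host getting into the LAN) first. The LAN, DMZ and public addresses are those of the figure; the LAN host 192.168.30.10, the Internet host 198.51.100.1 and the ports probed are assumptions.

```python
"""Reachability check for the three DMZ requirements of Section 21.4.3.

Added example, not part of the Abilis manual. Each Expectation says whether
a TCP connect from the zone the script runs in should succeed. Addresses
follow the page (LAN 192.168.30.0/24, DMZ web server 192.168.31.100,
public 88.88.88.88); 192.168.30.10, 198.51.100.1 and the ports are assumed.
"""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    run_from: str       # zone the check is executed from: "lan", "dmz" or "internet"
    target: str
    port: int
    reachable: bool     # what the policy requires


# Constructed from the three bullet requirements; hosts and ports are examples.
POLICY = [
    Expectation("internet", "88.88.88.88", 80, True),    # DMZ web server via public IP
    Expectation("lan", "192.168.31.100", 80, True),      # LAN reaches DMZ servers
    Expectation("lan", "198.51.100.1", 80, True),        # LAN reaches the Internet
    Expectation("dmz", "192.168.30.10", 22, False),      # DMZ must not reach a LAN host
    Expectation("dmz", "192.168.30.1", 23, False),       # nor the Abilis LAN interface
]


def tcp_probe(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify(policy, zone, probe=tcp_probe):
    """Probe every expectation for `zone` and return those the network violates.

    Each violation is (expectation, observed). An unexpected success on a
    reachable=False entry (e.g. a DMZ host opening a session into the LAN)
    is the dangerous case, so those are listed first.
    """
    violations = []
    for e in policy:
        if e.run_from != zone:
            continue
        observed = probe(e.target, e.port)
        if observed != e.reachable:
            violations.append((e, observed))
    violations.sort(key=lambda v: v[0].reachable)   # False (unexpected open) first
    return violations


if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "dmz"
    found = verify(POLICY, zone)
    for e, observed in found:
        print(f"VIOLATION from {zone}: {e.target}:{e.port} reachable={observed}, "
              f"policy requires {e.reachable}")
    sys.exit(1 if found else 0)
```

Run it as `python check_dmz.py dmz` on a DMZ server, `... lan` on a workstation and `... internet` from outside; a non-zero exit code means the NAT maps do not implement the policy. A probe that fails because of a filtering policy on the target host looks the same as one blocked by the Abilis, so use targets that are known to answer on the chosen ports.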

Tip

Interesting chapter: Section 21.1.1, “NAT overview”.

21.4.4. "Double" NAT (Source and Destination Translation)

Goal description. There are situations where both the source and the destination IP address of a packet must be translated. The diagram below shows a scenario where the web interface of ROUTER 2 must be accessed from the inside on TCP port 8080. What complicates this scenario is that the default route of the PCs in the LAN sends traffic to ROUTER 1 instead of ROUTER 2, and ROUTER 2 is reachable only from the network 192.168.10.0/24.

Figure 21.4. Network scheme


Add the following rules to the NAT Aliases table:

[19:00:30] ABILIS_CPX:a nat pr:1 inat:in onat:out add:dst dnet:192.168.29.254/32 anet:192.168.10.1/32 pat:yes prot:tcp dpo:8080 apo:80

COMMAND EXECUTED

[19:00:42] ABILIS_CPX:a nat pr:2 inat:in onat:out add:src snet:0.0.0.0/0 dnet:192.168.10.1/32 anet:192.168.10.254/32 pat:yes prot:tcp dpo:80

COMMAND EXECUTED

[19:01:00] ABILIS_CPX:d nat

UPNP maps not present

Configured maps
-------------------------------------------------------------------------------
PR: [DESCR:]
    INAT:         ADD: SNET:              DNET:              ANET:
    ONAT:              SPO:               DPO:               APO:          PAT:
    SIP:  DIP:         PROT:              TOUT:
-------------------------------------------------------------------------------
...
-------------------------------------------------------------------------------
1   IN            DST  *                  192.168.029.254/32 192.168.010.001/32
    OUT                *                  8080               http(80)      YES
    *     *            TCP                SYS
-------------------------------------------------------------------------------
2   IN            SRC  000.000.000.000/00 192.168.010.001/32 192.168.010.254/32
    OUT                *                  http(80)           AUTO          YES
    *     *            TCP                SYS
-------------------------------------------------------------------------------

Rule PR:1 performs the destination address translation: 192.168.29.254:8080 becomes 192.168.10.1:80. Rule PR:2 performs the source address translation: since it is applied in the second scan, it matches the destination 192.168.10.1:80 already written by PR:1 and replaces the PC's address with 192.168.10.254, an address of the Abilis on the network 192.168.10.0/24. Without PR:2, ROUTER 2 would send its replies to the PC's address through its own default route, i.e. towards ROUTER 1, and they would not pass back through the Abilis.

Caution

To activate changes made to the upper-case parameters, execute the initialization command init res:nat; to activate changes made to the lower-case parameters, a save conf followed by an Abilis restart (e.g. with the warm start command) is required.

Example of IP packet translation:

Table 21.3. Example of IP packet translation

                        Source IP address      Destination IP address
  Destination translation (PR:1, first scan)
  Before translation:   XXX.XXX.XXX.XXX:YYY    192.168.29.254:8080
  After translation:    XXX.XXX.XXX.XXX:YYY    192.168.10.1:80
  Source translation (PR:2, second scan)
  Before translation:   XXX.XXX.XXX.XXX:YYY    192.168.10.1:80
  After translation:    192.168.10.254:ZZZ     192.168.10.1:80

Important

Note that the NAT table is scanned twice:

  • the first scan is reserved for the rules that process the destination address (ADD:DST);

  • the second scan is reserved for the rules that process the source address (ADD:SRC).

A source rule is therefore matched against the destination address and port as already rewritten by the first scan, which is why PR:2 above can select the traffic by its translated destination 192.168.10.1:80.
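The two-scan evaluation, as an added example rather than anything from the Abilis manual: a small Python model of the alias table that applies ADD:DST rules first and ADD:SRC rules second, so that PR:2 of Section 21.4.4 matches the destination PR:1 has just written, and that undoes the translation for the reply. The same model reproduces the PAT masquerade of 21.4.1 and the port forwards of 21.4.2. Assumptions the page does not state: within one scan the lowest PR wins, every ANET is a /32, PAT source ports come from a counter, the outgoing zone is supplied with the packet instead of being derived from the routing table, and 192.168.29.10 is an invented PC address.

```python
"""Model of the Abilis NAT alias-table evaluation described in Section 21.4.

Added example, not Abilis code. The table is scanned twice, ADD:DST rules
first and ADD:SRC rules second, so a SRC rule can match the destination a
DST rule has just written (the "double" NAT of 21.4.4). Assumptions: the
lowest PR wins within a scan, ANET is a /32, PAT ports come from a counter,
and ONAT arrives with the packet rather than from the routing table.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    inat: str           # zone the packet arrives from: "in", "out" or "dmz"
    onat: str           # zone it is forwarded to
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    pr: int
    inat: str
    onat: str
    add: str            # "src" or "dst": which address the rule rewrites
    anet: str           # address written into the packet (a /32 here)
    snet: str = "*"     # source prefix to match, "*" = any
    dnet: str = "*"     # destination prefix to match, "*" = any
    prot: str = "*"
    dpo: Optional[int] = None   # destination port to match, None = any
    apo: Optional[int] = None   # port written by a DST rule, None = unchanged
    pat: bool = True            # SRC rule: also replace the source port

    def matches(self, p: Packet) -> bool:
        return (self.inat == p.inat and self.onat == p.onat
                and (self.snet == "*" or ip_address(p.src) in ip_network(self.snet))
                and (self.dnet == "*" or ip_address(p.dst) in ip_network(self.dnet))
                and (self.prot == "*" or self.prot == p.proto)
                and (self.dpo is None or self.dpo == p.dport))


class NatTable:
    def __init__(self, rules, pat_base=10000):
        self.rules = sorted(rules, key=lambda r: r.pr)
        self.next_port = pat_base      # assumption: sequential PAT ports
        self.sessions = {}             # translated 5-tuple -> original packet

    def _apply(self, r: Rule, p: Packet) -> Packet:
        alias = str(ip_network(r.anet).network_address)
        if r.add == "dst":
            dport = r.apo if r.apo is not None else p.dport
            return Packet(p.inat, p.onat, p.src, p.sport, alias, dport, p.proto)
        sport = p.sport
        if r.pat:                      # PAT: the flow gets its own source port
            sport, self.next_port = self.next_port, self.next_port + 1
        return Packet(p.inat, p.onat, alias, sport, p.dst, p.dport, p.proto)

    def translate(self, pkt: Packet) -> Packet:
        """Forward direction: scan DST rules first, then SRC rules."""
        out = pkt
        for which in ("dst", "src"):
            for r in self.rules:
                if r.add == which and r.matches(out):   # SRC scan sees the new dst
                    out = self._apply(r, out)
                    break                             # assumption: first PR wins
        if out != pkt:
            # Keyed on what the reply will carry: the translated tuple, swapped.
            self.sessions[(out.proto, out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt: Packet):
        """Reverse direction: undo the translation using the session entry."""
        orig = self.sessions.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None                # no session, so the reply is left alone
        return Packet(pkt.inat, pkt.onat, orig.dst, orig.dport,
                      orig.src, orig.sport, pkt.proto)


def double_nat_demo():
    """The two rules of Section 21.4.4 applied to a PC request and its reply."""
    nat = NatTable([
        Rule(1, "in", "out", "dst", "192.168.10.1/32",
             dnet="192.168.29.254/32", prot="tcp", dpo=8080, apo=80),
        Rule(2, "in", "out", "src", "192.168.10.254/32", snet="0.0.0.0/0",
             dnet="192.168.10.1/32", prot="tcp", dpo=80),
    ])
    # 192.168.29.10 is an assumed PC address; the page's figure names none.
    fwd = nat.translate(Packet("in", "out", "192.168.29.10", 40000,
                               "192.168.29.254", 8080))
    back = nat.reply(Packet("out", "in", fwd.dst, fwd.dport, fwd.src, fwd.sport))
    return fwd, back
```

double_nat_demo() returns the forwarded packet 192.168.10.254:10000 → 192.168.10.1:80 and the reply as delivered to the PC, 192.168.29.254:8080 → 192.168.29.10:40000. Swapping the two scans in translate() breaks the second result: PR:2 would then see the untranslated destination 192.168.29.254:8080, never match, and the reply from ROUTER 2 would be addressed to the PC directly. A packet for a port with no DST rule, such as 88.88.88.88:8080 in the 21.4.2 setup, leaves the model untranslated.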

Tip

Interesting chapter: Section 21.1.1, “NAT overview”.