In this section will be shown some examples of NAT configuration.
Goal description. We have just one public IP address. Inside LAN there are more PC with private IP addresses. The Abilis must be configured to allow access from PCs to the Internet using the public IP address.
Type the following command to allow the “inside” network 192.168.1.0/24 to reach the “outside” network using the CPX IP address (88.88.88.88) as “alias” and allowing the Port Address Translation.
[08:57:46] ABILIS_CPX:a nat pr:1 inat:in onat:out add:src snet:192.168.1.0/24 anet:88.88.88.88/32 pat:yes
COMMAND EXECUTED [08:58:38] ABILIS_CPX:d nat
UPNP maps not present Configured maps - Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------------- ------------------------------------------------------------------------------- PR: [DESCR:] INAT: ADD: SNET: DNET: ANET: ONAT: SPO: DPO: APO: PAT: SIP: DIP: PROT: TOUT: ------------------------------------------------------------------------------- ... ------------------------------------------------------------------------------- 1 IN SRC 192.168.001.000/24 * 088.088.088.088/32 OUT * * AUTO YES ------------------------------------------------------------------------------- [08:58:44] ABILIS_CPX:init nat
COMMAND EXECUTED [08:58:45] ABILIS_CPX:save conf
VALIDATION IN PROGRESS ... VALIDATION SUCCESSFULLY EXECUTED SAVE EXECUTED
After applying this rule, a host “inside” network 192.168.1.0/24 can reach the “outside” network.
Example of IP packet translation:
Table 24.1. Example of IP packet translation
Source IP address | Destination IP address | |
---|---|---|
Before translation: | 192.169.1.2:XXX | 77.77.77.77:ZZZ |
After translation: | 88.88.88.88:YYY | 77.77.77.77:ZZZ |
Tip | |
---|---|
Interesting chapter:Section 24.1.1, “NAT overview”. |
Goal description. We have just one public IP address. Inside LAN there are three servers with several IP addresses running the same service with different contents, e.g. a commercial web, a technical web, a restricted access web. Abilis must be configured so that each server can be reached using the public IP address.
Three of our servers are described in outside network (for example Internet) as:
88.88.88.88:81 - main HTTP server of our company
88.88.88.88:82 - HTTP server for technical support
88.88.88.88:83 - HTTP server for developers
The following records have been added to the NAT static table:
[12:08:06] ABILIS_CPX:a nat pr:1 inat:out onat:in add:dst dnet:88.88.88.88/32 anet:192.168.30.11/32 pat:yes prot:tcp dpo:81 apo:80
COMMAND EXECUTED [12:08:16] ABILIS_CPX:a nat pr:2 inat:out onat:in add:dst dnet:88.88.88.88/32 anet:192.168.30.12/32 pat:yes prot:tcp dpo:82 apo:80
COMMAND EXECUTED [12:08:20] ABILIS_CPX:a nat pr:3 inat:out onat:in add:dst dnet:88.88.88.88/32 anet:192.168.30.13/32 pat:yes prot:tcp dpo:83 apo:80
COMMAND EXECUTED [12:11:16] ABILIS_CPX:d nat
UPNP maps not present Configured maps - Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------------- ------------------------------------------------------------------------------- PR: [DESCR:] INAT: ADD: SNET: DNET: ANET: ONAT: SPO: DPO: APO: PAT: SIP: DIP: PROT: TOUT: ------------------------------------------------------------------------------- 0 IN SRC Ip-1 * OUT-IP OUT * * AUTO YES ------------------------------------------------------------------------------- 1 OUT DST * 088.088.088.088/32 192.168.030.011/32 IN * 81 http(80) YES * * TCP SYS ------------------------------------------------------------------------------- 2 OUT DST * 088.088.088.088/32 192.168.030.012/32 IN * 82 http(80) YES * * TCP SYS ------------------------------------------------------------------------------- 3 OUT DST * 088.088.088.088/32 192.168.030.013/32 IN * 83 http(80) YES * * TCP SYS ------------------------------------------------------------------------------- [12:11:19] ABILIS_CPX:init nat
COMMAND EXECUTED [12:11:20] ABILIS_CPX:save conf
VALIDATION IN PROGRESS ... VALIDATION SUCCESSFULLY EXECUTED SAVE EXECUTED
Table 24.2. Example of IP packet translation
Source IP address | Destination IP address | |
Destination translation | ||
Before translation: | XXX.XXX.XXX.XXX:YYY | 88.88.88.88:81 |
After translation: | XXX.XXX.XXX.XXX:YYY | 192.168.30.11:80 |
Destination translation | ||
Before translation: | XXX.XXX.XXX.XXX:YYY | 88.88.88.88:82 |
After translation: | XXX.XXX.XXX.XXX:YYY | 192.168.30.12:80 |
Destination translation | ||
Before translation: | XXX.XXX.XXX.XXX:YYY | 88.88.88.88:83 |
After translation: | XXX.XXX.XXX.XXX:YYY | 192.168.30.13:80 |
Tip | |
---|---|
Interesting chapter:Section 24.1.1, “NAT overview”. |
Connect the Ethernet cards following the scheme below
NAT resource must be configured so that:
servers located in the DMZ can be reachable from the external interface
computers inside the LAN can reach internet and servers
servers located in the DMZ cannot reach computers inside LAN
Assuming to have the IP address already assigned to network interfaces, IP resources must be configured in the following way:
[19:00:30] ABILIS_CPX:s p ip-1 nat:outside
COMMAND EXECUTED [19:00:42] ABILIS_CPX:s p ip-20 nat:inside
COMMAND EXECUTED [19:00:52] ABILIS_CPX:s p ip-21 nat:dmz
COMMAND EXECUTED [19:01:00] ABILIS_CPX:d p ip-1
RES:Ip-1 - Not Saved (SAVE CONF), Not Refreshed (INIT) ------------------------ - IP over LAN (LAN) ---------------------------------------------------- Run DESCR:WAN OPSTATE:UP LOG:NO STATE-DETECT:NORMAL LANRES:Eth-1 IPADD:088.088.088.088 MASK:255.255.255.255 REDIS:YES HIDE:NO RP:NONE IPSEC:NO VRRP:NO NAT:OUTSIDE UPNP:NO DIFFSERV:NO DDNS:NO OUTBUF:100 OUTQUEUE:FAIR MTU:1500 OUTSPL:NO INBUF:0 mru:1500 SRCV:NO - TRFA section --------------------------------------------------------- TRFA:YES TRFA-MODE:TOTALS - Lan ------------------------------------------------------------------ LLOG:NO arpcache:200 CACHETIMER:120 rxbuf:4 txbuf:14 VLAN-ID:UNTAG RES:Eth-1 --------------------------------------------------------------------- Run DESCR: LOG:DS MODE:AUTO DUPLEX:HALF MAC-ADDR:FACTORY (00-E0-C5-54-A2-78) dma-rxbuf:250 dma-txbuf:25 max-vlans:0 ip-rxbuf:25 arp-rxbuf:5 pppoed-rxbuf:5 pppoes-rxbuf:25 [19:01:12] ABILIS_CPX:d p ip-20
RES:Ip-20 - Not Saved (SAVE CONF), Not Refreshed (INIT) ----------------------- - IP over LAN (LAN) ---------------------------------------------------- Run DESCR: OPSTATE:UP LOG:NO STATE-DETECT:NORMAL LANRES:Eth-2 IPADD:192.168.030.001 MASK:255.255.255.000 REDIS:YES HIDE:NO RP:NONE IPSEC:NO VRRP:NO NAT:INSIDE UPNP:NO DIFFSERV:NO DDNS:NO OUTBUF:100 OUTQUEUE:FAIR MTU:1500 OUTSPL:NO INBUF:0 mru:1500 SRCV:NO - TRFA section --------------------------------------------------------- TRFA:YES TRFA-MODE:TOTALS - Lan ------------------------------------------------------------------ LLOG:NO arpcache:200 CACHETIMER:120 rxbuf:4 txbuf:14 VLAN-ID:UNTAG RES:Eth-2 --------------------------------------------------------------------- Run DESCR: LOG:DS MODE:AUTO DUPLEX:HALF MAC-ADDR:FACTORY (00-E0-4C-20-07-17) dma-rxbuf:250 dma-txbuf:25 max-vlans:0 ip-rxbuf:25 arp-rxbuf:5 pppoed-rxbuf:5 pppoes-rxbuf:25 [19:01:16] ABILIS_CPX:d p ip-21
RES:Ip-21 - IP over LAN (LAN) ------------------------------------------------- Run DESCR: OPSTATE:UP LOG:NO STATE-DETECT:NORMAL LANRES:Eth-3 IPADD:192.168.031.001 MASK:255.255.255.000 REDIS:YES HIDE:NO RP:NONE IPSEC:NO VRRP:NO NAT:DMZ DIFFSERV:NO DDNS:NO OUTBUF:100 OUTQUEUE:FAIR MTU:1500 OUTSPL:NO INBUF:0 mru:1500 SRCV:NO - TRFA section --------------------------------------------------------- TRFA:YES TRFA-MODE:TOTALS - Lan ------------------------------------------------------------------ LLOG:NO arpcache:200 CACHETIMER:120 rxbuf:4 txbuf:14 VLAN-ID:UNTAG RES:Eth-3 --------------------------------------------------------------------- Run DESCR: LOG:DS MODE:AUTO DUPLEX:HALF MAC-ADDR:FACTORY (00-E0-4C-20-04-29) dma-rxbuf:250 dma-txbuf:25 max-vlans:25 ip-rxbuf:25 arp-rxbuf:5 pppoed-rxbuf:5 pppoes-rxbuf:25 [19:01:21] ABILIS_CPX:init res:ip-1
COMMAND EXECUTED [19:01:33] ABILIS_CPX:init res:ip-20
COMMAND EXECUTED [19:01:36] ABILIS_CPX:init res:ip-21
COMMAND EXECUTED [19:01:38] ABILIS_CPX:save conf
VALIDATION IN PROGRESS ... VALIDATION SUCCESSFULLY EXECUTED SAVE EXECUTED
Add the following rules to the NAT Aliases table:
[08:33:30] ABILIS_CPX:a nat pr:1 inat:in onat:dmz add:src snet:192.168.30.0/24 dnet:192.168.31.0/24 anet:192.168.31.1/32 pat:yes
COMMAND EXECUTED [08:34:23] ABILIS_CPX:a nat pr:2 inat:out onat:dmz add:dst snet:* dnet:88.88.88.88/32 anet:192.168.31.100/32 pat:yes prot:tcp dpo:80 apo:80
COMMAND EXECUTED [08:35:13] ABILIS_CPX:a nat pr:3 inat:in onat:out add:src snet:192.168.30.0/24 anet:88.88.88.88/32 pat:yes
COMMAND EXECUTED [08:36:33] ABILIS_CPX:d nat
UPNP maps not present Configured maps - Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------------- ------------------------------------------------------------------------------- PR: [DESCR:] INAT: ADD: SNET: DNET: ANET: ONAT: SPO: DPO: APO: PAT: SIP: DIP: PROT: TOUT: ------------------------------------------------------------------------------- ... ------------------------------------------------------------------------------- 1 IN SRC 192.168.030.000/24 192.168.031.000/24 192.168.031.001/32 DMZ * * AUTO YES ------------------------------------------------------------------------------- 2 OUT DST * 088.088.088.088/32 192.168.031.100/32 DMZ TCP http(80) http(80) YES ------------------------------------------------------------------------------- 3 IN SRC 192.168.030.000/24 * 088.088.088.088/32 OUT * * AUTO YES ------------------------------------------------------------------------------- [08:36:40] ABILIS_CPX:init nat
COMMAND EXECUTED [08:36:51] ABILIS_CPX:save conf
COMMAND EXECUTED
The rule PR
:1
is useful to
allow LAN to reach servers located in the DMZ, the rule
PR
:2
allows to reach a server with
IP address 192.168.31.100 located in the DMZ from Internet, while
PR
:3
allows LAN to reach
Internet.
Tip | |
---|---|
Interesting chapter:Section 24.1.1, “NAT overview”. |
Goal description. There are situations where both the source and destination IP addresses of a packet must be NATted. The diagram below shows a scenario where the WEB interface of Router 2 needs to be accessed from the inside using the TCP port 8080. What complicates this scenario is that the default route for PCs of LAN directs the traffic to ROUTER 1 instead of ROUTER 2. The ROUTER 2 is reachable only from the network 192.168.10.0/24.
Add the following rules to the NAT Aliases table:
[19:00:30] ABILIS_CPX:a nat pr:1 inat:in onat:out add:dst dnet:192.168.29.254/32 anet:192.168.10.1/32 pat:yes prot:tcp dpo:8080 apo:80
COMMAND EXECUTED [19:00:42] ABILIS_CPX:a nat pr:2 inat:in onat:out add:src snet:0.0.0.0/0 dnet:192.168.10.1/32 anet:192.168.10.254/32 pat:yes prot:tcp dpo:80
COMMAND EXECUTED [19:01:00] ABILIS_CPX:d nat
UPNP maps not present Configured maps ------------------------------------------------------------------------------- PR: [DESCR:] INAT: ADD: SNET: DNET: ANET: ONAT: SPO: DPO: APO: PAT: SIP: DIP: PROT: TOUT: ------------------------------------------------------------------------------- ... ------------------------------------------------------------------------------- 1 IN DST * 192.168.029.254/32 192.168.010.001/32 OUT * 8080 http(80) YES * * TCP SYS ------------------------------------------------------------------------------- 2 IN SRC 000.000.000.000/00 192.168.010.001/32 192.168.010.254/32 OUT * http(80) AUTO YES * * TCP SYS -------------------------------------------------------------------------------
The rule PR
:1
is used for
Destination Address Translation, and the rule
PR
:2
is used for Source Address
Translation.
Caution | |
---|---|
To activate the changes made on the upper case parameters, execute the initialization command init res:nat; while to set act the changes made on the lowercase parameters a save conf and an Abilis restart are required (i.e. With warm start command). |
Example of IP packet translation:
Table 24.3. Example of IP packet translation
Source IP address | Destination IP address | |
Destination translation | ||
Before translation: | XXX.XXX.XXX.XXX:YYY | 192.168.29.254:8080 |
After translation: | XXX.XXX.XXX.XXX:YYY | 192.168.10.1:80 |
Source translation | ||
Before translation: | XXX.XXX.XXX.XXX:YYY | 192.168.10.1:80 |
After translation: | 192.168.10.254:ZZZ | 192.168.10.1:80 |
Important | |
---|---|
Please mind: the NAT table is scanned twice:
|
Tip | |
---|---|
Interesting chapter:Section 24.1.1, “NAT overview”. |