Install guide
50 Firewall Enhancements Release Note
Software Version 2.7.6
C613-10462-00 REV A
Enhanced Network Address and Port Translation (ENAPT)
Software Version 2.7.6 supports Enhanced Network Address and Port
Translation (ENAPT). With ENAPT, the firewall translates private IP addresses
and ports to a public IP address and ports. It remembers the private to public
mapping and applies the same mapping to all simultaneous sessions that
involve the same private IP address and port, whatever the external
destination of each session.
ENAPT is a port restricted cone NAT, as defined in RFC 3489, STUN - Simple
Traversal of User Datagram Protocol (UDP) Through Network Address Translators
(NATs). RFC 3489 has since been obsoleted by RFC 5389, and the RFC 4787
terms for the same behaviour are endpoint-independent mapping with
address-and-port-dependent filtering: one public address and port is used for
every destination, but an external host can send inbound through the mapping
only from an address and port that the private device has already sent to.
ENAPT combines:
■ Enhanced NAT’s ability to translate many private addresses to one public
address
■ NAPT’s ability to avoid changes to the UDP or TCP port number
When to use ENAPT
ENAPT enables the firewall to work with applications in which a private
device may initiate sessions with multiple external servers or hosts. One such
application is Xbox Live®, as shown in the following figure.
[Figure fw-enapt-xbox: Xbox Live player A behind the firewall performing
ENAPT, the Internet, the Xbox Live server, and Xbox Live player B. Steps 1
and 2: player A registers with the server and the server replies. Steps 3 and
4: player B registers with the server. Step 5: the two Xboxes establish a
session with each other.]
In the above figure, Xbox Live player A is behind the firewall which is
performing ENAPT. Before playing, player A registers with the Xbox Live
server (step 1) and the server replies (step 2). Likewise, player B registers with
the server (steps 3 and 4). When the players wish to start a game with each
other, the server tells each Xbox the public IP address and port of the other
Xbox, and they establish a session between them (step 5). Player A’s Xbox must
use the same public IP address and port when communicating with the server
and with player B, or player B cannot connect to player A.
ENAPT deletes the private to public mapping when the last session that uses
that mapping closes. This has no effect when using it with Xbox Live, because
the first session is initiated by the private device, so the mapping already
exists when player B needs it. It does make ENAPT less suitable than NAPT for
use with VoIP systems: a VoIP handset must be reachable for incoming calls at
times when it has no session open, and once the mapping has been deleted the
firewall has no translation to apply to the incoming packets.
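The following Python model is an added example, not code from the release note or the firewall itself. It implements the behaviour described above for ENAPT, a port restricted cone NAT: one public address and port per private address and port regardless of destination, inbound traffic accepted only from an address and port the private device has already sent to, and the mapping deleted when its last session closes. It then walks player A through steps 1, 2 and 5 of the figure and through tear-down. The addresses are constructed from the RFC 5737 documentation ranges, port 3074 for the Xboxes and the server is a constructed value, and sequential allocation of public ports from 40000 is an assumption made for the example.

```python
"""Added example: model of a port restricted cone NAT (ENAPT as described in
the release note). Illustrative only; not the firewall's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, UDP/TCP port)


@dataclass
class Mapping:
    public: Endpoint                                    # public ip:port for one private ip:port
    peers: Set[Endpoint] = field(default_factory=set)   # external ip:ports this private host sent to


class PortRestrictedConeNat:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port  # assumption: public ports handed out sequentially
        self.by_private: Dict[Endpoint, Mapping] = {}
        self.by_public: Dict[Endpoint, Endpoint] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Private `src` sends to external `dst`; returns the public source ip:port.
        Endpoint-independent mapping: the same public ip:port is reused for every
        destination for as long as the mapping exists."""
        m = self.by_private.get(src)
        if m is None:
            m = Mapping(public=(self.public_ip, self.next_port))
            self.next_port += 1
            self.by_private[src] = m
            self.by_public[m.public] = src
        m.peers.add(dst)  # one session per (private, external) pair
        return m.public

    def inbound(self, src: Endpoint, dst_public: Endpoint) -> Optional[Endpoint]:
        """External `src` sends to one of our public ip:ports; returns the private
        endpoint the packet is forwarded to, or None if it is dropped. Port
        restricted filtering: only an ip:port the private host already sent to
        through this mapping may send back."""
        priv = self.by_public.get(dst_public)
        if priv is None:
            return None
        if src not in self.by_private[priv].peers:
            return None
        return priv

    def close_session(self, src: Endpoint, dst: Endpoint) -> bool:
        """The session between private `src` and external `dst` closes. Returns True
        when it was the last session on the mapping, which is then deleted."""
        m = self.by_private.get(src)
        if m is None or dst not in m.peers:
            return False
        m.peers.discard(dst)
        if m.peers:
            return False
        del self.by_private[src]
        del self.by_public[m.public]
        return True


def xbox_live_scenario() -> Dict[str, object]:
    """Steps 1, 2 and 5 of the figure for player A, then tear-down.
    Every observation is returned so it can be checked."""
    nat = PortRestrictedConeNat(public_ip="203.0.113.1")
    player_a = ("192.168.1.10", 3074)  # private Xbox behind the firewall (constructed)
    server = ("198.51.100.5", 3074)    # Xbox Live server (constructed address)
    player_b = ("192.0.2.20", 3074)    # player B's public ip:port (constructed)

    out: Dict[str, object] = {}
    public_a = nat.outbound(player_a, server)                  # step 1: A registers
    out["public_a"] = public_a
    out["server_reply"] = nat.inbound(server, public_a)        # step 2: server replies
    # B has learned A's public ip:port from the server, but A has not sent to B yet,
    # so B's packet is dropped by the port restricted filter.
    out["b_before_a_sends"] = nat.inbound(player_b, public_a)
    # step 5: A contacts B using the same public ip:port it used with the server;
    # that is exactly what lets B connect, since the server told B that address.
    out["public_a_to_b"] = nat.outbound(player_a, player_b)
    out["b_after_a_sends"] = nat.inbound(player_b, public_a)
    # tear-down: the mapping survives until the last session using it closes
    out["deleted_after_server_close"] = nat.close_session(player_a, server)
    out["deleted_after_b_close"] = nat.close_session(player_a, player_b)
    # with the mapping gone, nobody outside can reach A until A sends again;
    # this is the property that makes ENAPT a poor fit for incoming VoIP calls
    out["server_after_close"] = nat.inbound(server, public_a)
    return out


if __name__ == "__main__":
    for key, value in xbox_live_scenario().items():
        print(f"{key}: {value}")
```

The two results worth noting are `public_a_to_b`, which equals `public_a` (the requirement the note states for player B to connect), and `b_before_a_sends`, which is dropped: the server-brokered exchange works only because each Xbox sends outbound to the other first, and a peer that has not been sent to gets nothing through the mapping.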