Install guide
Software Version 2.7.6
C613-10462-00 REV A
Creating an ENAPT: interface-based
To add an interface-based ENAPT to a policy, use the new nat=enapt option in
the add firewall policy nat command:
add firewall policy=policy-name nat=enapt interface=interface
gblinterface=interface [gblip=ipadd[-ipadd]]
ENAPT translates packets’ private IP addresses to one of the following public
addresses:
■ the address specified by the gblip parameter, if you specify a single IP
address
■ the lowest address in the range of addresses specified by the gblip
parameter, if you specify a range.
■ the IP address of the public interface, if you do not specify gblip. This is
useful if the address of the public interface is dynamically assigned and
therefore changes.
ENAPT also translates a private port (such as 3074 for Xbox gaming) to a public
port. The firewall randomly allocates the public port and remembers the
private-to-public mapping. If you want to apply ENAPT to a particular private
port, create a rule-based ENAPT instead of an interface-based ENAPT. If you
need to control both the private and the public port, create a rule-based NAPT
instead of using ENAPT.
Creating an ENAPT: rule-based
To add a rule-based ENAPT to a policy, use the new nattype=enapt option in
the add firewall policy rule command:
add firewall policy=policy-name rule=rule-id action=nat
nattype=enapt interface=private-interface
protocol={protocol|all|egp|gre|icmp|ospf|sa|tcp|udp}
gblip=ipadd [ip=ipadd[-ipadd]] [port=port]
[sourceport=port]
[other-options-to-match-packets]
For more information about the IP address and port parameters that are valid
with ENAPT rules, and the translations, see “IP and port parameters in policy
rules” on page 56.
You can create a rule that only applies to Xbox Live traffic by specifying the
TCP/UDP port. All Xbox Live traffic has a source port of 3074. Traffic to the
Xbox Live server also has a destination port of 3074, but the destination port of
other Xboxes may vary. Therefore, to limit the rule to Xbox Live traffic, specify
the source port by using sourceport=3074.
Increasing ICMP unreachable timeout
If you are configuring the firewall to allow Xbox Live sessions, also increase the
ICMP unreachable message timeout. The timeout specifies the delay before the
firewall deletes a session after it receives an ICMP unreachable message for
that session. If you do not increase it, you may be unable to connect to remote
Xboxes that are also behind a firewall. A suitable timeout is approximately 20
seconds. To set it, use the command:
set firewall policy=policy-name
icmpunreachabletimeout=seconds [other-options]
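The three steps above combined into one configuration script, as an added example that is not part of the install guide. It assumes a policy named xbox, private interface vlan1, public interface ppp0, the documentation address 203.0.113.10 as the public address and 192.168.1.50 as the Xbox; the enable, create, type= and show commands are the standard AlliedWare firewall workflow and do not appear on this page.

```text
# Added example (not from the install guide): rule-based ENAPT for one Xbox.
# Assumed names: policy "xbox", private interface vlan1, public interface ppp0,
# public address 203.0.113.10 (documentation range), Xbox at 192.168.1.50.
# The enable/create/type=/show commands are the standard AlliedWare firewall
# workflow and are assumed here; they do not appear on this page.
enable firewall
create firewall policy=xbox
add firewall policy=xbox interface=vlan1 type=private
add firewall policy=xbox interface=ppp0 type=public

# Rule-based ENAPT limited to Xbox Live traffic (source port 3074) and to one
# host (ip=), so no other host on vlan1 receives a remembered
# private-to-public port mapping. One rule each for UDP and TCP.
add firewall policy=xbox rule=1 action=nat nattype=enapt interface=vlan1 protocol=udp gblip=203.0.113.10 ip=192.168.1.50 sourceport=3074
add firewall policy=xbox rule=2 action=nat nattype=enapt interface=vlan1 protocol=tcp gblip=203.0.113.10 ip=192.168.1.50 sourceport=3074

# Keep a session for about 20 seconds after an ICMP unreachable message so that
# connections to remote Xboxes that are also behind a firewall can complete.
set firewall policy=xbox icmpunreachabletimeout=20

# Check the resulting policy, rules and timeout.
show firewall policy=xbox
```

Restricting the rules with ip= and sourceport= is the least-exposure form: hosts and ports that the rules do not match keep whatever NAT the policy otherwise applies.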