User guide
Network address translation - NAT Interactions of NAT and other security features
iMG/RG Software Reference Manual (IPNetwork Functions)
For outbound sessions, an address is picked from a pool by hashing the source IP address for a pool index and
then hashing again for an address index. For inbound sessions to make use of the global pool, it is necessary to
create a reserved mapping. See below for more information on reserved mappings.
4.4.2.1 Reserved mappings
Reserved mapping is used to support NAT traversal.
NAT traversal is a mechanism that makes a service (listening port) on an internal computer accessible to external computers. NAT traversal operates by having the NAT listen for incoming messages on a selected port on its external interface. When the NAT receives a message, it uses its internal interface to forward the packet to the same port number on a selected internal computer (and any responses from the internal computer are forwarded to the requesting external computer).
Reserved mappings can also be used so that different internal hosts can share a global address by mapping different ports to different hosts.
For example, Host A is an FTP server and Host B is a Web server.
By choosing a particular IP address in the global address pool, and mapping the FTP port on this address to the
FTP port on Host A and the HTTP port on the global address to the HTTP port on Host B, both internal hosts
can share the same global address.
To add a reserved mapping rule to an existing NAT relation, use the NAT ADD RESVMAP INTERFACE command. With this command it is possible to set a mapping rule based on port number or protocol number.
Setting the protocol number to 255 (0xFF) means that the mapping will apply to all protocols. Setting the port number to 65535 (0xFFFF) for TCP or UDP protocols means that the mapping will apply to all port numbers for that protocol.
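The following Python model is an added example, not code from the iMG/RG firmware. It shows how a set of reserved mapping rules, including the wildcard values described above (protocol 255 for all protocols, port 65535 for all ports), selects the internal host for an inbound packet, and it includes a check that lists the rules which expose every protocol or every port of a host. The precedence rule (an exact protocol or port beats a wildcard), the treatment of ports on non-TCP/UDP protocols, and the sample addresses are assumptions made for the example.

```python
"""Added example (not the iMG/RG firmware's code): a model of how NAT reserved
mapping rules select an internal host for an inbound packet, using the wildcard
values the manual describes (protocol 255 = all protocols, port 65535 = all
ports). Rule precedence and the handling of non-TCP/UDP ports are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_PROTOCOLS = 255   # 0xFF, from the manual
ALL_PORTS = 65535     # 0xFFFF, from the manual
TCP, UDP = 6, 17      # IP protocol numbers


@dataclass(frozen=True)
class ReservedMapping:
    global_addr: str      # address taken from the global (public) pool
    protocol: int         # IP protocol number, or ALL_PROTOCOLS
    global_port: int      # port on the global address, or ALL_PORTS
    internal_addr: str    # internal host that receives the traffic
    internal_port: int    # port on the internal host (unused when global_port is ALL_PORTS)


def _matches(m: ReservedMapping, dst_addr: str, protocol: int, dst_port: int) -> bool:
    if m.global_addr != dst_addr:
        return False
    if m.protocol != ALL_PROTOCOLS and m.protocol != protocol:
        return False
    # Assumption: ports only exist for TCP/UDP, so a port restriction on a
    # rule is only compared against TCP/UDP packets.
    if protocol in (TCP, UDP) and m.global_port != ALL_PORTS and m.global_port != dst_port:
        return False
    return True


def _specificity(m: ReservedMapping) -> int:
    # Assumption: an exact protocol beats a protocol wildcard, and an exact
    # port beats a port wildcard.
    return int(m.protocol != ALL_PROTOCOLS) * 2 + int(m.global_port != ALL_PORTS)


def translate(mappings: List[ReservedMapping], dst_addr: str, protocol: int,
              dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (internal_addr, internal_port) for an inbound packet, or None
    when no reserved mapping applies (the NAT has nowhere to deliver it)."""
    candidates = [m for m in mappings if _matches(m, dst_addr, protocol, dst_port)]
    if not candidates:
        return None
    best = max(candidates, key=_specificity)
    # A port wildcard forwards to the same port number on the internal host.
    port = dst_port if best.global_port == ALL_PORTS else best.internal_port
    return best.internal_addr, port


def wildcard_exposures(mappings: List[ReservedMapping]) -> List[ReservedMapping]:
    """Defender's check: rules that expose every protocol or every port of an
    internal host through the global address deserve a second look."""
    return [m for m in mappings
            if m.protocol == ALL_PROTOCOLS or m.global_port == ALL_PORTS]


# Constructed sample: Host A (FTP) and Host B (web) share one global address,
# plus a deliberately broad all-ports rule for a third host.
SAMPLE_RULES = [
    ReservedMapping("203.0.113.10", TCP, 21, "192.168.1.10", 21),
    ReservedMapping("203.0.113.10", TCP, 80, "192.168.1.20", 80),
    ReservedMapping("203.0.113.10", TCP, ALL_PORTS, "192.168.1.30", ALL_PORTS),
]

if __name__ == "__main__":
    print(translate(SAMPLE_RULES, "203.0.113.10", TCP, 21))    # Host A
    print(translate(SAMPLE_RULES, "203.0.113.10", TCP, 80))    # Host B
    print(translate(SAMPLE_RULES, "203.0.113.10", TCP, 8080))  # all-ports host
    print(translate(SAMPLE_RULES, "203.0.113.10", UDP, 53))    # None: no UDP rule
    for m in wildcard_exposures(SAMPLE_RULES):
        print("broad rule:", m)
```

The sample rule set reproduces the Host A / Host B sharing case from the text: FTP and HTTP on the same global address reach different internal hosts, while the all-ports rule catches everything else on TCP. The `wildcard_exposures` check is the part a reviewer of a NAT configuration wants, since a rule with protocol 255 or port 65535 makes far more of an internal host reachable than a single service.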
4.4.2.2 Application level gateways (ALGs)
Some applications embed address and/or port information in the payload of the packet.
The most notorious of these is FTP. For most applications, it is sufficient to create a trigger with address replacement enabled. However, there are three applications for which a specific ALG is provided: FTP, NetBIOS and DNS.
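As an added illustration of why FTP needs an ALG (this is example code, not the iMG/RG ALG), the block below parses and rewrites the active-mode PORT command in which an FTP client embeds its own address and port in the packet payload (the `h1,h2,h3,h4,p1,p2` encoding of RFC 959). The internal and global addresses, and the port the NAT is assumed to have allocated, are constructed values.

```python
"""Added example (not the iMG/RG firmware's ALG): rewriting the address and
port that an FTP client embeds in an active-mode PORT command, which is the
kind of payload fix-up a NAT needs an ALG for. Only the RFC 959 PORT command
is handled; any other line is passed through unchanged."""
import re
from typing import Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2 with an optional CRLF (RFC 959 section 4.1.2)
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$",
    re.IGNORECASE,
)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command, or None if the line is not a
    well-formed PORT command."""
    m = PORT_RE.match(line)
    if not m:
        return None
    values = [int(x) for x in m.groups()]
    if any(v > 255 for v in values):
        return None  # each field must fit in one byte
    ip = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return ip, port


def rewrite_port_command(line: str, internal_addr: str,
                         global_addr: str, global_port: int) -> str:
    """ALG step for an outbound control-channel line: if it is a PORT command
    naming the internal client, substitute the global address and the port the
    NAT allocated for the incoming data connection; otherwise leave it alone."""
    parsed = parse_port_command(line)
    if parsed is None or parsed[0] != internal_addr:
        return line
    o = global_addr.split(".")
    return "PORT %s,%s,%s,%s,%d,%d\r\n" % (
        o[0], o[1], o[2], o[3], global_port // 256, global_port % 256)


if __name__ == "__main__":
    # Constructed sample: internal client 192.168.1.10 behind global 203.0.113.10
    line = "PORT 192,168,1,10,4,1\r\n"          # client listens on 4*256+1 = 1025
    print(parse_port_command(line))             # ('192.168.1.10', 1025)
    print(rewrite_port_command(line, "192.168.1.10", "203.0.113.10", 40000))
    print(rewrite_port_command("USER anonymous\r\n", "192.168.1.10",
                               "203.0.113.10", 40000))  # unchanged
```

Because the rewritten command is usually a different length from the original, a real ALG on a TCP connection also has to adjust the sequence and acknowledgement numbers of subsequent segments, and it must open the corresponding inbound mapping for the data connection; a plain port-based reserved mapping cannot do either, which is why address replacement alone is not enough for FTP.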
4.4.3 Interactions of NAT and other security features
4.4.3.1 Firewall filters and reserved mappings.
So far, the NAT reserved mappings have been considered independently of the firewall.
If the firewall is not enabled, then all that is required for NAT to allow inbound TCP sessions to a certain port number is to create a reserved mapping for that particular TCP port number.