116 Summit24e3 Switch Installation and User Guide
Network Address Translation (NAT)
This rule uses auto-constrain NAT. Remember that auto-constrain limits the number of simultaneous connections each inside IP address can open. Most installations should use portmap mode instead.
Auto-Constrain Example
config nat add out_vlan_3 map source 192.168.3.0/24 to 216.52.8.64/32 both auto-constrain
Advanced Rule Matching
By default, a NAT rule matches a connection only on the source IP address of the outgoing packets. Using the L4-port and destination keywords, you can narrow the scope of the rule so that it applies only to specific TCP/UDP Layer 4 port numbers, or only to specific outside destination IP addresses.
NOTE
Once a single rule is matched, no other rules are processed.
Destination Specific NAT
config nat [add|delete] vlan <outside_vlan> map source [any | <ipaddress> [/<bits> | <netmask>]] {destination <ipaddress/mask>} to <ipaddress> [/<mask> | <netmask> | - <ipaddress>]
Adding the optional destination keyword after the source IP address and mask restricts the NAT rule to packets sent to a specific destination IP address or prefix.
L4-Port Specific NAT
Adding the optional L4-port keyword after the source IP address and mask restricts the NAT rule to packets with a specific Layer 4 source or destination port. The position of the keyword determines which port it constrains: L4-port given after the source IP/mask matches only if the specified port(s) are the Layer 4 source ports, and L4-port given after the destination IP/mask matches only if the specified port(s) are the Layer 4 destination ports. Both may be used together to narrow the rule further. Because rule processing stops at the first match, place such narrow rules before any broader rule for the same source; a broader rule listed first will match the traffic and the narrow rule will never be reached.
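The matching semantics described above, as an added example that is not part of the guide and is not the switch's own code: a small Python model of first-match rule evaluation with the source, destination and L4-port qualifiers, plus a check for rules that can never fire because an earlier, broader rule covers them (the practical consequence of "once a single rule is matched, no other rules are processed"). The rule and packet representations, the helper names, the second outside address 216.52.8.65 and the sample packets are assumptions made for illustration; the port handling assumes that a rule carrying an L4-port qualifier never matches a packet that is not TCP or UDP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed packet representation (an assumption, not the switch's):
# keys src, dst, proto ("tcp", "udp", "icmp"), sport, dport.
Packet = Dict[str, object]


def _net(cidr: str):
    return ip_network(cidr, strict=False)


@dataclass
class NatRule:
    """One 'config nat add vlan <outside_vlan> map source ... to ...' rule."""
    vlan: str
    source: str                            # "any" or address/mask
    to: str                                # outside address the rule maps to
    src_ports: Optional[Set[int]] = None   # L4-port given after the source
    destination: Optional[str] = None      # 'destination <ipaddress/mask>'
    dst_ports: Optional[Set[int]] = None   # L4-port given after the destination
    mode: str = "portmap"                  # portmap or auto-constrain

    def matches(self, pkt: Packet) -> bool:
        if self.source != "any" and ip_address(pkt["src"]) not in _net(self.source):
            return False
        if self.destination is not None and ip_address(pkt["dst"]) not in _net(self.destination):
            return False
        if self.src_ports is not None or self.dst_ports is not None:
            # Port qualifiers apply to TCP/UDP ports; assumption: a rule that
            # carries one cannot match ICMP or any other protocol.
            if pkt["proto"] not in ("tcp", "udp"):
                return False
            if self.src_ports is not None and pkt["sport"] not in self.src_ports:
                return False
            if self.dst_ports is not None and pkt["dport"] not in self.dst_ports:
                return False
        return True


def first_match(rules: List[NatRule], pkt: Packet) -> Optional[NatRule]:
    """Rules are tried in order; the first hit ends the search."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def _covers(broad: NatRule, narrow: NatRule) -> bool:
    """True if every packet that 'narrow' can match is also matched by 'broad'."""
    if broad.source != "any":
        if narrow.source == "any" or not _net(narrow.source).subnet_of(_net(broad.source)):
            return False
    if broad.destination is not None:
        if narrow.destination is None or not _net(narrow.destination).subnet_of(_net(broad.destination)):
            return False
    for b_ports, n_ports in ((broad.src_ports, narrow.src_ports), (broad.dst_ports, narrow.dst_ports)):
        if b_ports is not None and (n_ports is None or not n_ports <= b_ports):
            return False
    return True


def shadowed_rules(rules: List[NatRule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, rule in enumerate(rules)
            if any(_covers(rules[j], rule) for j in range(i))]


# Constructed rules echoing the guide's out_vlan_3 / 192.168.3.0/24 example;
# 216.52.8.65 as a second outside address is an assumption.
SPECIFIC = NatRule("out_vlan_3", "192.168.3.0/24", "216.52.8.65/32",
                   destination="216.52.8.0/24", dst_ports={80, 443})
CATCH_ALL = NatRule("out_vlan_3", "192.168.3.0/24", "216.52.8.64/32", mode="auto-constrain")

GOOD_ORDER = [SPECIFIC, CATCH_ALL]  # specific rule first, catch-all last
BAD_ORDER = [CATCH_ALL, SPECIFIC]   # catch-all first: SPECIFIC can never fire

# Constructed sample packets.
WEB = {"src": "192.168.3.10", "dst": "216.52.8.200", "proto": "tcp", "sport": 40000, "dport": 443}
PING = {"src": "192.168.3.10", "dst": "216.52.8.200", "proto": "icmp", "sport": None, "dport": None}


def rule_demo() -> Dict[str, object]:
    return {
        "good_web": first_match(GOOD_ORDER, WEB).to,    # specific rule wins
        "good_ping": first_match(GOOD_ORDER, PING).to,  # port rule skips ICMP; catch-all
        "bad_web": first_match(BAD_ORDER, WEB).to,      # catch-all hides the specific rule
        "shadowed": shadowed_rules(BAD_ORDER),          # [1]
    }


if __name__ == "__main__":
    print(rule_demo())
```

Running shadowed_rules over a proposed rule list before loading it is the check a practitioner wants: any index it reports is a rule whose narrowing (destination or L4-port) silently has no effect because an earlier rule with a wider match precedes it.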
Configuring Timeouts
When an inside host initiates a session, a session table entry is created. Depending on the type of traffic or the current TCP state, a table entry times out after the configured timeout expires; until then the translation remains usable in both directions.
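As an added illustration, not the switch's code, a Python model of the session table just described: entries are keyed by the translated flow, each carries a kind that selects its timeout, and a sweep removes entries whose timeout has elapsed. It uses the two defaults this page documents in Table 28 (60 seconds after a TCP session is torn down or reset, 3 seconds for ICMP); kinds other than those two are assumptions and expire only if the caller configures a value for them. The key layout, the class and function names and the sample timeline are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Defaults for the two timeouts this page documents (Table 28).
DEFAULT_TIMEOUTS: Dict[str, int] = {"tcp-finrst": 60, "icmp": 3}

# Session key (assumed layout): proto, inside address, inside port,
# outside destination, destination port.
Key = Tuple[str, str, int, str, int]


@dataclass
class Session:
    key: Key
    kind: str         # "tcp", "tcp-finrst", "icmp", "udp", ...; selects the timeout
    last_seen: float  # time the entry was created or last refreshed


class SessionTable:
    def __init__(self, timeouts: Optional[Dict[str, int]] = None):
        # Kinds with no configured timeout never expire in this model; only the
        # finrst and icmp values are given on this page, others must be supplied.
        self.timeouts = dict(DEFAULT_TIMEOUTS)
        if timeouts:
            self.timeouts.update(timeouts)
        self.entries: Dict[Key, Session] = {}

    def open(self, key: Key, kind: str, now: float) -> None:
        """Inside host initiates a session: create the table entry."""
        self.entries[key] = Session(key, kind, now)

    def teardown(self, key: Key, now: float) -> None:
        """FIN or RST seen: the entry survives only for finrst-timeout more seconds."""
        entry = self.entries[key]
        entry.kind = "tcp-finrst"
        entry.last_seen = now

    def expire(self, now: float) -> List[Key]:
        """Drop entries whose timeout has elapsed; return the keys removed."""
        dead: List[Key] = []
        for key, entry in self.entries.items():
            limit = self.timeouts.get(entry.kind)
            if limit is not None and now - entry.last_seen >= limit:
                dead.append(key)
        for key in dead:
            del self.entries[key]
        return dead


# Constructed timeline: an ICMP echo and a TCP session from 192.168.3.10.
ICMP_KEY: Key = ("icmp", "192.168.3.10", 0, "216.52.8.200", 0)
TCP_KEY: Key = ("tcp", "192.168.3.10", 40000, "216.52.8.200", 443)


def timeout_demo() -> Dict[str, List[Key]]:
    table = SessionTable()
    table.open(ICMP_KEY, "icmp", now=0)
    table.open(TCP_KEY, "tcp", now=0)
    out = {"t2": table.expire(2), "t3": table.expire(3)}  # ICMP entry gone at 3 s
    table.teardown(TCP_KEY, now=10)                        # RST seen at t=10
    out["t69"] = table.expire(69)                          # mapping still live
    out["t70"] = table.expire(70)                          # gone 60 s after the RST
    return out


if __name__ == "__main__":
    print(timeout_demo())
```

The point the timeline makes is that a torn-down TCP mapping is still in the table, and still reachable from the outside address, for the full finrst-timeout after the reset; shorten it with config nat finrst-timeout if that window matters in your environment.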
Table 28 describes the commands used to configure timeout periods.
Table 28: NAT Timeout Commands

Command                               Description
config nat finrst-timeout <seconds>   Configures the timeout for a TCP session that has been torn down or reset. The default setting is 60 seconds.
config nat icmp-timeout <seconds>     Configures the timeout for an ICMP packet. The default setting is 3 seconds.