1999/6/29

ComOS 3.9b10 Open Beta Release Note


Introduction

The new Lucent Technologies ComOS(R) 3.9b10 software release is now available for open beta for the PortMaster(R) 2, PortMaster 25, and PortMaster IRX(TM).

WARNING! Due to the increased size of ComOS, the amount of nonvolatile RAM (NVRAM) available for saving configurations has been reduced from 128KB to 64KB. PortMaster products with configurations greater than 64KB will lose some of their configuration. For this reason, be sure to back up your PortMaster configuration before upgrading to this release.

NOTE: Any PortMaster running ComOS 3.9b10 requires 4MB of dynamic RAM (DRAM). Use 16MB if running the Border Gateway Protocol (BGP).

This open beta release is provided at no charge to all Lucent customers.

This open beta release is recommended only for customers who wish to test the new functionality before the release of ComOS 3.9.

This release note documents commands and features added between ComOS 3.7.2 and ComOS 3.9b10 on the PortMaster 2, PortMaster 25, and PortMaster IRX. This release note applies only to the PortMaster 2, PortMaster 25, and PortMaster IRX.

NOTE: Command syntax for new commands may change between this open beta release and the general availability (GA) release of ComOS 3.9.

Before upgrading, thoroughly read "Limitations" and "Upgrade Instructions."


Bugs Fixed in ComOS 3.9b10

* Previously, if one NAT map did not exist, neither NAT map was used. As a fix, the ComOS now checks for the existence of the map when it is set for a user/location/interface at the command line. If RADIUS is used to specify the NAT maps, no checking takes place.

* NAT inbound maps now work. These failed in ComOS 3.9b5.

* The "show table location" command now shows the full location name.

* Unauthorized telnet connections are now timed out after 2 minutes.

* The attributes associated with the user are now deleted when the user entry is deleted. For example, if a network user (netuser) named lee configured with NAT is deleted, the old NAT configuration parameters are no longer listed for any new user named lee.


Reconfiguring NVRAM

After loading the new ComOS 3.9b10 and rebooting, look for messages like the following on the console screen to verify that ComOS has loaded successfully:


Testing System Memory.... 1024K
Checking Boot Rom....
Calibrating.... 33MHz
Starting FLASH Boot.....
Loading Image at 0fff0000
17110 flash copy complete
Verifying Load Module Checksum...
Starting Load Module ...
Loading kernel... 691260 bytes
Testing High Memory ... . 4096K
Loading kernel extensions... 125952 bytes
Async found in slot 1
Found 11 ports....
ether0 active ... 16K shared-RAM
Reconfiguring FLASH...

Malloc size 65534 at 18a208
Opened modules STD file
Read 64506 bytes at 18a208
read 1 buffers
Call flash format
Call freecntl
Call save
Call f_open
Write 64506 bytes at 18a208

done - rebooting


New Features in ComOS 3.9b10

The following commands and features have been added in ComOS 3.9b10.


Network Address Translator (NAT)

ComOS 3.9b10 supports the network address translator (NAT) based on the latest IETF NAT document draft-ietf-nat-traditional-01.txt.

The basic network address translator (basic NAT) maps IP addresses from one group to another, transparently to users and applications. The network address port translator (NAPT) is an extension to basic NAT, in which multiple network addresses and their TCP and UDP ports are mapped to a single network address and its ports.

ComOS supports both basic NAT and NAPT for both outbound and inbound sessions. It also supports an "outsource" mode where all NAT processing is done on the server-side of the connection.

See the section titled "Configuring NAT" for more information.


Assigned IP for Dial-Out Locations

Use the following command to configure a dial-out location on the PortMaster to receive a dynamically assigned address:

set location Locname local-ip-address assigned

Locname		Name of a location table entry.

In previous releases of ComOS for the PortMaster 2, PortMaster 25, and PortMaster IRX, dial-out locations could not receive a dynamic address.


Enhanced PMVision Support

Additional support has been added to ComOS 3.9b10 to allow PMVision(TM) to monitor and configure PortMaster features. See the most recent PMVision release note for details.


Configuring NAT

ComOS 3.9b10 supports the network address translator (NAT) based on the latest IETF NAT document draft-ietf-nat-traditional-01.txt. The basic network address translator (basic NAT) capability maps IP addresses from one group to another, transparently to users and applications. The network address port translator (NAPT) capability is an extension to basic NAT in which multiple network addresses and their TCP and UDP ports are mapped to a single network address and its ports.

ComOS supports both basic NAT and NAPT for both outbound and inbound sessions. It also supports an "outsource" mode in which all NAT processing is done on the server-side of the connection.

NOTE: While this release note covers the PortMaster 2, PortMaster 25, and PortMaster IRX only, other PortMaster products also support NAT and might be used in the examples in this section. None of the IP addresses or networks used in the examples are intended to refer to any actual real-world company or network assignment.

Quick Setup of Outbound NAPT ("Many-->One")

Outbound NAPT is very common in a small office/home office (SOHO) situation. To configure, use the following command---entered all on one line:
    set Ether0 | S0 | W1 | location Locname | user Username
    nat outmap defaultnapt

The port or location is your connection to the outside world. For example, on a PortMaster dialing out to location "myisp" you enter the following:

    set location myisp nat outmap defaultnapt

Then connect normally. You must reset the port if the connection has already been established. If this is a dial-on-demand location, then you must also reboot the PortMaster, or follow the instructions listed below under "Handling Changes to On-Demand Locations."

With the "defaultnapt" NAT configuration, all the hosts behind the PortMaster will have their addresses translated to the IP address of the interface that is assigned to the location.

Concepts

This section explains some of the NAT terminology and provides hints to assist you in developing more complex NAT configurations in ComOS.

For example, you might want to allow inbound connections---external connections into a web server that resides behind the PortMaster running NAT. Or you might need to renumber your network and want to use basic NAT to avoid renumbering the entire network.

Private vs. Global IP Addresses:

Global IP addresses are accessible from anywhere on the Internet. They are "external" to the PortMaster running NAT---at another branch office, for example, because NAT is not limited to the Internet. External hosts do not generally recognize any internal private IP addresses that you might have assigned to your local hosts. Private IP addresses are usually taken from one of the following ranges defined in RFC 1918, which are reserved specifically for this purpose:

    10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
    172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
    192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Lucent strongly recommends numbering your private IP network(s) with IP addresses from one of the reserved ranges rather than just selecting IP addresses randomly.

Inbound vs. Outbound Sessions:

A "session" in NAT is considered either inbound or outbound:

* An inbound session is initiated to a client behind the NAT router by a host external to a private IP network.

* An outbound session is initiated to an external host by a client within the NAT-covered private IP network.

Basic NAT vs. NAPT:

Basic NAT does a one-to-one mapping of a private IP address to a global IP address. You still must have a global IP address for every host with a private IP address that needs to connect to an external host at the same time.

With basic NAT, you can configure dynamic IP address pools from which IP address allocations are made, allowing a number of private hosts to use a (possibly) smaller pool of global IP addresses. Or you can configure static IP address pools in which a static mapping exists for each host, requiring the size of the pool to match the number of hosts being translated.

If you configure a dynamic pool and have fewer global IP addresses available than total private hosts, you will have a shortage of IP addresses if all the hosts try to access the external network simultaneously. This possibility needs to be accounted for in your planning.

The network address port translator (NAPT) performs "port translation," allowing a number of hosts to communicate globally using only a single global IP address.

Outsource Mode NAT:

Outsource mode NAT allows a PortMaster to handle NAT processing and management for a connected network interface. If a remote router that the PortMaster is connected to cannot run NAT locally, the PortMaster can perform NAT services for that device.

All NAT configuration is handled on the PortMaster. A central site administrator can maintain all NAT mappings for all sites on the PortMaster without having to worry about the capabilities or management of a number of entirely separate routers.

Map Management

NAT maps define the mappings and translations between global and private IP address space. The following map table commands are supported:
   show table map		Shows all map files.
   show map Mapname		Displays a map's contents.
   add map Mapname		Creates a new map.
   delete map Mapname		Deletes a map.
   save map			Saves map contents into nonvolatile RAM.

NOTE: In this release of NAT, inbound maps are restricted to static address maps and/or static TCP/UDP port maps only. Outbound maps do not have this limitation.

See the following section for map configuration commands.

Configuring Map Contents

Entering NAT maps is very similar to configuring filters in ComOS. The basic command "set map Mapname" has five versions that you can use as follows---entered all on one line:

1. To define a single dynamic pool IP address map entry or a range or list of entries, use the following command:

    set map Mapname Rulenumber addressmap Ipaddrxfrom Ipaddrxto | @ipaddr [log]

2. To define a single static pool IP address map entry or a range or list of entries, use the following command:

    set map Mapname Rulenumber staticaddrmap Ipaddrxfrom Ipaddrxto | @ipaddr [log]

3. To define a static or dynamic TCP or UDP port range map entry or list of entries, use the following command:

    set map Mapname Rulenumber statictcpudpportmap Ipaddrxfrom:Tport1 | Uport1 | Portname Ipaddrxto:Tport2 | Uport2 | Portname [log]

4. To remove rule Rulenumber from a map file, use the following command:

    set map Mapname Rulenumber

5. To empty the contents of a map file, use the following command:

    set map Mapname blank
Mapname		Address map name of up to 15 characters.
Rulenumber	Integer between 1 and 20.
Ipaddrxfrom	IP address, or range or list of IP addresses, to be translated.
Ipaddrxto	IP address, or range or list of IP addresses, to translate to.
Tport		TCP port number or range of numbers---between 1 and 65535.
Uport		UDP port number or range of numbers---between 1 and 65535.
Portname	One of the following:
		telnet	TCP port 23.
		ftp	TCP ports 20 and 21.
		tftp	UDP port 69.
		http	TCP port 80.
		dns	TCP/UDP port 53.
		smtp	TCP port 25.
@ipaddr		IP address of the port being configured.
log		Selectively logs events for this map entry.

The following keywords have abbreviations for ease of entry:

    addressmap = am
    staticaddrmap = sam
    statictcpudpportmap = stupm

Values for "Ipaddrxfrom" and "Ipaddrxto" can be a combination of the following, separated by commas (,):

     IP address/mask
     IP address - IP address
     IP address1,IP address2, ...
     IP address

The value for "Tport" or "Uport" can be a single port number or a range of ports such as "6000-6010" (for an inbound X server) that you want statically mapped. This capability saves you from needing multiple map rules to accomplish the same mapping.

Address mapping is applied to the first packet of the NAT session. When an inbound address map is defined for a port with this command, the translation succeeds only when the destination IP address of the first packet matches the "Ipaddrxfrom" address in the command.

Example 1:

An Office Router with IP address 192.168.129.129 is running NAT on a connection using the location "myisp".

1. Configure rule 1 for inbound NAT map myisp.inmap:

    set map myisp.inmap 1 statictcpudpportmap 192.168.129.129:http
	10.1.1.25

2. Configure the location:

    set location myisp nat inmap myisp.inmap

    BEFORE Inbound packet translation:

    Src: 130.65.2.3:12023  Dest: 192.168.129.129:80 (80 is http)

    AFTER translation using the above map:

    Src: 130.65.2.3:12023  Dest: 10.1.1.25:80 (80 is http)

Using the "Ipaddrxfrom" and "Ipaddrxto" values for an address map allows you to configure one-to-one mappings of private IP addresses to global IP addresses. Using lists of addresses for these values allows the configuration of IP address allocation pools, from which global IP addresses can be dynamically or statically allocated for outbound sessions as they are required.

Example 2:

As a special case, the "Ipaddrxto" value for an address map can be set to "@ipaddr", when the address map is being used for outbound or outbound outsource. The special macro "@ipaddr" uses the IP address assigned to the port for which the address map is being used. The reserved map "defaultnapt" described in the section "Configuring Locations, Ports, and Users" is equivalent to the following map:

    1 addressmap 0.0.0.0/0 @ipaddr Log

Example 3:

Suppose you are using the "defaultnapt" map for outbound connections and want to allow an Internet host to connect to your internal FTP server, which is running on 10.4.2.9. To do so, you configure the following as an inbound map. You also have at least one global IP address, 192.168.2.4, assigned to your PortMaster as the global source address for all hosts residing behind NAT:

1. Configure rule 1 for inbound NAT map myisp.inmap:

    set map myisp.inmap 1 statictcpudpportmap 192.168.2.4:ftp
	10.4.2.9:ftp

2. Configure location myisp:

    set location myisp nat inmap myisp.inmap

Example 4:

Here is an outbound map that maps the host with the private IP address 10.5.3.6 to the global IP address 192.168.5.3. This is considered a basic NAT configuration. Notice that the two types of address maps are equivalent ONLY if you are mapping single IP addresses.

1. Configure rule 1 for outbound NAT map myisp.outmap:

    set map myisp.outmap 1 addressmap 10.5.3.6 192.168.5.3
        (or)
    set map myisp.outmap 1 staticaddrmap 10.5.3.6 192.168.5.3

2. Configure location myisp:

     set location myisp nat outmap myisp.outmap

Example 5:

Here is a configuration using a global dynamic IP address pool range of
192.168.9.1 through 192.168.9.10 for hosts in the private network
10.9.9.0/24 for outbound NAT:

1. Configure rule 1 for outbound NAT map myisp.outmap:

    set map myisp.outmap 1 addressmap 10.9.9.0/24 192.168.9.1-192.168.9.10

2. Configure the user, location, or port as shown in the previous
   examples.

Example 6:

The following creates a static IP address pool. The private IP address range 10.1.1.0/24 will be translated to the global IP address range 192.168.65.0/24 on the outbound transmission:

1. Configure rule 1 for outbound NAT map myisp.outmap:

    set map myisp.outmap 1 staticaddrmap 10.1.1.0/24 192.168.65.0/24

2. To allow inbound sessions to the same set of hosts, create an
inbound map such as the following and apply it to the port:

    set map myisp.inmap 1 staticaddrmap 149.98.65.0/24 10.1.1.0/24

Note that both sides do not have to be using the same notation---the standard "Ipaddrxfrom" and "Ipaddrxto" syntax still applies. However, the total ranges on both sides must have the same number of IP addresses; otherwise, a one-to-one mapping is not possible. If you cannot do one-to-one mapping, create a dynamic IP pool, reduce the number of IP addresses being translated, or perhaps use NAPT for all or part of the private hosts instead.

Although you have NAT configured for a specified port, user, or location, you are not required to translate the addresses of all the hosts behind the PortMaster running NAT. You can choose the hosts for which NAT processing is done by designing your maps around them.
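The following Python model is an added example, not ComOS code, and is meant to make the planning rules above concrete before a map is typed into a PortMaster: it expands the four "Ipaddrxfrom"/"Ipaddrxto" notations (prefix, dash range, comma list, single address), checks that a "staticaddrmap" rule really is one-to-one (equal address counts on both sides, as the note under Example 6 requires), and simulates a dynamic "addressmap" pool so that the address shortage described under "Basic NAT vs. NAPT" becomes visible. The class and function names, the first-free allocation order, and the treatment of a prefix as every address in the block (network and broadcast included) are assumptions of this example; sample addresses are constructed, taken from Examples 5 and 6 above.

```python
"""Model of ComOS NAT address-map semantics (added example, not ComOS code).

Parses the four Ipaddrxfrom/Ipaddrxto notations from the release note,
checks that a staticaddrmap rule is one-to-one, and simulates a dynamic
addressmap pool so that an address shortage is visible before deployment.
"""
import ipaddress
from typing import Dict, List, Optional


def parse_addr_spec(spec: str) -> List[ipaddress.IPv4Address]:
    """Expand an Ipaddrxfrom/Ipaddrxto value into an ordered address list.

    Accepted forms (all sample values are constructed):
      "10.1.1.0/24"               prefix (whole block, assumption)
      "192.168.9.1-192.168.9.10"  dash range
      "10.1.1.5,10.1.1.7"         comma list
      "10.5.3.6"                  single address
    """
    addrs: List[ipaddress.IPv4Address] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in address spec %r" % spec)
        if "/" in item:
            # strict=False accepts host-in-prefix notation such as the
            # 192.168.129.129/29 block of NAT Example 6 and expands the block.
            addrs.extend(ipaddress.ip_network(item, strict=False))
        elif "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo = ipaddress.ip_address(lo_text.strip())
            hi = ipaddress.ip_address(hi_text.strip())
            if hi < lo:
                raise ValueError("range %r runs backwards" % item)
            addrs.extend(ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1))
        else:
            addrs.append(ipaddress.ip_address(item))
    return addrs


def check_static_map(private_spec: str, global_spec: str) -> Dict[str, object]:
    """Validate a staticaddrmap rule: one-to-one needs equal address counts."""
    priv = parse_addr_spec(private_spec)
    glob = parse_addr_spec(global_spec)
    one_to_one = len(priv) == len(glob)
    # Positional pairing: the n-th private address maps to the n-th global one.
    pairs = {str(p): str(g) for p, g in zip(priv, glob)} if one_to_one else {}
    return {"private": len(priv), "global": len(glob),
            "one_to_one": one_to_one, "pairs": pairs}


class DynamicPool:
    """Dynamic addressmap pool: a private host takes the first free global
    address and keeps it until released; an empty pool counts as a shortage
    (the address-shortage case that "show nat statistics" reports)."""

    def __init__(self, private_spec: str, global_spec: str) -> None:
        self.private = set(parse_addr_spec(private_spec))
        self.free = parse_addr_spec(global_spec)   # ordered free list
        self.bindings: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = {}
        self.shortages = 0

    def translate(self, src: str) -> Optional[str]:
        """Return the global address for src, or None (uncovered host or shortage)."""
        host = ipaddress.ip_address(src)
        if host not in self.private:
            return None                  # not on the map's Ipaddrxfrom side
        if host in self.bindings:
            return str(self.bindings[host])
        if not self.free:
            self.shortages += 1          # more private hosts than pool addresses
            return None
        glob = self.free.pop(0)
        self.bindings[host] = glob
        return str(glob)

    def release(self, src: str) -> None:
        """End a session: return the host's global address to the pool."""
        glob = self.bindings.pop(ipaddress.ip_address(src), None)
        if glob is not None:
            self.free.append(glob)
```

Running check_static_map on the Example 6 rule ("10.1.1.0/24" to "192.168.65.0/24") reports 256 addresses on each side, while pairing a /24 with the ten-address range of Example 5 reports one_to_one as false, which is the case the release note tells you to resolve with a dynamic pool, fewer translated hosts, or NAPT.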

Configuring Locations, Ports, and Users

The basic command "set Ether0 | S0 | W1 | location Locname | user Username" has five NAT versions that you can use as follows---entered all on one line---to configure the NAT connection to the outside world:

1. To set the maximum idle time for a NAT session, use the following command:

    set Ether0 | S0 | W1 | location Locname | user Username nat sessiontimeout tcp | other Number [minutes | seconds]

2. To set logging options for a NAT session on an interface, use the following command:

    set Ether0 | S0 | W1 | location Locname | user Username nat log sessionfail | sessionsuccess | syslog | console on | off

3. To set the default action that the PortMaster takes if a request for a NAT session is refused because the mapping configuration is invalid or does not exist, use the following command:

    set Ether0 | S0 | W1 | location Locname | user Username nat session-direction-fail-action drop | icmpreject | passthrough

    You can abbreviate "session-direction-fail-action" to "sdfa" for ease of entry.

4. To set the direction of an address map as inbound and optionally enable the outsource function, use the following command:

    set Ether0 | S0 | W1 | location Locname | user Username nat inmap Mapname [outsource]

5. To set the direction of an address map as outbound and optionally enable the outsource function, use the following command:

    set Ether0 | S0 | W1 | location Locname | user Username nat outmap Mapname [outsource]

Entering the command without the Mapname value removes the map entry.

You can assign the reserved map name "defaultnapt" to "outmap" for an outbound-only NAPT configuration, with the following results:

* When "defaultnapt" is assigned as an outbound map without the "outsource" option, all outbound IP sessions through the given port are subject to NAPT, using the IP address assigned to the port.

* When "defaultnapt" is assigned as an outbound map for the outsource port---using "outsource" in the command line---all outbound IP sessions (with respect to the calling device) through the given port are subject to outsource NAPT and use the IP address assigned to the port.
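The next block is an added Python example, not ComOS code, that ties the "statictcpudpportmap" inbound rules of Examples 1 and 3 in "Configuring Map Contents" to the "session-direction-fail-action" setting from item 3 above. It applies the rule to the first packet of an inbound session, translating the destination only when that packet's destination address and port match the "Ipaddrxfrom" side, and otherwise returns the configured fallback ("drop", "icmpreject", or "passthrough"). The Packet and PortMapRule types, lowest-rule-number-first matching, and the requirement that a port range on the "Ipaddrxto" side has as many ports as the "Ipaddrxfrom" side are assumptions of this example; the packets are the constructed ones shown in Example 1.

```python
"""Model of an inbound statictcpudpportmap lookup on the first packet of a
session, with the session-direction-fail-action fallback (added example,
not ComOS code)."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Portname keywords and the ports they stand for, as listed in the release note.
PORTNAMES = {"telnet": (23,), "ftp": (20, 21), "tftp": (69,),
             "http": (80,), "dns": (53,), "smtp": (25,)}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_ports(text: str) -> Tuple[int, ...]:
    """'http' -> (80,), '6000-6010' -> (6000, ..., 6010), '23' -> (23,)."""
    if text in PORTNAMES:
        return PORTNAMES[text]
    if "-" in text:
        lo, hi = (int(p) for p in text.split("-", 1))
        ports = tuple(range(lo, hi + 1))
    else:
        ports = (int(text),)
    if not ports or ports[0] < 1 or ports[-1] > 65535:
        raise ValueError("port value %r outside 1-65535" % text)
    return ports


@dataclass(frozen=True)
class PortMapRule:
    """One 'Rulenumber statictcpudpportmap From:Ports To[:Ports]' entry (assumed type)."""
    number: int
    from_ip: str
    from_ports: Tuple[int, ...]
    to_ip: str
    to_ports: Tuple[int, ...]   # positionally paired with from_ports


def parse_rule(number: int, from_spec: str, to_spec: str) -> PortMapRule:
    """Build a rule from the two endpoint strings of the set map command."""
    from_ip, from_port_text = from_spec.split(":", 1)
    from_ports = parse_ports(from_port_text)
    if ":" in to_spec:
        to_ip, to_port_text = to_spec.split(":", 1)
        to_ports = parse_ports(to_port_text)
    else:
        # No port on the Ipaddrxto side (Example 1): keep the original port.
        to_ip, to_ports = to_spec, from_ports
    if len(to_ports) != len(from_ports):
        raise ValueError("rule %d: port counts differ on the two sides" % number)
    return PortMapRule(number, from_ip, from_ports, to_ip, to_ports)


def translate_inbound(rules: List[PortMapRule], pkt: Packet,
                      sdfa: str) -> Tuple[str, Optional[Packet]]:
    """Apply the inbound map to the first packet of a session.

    Returns (action, packet): "translated" with the rewritten destination, or
    the session-direction-fail-action when no rule matches: "drop" and
    "icmpreject" carry no packet, "passthrough" returns it unchanged.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if pkt.dst_ip == rule.from_ip and pkt.dst_port in rule.from_ports:
            new_port = rule.to_ports[rule.from_ports.index(pkt.dst_port)]
            return "translated", replace(pkt, dst_ip=rule.to_ip, dst_port=new_port)
    if sdfa == "passthrough":
        return "passthrough", pkt
    if sdfa in ("drop", "icmpreject"):
        return sdfa, None
    raise ValueError("unknown session-direction-fail-action %r" % sdfa)


# Example 1 from "Configuring Map Contents", as constructed sample input.
RULES = [parse_rule(1, "192.168.129.129:http", "10.1.1.25")]
FIRST_PACKET = Packet("130.65.2.3", 12023, "192.168.129.129", 80)
```

With "drop" configured, a first packet to 192.168.129.129:25 (no rule) is silently discarded, while the same packet under "passthrough" is forwarded untranslated, which is why NAT Example 3 in this note switches the SDFA to passthrough when a remapped host is expected to originate its own sessions.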

Using RADIUS

Many NAT configuration parameters can also be configured via RADIUS on a per-user basis. For RADIUS to support the new vendor-specific attributes, you must be running Lucent RADIUS server 2.1, Lucent PortAuthority, or another RADIUS server that supports vendor-specific attributes.

The following attributes and values are included in the RADIUS 2.1 dictionary:

RADIUS Dictionary Updates:

ATTRIBUTE	LE-NAT-TCP-Session-Timeout	14	integer	Livingston
ATTRIBUTE	LE-NAT-Other-Session-Timeout	15	integer	Livingston
ATTRIBUTE	LE-NAT-Log-Options		16	integer	Livingston
ATTRIBUTE	LE-NAT-Sess-Dir-Fail-Action	17	integer	Livingston
ATTRIBUTE	LE-NAT-Inmap			18	string	Livingston
ATTRIBUTE	LE-NAT-Outmap			19	string	Livingston
ATTRIBUTE	LE-NAT-Outsource-Inmap		20	string	Livingston
ATTRIBUTE	LE-NAT-Outsource-Outmap		21	string	Livingston

VALUE		LE-NAT-Sess-Dir-Fail-Action	Drop		1
VALUE		LE-NAT-Sess-Dir-Fail-Action	ICMP-Reject	2
VALUE		LE-NAT-Sess-Dir-Fail-Action	Pass-Through	3

VALUE		LE-NAT-Log-Options	Session-Success-On	1
VALUE		LE-NAT-Log-Options	Session-Failure-On	2
VALUE		LE-NAT-Log-Options	Console-On		3
VALUE		LE-NAT-Log-Options	Syslog-On		4
VALUE		LE-NAT-Log-Options	Success-Off		5
VALUE		LE-NAT-Log-Options	Failure-Off		6
VALUE		LE-NAT-Log-Options	Console-Off		7
VALUE		LE-NAT-Log-Options	Syslog-Off		8

Each RADIUS parameter corresponds to its command line equivalent. Refer to the usage information on a particular NAT command in this release note for more information.

When configuring a user profile, be sure to list multiple occurrences of the LE-NAT-Log-Options attribute, which sometimes requires multiple values, in the order in which the values are listed in the RADIUS 2.1 dictionary---the order shown above. For example:

joe	Auth-Type = System, Framed-Protocol = PPP
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	LE-NAT-Outsource-Outmap  = "defaultnapt",
	LE-NAT-Sess-Dir-Fail-Action = Drop,
	LE-NAT-Log-Options = Session-Failure-On,
	LE-NAT-Log-Options = Console-On

Session Management

NAT sessions can be managed, viewed, and reset in several ways.

You can display the currently active NAT sessions with the following command:

show nat sessions

You can limit the display to the sessions for a single port, user, or location by appending a regular expression at the end of the command line, as you can do with the "show routes" command.

You can also view real-time statistics on NAT:

show nat statistics

This command displays statistics on a per port basis, including successful translations, failures, address shortages when you are using IP pools, and unsuccessful translations and/or lookups due to timeouts.

Use the following command for debugging and to see resource usage:

show nat mapusage

This command displays a list of active IP address and port bindings, including a list of the remaining resources---TCP/UDP ports or IP addresses---available for use.

Resetting NAT Sessions

You can reset the entire NAT subsystem with the following command:

reset nat [Ether0 | S0 | W1]

The default resets all existing NAT sessions on the PortMaster---like the "reset all" command. Specifying the name of an interface resets all NAT sessions associated with the specified interface. Use the "ifconfig" command to see a list of interfaces.

CAUTION! Resetting any or all interfaces while sessions are active might cause active connections on clients and servers to be left open or terminated abruptly. Lucent recommends NOT entering this command while the PortMaster is being used because doing so can leave connections in an unknown state between the two communicating hosts.

Resetting NAT affects already active NAT sessions only. If the NAT configuration on an active port has been modified, you must reset the port directly.

Resetting Individual NAT Sessions

You can delete individual NAT sessions by using the session ID. This value is displayed in the first column of a "show nat sessions" output. Determine the session ID, and then enter the following command:

delete nat sessions [Sessionid]

Administrative Concerns

Be aware that you might need to do the following when configuring your network in the presence of a NAT.

Stopping the Advertisement of Routing Information:

NAT creates a private network that cannot be advertised outside the private boundary delimited by the NAT router. As a result, you must be sure to disable network advertisements on the NAT router's global interface.

For example if you are running NAT on an IRX-211, with Ether0 as your private interface and Ether1 as your global interface with NAT enabled on it, you must disable RIP broadcasts:

set ether1 rip listen

Or use the "off" option if you do not need to listen to route updates at all.

If you are using OSPF, you must specify the private IP address range as "quiet":

set ospf area 0.0.0.0 range 10.0.0.0/8 quiet

If you are using BGP, you must not advertise any private IP address blocks to the outside world.

Rerouting Global IP Addresses Used by NAT to Static Routing:

Because NAT is not equipped to advertise routing, the global IP addresses (or networks) used by NAT, might require the addition of static routes on the routers that are external peers of the PortMaster.

Particularly, if you are using basic NAT to manage a pool of global addresses, you must configure a static route for the pool of addresses on the next-hop router of the PortMaster.

Avoiding Ethernet LANs:

NAT does not provide Ethernet ARP services for the global IP addresses it uses. For this reason, Lucent recommends that NAT be configured on WAN interfaces instead of Ethernet interfaces. If you choose to configure basic NAT on a LAN interface, be sure to select for use with NAT a global IP address block that does not fall within the same network prefix of the LAN interface itself.

Determining If Additional Security, Privacy, and/or Firewalls Are Needed:

Security is viewed differently in different environments. Many people view NAT as a one-way (session) traffic filter, restricting sessions from external hosts into their network. In that context, NAT provides a certain degree of security that might be acceptable for your situation.

In addition, address assignment in NAT is often done dynamically. Dynamically assigned addresses can often hinder an attacker from pointing to any specific host in the NAT domain as a potential target of attack. Partial privacy is gained because tracing an individual connection to a particular user is more difficult. You can use firewalls with NAT maps to provide other ways to filter unwanted traffic. However, NAT maps cannot by themselves transparently support all applications and often must co-exist with application-level gateways (ALGs)---for example, SOCKS. If you use NAT, you must determine the application requirements first so that you can assess the extensions to NAT and the security they provide.

NAT routers have a security limitation that allows NAT and/or its application-level gateway extensions to read the packet data in the end user traffic that passes through them. This limitation is a security problem if the NAT routers are not in a trusted boundary.

Although you can encrypt NAT traffic, NAT must usually be the end point to such an encryption-decryption setup. For example, you cannot configure end-to-end IP security (IPSec) with NAT routers in between. The end point(s) must be a router running NAT.

Lucent does not guarantee NAT as a complete security solution. Although placing your private network behind NAT might make it seem inaccessible to the outside, this is not the intention of NAT. You must evaluate the particular configuration, network topology, and security requirement of your organization to determine whether simply installing NAT eliminates the need for further security measures such as a firewall.

Mapping for DNS:

When configuring DNS on the hosts behind NAT, if you add a map similar to the following on the internal interface---usually Ether0 on an Office Router---you can enter the IP address of your Office Router as the DNS server. This is a useful feature if you do not always have the same DNS server, because of multiple providers, but do not want to reconfigure all your private hosts. Use the following commands---enter each all on one line:

    set map dns.inmap 1 statictcpudpportmap
    	@ipaddr:dns Primary_DNS_Ipaddress
    set ether0 nat inmap dns.inmap
    set location Locname nat outmap defaultnapt

Handling Changes to On-Demand Locations:

Because of the way that on-demand locations and their corresponding interfaces are traditionally handled within ComOS, NAT configuration changes might not take effect in the way you expect. To get around this problem, you can either reboot immediately after changing the settings for a location that is currently set to on-demand, or do the following:

  1. Enter "set location Locname maxports 0".
  2. Enter "reset dialer".
  3. Change whatever settings you need to.
  4. Enter the following:

set location Locname maxports Original_maxports_value

Manually dialed locations are unaffected.

NAT Examples

1. Dial-Out Location Using defaultnapt with a Dynamically Assigned PPP
    IP Address:

Your Office Router OR-U is dialing in to a corporate network's
PortMaster 3 (192.168.2.5). The PortMaster 3 has one dynamically
assigned IP address for the Office Router in a NAPT configuration.
Everything behind the Office Router is subject to NAPT. You configure
the Office Router as follows:

    add location corporate
    set location corporate phone 5558583
    set location corporate username joeuser
    set location corporate password secrets
    set location corporate destination 192.168.2.5
    set location corporate max 2
    set location corporate idle 15 minutes
    set location corporate on-demand
    set location corporate local-ip-address assigned
    set location corporate nat outmap defaultnapt

2. Preventing Address Renumbering with Basic NAT on an Office Router:

Company ABC, Inc. (198.34.4.0/24) has just merged with Big Company
(25.0.0.0/8) and must renumber its hosts to access Big Company's
network. ABC has an ISDN connection from its Office Router to Big
Company's network. Big Company has just assigned ABC the IP range
25.9.1.0/24 to use. ABC configures its Office Router as follows:

    add map abc.outmap
    set map abc.outmap 1 addressmap 198.34.4.0/24 25.9.1.0/24
    add location bigcomp
    set location bigcomp phone 5558583
    set location bigcomp username abc
    set location bigcomp password bigsecret
    set location bigcomp destination 25.1.1.7
    set location bigcomp max 2
    set location bigcomp idle 15 minutes
    set location bigcomp on-demand
    set location bigcomp local-ip-address 25.9.1.254
    set location bigcomp nat outmap abc.outmap

The abc.outmap NAT map will assign IP addresses dynamically
as needed. If ABC wants to have static translations, abc.outmap
on the Office Router must be changed as follows:

    set map abc.outmap 1 staticaddrmap 198.34.4.0/24 25.9.1.0/24

3. Address Redirection to Perform Server Maintenance Using an IRX-211:

The following two servers on your Ether1 provide inbound FTP and Web
service:

* primary.web.com at 129.65.2.1

* backup.web.com at 129.65.2.2

The IP addresses of primary and backup are global IP addresses.
However, you need to take primary off-line to perform some maintenance
work. Just before shutting down primary, you configure an inbound map
on Ether0 that statically maps primary's address to backup. You use a
basic NAT setup as follows:

    add map ether0.inmap
    set map ether0.inmap 1 addressmap 129.65.2.1 129.65.2.2
    set ether0 nat inmap ether0.inmap
    reset nat

As part of this configuration, you might also want to set the NAT
session-direction-fail-action (SDFA) to passthrough:

    set ether0 nat sdfa passthrough

This setting prevents NAT from intercepting outbound packets from the
remapped host when primary returns to service and you want to run a
telnet or FTP session from it.

4. T1 or Fractional T1 WAN Link Using defaultnapt for Outbound and
   Providing Inbound HTTP Service:

Line1 on your PortMaster 3 is a T1 (WAN) link with a private network
10.0.0.0/8 behind it. The T1 point-to-point interfaces are numbered
with global addresses (local: 192.168.44.99, dest: 192.168.44.254). The
HTTP server in the private network resides at 10.1.1.10. You configure
the PortMaster 3 as follows:

    set w24 address 192.168.44.99
    set w24 destination 192.168.44.254
    set w24 nat outmap defaultnapt
    add map w24.inmap
    set map w24.inmap 1 statictcpudpportmap 192.168.44.99:http 10.1.1.10:http
    set w24 nat inmap w24.inmap
    reset w24

5. Dial-In User Using defaultnapt in Outsource Mode:

You want to provide NAT service to a user by connecting him or her in
an outsource-mode NAPT configuration using the defaultnapt map on a
PortMaster 3 (192.168.96.162). The global IP address 192.168.129.130 is
assigned to the dial-up router and will be used to run NAT from.
Because this configuration uses the defaultnapt map, you do not need to
account for the IP addresses that the client's network is using. You
configure the PortMaster 3 as follows:

    add netuser joeuser
    set user joeuser password mysecret
    set user joeuser max 2
    set user joeuser protocol ppp
    set user joeuser destination 192.168.129.130
    set user joeuser local-ip-address 192.168.96.162
    set user joeuser nat outmap defaultnapt outsource

No NAT configuration is required on the dial-up router (client) side.
If the client also wants to run an FTP server with a private IP address
of 192.168.5.1 on his network and have it accessible globally, you can
configure further as follows:

    add map joeuser.inmap
    set map joeuser.inmap 1 stupm 192.168.129.130:ftp 192.168.5.1:ftp
    set user joeuser nat inmap joeuser.inmap outsource

6. Dial-Out Location using a Dynamic IP Address Basic NAT Map:

Your ISP gives you a small address block (192.168.129.129/29), but you
have more hosts than global IP addresses available. You do not want to
request more global IP addresses because of the added expense. In
addition, because not all workstations use the connection at the same
time, additional addresses will be wasteful. You want to use a dynamic
IP address pool map instead. You configure your PortMaster as follows:

    add map isp.outmap
    set map isp.outmap 1 addressmap 10.1.1.0/24 192.168.129.129/29
    add location isp
    set location isp phone 5558583
    set location isp username mycompany
    set location isp password bigsecret
    set location isp destination negotiated
    set location isp max 2
    set location isp continuous
    set location isp local-ip-address assigned
    set location isp nat outmap isp.outmap

7. Dial-Out Location Using a Static IP Address Basic NAT Map:

Your ISP gives you an address block (192.168.130.0/24). You can use a
dynamic IP address pool for your workstation IP addresses because they
do not need Internet access at the same time. However, you must give
two of your trusted systems static IP addresses for security
reasons---to perform packet filtering, for example. You configure your
PortMaster as follows:

    add map isp.outmap
    set map isp.outmap 1 addressmap 10.1.1.1 192.168.130.1
    set map isp.outmap 2 addressmap 10.1.1.2 192.168.130.2
    set map isp.outmap 3 addressmap 10.1.0.0/16 192.168.130.3-192.168.130.254
    add location isp
    set location isp phone 5558583
    set location isp username mycompany
    set location isp password bigsecret
    set location isp destination negotiated
    set location isp max 2
    set location isp continuous
    set location isp local-ip-address assigned
    set location isp nat outmap isp.outmap
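The dial-out examples above rely on two kinds of outbound map entry: fixed one-to-one translations for the trusted hosts, and a pool that workstations draw from while they have sessions open. The following Python model is an added example, not ComOS code and not part of the release note. It assumes behaviour the page does not spell out: entries are consulted in index order and the first whose local side covers the source host wins; a single global host is a fixed translation; a global range or CIDR block is a pool leased on first use and freed when the host's last session ends; and a CIDR pool excludes its network and broadcast addresses. Map contents are taken from examples 6 and 7; everything else is illustrative.

```python
"""Illustrative model of an ordered outbound basic NAT map (added example;
not ComOS code). Assumptions, not stated on the page: entries are consulted
in index order and the first whose local side covers the source host wins;
a single global host is a fixed one-to-one translation; a global range or
block is a pool leased on first use and freed when the host's last session
ends; a CIDR pool excludes its network and broadcast addresses."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IPv4 = ipaddress.IPv4Address


def parse_global(spec: str) -> List[IPv4]:
    """Global side of an addressmap entry: host, 'a-b' range, or CIDR block."""
    if "-" in spec:
        lo, hi = (IPv4(x) for x in spec.split("-", 1))
        return [IPv4(i) for i in range(int(lo), int(hi) + 1)]
    if "/" in spec:
        return list(ipaddress.IPv4Network(spec, strict=False).hosts())
    return [IPv4(spec)]


@dataclass
class MapEntry:
    local: ipaddress.IPv4Network   # hosts covered by this entry
    pool: List[IPv4]               # one address = static, several = dynamic pool
    log: bool = False              # the 'log' keyword at the end of an entry


@dataclass
class OutboundMap:
    entries: List[MapEntry]
    leases: Dict[IPv4, IPv4] = field(default_factory=dict)  # local host -> leased global
    in_use: Set[IPv4] = field(default_factory=set)
    failed: int = 0                # the kind of count "show nat statistics" reports

    def translate(self, src: str) -> Optional[str]:
        """Global source address for a new outbound session, or None on failure."""
        host = IPv4(src)
        if host in self.leases:                  # host already holds a pool address
            return str(self.leases[host])
        for entry in self.entries:
            if host not in entry.local:
                continue
            if len(entry.pool) == 1:             # static one-to-one entry
                return str(entry.pool[0])
            for g in entry.pool:                 # dynamic pool: first free address
                if g not in self.in_use:
                    self.in_use.add(g)
                    self.leases[host] = g
                    return str(g)
            break                                # entry matched but its pool is exhausted
        self.failed += 1
        return None

    def release(self, src: str) -> None:
        """Host's last session ended: return its pool address, if any."""
        g = self.leases.pop(IPv4(src), None)
        if g is not None:
            self.in_use.discard(g)


def example7_map() -> OutboundMap:
    """The three 'set map isp.outmap N addressmap ...' entries from example 7."""
    return OutboundMap([
        MapEntry(ipaddress.IPv4Network("10.1.1.1/32"), parse_global("192.168.130.1")),
        MapEntry(ipaddress.IPv4Network("10.1.1.2/32"), parse_global("192.168.130.2")),
        MapEntry(ipaddress.IPv4Network("10.1.0.0/16"),
                 parse_global("192.168.130.3-192.168.130.254")),
    ])


def example6_map() -> OutboundMap:
    """Example 6: a /24 of workstations sharing the /29 the ISP assigned."""
    return OutboundMap([
        MapEntry(ipaddress.IPv4Network("10.1.1.0/24"), parse_global("192.168.129.129/29")),
    ])


if __name__ == "__main__":
    m = example7_map()
    print("trusted host:", m.translate("10.1.1.1"))      # always 192.168.130.1
    print("workstation :", m.translate("10.1.7.7"))      # first free pool address
    small = example6_map()
    leased = [small.translate(f"10.1.1.{i}") for i in range(1, 8)]
    print("7 hosts on a /29:", leased)                   # the 7th gets None
```

Two things the model makes visible: the trusted hosts 10.1.1.1 and 10.1.1.2 always leave with the same global address, which is what makes a packet filter on the far side meaningful, while a workstation's global address depends on what was free when its first session started and changes after its address is released. When the pool runs out, the translation fails and the session is counted, which is the symptom "show nat statistics" reports in the troubleshooting tips below.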

NAT-Unfriendly Applications:

The following applications are considered NAT unfriendly, either because they embed the IP source and/or destination addresses in the packet data, are multicast or broadcast based, or rely on end-to-end node security:

* Multicast-based applications
* Routing protocols RIP and OSPF
* DNS zone transfers
* End-to-end IPSec
* Anything that embeds the IP source and/or destination address(es) into the packet data.

Debugging and Troubleshooting Tips

* Verify obvious values like correct IP addresses in map entries.

* Make sure your maps match the flow of the session (inbound or outbound). Check "show nat sessions" output to make sure the correct translations are taking place.

* Watch "show nat statistics" output for failed translations that can indicate incorrect session flow direction and possibly incomplete maps.

* Watch the source and destination IP addresses of packets going through the PortMaster. You can find a simple ptrace debug filter for this purpose in Chapter 3 of the PortMaster Troubleshooting Guide. If you are running NAT on your WAN link, look for private IP addresses that are exiting the ptp0 interface untranslated, which can indicate either a problem with your NAT maps or that NAT is not active on the port.

* Make sure that you reset the active network interface to make its NAT configuration take effect. In the case of an Ethernet interface, enter "reset nat ether0".

* If a location is set to dial-on-demand, you might need to reboot the PortMaster for configuration changes to take effect.

* If a port loses its network connectivity---the modem drops carrier---NAT maintains the state of any existing sessions ONLY if the IP address assigned to the port remains the same.

* Because of the nature of NAT operation, some applications that work under basic NAT might not work with NAPT. If you are using a particular application under NAPT and it is not working, try using basic NAT and see if the situation improves.

Logging Control

You can activate syslog and console logging on a per-port basis to identify configuration errors and for auditing purposes. Enter the following commands to configure logging to the PortMaster console of all NAT sessions that fail for any reason:

    set Ether0 | S0 | W1 | location Locname | user Username nat log sessionfail on

    set Ether0 | S0 | W1 | location Locname | user Username nat log console on

To log to syslog instead, enter "syslog" instead of "console".

Syslog messages are sent at the priority level shown in "show syslog" output. If you have not set the PortMaster global option for logging NAT information to syslog, no logging takes place, regardless of the logging options configured on any particular port. Lucent recommends that you log NAT at the same priority as packet filters:

    set syslog nat auth.notice

You can also do logging more selectively for only certain map entries by appending the "log" keyword at the end of a particular map entry you want logged. For example:

    set map abc.outmap 1 addressmap 192.168.1.1 172.16.1.1 log

Whenever a session from 192.168.1.1 is successfully translated to the global IP address 172.16.1.1 via this outbound map, a syslog message is sent to your loghost.

Here is some sample syslog output:

Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)->
 (192.168.247.6:80) translated to (192.168.129.129:20001)->(192.168.247.6:80)

Mar 24 17:29:23 nat-or NAT: ptp3: Out TCP (192.168.3.1:34178)->
 (192.168.247.6:80) translated to (192.168.129.129:20002)->(192.168.247.6:80)

Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:30:22 nat-or NAT: ptp3: Out TCP (192.168.3.1:34179)->
 (192.168.247.6:80) translated to (192.168.129.129:20003)->(192.168.247.6:80)

Mar 24 17:34:18 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 25 11:02:03 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to (255.255.255.254:20001)->(192.168.65.50:23)

Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to (192.168.129.129:20001)->(192.168.65.50:23)
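Two of the troubleshooting tips above, checking that the correct translations are taking place and watching for failed translations, can be applied to this syslog output mechanically. The following Python script is an added example, not part of the release note or of ComOS. It parses lines in the format shown above, counts successful and failed translations, reports private source ports that keep failing, and flags any outbound session whose translated source is not an address the outbound map owns. The sample lines are constructed from the output above with the wrapped lines joined, and the pool 192.168.129.129/29 is assumed from the dial-out example; both are inputs you would replace with your own.

```python
"""Audit ComOS NAT syslog lines (added example; not ComOS code).

Line format is taken from the sample syslog output in the release note. The
SAMPLE lines are constructed from that output with wrapped lines joined, and
the global pool 192.168.129.129/29 is assumed from the dial-out example."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) NAT: (?P<iface>[^:]+): "
    r"(?P<dir>In|Out) (?P<proto>\w+) \((?P<src>[\d.]+):(?P<sport>\d+)\)->"
    r"\s*\((?P<dst>[\d.]+):(?P<dport>\d+)\) "
    r"(?:translated to \((?P<xsrc>[\d.]+):(?P<xsport>\d+)\)->"
    r"\((?P<xdst>[\d.]+):(?P<xdport>\d+)\)|Xlation failed: (?P<reason>.*))$"
)

SAMPLE = [  # constructed from the sample output above, one record per line
    "Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.",
    "Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.",
    "Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)-> (192.168.247.6:80) translated to (192.168.129.129:20001)->(192.168.247.6:80)",
    "Mar 24 17:29:23 nat-or NAT: ptp3: Out TCP (192.168.3.1:34178)-> (192.168.247.6:80) translated to (192.168.129.129:20002)->(192.168.247.6:80)",
    "Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.",
    "Mar 24 17:30:22 nat-or NAT: ptp3: Out TCP (192.168.3.1:34179)-> (192.168.247.6:80) translated to (192.168.129.129:20003)->(192.168.247.6:80)",
    "Mar 24 17:34:18 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.",
    "Mar 25 11:02:03 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)-> (192.168.65.50:23) translated to (255.255.255.254:20001)->(192.168.65.50:23)",
    "Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)-> (192.168.65.50:23) translated to (192.168.129.129:20001)->(192.168.65.50:23)",
]


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """One syslog record as a dict of named fields, or None if it is not a NAT line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines: Iterable[str], global_pool: str) -> Dict[str, object]:
    """Summarise translations and failures; flag outbound sessions that leave
    with a source address outside the pool the outbound map owns."""
    pool = ipaddress.IPv4Network(global_pool, strict=False)
    report: Dict[str, object] = {"translated": 0, "failed": 0, "unparsed": 0,
                                 "unexpected_global": [], "repeat_failures": {}}
    failures: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        if rec["reason"] is not None:
            report["failed"] += 1
            failures[(rec["src"], rec["sport"])] += 1
            continue
        report["translated"] += 1
        # An outbound session should leave with a source address the map owns.
        # Anything else (255.255.255.254 in the sample) needs investigating:
        # the port may not have had its address yet, or the wrong map is bound
        # (assumption; the page does not explain that entry).
        if rec["dir"] == "Out" and ipaddress.IPv4Address(rec["xsrc"]) not in pool:
            report["unexpected_global"].append((rec["ts"], rec["src"], rec["xsrc"]))
    # The same private src:port failing repeatedly is a client retrying a
    # session whose NAT state has already expired.
    report["repeat_failures"] = {k: n for k, n in failures.items() if n > 1}
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE, "192.168.129.129/29").items():
        print(f"{key:18} {value}")
```

Run against the sample, the script shows what a reader of the raw log has to pick out by eye: four failures all from 192.168.3.1:34172 spread over six minutes, which is one client retrying a session whose NAT state timed out rather than four separate problems, and one session on Mar 25 translated to 255.255.255.254, an address outside the configured pool, followed 37 seconds later by the same private source port being translated correctly.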

Debug Commands

The following commands set ComOS debugging options for NAT:

    set debug nat-ftp on | off              Displays FTP payload processing.
    set debug nat-icmp-err on | off         Displays ICMP error payload processing.
    set debug nat-rt-interface on | off     Displays NAT configuration changes during interface binding.
    set debug nat-max on | off              Enables full NAT debugging.

Network Diagnostic Tools

Because NAT includes ICMP and UDP translation, the two most common network diagnostic tools, ping and traceroute, can still be used---with the following restrictions:

* When using NAPT, you will not be able to run traceroute or ping inbound to the private hosts because you cannot reach them directly from the outside. But you can use the tools in an outbound direction without any problems.

* When using basic NAT, you can run traceroute and ping inbound but only if you have an inbound map active. You still must include an entry for the actual host you are trying to ping or trace routes to. As with NAPT, you can do all network diagnostics in outbound mode.

References

* draft-ietf-nat-traditional-01.txt, The IP Network Address Translator (NAT)

* RFC 1918, Address Allocation for Private Internets


Limitations

* You must NOT downgrade from ComOS 3.9b10 to any other ComOS 3.9 version without first disabling IPX and OSPF. To do so, enter the following commands:

    set ospf disable
    set ipx off
    save all
    reboot

* Downgrading from ComOS 3.9b10 to ComOS 3.5 might change the Ether0 IP address.

* Entering "reset D#" to reset a D channel while a connection is active takes ISDN lines out of service (NO-SERVICE). You must reboot the PortMaster to recover.

* You cannot use Inverse ARP on a Frame Relay interface with subinterfaces. The primary Frame Relay interface does not automatically map IP addresses to data link connection identifiers (DLCIs). When you enter a "show arp frm1" command, no ARP tables appear, and the PortMaster cannot ping across the Frame Relay cloud.

* The PortMaster 2 does not send SNMP or OSPF information to PMVision.

* Inbound maps are restricted to static address maps and/or static TCP/UDP port maps only. Outbound maps do not have this limitation.

* In outsource mode, you cannot configure the PortMaster to send an ICMP reject message if it refuses a request for a NAT session. The "icmpreject" keyword does not work as a session-direction-fail-action (SDFA) in outsource NAT mode.

* A ComOS online help file is not included. The "help" command is not supported.


Upgrade Instructions

You can upgrade your PortMaster using PMVision 1.6, or pmupgrade 4.3 from PMTools. Alternatively, you can upgrade using the older programs pminstall 3.5.3, PMconsole 3.5.3, or PMconsole for Windows 3.5.1.4, or later releases. You can also upgrade using TFTP with the "tftp get comos" command from the PortMaster command line interface.

See ftp://ftp.livingston.com/pub/le/software/java/pmvision16.txt for installation instructions for PMVision 1.6.

*** CAUTION! If the upgrade fails, do NOT reboot! Contact
*** Lucent Remote Access Technical Support without rebooting.

WARNING! Due to the increased size of ComOS, the amount of nonvolatile RAM (NVRAM) available for saving configurations has been reduced from 128KB to 64KB. PortMaster products with configurations greater than 64KB will lose some of their configuration. For this reason, be sure to back up your PortMaster configuration before upgrading to this release.

Because of the increased size of the ComOS, there are now separate releases for the PortMaster 2: one for ISDN in the USA (pm2_3.9b10-usa) and one for ISDN internationally (pm2_3.9b10-intl). There is only one release each for the PortMaster 25 and PortMaster IRX, since those platforms do not require ISDN support.

Use pm2_3.9b10-usa if your ISDN switch type is one of:
* NI-1
* DMS-100
* 5ESS (Custom)
* 5ESS-PTP

Use pm2_3.9b10-intl if your ISDN switch type is one of:
* NET3
* NET3 SWISS
* VN4
* KDD
* NTT

NOTE: Any PortMaster running ComOS 3.9b10 requires 4MB of dynamic RAM (DRAM). Use 16MB if running the Border Gateway Protocol (BGP).

The installation software can be retrieved by FTP from ftp://ftp.livingston.com/pub/le/software/, and the upgrade image can be found at ftp://ftp.livingston.com/pub/le/upgrades:

ComOS           Upgrade Image   Product
_________       _____________   _____________________________________
3.9b10          pm2_3.9b10-intl PortMaster 2 (international ISDN)
3.9b10          pm2_3.9b10-usa  PortMaster 2 (USA ISDN)
3.9b10          pm25_3.9b10     PortMaster 25
3.9b10          irx_3.9b10      PortMaster IRX-111, -112, -114, -211


Copyright and Trademarks

Copyright 1999 Lucent Technologies. All rights reserved.

PortMaster, ComOS, and ChoiceNet are registered trademarks of Lucent Technologies Inc. PMVision, IRX, and PortAuthority are trademarks of Lucent Technologies Inc. PolicyFlow is a service mark of Lucent Technologies Inc. All other marks are the property of their respective owners.

Notices

Lucent Technologies Inc. makes no representations or warranties with respect to the contents or use of this publication, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Lucent Technologies, Inc. reserves the right to revise this publication and to make changes to its content, any time, without obligation to notify any person or entity of such revisions or changes.

Contacting Lucent Remote Access Technical Support

Lucent Technologies Remote Access Business Unit (previously Livingston Enterprises) provides technical support via voice, electronic mail, or through the World Wide Web at http://www.livingston.com/.

Internet service providers (ISPs) and other end users in Europe, the Middle East, Africa, India, and Pakistan should contact their authorized Lucent Remote Access sales channel partner for technical support; see http://www.livingston.com/International/EMEA/distributors.html.

For North and South America and Asia Pacific customers, technical support is available Monday through Friday from 7 a.m. to 5 p.m. U.S. Pacific Time (GMT -8). Dial 1-800-458-9966 within the United States (including Alaska and Hawaii), Canada, and the Caribbean and Latin America (CALA), or 1-925-737-2100 from elsewhere, for voice support. For email support send to support@livingston.com (asia-support@livingston.com for Asia Pacific customers).