This document provides the following information about configuring Network Address
Translation on the Enterasys Matrix® N‐Series platform.
Contents: NAT Overview; Configuring NAT
NAT Overview
This section provides an overview of NAT configuration.
Notes: NAT is currently supported on the Enterasys Matrix® N-Series products. This document
details the configuration of NAT for the Matrix N-Series products.
NAT is an advanced routing feature that must be enabled with a license key. If you have purchased
an advanced license key, and have enabled routing on the device, you must activate your license
as described in the configuration guide that comes with your Enterasys Matrix DFE or NSA product
in order to enable the NAT command set. If you wish to purchase an advanced routing license,
contact Enterasys Networks Sales.
A minimum of 256 MB of memory is required on all modules in order to enable NAT. See the
SDRAM field of the show system hardware command to display the amount of memory installed
on a module. Module memory can be upgraded to 256 MB using the DFE-256MB-UGK memory kit.
NAT Configuration
A traditional NAT configuration is made up of a private network or intranet, a public network,
and a router that interconnects the two networks. The private network is made up of one or more
hosts and devices, each assigned an inside (internal) address that is not intended to be directly
reachable from a public network host or device. The public network hosts or devices have outside
(external) uniquely registered public addresses. The router interconnecting the private and public
networks supports traditional NAT. It is NAT’s responsibility to translate the inside address to a
unique outside address so that intranet devices can communicate with the public network.
NAT allows translations between IP addresses. NAPT allows translations between multiple inside
addresses and their associated ports and a single outside IP address and its associated ports. NAT
and NAPT support both static and dynamic inside address translation.
[Figure: Traditional NAT. The NAT router joins the external public network (Server1, 200.1.1.50) and the internal private network (Client1 10.1.1.1, Client2 10.1.1.2); a packet from Client1 carries SA 10.1.1.1 on the inside and a pool address as SA on the outside, with DA 200.1.1.50 on both sides.]
Client1 Walkthrough:
A packet arrives at the NAT router from Client1 with a source address of 10.1.1.1, but leaves the
NAT router with a source address from the assigned pool, in this case: 200.1.1.2. In both cases the
destination is for Server1’s IP address of 200.1.1.50. From Server1’s point of view, Client1’s IP
address is 200.1.1.2. Server1 doesn’t know anything about its actual IP address of 10.1.1.1.
When Server1 responds to Client1, its packet arrives at the NAT router with Client1’s translated
address of 200.1.1.2 as the destination address, but leaves the NAT router with Client1’s actual
address of 10.1.1.1 as the destination address. Server1’s response is delivered to IP address 10.1.1.1.
[Figure: Dynamic NAT flows. Client1 (10.1.1.1) and Client2 (10.1.1.2) reach Server1 (200.1.1.50) through the NAT router; Client1’s source address is translated to 200.1.1.2 and Client2’s to 200.1.1.1, and Server1’s replies to those addresses are translated back to 10.1.1.1 and 10.1.1.2.]
Client2 Walkthrough:
A packet arrives at the NAT router from Client2 with a source address of 10.1.1.2, but leaves the
NAT router with the remaining available source address from the assigned pool, in this case:
200.1.1.1. In both cases the destination is for Server1’s IP address of 200.1.1.50. From Server1’s
point of view, Client2’s IP address is 200.1.1.1. Server1 doesn’t know anything about its actual IP
address of 10.1.1.2.
When Server1 responds to Client2, its packet arrives at the NAT router with Client2’s translated
address of 200.1.1.1 as the destination address, but leaves the NAT router with Client2’s actual
address of 10.1.1.2 as the destination address. Server1’s response is delivered to IP address 10.1.1.2.
Client1 Walkthrough:
A packet arrives at the NAT router from Client1 with a source address of 10.1.1.1:125, but leaves
the NAT router with a source address of 200.1.1.1:1024. In both cases the destination is for
Server1’s IP address of 200.1.1.50:80. From Server1’s point of view, Client1’s IP address is
200.1.1.1:1024. Server1 doesn’t know anything about its actual IP address of 10.1.1.1:125.
When Server1 responds to Client1, its packet arrives at the NAT router with Client1’s translated
address of 200.1.1.1:1024 as the destination address, but leaves the NAT router with Client1’s
actual address of 10.1.1.1:125 as the destination address. Server1’s response is delivered to IP
address 10.1.1.1:125.
[Figure: NAPT flows. Client1 (10.1.1.1:125) is translated to 200.1.1.1:1024 and Client2 (10.1.1.2:125) to 200.1.1.1:1025 on the way to Server1 (200.1.1.50:80); Server1’s replies to those address/port pairs are translated back to 10.1.1.1:125 and 10.1.1.2:125.]
Client2 Walkthrough:
A packet arrives at the NAT router from Client2 with a source address of 10.1.1.2:125, but leaves
the NAT router with a source address of 200.1.1.1:1025. In both cases the destination is for
Server1’s IP address of 200.1.1.50:80. From Server1’s point of view, Client2’s IP address is
200.1.1.1:1025. Server1 doesn’t know anything about its actual IP address of 10.1.1.2:125.
When Server1 responds to Client2, its packet arrives at the NAT router with Client2’s translated
address of 200.1.1.1:1025 as the destination address, but leaves the NAT router with Client2’s
actual address of 10.1.1.2:125 as the destination address. Server1’s response is delivered to IP
address 10.1.1.2:125.
The NAT implementation also supports translation of the IP address embedded in the data
portion of the following types of ICMP error message: destination unreachable (type 3), source
quench (type 4), redirect (type 5), time exceeded (type 11) and parameter problem (type 12).
Force Flows
It is sometimes possible for a host on the outside global network that knows an inside local
address to send a message directly to that inside local address without NAT translation.
The force flows feature, referred to as Secure‐Plus in the N‐Series implementation, forces all flows
between an inside NAT address and an outside NAT enabled interface to be translated.
NAT Timeouts
The maximum timeout value in seconds per flow is configurable for the following flow types:
• Dynamic translation
• UDP and TCP
• ICMP
• DNS
• FTP
Note: The maximum number of bindings and cache available should only be modified to assure
availability to functionalities that share these resources such as TWCB, NAT and LSNAT. It is
recommended that you consult with Enterasys customer support before modifying these parameter
values.
NAT Binding
A NAT flow has two devices associated with it that are in communication with each other: the
client device belonging to the inside (private) network and the server device belonging to the
outside (public) network. Each active NAT flow has a binding resource associated with it. Each
flow is based upon the following criteria:
If it is a non‐FTP NAT flow:
• Source IP Address ‐ The inside client IP address
• Destination IP Address ‐ The outside server IP address
If it is a NAPT or FTP flow:
• Source IP Address ‐ The inside client IP address
• Destination IP Address ‐ The outside server IP address
• Source Port ‐ The inside client source port
• Destination Port ‐ The outside server destination port
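The walkthroughs above, the binding criteria just listed and the Force Flows behaviour, as a constructed Python model added here (not Enterasys code): it builds NAT and NAPT bindings on the page’s keys and shows why an inbound packet aimed straight at an inside local address is only refused when Secure‐Plus is on. The pool allocation order and the 1024 starting port are chosen to reproduce the page’s figures, not the device’s internal algorithm.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int = 0   # 0 = port not used (plain NAT binds on addresses only)
    dport: int = 0

class NatRouter:
    def __init__(self, pool, overload=False, force_flows=False):
        self.pool = list(pool)          # global (outside) addresses of the NAT pool
        self.overload = overload        # True = NAPT: one global IP, a port per flow
        self.force_flows = force_flows  # Secure-Plus: no flow crosses NAT untranslated
        self.next_port = 1024           # first global port handed out for NAPT flows
        self.bind = {}                  # inside key -> outside key
        self.back = {}                  # outside key -> inside key

    def _inside_key(self, p):
        # Binding criteria from the page: (src, dst) for NAT, plus ports for NAPT.
        return (p.src, p.dst, p.sport, p.dport) if self.overload else (p.src, p.dst)

    def outbound(self, p):
        """Inside client -> outside server: translate the source, creating a binding if needed."""
        key = self._inside_key(p)
        if key not in self.bind:
            if self.overload:
                gip, gport = self.pool[0], self.next_port
                self.next_port += 1
            else:
                used = {o[0] for o in self.bind.values()}
                free = [a for a in self.pool if a not in used]
                if not free:
                    return None         # pool exhausted: no binding, flow is not forwarded
                gip, gport = free[-1], p.sport   # last free address first, as in the walkthrough
            okey = (gip, p.dst, gport, p.dport) if self.overload else (gip, p.dst)
            self.bind[key], self.back[okey] = okey, key
        gport = self.bind[key][2] if self.overload else p.sport
        return Packet(self.bind[key][0], p.dst, gport, p.dport)

    def inbound(self, p):
        """Outside -> inside: reverse an existing binding or decide what to do without one."""
        okey = (p.dst, p.src, p.dport, p.sport) if self.overload else (p.dst, p.src)
        key = self.back.get(okey)
        if key is None:
            # No binding: a packet sent straight to an inside local address is forwarded
            # untranslated unless Secure-Plus (force flows) is on; pool addresses are dropped.
            return None if (self.force_flows or p.dst in self.pool) else p
        lport = key[2] if self.overload else p.dport
        return Packet(p.src, key[0], p.sport, lport)
```

Feeding the page’s two-address pool and the NAPT pool through outbound() and inbound() reproduces the address and port mappings of the walkthroughs; inbound() with force_flows=True returns None for the untranslated case that Force Flows exists to block.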
Enabling NAT
When traffic subject to translation originates from or is destined to an interface, that interface must
be enabled for NAT. If the interface is part of the internal private network, it should be enabled as
an inside interface. If the interface is part of the external public network, it should be enabled as an
outside interface.
Configuring NAT
This section provides details for the configuration of NAT on the Matrix N‐Series products.
Table 1 lists NAT parameters and their default values.
Pool IP Address Range: Specifies the start and end of a range of IP addresses for this NAT pool. Default: None.
2. Enable any static NAT translations of inside source addresses.
   ip nat inside source static local-ip global-ip
3. Enable any static NAPT translations of inside source addresses, specifying whether the L4
   port is a TCP or UDP port.
   ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port
2. Define an access-list of permits for all inside addresses to be used by this dynamic source
   translation.
   access-list list-number {deny | permit}
3. Define a NAT address pool for all outside addresses to be used by this dynamic translation.
   ip nat pool name start-ip-address end-ip-address {netmask netmask | prefix-length prefix-length}
4. Enable dynamic translation of inside source addresses. Specify the overload option for NAPT
   translations. Optionally specify an outside interface VLAN.
   ip nat inside source [list access-list] pool pool-name [overload | interface vlan vlan-id [overload]]
6. Clear a specific active simple NAT translation.
   clear ip nat translation inside global-ip local-ip
7. Clear a specific dynamic NAT translation.
   clear ip nat translation {tcp | udp} inside global-ip global-port local-ip local-port
Note: For purposes of our examples we will not modify the maximum number of translation entries
or any NAT router limits. These parameters should only be modified to assure availability to
functionalities that share these resources such as TWCB and LSNAT. It is recommended that you
consult with Enterasys customer support before modifying these parameter values.
We will also assume that the FTP control port will use the default value.
[Figure: Static NAPT example. Server1 (200.1.1.50:80) on the external public network and Client2 (10.1.1.2:125) on the internal private network; Client2’s source is translated to 200.1.1.2:1025 and Server1’s replies to 200.1.1.2:1025 are delivered to 10.1.1.2:125.]
Finally, we enable Secure‐Plus on the NAT router to assure that inside addresses are not visible to
the public network.
[Figure: Example topology. The NAT router connects outside VLANs 100 and 200, toward Server1 (200.1.1.50 / 200.1.1.50:80) on the external public network, with inside VLANs 10 and 20 on the internal private network (Client1 10.1.1.1, Client3 10.1.1.3, Client4 10.1.1.4); Client1’s address is translated to a pool address, and Client3 and Client4 share 200.1.1.3 with a port per flow.]
To configure Client3 and Client4 for dynamic NAPT translation on the NAT router, we define
access‐list 2 to permit the local IP addresses 10.1.1.3 and 10.1.1.4. We then configure NAT pool
dynamicpool with a global range of 200.1.1.3 to 200.1.1.3. We then enable dynamic translation of
inside addresses for overload associating access‐list 2 with the NAT pool naptpool.
Finally, we enable Secure‐Plus on the NAT router to assure that inside addresses are not visible to
the public network.
Enable NAT outside interface:
Matrix->Router(config)#interface vlan 100
Matrix->Router(config-if(Vlan 100))#ip nat outside
Matrix->Router(config-if(Vlan 100))#exit
Matrix->Router(config)#interface vlan 200
Matrix->Router(config-if(Vlan 200))#ip nat outside
Matrix->Router(config-if(Vlan 200))#exit
Matrix->Router(config)#
Dynamic Address Binding: Provides a binding based upon an internal algorithm between an address from an access-list of local addresses to an address from a pool of global addresses for NAT and TCP/UDP port number translations for NAPT.
Force Flows (Secure-Plus): Forces all flows between the inside local pool and the outside global network to be translated.
Inside (private) address: An IP address internal to the network, only reachable by the external network by translation.
NAT Address Pool: A grouping of global addresses used by both NAT and NAPT dynamic address binding.
Network Address Port Translation (NAPT): Provides a mechanism to connect a realm with private addresses to an external realm with globally unique registered addresses by mapping many network addresses, along with their associated TCP/UDP ports, into a single network address and its associated TCP/UDP ports.
Network Address Translation (NAT): Provides a mechanism to connect an internal realm with private addresses to an external realm with globally unique registered addresses by mapping IP addresses from one group to another, transparent to the end user.
Outside (public) address: A registered global IP address external to the private network that the inside address is translated to.
Secure-Plus (Force Flows): Assures that all flows between inside local addresses and outside NAT enabled interfaces are translated.
Static Address Binding: Provides a one-to-one binding between local addresses to global addresses for NAT and TCP/UDP port number translations for NAPT.
02/12/2009 In ip nat inside source context made clear that VLAN option was for an outside VLAN.
04/16/2009 Input an advanced routing license notice that includes the 256 MB requirement on all modules
statement.
Enterasys Networks reserves the right to make changes in specifications and other information contained in this
document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to
determine whether any such changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL,
OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS)
ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN
THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN
OF, THE POSSIBILITY OF SUCH DAMAGES.
ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, and any logos associated therewith, are
trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a
complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective
companies.