NAT Configuration

Public interfaces

The first step of NAT configuration is to specify the interface(s) connected to the public network (the public interface(s)). When there are several public interfaces, classical IP routing selects the outgoing interface. For each public interface, NAT processing is governed by dynamic and static translation rules, which make it possible to translate specific flows and/or to let others pass untouched.

The overall NAT configuration is therefore defined on a per-interface basis.

The parameters associated with a specific public interface are configured in the corresponding sub-context. To enter a public interface sub-context, use the command below:

router{conf:myconfig-nat}public interface INTERFACE
INTERFACE
Name of one of the Turbo IPsec interfaces.

Example

router{conf:myconfig-nat}public interface eth2_0
router{conf:myconfig-nat-eth2_0}

Activating NAT

NAT activation/deactivation is done within a public interface sub-context, using the following commands:

router{conf:myconfig-nat-eth2_0}nat enable
router{conf:myconfig-nat-eth2_0}nat disable

Dynamic NAT

Dynamic mode is the minimal NAT configuration. In this mode, translation state is created only for traffic initiated from the private side of the network; flows initiated from the public side are not translated.

When NAT is enabled without any specific rule, a default translation rule applies: all traffic that goes out through the public interface is translated, using the interface's primary address as source address.

It is however possible to define more precise and selective sets of translation rules, using the following command within a public interface sub-context:

router{conf:myconfig-nat-eth2_0}dynamic ID A.B.C.D|A.B.C.D/M [protocol PROTOCOL] passthrough|(to X.Y.Z.T|primary-address|A.B.C.D-E.F.G.H) [port-range PORT1 PORT2]

The first part selects the traffic, based on the private (source) address and the protocol:

ID
A rule number between 1 and 4096; the rules are checked in ascending order and the first matching rule is applied.
A.B.C.D
A single IPv4 address.
A.B.C.D/M
An IPv4 prefix.
protocol PROTOCOL
Specify the protocol (next header) field of the IPv4 header; either a numerical value between 1 and 255, or a well-known name such as udp, tcp, esp, ah, etc.

The second part defines the action to perform:

passthrough
Lets the traffic go out untouched;
to X.Y.Z.T
Perform translation, using X.Y.Z.T as IPv4 source address;
to primary-address
Perform translation, using the primary IPv4 address of the public interface as source address; this address does not need to be known in advance and can appear dynamically later;
to A.B.C.D-E.F.G.H
Perform translation, picking the IPv4 source address from the specified pool;
port-range PORT1 PORT2
Specify a range of source ports to use, instead of the default source port selection heuristics. PORT1 and PORT2 are values between 0 and 65535.

Examples

router{conf:myconfig-nat}public interface eth2_0
router{conf:myconfig-nat-eth2_0}dynamic 10 192.168.1.0/24 protocol esp passthrough
router{conf:myconfig-nat-eth2_0}dynamic 20 192.168.2.0/24 to 10.1.2.3
router{conf:myconfig-nat-eth2_0}dynamic 30 0.0.0.0/0 to 10.1.2.4 port-range 10000 20000

To remove a translation rule, use the following command:

router{conf:myconfig-nat-eth2_0}delete dynamic ID|all
all
Stands for ALL translation rules.
ID
A rule number between 1 and 4096.

Caution

As soon as one dynamic rule is defined, the default translation rule described above no longer applies: packets that match no rule leave the public interface untouched, that is, with their private source address. Besides leaking private addresses to the public network, such packets get no usable replies. It is therefore recommended to configure an explicit catch-all rule with the highest rule number, matching any packet (prefix 0.0.0.0/0) and translating to the primary address or to a chosen pool.
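The following transcript is an added example, not taken from the original page, that shows the trap in practice using the interface and addresses of the examples above. After rules 10 and 20 alone, a host in 192.168.3.0/24 (an assumed third private subnet, not mentioned elsewhere on this page) matches nothing and would leave eth2_0 with its private source address; the catch-all rule 4096 closes that gap.

```text
router{conf:myconfig-nat}public interface eth2_0
router{conf:myconfig-nat-eth2_0}nat enable
router{conf:myconfig-nat-eth2_0}dynamic 10 192.168.1.0/24 protocol esp passthrough
router{conf:myconfig-nat-eth2_0}dynamic 20 192.168.2.0/24 to 10.1.2.3
router{conf:myconfig-nat-eth2_0}dynamic 4096 0.0.0.0/0 to primary-address
```

Rule numbers are the only ordering: evaluation is in ascending order and the first match wins, so the ESP passthrough (rule 10) must carry a lower number than any rule covering the same source prefix, otherwise those ESP packets would be address-translated by that rule. Conversely, the catch-all sits at 4096, the highest allowed number, so that no rule added later can sort after it and escape translation.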

Static NAT

Once dynamic NAT is configured, several static translation rules can be added for a specific public interface.

For every outgoing packet on the public interface, if the IPv4 source address (and/or port) matches the private part of a static translation rule, then it is translated using the public part (IPv4 address and/or port).

For every incoming packet on the public interface, if the IPv4 destination address (and/or port) matches the public part of a static translation rule, then it is translated using the private part (IPv4 address and/or port).

To configure static translation rules, use the following command within a public interface sub-context:

router{conf:myconfig-nat-eth2_0}static ID [protocol PROTOCOL]
[(public (A.B.C.D[:PORT])|:PORT)] passthrough|(private E.F.G.H[:PORT])
ID
A rule number between 1 and 4096; the rules are checked in ascending order and the first matching rule is applied.
protocol PROTOCOL
Protocol definition. It can be either a numerical value between 1 and 255, or a well-known protocol name such as udp, tcp, esp, ah, etc. This argument is optional, unless a port is specified in the public part of the static association.
public (A.B.C.D[:PORT])|:PORT

Specify the public part of the static association. This part may be omitted if the passthrough argument is specified.

A.B.C.D specifies the IPv4 address that should match the packet’s local public address (which ‘belongs’ to the NAT box). If not specified, the primary address of the public interface is used.

PORT specifies the TCP or UDP port of the packet. If specified, then PROTOCOL must be specified and set to udp or tcp.

passthrough
Let packets matching the public and/or protocol parts of the rule pass untouched.
private E.F.G.H[:PORT]

Specify the IPv4 address that should match the packet’s local private address (which ‘belongs’ to the host in private LAN).

PORT is an optional argument specifying the TCP or UDP port of the packet. If specified, then PROTOCOL must be specified and set to udp or tcp.

Example

In the following example, every packet received on the public interface of the NAT box with destination address 212.234.238.114 has its destination rewritten to the private host 10.0.0.2, and every packet from 10.0.0.2 leaving through the public interface gets 212.234.238.114 as source address. This enables both incoming and outgoing connections between the private host 10.0.0.2 and any public host. Note that such a 1:1 rule, carrying neither protocol nor port, forwards every protocol and every port to the private host.

Every TCP packet received from outside for 10.1.2.3 port 80 (HTTP) is translated to the private address 192.168.2.254 port 8080 (internal HTTP). This enables any public host to initiate an HTTP session with the private host 192.168.2.254, via the public address 10.1.2.3 of the NAT box.

router{conf:myconfig-nat}public interface eth2_0
router{conf:myconfig-nat-eth2_0}static 100 public 212.234.238.114 private 10.0.0.2
router{conf:myconfig-nat-eth2_0}static 200 protocol tcp public 10.1.2.3:80 private 192.168.2.254:8080

Removing a static translation rule is done using the following command:

router{conf:myconfig-nat-eth2_0}delete static ID|all
all
Stands for ALL static translation rules.
ID
A rule number between 1 and 4096.

NAT timeouts

Different translation timeouts can be applied to the NAT for UDP, TCP and ICMP protocols.

To change the translation timeout for UDP, use the following command from the NAT root context:

router{conf:myconfig-nat}nat udp timeout mapping|stream <1,2^32>|default
mapping
Timeout for UDP mappings that have not yet seen a reply (unreplied packets).
stream
Timeout for UDP streams seen in both directions (assured streams).
default
30 seconds for mapping and 180 seconds for stream.

To change the translation timeout for TCP, use the following command from the NAT root context:

router{conf:myconfig-nat}nat tcp timeout TCP-STATE <1,2^32>|default

TCP-STATE can be one of the following (default timeout in parentheses):

max-retrans
For maximum retransmission timeout (default 300 seconds)
close
For close state timeout (default 10 seconds)
time-wait
For time-wait state timeout (default 120 seconds)
last-ack
For last-ack state timeout (default 30 seconds)
close-wait
For close-wait state timeout (default 60 seconds)
fin-wait
For fin-wait state timeout (default 120 seconds)
established
For established state timeout (default 432000 seconds, i.e. 5 days)
syn-recv
For syn-recv state timeout (default 60 seconds)
syn-sent
For syn-sent state timeout (default 120 seconds)

To change the translation timeout for ICMP query sessions, use the following command from the NAT root context:

router{conf:myconfig-nat}nat icmp timeout query-session <1,2^32>|default
default
30 seconds.
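The following transcript puts the static rules and the timeouts together. It is an added example, not configuration from the original page: eth2_0 is assumed to carry the primary address 203.0.113.1 (a documentation-range address), the NAT box itself is assumed to terminate IPsec on that address, and the private hosts 10.0.0.10 and 10.0.0.2 as well as the timeout values are assumptions. The dynamic side is left at its default (no dynamic rule, so everything leaving eth2_0 is translated to the primary address).

```text
router{conf:myconfig-nat}nat tcp timeout established 7200
router{conf:myconfig-nat}nat udp timeout stream 60
router{conf:myconfig-nat}public interface eth2_0
router{conf:myconfig-nat-eth2_0}nat enable
router{conf:myconfig-nat-eth2_0}static 10 protocol udp public :500 passthrough
router{conf:myconfig-nat-eth2_0}static 20 protocol udp public :4500 passthrough
router{conf:myconfig-nat-eth2_0}static 30 protocol esp passthrough
router{conf:myconfig-nat-eth2_0}static 100 protocol tcp public :443 private 10.0.0.10:8443
router{conf:myconfig-nat-eth2_0}static 200 public 203.0.113.1 private 10.0.0.2
```

Ordering is what keeps this safe. Rule 200 is a 1:1 mapping of the box's own public address and, on its own, would hand every incoming packet for 203.0.113.1 to 10.0.0.2, including the IKE (UDP 500 and 4500) and ESP traffic meant for the gateway itself. Rules 10 to 30, matched first, keep that traffic local (the public address is omitted in them, so the primary address is used), and rule 100 publishes only TCP 443 to the internal service on 10.0.0.10:8443. The two timeout commands, issued in the NAT root context before entering the interface sub-context, shorten how long an idle established TCP mapping (default 432000 seconds, five days) and an idle UDP stream (default 180 seconds) stay in the translation table, which bounds how much state abandoned or deliberately stalled connections can pin; choose values that suit the applications behind the NAT.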