Black Box LR11xx Series Router Configurations Guide

10.2.2 Packet Reassembly

To configure the firewall to perform IP reassembly of oversized packets that have been fragmented, enter:

Blackbox> config term Blackbox/configure> firewall global Blackbox/configure/firewall global> ip-reassembly Blackbox/configure/firewall global/ip-reassembly> fragment-count 100

Blackbox/configure/firewall global/ip-reassembly> fragment-size 56

Blackbox/configure/firewall global/ip-reassembly> packet-size 2048

Blackbox/configure/firewall global/ip-reassembly> timeout 20

10.3 NAT Configurations

Network Address Translation (NAT) was defined to serve two purposes:

„

„

Allowed LAN administrators to create secure, private, non-routable IP networks behind firewalls

Stretched the number of available IP addresses by allowing LANs to use one public (real) IP address as the gateway with a very large pool of NAT addresses behind it.

In the most common NAT application (which is to provide secure networking behind a firewall), the device (Black Box system) that connects the user LAN to the Internet will have two IP addresses:

„

„

A private IP address on the LAN side for the RFC 1918 address range

A public address, routable over the Internet, on the WAN side

Consider a PC on the LAN sending a packet destined for some.server.com. The source IP address and port are in the packet together with the destination IP address and port. When the packet arrives at the Black Box system it will be de-encapsulated, modified, and re-encapsulated. The re-encapsulated packet sent by the Black Box system destined for the Internet contains the Black Box system’s public IP address, a source port allocated from its list of available ports, and the same destination IP address and port number generated by the PC. The Black Box system also adds an entry into a table it keeps, which maps the internal address and source port number that the PC generated against the port number it allocated to this session. Therefore, when some.server.com sends a reply packet to the PC, the Black Box system can quickly determine how it needs to re-write the packet before transmitting it back on to the LAN.

Dynamic NAT is used when packets destined for the Internet are transported from a LAN using the public source IP address assigned to the local router. Dynamic NAT performs this task well, but it does not permit providing services to the Internet from inside a LAN which requires the use of static NAT. Static NAT also requires a public address from the upstream service provider. Individual PCs within a LAN are assigned RFC 1918 reserved IP addresses to enable access to other PCs within the LAN. The Black Box system is configured with static mapping, which maps the internal RFC 1918 IP addresses for each PC to the appropriate public IP address. When traffic is sent to the public address listed in the static mapping, the Black Box system forwards the packets to the correct PC within the LAN, according to the mapping relationship established.

10.4 NAT Configuration Examples

74

Page 71 Page 73
Page 72
Image 72
Black Box LR1112A-T1/E1, LR1114A-T1/E1, LR1104A-T1/E1 NAT Configurations, NAT Configuration Examples, Packet Reassembly
Page 71 Page 73
Top Page Image Contents