ServerIron ADX Security Guide 105
53-1002440-03
Stateless static IP NAT 4
The finrst-timeout keyword identifies TCP FIN (finish) and RST (reset) packets, which normally
terminate TCP connections. The default is 120 seconds. This timer is not related to tcp-timeout,
which applies to packets to or from a host address that is mapped to an global IP address and a
TCP port number (PAT feature). The finrst-timeout applies to packets that terminate a TCP session,
regardless of the host address or whether PAT is used.
The icmp-timeout keyword indicates timeout for NAT ICMP flows
The syn-timeout keyword indicates timeout for NAT TCP flows after a SYN
The tcp-timeout keyword indicates dynamic entries that use PAT based on TCP port numbers. The
default is 120 seconds. This timer applies only to TCP sessions that do not end “gracefully”, with a
TCP FIN or TCP RST.
The udp-timeout keyword indicates dynamic entries that use PAT based on UDP port numbers. The
default is 120 seconds.
The <secs> parameter specifies number of seconds, 0– 3600. Use maximum to set the maximum
timeout value. For example, 3,600 seconds.
The max-entries <number-of-entries> parameter specifies the maximum number of NAT entries
Stateless static IP NAT
A ServerIron ADX creates sessions for Static NAT by default. You can prevent a ServerIron ADX from
creating sessions for static NAT traffic with the following command.
ServerIronADX(config)# [no] ip nat stateless
Syntax: ip nat stateless
For “ip nat stateless“ to work, the existing command, “ip nat inside source static” must already be
configured.
Example
ip nat inside source static 10.45.16.103 10.45.16.10
NOTE
FTP, RTSP and other similar complex protocols are not supported. The traffic applicable for IP NAT
Stateless are TCP, UDP, and ICMP.
NOTE
You must reload a ServerIron ADX whenever changes are made to a running IP NAT configuration.
Redundancy
The IP NAT Redundancy feature implements a separate protocol to negotiate IP address ownership
of NAT IP addresses.