Enterasys Networks DFE-Gold Series Network Address Translation (NAT) Configuration

Enterasys Matrix DFE-Gold Series Configuration Guide 18-1

Network Address Translation (NAT) Configuration

ThischapterdescribestheNetworkAddressTranslation(NAT)configurationsetofcommands

andhowtousethem.

TheEnterasysNetworkAddressTranslation(NAT)implementationsupportsBasicNATand

NetworkAddressPortTranslation(NAPT).Inaddition,thefollowingfeaturesarealsosupported:

•StaticandDynamicNATPoolBinding

•FTP,DNS,TELNET,SSH,TFTP,HTTP,NTP(NetworkTimeProtocol),andICMP(withfive

differenterrormessages)softwarepathNATtranslation

•ForceFlows(SecurePlus)

BothbasicNATandNAPTarereferredtoastraditionalNATandprovideamechanismtoconnect

arealmwithprivateaddressestoanexternalrealmwithgloballyuniqueregisteredaddresses.

BasicNATisamethodbywhichIPaddressesaremappedfromonegrouptoanother,transparent

totheenduser.NAPTisamethodbywhichmanynetworkaddresses,alongwiththeirassociated

TCP/UDPports,aretranslatedintoasinglenetworkaddressanditsassociatedTCP/UDPports.

ThestaticaddressbindingfeatureisdesignedforboththebasicNATandNAPTimplementations

tosupportstaticandnoexpirebinding,betweeninsideandoutsideNATaddresstranslation.It

supportsone‐to‐onebinding,localaddressestoglobaladdresses,andTCP/UDPportnumber

translations.

ThedynamicaddressbindingfeatureisdesignedforboththebasicNATandNAPT

implementationstosupportdynamicbindingbetweenanaddressfromanaccess‐listoflocal

addressestoanaddressfromapoolofglobaladdresses.IPaddressesdefinedfordynamic

bindingarereassignedwhenevertheybecomeavailablefromtheglobaladdresspool.NAPT

allowsportaddresstranslationforeachIPaddressintheglobalpool.Theportsaredynamically

assignedbetweenarangeof1024to4999.

Itissometimespossibleforahostontheoutsideglobalnetworkthatknowsaninsidelocal

address,tobeabletosendamessagedirectlytotheinsidelocaladdresswithoutNATtranslation.

Theforceflowsfeature,setusingthecommandipnatsecure‐plusonpage 18‐7,isdesignedtoforce

allflowsbetweentheinsidelocalpoolandtheoutsideglobalnetworktobetranslated.

Router: Unless otherwise noted, the commands covered in this chapter can be executed only

when the device is in router mode. For details on how to enable router configuration modes, refer to

“Enabling Router Configuration Modes” on page 2-103.

Note: An Enterasys Feature Guide document that contains a complete discussion on NAT

configuration exists at the following Enterasys web site: http://www.enterasys.com/support/

manuals/