Foundry Networks AR3201-CL, AR3202-CL, AR1204, AR1216, AR1208 Packet Reassembly, NAT Configurations

Security Features

Foundry# config term

Foundry/configure# firewall global

Foundry/configure/firewall global# dos-protect

Foundry/configure/firewall global/dos-protect# enable-all

Foundry/configure/firewall global/dos-protect# exit 2

Foundry/configure#

Packet Reassembly

To configure the firewall to perform IP reassembly of oversized packets that have been fragmented, enter:

Foundry# config term Foundry/configure# firewall global Foundry/configure/firewall global# ip-reassembly Foundry/configure/firewall global/ip-reassembly# fragment-count 100

Foundry/configure/firewall global/ip-reassembly# fragment-size 56 Foundry/configure/firewall global/ip-reassembly# packet-size 2048 Foundry/configure/firewall global/ip-reassembly# timeout 20 Foundry/configure/firewall global/ip-reassembly# exit 2 Foundry/configure#

NAT Configurations

Network Address Translation (NAT) was defined to serve two purposes:

•Allowed LAN administrators to create secure, private, non-routable IP networks behind firewalls

•Stretched the number of available IP addresses by allowing LANs to use one public (real) IP address as the gateway with a very large pool of NAT addresses behind it.

In the most common NAT application (which is to provide secure networking behind a firewall), the device (Foundry system) that connects the user LAN to the Internet will have two IP addresses:

•A private IP address on the LAN side for the RFC 1918 address range

•A public address, routable over the Internet, on the WAN side

Consider a PC on the LAN sending a packet destined for some.server.com. The source IP address and port are in the packet together with the destination IP address and port. When the packet arrives at the Foundry system it will be de-encapsulated, modified, and re-encapsulated. The re-encapsulated packet sent by the Foundry system destined for the Internet contains the Foundry system’s public IP address, a source port allocated from its list of available ports, and the same destination IP address and port number generated by the PC. The Foundry system also adds an entry into a table it keeps, which maps the internal address and source port number that the PC generated against the port number it allocated to this session. Therefore, when some.server.com sends a reply packet to the PC, the Foundry system can quickly determine how it needs to re-write the packet before transmitting it back on to the LAN.

Dynamic NAT is used when packets destined for the Internet are transported from a LAN using the public source IP address assigned to the local router. Dynamic NAT performs this task well, but it does not permit providing services to the Internet from inside a LAN which requires the use of static NAT. Static NAT also requires a public address from the upstream service provider. Individual PCs within a LAN are assigned RFC 1918 reserved IP addresses to enable access to other PCs within the LAN. The Foundry system is configured with static mapping, which maps the internal RFC 1918 IP addresses for each PC to the appropriate public IP address. When traffic is sent to the public address listed in the static mapping, the Foundry system forwards the packets to the correct PC within the LAN, according to the mapping relationship established.