Date post: 20-Jun-2018
Page 1: Hyper-NAT Configuration Guidecondel.cc/.../dokumendid/Thomson/ConfigGuide_HyperNAT.pdfContents E-DOC-CTC-20051017-0166 v1.0 i Contents About this Hyper-NAT Configuration Guide 1 1

SpeedTouch™ DSL Gateways and Routers

Hyper-NAT Configuration Guide

Release R5.4 and higher


Copyright

Copyright ©1999-2006 THOMSON. All rights reserved.

Distribution and copying of this document, use and communication of its contents is not permitted without written authorization from THOMSON. The content of this document is furnished for informational use only, may be subject to change without notice, and should not be construed as a commitment by THOMSON. THOMSON assumes no responsibility or liability for any errors or inaccuracies that may appear in this document.

Thomson Telecom Belgium
Prins Boudewijnlaan, 47
B-2650 Edegem
Belgium

www.speedtouch.com

Trademarks

The following trademarks are used in this document:

SpeedTouch™ is a trademark of THOMSON.

DECT is a trademark of ETSI.

Bluetooth® word mark and logos are owned by the Bluetooth SIG, Inc.

Ethernet™ is a trademark of Xerox Corporation.

Wi-Fi® and the Wi-Fi logo are registered trademarks of the Wi-Fi Alliance. "Wi-Fi CERTIFIED", "Wi-Fi ZONE", "Wi-Fi Alliance", their respective logos and "Wi-Fi Protected Access" are trademarks of the Wi-Fi Alliance.

UPnP™ is a certification mark of the UPnP™ Implementers Corporation.

Microsoft®, MS-DOS®, Windows® and Windows NT® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Apple® and Mac OS® are registered trademarks of Apple Computer, Incorporated, registered in the United States and other countries.

UNIX® is a registered trademark of UNIX System Laboratories, Incorporated.

Adobe®, the Adobe logo, Acrobat and Acrobat Reader are trademarks or registered trademarks of Adobe Systems, Incorporated, registered in the United States and/or other countries.

Netscape® and Netscape Navigator® are registered trademarks of Netscape Communications Corporation.

Other brands and product names may be trademarks or registered trademarks of their respective holders.

Document Information

Status: v1.0 (April 2006)
Reference: E-DOC-CTC-20051017-0166
Short Title: Config Guide: Hyper-NAT - R5.4 and higher

Contents

About this Hyper-NAT Configuration Guide

1 Introduction
1.1 The need for address translation
1.2 What is address translation

2 Network Address Translation methods

3 Dynamic and static address translation

4 Address translation techniques
4.1 Traditional, unidirectional or outbound address translation
4.1.1 Basic NAT
4.1.2 Network Address Port Translation (NAPT)
4.2 Two-Way, bidirectional or inbound NAT
4.3 N-N NAT or Multi-NAT
4.4 X-Y NAT
4.5 Transparent NAT
4.6 Port range shifting
4.7 Translation templates

5 Application Level Gateways
5.1 Application Level Gateways in general
5.2 Application Level Gateways in the SpeedTouch™
5.3 NAT Applications Compatibility
5.3.1 Traditional protocols deployed across the NAT module
5.3.2 Most common application (client and server) behind the SpeedTouch™ NAT module
5.3.3 Most common games or game servers behind the SpeedTouch™ NAT module
5.3.4 VPN pass-through support across the SpeedTouch™ NAT module
5.3.5 IPv6 nodes isolated behind the SpeedTouch™ NAT device
5.3.6 SIP User Agents behind the SpeedTouch™ NAT device

6 Network address translation configuration on the SpeedTouch™
6.1 Configuring address translation on the Web pages
6.1.1 Configuring Hyper-NAT using the Web pages
6.1.2 Enabling/disabling address translation on an interface
6.1.3 Creating an address translation mapping
6.1.4 Creating a template
6.2 Configuring address translation on the CLI
6.3 Configuring Hyper-NAT mappings
6.3.1 Basic NAT
6.3.2 Two-Way NAT
6.3.3 N-N NAT
6.3.4 X-Y NAT
6.3.5 Transparent NAT
6.4 Configure NAPT maps
6.4.1 Basic NAPT
6.4.2 NAPT using default server
6.4.3 NAPT using transparent default server and port range constraint
6.4.4 NAPT using dynamic port range constraint
6.5 Configure inbound port shifting
6.6 Configure templates
6.6.1 X+n templates

About this Hyper-NAT Configuration Guide

Used Symbols

The following symbols are used in this Configuration Guide:

A note provides additional information about a topic.

A tip provides an alternative method or shortcut to perform an action.

! A caution warns you about potential problems or specific precautions that need to be taken.

Typographical Conventions

The following typographical conventions are used throughout this manual:

Sample text indicates a hyperlink to a Web site.

Example: For more information, visit us at www.speedtouch.com.

Sample text indicates an internal cross-reference.

Example: If you want to know more about guide, see “1 Introduction” on page 7.

Sample text indicates an important content-related word.

Example: To enter the network, you must authenticate yourself.

Sample text indicates a GUI element (commands on menus and buttons, dialog box elements, file names, paths and folders).

Example: On the File menu, click Open to open a file.

Sample text indicates a CLI command to be input after the CLI prompt.

Example: To obtain a list of all available command groups, type help at the top level.

Sample text indicates input in the CLI interface.

Sample text indicates comment explaining output in the CLI interface.

Example (the parts are labelled Input, Output and Comments in the original):

=> language list
CODE LANGUAGE VERSION FILENAME
en*  english  4.2.0.1 <system>
Only one language is available

Documentation and software updates

THOMSON continuously develops new solutions, but is also committed to improve its existing products.

For suggestions regarding this document, please contact [email protected].

For more information on THOMSON's latest technological innovations, documents and software releases, visit us at www.speedtouch.com.

1 Introduction

Introduction

Internet technology is based on the IP protocol and in order to communicate via IP, each device participating in the communication must have a unique IP address. This causes a problem since the Internet is expanding at an exponential rate, resulting in a depletion of available IP addresses. Address translation is a method for connecting multiple computers to the Internet (or any other IP network) sharing one public IP address. This allows home users and small businesses to connect their network to the Internet cheaply and efficiently.

The increasing use of address translation is caused by:

A worldwide shortage of IP addresses

Security needs

Ease and flexibility of network administration


1.1 The need for address translation

Available IP addresses

Although the number of available addresses seems large, the Internet is growing at such a pace that they will soon be exhausted. The next generation IP protocol, IPv6, offers a multiple of the available addresses. However, it will take several years before the existing network infrastructure is fully migrated to the new protocol.

Address translation allows a single device, such as the SpeedTouch™, to act as an agent between the Internet (or public network) and a local (or private) network. This means that only one, unique IP address is required to represent an entire group of computers. The outside world is unaware of the internal division and thinks that only one computer is connected.

Security

Many people view the Internet as a "one-way street"; they forget that while their computer is connected to the Internet, the Internet is also connected to their computer. That means that anybody with Internet access can potentially access resources on their computers (such as files, e-mail, company network, etc.). Most personal computer operating systems are not designed with security in mind, leaving them wide open to attacks from the Internet.

The security implications can be disastrous. Confidential company information such as product plans or marketing strategies can be stolen, which can lead to major financial losses or even cause the company to fold.

Implementing address translation automatically provides firewall-style protection between your private network and public networks (the Internet or other public networks). Address translation only allows connections that originate from inside the private network. Basically, this means that a computer on a public network cannot connect to your computer unless your computer has initiated the contact. You can browse the Internet and connect to a site, and even download a file; but somebody else cannot latch onto your IP address and use it to connect to a port on your computer.

In specific circumstances (static address translation) devices from public networks are allowed to initiate connections to computers on the private network. This is only done when specifically granted by the local network after appropriate configuration.

Administration

A real benefit of address translation is apparent in network administration. For example, it is possible to move a Web server or FTP server to another host without having to worry about broken links. Simply change the inbound mapping at the Internet Gateway to reflect the new host location. Changes in the private network are also easily made, because the only public IP address either belongs to the Internet Gateway or comes from a pool of global addresses.

! The device performing address translation should be secure/protected.


1.2 What is address translation

Introduction

Using address translation, the IP and/or TCP/UDP port identifications can change while traversing the network.

IP address translation

Most private networks use internal IP addresses, meaning that their hosts are not known (and as such cannot be routed) within the Internet (= public network). When such a host would like to enter the Internet, an IP identification that is allowed in the public network must be assigned.

To enter the Internet, the private network requires an exit point towards the public network (typically called a gateway) that will convert the IP address of the private network into a valid public IP address. The reverse procedure is followed when a packet is received from the public network.

A small pool of available public IP addresses on the WAN interface of the SpeedTouch™ will be sufficient, because:

Address translation is only performed on-demand.

Not all private hosts need access to the public network at the same time.

As a result, fewer IP addresses are required.

TCP/UDP port translation

Port translation is commonly used in conjunction with IP address translation; not only the IP address is changed, but also the port number.

The main advantage of this way of working is that the same public IP address can be assigned to two different private LAN nodes, each using a different port number, which in fact boils down to IP address multiplexing.

As several nodes can use the same IP address, considerably fewer public IP addresses are needed.


2 Network Address Translation methods

Introduction

Three methods of address translation exist, namely:

Network Address Translation (NAT): a private IP address X is translated into a public IP address Y.

Port Address Translation (PAT): a UDP/TCP port number X is translated into a port number Y.

Network Address and Port Translation (NAPT): both the private IP address and port number are translated.

NAT

When NAT is enabled, a private IP address is changed into a temporary public IP address. The NAT translation method is often used for dial-up or on-demand connections in which remote connections go up and down frequently.

When a connection is made, a public IP address is assigned. Once the user disconnects, the public IP address is released and becomes available for use again.

Figure 1: NAT example (HTTP to 30.0.0.1)

As illustrated above, the SpeedTouch™ NAT module has an internally configured mapping from the private IP address to a public one and vice versa. It is transparent for NAT whether this table information is persistent or not.

Importantly, 30.0.0.1 believes it receives a message from 20.0.0.1 instead of 192.168.0.1. So, applying NAT hides the original source.

PAT

PAT only changes the port number (TCP or UDP) of the packet. In most cases PAT is used in combination with NAT. When NAT and PAT are used together, this is called NAPT.

A common practice is that for outgoing packets the source port number is changed and for incoming packets it will be the destination port.

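Figure 1 labels: private host 192.168.0.1; SpeedTouch with private address 192.168.0.254 and public address 20.0.0.1; public host 30.0.0.1.
Outbound packet: Src 192.168.0.1, Dst 30.0.0.1 on the private side; Src 20.0.0.1, Dst 30.0.0.1 on the public side.
Return packet: Src 30.0.0.1, Dst 20.0.0.1 on the public side; Src 30.0.0.1, Dst 192.168.0.1 on the private side.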


NAPT

Network Address & Port Translation (NAPT) is the most popular form of address translation. It is almost exclusively used by access devices designed to hide small-to-medium sized networks behind a single public IP address. NAPT works by translating the source IP address and the source port number on the public interface.

Figure 2: NAPT example (HTTP to 30.0.0.1)

When an HTTP session is initiated that has to pass the NAPT-enabled module, both the source IP address and source port number are translated for outgoing packets. For incoming packets (belonging to the outgoing connections), the destination IP address and port number are changed.

Figure 3: NAPT for multiple hosts (share the same IP address)

Suppose that two hosts want to share one common IP address. For outgoing traffic there will be no issue: both the IP addresses “192.168.0.1” and “192.168.0.2” are translated into this same IP address. But, as soon as packets come back (incoming), the NAPT module has to know to which of the two 192.168.0.x addresses the address translation needs to be performed.

This is where port translation comes into action: the destination port number in the incoming packet will be used as input to decide to which of the 192.168.0.x addresses to translate the address.

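Figure 2 labels: private host 192.168.0.1; SpeedTouch with private address 192.168.0.254 and public address 20.0.0.1; public host 30.0.0.1. Mapping: private 192.168.0.1/600, public 20.0.0.1/1025.
Outbound packet: Src 192.168.0.1/600, Dst 30.0.0.1/80 on the private side; Src 20.0.0.1/1025, Dst 30.0.0.1/80 on the public side.
Return packet: Src 30.0.0.1/80, Dst 20.0.0.1/1025 on the public side; Src 30.0.0.1/80, Dst 192.168.0.1/600 on the private side.

Figure 3 labels: private hosts 192.168.0.1 and 192.168.0.2; SpeedTouch with private address 192.168.0.254 and public address 20.0.0.1; public host 30.0.0.1. Private: 192.168.0.1/734, 192.168.0.2/521. Public: 20.0.0.1/403, 20.0.0.2/908.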


3 Dynamic and static address translation

Address translation per interface

When several public IP addresses are assigned to a network device that gives access to the public network, the routing logic of the network device will decide to which interface a packet coming from the private network needs to be sent. For each interface to the public network, it is possible to activate or deactivate address translation.

Figure 4: Address translation per interface

SpeedTouch™ address translation modes

In the SpeedTouch™, interfaces can be set to one of the following three modes:

Disabled: no address translation on the interface, the packet passes without address translation.

Enabled: address translation is enabled, but when no address translation map is defined, the packet is dropped.

Transparent: address translation is only performed when an address translation map is defined. When no address translation map is defined, the packet passes without address translation.

When a packet arrives at the Hyper-NAT module and an address translation map is found, the packet will be translated when the interface is in enabled or transparent mode. If no address translation map is found, the packet will be dropped in enabled mode but will be passed in transparent mode.


The Transparent mode has nothing to do with “4.5 Transparent NAT” on page 20, but with the behaviour of the interface.

An address translation map is used for mapping one or more private IP addresses into one or more public IP addresses on a specific interface.


Inbound/outbound connections

Depending on the direction of a connection to the Hyper-NAT module, two types of connections are defined:

Inbound connections: all connections arriving at the Hyper-NAT module interfaces.

Outbound connections: all connections leaving the Hyper-NAT module interfaces.

Figure 5: Inbound/outbound connections

Dynamic address translation

Outgoing connections typically use dynamic address translation. For example, a connection initiated from IP address X in the private network will be translated into public IP address Y on an enabled public interface. This mapping will be added dynamically in an internal table of the device and will exist only for the lifetime of that connection.

This also implies that, when resetting the device, this dynamic (non-persistent) table entry will be lost. Address translation must be enabled on a public interface to benefit from this dynamic translation.

Static address translation

Connections initiated from the public network (so called incoming connections) make use of static address mapping. An incoming initiator packet will need to pass the static address translation table before being forwarded to the private network. This information is non-volatile and needs to be configured in advance. Different configuration flavours exist to configure this static mapping (individual, template, default) and will be discussed further on in the document.

Figure 5 labels: two panels, each showing the SpeedTouch with a NAT-enabled interface between Network A and Network B, with the connections on either side labelled "Inbound connections" and "Outbound connections".


When using address translation

Address translation is used when:

Multiple private hosts access a public network through the same gateway (single public address on the gateway).

The inside address is not routable on the outside network.

The user wants to protect the inside address(es) from outside attacks.

The user wants to avoid network renumbering when changing service provider.

The user wants to make servers accessible from the outside network.


4 Address translation techniques

Introduction

Network Address Translation is a technique by which IP addresses are mapped from one address realm to another, providing transparent routing to end hosts.

Several techniques of network address translation transforms can be defined depending on the relationship between inside IP addresses and outside IP addresses.

Topic

4.1 Traditional, unidirectional or outbound address translation

4.2 Two-Way, bidirectional or inbound NAT

4.3 N-N NAT or Multi-NAT

4.4 X-Y NAT

4.5 Transparent NAT

4.6 Port range shifting

4.7 Translation templates


4.1 Traditional, unidirectional or outbound address translation

Introduction

Traditional NAT (also referred to as unidirectional or outbound address translation) is the most common technique of using address translation. Its primary use is to translate private addresses into legal addresses for use in a public network. When configured for dynamic operation, hosts within a private network can initiate access to the public network. Nodes on the outside network, however, will not be able to access the private network.

Two types of traditional NAT exist — basic NAT and NAPT.


4.1.1 Basic NAT

What is basic NAT

With Basic NAT, a block of public addresses is set aside for translating addresses of hosts in a private domain when they initiate sessions to the public domain.

Basic NAT only involves address translation; no port mapping is done. This requires an external IP address for each simultaneous connection.

Basic NAT example

In this example, host 192.168.0.1 sends a packet to the Web server 30.0.0.1. As soon as the packet is processed by the SpeedTouch™, its source IP address is translated into the outside IP address 20.0.0.1 and the packet is forwarded to the Web server.

Figure 6: Basic NAT example

! Basic NAT is the least secure translation technique. By not defining the translation to the port level, and accepting return information on any port, basic NAT can leave private hosts open to port access.

Figure 6 contents (private hosts 192.168.0.1 and 192.168.0.2; SpeedTouch with private address 192.168.0.254 and public address 20.0.0.1; public host 30.0.0.1):

Packets
Side      Src IP        Src port   Dest. IP      Dest. port
Private   192.168.0.1   5500       30.0.0.1      80
Public    20.0.0.1      5500       30.0.0.1      80
Public    30.0.0.1      80         20.0.0.1      5500
Private   30.0.0.1      80         192.168.0.1   5500

NAT Module Internal Mappings
Inside IP     Outside IP   Dest. IP
192.168.0.1   20.0.0.1     30.0.0.1
192.168.0.2   20.0.0.2     30.0.0.2


4.1.2 Network Address Port Translation (NAPT)

What is NAPT

NAPT extends the notion of translation one step further by also translating the transport identifier (for example TCP and UDP port numbers, ICMP query identifiers). NAPT allows a set of hosts to share one single public address.

NAPT example

In this example, host 192.168.0.1 and 192.168.0.2 both send a packet to the Web server 30.0.0.1. The SpeedTouch™ translates the inside IP addresses into the outside IP address 20.0.0.1.

For returning packets, the SpeedTouch™ needs to know to which 192.168.0.x address the translation must be performed; that is why the SpeedTouch™ also translates the source port numbers.
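The NAPT behaviour described above, combined with the interface modes and the dynamic and static entries from chapter 3, as an added Python model that is not SpeedTouch code. The class and function names, the sequential port allocation starting at 1025, the check of the remote endpoint on replies, the host 30.0.0.9 and the static entry on port 8080 are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptInterface:
    """Toy model of one public interface: mode, NAPT map, dynamic and static tables."""

    MODES = ("disabled", "enabled", "transparent")

    def __init__(self, public_ip, mode, inside_net=None, first_port=1025):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode: {mode}")
        self.public_ip = public_ip
        self.mode = mode
        # The "address translation map": inside range translated to public_ip.
        self.inside_net = ip_network(inside_net) if inside_net else None
        self.next_port = first_port  # sequential allocation is an assumption
        self.dynamic = {}  # public port -> (inside ip, inside port, remote ip, remote port)
        self.static = {}   # public port -> (inside ip, inside port), configured in advance

    def add_static(self, public_port, inside_ip, inside_port):
        self.static[public_port] = (inside_ip, inside_port)

    def _no_map(self, pkt):
        # No map found: transparent passes the packet untranslated, enabled drops it.
        return pkt if self.mode == "transparent" else None

    def outbound(self, pkt):
        if self.mode == "disabled":
            return pkt
        if self.inside_net is None or ip_address(pkt.src_ip) not in self.inside_net:
            return self._no_map(pkt)
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = next((p for p, f in self.dynamic.items() if f == flow), None)
        if port is None:
            port = self.next_port
            while port in self.dynamic or port in self.static:
                port += 1
            if port > 65535:
                raise RuntimeError("public port range exhausted")
            self.next_port = port + 1
            self.dynamic[port] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        if self.mode == "disabled":
            return pkt
        if pkt.dst_ip == self.public_ip:
            flow = self.dynamic.get(pkt.dst_port)
            # Reply traffic: the destination port selects the inside host; this
            # model also requires the remote endpoint to match the recorded one.
            if flow and flow[2:] == (pkt.src_ip, pkt.src_port):
                return replace(pkt, dst_ip=flow[0], dst_port=flow[1])
            if pkt.dst_port in self.static:
                inside_ip, inside_port = self.static[pkt.dst_port]
                return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)
        return self._no_map(pkt)

    def close(self, public_port):
        # Dynamic entries live only as long as the connection.
        self.dynamic.pop(public_port, None)


def demo(mode="enabled"):
    nat = NaptInterface("20.0.0.1", mode, inside_net="192.168.0.0/24")
    out1 = nat.outbound(Packet("192.168.0.1", 5500, "30.0.0.1", 80))
    out2 = nat.outbound(Packet("192.168.0.2", 5500, "30.0.0.1", 80))
    reply2 = nat.inbound(Packet("30.0.0.1", 80, "20.0.0.1", out2.src_port))
    # Constructed unsolicited packet: no dynamic or static entry for port 23.
    unsolicited = nat.inbound(Packet("30.0.0.9", 4444, "20.0.0.1", 23))
    nat.add_static(8080, "192.168.0.1", 80)  # constructed static inbound map
    served = nat.inbound(Packet("30.0.0.9", 4444, "20.0.0.1", 8080))
    nat.close(out2.src_port)
    stale = nat.inbound(Packet("30.0.0.1", 80, "20.0.0.1", out2.src_port))
    return out1, out2, reply2, unsolicited, served, stale


if __name__ == "__main__":
    for label, result in zip(
        ("out1", "out2", "reply2", "unsolicited", "served", "stale"), demo()
    ):
        print(f"{label:12} {result}")
```

Calling demo("transparent") shows the difference that matters for exposure: the unsolicited packet and the reply to the closed connection are passed on untranslated instead of being dropped.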

NAPT can be combined with Basic NAT so that a pool of public addresses is used in conjunction with port translation.

Figure 7: NAPT example

Figure 7 contents (private hosts 192.168.0.1 and 192.168.0.2; SpeedTouch with private address 192.168.0.254 and public address 20.0.0.1; public host 30.0.0.1):

Packets
Side      Src IP        Src port   Dest. IP   Dest. port
Private   192.168.0.1   5500       30.0.0.1   80
Private   192.168.0.2   5500       30.0.0.1   80
Public    20.0.0.1      2013       30.0.0.1   80
Public    20.0.0.1      4013       30.0.0.1   80

NAT Module Internal Mappings
Inside IP     Inside Port   Outside IP   Outside Port   Dest. IP   Dest. Port
192.168.0.1   5500          20.0.0.1     2013           30.0.0.1   80
192.168.0.2   5500          20.0.0.1     4013           30.0.0.1   80


4.2 Two-Way, bidirectional or inbound NAT

Introduction

Traditional NAT is designed to handle only outbound transactions; clients on the local network initiate requests and devices on the Internet send back responses. However, in some circumstances, we may want to go in the opposite direction. That is, we may want to have a device on the outside network initiate a transaction with one on the inside. To permit this, we need a more capable type of NAT. This enhancement goes by various names, most commonly known as Bidirectional NAT, Two-Way NAT and Inbound NAT. All of these convey the concept that this kind of NAT allows both the type of transaction we saw in the previous topic and also transactions initiated from the outside network.

Two-way NAT example

In this example, host 30.0.0.1 wants to make a connection to the Web server 192.168.0.1 on the private network.

A static mapping is configured in the SpeedTouch™, mapping the private IP address 192.168.0.1 to 20.0.0.1. Host 30.0.0.1 knows IP address 20.0.0.1 and sends the packet to the SpeedTouch™. The SpeedTouch™ translates the outside address 20.0.0.1 to the inside address 192.168.0.1 and forwards the packet.

Figure 8: Two-Way NAT example

[Figure: a packet from 30.0.0.1 to 20.0.0.1 is forwarded by the SpeedTouch (outside address 20.0.0.1, inside address 192.168.0.254) to 192.168.0.1; the reply leaves with source address 20.0.0.1.]

NAT Module Internal Mappings

Inside IP | Inside Port | Outside IP | Outside Port | Dest. IP | Dest. Port
192.168.0.1 | 5500 | 20.0.0.1 | 5500 | 30.0.0.1 | 80


4.3 N-N NAT or Multi-NAT

Introduction

N-N NAT is the generalization of Two-Way NAT or Basic NAT.

A chosen range of inside hosts (N inside IP addresses) can be mapped to an equivalent range of outside IP addresses (N outside IP addresses) for inbound and outbound traffic.

Because the mapping between inside and outside addresses is unique, inbound and outbound traffic can be associated unambiguously, so the translation is quite simple.

N-N NAT functioning

When applying N:N NAT, the Hyper-NAT module operates as follows:

For outgoing packets traversing the Hyper-NAT module, it substitutes the source IP address, taken from the inside addressing domain, with an address from the outside addressing domain. The destination IP address remains unchanged.

For incoming packets traversing the Hyper-NAT module, it performs the reverse translation on the destination address of packets; the destination IP address is retranslated to the associated inside IP address and the source IP address remains unchanged.


4.4 X-Y NAT

Introduction

A chosen set of inside hosts (X inside IP addresses) can be mapped to a set of outside IP addresses (Y outside IP addresses) for outbound traffic only. This feature is called Many-to-Few NAT: X-Y NAT (with X > Y).

X-Y NAT functioning

When applying X:Y NAT, the Hyper-NAT module operates as follows:

For outgoing packets traversing the NAT module, it substitutes the source IP address with an address from the outside addressing domain and the source TCP/UDP port with an outside TCP/UDP port. The destination IP address and port remain unchanged.

For incoming packets traversing the NAT module, it performs the reverse translation on the destination address and port of packets; the destination IP address is retranslated to the associated inside IP address and the destination TCP/UDP port is retranslated to the associated inside TCP/UDP port number. The source IP address and port remain unchanged.

X-Y NAT example

In the following example you can see that a pool of public addresses is used. The first host that wants to make a connection to the public network gets the first address of the pool. The second host gets the second address of the pool and so on.

Figure 9: X-Y NAT example

[Figure: hosts 192.168.0.1 and 192.168.0.2 behind the SpeedTouch; a packet from 192.168.0.1 (source port 5500) to 30.0.0.1, port 80, leaves with source address 20.0.0.1, and the reply to 20.0.0.1 is delivered to 192.168.0.1.]

NAT Module Internal Mappings

Inside IP | Outside IP | Dest. IP
192.168.0.1 | 20.0.0.1 | 30.0.0.1
192.168.0.2 | 20.0.0.2 | 30.0.0.2
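The translation described under "NAPT example" and "X-Y NAT functioning" can be followed in a small model. This is an added example, not code from the guide or from the SpeedTouch™ firmware; the class and method names are hypothetical, and the port allocation policy (keep the source port when it is free, otherwise take the next free one from 1024 upward), the wrap-around when the pool is used up, and the check of the remote endpoint on inbound packets are assumptions, so the outside ports differ from the 2013 and 4013 shown in Figure 7.

```python
from dataclasses import dataclass
from itertools import chain
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)


@dataclass(frozen=True)
class Mapping:
    inside: Endpoint
    outside: Endpoint
    foreign: Endpoint  # the "Dest. IP" / "Dest. Port" columns of the mappings table


class XYNat:
    """X inside hosts share a pool of Y outside addresses; Y == 1 is plain NAPT."""

    def __init__(self, pool: List[str], first_dynamic_port: int = 1024):
        if not pool:
            raise ValueError("outside address pool is empty")
        self.pool = list(pool)
        self.first_dynamic_port = first_dynamic_port
        self.host_addr: Dict[str, str] = {}  # inside IP -> outside IP
        self.by_flow: Dict[Tuple[Endpoint, Endpoint], Mapping] = {}
        self.by_outside: Dict[Endpoint, Mapping] = {}

    def _outside_ip(self, inside_ip: str) -> str:
        # The first host gets the first pool address, the second host the second.
        # Assumption: once the pool is used up, later hosts wrap around and share.
        if inside_ip not in self.host_addr:
            index = len(self.host_addr) % len(self.pool)
            self.host_addr[inside_ip] = self.pool[index]
        return self.host_addr[inside_ip]

    def _outside_port(self, outside_ip: str, wanted: int) -> int:
        # Assumption: reuse the inside source port if no other mapping holds it.
        for port in chain([wanted], range(self.first_dynamic_port, 65536)):
            if (outside_ip, port) not in self.by_outside:
                return port
        raise RuntimeError("no free outside port left on " + outside_ip)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the source of an outgoing packet; the destination is untouched."""
        mapping = self.by_flow.get((src, dst))
        if mapping is None:
            ip = self._outside_ip(src[0])
            mapping = Mapping(src, (ip, self._outside_port(ip, src[1])), dst)
            self.by_flow[(src, dst)] = mapping
            self.by_outside[mapping.outside] = mapping
        return mapping.outside, dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Reverse-translate the destination; None means no mapping, packet dropped."""
        mapping = self.by_outside.get(dst)
        if mapping is None or mapping.foreign != src:
            return None
        return src, mapping.inside


if __name__ == "__main__":
    nat = XYNat(["20.0.0.1"])  # single outside address, as in Figure 7
    web = ("30.0.0.1", 80)
    for host in ("192.168.0.1", "192.168.0.2"):
        print(host, "->", nat.outbound((host, 5500), web)[0])
    print("reply   ->", nat.inbound(web, ("20.0.0.1", 1024)))
    print("unknown ->", nat.inbound(("30.0.0.9", 80), ("20.0.0.1", 1024)))
```

With a two-address pool, 192.168.0.1 and 192.168.0.2 each keep port 5500 on their own outside address, as in Figure 9; port translation only becomes necessary once two hosts share one outside address.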


4.5 Transparent NAT

Introduction

This type of NAT is mostly used in combination with other flavours, as it is quite a special one. In fact no address translation is performed; the packets are transparently forwarded from the public into the private segment of the network, where a host is configured with that particular public IP address. This feature is useful in cases where an interface is in ‘NAT mode’, but some of the IP addresses on it should not be translated. In that case, a transparent NAT entry should be defined for these IP addresses.

Transparent NAT translates an inside address into the identical outside IP address. So, no translation is performed and the IP packets passing the Hyper-NAT module remain unchanged.

Transparent NAT example

In the following example you can see that one local host is presented as if it is the public node. Host 20.0.0.1 receives the same address as the outside public IP address. In fact there is no translation.

The SpeedTouch™ just forwards the packets.

Do not confuse Transparent NAT with Transparent Interface. For more information about the latter, see “Address translation per interface” on page 9.

When to use transparent NAT is explained in section “6.3.5 Transparent NAT” on page 57.

[Figure: inside host 20.0.0.1 exchanges packets with 30.0.0.1 on the public network through the SpeedTouch (inside address 192.168.0.254, outside address 20.0.0.1); the packets are identical on both sides of the SpeedTouch.]

NAT Module Internal Mappings

Inside IP | Outside IP
20.0.0.1 | 20.0.0.1


4.6 Port range shifting

Introduction

For inbound traffic, port shifting allows a UDP/TCP outside port range to be shifted to a UDP/TCP inside port range.

Port range shifting is used when:

Multiple private hosts serving the same service must be accessible from the outside network.

A well-known port for a service must be hidden from the outside network.

Port range shifting example

In the following example, in the first entry listed in the address translation table, the outside port 25 is mapped to inside port 25, so there is no change.

In the second entry, outside port 8080 is mapped to inside port 80. This is to hide the Web service from the outside network.

Figure 10: Port range shifting example

[Figure: host 30.0.0.1 on the public network sends packets to 20.0.0.6, port 25 and port 8080; the SpeedTouch forwards them to 192.168.0.1, port 25 and to 192.168.0.2, port 80.]

NAT Module Internal Mappings

Inside IP | Inside Port | Outside IP | Outside Port
192.168.0.1 | 25 | 20.0.0.6 | 25
192.168.0.2 | 80 | 20.0.0.6 | 8080


4.7 Translation templates

Introduction

Life is easy and nice when the interface on the public network has a permanently assigned IP address. However, what can be done with public interfaces which have a dynamically assigned IP address? For example, in the case of PPPoA, 50.0.0.1 can change to 50.0.0.x the next time the dial-up connection is established.

In order to still be able to configure incoming connections for these types of interfaces, the concept of templates is available.

A template assigns a wildcard (0.0.0.x) to the IP address of the public interface. When a PPP session is established, the wildcard is replaced by the IP address that was actually assigned dynamically to the PPP interface.

Translation template example

In the following example, the first entry listed in the address translation table is the template we created; it is persistently stored. The second one is a temporary entry which was added at PPP setup; it is an “instance” of the template. This instance is now a fully functional static address mapping entry with a lifetime equal to the lifetime of the PPP connection.

Figure 11: Template example

[Figure: host 50.0.0.200 sends a packet to 50.0.0.12, port 2013; the SpeedTouch (inside address 192.168.0.254, outside address 50.0.0.12) forwards it to 192.168.0.1, port 5500.]

NAT Module Internal Mappings

Inside IP | Inside Port | Outside IP | Outside Port | Dest. IP
192.168.0.1 | 5500 | 0.0.0.1 | 2013 | 50.0.0.200
192.168.0.1 | 5500 | 50.0.0.12 | 2013 | 50.0.0.200
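Port range shifting (section 4.6) and translation templates (section 4.7) both concern static inbound entries, so one model covers them. This is an added example, not code from the guide or the SpeedTouch™ firmware: the class names are hypothetical, treating any outside address in 0.0.0.0/24 as the 0.0.0.x wildcard is an assumption, and the UDP range entry in the usage note is constructed. The exposed() method lists what is reachable from outside at a given moment, which is the view to review when a well-known port is "hidden" behind a shifted one.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Assumption: an outside address of the form 0.0.0.x marks a template.
TEMPLATE_NET = ipaddress.ip_network("0.0.0.0/24")


@dataclass(frozen=True)
class InboundMap:
    proto: str
    outside_ip: str
    outside_ports: Tuple[int, int]  # inclusive outside port range
    inside_ip: str
    inside_first_port: int          # first port of the shifted inside range

    def __post_init__(self):
        lo, hi = self.outside_ports
        if not 0 < lo <= hi <= 65535:
            raise ValueError("invalid outside port range")
        if self.inside_first_port < 1 or self.inside_first_port + (hi - lo) > 65535:
            raise ValueError("shifted inside range leaves the port space")

    @property
    def is_template(self) -> bool:
        return ipaddress.ip_address(self.outside_ip) in TEMPLATE_NET

    def translate(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        lo, hi = self.outside_ports
        if self.is_template or proto != self.proto or dst_ip != self.outside_ip:
            return None
        if not lo <= dst_port <= hi:
            return None
        # Shift: the offset inside the outside range is kept in the inside range.
        return self.inside_ip, self.inside_first_port + (dst_port - lo)


class InboundTable:
    def __init__(self, entries: List[InboundMap]):
        self.entries = list(entries)           # persistent: static maps and templates
        self.instances: List[InboundMap] = []  # exist only while the PPP session is up

    def ppp_up(self, assigned_ip: str) -> None:
        """Instantiate every template with the dynamically assigned address."""
        self.instances = [replace(e, outside_ip=assigned_ip)
                          for e in self.entries if e.is_template]

    def ppp_down(self) -> None:
        self.instances = []  # the instance dies with the PPP connection

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        for entry in self.entries + self.instances:
            hit = entry.translate(proto, dst_ip, dst_port)
            if hit is not None:
                return hit
        return None  # no mapping: nothing inside is reachable on this port

    def exposed(self) -> List[str]:
        """Every inside service reachable from the outside right now."""
        lines = []
        for e in self.entries + self.instances:
            if e.is_template:
                continue
            lo, hi = e.outside_ports
            first = e.inside_first_port
            outside = str(lo) if lo == hi else "%d-%d" % (lo, hi)
            inside = str(first) if lo == hi else "%d-%d" % (first, first + hi - lo)
            lines.append("%s %s:%s -> %s:%s" % (e.proto, e.outside_ip, outside,
                                                e.inside_ip, inside))
        return lines


# Entries of Figure 10 plus the template of Figure 11.
FIGURE_ENTRIES = [
    InboundMap("tcp", "20.0.0.6", (25, 25), "192.168.0.1", 25),
    InboundMap("tcp", "20.0.0.6", (8080, 8080), "192.168.0.2", 80),
    InboundMap("tcp", "0.0.0.1", (2013, 2013), "192.168.0.1", 5500),
]

if __name__ == "__main__":
    table = InboundTable(FIGURE_ENTRIES)
    table.ppp_up("50.0.0.12")
    print("\n".join(table.exposed()))
```

A constructed range entry such as InboundMap("udp", "20.0.0.6", (6000, 6009), "192.168.0.2", 7000) maps outside port 6003 to inside port 7003.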


5 Application Level Gateways

What are Application Level Gateways

Some protocols and applications have more complicated requirements than traditional ones, resulting in significant problems when deployed in combination with NAT implementations.

For those applications, address translation is assisted by specific software that executes the specific processing required to provide a transparent routing solution to end hosts. This customised software is called an Application Level Gateway (ALG). The ALGs determine what kind of packet is being processed and, if needed, examine and adjust the packet’s payload fields.

Overview

In this chapter you can find:

5.1 Application Level Gateways in general

5.2 Application Level Gateways in the SpeedTouch™

5.3 NAT Applications Compatibility


5.1 Application Level Gateways in general

NAT critical circumstances

Using NAT in the following circumstances results in malfunctioning when no ALGs are applied:

Bundled session applications.

Use of ephemeral (dynamic and greater than 1024) ports in the connection call setup process.

Included IP address and port information within the packet payload.

Specific session information required to demultiplex incoming traffic.

Bundled session applications

Some advanced applications use several connections for a single call. They exchange IP address and port parameters within control sessions to establish the subsequent data sessions. Address translation engines cannot know the inter-dependency of the bundled sessions and would treat each session as unrelated to the others.

For example:

H.323 uses two TCP connections and several UDP sessions for a single call.

A SIP call may use a TCP control connection or several UDP sessions for data transfer.

Jabber uses one TCP control connection and several TCP sessions for data transfer.

In the FTP protocol, the control messages and the data transfer use entirely separate TCP connections.

During an RTSP session, an RTSP client may open and close several sessions to the server to issue RTSP requests.

Use of ephemeral (dynamic and greater than 1024) ports in the connection call setup process

Extra information required

For example:

H.323 protocol: the H.245 and the RTP connections use ephemeral ports.

SIP protocol: the RTP connection uses momentary ports.

Passive mode FTP uses a random ephemeral port for data transfer.


Included IP address and port information within the packet payload

As explained before, NAT replaces in each IP packet the private IP address/port with the public IP address/port (for outbound connections; for inbound connections NAT functions the other way around).

This causes problems for some applications because they are based on protocols that embed IP address/port information within the payload of the IP packet. The NAT module cannot identify the IP address/port in the IP payload.

For example:

H.323 & SIP protocols have addressing information for the data connections buried in the payload of the control packets.

Internet Locater Service (ILS): the ILS logins, carried in the packet payload, include the source IP address of the caller.

FTP: the FTP layer 3 connection addressing is embedded within the payload of a control packet (‘PORT’, ‘PASV’ messages).

Internet Relay Chat (IRC) service: commands carried over the IRC-DCC (Direct Client To Client Protocol) connection include the IP address and the TCP port where the Acceptor client should connect to the Initiator client.

For the buildup of an RTSP session, the setup message includes the expected UDP port for the client and the server.

RealAudio clients set up an outgoing TCP control connection to initiate conversation with a real-audio server. Audio session parameters, including the port number on which the incoming audio traffic will be received by the clients, are embedded in the TCP control session as a byte stream.

The IPv6-to-IPv4 protocol defines a mechanism for interconnecting IPv6 sites over an IPv4 network and its implicit tunnel setup requires that IP addressing information is carried in the IPv6 packet payload.
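The FTP case from the list above shows what an ALG has to do with an embedded address: find the h1,h2,h3,h4,p1,p2 field of a PORT command or of a 227 (PASV) reply, open a mapping for the announced data endpoint, and write the translated endpoint back into the payload. This is an added example, not the SpeedTouch™ FTP ALG; the function names and the open_mapping callback are hypothetical, the control lines are constructed, and refusing an announced address that is not the sender's own is a hardening choice made here, not something the guide describes.

```python
import re
from typing import Callable, Sequence, Tuple

Endpoint = Tuple[str, int]

# h1,h2,h3,h4,p1,p2: four address bytes and two port bytes (RFC 959).
# The look-arounds stop the pattern from matching inside a longer number list.
_HOSTPORT = re.compile(
    rb"(?<![\d,])" + rb",".join([rb"(\d{1,3})"] * 6) + rb"(?![\d,])")


def decode_hostport(fields: Sequence[bytes]) -> Endpoint:
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("host-port field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(endpoint: Endpoint) -> bytes:
    ip, port = endpoint
    parts = ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return ",".join(parts).encode("ascii")


def rewrite_control_line(line: bytes, sender_ip: str,
                         open_mapping: Callable[[Endpoint], Endpoint]) -> Tuple[bytes, int]:
    """Translate the endpoint announced in a PORT command or a 227 reply.

    sender_ip is the (untranslated) source address of the packet carrying the
    line; open_mapping creates the NAT entry for the data connection and
    returns its outside endpoint. Returns the new line and the change in
    length, which a real ALG must apply to later TCP sequence numbers.
    """
    if not (line[:5].upper() == b"PORT " or line.startswith(b"227 ")):
        return line, 0
    match = _HOSTPORT.search(line)
    if match is None:
        return line, 0
    announced = decode_hostport(match.groups())
    if announced[0] != sender_ip:
        # Hardening choice: never open a mapping towards a host other than
        # the one that sent the command.
        raise ValueError("announced address %s is not the sender" % announced[0])
    translated = open_mapping(announced)
    new_line = line[:match.start()] + encode_hostport(translated) + line[match.end():]
    return new_line, len(new_line) - len(line)


if __name__ == "__main__":
    opened = {}

    def open_mapping(endpoint: Endpoint) -> Endpoint:
        opened[endpoint] = ("20.0.0.1", 2013)  # constructed outside endpoint
        return opened[endpoint]

    print(rewrite_control_line(b"PORT 192,168,0,1,21,124\r\n", "192.168.0.1", open_mapping))
    print(opened)
```

The constructed PORT line announces 192.168.0.1 port 5500 (21 × 256 + 124); after translation to 20.0.0.1 port 2013 the line is four bytes shorter.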

Specific session information required to demultiplex incoming traffic

Extra information required

The following protocols can be given as examples:

IPSec: The “SPI” field available in the ESP protocol is used to identify a session.

PPTP: In GREv1 frames, the “CallID” field is used as a demultiplexing identifier.

6to4 protocol: The “InterfaceID” field, contained in the IPv6 header of a packet, is used to identify each session.


5.2 Application Level Gateways in the SpeedTouch™

Embedded ALGs in SpeedTouch™ routers

The following ALGs are embedded in the SpeedTouch™ routers; they are bound to the mentioned default ports:

:connection bindlist
Application Proto Portrange Flags
LOOSE<UDP> udp 69
LOOSE<UDP> udp 67
GAME<UDP> udp 27010-27011
JABBER tcp 15222
JABBER tcp 5222
FTP tcp 21
IRC tcp 6660-6669
H323 tcp 1720
ILS tcp 1002
ILS tcp 389
RTSP tcp 554
RAUDIO(PNA) tcp 7070
CU/SeeMe udp 7648
SIP udp 5060
IKE udp 500
ESP esp 0
PPTP tcp 1723
CONE udp 0
IP6TO4 6to4 0

Loose UDP: allows temporary inbound UDP to a specific LAN host.

Game ALG: aggregates many inbound connections in a single connection.

Cone ALG: STUN NAT helper.

UPnP NAT Traversal

For some applications working in a UPnP infrastructure, you can also rely on the UPnP NAT Traversal capability of the SpeedTouch™ to support them across address translation.

UPnP NAT Traversal is a set of capabilities that allows applications to:

Discover they are behind an address translation device,

Learn the outside IP address,

Automatically configure an appropriate static NAT mapping on the address translation module so that incoming packets are routed back properly to the application.

If the host’s IP address and port are included in packet payloads, the applications also update them directly with the proper outside IP address & port. Applications running on recent Windows platforms support UPnP NAT Traversal.

To enable the UPnP feature on the SpeedTouch™, use the following CLI command:

:system config upnp=enabled
:system config
upnp discovery: enabled
mdap discovery: enabled
drst support: enabled
digest authentication: enabled


5.3 NAT Applications Compatibility

Topics:

5.3.1 Traditional protocols deployed across the NAT module

5.3.2 Most common application (client and server) behind the SpeedTouch™ NAT module

5.3.3 Most common games or game servers behind the SpeedTouch™ NAT module

5.3.4 VPN pass-through support across the SpeedTouch™ NAT module

5.3.5 IPv6 nodes isolated behind the SpeedTouch™ NAT device

5.3.6 SIP User Agents behind the SpeedTouch™ NAT device


5.3.1 Traditional protocols deployed across the NAT module

Overview of supported protocols

The following table identifies the widespread protocols that are supported through NAT in the SpeedTouch™ routers and indicates, for each of them, whether the user has to add a static NAT mapping for this protocol to function across NAT.

Finger, gopher, echo, systat, Daytime, Quote Of The Day and Kermit are also supported across the SpeedTouch™ NAT devices, by configuring a single static X:Y NAT entry for inbound sessions.

Required settings per protocol:

Protocol | Outbound session | Inbound session
DNS (RFC 1035) | None | Not supported
ICMP (RFC 792) (embedded ALG) | None | Static N:N NAT
IDENT (RFC 1413) | None | Static X:Y NAT: 103 (TCP)
IMAP (RFC 2060) | None | Static X:Y NAT: 143 (TCP + UDP)
FTP (RFC 959) (Active & Passive mode) (embedded ALG) | None | Static X:Y NAT: 21 (TCP), 20 (TCP)
HTTP (RFC 2068) | None | Static X:Y NAT: 80 (TCP)
HTTPS (RFC 2660) | None | Static X:Y NAT: 443 (TCP)
NNTP (RFC 977) | None | Static X:Y NAT: 119 (TCP)
NNTP (RFC 958) | None | Static X:Y NAT: 123 (TCP + UDP)
POP3 (RFC 1939) | None | Static X:Y NAT: 110 (TCP)
RTSP (RFC 2326) (embedded ALG) | None | Not supported
Shoutcast | None | Static X:Y NAT: 8000 (TCP)
SMTP (RFC 821) | None | Static X:Y NAT: 25 (TCP)
SSH | None | Static X:Y NAT: 22 (TCP)
Telnet (RFC 854) | None | Static X:Y NAT: 23 (TCP)


5.3.2 Most common application (client and server) behind the SpeedTouch™ NAT module

Settings for Internet applications

The required settings that have to be added to support the widespread Internet applications through SpeedTouch™ NAT routers are described in the following table.

Application | Application version | Outbound session | Inbound session
Direct Connect | | None | Static X:Y NAT: 375-425 (TCP)
MIRC client [1] (embedded ALG) | Windows IRC | None | N/A
MSN Messenger | Windows Messenger 5.0 [2] | None | UPnP
Netmeeting [3] (embedded ALG) | Microsoft NetMeeting 2.1 & 2.11 | None | Static X:Y NAT: [4] 1720 (TCP), 1503 (TCP)
PC Anywhere | | None | Static X:Y NAT: 5631 (TCP), 5632 (UDP)
RealAudio/Video [5] (embedded ALG) | RealAudio, RealPlayer, RealPlayerG2, RealOne Player | None | N/A
Applications based on Jabber protocol | Voila messager - Version 3.1.0 | None | Static X:Y NAT: 1720 (TCP) for audio & video.
SIP phones [6] (embedded ALG) | Pingtel, Snom, Ubiquity UA | None | Static X:Y NAT: 5060 (TCP) [7], 5060 (UDP), 5061 (TLS over TCP)

[1] Both "Server" and "Normal" look-up methods are supported.

[2] Supported OS: XP, ME, 2000, 98SE, 98. DirectX 8.1 or higher required. Voice & File transfer services across the .NET platform and in a SIP network environment are supported. Video service (XP to XP only) is also supported.

[3] Both "with ILS service" and "without ILS service" are supported.

[4] When ILS service is used, no static entries are required for incoming connections.

[5] Files in audio format are supported with the help of the RealAudio ALG. The RTSP ALG assists the transfer of video files.

[6] The SIP ALG only supports non-encrypted and non-compressed UDP SIP traffic, encoded in a text format (SDP). The SIP ALG also supports audio services across a SIP network provided by Windows Messenger 4.7 or higher.

[7] Each SIP phone needs its own signalling port; increment the port number by one for each phone. If the SIP_PBX feature is enabled on the SpeedTouch™ 610 device, a single port can be used for multiple incoming connections.


5.3.3 Most common games or game servers behind the SpeedTouch™ NAT module

Overview

This is a list of the most common configurations needed to run a game or a game server from behind a NAT device like the SpeedTouch™ router. As you can see, most games work fine without configuration when making an outgoing connection. All games need some kind of port forwarding when you need to act as a server to take incoming connections.

Required settings per game:

Games | Outbound connection | Inbound connection
Age Of Empires (Microsoft) | None | Defserver
Battle.Net games: Blizzard Diablo, Blizzard Diablo 2, Blizzard Starcraft, Blizzard Warcraft | None | Static X:Y NAT: 4000 (TCP), 6112 to 6119 (TCP), 4000 (UDP), 6112 to 6119 (TCP)
Bungie.net | None | Static X:Y NAT: 3453 (TCP)
Delta Force | Static X:Y NAT: 17478 (TCP) | Defserver or Static N:N NAT
Diablo 2 games | None | Static X:Y NAT: 4000 (TCP), 4000 (UDP)
DirectX 7 Games | UPnP after DirectX upgrade to DirectX version 8 or higher. | Defserver, Static N:N NAT or UPnP after DirectX upgrade to DirectX version 8 or higher.
DirectX 8 games [1] | UPnP | Defserver, Static N:N NAT or UPnP
eDonkey2000 | None | Static X:Y NAT: 4662 (TCP), 4665 (UDP)
Everquest | None | Defserver or Static N:N NAT
KaZaA, Grokster | None | Static X:Y NAT: 214 (TCP)
Heretic 2 | None | Static X:Y NAT: 28910 (TCP)
Hexen 2 | None | Static X:Y NAT: 26900(+1) (TCP) [2]
Kali | None | Static X:Y NAT: [3] 2213(+1) (TCP), 6666 (TCP)
Gnutella, Morpheus, LimeWire, BearShare, Xolox | None | Static X:Y NAT: 6346 (TCP)
Quake 2 | Static X:Y NAT: 27910 (TCP), 27910 (UDP) | Static X:Y NAT: 27910 (TCP), 27910 (UDP)
Quake 3 Arena | None | Static X:Y NAT: 27960 (TCP), 27960 (UDP)
Rainbow 6 | Static X:Y NAT: 2346 (TCP) | Static X:Y NAT: 2346 (TCP)
Return to Castle Wolfenstein | None | Static X:Y NAT: 27960 (TCP), 27960 (UDP)
Rogue Spear | Static X:Y NAT: 2436 (TCP) | Static X:Y NAT: 2436 (TCP)
Starcraft games | None | Static X:Y NAT: 6112 (UDP)
Unreal Tournament | None | Static X:Y NAT: 7777-7779 (TCP), 27900 (UDP)
WinMX | None | Static X:Y NAT: 6699 (TCP), 6257 (UDP)

[1] A list of DirectX games is available at: http://support.microsoft.com/default.aspx?scid=KB;en-us;q240429. To determine if a game is DirectX 8 compliant, follow the instructions detailed in this document.

[2] Each player needs his own port. Increment the port number by one for each person.

[3] Each player needs his own port. Increment the port number by one for each person.


5.3.4 VPN pass-through support across the SpeedTouch™ NAT module

What is a VPN

A Virtual Private Network (VPN) is a secure, private communication tunnel between two endpoints across a public network (e.g. the Internet). A VPN client creates a secure VPN tunnel across the Internet, and into another network fronted by a VPN server (also named "VPN gateway").

Communication scenarios

The SpeedTouch™ NAT module transparently supports the most popular VPN protocols (IPSec, PPTP and L2TP) in the following communication scenarios:

1:1 communication scenario refers to an end-user establishing a single VPN session with a VPN server located at his/her Corporate HQ.

N:N communication scenario refers to N end-users being able to establish a session with N VPN servers. The restriction is that the relation between clients and servers is strictly one-to-one. A real-life example would be both parents working at home but employed by different companies.

X:Y communication scenario refers to multiple VPN clients establishing sessions to the same server. A typical situation could be a branch office in which all employees require equal access to the HQ's IT infrastructure.

Embedded VPN ALGs

An IPSec ALG is embedded in the SpeedTouch™ NAT module in order to cope with IPSec-NAT Compatibility.

A PPTP ALG is embedded in the SpeedTouch™ NAT module in order to assist the incoming data traffic demultiplexing.

The SpeedTouch™ NAT module can be used either on the VPN client side (outbound connections) or on the VPN gateway side (inbound connections). The required settings for VPN pass-through are summarized in the following table:

Application | Application version | Outbound session | Inbound session
IPSec multi-sessions [1] (embedded ALG) | Nortel (VPN server/ Connectivity client); Cisco (GW model 1710/client); Checkpoint (VPN GW, SecureRemote VPN-1); SpeedTouch™ VPN client | None | Static X:Y NAT: 500 (TCP)
PPTP multi-sessions [2] (embedded ALG) | Microsoft PPTP VPN, Linux PPTP VPN | None | Static X:Y NAT: 1723 (TCP), GRE
PPTP multi-sessions (embedded ALG) | Microsoft L2TP VPN | None | Static X:Y NAT: 1701 (UDP)


[1] Only ESP in transport mode is supported. Both ESP over IP and ESP over UDP are supported. Re-keying limitation: When the VPN client is on the LAN side of the SpeedTouch™ device, Quick mode re-keying, initiated from the VPN gateway, is supported. When the VPN gateway is on the LAN side, Quick mode and Main-mode re-keying, initiated from the VPN client, are supported. Only fixed IKE source port is supported. Only one simultaneous set-up phase towards the same remote IPSec Gateway is supported.

[2] Only control traffic in clear is supported.

To ensure interoperability with various older IPSec VPN clients/servers (for example Nortel Contivity) that have problems with a floating source port of inbound IKE traffic, you can configure via the CLI's :nat config ike_port=<{fixed|floated}> whether the IPSec NAPT ALG should fix the source port to 500 for inbound IKEv1 traffic, or allow it to float.


5.3.5 IPv6 nodes isolated behind the SpeedTouch™ NAT device

IPv4 to IPv6 migration scenario

The SpeedTouch™ NAT module is not limited to operating in an IPv4-only environment; it can also transparently be used in a migration scenario from an IPv4 network to an IPv6 network.

A very likely IPv4 to IPv6 migration scenario is that some IPv6 networks will appear at the periphery of the IPv4 Internet. Via IPv6/IPv4 tunnelling techniques, these IPv6 islands can be interconnected without requiring a native IPv6 infrastructure.

The 6to4 protocol is one of these tunnelling methods. It defines a mechanism for IPv6 sites to communicate with other IPv6 sites or with native IPv6 networks over an IPv4 network without explicit tunnel setup. 6to4 routers, located at the intersections of the IPv6/IPv4 networks, encapsulate/de-encapsulate IPv6 packets in IPv4 packets.

Embedded ALGs

The SpeedTouch™ NAT module embeds a 6to4 ALG in order to transparently support multiple outbound 6to4 sessions. All the communication scenarios described in “5.3.4 VPN pass-through support across the SpeedTouch™ NAT module” on page 32 are supported with Microsoft 6to4 hosts and routers.


5.3.6 SIP User Agents behind the SpeedTouch™ NAT device

Introduction

Session Initiation Protocol (SIP) is a signalling protocol used for initiating, modifying and terminating sessions (e.g. voice calls, video calls, text, chat sessions, etc.) in an IP network.

The SIP ALG enables you to use SIP behind a NAT-enabled modem.

Registration phase

When a User Agent (UA) on the Local Area Network (LAN) wants to register to an outbound registrar, the following actions take place:

1 The UA sends a REGISTER request.

2 The SIP ALG creates a NAT entry for this UA. Every UA on the LAN will receive a different port number. This allows you to use several user agents over a single Internet connection.

3 The SIP ALG translates the REGISTER request in accordance with the newly created NAT entry.

4 The SpeedTouch™ forwards the REGISTER request to the outbound proxy.

The NAT entry created during this process will be used for translating SIP messages to/from the registered UA.

SIP messages translation

When a SIP message traverses the SpeedTouch™, the following actions take place:

1 The SIP ALG selects the appropriate NAT entry linked to the user agent on the LAN.

2 The SIP ALG translates the SIP message in accordance with the selected NAT entry. This translation alters the following components:

The SIP headers (except the Call-ID field). Header fields are named attributes that provide additional information about a SIP message (for example routing information).

The Session Description Protocol (SDP) body. The SDP body contains information about the parameters that will be used during the multimedia session.

3 The SpeedTouch™ forwards the translated message to the next hop.
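The registration and translation steps above, applied to one outbound message. This is an added example, not the SpeedTouch™ SIP ALG: the class, the sample INVITE and its names are constructed, the port numbering (5060 for the first UA, incremented by one for each further UA) and the media_ports argument are assumptions, and only the ip:port form in headers and IPv4 addresses in the SDP o=, c= and m= lines are handled. It shows two details the steps imply: the Call-ID line passes through unchanged, and Content-Length has to be recomputed because the SDP body changes size.

```python
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class SipAlg:
    def __init__(self, outside_ip: str, first_port: int = 5060):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.entries: Dict[Endpoint, Endpoint] = {}  # UA inside -> outside endpoint

    def entry_for(self, ua: Endpoint) -> Endpoint:
        """Registration step 2: every UA gets its own outside port."""
        if ua not in self.entries:
            self.entries[ua] = (self.outside_ip, self.next_port)
            self.next_port += 1
        return self.entries[ua]

    def translate_outbound(self, msg: str, ua: Endpoint,
                           media_ports: Optional[Dict[int, int]] = None) -> str:
        in_ip, in_port = ua
        out_ip, out_port = self.entry_for(ua)
        media_ports = media_ports or {}
        head, sep, body = msg.partition("\r\n\r\n")

        # SDP body: connection/origin addresses and media ports.
        addr = re.compile(r"(?<![\d.])%s(?![\d.])" % re.escape(in_ip))
        sdp = []
        for line in body.split("\r\n"):
            media = re.match(r"m=(\S+) (\d+)(.*)$", line)
            if line.startswith(("o=", "c=")):
                line = addr.sub(out_ip, line)
            elif media:
                port = int(media.group(2))
                line = "m=%s %d%s" % (media.group(1),
                                      media_ports.get(port, port), media.group(3))
            sdp.append(line)
        body = "\r\n".join(sdp)

        # Headers: every field except Call-ID; Content-Length is recomputed.
        hostport = re.compile(r"(?<![\d.])%s:%d(?!\d)" % (re.escape(in_ip), in_port))
        lines = head.split("\r\n")
        out = [lines[0]]  # start line is left alone: it names the remote side
        for line in lines[1:]:
            name = line.split(":", 1)[0].strip().lower()
            if name in ("call-id", "i"):
                pass  # identifies the call end to end, so it must not change
            elif name in ("content-length", "l"):
                line = "%s: %d" % (line.split(":", 1)[0], len(body.encode("utf-8")))
            else:
                line = hostport.sub("%s:%d" % (out_ip, out_port), line)
            out.append(line)
        return "\r\n".join(out) + sep + body


def build_invite(ua_ip: str, ua_port: int, rtp_port: int) -> str:
    """Constructed sample INVITE with an SDP offer (not captured traffic)."""
    sdp = "\r\n".join([
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 %s" % ua_ip,
        "s=-",
        "c=IN IP4 %s" % ua_ip,
        "t=0 0",
        "m=audio %d RTP/AVP 0" % rtp_port,
        "",
    ])
    head = "\r\n".join([
        "INVITE sip:bob@example.net SIP/2.0",
        "Via: SIP/2.0/UDP %s:%d;branch=z9hG4bK776asdhds" % (ua_ip, ua_port),
        "From: <sip:alice@example.net>;tag=1928301774",
        "To: <sip:bob@example.net>",
        "Call-ID: a84b4c76e66710@%s" % ua_ip,
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@%s:%d>" % (ua_ip, ua_port),
        "Content-Type: application/sdp",
        "Content-Length: %d" % len(sdp),
    ])
    return head + "\r\n\r\n" + sdp


if __name__ == "__main__":
    alg = SipAlg("20.0.0.1")
    ua = ("192.168.0.1", 5060)
    print(alg.translate_outbound(build_invite(ua[0], ua[1], 49170), ua, {49170: 40000}))
```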

The SpeedTouch™ 610 SIP PBX

The SpeedTouch™ 610 offers you the possibility to extend its functionality with the SIP Multi-Media Private Branch eXchange (PBX) through activation by means of a software module key. Using the SpeedTouch™ 610 integrated multi-media SIP PBX, the user can secure the SIP communications and manage certain local services such as registration blocking, session screening and session logging without involvement of the operator.

When enabling the SpeedTouch™ SIP PBX via the SpeedTouch™ web pages or CLI, the following NAPT template is automatically created:

:nat list
Indx Prot Inside-address:Port Outside-address:Port Foreign-address:Port Flgs Expir
0 17 127.0.0.1:5060 0.0.0.0:5060 0.0.0.0:0 template


This NAPT template routes all inbound SIP packets to the SpeedTouch™ SIP PBX. The SIP port number used by this template corresponds with the SIP port number you configured via the SpeedTouch™ SIP Web page or via the CLI.

For more information, see the application note "The SpeedTouch™ Integrated SIP multi-media PBX".


6 Network address translation configuration on the SpeedTouch™

Overview

This chapter covers the following topics:

6.1 Configuring address translation on the Web pages

6.3 Configuring Hyper-NAT mappings

6.4 Configure NAPT maps

6.5 Configure inbound port shifting

6.6 Configure templates

Network setup

The following network setup will be used for all scenarios in this chapter.

Figure 12: Network setup (labels: 192.168.0.1/24, 192.168.0.2/24, SpeedTouch 192.168.0.254/24 and 20.0.0.1/8, PPPoA, Internet, 30.0.0.1/8)


6.1 Configuring address translation on the Web pages

Introduction

This chapter covers the following topics:

Configuring Hyper-NAT using the Web pages

Enabling/disabling address translation on an interface

Creating an address translation mapping

Creating a template


6.1.1 Configuring Hyper-NAT using the Web pages

Only on business products

Configuring Hyper-NAT is only possible on business products, because to configure NAT you need the Expert Mode.

Configuring NAT To configure NAT:

1 Open a Web browser and go to the SpeedTouch™ Web pages at http://speedtouch.lan or http://192.168.1.254.

2 Click Expert mode

3 Click IP router > NAT


6.1.2 Enabling/disabling address translation on an interface

Enabling/disabling address translation

To enable or disable address translation on an interface:

1 Click the Interfaces tab

2 Select the Interface on which address translation has to be enabled/disabled.

3 Click Save All to make the settings permanent.


6.1.3 Creating an address translation mapping

Introduction

An address translation map is used for mapping one or more private IP addresses to one or more public IP addresses on a specific interface.

Creating a NAT map To create a NAT map:

1 Click the Mappings tab and click New to create a new map

2 Select NAT from the Type list.

3 Select or type all required information:

Interface: The name of the IP interface on which address translation has to be applied. Any implies all interfaces.

Protocol: The IP protocol on which address translation has to be applied. Advantage: To link specific traffic (protocol dependent) to a chosen private host. Any implies all protocols.

Outside address: The outside (typically public) IP address(es).

Inside address: The inside (typically private) IP address(es) to enable inbound sessions.

Access list: You can use the access list to define the address(es) that are allowed to use the outbound connections.

Foreign address: The foreign address is used to define the address(es) that are allowed to use the inbound connections.

The interface must previously have been NAT enabled, see “6.1.2 Enabling/disabling address translation on an interface” on page 40.


4 Click Apply.

5 Click Save All to make the settings permanent.

Creating a NAPT map To create a NAPT map:

1 Click the Mappings tab and click New to create a new map

2 Select NAPT from the Type list.

3 Select or type all required information:

Interface: The name of the IP interface on which address translation has to be applied.

Protocol: The IP protocol on which address translation has to be applied. Advantage: To link specific traffic (protocol dependent) to a chosen private host. Any implies all protocols.

Outside address: The outside (typically public) IP address(es) (range).
-> Portrange: The output port number or range.

Inside address: The inside (typically private) IP address(es) to enable inbound sessions.
-> Portrange: The inside port number or range.

Access list: You can use the access list to define the address(es) that are allowed to use the outbound connections.

Foreign address: The foreign address is used to define the address(es) that are allowed to use the inbound connections.

The interface must previously have been NAT enabled, see “6.1.2 Enabling/disabling address translation on an interface” on page 40.


4 Click Apply.

5 Click Save All to make the settings permanent.


6.1.4 Creating a template

Creating a NAT template To create a NAT template:

1 Click the Templates tab and click New to create a new template.

2 Select NAT from the Type list.

3 Select or type all required information:

Interface: The name of the IP interface on which address translation has to be applied.

Group: The IP interface group scope for this template.

Protocol: The IP protocol on which address translation has to be applied. Advantage: To link specific traffic (protocol dependent) to a chosen private host. Any implies all protocols.

Outside address: The outside (typically public) IP address(es) (range).

0.0.0.1 is the first IP address of an interface, 0.0.0.2 is the second IP address of an interface, 0.0.0.3 is the third IP address of an interface,... This is important, specifically when using a PPP connection with the IPCP subnet mask option (this means that multiple public IP addresses are given dynamically to one PPP).

The interface must previously have been NAT enabled, see “6.1.2 Enabling/disabling address translation on an interface” on page 40.


Inside address: The inside (typically private) IP address(es) to enable inbound sessions.

Access list: You can use the access list to define the address(es) that are allowed to use the outbound connections.

Foreign address: The foreign address is used to define the address(es) that are allowed to use the inbound connections.

4 Click Apply.

5 Click Save All to make the settings permanent.

Creating a NAPT template To create a NAPT template:

1 Click the Templates tab and click New to create a new template.

2 Select NAPT from the Type list.


3 Select or type all required information:

Interface: The name of the IP interface on which address translation has to be applied.

Group: The IP interface group scope for this template.

Protocol: The IP protocol on which address translation has to be applied. Advantage: To link specific traffic (protocol dependent) to a chosen private host. Any implies all protocols.

Outside address: The outside (typically public) IP address(es) (range).
-> Portrange: The output port number or range.

Inside address: The inside (typically private) IP address(es) to enable inbound sessions.
-> Portrange: The inside port number or range.

Access list: You can use the access list to define the address(es) that are allowed to use the outbound connections.

Foreign address: The foreign address is used to define the address(es) that are allowed to use the inbound connections.

4 Click Apply.

5 Click Save All to make the settings permanent.

The interface must previously have been NAT enabled, see “6.1.2 Enabling/disabling address translation on an interface” on page 40.


6.2 Configuring address translation on the CLI

Introduction

This section covers the following topics:

Available NAT commands

Viewing the status of the interfaces

Enabling/disabling address translation on an interface

Creating an address translation mapping

Creating a template

Available NAT commands

To view all NAT commands, execute nat help.

=>nat help
Following commands are available :

ifconfig   : Modify address translation on an IP interface.
iflist     : Display all interfaces.
mapadd     : Add an address mapping to a nat enabled interface.
mapdelete  : Delete an address mapping from a nat enabled interface.
maplist    : Display address mappings.
tmpladd    : Add an address mapping template.
tmpldelete : Delete an address mapping template.
tmpllist   : Display address mapping templates.
tmplinst   : Instantiate address mapping templates for a given dynamic address.
config     : Display/Modify global NAT configuration.
flush      : Flush current NAT configuration.
=>

Viewing the status of the interfaces

To view all available interfaces and their status, execute :nat iflist.

=>:nat iflist
Interface  NAT
loop       disabled
Internet   enabled
lan1       transparent
wan1       enabled
dmz1       disabled
guest1     disabled
ppp_pppoa  disabled
=>

Enabling/disabling address translation on an interface

To enable/disable address translation on a specific interface, execute :nat ifconfig with the specific interface and mode, for example:

:nat ifconfig intf=ppp_pppoa translation=enabled


Creating an address translation mapping

To create a NAT address translation map:

1 Execute menu.

2 Execute nat mapadd and complete the portmap properties.

=>:nat mapadd
intf = ppp_pppoa
[type] = nat
[outside_addr] =
[inside_addr] =
[access_list] =
[foreign_addr] =
[protocol] =
[outside_port] =
[inside_port] =

intf: The name of the IP interface on which address translation has to be applied.

type: The type of the template, NAT or NAPT.

outside addr: The outside (typically public) IP address(es) (range).

inside addr: The inside (typically private) IP address(es) (range).

access list: You can use the access list to define the address(es) that are allowed to use the outbound connections.

foreign addr: The foreign address is used to define the address(es) that are allowed to use the inbound connections.

protocol: The IP protocol on which address translation has to be applied. Advantage: To link specific traffic (protocol dependent) to a chosen private host. Any protocol means all protocols.

outside port: The outside port number or range.

inside port: The inside port number or range.

The interface must previously have been enabled for address translation, see “6.1.2 Enabling/disabling address translation on an interface” on page 40.

Creating a template

To create a template:

1 Execute menu.

2 Execute nat tmpladd and complete the portmap properties.

=>:nat tmpladd
[intf] = ppp_pppoa
[group] =
[timeout] =
[type] =
[outside_addr] = 0.0.0.1
[inside_addr] =
[access_list] =
[foreign_addr] =
[protocol] =
[outside_port] =
[inside_port] =


intf: The name of the IP interface on which address translation has to be applied.

group: The IP interface group scope for this template.

timeout: The lifetime for the template.

type: The type of the template, NAT or NAPT.

outside addr: The outside (typically public) IP address(es) (range).

inside addr: The inside (typically private) IP address(es) (range).

access list: You can use the access list to define the address(es) that are allowed to use the outbound connections.

foreign addr: The foreign address is used to define the address(es) that are allowed to use the inbound connections.

protocol: The IP protocol on which address translation has to be applied. Advantage: To link specific traffic (protocol dependent) to a chosen private host. Any protocol means all protocols.

outside port: The outside port number or range.

inside port: The inside port number or range.

The interface must previously have been enabled for address translation, see “6.1.2 Enabling/disabling address translation on an interface” on page 40.


6.3 Configuring Hyper-NAT mappings

Introduction This section explains the configuration of the different Hyper-NAT mappings.

General information You can configure your SpeedTouch™ using the Web pages or using CLI commands. Depending on the specific NAT flavour you would like to enable, Portmap Properties are mandatory or not. In case you leave a non-mandatory Portmap Property empty, the mandatory settings will be valid for all of the non-mandatory parameters.

6.3.1 Basic NAT

6.3.2 Two-Way NAT

6.3.3 N-N NAT

6.3.4 X-Y NAT

6.3.5 Transparent NAT


6.3.1 Basic NAT

Introduction

To enable Basic NAT on a SpeedTouch™ interface, map your public (outside) address to an interface for outbound traffic. Inbound traffic cannot be initiated. Only one inside host can use this type of NAT at the same time.

Web Pages

To enable Basic NAT using Web pages, create a new NAT map as described in “Creating a NAT map” on page 41 and complete the required information.

Basic NAT example using Web pages

The following example uses the Web pages to enable Basic NAT. Basic NAT is enabled on the ppp_pppoa interface using the public address 20.0.0.1.

CLI

To enable Basic NAT using CLI, create a new map as described in “Creating an address translation mapping” on page 48.

The Portmap Properties Interface and Outside address are mandatory. Protocol and Access list are not.

Basic NAT example using CLI

The following example uses the CLI to enable Basic NAT. Basic NAT is enabled on the ppp_pppoa interface using the public address 20.0.0.1.

:nat mapadd intf=ppp_pppoa type=nat outside_addr=20.0.0.1


6.3.2 Two-Way NAT

Introduction To enable Two-way NAT on a SpeedTouch™ interface:

Map your public (outside) address for outbound traffic.

Map inbound traffic to an inside address.

Web pages

To enable Two-Way NAT using Web pages, create a new NAT map as described in “Creating a NAT map” on page 41 and complete the required information.

Two-Way NAT example using Web pages

The following example uses the Web pages to enable Two-Way NAT. Two-Way NAT is enabled on the ppp_pppoa interface using the outside address 20.0.0.1 and the inside address 192.168.1.64.

Traffic can be initiated from the inside address 192.168.1.64 or from any outside address.

CLI

To configure Two-Way NAT using CLI, create a new map as described in “Creating an address translation mapping” on page 48.

The Portmap Properties Interface, Outside address and Inside address are mandatory. Protocol and Access list are not.

Two-Way NAT example using CLI

The following example uses the CLI to enable Two-Way NAT. Two-Way NAT is enabled on the ppp_pppoa interface using the public address 20.0.0.1 and the inside address 192.168.1.64.

Traffic can be initiated from the inside address 192.168.1.64 or from any outside address.

=>:nat mapadd intf=ppp_pppoa type=nat outside_addr=20.0.0.1 inside_addr=192.168.1.64


6.3.3 N-N NAT

Introduction To enable N-N NAT on a SpeedTouch™ interface:

Map your range of public (outside) addresses for outbound traffic.

Map inbound traffic to a range of inside addresses.

Web pages

To enable N-N NAT using Web pages, create a new NAT map as described in “Creating a NAT map” on page 41 and complete the required information.

N-N NAT example using Web pages

The following example uses the Web pages to enable N-N NAT. N-N NAT is enabled on the ppp_pppoa interface using the outside address range 20.0.0.1 up to 20.0.0.2 and the inside address 192.168.1.64 up to 192.168.1.65. In this example two simultaneous connections are possible.

Traffic can be initiated from the inside addresses 192.168.1.64 or 192.168.1.65 or from any outside address.

CLI

To enable N-N NAT using CLI, create a new map as described in “Creating an address translation mapping” on page 48.

N-N NAT is an extension of Two-Way NAT to multiple hosts. The number of addresses in the inside address range and the outside address range must be equal. There can only be as many simultaneous connections as the number of addresses specified in the range.

The Portmap Properties Interface and range of Outside addresses and range of Inside addresses are mandatory. Protocol and Access list are not.


N-N NAT example using CLI

The following example uses the CLI to enable N-N NAT. N-N NAT is enabled on the ppp_pppoa interface using the outside address range 20.0.0.1 up to 20.0.0.2 and the inside address 192.168.1.64 up to 192.168.1.65. In this example two simultaneous connections are possible. Traffic can be initiated from the inside addresses 192.168.1.64 or 192.168.1.65 or from any outside address.

=>:nat mapadd intf=ppp_pppoa type=nat outside_addr=20.0.0.[1-2] inside_addr=192.168.1.[64-65]


6.3.4 X-Y NAT

Introduction

To enable X-Y NAT on a SpeedTouch™ interface, map your range of public (outside) addresses for outbound traffic. When an inside host (within the access list) connects to an outside host, the SpeedTouch™ selects an available outside address (this means not used for another connection yet) to allow outbound traffic. When all outside addresses are in use, no other connection is allowed to use the NAT map.

Web pages

To enable X-Y NAT using Web pages, create a new NAT map as described in “Creating a NAT map” on page 41 and complete the required information.

X-Y NAT example using Web pages

The following example uses the Web pages to enable X-Y NAT. X-Y NAT is enabled on the ppp_pppoa interface using the outside address range 20.0.0.1 up to 20.0.0.2.

CLI

To enable X-Y NAT using CLI, create a new NAT map as described in “Creating a NAT map” on page 41 and complete the required information.

The Portmap Properties Interface and range of Outside addresses are mandatory. Protocol and Access list are not.

X-Y NAT example using CLI

The following example uses the CLI to enable X-Y NAT. X-Y NAT is enabled on the ppp_pppoa interface using the outside address range 20.0.0.1 up to 20.0.0.2.

=>:nat mapadd intf=ppp_pppoa type=nat outside_addr=20.0.0.[1-2]


Template instantiation The following example shows an instantiated NAT mapping:

The entry with outside address 20.0.0.[1..2]: The created NAT map.

The entry with outside address 20.0.0.1: Inside host 192.168.1.64 makes a connection to an outside host (for example 30.0.0.1). The SpeedTouch™ uses the first available address 20.0.0.1 to make an outbound connection.

The entry with outside address 20.0.0.2: Inside host 192.168.1.65 makes a connection to an outside host (for example 30.0.0.1). The SpeedTouch™ uses the second available address 20.0.0.2 to make an outbound connection.

As soon as the association between internal and external IP address is made, inbound connections can also be made.
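The X-Y NAT behaviour described in this section, modelled as an added example (not SpeedTouch™ code): outside addresses are handed out first-available, a host outside the access list or arriving after the pool is exhausted gets no mapping, and an outside address only becomes reachable inbound once an association exists. The class `XYNatMap`, the access list 192.168.1.0/24 and the `release` method (standing in for an association ending) are assumptions made for this example.

```python
import ipaddress


class XYNatMap:
    """Hypothetical model of one X-Y NAT map with an outside address range."""

    def __init__(self, first, last, access_list=None):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if hi < lo:
            raise ValueError("outside range is empty")
        self.pool = [ipaddress.ip_address(int(lo) + i)
                     for i in range(int(hi) - int(lo) + 1)]
        # Assumption: the access list is given as one network in CIDR form.
        self.allowed = ipaddress.ip_network(access_list) if access_list else None
        self.by_inside = {}  # inside host -> outside address in use

    def outbound(self, inside):
        """Return the outside address used for this inside host, or None."""
        host = ipaddress.ip_address(inside)
        if self.allowed is not None and host not in self.allowed:
            return None  # not within the access list
        if host in self.by_inside:
            return str(self.by_inside[host])
        in_use = set(self.by_inside.values())
        for candidate in self.pool:  # first available outside address
            if candidate not in in_use:
                self.by_inside[host] = candidate
                return str(candidate)
        return None  # all outside addresses are in use

    def inbound(self, outside):
        """Return the inside host reachable via this outside address, or None."""
        target = ipaddress.ip_address(outside)
        for host, addr in self.by_inside.items():
            if addr == target:
                return str(host)
        return None  # no association yet, so nothing is reachable

    def release(self, inside):
        """Drop the association of an inside host (assumed to model expiry)."""
        self.by_inside.pop(ipaddress.ip_address(inside), None)


if __name__ == "__main__":
    nat = XYNatMap("20.0.0.1", "20.0.0.2", access_list="192.168.1.0/24")
    for host in ("192.168.1.64", "192.168.1.65", "192.168.1.66"):
        print(host, "->", nat.outbound(host))
    print("inbound 20.0.0.2 ->", nat.inbound("20.0.0.2"))
```

Which inside host an outside address exposes depends on the order of outbound connections, so an inbound filter written against a fixed outside address does not protect a fixed host.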


6.3.5 Transparent NAT

Introduction

A NAT map is considered transparent when both inside and outside addresses are the same. No translation is performed on packet headers. A transparent map is used in order to avoid issues with NAT-unfriendly applications (for example, when the host address is included in the packet payload).

There are different transparent maps:

Transparent Basic NAT

Transparent Two-Way NAT

Transparent N-N NAT

Transparent Basic NAT Create a new NAT map and select or type all required information.

Transparent Basic NAT is only for outbound sessions. In this case the access list and the outside address will be the same. For example 40.0.0.1.

Transparent Basic NAT is applicable for protocols with the host address in the payload. NAT would translate the host address, but not the payload, which makes the packet invalid.

For every transparent NAT map, you must add:

An interface route on the SpeedTouch™ to the LAN device (inside address).

A proxy ARP on the SpeedTouch™, to reach the default gateway (BAS) from the LAN device.


Transparent Two-Way NAT

This example describes transparent two-way NAT.

Transparent Two-Way NAT is especially used for inbound sessions, for example to send packets to a private server using its private IP address. This avoids reconfiguration.

Another application of transparent NAT is IP pass through, see “6.4.3 NAPT using transparent default server and port range constraint” on page 64.

Transparent N-N NAT

Just like transparent Two-Way NAT, transparent N-N NAT is especially used for inbound sessions, but for multiple hosts. The number of addresses in the inside address range and the outside address range must be equal.


6.4 Configure NAPT maps

Introduction This section explains the configuration of the different NAPT maps.

6.4.1 Basic NAPT

6.4.2 NAPT using default server

6.4.3 NAPT using transparent default server and port range constraint

6.4.4 NAPT using dynamic port range constraint


6.4.1 Basic NAPT

Introduction

To enable Basic NAPT on a SpeedTouch™ interface, map your public (outside) address to the interfaces for outbound traffic. Port translation is used to differentiate traffic. Inbound traffic cannot be initiated. Only one inside host can use this type of NAT at the same time.

The NAPT map is mapped when an inside host (within the access list) connects to an outside host. All of the interfaces can use the NAPT map at the same time.

Web pages

To enable Basic NAPT using Web pages, create a new NAT map as described in “Creating a NAT map” on page 41 and complete the required information.

Basic NAPT example using Web pages

The following example uses the Web pages to enable Basic NAPT. Basic NAPT is enabled on the ppp_pppoa interface using the public address 20.0.0.1.

CLI

To enable Basic NAPT using CLI, create a new map as described in “Creating an address translation mapping” on page 48.

The Portmap Properties Interface and Outside address are mandatory. Protocol and Access list are not.

Basic NAPT example using CLI

The following example uses the CLI to enable Basic NAPT. Basic NAPT is enabled on the ppp_pppoa interface using the public address 20.0.0.1.

:nat mapadd intf=ppp_pppoa type=napt outside_addr=20.0.0.1


Special scenarios

With NAPT mapping, the following three special scenarios may occur:

NAPT using transparent default server

When the inside and outside address are identical, transparent address translation applies for inbound traffic. No translation must be performed. This type of NAT mapping is called ‘NAPT using transparent default server’. Since port overlapping might occur, this is not an optimal NAPT configuration. A better scenario is described in “6.4.3 NAPT using transparent default server and port range constraint” on page 64.

NAPT using host function

When the inside address is the IP address of the SpeedTouch™, the NAPT mapping is called ‘NAPT using host function’. Traffic can be initiated inbound and outbound; all inbound traffic is sent to the SpeedTouch™.

NAPT using transparent host function

When the inside and outside address are both the IP address of the SpeedTouch™, the NAPT mapping is called ‘NAPT using transparent host function’. Traffic can be initiated inbound and outbound; all inbound traffic is sent to the SpeedTouch™.


6.4.2 NAPT using default server

Introduction

To enable NAPT using default server on a SpeedTouch™ interface, map your inside host addresses to the outside address for outbound traffic. Port translation is used to differentiate traffic. For inbound traffic, map the outside address to the inside host address (default server).

Web pages

To enable NAPT using default server with Web pages, create a new NAT map as described in “Creating a NAT map” on page 41 and complete the required information.

NAPT using default server example with Web pages

The following example uses the Web pages to enable NAPT using default server. NAPT using default server is enabled on the ppp_pppoa interface using the public address 20.0.0.1 and the default server 192.168.1.64.

All inbound packets received on public interface 20.0.0.1, for which no NAT context exists, will be forwarded to the default server 192.168.1.64. Outbound packets can be sent from any part within the private network.

CLI

To enable NAPT using default server with CLI, create a new map as described in “Creating an address translation mapping” on page 48.

If there are many servers running on the same computer and you don't feel like creating a long list of static translations, a public IP address server is your answer. It forwards all unsolicited traffic to a single computer. Traffic can be initiated inbound and outbound.

The Portmap Properties Interface, Outside address and Inside address are mandatory. Protocol and Access list are not.


NAPT using default server with CLI

The following example uses the CLI to enable NAPT using default server. NAPT using default server is enabled on the ppp_pppoa interface using the public address 20.0.0.1 and the default server 192.168.1.64.

=>:nat mapadd intf=ppp_pppoa type=napt outside_addr=20.0.0.1 inside_addr=192.168.1.64

6.4.3 NAPT using transparent default server and port range constraint

Introduction If you pass an IP address coming from a DHCP server in the WAN site to a host in the private network, you need a transparent NAT map to make it available.

Web pages To enable NAPT using transparent default server and port range constraint using Web pages, create a new NAT map as described in “ Creating a NAT map” on page 41 and complete the required information.

Example using Web pages The following example uses the Web pages to enable NAPT using transparent default server and port range constraint. It is enabled on the ppp_pppoa interface using the outside address 20.0.0.1 with the portrange 50 000 up to 60 000 and the inside address 192.168.1.64.

CLI To enable NAPT using transparent default server and port range constraint using CLI, create a new map as described in “ Creating an address translation mapping” on page 48.

NAPT using transparent default server and port range constraint is also called IP pass through.

The Portmap Properties Interface, Outside address with the Portrange and Inside address are mandatory. Protocol and Access list are not.

Example using CLI The following example uses the CLI to enable NAPT using transparent default server and port range constraint. It is enabled on the ppp_pppoa interface using the outside address 20.0.0.1 with the portrange 50 000 up to 60 000 and the inside address 192.168.1.64.

=>:nat mapadd intf=ppp_pppoa type=napt outside_addr=20.0.0.1 inside_addr=192.168.1.64 outside_port=50000-60000

6.4.4 NAPT using dynamic port range constraint

Introduction To enable NAPT using dynamic port range constraint on a SpeedTouch™ interface, map your inside host addresses to the outside address for outbound traffic. Port translation is used to differentiate traffic. The dynamic port range used for the translation is restricted to a chosen port range. Inbound traffic cannot be initiated.

Web pages To enable NAPT using dynamic port range constraint using Web pages, create a new NAT map as described in “ Creating a NAT map” on page 41 and complete the required information.

Example using Web pages The following example uses the Web pages to enable NAPT using dynamic port range constraint. It is enabled on the ppp_pppoa interface using the outside address 20.0.0.1 with the portrange 10 000 up to 20 000.

The NAPT map will be mapped when an inside host connects to an outside host. Port translation will always be between port 10000 and 20000.

CLI To enable NAPT using dynamic port range constraint using CLI, create a new map as described in “ Creating an address translation mapping” on page 48.

Example using CLI The following example uses the CLI to enable NAPT using dynamic port range constraint. It is enabled on the ppp_pppoa interface using the outside address 20.0.0.1 with the portrange 10 000 up to 20 000.

The Portmap Properties Interface and Outside address with the Portrange are mandatory. Protocol and Access list are not.

=>:nat mapadd intf=ppp_pppoa type=napt outside_addr=20.0.0.1 outside_port=10000-20000

6.5 Configure inbound port shifting

Introduction This is an extension of Two-Way NAT where ports of inbound traffic are statically translated from outside port range to inside port range. Port ranges must have the same size.

Web pages To enable inbound port shifting using Web pages, create a new NAT map as described in “ Creating a NAT map” on page 41 and complete the required information.

Inbound port shifting using Web pages

The following example uses the Web pages to enable inbound port shifting. Inbound port shifting is enabled on the ppp_pppoa interface using the outside address 20.0.0.1 with the portrange 8080 up to 8081 and the inside address 192.168.1.64 with the portrange 80 up to 81. When you select the tcp protocol, address translation will only be applied on TCP packets.

An inbound connection to 20.0.0.1 on port 8080 will be forwarded to inside address 192.168.1.64 on port 80.

An inbound connection to 20.0.0.1 on port 8081, will be forwarded to inside address 192.168.1.64 on port 81.

CLI To enable inbound port shifting using CLI, create a new map as described in “ Creating an address translation mapping” on page 48.

The Portmap Properties Interface, Outside address with the Portrange and Inside address with Portrange are mandatory. Protocol and Access list are not.

Example using CLI The following example uses the CLI to enable inbound port shifting. It is enabled on the ppp_pppoa interface using the outside address 20.0.0.1 with the portrange 8080 up to 8081 and the inside address 192.168.1.64 with the portrange 80 up to 81.

=>:nat mapadd intf=ppp_pppoa type=napt outside_addr=20.0.0.1 inside_addr=192.168.1.64 outside_port=8080-8081 inside_port=80-81
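When reviewing a saved configuration, the NAPT variants of sections 6.4.2 to 6.5 can be told apart by which mapadd parameters are present, which shows at a glance which maps forward inbound traffic to an inside host. The following Python sketch is an added example, not part of the SpeedTouch software or of this guide; the function names are hypothetical, and it assumes every parameter is written as key=value and that only type=napt maps are classified.

```python
def parse_mapadd(line):
    """Split '=>:nat mapadd key=value ...' into a dict of parameters."""
    tokens = line.replace("=>", "", 1).split()
    if tokens[:2] != [":nat", "mapadd"]:
        raise ValueError(f"not a nat mapadd command: {line!r}")
    params = {}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if not (key and sep and value):  # catches 'inside_addr 192.168.1.64'
            raise ValueError(f"malformed parameter {tok!r}, expected key=value")
        params[key] = value
    return params

def port_range(text):
    """'8080-8081' -> (8080, 8081); a single port 'N' -> (N, N)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi

def classify(params):
    """Name the NAPT variant (sections 6.4.2 to 6.5) a parsed map selects."""
    inside = "inside_addr" in params
    oport, iport = params.get("outside_port"), params.get("inside_port")
    if params.get("type") != "napt" or (iport and not (inside and oport)):
        return "not covered by this example"
    if iport:  # port shifting: both ranges must have the same size
        (olo, ohi), (ilo, ihi) = port_range(oport), port_range(iport)
        if ohi - olo != ihi - ilo:
            raise ValueError("outside and inside port ranges differ in size")
        return "inbound port shifting"
    if inside:  # an inside host receives inbound traffic (default server)
        return "transparent default server with port range constraint" if oport else "default server"
    return "dynamic port range constraint" if oport else "not covered by this example"

def shift_port(params, outside_port):
    """Inside port an inbound port is shifted to, or None if outside the range."""
    olo, ohi = port_range(params["outside_port"])
    ilo, _ = port_range(params["inside_port"])
    return ilo + outside_port - olo if olo <= outside_port <= ohi else None

# The four commands of sections 6.4.2 to 6.5, every parameter as key=value.
SAMPLE = [
    "=>:nat mapadd intf=ppp_pppoa type=napt outside_addr=20.0.0.1 inside_addr=192.168.1.64",
    "=>:nat mapadd intf=ppp_pppoa type=napt outside_addr=20.0.0.1 inside_addr=192.168.1.64 outside_port=50000-60000",
    "=>:nat mapadd intf=ppp_pppoa type=napt outside_addr=20.0.0.1 outside_port=10000-20000",
    "=>:nat mapadd intf=ppp_pppoa type=napt outside_addr=20.0.0.1 inside_addr=192.168.1.64 outside_port=8080-8081 inside_port=80-81",
]
```

Maps classified as a default server variant deserve the closest review, since the inside host they name receives inbound traffic that matches no existing NAT context.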

6.6 Configure templates

Introduction Templates are used when the public interfaces get dynamically assigned IP addresses. A template assigns a wildcard (0.0.0.x) to the IP address of the public interface.

Network setup The following network setup is assumed:

Web pages To configure a NAT template using Web pages, create a new NAT template as described in “6.1.4 Creating a template” on page 44 and complete the required information.

When a PPP connection is established, the wildcard is replaced by the dynamically assigned IP address of the PPP interface. Select the Mappings menu.

[Figure: network setup, labelled 192.168.0.1, 192.168.0.2, SpeedTouch (192.168.0.254), PPPoA, public network 101.101.101.x, wildcard 0.0.0.1]

This is the automatically created NAT map, based on the template. The wildcard is replaced by the dynamically assigned IP address 101.101.101.47. Any inside address can use this mapping.

CLI To configure a NAT template using CLI, create a new template as described in “ Creating a template” on page 48.

=>:nat tmpladd intf=any group=any type=nat outside_addr=0.0.0.1

6.6.1 X+n templates

Introduction An X+n template behaves like a normal template but defines a whole range of mappings.

Web pages To configure an X+n template using Web pages, create a new NAT template as described in “6.1.4 Creating a template” on page 44 and complete the required information.

CLI To configure an X+n template using CLI, create a new template as described in “ Creating a template” on page 48 and complete the required information.

=>:nat tmpladd intf=any group=any type=nat outside_addr=0.0.0.[3-5] inside_addr=192.168.1.[64-66]

Need more help? Additional help is available online at www.speedtouch.com
