Using Multi-NAT
NAT (Network Address Translation, RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and "unmaps" the global IP addresses on incoming packets back into local IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g., a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NAT offers the additional benefit of firewall protection: all incoming connections to your network are filtered out by the Prestige 324, which prevents intruders from probing your network.
The SUA feature supported by previous ZyNOS versions operates by mapping private IP addresses to a single global IP address; it is only a subset of NAT. The Prestige 324 supports most of the NAT features described in RFC 1631, and we call this feature 'Multi-NAT'. For more information on IP address translation, please refer to RFC 1631, The IP Network Address Translator (NAT).
We define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Addresses (IGA); see the following figure. The term 'inside' refers to the set of networks that are subject to translation. NAT operates by mapping each ILA to the IGA required for communication with hosts on other networks. It replaces the original source IP address (and the TCP or UDP source port number) and then forwards each packet to the ISP, making the packets appear as if they had come from the NAT system itself (e.g., the Prestige 324 router). The Prestige 324 keeps track of the original addresses and port numbers so that incoming reply packets can have their original values restored.
NAT supports five types of IP/port mapping. They are:
In One-to-One mode, the Prestige 324 maps one ILA to one IGA.
In Many-to-One mode, the Prestige 324 maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA only option in today's routers).
In Many-to-Many Overload mode, the Prestige 324 maps multiple ILAs to a shared pool of IGAs.
In Many-to-Many No Overload mode, the Prestige 324 maps each ILA to a unique IGA.
In Server mode, the Prestige 324 maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note: if you want to map each server to one unique IGA, use the One-to-One mode.
The following table summarizes these types.
NAT Type | IP Mapping |
One-to-One | ILA1<--->IGA1 |
Many-to-One (SUA/PAT) | ILA1<--->IGA1, ILA2<--->IGA1, ... |
Many-to-Many Overload | ILA1<--->IGA1, ILA2<--->IGA2, ILA3<--->IGA1, ILA4<--->IGA2, ... |
Many-to-Many No Overload | ILA1<--->IGA1, ILA2<--->IGA2, ILA3<--->IGA3, ILA4<--->IGA4, ... |
Server | Server 1 IP<--->IGA1, Server 2 IP<--->IGA1 |
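The five mapping types and the first-match rule ordering, as an added example that is not code from the ZyXEL manual or firmware: a small Python model of an Address Mapping Set that assigns an IGA to an outbound ILA, rejects a rule whose End IP precedes its Start IP, and reproduces the four-rule Example3 set configured later on this page. The IGA values 203.0.113.1 to 203.0.113.3 are constructed placeholders for IGA1 to IGA3, and the way Many-to-Many Overload spreads ILAs over its pool and the local address on the Server rule are modelling assumptions, not documented Prestige behaviour.

```python
from ipaddress import IPv4Address

# The five mapping types selectable in Menu 15.1.1.1
ONE_TO_ONE, MANY_TO_ONE, M2M_OVERLOAD, M2M_NO_OVERLOAD, SERVER = (
    "One-to-One", "Many-to-One", "Many-to-Many Overload",
    "Many-to-Many No Overload", "Server")
class Rule:
    def __init__(self, rtype, local_start, local_end, global_start, global_end=None):
        self.type = rtype
        self.local = (IPv4Address(local_start), IPv4Address(local_end))
        self.glob = (IPv4Address(global_start), IPv4Address(global_end or global_start))
        for lo, hi in (self.local, self.glob):   # an End IP may not precede its Start IP
            if hi < lo:
                raise ValueError(f"end {hi} precedes start {lo}")

    def matches(self, ila):
        return self.local[0] <= ila <= self.local[1]
    def pool(self):   # every IGA in the rule's Global Start..End range
        lo, hi = int(self.glob[0]), int(self.glob[1])
        return [IPv4Address(i) for i in range(lo, hi + 1)]

class MappingSet:
    """Assigns an IGA to an outbound ILA by walking the rules in order; first match wins."""
    def __init__(self, name, rules):
        self.name, self.rules = name, rules
        self.reserved = {}   # rule index -> {ila: iga} held by No Overload rules

    def assign(self, ila):
        ila = IPv4Address(ila)
        for i, r in enumerate(self.rules):
            if r.type == SERVER or not r.matches(ila):
                continue   # Server rules only steer inbound traffic (see the NAT Server Set)
            pool = r.pool()
            if r.type in (ONE_TO_ONE, MANY_TO_ONE):
                return str(pool[0])   # a single IGA, shared by all ILAs for Many-to-One/PAT
            if r.type == M2M_OVERLOAD:   # assumed model: spread ILAs over the shared pool
                return str(pool[(int(ila) - int(r.local[0])) % len(pool)])
            taken = self.reserved.setdefault(i, {})   # Many-to-Many No Overload
            if ila not in taken:
                free = [g for g in pool if g not in taken.values()]
                if not free:
                    return None   # a unique IGA is required but the pool is exhausted
                taken[ila] = free[0]
            return str(taken[ila])
        return None   # no rule matched: the packet is not translated

# Constructed IGAs (RFC 5737 documentation range) standing in for IGA1..IGA3 from the ISP
IGA1, IGA2, IGA3 = "203.0.113.1", "203.0.113.2", "203.0.113.3"
EXAMPLE3 = MappingSet("Example3", [
    Rule(ONE_TO_ONE, "192.168.1.10", "192.168.1.10", IGA1),   # Rule 1: FTP Server 1
    Rule(ONE_TO_ONE, "192.168.1.11", "192.168.1.11", IGA2),   # Rule 2: FTP Server 2
    Rule(MANY_TO_ONE, "0.0.0.0", "255.255.255.255", IGA3),    # Rule 3: all other clients
    Rule(SERVER, "192.168.1.20", "192.168.1.20", IGA3),       # Rule 4: web and mail server
])
```

Because rules are evaluated from the first one down, swapping Rule 3 ahead of Rules 1 and 2 would send both FTP servers out through IGA3 instead of their dedicated addresses.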
SUA (Single User Account) in previous ZyNOS versions is a NAT set with two rules, Many-to-One and Server. The Prestige 324 now has Full Feature NAT support to map global IP addresses to the local IP addresses of clients or servers. With multiple global IP addresses, multiple servers of the same type (e.g., FTP servers) are allowed on the LAN for outside access. In previous ZyNOS versions (that supported SUA), 'visible' servers had to be of different types. The Prestige 324 supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The Prestige 324 supports two sets since there is only one remote node. The default SUA (Read Only) Set in menu 15.1 is a convenient, pre-configured, read-only Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions.
1. Applying NAT in the SMT Menus
You apply NAT via menus 4 and 11.3 as displayed next. The next figure shows how you apply NAT for Internet access in menu 4. Enter 4 from the Main Menu to go to Menu 4-Internet Access Setup.
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
IP Address Assignment= Dynamic
Press ENTER to Confirm or ESC to Cancel: |
The following figure shows how you apply NAT to the remote node in menu 11.3.
Menu 11.3 - Remote Node Network Layer Options
IP Address Assignment= Dynamic
Network Address Translation= SUA Only
Enter here to CONFIRM or ESC to CANCEL: |
Step 1. Enter 11 from the Main Menu.
Step 2. Move the cursor to the Edit IP field, press the [SPACEBAR] to toggle the default No to Yes, then press [ENTER] to bring up Menu 11.3-Remote Node Network Layer Options.
The following table describes the options for Network Address Translation.
Field | Options | Description |
Network Address Translation | Full Feature | When you select this option the SMT will use Address Mapping Set 1 (Menu 15.1, see later for further discussion). |
| None | NAT is disabled when you select this option. |
| SUA Only | When you select this option the SMT will use Address Mapping Set 255 (Menu 15.1, see later for further discussion). This option basically uses Many-to-One Overload mapping; select Full Feature when you require other mapping types. It is a convenient, pre-configured, read-only Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions. Note that there is also a Server type rule whose IGA is 0.0.0.0 in this set. |
Table: Applying NAT in Menu 4 and Menu 11.3
To configure NAT, enter 15 from the Main Menu to bring up the following screen.
Menu 15 - NAT Setup
1. Address Mapping Sets
3. Address Mapping Sets and NAT Server Sets
Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to LAN clients. Each remote node must specify which NAT Address Mapping Set to use. The Prestige 324 has one remote node and so allows you to configure only one NAT Address Mapping Set. You can see two NAT Address Mapping Sets in Menu 15.1, but you can only configure Set 1; Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3, the SMT will use Set 1. When you select SUA Only, the SMT will use Set 255. The P100IH, by comparison, has 8 remote nodes and so allows you to configure 8 NAT Address Mapping Sets.
The NAT Server Set is a list of LAN side servers mapped to external ports. To use this set (one set for the Prestige 324), a server rule must be set up inside the NAT Address Mapping set. Please see NAT Server Sets for further information on these menus.
Enter 1 to bring up Menu 15.1-Address Mapping Sets
Menu 15.1 - Address Mapping Sets
1.
Enter Set Number to Edit: |
Let's first look at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers. The fields in this menu cannot be changed. Entering 255 brings up this screen.
Menu 15.1.255 - Address Mapping Rules
Set Name= SUA (Read Only)
Idx Local Start IP Local End IP Global Start IP Global End IP Type
Press ESC or RETURN to Exit: |
The following table explains the fields in this screen. Please note that the fields in this menu are read-only.
Field | Description | Option/Example |
Set Name | This is the name of the set you selected in Menu 15.1 or enter the name of a new set you want to create. | SUA |
Idx | This is the index or rule number. | 1 |
Local Start IP | This is the starting local IP address (ILA). | 0.0.0.0 for the Many-to-One type. |
Local End IP | This is the ending local IP address (ILA). If the rule is for all local IPs, then the Start IP is 0.0.0.0 and the End IP is 255.255.255.255. | 255.255.255.255 |
Global Start IP | This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP. | 0.0.0.0 |
Global End IP | This is the ending global IP address (IGA). | N/A |
Type | This is the NAT mapping type. | Many-to-One and Server |
Please note that the fields in this menu are read-only. However, the settings of server set 1 can be modified in menu 15.2.1.
Now let's look at Option 1 in Menu 15.1. Enter 1 to bring up this menu.
Menu 15.1.1 - Address Mapping Rules
Set Name= ?
Idx Local Start IP Local End IP Global Start IP Global End IP Type
Action= Edit , Select Rule= 0
Press ENTER to Confirm or ESC to Cancel: |
We will just look at the differences from the previous menu. Note that this screen is not read-only, so it has the extra Action and Select Rule fields. Note also that the [?] in the Set Name field means that this is a required field and you must enter a name for the set. The other fields are as described above. The Type and the Local and Global Start/End IPs are configured in Menu 15.1.1.1 (described later), and their values are displayed here.
Field | Description | Option |
Set Name | Enter a name for this set of rules. This is a required field. Please note that if this field is left blank, the entire set will be deleted. | Rule1 |
Action | There are four actions. The default is Edit. Edit means you want to edit a selected rule (see the following field). Insert Before means to insert a new rule before the selected rule; the rules after the insertion point are then moved down by one. Delete means to delete the selected rule; all the rules after it are then advanced by one. Save Set means to save the whole set (note that when you choose this action the Select Rule field is disabled). | Edit, Insert Before, Delete, Save Set |
Select Rule | When you choose Edit, Insert Before or Save Set in the previous field the cursor jumps to this field to allow you to select the rule to apply the action in question. | 1 |
Note: Save Set in the Action field means to save the whole set. You must do this if you make any changes to the set, including deleting a rule. No changes to the set take place until this action is taken. Be careful when ordering your rules, as each rule is executed in turn beginning from the first rule.
Selecting Edit in the Action field and then selecting a rule brings up the following menu, Menu 15.1.1.1-Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs displayed in Menu 15.1.1.
Menu 15.1.1.1 - - Rule 1 Type: One-to-One
Local IP:
Global IP:
Press ENTER to Confirm or ESC to Cancel: |
The following table describes the fields in this screen.
Field | Description | Option/Example |
Type | Press [SPACEBAR] to toggle through a total of 5 types. These are the four mapping types discussed above plus the Server type. Some examples follow to clarify these a little more. | One-to-One, Many-to-One, Many-to-Many Overload, Many-to-Many No Overload, Server |
Local IP Start | This is the starting local IP address (ILA). | 0.0.0.0 |
Local IP End | This is the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for the One-to-One type. | 255.255.255.255 |
Global IP Start | This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP. | 0.0.0.0 |
Global IP End | This is the ending global IP address (IGA). This field is N/A for the One-to-One, Many-to-One and Server types. | 172.16.23.55 |
Note: For all Local and Global IPs, the End IP address must come after the Start IP address, i.e., you cannot have an End IP address that precedes the Start IP address.
The NAT Server Set is a list of LAN side servers mapped to external ports (similar to the old SUA menu). If you wish, you can make inside servers for different services, e.g., Web or FTP, visible to outside users, even though NAT makes your network appear as a single machine to the outside world. A server is identified by its port number, e.g., Web service is on port 80 and FTP on port 21.
As an example (see the following figure), if you have a Web server at 192.168.1.36 and an FTP server at 192.168.1.33, then you need to specify for port 80 (Web) the server at IP address 192.168.1.36 and for port 21 (FTP) the server at IP address 192.168.1.33.
Please note that a server can support more than one service, e.g., a server can provide both FTP and Mail service, while another provides only Web service.
The following procedure shows how to configure a server behind NAT.
Step 1. Enter 15 in the Main Menu to go to Menu 15-NAT Setup.
Step 2. Enter 2 to go to Menu 15.2-NAT Server Setup.
Step 3. Enter the service port number in the Port# field and the inside IP address of the server in the IP Address field.
Step 4. Press [SPACEBAR] at the 'Press ENTER to confirm...' prompt to save your configuration after you define all the servers, or press ESC at any time to cancel.
Menu 15.2 - NAT Server Setup
Port # IP Address
Press ENTER to Confirm or ESC to Cancel: |
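How the SUA Only (Many-to-One) set and the NAT Server Set behave together, as an added example that is not code from the ZyXEL manual or firmware: a Python model that rewrites outbound packets to the single IGA, restores replies from the recorded address and port state, and passes unsolicited inbound connections only to servers defined in the server set, filtering everything else as the introduction describes. It assumes a constructed IGA of 203.0.113.1, a global port allocator starting at 61000, and the page's example servers (Web at 192.168.1.36, FTP at 192.168.1.33).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:   # just the header fields NAT rewrites
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class SuaGateway:
    """Constructed model of SUA Only: one IGA, stateful PAT plus a NAT Server Set."""
    def __init__(self, iga, server_set=None, first_port=61000):
        self.iga = iga                        # the single IGA assigned by the ISP
        self.server_set = server_set or {}    # Menu 15.2 rows: external port -> inside IP
        self.next_port = first_port           # assumed global source port allocator
        self.flows = {}      # (ila, port, peer_ip, peer_port) -> translated source port
        self.by_port = {}    # translated source port -> that flow key

    def translate_out(self, pkt):
        """Rewrite an outbound packet so it appears to come from the IGA."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.flows:             # first packet of a flow: record its state
            self.flows[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return Packet(self.iga, self.flows[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Return the packet as delivered on the LAN, or None if NAT filters it out."""
        if pkt.dst_ip != self.iga:
            return None
        flow = self.by_port.get(pkt.dst_port)
        if flow and flow[2:] == (pkt.src_ip, pkt.src_port):
            ila, port = flow[:2]              # reply to a tracked flow: restore originals
            return Packet(pkt.src_ip, pkt.src_port, ila, port)
        if pkt.dst_port in self.server_set:   # unsolicited, but a server is published here
            return Packet(pkt.src_ip, pkt.src_port, self.server_set[pkt.dst_port], pkt.dst_port)
        return None                           # no server on this port: the probe is dropped

# Constructed server set reproducing the page's example: Web at .36, FTP at .33
GATEWAY = SuaGateway("203.0.113.1", {80: "192.168.1.36", 21: "192.168.1.33"})
```

Note that a packet aimed at a translated port from a host other than the one the flow was opened to is dropped; only the recorded peer can use that state.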
The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers.
Service | Port Number |
FTP | 21 |
Telnet | 23 |
SMTP | 25 |
DNS (Domain Name Server) | 53 |
www-http (Web) | 80 |
PPTP (Point-to-Point Tunneling Protocol) | 1723 |
In our Internet Access example, we only need one rule where all our ILAs map to one IGA assigned by the ISP. See the following figure.
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
IP Address Assignment= Dynamic
Press ENTER to Confirm or ESC to Cancel: |
From Menu 4 shown above, simply choose the SUA Only option from the NAT field. This is the Many-to-One mapping discussed earlier. The SUA read-only option from the NAT field in menu 4 and 11.3 is specifically pre-configured to handle this case.
2. Internet Access with an Internal Server
In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2.1-NAT Server Setup (Used for SUA Only) to specify the Internet server behind the NAT, as shown below.
Menu 15.2.1 - NAT Server Setup (Used for SUA Only)
Port # IP Address
Press ENTER to Confirm or ESC to Cancel: |
3. Using Multiple Global IP addresses for clients and servers (One-to-One, Many-to-One, Server Set mapping types are used)
In this case we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two very busy internal FTP servers and also an internal general server for the web and mail. We want to assign the 3 IGAs in the following way using 4 NAT rules.
Step 1:
In this case, we need to configure Address Mapping Set 1 from Menu 15.1-Address Mapping Sets. Therefore we must choose the Full Feature option from the NAT field in menu 4 or menu 11.3.
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
IP Address Assignment= Dynamic
Press ENTER to Confirm or ESC to Cancel: |
Step 2:
Go to menu 15.1 and choose 1 (not 255, SUA this time) to begin configuring this new set. Enter a Set Name, choose the Edit Action and then select 1 from Select Rule field. Press [ENTER] to confirm. See the following setup for the four rules in our case.
Rule 1 Setup: Select One-to-One type to map the FTP Server 1 with ILA1 (192.168.1.10) to IGA1.
Menu 15.1.1.1 - - Rule 1 Type: One-to-One
Local IP:
Global IP:
Press ENTER to Confirm or ESC to Cancel: |
Rule 2 Setup: Select One-to-One type to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2.
Menu 15.1.1.2 - - Rule 2 Type: One-to-One
Local IP:
Global IP:
Press ENTER to Confirm or ESC to Cancel: |
Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3.
Menu 15.1.1.3 - - Rule 3 Type: Many-to-One
Local IP:
Global IP:
Press ENTER to Confirm or ESC to Cancel: |
Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3.
Menu 15.1.1.4 - - Rule 4 Type: Server
Local IP:
Global IP:
Press ENTER to Confirm or ESC to Cancel: |
When we have configured all four rules, Menu 15.1.1 should look as follows.
Menu 15.1.1 - Address Mapping Rules
Set Name= Example3
Idx Local Start IP Local End IP Global Start IP Global End IP Type
Press ESC or RETURN to Exit: |
Step 3:
Now we configure all other incoming traffic to go to our web server and mail server from Menu 15.2.2 - NAT Server Setup (not Set 1; Set 1 is used for the SUA Only case).
Menu 15.2.2 - NAT Server Setup
Port # IP Address
Press ENTER to Confirm or ESC to Cancel: |
4. Supporting Non-NAT-Friendly Applications
Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address. The following figure illustrates this.
One rule configured for using the Many-to-Many No Overload mapping type is shown below.
Menu 15.1.1.1 - - Rule 1 Type: Many-to-Many No Overload
Local IP:
Global IP:
Press ENTER to Confirm or ESC to Cancel: |
The three rules configured for using the One-to-One mapping type are shown below.
Menu 15.1.1.1 - - Rule 1 Type: One-to-One
Local IP:
Global IP:
Press ENTER to Confirm or ESC to Cancel: |
Menu 15.1.1.2 - - Rule 2 Type: One-to-One
Local IP:
Global IP:
Press ENTER to Confirm or ESC to Cancel: |
Menu 15.1.1.3 - - Rule 3 Type: One-to-One
Local IP:
Global IP:
Press ENTER to Confirm or ESC to Cancel: |
All contents copyright (c) 2000 ZyXEL Communications Corporation.