Network Address Translation; Static NAT - Motorola WS5100 Series Migration Guide

Apart from detecting the above attacks, this feature also performs sanity checks on every packet. These
sanity checks can drop a packet if the packet is malformed. A syslog message is generated whenever a
packet is dropped by a sanity check; it states why the packet was dropped along with other packet
details such as the source IP, destination IP, source port, destination port and IP protocol.
Some of the packet corruption types are listed below:
• Multicast source address
• Unknown IP option
• IP TTL zero
• IP fragment overflow length: the last fragment's length would create a packet longer than 65k.
• IP fragment bad length: a non-last fragment's length is not a multiple of 8.
• Overlapping IP fragment IDs: fragment ID collision.
The firewall feature performs stateful packet inspection on every packet forwarded from one subnet to
another. It also applies rate control to the number of sessions that can be created, which helps the
administrator defend against network attacks such as a SYN flood.
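The following is an added example, not code from the WS5100 guide or its firmware. It applies the sanity checks listed above to the IPv4 header fields of a packet, keeps enough per-datagram state to notice a colliding fragment, and formats the syslog-style drop message with the 5-tuple the guide says is reported. The packet dicts, field names, the set of "known" IP options and the message format are assumptions chosen for illustration.

```python
"""
Added example, not code from the WS5100 guide or its firmware: applies the
listed packet sanity checks to IPv4 header fields and formats the drop message.
Packets are plain dicts built inline; field names, the "known option" set and
the message format are assumptions.
"""
import ipaddress
from typing import Optional

MAX_IP_LENGTH = 65535              # largest IPv4 datagram (the guide's "65k")
# Assumed set of recognised option kinds: EOOL, NOP, RR, LSRR, SSRR.
KNOWN_IP_OPTIONS = {0, 1, 7, 131, 137}


class FragmentTracker:
    """Remembers the byte ranges seen for each datagram (keyed by src, dst,
    protocol and IP ID) so a fragment colliding with an earlier one is flagged."""

    def __init__(self) -> None:
        self.ranges: dict = {}

    def overlaps(self, pkt: dict, start: int, end: int) -> bool:
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["id"])
        seen = self.ranges.setdefault(key, [])
        if any(start < e and s < end for s, e in seen):
            return True
        seen.append((start, end))
        return False


def sanity_check(pkt: dict, tracker: Optional[FragmentTracker] = None) -> Optional[str]:
    """Return the drop reason, or None when the packet passes every check."""
    if ipaddress.ip_address(pkt["src"]).is_multicast:
        return "multicast source address"
    for opt in pkt.get("options", []):
        if opt not in KNOWN_IP_OPTIONS:
            return f"unknown IP option {opt}"
    if pkt["ttl"] == 0:
        return "IP TTL zero"
    # Fragment fields as carried on the wire: offset in 8-byte units, MF flag.
    offset = pkt.get("frag_offset", 0) * 8
    more = pkt.get("mf", False)
    payload_len = pkt["total_length"] - pkt["ihl"] * 4
    if more or offset > 0:
        if not more and offset + payload_len > MAX_IP_LENGTH:
            return "IP fragment overflow length"
        if more and payload_len % 8 != 0:
            return "IP fragment bad length"
        if tracker is not None and tracker.overlaps(pkt, offset, offset + payload_len):
            return "overlapping IP fragment"
    return None


def syslog_line(pkt: dict, reason: str) -> str:
    """Drop message carrying the reason and the 5-tuple, as the guide describes."""
    return (f"FIREWALL: packet dropped ({reason}) "
            f"src={pkt['src']}:{pkt.get('sport', '-')} "
            f"dst={pkt['dst']}:{pkt.get('dport', '-')} proto={pkt['proto']}")


def check_and_log(pkt: dict, tracker: Optional[FragmentTracker] = None) -> Optional[str]:
    """Return the syslog line for a dropped packet, or None if it is forwarded."""
    reason = sanity_check(pkt, tracker)
    return None if reason is None else syslog_line(pkt, reason)


def make_packet(**overrides) -> dict:
    """Constructed sample: a valid 60-byte TCP packet, with fields overridden."""
    pkt = {"src": "10.0.0.5", "dst": "10.0.1.7", "proto": 6, "sport": 40000,
           "dport": 443, "ttl": 64, "ihl": 5, "total_length": 60, "id": 1}
    pkt.update(overrides)
    return pkt


if __name__ == "__main__":
    tracker = FragmentTracker()
    samples = [
        make_packet(),
        make_packet(src="224.0.0.1"),
        make_packet(ttl=0),
        make_packet(options=[99]),
        make_packet(mf=False, frag_offset=8190, total_length=120),   # last fragment, too long
        make_packet(mf=True, frag_offset=0, total_length=120),       # 100-byte non-last payload
        make_packet(id=7, mf=True, frag_offset=0, total_length=84),
        make_packet(id=7, mf=False, frag_offset=4, total_length=60), # collides with the one above
    ]
    for p in samples:
        print(check_and_log(p, tracker) or "forwarded")
```

The fragment checks use the wire representation (offset in 8-byte units, the MF flag) so the arithmetic matches what a real header carries; the overlap tracker is the only check that needs state across packets, which is why it is optional.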

10.3 Network Address Translation

Network Address Translation (NAT) allows an organization to present itself to the Internet with far fewer
IP addresses than there are nodes on its internal network. NAT is implemented in a router or firewall; it
converts the private IP address of a machine on the internal network to one or more public IP addresses
for the Internet. It rewrites the packet headers to the new address and keeps track of the translations in
internal tables that it builds. When packets come back from the Internet, NAT uses those tables to perform
the reverse conversion back to the IP address of the client machine.
The WS5100 supports NAT only for non-IPSec packets that are routed by the switch. The following types of
NAT are supported:

• Static NAT

• Port NAT
10.3.1 Static NAT
A Static NAT is created by manually assigning a public address to each internal machine, and that assignment
is used all the time. Static NAT defines a one-to-one mapping between the source or destination IP
address of a packet and the NAT IP address.
If the translation changes the source IP address it is called Source NAT; if it changes the destination IP
address it is called Destination NAT. Specify the following parameters to define a Static NAT:
• IP Address: the source or destination IP address to match, selected by the source or destination keyword.
• IP Protocol type: optional, either TCP or UDP. Valid only for Destination NAT.
• Port No: optional, valid only together with the IP Protocol option and only for Destination NAT.
• NAT IP Address: the replacement source or destination address, selected by the source or destination keyword.
• NAT Port: valid only for Destination NAT.
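As an added example that is not part of the WS5100 guide or its firmware, the following models a Static NAT table built from exactly the parameters listed above: the rule constructor enforces the stated restrictions (protocol, port and NAT port only for Destination NAT, port only with a protocol), forward translation rewrites the matched address, and the reverse lookup maps return traffic back to the internal machine. The packet dicts, field names, first-match rule order and the `ipsec`/`routed` flags are assumptions chosen for illustration.

```python
"""
Added example, not code from the WS5100 guide or its firmware: a static,
one-to-one NAT table built from the Static NAT parameters the guide lists.
Packet dicts, field names and first-match ordering are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class StaticNatRule:
    direction: str                   # "source" or "destination" keyword
    ip_address: str                  # packet address to match
    nat_ip_address: str              # address substituted on a match
    protocol: Optional[str] = None   # "tcp" or "udp"; Destination NAT only
    port: Optional[int] = None       # requires protocol; Destination NAT only
    nat_port: Optional[int] = None   # Destination NAT only

    def __post_init__(self) -> None:
        # Enforce the restrictions stated for each parameter.
        if self.direction not in ("source", "destination"):
            raise ValueError("direction must be 'source' or 'destination'")
        if self.direction == "source" and (self.protocol or self.port or self.nat_port):
            raise ValueError("protocol, port and NAT port are valid only for Destination NAT")
        if self.protocol is not None and self.protocol not in ("tcp", "udp"):
            raise ValueError("IP protocol type must be tcp or udp")
        if self.port is not None and self.protocol is None:
            raise ValueError("Port No is valid only with the IP Protocol option")


class StaticNat:
    def __init__(self, rules: Iterable[StaticNatRule]) -> None:
        self.rules = list(rules)

    def _matches(self, rule: StaticNatRule, pkt: dict) -> bool:
        field = "src" if rule.direction == "source" else "dst"
        if pkt[field] != rule.ip_address:
            return False
        if rule.protocol is not None and pkt.get("proto") != rule.protocol:
            return False
        if rule.port is not None and pkt.get("dport") != rule.port:
            return False
        return True

    def translate(self, pkt: dict, ipsec: bool = False, routed: bool = True) -> dict:
        """Forward direction: rewrite the matched source or destination address."""
        out = dict(pkt)
        if ipsec or not routed:          # NAT applies only to routed, non-IPSec packets
            return out
        for rule in self.rules:          # first matching rule wins (assumption)
            if not self._matches(rule, pkt):
                continue
            if rule.direction == "source":
                out["src"] = rule.nat_ip_address
            else:
                out["dst"] = rule.nat_ip_address
                if rule.nat_port is not None:
                    out["dport"] = rule.nat_port
            return out
        return out

    def reverse(self, pkt: dict) -> dict:
        """Return direction: undo the one-to-one mapping for reply packets."""
        out = dict(pkt)
        for rule in self.rules:
            if rule.direction == "source" and pkt["dst"] == rule.nat_ip_address:
                out["dst"] = rule.ip_address
                return out
            if rule.direction == "destination" and pkt["src"] == rule.nat_ip_address:
                if rule.protocol is not None and pkt.get("proto") != rule.protocol:
                    continue
                if rule.nat_port is not None and pkt.get("sport") != rule.nat_port:
                    continue
                out["src"] = rule.ip_address
                if rule.port is not None:
                    out["sport"] = rule.port
                return out
        return out


if __name__ == "__main__":
    # Constructed rules: one Source NAT, one Destination NAT with port rewrite.
    nat = StaticNat([
        StaticNatRule("source", "192.168.1.10", "203.0.113.10"),
        StaticNatRule("destination", "203.0.113.20", "192.168.1.20",
                      protocol="tcp", port=8080, nat_port=80),
    ])
    outbound = {"src": "192.168.1.10", "dst": "198.51.100.5", "proto": "tcp",
                "sport": 40000, "dport": 443}
    print(nat.translate(outbound))
    inbound = {"src": "198.51.100.9", "dst": "203.0.113.20", "proto": "tcp",
               "sport": 5000, "dport": 8080}
    print(nat.translate(inbound))
```

Because the mapping is static and one-to-one, the reverse lookup needs no per-session state: the rule list itself is the table the guide describes, which is the practical difference from Port NAT, where return traffic can only be matched through dynamically built session entries.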