One-To-One NAT; Colubris Intercept - Colubris Networks CN3000 Administrator's Manual

Chapter 2 - How it works
Important: If you use NAT to enable a secure (HTTPS) Web server on the internal
network, remote access to the management tool will no longer be possible, as all
incoming HTTPS requests will be routed to the internal Web server and not the
management tool.
Important: If you create a static mapping, the firewall is automatically opened to accept
the traffic. However, this firewall rule will not be visible on the Firewall configuration
page.
The following table indicates how some common applications are affected by NAT.

Application          NAT
FTP (passive mode)   Mapping required
FTP (active mode)    Mapping required
Telnet               Mapping required
Windows networking   No effect
NetMeeting           Mapping required

Most Web browsers execute FTP in active mode. Some browsers provide a
configuration option that enables you to alter this. For example, in Internet Explorer
choose Internet options on the Tools menu, click the Advanced tab, and then under
Browsing enable Use Passive FTP for compatibility with some firewalls and DSL
modems.
The CN3000 provides a list of preset settings for many commonly used applications.

One-to-one NAT

In its default configuration, NAT translates all internal IP addresses to a single external
one. This means that all client station sessions to an external resource appear to
originate from the same IP address. Certain applications do not allow multiple
connections from the same IP address, or impose a limit. For example, some PPTP
servers require a unique IP address for each client station.
To resolve this problem, the CN3000 allows you to assign multiple IP addresses to the
Internet port and use them to distinguish outgoing NAT traffic for customers making
VPN connections.

How it works

One-to-one NAT functions as follows:
• Define alternate static addresses for the Internet port on the Network > Ports >
  Internet Port > Static page. These addresses must be valid on the Internet.
• Define the attribute "one-to-one-nat" in the RADIUS account for each customer that
  requires a unique IP address. Or define the "default-user-one-to-one-nat" attribute in
  the RADIUS account for the CN3000. See "Default user one-to-one NAT" on page 162
  and "One-to-one NAT" on page 169 for details.
• When a customer with one-to-one NAT support logs into the public access interface
  and establishes a VPN session, the CN3000 reserves the next available alternate IP
  address for that customer. If all alternate IP addresses are in use, or none have been
  defined, then the default IP address of the Internet port is used.

The address is reserved for as long as the customer is logged in and using a VPN
connection. Therefore, you need to define enough alternate IP addresses to support
the maximum number of active VPN sessions you expect to have at any one time.

Colubris intercept

When the Colubris-Intercept attribute is active for a customer, the CN3200 will return the
NAT port range that the customer's traffic is being sent/received on. This applies to TCP
and UDP traffic only.
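The one-to-one NAT reservation rules described above, modelled in Python to check pool sizing and to show when a customer falls back to the shared default address. This is an added example, not Colubris code: the class, function and customer names are hypothetical, the addresses are constructed from the documentation range 203.0.113.0/24, and "next available" is assumed to mean the first free address in configured order.

```python
# Model of the manual's one-to-one NAT reservation rules (added example).
# Names are hypothetical; addresses are constructed (203.0.113.0/24).

class OneToOneNatPool:
    def __init__(self, default_ip, alternate_ips):
        self.default_ip = default_ip            # Internet port's default address
        self.alternates = list(alternate_ips)   # alternate static addresses
        self.reserved = {}                      # customer -> reserved alternate

    def vpn_session_start(self, customer, one_to_one_nat=True):
        """Return the source address this customer's VPN traffic is NATed to."""
        if not one_to_one_nat:                  # RADIUS attribute not set
            return self.default_ip
        if customer in self.reserved:           # held while logged in with a VPN
            return self.reserved[customer]
        in_use = set(self.reserved.values())
        for ip in self.alternates:              # assumption: first free, in order
            if ip not in in_use:
                self.reserved[customer] = ip
                return ip
        return self.default_ip                  # all in use, or none defined

    def logout(self, customer):
        """Release the customer's reservation, if any."""
        self.reserved.pop(customer, None)


def peak_shortfall(events, pool_size):
    """Count sessions that would share the default address at peak load.

    events: iterable of (customer, "start" | "stop") in time order.
    """
    active, peak = set(), 0
    for customer, action in events:
        if action == "start":
            active.add(customer)
        else:
            active.discard(customer)
        peak = max(peak, len(active))
    return max(0, peak - pool_size)


def demo():
    pool = OneToOneNatPool("203.0.113.10", ["203.0.113.11", "203.0.113.12"])
    seen = {c: pool.vpn_session_start(c) for c in ("alice", "bob", "carol")}
    pool.logout("alice")                        # frees 203.0.113.11
    seen["dave"] = pool.vpn_session_start("dave")
    return seen
```

A non-zero result from `peak_shortfall` means some VPN sessions will leave from the default address alongside all other NAT traffic, which is the condition the unique-address requirement is meant to avoid.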
