United States government. The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.
Identifies command names, keywords, and command options.
italic text Identifies a variable.
value In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --show WWN.
Brocade 5600 vRouter NAT Reference Guide 53-1003718-03
DANGER A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
OEM/Solution Provider for all of your product support needs.
• OEM/Solution Providers are trained and certified by Brocade to support Brocade products.
• Brocade provides backline support for issues that cannot be resolved by the OEM/Solution Provider.
• By sending your feedback to documentation@brocade.com. Provide the publication title, part number, and as much detail as possible, including the topic heading and page number if applicable, as well as your suggestions for improvement.
About This Guide
This guide describes how to configure NAT on the Brocade 5600 vRouter (referred to as a virtual router, vRouter, or router in the guide).
Be aware that, although NAT can minimize the possibility that internal computers make unsafe connections to the external network, it provides no protection to a computer that, for one reason or
• NAT enhances security. IP addresses within a private (internal) network are hidden from the public (external) network. Because an external attacker cannot address an internal host directly, hiding the addresses makes it more difficult to initiate an attack on an internal host. Address hiding is not a substitute for a firewall policy, however, and any internal host that a DNAT rule points at is reachable from outside on the translated address and port.
IP address of the outbound interface. The destination address of return packets is automatically translated back to the IP address of the source host.
NOTE SNAT is performed after the routing decision is made.
Bidirectional NAT is typically used when internal hosts need to initiate sessions with external hosts and external hosts need to initiate sessions with internal hosts. The following figure shows an example of bidirectional NAT.
This rewrite requires that the router modify the Ethernet and the IP headers. For more information about the IPv4 and IPv6 address formats, refer to RFC 6052 (section 2.2).
• Address formats as specified in section 2.2 of RFC 6052.
• Stateful connection tracking and validation (by way of the NPF session table).
• Selective packet filtering of source and destination prefixes on the inbound interface of the IPv6 network.
For example, if you are using DNAT, you should take care not to set up the system to route packets based on particular external addresses. This routing method would not have the expected result
Note that DNAT operates on the packets before the routing decision. This sequence means that routing decisions based on the destination address are made relative to the translated destination address, not the original destination address; refer to the following figure.
On the other hand, routing decisions are made before SNAT. This sequence means that routing decisions based on the source address are made on the original source address, not the translated source address.
NOTE SNAT routing decisions are based on the original source address.
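The ordering described above (DNAT, then the routing decision, then SNAT) is what makes a policy route written against a pre-translation external address silently fail. The following Python model is an added illustration and is not code from the guide or from the vRouter; the interfaces (dp0p1p1 outside, dp0p1p2 inside), the public address 12.34.56.78, the private network 10.0.0.0/24 and the DNAT/SNAT/routing tables are all assumed for the example. It shows a DNAT port-forward to an internal SSH host, a second forward that also rewrites the port (the "multiple instances on different ports" case), outbound masquerading, and why a destination-keyed policy route sees the translated address while a source-keyed one sees the original.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed topology for the model (assumed, not taken from the guide):
# dp0p1p1 is the outbound interface holding the public address 12.34.56.78,
# dp0p1p2 faces the private 10.0.0.0/24 network.
EXTERNAL_IF = "dp0p1p1"
INTERNAL_IF = "dp0p1p2"
EXTERNAL_ADDR = "12.34.56.78"
INTERNAL_NET = ip_network("10.0.0.0/24")

# DNAT table: (original destination, port) -> (new destination, new port).
# Port 22 is handed to an inside SSH host; 8080 is redirected to port 80 on
# a second host, the "multiple instances on different ports" scenario.
DNAT_RULES = {
    (EXTERNAL_ADDR, 22): ("10.0.0.10", 22),
    (EXTERNAL_ADDR, 8080): ("10.0.0.11", 80),
}
# SNAT table: source prefix -> translated source (masquerade to the outbound address).
SNAT_RULES = {INTERNAL_NET: EXTERNAL_ADDR}
# Routing table, longest-prefix match.
ROUTES = {INTERNAL_NET: INTERNAL_IF, ip_network("0.0.0.0/0"): EXTERNAL_IF}


def apply_dnat(p: Packet) -> Packet:
    """Stage 1: rewrite the destination before any routing decision is made."""
    hit = DNAT_RULES.get((p.dst, p.dport))
    return replace(p, dst=hit[0], dport=hit[1]) if hit else p


def lookup_route(dst: str) -> str:
    """Stage 2: longest-prefix match on whatever destination the packet now carries."""
    addr = ip_address(dst)
    best = max((net for net in ROUTES if addr in net), key=lambda net: net.prefixlen)
    return ROUTES[best]


def apply_snat(p: Packet, egress: str) -> Packet:
    """Stage 3: rewrite the source, only on the outbound interface, after routing."""
    if egress != EXTERNAL_IF:
        return p
    for prefix, translated in SNAT_RULES.items():
        if ip_address(p.src) in prefix:
            return replace(p, src=translated)
    return p


def forward(p: Packet):
    """Run the three stages in order; return (egress interface, packet on the wire)."""
    p = apply_dnat(p)
    egress = lookup_route(p.dst)
    return egress, apply_snat(p, egress)


def destination_policy_route_matches(p: Packet, match_dst: str) -> bool:
    """A policy route keyed on destination runs after DNAT, so it compares
    against the translated destination, not the address the client sent to."""
    return apply_dnat(p).dst == match_dst


def source_policy_route_matches(p: Packet, match_net: str) -> bool:
    """A policy route keyed on source runs before SNAT, so it sees the
    original inside address, never the masqueraded one."""
    return ip_address(p.src) in ip_network(match_net)


if __name__ == "__main__":
    inbound = Packet("203.0.113.5", EXTERNAL_ADDR, 22)
    print(forward(inbound))
    # A policy route written for the public address never fires on DNAT traffic:
    print(destination_policy_route_matches(inbound, EXTERNAL_ADDR))
```

The practical check this gives you: if a destination-based policy route for the public address seems to do nothing, confirm whether a DNAT rule has already rewritten that destination by the time the route lookup runs.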
In this scenario, packets are destined for a process within the Brocade vRouter. When firewall rule sets are applied to locally bound packets on an interface, the firewall rules are applied after DNAT (that is, they match on the translated destination address, not on the address the external client sent to); refer to the following figure.
SNAT firewall rules are applied on the original source address.
FIGURE 15 Pass-through SNAT firewall decisions
Scenario 2b: SNAT—Packets originating from the Brocade vRouter
In this scenario, packets originate with a process in the Brocade vRouter. Firewall rule sets are not involved.
The Brocade vRouter allows you to configure SNAT and DNAT rules. To implement bidirectional NAT, you define a NAT rule for SNAT and one for DNAT. The following example shows how to define a SNAT rule, rule 10.
The following example shows how to apply a SNAT rule, rule 10, to TCP protocol packets. Only TCP packets have address translation performed.
Filtering packets by protocol
vyatta@vyatta# set service nat source rule 10 protocol tcp
30 destination address 12.34.56.78
Address conversion: translation addresses
The translation address defines the address conversion that takes place. It specifies the information that is substituted into the packet for the original address.
10.0.0.0 through 10.0.0.3 as the range of destination IP addresses for inbound packets that match its filter criteria.
Substituting a range of destination IP addresses
vyatta@vyatta# set service nat destination rule 50 translation address 10.0.0.0-10.0.0.3
• An internal news server, a Network News Transfer Protocol (NNTP) server, needs to connect to an external news server.
• The external news server accepts connections only from known clients.
• The internal news server does not receive connections from outside the local network.
The following figure shows an example of SNAT in which many different “inside” addresses are dynamically translated to a single “outside” address. In this example, all hosts on the 10.0.0.0/24 subnet show the same source address externally.
For this reason, the mapping can provide more capacity for outbound translations. The following figure shows a large private address space (a /8 network prefix, here represented as three /16 subnets) mapped to a small range of external addresses.
The scenario described in this section is less common. In this scenario, a single test-source device behind the NAT device appears externally to be multiple devices, as shown in the following figure. One application of this scenario might be to test an upstream load-balancing device.
Specifying masquerade as the translation address instructs the system to use the IP address currently assigned to the outbound interface as the translation address. Masquerade NAT rules typically consist of match conditions that contain the following characteristics:
vyatta@vyatta# show service nat source rule 10
    Show the configuration.
 outbound-interface dp0p1p1
 source {
     address 10.0.0.0/24
 }
 translation {
     address masquerade
 }
Destination NAT (one-to-one)
Destination NAT (DNAT) is used when only inbound traffic is expected.
Scenario 2: Packets destined for an internal SSH server
In this scenario, all traffic destined for the SSH port is passed through to a host containing an SSH server, as shown in the following figure.
Another application where DNAT might be used is a scenario in which there are multiple instances (each on a different port) of the server inside a private network. To configure NAT for this particular scenario, perform the following steps in configuration mode.
Bidirectional NAT is simply a combination of source and destination NAT. A typical scenario might use SNAT on the outbound traffic of an entire private network and DNAT for specific internal services (for example, mail or web); refer to the following figure.
FIGURE 24 Bidirectional NAT
10.0.0.0/24 network to the 11.22.33.0/24 network, which maps 10.0.0.1 to 11.22.33.1, 10.0.0.2 to 11.22.33.2, and so on. The networks must be the same size, that is, they must have the same network mask, as shown in the following figure.
vyatta@vyatta# set service nat destination rule 10 inbound-interface dp0p1p1
vyatta@vyatta# set service nat destination rule 10 translation address 10.0.0.0/24
    Use 10.0.0.x as the destination address in incoming packets.
vyatta@vyatta# commit
    Commit the change.
vyatta@vyatta# set service nat source rule 20 translation address masquerade
    Use the primary IP address of the outbound interface as the translation address.
vyatta@vyatta# commit
    Commit the change.
You can do this by using an exclusion rule, as shown in the following figure.
FIGURE 26 Source NAT and VPN
To configure NAT in this way, perform the following steps in configuration mode.
(exclamation mark [!]). The following example shows how to provide the same functionality as in the previous example but use the negation operator instead of the exclude option.
NOTE You can use the negation operator with IP addresses but not with port addresses.
     192.168.0.0/24
 translation {
     address masquerade
 }
This combination of rules does not exclude the 192.168.50.0/24 and 172.16.50.0/24 networks. As previously explained, these NAT rules are evaluated sequentially; when a packet arrives, it is tested
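Because SNAT rules are evaluated in ascending rule number and the first match wins, a masquerade rule numbered below the exclusion rules swallows the VPN traffic before the exclusions are ever consulted. The following Python model is an added illustration and is not code from the guide or from the vRouter. It assumes 203.0.113.1 as the outbound interface address that masquerade resolves to, and builds constructed rule sets for the wrong and the correct ordering, for the same policy written with the negation operator, and for the one-to-one 10.0.0.0/24 to 11.22.33.0/24 mapping described earlier; the rule numbers and networks follow the guide's examples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed address of the outbound interface; "masquerade" resolves to it.
OUTBOUND_ADDR = "203.0.113.1"


@dataclass(frozen=True)
class SnatRule:
    number: int                          # rules are evaluated in ascending number
    source: Optional[str] = None         # prefix; a leading "!" negates the match
    destination: Optional[str] = None    # prefix; a leading "!" negates the match
    exclude: bool = False                # matching packets leave untranslated
    translation: Optional[str] = None    # "masquerade" or a same-size network


def prefix_matches(spec: Optional[str], addr: str) -> bool:
    """An absent filter matches everything; "!prefix" inverts the test."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    inside = ip_address(addr) in ip_network(spec.lstrip("!"))
    return inside != negate


def translate(rule: SnatRule, src: str) -> str:
    """Masquerade to the outbound address, or map one network onto another
    of equal size while keeping the host part (one-to-one NAT)."""
    if rule.translation == "masquerade":
        return OUTBOUND_ADDR
    src_net = ip_network(rule.source)
    dst_net = ip_network(rule.translation)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("one-to-one NAT needs networks of equal size")
    host_part = int(ip_address(src)) - int(src_net.network_address)
    return str(dst_net.network_address + host_part)


def apply_snat(rules, src: str, dst: str) -> str:
    """First matching rule wins; an exclude rule or no match leaves src unchanged."""
    for rule in sorted(rules, key=lambda r: r.number):
        if prefix_matches(rule.source, src) and prefix_matches(rule.destination, dst):
            return src if rule.exclude else translate(rule, src)
    return src


# Constructed rule sets (not the guide's configuration text).
# Wrong: the masquerade rule comes first, matches every packet from the inside
# network, and the exclusions for the two VPN networks are never reached.
WRONG_ORDER = [
    SnatRule(10, source="192.168.0.0/24", translation="masquerade"),
    SnatRule(20, source="192.168.0.0/24", destination="192.168.50.0/24", exclude=True),
    SnatRule(30, source="192.168.0.0/24", destination="172.16.50.0/24", exclude=True),
]
# Right: exclusions first, masquerade last.
CORRECT_ORDER = [
    SnatRule(10, source="192.168.0.0/24", destination="192.168.50.0/24", exclude=True),
    SnatRule(20, source="192.168.0.0/24", destination="172.16.50.0/24", exclude=True),
    SnatRule(30, source="192.168.0.0/24", translation="masquerade"),
]
# The same effect for a single VPN network, written with the negation operator.
NEGATED = [
    SnatRule(10, source="192.168.0.0/24", destination="!192.168.50.0/24", translation="masquerade"),
]
# One-to-one mapping of 10.0.0.0/24 onto 11.22.33.0/24: 10.0.0.2 becomes 11.22.33.2.
ONE_TO_ONE = [SnatRule(10, source="10.0.0.0/24", translation="11.22.33.0/24")]

if __name__ == "__main__":
    for name, rules in [("wrong", WRONG_ORDER), ("correct", CORRECT_ORDER), ("negated", NEGATED)]:
        print(name, "to VPN:", apply_snat(rules, "192.168.0.5", "192.168.50.9"),
              "to Internet:", apply_snat(rules, "192.168.0.5", "198.51.100.7"))
    print("one-to-one:", apply_snat(ONE_TO_ONE, "10.0.0.2", "198.51.100.7"))
```

The check to carry back to a real configuration: list the rules with the show form, and confirm every exclude rule has a lower number than the broad masquerade rule that would otherwise match the same traffic. Note that a single negated destination covers one network only, so for several VPN networks the exclude-rule form is the one that scales.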
    Commit the changes.
vyatta@vyatta# show service nat source rule 200
    Show the NAT configuration.
 outbound-interface dp0s224
 protocol tcp
 source {
     address foo
     port bar
 }
 translation {
     address 20.20.10.0/24
     port http
 }
Clears counters for active NAT rules.
Syntax
clear nat
Command Default
Counters for all NAT rules.
Modes
Operational mode
Usage Guidelines
Use this command to clear counters for active NAT rules.
Use the set form of this command to enable, create, or modify the NAT configuration. Use the delete form of this command to remove NAT configuration and disable NAT on the system. Use the show form of this command to view NAT configuration.
Use the set form of this command to define a NAT rule number. Use the delete form of this command to remove a NAT rule number. Use the show form of this command to view a NAT rule number.
Use the set form of this command to provide a description of a rule. Use the delete form of this command to remove the description of a rule. Use the show form of this command to view the description of a rule.
Use the set form of this command to specify a destination address and port to match a NAT rule (destination filter). Use the delete form of this command to remove a destination filter. Use the show form of this command to view a destination filter.
Use the set form of this command to disable a NAT rule. Use the delete form of this command to return a rule to its enabled state. Use the show form of this command to view a rule.
Use the set form of this command to specify that packets matching this rule are excluded from NAT. Use the delete form of this command to remove an exclusion rule. Use the show form of this command to view an exclusion rule.
Use the set form of this command to specify the data plane interface on which inbound traffic has DNAT rules applied. Use the delete form of this command to remove an inbound interface. Use the show form of this command to view an inbound interface.
Use the delete form of this command to restore the default NAT logging, that is, no log entries are generated for NAT destination translations. Use the show form of this command to view the state of NAT logging.
Use the delete form of this command to remove a protocol from a NAT destination rule. Use the show form of this command to view a protocol for a NAT destination rule.
Use the set form of this command to specify a source address and port to match in a NAT rule (source filter). Use the delete form of this command to remove a source filter. Use the show form of this command to view a source filter.
Use the delete form of this command to remove a translated address, port, or both from a NAT rule. Use the show form of this command to view a translated address, port, or both of a NAT rule.
Use the set form of this command to specify the NAT IPv6-to-IPv4 rule to apply to the IPv6 prefix for the destination. Use the delete form of this command to delete the NAT IPv6-to-IPv4 rule. Use the show form of this command to display the configured NAT IPv6-to-IPv4 rules.
Use the set form of this command to specify the service IPv6-to-IPv4 rule to apply to the inbound interface. Use the delete form of this command to delete the service IPv6-to-IPv4 rule. Use the show form of this command to display the configured IPv6-to-IPv4 rules.
Use the set form of this command to specify the service IPv6-to-IPv4 rule to apply to the source prefix for the destination. Use the delete form of this command to delete the service IPv6-to-IPv4 rule. Use the show form of this command to display the configured IPv6-to-IPv4 rules.
Use the set form of this command to provide a description of a rule. Use the delete form of this command to remove the description of a rule. Use the show form of this command to view the description of a rule.
Use the delete form of this command to remove a destination filter for a NAT source rule. Use the show form of this command to view a destination filter for a NAT source rule.
Use the set form of this command to disable a NAT rule. Use the delete form of this command to return a rule to its enabled state. Use the show form of this command to view a rule.
Use the set form of this command to specify that packets matching this rule are excluded from NAT. Use the delete form of this command to remove an exclusion rule. Use the show form of this command to view an exclusion rule.
Use the delete form of this command to restore the default NAT logging, that is, no log entries are generated for NAT source translations. Use the show form of this command to view the state of NAT logging.
Use the set form of this command to specify the data plane interface on which outbound traffic has SNAT rules applied. Use the delete form of this command to remove an outbound interface. Use the show form of this command to view an outbound interface.
Use the delete form of this command to remove a protocol from a NAT source rule. Use the show form of this command to view a protocol for a NAT source rule.
Use the set form of this command to specify a source address and port to match in a NAT source rule (source filter). Use the delete form of this command to remove a source filter. Use the show form of this command to view a source filter.
Use the delete form of this command to remove a translated address, port, or both from a NAT rule. Use the show form of this command to view a translated address, port, or both of a NAT rule.
SNAT cannot. In SNAT, if the translation space is exhausted, the remaining packets are dropped. The following example shows how to display destination NAT translation information.
vyatta@vyatta:~$ show nat destination translations
Pre-NAT               Post-NAT          Prot   Timeout
172.16.139.100:80     10.0.0.102:80
Defines a group of IP addresses that are referenced in firewall rules. (Refer to the Basic Routing Reference Guide.)
resources group port-group <group-name>
    Defines a group of ports that are referenced in firewall rules. (Refer to the Basic Routing Reference Guide.)
DNS Domain Name System
DSCP Differentiated Services Code Point
DSL Digital Subscriber Line
eBGP external BGP
EBS Amazon Elastic Block Storage
EC2 Amazon Elastic Compute Cloud
EGP Exterior Gateway Protocol
ECMP equal-cost multipath
ESP Encapsulating Security Payload
LLDP Link Layer Discovery Protocol
MAC medium access control
mGRE multipoint GRE
MIB Management Information Base
MLD Multicast Listener Discovery
MLPPP multilink PPP
MRRU maximum received reconstructed unit
MTU maximum transmission unit
NAT Network Address Translation
NBMA Non-Broadcast Multi-Access
ND Neighbor Discovery
RPF Reverse Path Forwarding
RSA Rivest, Shamir, and Adleman
Rx receive
S3 Amazon Simple Storage Service
SLAAC Stateless Address Auto-Configuration
SNMP Simple Network Management Protocol
SMTP Simple Mail Transfer Protocol
SONET Synchronous Optical Network
SPT Shortest Path Tree
UDP User Datagram Protocol
VHD virtual hard disk
VIF virtual interface
VLAN virtual LAN
VPC Amazon virtual private cloud
VPN virtual private network
VRRP Virtual Router Redundancy Protocol
WAN wide area network
WAP wireless access point
WPA Wi-Fi Protected Access