Lucent Technologies SLC ConnectReach User & Service Manual page 517


$SSHQGL[ (
Configuring IP Packet Filters to Bypass
NAT
Introduction
Procedure
If you need to bypass the NAT module from an IP host or from all hosts on a
network, you can use the following procedures. The filters can be used on both
source and destination IP addresses.
In order for host A to bypass the NAT module to host B, and vice versa, where
host A is located on the WAN side of the SLC ConnectReach system, and host B
is located on the LAN side of the SLC ConnectReach system, take these steps:
1. To navigate to IP Packet Filter Group configuration, enter the
configuration and IPFirewall commands, and, for the Inbound Firewall
Group, enter INFilterGroup.
2. At the config:IPFirewall:INFilterGroup prompt, enter the following
1 deny dst B 255.255.255.255 src A 255.255.255.255 NAT
3. Exit the INFilterGroup menu, enter the OUTFilterGroup command, then
enter
1 deny dst A 255.255.255.255 src B 255.255.255.255 NAT
In order for all hosts on network A to bypass the NAT module if destined for all
hosts on Network B (and vice versa), assuming that network A is on the WAN side
of the SLC ConnectReach system, and network B is on the LAN side of the SLC
ConnectReach system, take these steps:
Step Procedure
1 To navigate to IP Packet Filter Group configuration, enter the
configuration and IPFirewall commands, and, for the Inbound Firewall
Group, enter INFilterGroup.
2 At the config:IPFirewall:INFilterGroup prompt, enter the following
1 deny dst netB maskB src netA maskA NAT
3 Exit the INFilterGroup menu, enter the OUTFilterGroup command, then
enter
1 deny dst netA maskA src netB maskB NAT
NOTE:
The SLC ConnectReach system has 64 filters in both OUT and IN
Filter Groups. The first filter has the highest priority. Therefore, it is
best to use the last filters for 'deny...NAT' commands. Keep in
mind, however, that higher priority filters can cancel those below
them in the order.
-XQH 
F-11
Issue 4