Overriding NAT Configuration

Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit. This enables mapping one IP address to another to protect wireless controller, service platform or Access Point managed network address credentials. With typical deployments, NAT is used as an IP masquerading technique to hide private IP addresses behind a single, public facing, IP address.

Additionally, NAT is a process of modifying network address information in IP packet headers while in transit across a traffic routing device for the purpose of remapping one IP address to another. In most deployments NAT is used in conjunction with IP masquerading which hides RFC1918 private IP addresses behind a single public IP address.

NAT can provide a profile with outbound internet access for wired and wireless hosts connected to a controller, service platform or Access Point. Many-to-one NAT is the most common NAT technique for outbound internet access. Many-to-one NAT allows a controller, service platform or Access Point to translate one or more internal private IP addresses to a single, public facing, IP address assigned to a 10/100/1000 Ethernet port or 3G card.

To define or override a NAT configuration that can be applied to a profile:

  1. Select Configuration > Devices from the web UI.
    The Device Configuration screen displays a list of managed devices or peer controllers, service platforms, or access points.
  2. Select Profile Overrides > Security.
  3. Select NAT.
    The NAT Pool screen displays by default. The NAT Pool screen lists the NAT policies that have been created thus far. Any of these policies can be selected and applied to a profile.
    Note

    A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click Clear Overrides. This removes all overrides from the device.
  4. Click Add to create a new NAT policy that can be applied to a profile.
    Click Edit to modify or override the attributes of an existing policy, or click Delete to remove obsolete NAT policies from the list of those available to a profile.
  5. If you are adding a new NAT policy or editing the configuration of an existing policy, define the following parameters:
    Name If you are adding a new NAT policy, provide a name to help distinguish it from others with similar configurations. The length cannot exceed 64 characters.
    IP Address Range Define a range of IP addresses that are hidden from the public internet. NAT modifies network address information in the defined IP range while in transit across a traffic routing device. NAT only provides IP address translation and does not provide a firewall. A branch deployment with NAT by itself will not block traffic from potentially being routed through a NAT device. Consequently, NAT should be deployed with a stateful firewall.
  6. Click + Add Row as needed to append additional rows to the IP Address Range table.
  7. Click OK to save the changes made to the profile's NAT pool configuration.
    Click Reset to revert to the last saved configuration.
  8. Select the Static NAT tab.
    The Source tab displays by default and lists existing static NAT configurations. Existing static NAT configurations are not editable, but new configurations can be added or existing ones deleted as they become obsolete.

    Static NAT creates a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a web server on a perimeter interface with the internet, use static address translation to map the actual address to a registered IP address. Static address translation hides the actual address of the server from users on insecure interfaces. Casual access by unauthorized users becomes much more difficult. Static NAT requires a dedicated address on the outside network for each host.

  9. Select + Add Row to create a new static NAT configuration.
  10. Define the following Source NAT parameters:
    Source IP Enter the address used at the (internal) end of the static NAT configuration. This address (once translated) will not be exposed to the outside world when the translation address is used to interact with the remote destination.
    NAT IP Enter the IP address that the matching packet's address is translated to. The address modified can be either the source or the destination address, based on the direction specified.
    Network Select Inside or Outside NAT as the network direction. Inside NAT is the default setting.

    Select Inside to create a permanent, one-to-one mapping between an address on an internal network and a perimeter or external network. To share a web server on a perimeter interface with the internet, use static address translation to map the actual address to a registered IP address. Static address translation hides the actual address of the server from users on insecure interfaces. Casual access by unauthorized users becomes much more difficult. Static NAT requires a dedicated address on the outside network for each host.

  11. Select the Destination tab to view destination NAT configurations and to define the way in which packets passing through the NAT on the way back to the LAN are searched against the records kept by the NAT engine.
    The destination IP address is changed back to the specific internal private class IP address to reach the LAN over the network.
  12. Click Add to create a new NAT destination configuration, or click Delete to permanently remove a NAT destination.
    Existing NAT destination configurations cannot be edited.
  13. Set or override the following destination configuration parameters.

    Protocol Select the protocol for use with static translation. Available options are TCP, UDP, and Any. The default setting is Any.

    TCP is a transport layer protocol used by applications requiring guaranteed delivery. It is a sliding window protocol handling both timeouts and retransmissions. TCP establishes a full duplex virtual connection between two endpoints. Each endpoint is defined by an IP address and a TCP port number.

    The User Datagram Protocol (UDP) offers only a minimal transport service, non-guaranteed datagram delivery, and provides applications direct access to the datagram service of the IP layer. UDP is used by applications that do not require the level of service of TCP, or that use communications services (multicast or broadcast delivery) not available from TCP.

    Destination IP Enter the local address used at the (source) end of the static NAT configuration. This address (once translated) will not be exposed to the outside world when the translation address is used to interact with the remote destination.
    Destination Port Set the local port number used at the (source) end of the static NAT configuration. The default value is port 1.
    NAT IP Enter the IP address that the matching packet's address is translated to. The address modified can be either the source or the destination address, based on the direction specified.
    NAT Port Enter the port number that the matching packet's port is translated to. This option is valid only if the direction specified is destination.
    Network Select Inside or Outside NAT as the network direction. Inside is the default setting.
  14. Click OK to save the changes made to the static NAT configuration.
    Click Reset to revert to the last saved configuration.
  15. Select the Dynamic NAT tab.

    Dynamic NAT configurations translate the IP address of packets going out from one interface to another interface based on configured conditions. Dynamic NAT requires packets be switched through a NAT router to generate translations in the translation table.

  16. Refer to the following to determine whether a new dynamic NAT configuration needs to be created, or whether an existing one can be edited or deleted:
    Source List ACL Lists an ACL to define the packet selection criteria for the NAT configuration. NAT is applied only on packets which match a rule defined in the access-list. These addresses (once translated) are not exposed to the outside world when the translation address is used to interact with the remote destination.
    Network Displays Inside or Outside NAT as the network direction for the dynamic NAT configuration.
    Interface Lists the VLAN (from 1 - 4094) used as the communication medium between the source and destination points within the NAT configuration.
    Overload Type Displays the overload type used when several internal addresses are NATed to only one or a few external addresses. Options include NAT Pool, One Global Address, and Interface IP Address. Interface IP Address is the default setting.
    NAT Pool Displays the name of an existing NAT pool used with the dynamic NAT configuration.
    Overload IP If One Global IP Address is selected as the Overload Type, define an IP address to use as a filter address for the IP ACL rule.
    ACL Precedence Lists the administrator-assigned priority set for the listed source list ACL. The lower the value listed, the higher the priority assigned to this ACL rule.
  17. Click Add to create a new dynamic NAT configuration, Edit to modify or override an existing configuration, or Delete to permanently remove a configuration.
  18. Set or override the following to define the Dynamic NAT configuration:
    Source List ACL Select an ACL name to define the packet selection criteria for NAT. NAT is applied only on packets which match a rule defined in the access-list. These addresses (once translated) will not be exposed to the outside world when the translation address is used to interact with the remote destination.
    Network Select Inside or Outside NAT as the network direction for the dynamic NAT configuration. Inside is the default setting.
    ACL Precedence Set the priority (from 1 - 5000) for the source list ACL. The lower the value, the higher the priority assigned to the ACL rule.
    Interface Select the VLAN (from 1 - 4094) or WWAN used as the communication medium between the source and destination points within the NAT configuration. Ensure that the VLAN selected adequately supports the intended network traffic within the NAT supported configuration. VLAN1 is available by default.
    Overload Type Define the overload type used when several internal addresses are NATed to only one or a few external addresses. Options include NAT Pool, One Global Address, and Interface IP Address. Interface IP Address is the default setting.
    NAT Pool Provide the name of an existing NAT pool for use with the dynamic NAT configuration.
    Overload IP If One Global IP Address is selected as the Overload Type, define an IP address to use as a filter address for the IP ACL rule.
  19. Click OK to save the changes made to the dynamic NAT configuration.
    Click Reset to revert to the last saved configuration.
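The following is an added illustration, not code from the product or this documentation, of the three behaviours the steps above configure: a static one-to-one inside mapping (steps 8-14), a dynamic rule selected by a source-list ACL and overloaded onto the Interface IP Address (steps 15-19), and the translation-table lookup that returns reply packets to the LAN host (step 11). The `NatEngine` class and all addresses are constructed for the example; the reverse lookup also shows why NAT alone is not a firewall, as noted under IP Address Range.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed toy model of NAT behaviour (not the controller's implementation).
# Addresses used in the tests are documentation/sample ranges, not a real site.

@dataclass
class NatEngine:
    interface_ip: str                              # public address used for overload
    acl: list                                      # source-list ACL: permitted private networks
    static: dict = field(default_factory=dict)     # private IP -> public NAT IP (static NAT)
    table: dict = field(default_factory=dict)      # (public ip, port) -> (private ip, port)
    next_port: int = 40000                         # constructed ephemeral port range

    def acl_permits(self, src_ip):
        """True if the source address matches a rule in the source-list ACL."""
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.acl)

    def outbound(self, src_ip, src_port):
        """Translate a packet leaving the LAN; returns (public ip, port) or None."""
        if src_ip in self.static:                  # static NAT: address only, port unchanged
            public = (self.static[src_ip], src_port)
        elif self.acl_permits(src_ip):             # dynamic NAT: many-to-one on interface IP
            public = (self.interface_ip, self.next_port)
            self.next_port += 1
        else:
            return None                            # no ACL match: packet is not translated
        self.table[public] = (src_ip, src_port)    # record for the return path
        return public

    def inbound(self, dst_ip, dst_port):
        """Map a packet arriving from outside back to the private host, or None."""
        if (dst_ip, dst_port) in self.table:        # reply to an existing translation
            return self.table[(dst_ip, dst_port)]
        for private, public in self.static.items():
            if public == dst_ip:                    # static NAT admits unsolicited traffic:
                return (private, dst_port)          # only a stateful firewall would block it
        return None
```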