Black Box LR1102A-T1/E1 User Manual – Packet Reassembly, NAT Configurations, NAT Configuration Examples

Black Box LR11xx Series Router Configurations Guide

10.2.2 Packet Reassembly

To configure the firewall to perform IP reassembly of oversized packets that have been fragmented, enter:

    Blackbox> config term
    Blackbox/configure> firewall global
    Blackbox/configure/firewall global> ip-reassembly
    Blackbox/configure/firewall global/ip-reassembly> fragment-count 100
    Blackbox/configure/firewall global/ip-reassembly> fragment-size 56
    Blackbox/configure/firewall global/ip-reassembly> packet-size 2048
    Blackbox/configure/firewall global/ip-reassembly> timeout 20

10.3 NAT Configurations

Network Address Translation (NAT) was defined to serve two purposes:

• Allow LAN administrators to create secure, private, non-routable IP networks behind firewalls

• Stretch the number of available IP addresses by allowing a LAN to use one public (real) IP address as the gateway, with a very large pool of NAT addresses behind it

In the most common NAT application (providing secure networking behind a firewall), the device (the Black Box system) that connects the user LAN to the Internet has two IP addresses:

• A private IP address on the LAN side, taken from the RFC 1918 address range

• A public address, routable over the Internet, on the WAN side

Consider a PC on the LAN sending a packet destined for some.server.com. The source IP address and port are carried in the packet together with the destination IP address and port. When the packet arrives at the Black Box system it is de-encapsulated, modified, and re-encapsulated. The re-encapsulated packet that the Black Box system sends toward the Internet contains the Black Box system's public IP address, a source port allocated from its list of available ports, and the same destination IP address and port number that the PC generated. The Black Box system also adds an entry to a table it keeps, which maps the internal address and source port number generated by the PC against the port number it allocated to this session. Therefore, when some.server.com sends a reply packet to the PC, the Black Box system can quickly determine how to rewrite the packet before transmitting it back onto the LAN.

Dynamic NAT is used when packets destined for the Internet leave the LAN using the public source IP address assigned to the local router. Dynamic NAT performs this task well, but it does not allow services inside the LAN to be offered to the Internet; that requires static NAT. Static NAT also requires a public address from the upstream service provider. Individual PCs within the LAN are assigned RFC 1918 reserved IP addresses so that they can reach other PCs within the LAN. The Black Box system is configured with a static mapping that maps the internal RFC 1918 IP address of each PC to the appropriate public IP address. When traffic is sent to a public address listed in the static mapping, the Black Box system forwards the packets to the correct PC within the LAN according to that mapping.

10.4 NAT Configuration Examples
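The translation table behaviour described in section 10.3 (dynamic NAT allocating a public port per session, static NAT mapping a public address one-to-one to a LAN host, and unsolicited inbound traffic with no table entry being dropped), as an added Python model. This is an illustration written for this page, not Black Box firmware or CLI code; the `NatGateway` class, `Packet` type and all addresses and ports are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal IP/transport header view: the four fields NAT rewrites or keys on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Toy NAT device with one public WAN address and a pool of allocatable ports."""

    def __init__(self, public_ip, port_pool, static_map=None):
        self.public_ip = public_ip
        self.free_ports = list(port_pool)          # ports not yet allocated to a session
        self.sessions = {}                         # allocated public port -> (lan_ip, lan_port)
        self.static = dict(static_map or {})       # public IP -> LAN IP (one-to-one static NAT)
        self.static_rev = {lan: pub for pub, lan in self.static.items()}

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to a public address (and allocated port)."""
        if pkt.src_ip in self.static_rev:          # static NAT: address swapped, port untouched
            return Packet(self.static_rev[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port)
        for pub_port, lan_side in self.sessions.items():
            if lan_side == key:                    # existing session: reuse its table entry
                break
        else:
            if not self.free_ports:
                raise RuntimeError("port pool exhausted")
            pub_port = self.free_ports.pop(0)      # dynamic NAT: allocate a fresh public port
            self.sessions[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: rewrite the destination back, or return None to drop."""
        if pkt.dst_ip in self.static:              # published host: always forwarded
            return Packet(pkt.src_ip, pkt.src_port, self.static[pkt.dst_ip], pkt.dst_port)
        if pkt.dst_ip == self.public_ip and pkt.dst_port in self.sessions:
            lan_ip, lan_port = self.sessions[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        return None                                # no table entry: unsolicited, dropped
```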
