Amer Networks E5Web GUI User Manual

is reached then an existing state with the longest idle time is replaced. If all states in the table is
active then the new connection is dropped. As a rule of thumb, the Max States value should be at
least the number of local hosts or clients that will connect to the Internet.

There is only one state table per NAT Pool so that if a single NAT Pool is re-used in multiple NAT
IP rules they share the same state table.

Stateless NAT Pools

The Stateless option means that no state table is maintained and the external IP address chosen
for each new connection is the one that has the least connections already allocated to it. This
means two connections between one internal host to the same external host may use two
different external IP addresses.

The advantage of a Stateless NAT Pool is that there is good spreading of new connections
between external IP addresses with no requirement for memory allocated to a state table and
there is less processing time involved in setting up each new connection. The disadvantage is
that it is not suitable for communication that requires a constant external IP address.

Fixed NAT Pools

The Fixed option means that each internal client or host is allocated one of the external IP
addresses through a hashing algorithm. Although the administrator has no control over which of
the external connections will be used, this scheme ensures that a particular internal client or host
will always communicate through the same external IP address.

The Fixed option has the advantage of not requiring memory for a state table and providing very
fast processing for new connection establishment. Although explicit load balancing is not part of
this option, there should be spreading of the load across the external connections due to the
random nature of the allocating algorithm.

IP Pool Usage

When allocating external IP addresses to a NAT Pool it is not necessary to explicitly state these.
Instead a cOS Core IP Pool object can be selected. IP Pools gather collections of IP addresses
automatically through DHCP and can therefore supply external IP addresses automatically to a
NAT Pool. See Section 5.4, “IP Pools” for more details about this topic.

Proxy ARP Usage

Where an external router sends ARP queries to the Clavister Security Gateway to resolve external
IP addresses included in a NAT Pool, cOS Core will need to send the correct ARP replies for this
resolution to take place through its Proxy ARP mechanism so the external router can correctly
build its routing table.

By default, the administrator must specify in NAT Pool setup which interfaces will be used by NAT
pools. The option exists however to enable Proxy ARP for a NAT Pool on all interfaces but this can
cause problems sometimes by possibly creating routes to interfaces on which packets should not
arrive. It is therefore recommended that the interface(s) to be used for the NAT Pool Proxy ARP
mechanism are explicitly specified.

Using NAT Pools

NAT Pools are used in conjunction with a normal NAT IP rule. When defining a NAT rule, the
dialog includes the option to select a NAT Pool to use with the rule. This association brings the
NAT Pool into use.

Chapter 7: Address Translation

499