Support for special protocols, NAT multiple-instance, Low-priority address pool – H3C Technologies H3C SecBlade FW Cards User Manual
Support for special protocols
Besides basic address translation, NAT also provides an application layer gateway (ALG)
mechanism that supports address/port translation for certain special application protocols whose
messages themselves carry IP addresses or port numbers (those embedded addresses and ports must also
be translated). The ALG handles them without requiring the NAT platform itself to be modified, so the
mechanism scales well.
The special protocols that NAT supports include: File Transfer Protocol (FTP), Point-to-Point Tunneling
Protocol (PPTP), Internet Control Message Protocol (ICMP), Domain Name System (DNS), Internet Locator
Service (ILS), Real-Time Streaming Protocol (RTSP), H.323, Session Initiation Protocol (SIP), Netmeeting
3.01, and NetBIOS over TCP/IP (NBT).
NOTE:
The firewall supports FTP and DNS.
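To make the ALG idea concrete, here is an added example of the FTP case (this is illustrative code, not H3C's implementation): active-mode FTP sends a PORT command on the control connection that embeds the client's private address and port, so a plain address-translating NAT would leave the server trying to connect back to an unreachable private endpoint. The ALG below parses that command, rewrites the embedded endpoint to a public one, and reserves the matching mapping so the server's inbound data connection can be translated back. The class name `FtpAlg`, the starting port 20000 and all addresses are constructed sample values.

```python
import re

# Added example: a minimal FTP ALG for active-mode transfers. It parses the
# "PORT h1,h2,h3,h4,p1,p2" command an internal client sends on the control
# connection, replaces the embedded private address/port with a public one,
# and records the mapping so the server's inbound data connection can be
# translated back. All addresses below are constructed sample values.

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def parse_port_command(line):
    """Return (ip, port) carried by an FTP PORT command, or None if the line
    is not a well-formed PORT command (other commands pass through the ALG)."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(v) for v in m.groups()]
    if any(v > 255 for v in fields):
        return None  # malformed octet or port byte: do not rewrite it
    ip = ".".join(str(v) for v in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def format_port_command(ip, port):
    """Encode ip:port in the comma-separated form the PORT command expects."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


class FtpAlg:
    """Hypothetical ALG object owned by one NAT gateway (constructed, not H3C code)."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_ip, public_port) -> (private_ip, private_port) of the data connection
        self.data_mappings = {}

    def translate_outbound(self, line):
        """Rewrite a client->server control-channel line; non-PORT lines are unchanged."""
        parsed = parse_port_command(line)
        if parsed is None:
            return line
        private_ip, private_port = parsed
        public_port = self.next_port
        self.next_port += 1
        self.data_mappings[(self.public_ip, public_port)] = (private_ip, private_port)
        return format_port_command(self.public_ip, public_port)

    def translate_inbound_connect(self, dst_ip, dst_port):
        """Map the server's inbound data connection back to the private endpoint,
        or None if no PORT command reserved that public port."""
        return self.data_mappings.get((dst_ip, dst_port))


if __name__ == "__main__":
    alg = FtpAlg("202.110.10.20")
    print(alg.translate_outbound("PORT 10,110,1,1,4,1\r\n").strip())
    print(alg.translate_inbound_connect("202.110.10.20", 20000))
```

Two details worth noticing: a malformed PORT line (an octet above 255) is passed through untouched rather than rewritten, and, because the rewritten line can differ in length from the original, a real ALG on a TCP control connection must also adjust sequence and acknowledgement numbers, which this example leaves out.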
NAT multiple-instance
This feature allows users from different VPNs to access external networks through the same outbound
interface. It also allows them to have the same internal address. NAT multiple-instance operates as
follows:
When a VPN host sends a packet to a public host, NAT replaces its private source IP address and port
number with a public IP address and port number, and records the NAT entry together with the relevant VPN
information, such as the protocol type and route distinguisher (RD). When a response packet arrives, the
NAT gateway translates its public destination IP address and port number back to the private ones and sends
it to the VPN host. Both NAT and NAPT support multiple-instance.
NAT also supports internal server multiple-instance to allow external users to access VPN hosts. For
example, in VPN 1, a Web server has a private address of 10.110.1.1. You can assign public IP address
202.110.10.20 to the server on the NAT device so that Internet hosts can access it.
Low-priority address pool
An address pool is a set of consecutive public IP addresses. A NAT gateway selects addresses from the
address pool and uses them as the translated source addresses.
When two devices in a stateful failover implementation carry out NAT, identical address pools must be
configured on both devices, helping ensure that service traffic is successfully taken over by the other
device if one device fails. However, if the devices select the same IP addresses from their address pool
and assign them the same port numbers, reverse sessions on the two devices are the same. As a result,
session data cannot be backed up between the devices.
To solve the problem, the low-priority address pool attribute is introduced to NAT. You can configure
address pools on the two devices to have different priorities. For example, suppose that two address
pools, 100.0.0.1 through 100.0.0.5 (A) and 100.0.0.6 through 100.0.0.10 (B), are configured on the
two devices. You can configure A as the low-priority address pool on one device and configure B as the
low-priority address pool on the other device. Because addresses in the low-priority address pool are not
selected by NAT, the two devices use different addresses as translated source addresses, and thus
session data can be backed up successfully.
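The following added example (illustrative code, not H3C's implementation) models both the NAT multiple-instance entry described earlier and the low-priority address pool rule described in this section. NAT entries are keyed by the VPN's route distinguisher, so two hosts in different VPNs can share the private address 10.110.1.1 and still be told apart by their reverse sessions; and `failover_demo` shows two stateful-failover devices with identical pools A and B translating the same session, first without the low-priority attribute (both pick the same public address and port, so their reverse sessions collide) and then with it (they pick disjoint addresses). The RD values such as `100:1`, the class names and the port numbering are constructed assumptions.

```python
from ipaddress import IPv4Address

# Added example (not H3C code): a NAPT model whose entries carry the VPN
# route distinguisher (RD), so hosts in different VPNs may share a private
# address, plus the low-priority address pool rule from the text: addresses
# in a low-priority pool are skipped when picking a translated source address.
# RDs, addresses and ports below are constructed sample values.


class AddressPool:
    """A consecutive range of public IPv4 addresses, optionally low priority."""

    def __init__(self, first, last, low_priority=False):
        self.first = IPv4Address(first)
        self.last = IPv4Address(last)
        self.low_priority = low_priority

    def addresses(self):
        addr = self.first
        while addr <= self.last:
            yield str(addr)
            addr += 1


class NatGateway:
    def __init__(self, pools, first_port=1024):
        self.pools = pools
        self.next_port = first_port
        # forward entry: (rd, proto, priv_ip, priv_port) -> (pub_ip, pub_port)
        self.forward = {}
        # reverse session: (proto, pub_ip, pub_port) -> (rd, priv_ip, priv_port)
        self.reverse = {}

    def _select_public_ip(self):
        # Low-priority pools are skipped, as the text describes.
        usable = [a for p in self.pools if not p.low_priority for a in p.addresses()]
        if not usable:
            raise RuntimeError("no address pool with normal priority")
        load = {ip: 0 for ip in usable}
        for _, pub_ip, _ in self.reverse:
            if pub_ip in load:
                load[pub_ip] += 1
        return min(usable, key=load.__getitem__)  # least-used address, first on ties

    def translate(self, rd, proto, priv_ip, priv_port):
        """Outbound packet: replace the private source with a public one and record
        the entry under the VPN's RD. Returns the translated (pub_ip, pub_port)."""
        key = (rd, proto, priv_ip, priv_port)
        if key not in self.forward:
            pub = (self._select_public_ip(), self.next_port)
            self.next_port += 1
            self.forward[key] = pub
            self.reverse[(proto,) + pub] = (rd, priv_ip, priv_port)
        return self.forward[key]

    def untranslate(self, proto, pub_ip, pub_port):
        """Response packet: recover (rd, priv_ip, priv_port) so it reaches the right VPN."""
        return self.reverse.get((proto, pub_ip, pub_port))


def reverse_collisions(gw1, gw2):
    """Reverse-session keys present on both devices; non-empty means backup would clash."""
    return set(gw1.reverse) & set(gw2.reverse)


def multi_instance_demo():
    gw = NatGateway([AddressPool("202.110.10.20", "202.110.10.20")])
    vpn1 = gw.translate("100:1", "tcp", "10.110.1.1", 5000)
    vpn2 = gw.translate("100:2", "tcp", "10.110.1.1", 5000)  # same private address, other VPN
    return vpn1, vpn2, gw.untranslate("tcp", *vpn1), gw.untranslate("tcp", *vpn2)


def failover_demo(use_low_priority):
    """Two stateful-failover devices with identical pools A and B translate the
    same session; with the low-priority attribute they pick disjoint addresses."""
    dev1 = NatGateway([AddressPool("100.0.0.1", "100.0.0.5", low_priority=use_low_priority),
                       AddressPool("100.0.0.6", "100.0.0.10")])
    dev2 = NatGateway([AddressPool("100.0.0.1", "100.0.0.5"),
                       AddressPool("100.0.0.6", "100.0.0.10", low_priority=use_low_priority)])
    s1 = dev1.translate("100:1", "tcp", "10.110.1.1", 40000)
    s2 = dev2.translate("100:1", "tcp", "10.110.1.1", 40000)
    return s1, s2, reverse_collisions(dev1, dev2)


if __name__ == "__main__":
    print(multi_instance_demo())
    print(failover_demo(False))
    print(failover_demo(True))
```

`reverse_collisions` is the check a practitioner would want after configuring the pools: an empty intersection of the two devices' reverse-session keys is exactly the condition that lets session entries be backed up between the devices without clashing.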
NOTE:
For information about stateful failover configuration, see the
High Availability Configuration Guide.