This section describes how to configure Network Address Translation (NAT) on the EdgeMarc to allow two connected networks to use different and incompatible IP addressing schemes.

Overview

NAT is a method of allowing two connected networks to use different and incompatible IP addressing schemes. Address translation allows hosts on a private internal network to communicate transparently with devices on an external network and vice versa. NAT is only supported in IPv4. NAT expands the number of hosts that can interact on the Internet by allowing them to share public IP addresses. Because IPv6 has a significantly larger address space, NAT is not required in IPv6.

Static NAT allows you to use a WAN public IP address for data servers (for example, web, mail, or FTP) connected behind the EdgeMarc. These servers can then be configured with private IP addresses for additional security.
The NAT process maps a public address on the system and the IP port number associated with a particular session to the private address and port number of the appropriate IP phone device.

NAT allows many private IP addresses to be mapped to a single public address. However, devices behind NAT are hidden and not directly addressable from a public network. Because IP phone devices need to accept calls from the public network, the system implements ALG/B2BUA to map the common public address to unique private addresses.

Refer to Configuring VoIP Settings.  

Configuring Dynamic NAT

Dynamic NAT allows a device with a private address to access resources on a public network. Requests from the device are remapped to use the public IP address of the system. A public IP address other than the system IP address can also be specified. NAT can be used to translate LAN IP addresses to the publicly routable IP address that is assigned to the WAN port.

To configure dynamic NAT:

  1. Choose Network > NAT.

  2. Configure settings using the information in the table below as a guide. When you have finished configuring settings, click Submit to make your changes take effect.

    Dynamic NAT Parameters

    Parameter

    Description

    Enable Dynamic NAT

    Select the Enable Dynamic NAT check-box.

    Public IP Addresses

    These settings apply to services that are running on the system.

    Primary WLR Interface

    Enter an IP address in the Primary WLR Interface field or leave the default WAN_IP to use the system WAN IP address.

    Secondary WLR Interface

    (Optional) Enter an IP address in the Secondary WLR Interface field or leave the default WAN_IP to use the system WAN IP address.

    Private Networks

    Configures private networks. See Configuring Private Networks.

Configuring Private Networks

By default, all internal addresses are assumed private and are remapped to the public IP address. You can also specify which networks are private and are therefore NAT-enabled. If one or more networks are specified, all other networks are routed rather than NAT-enabled.

Routed networks still require Pass-Through Rules in order for traffic to traverse the firewall. To configure Pass-Through Rules, choose Network > Pass-Through Rules and refer to Configuring Pass-Through Rules.

Configuring a Private Network

Configure a Private Network as follows:

  1. Choose Network > NAT.
  2. Scroll to Private Networks.

  3. Configure settings using the table below as a guide.

  4. Click Submit to save your settings.

    NAT Settings - Private Networks

    Parameter

    Description

    IP Network

    Enter an IP address.

    Network Mask

    Enter a netmask.

    Private Networks

    Lists configured private networks. 

Deleting a Private Network

Delete a Private Network as follows:

  1. Choose Network > NAT (Figure 3-29).
  2. In the Private Networks list, select check-boxes for the entries that you want to delete or click All to choose all. Click None to clear your selections.
  3. Click Delete.
  4. Click OK to confirm.

Configuring Port Forwarding

Port Forwarding allows you to configure Static Network Address Translation on the system. Port Forwarding rewrites the destination address and port of inbound packets to the address and port of a host behind the system. When using Port Forwarding, you can access hosts with private addresses from the public network.

For Port Forwarding rules to be applied, Dynamic NAT must be enabled. See Configuring Dynamic NAT.

Adding a Port Forwarding Rule

  1. Enable Dynamic NAT by choosing Network > NAT and following the instructions in Configuring Dynamic NAT at the top of the NAT configuration page.
  2. Choose Network > NAT > Port Forwarding from the Configuration Menu. 

  3. Configure settings using the table below as a guide.
  4. When you have finished configuring settings, click Submit.

    Port Forwarding Parameters

    Parameter

    Description

    Protocol

    Choose a protocol for the WAN interface from the drop-down list: TCP, UDP, or Any.

    WAN Interface IP

    Enter the device WAN interface IP address or a different public IP address.

    If you enter a different public IP address, the system creates a virtual interface with the WAN address and attaches the virtual interface to the device WAN interface.

    Packets destined to the WAN address and the WAN port (defined in the Src Port field) are translated to the LAN address and port defined in the Dest Port field. Specify the “WAN_IP” token to signify the system's Primary WAN address.

    The WAN Address may change dynamically if the WAN interface is using DHCP or PPP. The NAT feature automatically aligns itself to the dynamic WAN IP when using the 'WAN_IP' token.

    Specify the “HA_VIP” token to signify the High Availability Virtual IP address. Only the MASTER in the High Availability pair sets this rule. See Configuring High Availability.

    WAN Interface Netmask

    Enter the device WAN subnet or the subnet of the virtual interface. This field sets the “WAN_SUBNET” token to specify the system's Primary WAN Netmask.

    The WAN Netmask may change dynamically if the WAN interface is using DHCP or PPP. The NAT feature automatically aligns itself to the dynamic WAN Netmask by using the “WAN_SUBNET” token.

    Src Port

    Enter the source WAN port.

    When the protocol is TCP or UDP, you must define the port on the target host. 

    Packets destined to the WAN address and port will be mapped to the LAN address and port.

    You can specify a range of ports. In that case, the size of the WAN range must match the size of the LAN range. Ranges must be colon-delimited, so “301:304” would specify a range of four ports.

    NOTE: If the protocol is 'any', both the WAN and LAN Ports must also be specified as 'any' (port mapping is disabled for this rule).

    When the protocol is TCP or UDP, you must define the WAN and LAN ports. Packets destined to the WAN address and port are translated to the LAN IP address and LAN Dest Port.

    NOTE: When “any” is specified, all packets destined for the public IP address are translated and sent to the private IP address specified.

    Port forwarding rules that use a common WAN IP address are treated as an ordered list. Port forwarding rules that appear before the “any” rule for a WAN IP are applied before the “any” rule. Rules for a WAN IP address placed after the “any” rule have no effect. The “any” rule translates and forwards all remaining packets to the selected LAN IP.

    WARNING: When “any” is used, it is recommended that the LAN IP address be protected by a firewall. All packets destined for the specified WAN IP address are translated and forwarded to the LAN IP address. The management services for the system may become unavailable.

    The management packets could be sent to the specified LAN IP. Make sure an alternative access method is available for management access before adding “any” for the system WAN IP address.

    LAN IP

    Enter the LAN IP address of the target host behind the voice appliance.

    Dest Port

    Enter the LAN port on the target host when the protocol is TCP or UDP. Packets destined to the WAN address and port are mapped to a LAN address and port.

    NOTE: The LAN port is not used if the protocol chosen is “any.”

    Private Networks

    Lists configured private networks. 
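
The rule-ordering, port-range and “any” constraints described in the table above can be checked offline before rules are entered. The following Python linter is an added example, not part of the EdgeMarc product or its documentation; the rule tuple layout, function names and sample addresses are assumptions.

```python
# Added example: offline linter for a planned Port Forwarding rule list.
# The tuple layout below is an assumption, not an EdgeMarc export format.

def port_count(spec):
    """Number of ports in '80' or a colon-delimited range such as '301:304'."""
    lo, sep, hi = spec.partition(":")
    if not sep:
        hi = lo
    if not (lo.isdigit() and hi.isdigit() and 1 <= int(lo) <= int(hi) <= 65535):
        raise ValueError(f"bad port spec {spec!r}")
    return int(hi) - int(lo) + 1

def lint_rules(rules):
    """rules: ordered list of (protocol, wan_ip, src_port, lan_ip, dest_port).
    Returns (zero-based rule index, finding) pairs."""
    findings = []
    any_seen = {}  # wan_ip -> index of the first 'any' rule for that address
    for i, (proto, wan_ip, src, lan_ip, dest) in enumerate(rules):
        proto, src, dest = proto.lower(), src.lower(), dest.lower()
        if wan_ip in any_seen:  # rules after an 'any' rule for the same WAN IP are dead
            findings.append((i, f"no effect: placed after 'any' rule {any_seen[wan_ip]} for {wan_ip}"))
            continue
        if proto == "any":
            if src != "any" or dest != "any":
                findings.append((i, "protocol 'any' requires both ports to be 'any'"))
            any_seen[wan_ip] = i
            if wan_ip == "WAN_IP":  # only the token is detected, not a literal system address
                findings.append((i, f"all traffic for the system WAN IP goes to {lan_ip}; management access may be lost"))
            else:
                findings.append((i, f"all remaining traffic for {wan_ip} reaches {lan_ip}; protect it with a firewall"))
            continue
        try:
            if port_count(src) != port_count(dest):
                findings.append((i, f"WAN range {src} and LAN range {dest} differ in size"))
        except ValueError as err:
            findings.append((i, str(err)))
    return findings

# Constructed sample rule list (documentation addresses, not from a real device).
SAMPLE_RULES = [
    ("TCP", "WAN_IP", "443", "192.168.1.10", "8443"),
    ("UDP", "WAN_IP", "301:304", "192.168.1.20", "5001:5003"),
    ("Any", "203.0.113.5", "any", "192.168.1.30", "any"),
    ("TCP", "203.0.113.5", "25", "192.168.1.40", "25"),
    ("Any", "WAN_IP", "any", "192.168.1.50", "any"),
]

if __name__ == "__main__":
    for index, finding in lint_rules(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```
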

Deleting Port Forwarding Rules

  1. Choose Network > NAT > Port Forwarding.
  2. In the Port Forwarding Rules list, select check-boxes for the Port Forwarding entries that you want to delete.
  3. Click All to choose all the entries or None to clear your selections.
  4. Click Delete. 
  5. Click OK to confirm.