Ascend Archive

Re: (ASCEND) NAT, Pipe75, stops routing. (fwd)



Once upon a time Robert Fournerat shaped the electrons to say...
>In a "single address NAT" environment:

NAPT - Network Address and Port Translation - right?

>1) Have you tried to POP mail from a client on the WAN side of
>   the interface to a POP server on the LAN side of the NAT'ed
>   environment? (Or just try to telnet to port 110...)

NAPT is unfriendly to *inbound* traffic, this is rather commonly
discussed in the NAT/NAPT WG.  The only way this can work is if you
can hardmap port 110 to point only to one server on the inside at 
port 110.  If this hard mapping is not done, or is not possible, then
this isn't going to work.  Basically you need to poke a hole through
the wall NAPT creates.

NAT - which does no port translation - doesn't have the same problem,
but you would need to have a one-to-one hard map with IP addresses.

>2) Have you ping'ed, tracerouted, or had success with *ANY* ICMP 
>   based traffic where the traffic is directed from the WAN
>   side to the LAN side?

You shouldn't be able to ping or traceroute, etc, through a router
running NAPT - not inbound.  The IPs on the inside are not visible
to the outside.

>I believe that if you try these tests, that they will fail.
>If any one of them fails, would you agree that Ascend's 
>implementation of single address NAT is flawed?  Last time I 

No.  NAT/NAPT WILL CAUSE SOME PROTOCOLS TO FAIL!  Period.  That is
something you have to accept, or don't run them.  Tunneling and
security protocols don't like NAT/NAPT at all either - IPSec will
not work with this in the middle, nor will many other systems.

The NAT/NAPT WG is working on a list of protocols which are just
incompatible with NAT/NAPT, and also a list of protocols that have a 
hard time with NAT/NAPT and require extra effort on the part of the router.
Mainly protocols that embed IP and/or port data in the payload and
not just in the packet header - FTP is the major example here - so that
the NAT/NAPT router needs to actually change the payload.  Some of these
issues are likely to not be solved in the router, but with an application
gateway program on a host working in conjunction with the router.

-MZ
-- 
<URL:mailto:megazone@megazone.org> Gweep, author, webmaster, human being, me
"A little nonsense now and then, is relished by the wisest men" 781-788-0130
<URL:mailto:megazone@gweep.net> <URL:http://www.megazone.org/> Hail Discordia!
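The behaviour MZ describes above (outbound connections create dynamic port mappings, unsolicited inbound traffic such as a POP3 connection or a ping is dropped, and a hard map of port 110 to exactly one inside server "pokes a hole" through the NAPT wall) can be seen in a small simulator. This is an added example, not code from the original post or from Ascend; the NAPT model is simplified (no timeouts, no TCP state tracking, ICMP treated as a portless flow), and every address, port and packet in it is a constructed sample value.

```python
"""Toy single-address NAPT simulator (added example, not from the original post).

Models the points made in the mailing-list reply:
  * LAN -> WAN packets get the one public address and a fresh external port,
  * WAN -> LAN packets only pass if they match a dynamic or static mapping,
  * inside addresses are never visible on the WAN side.
All addresses and ports below are constructed sample values (RFC 5737 ranges).
"""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Napt:
    public_ip: str                      # the single routable address
    next_port: int = 40000              # first dynamic external port handed out
    # (proto, external port) -> (inside ip, inside port), learnt from outbound traffic
    dynamic: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # (proto, inside ip, inside port) -> external port, reverse index for reuse
    reverse: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # (proto, external port) -> (inside ip, inside port), configured by hand
    static: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def hard_map(self, proto: str, ext_port: int, inside_ip: str, inside_port: int) -> None:
        """Poke a hole: forward one external port to exactly one inside host/port."""
        self.static[(proto, ext_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to the public address and an external port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        ext_port = self.reverse.get(key)
        if ext_port is None:                       # first packet of this inside flow
            ext_port = self.next_port
            self.next_port += 1
            self.dynamic[(pkt.proto, ext_port)] = (pkt.src_ip, pkt.src_port)
            self.reverse[key] = ext_port
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: pass only if a dynamic or static mapping covers the port.

        Returns the rewritten packet, or None when the router drops it.
        """
        if pkt.dst_ip != self.public_ip:
            return None                            # not even addressed to us
        key = (pkt.proto, pkt.dst_port)
        target = self.dynamic.get(key) or self.static.get(key)
        if target is None:
            return None                            # no hole in the wall: dropped
        inside_ip, inside_port = target
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


def demo() -> Dict[str, Optional[Packet]]:
    """Run the four scenarios discussed in the thread and return what each yields."""
    nat = Napt(public_ip="203.0.113.5")

    # 1. An inside client opens an outbound connection; the reply finds its way back
    #    through the dynamic mapping that the outbound packet created.
    out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 80))
    reply = nat.inbound(Packet("198.51.100.7", 80, nat.public_ip, out.src_port))

    # 2. An outside client tries POP3 (tcp/110) against the public address: no
    #    mapping exists, so the packet is dropped.
    pop_without_map = nat.inbound(Packet("198.51.100.9", 50123, nat.public_ip, 110))

    # 3. Hard-map tcp/110 to the one inside POP server; the same packet now passes.
    nat.hard_map("tcp", 110, "192.168.1.10", 110)
    pop_with_map = nat.inbound(Packet("198.51.100.9", 50123, nat.public_ip, 110))

    # 4. An inbound ICMP echo to the public address has nothing to match: dropped.
    ping = nat.inbound(Packet("198.51.100.9", 0, nat.public_ip, 0, proto="icmp"))

    return {"outbound": out, "reply": reply, "pop_without_map": pop_without_map,
            "pop_with_map": pop_with_map, "ping": ping}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:16s} {'DROPPED' if pkt is None else pkt}")
```

The static table is the "hard map" from the reply: it can point a given external port at only one inside host, which is why two POP servers behind one address cannot both be reached on port 110. Protocols that carry addresses in the payload (FTP is the example in the post) are not handled here at all; a real router would have to rewrite the payload or hand the session to an application gateway.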



++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>