Masquerade (hide) network address translation (NAT) allows you
to keep the outside world (outside the iSeries™ server) from knowing the actual
address of a personal computer. NAT routes traffic from your personal computer
to your iSeries server,
which essentially makes the iSeries server the gateway for your personal computer.
Here is how it works.
Masquerade NAT allows you to translate multiple IP addresses to a
single IP address. You can use masquerade NAT to hide one or more IP
addresses on your internal network behind an IP address that you want to make
public. This public address is the address to which the private addresses
are translated, and it has to be a defined interface on your iSeries server.
To make it a defined interface, you must define the public address as a BORDER address.
Hide multiple addresses
To hide multiple addresses,
you specify a range of addresses that NAT should translate through the iSeries server.
Here is the general process:
- The translated (public) IP address replaces the source IP address in the
IP header of the IP packet.
- The source port number (if there is one) in the Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) header is replaced with a temporary
port number.
- NAT records the result as a conversation: the association between the new
IP source address and temporary port number and the internal address and port
they stand for.
- This recorded conversation allows your NAT server to untranslate IP datagrams
that come back from the outside server.
When you use masquerade NAT, an internal system initiates traffic.
When this happens, NAT translates the IP packet as it passes through the iSeries NAT
server. Masquerade NAT is a great choice because external hosts cannot initiate
traffic into your network. As a result, your network gains additional protection
from an outside attack. Also, you only need to purchase a single public IP
address for multiple internal users.
The following list highlights
the features of masquerade NAT:
- A private IP address or range of IP addresses is bound behind a public
IP address on the NAT workstation
- Internal network initiation only
- Internal port numbers are mapped to random temporary port numbers. This means that
both the address and the port number are hidden from the Internet.
- The registered address on the NAT workstation is a usable interface outside
of NAT
Note: If the parameters are not set to fit your environment,
the address translation might not function as expected; for example, the IP
addresses in the packets might not be translated, or the packets might be discarded.
However, this will not cause any hardware or system damage. If you want to adjust
the values of the parameters, consider the following items:
- You must set MAXCON high enough to accommodate the number
of conversations you want to use. For example, if you are using FTP, your
personal computer will have two conversations active. In this case, you will
need to set MAXCON high enough to accommodate multiple conversations
for each personal computer. You need to decide how many concurrent conversations
you want to allow in your network. The default value is 128.
- You must have TIMEOUT (a HIDE rule statement) set high
enough to allow enough time for conversations between the personal computers and
the server end. For Hide NAT to occur properly, there must be an internal conversation
in progress. The timeout value tells NAT how long to wait for a reply
to this internal conversation. The default value is 16.
- Masquerade NAT only supports the following protocols: TCP, UDP, and ICMP.
- Whenever you use NAT, you must enable IP forwarding. Use the Change TCP/IP
Attributes (CHGTCPA) command to verify that you set IP datagram forwarding
to YES.
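The following is an added example, not iSeries code or anything from this document. It is a small Python model of the four translation steps listed under "Hide multiple addresses" together with the MAXCON and TIMEOUT considerations above: an outbound packet gets the public source address and a temporary source port, the conversation is recorded, a reply is untranslated from that record, an unsolicited inbound packet with no matching conversation is discarded (which is why external hosts cannot initiate traffic), a new conversation beyond MAXCON is refused, and an idle conversation older than TIMEOUT is forgotten. The packet layout, the sequential temporary-port allocation (the text says the real ports are random), the addresses, and the treatment of TIMEOUT as seconds are all assumptions made for the example; the text does not state the unit.

```python
"""Toy model of masquerade (hide) NAT conversation tracking.

Constructed example, not iSeries code. Models: rewrite source address,
rewrite source port with a temporary port, record the conversation, and
use that record to untranslate replies. MAXCON and TIMEOUT use the default
values quoted in the text (128 and 16); TIMEOUT is treated as seconds here,
which is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    proto: str       # "TCP", "UDP" or "ICMP"
    src_ip: str
    src_port: int    # for ICMP, treat this as the query identifier
    dst_ip: str
    dst_port: int


class ConversationTableFull(Exception):
    """Raised when a new conversation would exceed MAXCON."""


@dataclass
class MasqueradeNAT:
    public_ip: str                 # the BORDER address on the NAT server
    hidden_prefix: str             # internal range hidden behind public_ip, e.g. "10.1.1."
    maxcon: int = 128              # MAXCON: maximum concurrent conversations
    timeout: int = 16              # TIMEOUT: idle seconds before a conversation is dropped
    # (proto, temp_port) -> (orig_src_ip, orig_src_port, dst_ip, dst_port, last_seen)
    conversations: Dict[Tuple[str, int], tuple] = field(default_factory=dict)
    next_port: int = 40000         # sequential here; real NAT picks random ports

    SUPPORTED = ("TCP", "UDP", "ICMP")

    def _expire(self, now: int) -> None:
        """Forget conversations idle for longer than TIMEOUT."""
        dead = [k for k, v in self.conversations.items() if now - v[4] > self.timeout]
        for k in dead:
            del self.conversations[k]

    def outbound(self, pkt: Packet, now: int) -> Optional[Packet]:
        """Translate a packet leaving the internal network; None means discarded."""
        if pkt.proto not in self.SUPPORTED:
            return None                      # only TCP, UDP and ICMP are supported
        if not pkt.src_ip.startswith(self.hidden_prefix):
            return pkt                       # not a hidden address: forward unchanged
        self._expire(now)
        # Reuse the conversation if this internal flow already has one.
        for key, conv in self.conversations.items():
            if key[0] == pkt.proto and conv[:4] == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                self.conversations[key] = conv[:4] + (now,)
                return Packet(pkt.proto, self.public_ip, key[1], pkt.dst_ip, pkt.dst_port)
        if len(self.conversations) >= self.maxcon:
            raise ConversationTableFull(f"MAXCON={self.maxcon} reached")
        temp_port = self.next_port           # temporary port replaces the source port
        self.next_port += 1
        self.conversations[(pkt.proto, temp_port)] = (
            pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, now)
        # Translated IP address replaces the source address in the IP header.
        return Packet(pkt.proto, self.public_ip, temp_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: int) -> Optional[Packet]:
        """Untranslate a packet from outside; None means no conversation, so discarded."""
        self._expire(now)
        conv = self.conversations.get((pkt.proto, pkt.dst_port))
        # Only a reply from the outside server the conversation was opened to matches.
        if conv is None or (conv[2], conv[3]) != (pkt.src_ip, pkt.src_port):
            return None                      # external hosts cannot initiate traffic
        self.conversations[(pkt.proto, pkt.dst_port)] = conv[:4] + (now,)
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, conv[0], conv[1])


if __name__ == "__main__":
    nat = MasqueradeNAT(public_ip="203.0.113.5", hidden_prefix="10.1.1.")
    out = nat.outbound(Packet("TCP", "10.1.1.7", 51000, "198.51.100.9", 80), now=0)
    print("outbound:", out)
    print("reply:", nat.inbound(Packet("TCP", "198.51.100.9", 80, "203.0.113.5", out.src_port), now=1))
    print("unsolicited:", nat.inbound(Packet("TCP", "198.51.100.9", 80, "203.0.113.5", 40999), now=1))
```

The FTP case from the MAXCON item shows up directly in this model: a control connection and a data connection from the same personal computer are two distinct internal flows, so they occupy two entries in the conversation table, and MAXCON must be sized for that multiple per machine.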