Port-mapped network address translation (NAT) is a variation of
masquerade NAT.
How do they differ? In port-mapped NAT you can specify both the IP address
and the port number to translate. This allows both your internal personal
computer and the external workstation to initiate IP traffic. You can use
this if the external workstation (or client) wants to access workstations
or servers inside your network. Only IP traffic that matches both the IP address
and the port number is allowed access. Here is how it works:
Internal initiation
When the internal personal computer
with Address 1: Port 1 initiates traffic to an outside workstation,
the translating code will check the NAT rule file for Address 1: Port 1.
If both the source IP address (Address 1) and the source port number (Port
1) match the NAT rule, then NAT starts the conversation and performs the translation.
The specified values from the NAT rule replace the IP source address and source
port number. Address 1: Port 1 is replaced with Address 2: Port 2.
External initiation
An external workstation initiates
IP traffic with the destination IP address of Address 2. The destination
port number is Port 2. The NAT server will untranslate the datagram
with or without an existing conversation. In other words, NAT will automatically
create a conversation if one does not already exist. Address 2: Port 2 is
untranslated to Address 1: Port 1.
The following list highlights the features of masquerade port-mapped
NAT:
- One-to-one relationship.
- External and internal network initiation.
- The registered address the private address hides behind must be defined
on the iSeries™ server
performing the NAT operations.
- IP traffic outside of NAT operations cannot use the registered address.
However, if this address attempts to use a port number that matches the hidden
port in the NAT rule, then the traffic will be translated. In effect, the interface
that holds the registered address is unusable for anything else.
- Typically the port numbers are mapped to well-known port numbers, so extra
information is not necessary. For example, you can run an HTTP server bound
to port 5123, then map this to the public IP and port 80. If you want to hide
an internal port number behind another (uncommon) port number, the client
needs to be explicitly told the value of the destination port number. If not,
it is difficult for communication to occur.
Note:
- You must set MAXCON high enough to accommodate the number
of conversations you want to use. For example, if you are using FTP, your
personal computer will have two conversations active. You will need to set MAXCON high
enough to accommodate multiple conversations for each personal computer. The
default value is 128.
- Masquerade NAT only supports the following protocols: TCP, UDP, and ICMP.
- Whenever you use NAT, you must enable IP forwarding. Use the Change TCP/IP
Attributes (CHGTCPA) command to verify that IP datagram forwarding is set
to YES.
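The following added example (not IBM's code) models the translation rules described under "Internal initiation" and "External initiation" above, together with the MAXCON conversation limit from the note: a rule matches only when both address and port agree, an external datagram to Address 2:Port 2 is untranslated even with no existing conversation, and any other port on the registered address is not reachable. The addresses, the 5123-to-80 mapping and the RuntimeError on reaching MAXCON are constructed for illustration.

```python
from dataclasses import dataclass, field

# Masquerade NAT on the page handles only these protocols.
SUPPORTED = {"TCP", "UDP", "ICMP"}

@dataclass(frozen=True)
class Rule:
    """One port-mapped rule: Address 1:Port 1 hides behind Address 2:Port 2."""
    hidden_addr: str    # Address 1 (internal PC or server)
    hidden_port: int    # Port 1
    public_addr: str    # Address 2 (registered address defined on the server)
    public_port: int    # Port 2

@dataclass
class PortMappedNAT:
    rules: list
    maxcon: int = 128                                  # page's default MAXCON
    conversations: set = field(default_factory=set)

    def _open(self, rule):
        # A conversation is created on first use from either side.
        if rule not in self.conversations:
            if len(self.conversations) >= self.maxcon:
                raise RuntimeError("MAXCON reached; raise it for more conversations")
            self.conversations.add(rule)

    def outbound(self, proto, src_addr, src_port, dst_addr, dst_port):
        """Internal initiation: source address AND source port must both match."""
        if proto not in SUPPORTED:
            return None
        for r in self.rules:
            if (src_addr, src_port) == (r.hidden_addr, r.hidden_port):
                self._open(r)
                return (proto, r.public_addr, r.public_port, dst_addr, dst_port)
        return None  # no rule matched: this datagram is not translated

    def inbound(self, proto, src_addr, src_port, dst_addr, dst_port):
        """External initiation: Address 2:Port 2 becomes Address 1:Port 1."""
        if proto not in SUPPORTED:
            return None
        for r in self.rules:
            if (dst_addr, dst_port) == (r.public_addr, r.public_port):
                self._open(r)  # creates the conversation if none exists yet
                return (proto, src_addr, src_port, r.hidden_addr, r.hidden_port)
        return None  # other ports on the registered address are not reachable

def example_nat(maxcon=128):
    """Constructed example: HTTP server on internal port 5123 mapped to public port 80."""
    return PortMappedNAT([Rule("10.1.1.5", 5123, "203.0.113.10", 80)], maxcon)
```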