friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajb_5.4.0.1/rzajbrzajb4bhidenat.htm

109 lines
7.5 KiB
HTML
Raw Permalink Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Masquerade (hide) NAT" />
<meta name="abstract" content="Masquerade (hide) network address translation (NAT) allows you to keep the outside world (outside the iSeries server) from knowing the actual address of a personal computer. NAT routes traffic from your personal computer to your iSeries server, which essentially makes the iSeries server the gateway for your personal computer." />
<meta name="description" content="Masquerade (hide) network address translation (NAT) allows you to keep the outside world (outside the iSeries server) from knowing the actual address of a personal computer. NAT routes traffic from your personal computer to your iSeries server, which essentially makes the iSeries server the gateway for your personal computer." />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb4natsd.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb1bheader.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb0gexample5.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajb4b-hidenat" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Masquerade (hide) NAT</title>
</head>
<body id="rzajb4b-hidenat"><a name="rzajb4b-hidenat"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Masquerade (hide) NAT</h1>
<div><p>Masquerade (hide) network address translation (NAT) allows you
to keep the outside world (outside the iSeries™ server) from knowing the actual
address of a personal computer. NAT routes traffic from your personal computer
to your iSeries server,
which essentially makes the iSeries server the gateway for your personal computer.</p>
<p>Here is how it works.</p>
<p>Masquerade NAT allows you to translate multiple IP addresses to another
single IP address. You can use masquerade NAT to <em>hide</em> one or more IP
addresses on your internal network behind an IP address that you want to make
public. This public address is the address to which the private addresses
are translated and has to be a defined interface on your iSeries server.
To be a defined interface, you must define the public address as a <samp class="codeph">BORDER</samp> address.</p>
<div class="section"><h4 class="sectiontitle">Hide multiple addresses</h4><p>To hide multiple addresses,
you specify a range of addresses that NAT should translate through the iSeries server.
Here is the general process:</p>
<ol><li>The translated IP address replaces the source IP address. This occurs
in the IP header of the IP packet.</li>
<li>The IP source port number (if there is one) in a Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) header is replaced with a temporary
port number.</li>
<li>An existing conversation is the relationship between the new IP source
address and port number.</li>
<li>This existing conversation allows your NAT server to untranslate IP datagrams
from the outside server.</li>
</ol>
</div>
<div class="section"><p>When you use masquerade NAT, an internal system initiates traffic.
When this happens, NAT translates the IP packet as it passes through the iSeries NAT
server. Masquerade NAT is a great choice because external hosts cannot initiate
traffic into your network. As a result, your network gains additional protection
from an outside attack. Also, you only need to purchase a single public IP
address for multiple internal users. </p>
<p>The following list highlights
the features of masquerade NAT:</p>
<ul><li>Private IP address or range of IP addresses are bound behind a public
IP address on the NAT workstation</li>
<li>Internal network initiation only</li>
<li>Port numbers are associated with random port numbers. This means that
both the address and the port number are hidden from the Internet.</li>
<li>The registered address on the NAT workstation is a usable interface outside
of NAT</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> <p><img src="./delta.gif" alt="Start of change" />If parameters are not set to fit your environment,
the address translation might not function as expected, for example, the IP
addresses in the packets are not translated or the packets might be discarded.
However, it will not cause any hardware or system damage. If you want to adjust
the values of the parameters, consider the following items:<img src="./deltaend.gif" alt="End of change" /></p>
<ul><li>You must set <samp class="codeph">MAXCON</samp> high enough to accommodate the number
of conversations you want to use. For example, if you are using FTP, your
personal computer will have two conversations active. In this case, you will
need to set <samp class="codeph">MAXCON</samp> high enough to accommodate multiple conversations
for each personal computer. You need to decide how many concurrent conversations
you want to allow in your network. The default value is 128.</li>
<li>You must have <samp class="codeph">TIMEOUT</samp> (a HIDE rule statement) set high
enough to allow enough time for conversations between personal computers and
server end. For Hide NAT to occur properly, there must be an internal conversation
in progress. The timeout value tells the code how long to wait for a reply
to this internal conversation. The default value is 16.</li>
<li>Masquerade NAT only supports the following protocols: TCP, UDP, and ICMP.</li>
<li>Whenever you use NAT, you must enable IP forwarding. Use the Change TCP/IP
Attributes (CHGTCPA) command to verify that you set IP datagram forwarding
to <samp class="codeph">YES</samp>.</li>
</ul>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajbrzajb4natsd.htm" title="Network address translation (NAT) allows you to access the Internet safely without having to change your private network IP addresses.">Network address translation (NAT)</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajbrzajb1bheader.htm" title="You can create filter rules to refer to various portions of IP, TCP, UDP, and ICMP headers.">IP packet header</a></div>
<div><a href="rzajbrzajb0gexample5.htm" title="In this scenario, your company uses masquerade network address translation (NAT) to hide the private addresses of your personal computers. At the same time, your company allows your employees to access the Internet.">Scenario: Hide IP addresses using masquerade NAT</a></div>
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink