NAT/NAPT configuration task list 137SmartWare Software Configuration Guide 12 • NAT/NAPT configurationNAPT traversalProtocols that do not build on UDP or TCP but directly on IP (e.g. GRE, ESP), and protocols that open addi-tional connections unknown to the NAT/NAPT component (e.g. FTP, H.323, SIP), do not easily traverse aNAPT.The SmartWare NAPT can handle one GRE (Generic Routing Encapsulation) connection and one ESP(Encapsulating Security Payload) connection at a time. It also routes ICMP messages back to the source of theconcerned connection or to the source of an ICMP Ping message.To enable NAPT traversal of protocols that open additional connections, the NAPT component must analyzethese protocols at the Application Level in order to understand which NAPT entries for additional connectionsit should create and which IP addresses/ports it must modify (e.g. for voice connections in addition to signal-ing connections). It performs this task for the protocol FTP. Other protocols such as H.323 and SIP cannottraverse the SmartWare NAPT.NAT/NAPT configuration task listTo configure the NAT/NAPT component, perform the tasks in the following sections:• Creating a NAPT profile (see page 137)• Activating NAT/NAPT (see page 137)• Displaying NAT/NAPT configuration information (see page 139)Creating a NAPT profileA NAPT profile defines the behavior of the NAT/NAPT component, comprising all four types of NAT/NAPT(this profile is called ‘NAPT profile’ and not ‘NAT/NAPT profile for historical reasons). Several NAPT profilesare admissible but there is only one NAT/NAPT component.Procedure: To create a NAPT profile and to configure the required types of NAT/NAPTMode: ConfigureCommand PurposeStep 1node(cfg)#profile naptname Creates the NAPT profilename and activates thebasic behavior of the Dynamic NAPTStep 2(optional)node(pf-napt)[name]#rangelocal-ip-range-start local-ip-range-stopglobal-ipConfigures and activates the enhanced behavior ofthe Dynamic NAPT:local-ip-range-start andlocal-ip-range-stop define the subset of local hosts that usethe global NAT addressglobal-ip to access to globalnetwork.(max. 20 entries)The IP ranges of different Dynamic NAPT entries mustnot overlap each other.
