
OCR 812 V1.1.97 and NAT

Status
Not open for further replies.

mgrisoli

Technical User
Jan 26, 2002
3
BR
Hi folks!
I would like to map a remote dynamic address port 81 to be redirected to my private address 192.168.157.001:81.
When I try to add the mentioned NAT port in my 3Com Office Remote Router, the following message appears:
UMNMI: Add - no required password
192.168.157.001 is the default workstation set in NAT, but any external requisitions are remapped to it.
Suggestions?
 
As I understand it, port mapping on routers is -- for security purposes -- a one-way mapping, that is, from the inside out. This is called Port Address Translation and is parallel to NAT.

The purpose is to translate inside addresses to one global outside, routable address. The same with PAT. The packets coming from the outside are required to be in response to an initial inside source, for example, you query a web site.

The reverse -- to achieve "firewall" security -- does not happen. An uninvited packet does not translate to an inside address because it is dropped by the router when it cannot find a match in its tables for a previous outgoing packet.

The ability to predetermine port translations is specific to your router. And, be aware, routers vary widely in their abilities and the documentation and tech support required to achieve such noble ends.

That's one reason Cisco is widely adopted: they have an operating system that is published and supported and very capable. (And, for people who don't make their living doing this work, a formidable learning and cost undertaking.)

Yours,
Mike
 
Thanks for answering, Mike!

The 3Com documentation says that remapping is possible.
But it doesn't show exactly how.
And about the PAT resource, can we disable it?
In this case each private computer can manage its own protection.


Regards,

Mgrisolia.

 
Port mapping is part of NAT because the packets returning from the outside world are headed, of course, to your one and only router outside IP, which in turn feeds multiple inside machines. Which one is the returning packet to be sent to?

This is determined by the port identity. When the packet left originally it carried a port number, along with its source IP and port number. The port number is tracked by the router, so when a returning packet is examined, it is translated to the correct inside IP. Otherwise, the one global outside address would not know where to forward the returning packet.

This process also allows one inside machine to launch multiple, ongoing streams -- say, ftp -- without getting confused as to which returning packet is supposed to go to which machine, and once it gets to that machine, which socket port is to be used. This socket business happens at the upper level of the 7-layer OSI model.

At some point, if you want outside traffic to be allowed into your system (without initiating the conversation from the inside) you may need to create a static access list identifying specific outside addresses (and their port numbers) to be allowed in, firstly, and secondly, to be directed to the inside address (and port).

This is router-specific.

Yours,
Mike
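
The translation-table behaviour discussed in this thread, as an added example that is not part of the original posts and is not 3Com's implementation: a small Python model of a PAT router in which replies to inside-initiated flows are translated, uninvited packets are dropped, and a static mapping admits only the one forwarded port. The class name `PatRouter`, the public address 203.0.113.10, the remote addresses and the port pool starting at 40000 are constructed for illustration; matching replies on the remote address and port is an assumption about how strictly a router filters.

```python
from dataclasses import dataclass, field

@dataclass
class PatRouter:                                 # hypothetical model, not a real router API
    public_ip: str
    next_port: int = 40000                       # constructed start of the dynamic port pool
    dynamic: dict = field(default_factory=dict)  # public port -> (inside ip, inside port, remote ip, remote port)
    static: dict = field(default_factory=dict)   # public port -> (inside ip, inside port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a flow: allocate a public port and remember it."""
        public_port = self.next_port
        self.next_port += 1
        self.dynamic[public_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def add_static(self, public_port, inside_ip, inside_port):
        """Administrator-defined inbound mapping (a port forward)."""
        self.static[public_port] = (inside_ip, inside_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the inside (ip, port) for an arriving packet, or None if dropped."""
        entry = self.dynamic.get(public_port)
        # Assumption: a reply must come from the endpoint the inside host contacted.
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[:2]                     # reply to a flow started inside
        if public_port in self.static:
            return self.static[public_port]      # uninvited, but explicitly forwarded
        return None                              # no table match: dropped

def demo():
    r = PatRouter("203.0.113.10")
    # Two inside machines reach the same server from the same source port.
    a = r.outbound("192.168.157.1", 1025, "198.51.100.7", 80)
    b = r.outbound("192.168.157.2", 1025, "198.51.100.7", 80)
    results = {
        "reply_a": r.inbound("198.51.100.7", 80, a[1]),
        "reply_b": r.inbound("198.51.100.7", 80, b[1]),
        "uninvited_before": r.inbound("192.0.2.55", 5000, 81),
    }
    r.add_static(81, "192.168.157.1", 81)        # the port 81 mapping asked about in the thread
    results["uninvited_after"] = r.inbound("192.0.2.55", 5000, 81)
    results["other_port"] = r.inbound("192.0.2.55", 5000, 23)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the static entry in place only public port 81 reaches the inside host; every other uninvited port still finds no match and is dropped, which keeps the exposed surface to the single forwarded service.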
 