Ascend Archive

Re: (ASCEND) Nat won't, nailed ain't!



Adam Chappell wrote:

> 
> As far as I understand NAT on the pipeline, an incoming ping just
> doesn't work. Only TCP and UDP are supported as protocols eligible for
> address translation inbound. Ping works outbound from a masqueraded
> address, but ICMP-based traceroute programs (eg. Win95 tracert) only
> seem to show the last hop.
> 
> I'm not sure if the lack of incoming ping-ability is broken behaviour
> or not: RFC1631 (NAPT) seems to be the closest thing to defining the
> official spec. that I've seen. A cisco 2501 running IOS 11.2 seemed to
> do the same thing: you couldn't ping the single 'public' address
> (admittedly, though, the version I saw seemed to be cut down and
> didn't support incoming static NAT maps either).
> 
> I've seen other reports of static NAT maps not operating properly on
> the Pipeline, but I can confirm that in the P130 cases I've seen on
> 5.1Ap4, 5.1Ap9 and 6.0.X the static maps *do* seem to work without
> grief.
> 
> The real problem is with the dynamic maps built for outgoing
> connections - ie. the maps viewable via the diagnostic command
> NAPT. There seems to be a static limit of 500 dynamic mappings across
> the router at any one time - this would be fine, but the pipeline
> doesn't seem to delete the mappings on the passing of a TCP RST or FIN
> packet, instead letting them timeout after 24 hours. In my experience,
> this usually tends to lead to a P130 refusing to map any more outgoing
> connections for ~20 hours. For more details see:
> 
>  http://www.noc.colt.net/ascend/grief/2.html
> 
> Ascend have no fix for this as far as I'm aware. If I were you I'd
> steer clear of Ascend Pipeline Single-IP NAT with the possible
> exceptions of single user setups where you could be fairly sure that
> less than 500 TCP/UDP sessions within 24 hours would be required.  :<
> 
> -- Adam.

Well, in the words of General Custer, "I wish I had known this before."
Ok, it doesn't have to ping; that was just me trying to test it, but
it does not do any mapping. This is almost as simple as a single-user
site, in that I want port 23 to be mapped to the Pipeline's local
address (so I can change it from here) and I want ports 25 and 80
mapped to the one server, for sendmail and web respectively. Nothing
else is needed and traffic will be very light.

I've done this in the static map tables (local 23, dst 23 etc...)
but it doesn't work. Is this wrong? I used the 192.168.101.* address
as the local IP address- couldn't imagine using anything else.

I tried to RTFM but couldn't find anything on Ascend's website.

Thanks for the help.

'Shot

-- 
Darkshot (Michael B. Garrett)
<http://www.gloryroad.net>
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
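
The table exhaustion described in the quoted message, as an added example that is not part of the original thread and not Ascend's code: a toy dynamic NAPT table with the 500-entry limit and 24-hour expiry reported above, run with and without freeing entries on TCP FIN/RST. The class, the workload (one short TCP session every 30 seconds) and the inside host address are constructed assumptions.

```python
MAX_MAPS = 500             # dynamic-map limit reported in the thread
IDLE_TIMEOUT = 24 * 3600   # seconds; 24-hour expiry reported in the thread


class NaptTable:
    """Toy model of a dynamic NAPT table (a hypothetical structure, not Ascend's)."""

    def __init__(self, free_on_fin_rst):
        self.free_on_fin_rst = free_on_fin_rst
        self.maps = {}  # (proto, inside_ip, inside_port) -> creation time

    def open(self, key, now):
        # Expire by timeout first, then refuse new flows once the table is full.
        self.maps = {k: t for k, t in self.maps.items() if now - t < IDLE_TIMEOUT}
        if key not in self.maps and len(self.maps) >= MAX_MAPS:
            return False
        self.maps[key] = now
        return True

    def close(self, key):
        # Called when a TCP FIN or RST is seen for the flow.
        if self.free_on_fin_rst:
            self.maps.pop(key, None)


def simulate(free_on_fin_rst, sessions=4000, interval=30):
    """Constructed workload: one short TCP session every `interval` seconds.

    Returns (refused, blocked_from, blocked_until), times in seconds.
    """
    table = NaptTable(free_on_fin_rst)
    refused, blocked_from, blocked_until = 0, None, None
    for i in range(sessions):
        now = i * interval
        key = ("tcp", "192.168.101.10", 1024 + i)  # constructed inside host
        if table.open(key, now):
            table.close(key)
            if blocked_from is not None and blocked_until is None:
                blocked_until = now
        else:
            refused += 1
            if blocked_from is None:
                blocked_from = now
    return refused, blocked_from, blocked_until


if __name__ == "__main__":
    for mode in (False, True):
        print("free on FIN/RST:", mode, simulate(mode))
```

With this workload the timeout-only table stops mapping new connections a little over four hours in and stays blocked for about 19.8 hours, in line with the ~20 hours reported in the quoted message; the table that frees entries on FIN/RST never refuses a connection.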

