2000/01/21

		ComOS 3.9b27 Beta Release Note
		for PortMaster Office Routers

________________ Introduction

The new Lucent Technologies ComOS(R) 3.9b27 closed beta software
release is now available for PortMaster(R) Office Routers.

This release is provided at no charge to Lucent customers taking part
in the beta test.

This release note documents the following:

* Commands and features added between ComOS 3.7.2 and ComOS 3.9b27 on
PortMaster Office Routers.

* Commands and features added between ComOS 3.7.1 and ComOS 3.9b27 on
the PortMaster Office Router AP.

This release note applies only to PortMaster Office Routers.

Before upgrading, thoroughly read "ComOS 3.9b27 Limitations"
and "Upgrade Instructions."

WARNING! Due to the increased size of ComOS, the amount of nonvolatile
RAM (NVRAM) available for saving configurations has been reduced from
128KB to 64KB. PortMaster products with configurations greater than
64KB will lose some of their configuration.  For this reason, be sure
to back up your Office Router configuration before upgrading to this
release. You can check the amount of memory used for your configuration
with the "show files" command. Ignore any files that also include an
uncompressed size. For more information, see the section "Identifying
and Correcting NVRAM Overflow."

_______________ Contents

Introduction
Bugs Fixed in ComOS 3.9b27
Providing Space for NVRAM Reconfiguration
Identifying and Correcting NVRAM Overflow
New Features in ComOS 3.9b27
	RADIUS Authentication Failover
	RADIUS Accounting Retry Interval and Count
	Network Address Translator (NAT)
	Assigned IP for Dial-Out Locations
	Enhanced PMVision Support
Configuring NAT
ComOS 3.9b27 Limitations
Upgrade Instructions
Technical Support

_______________ Bugs Fixed in ComOS 3.9b27

* Unauthorized Telnet connections are now timed out after 2 minutes.

* The "set maximum pmconsole" command now takes effect immediately.
Previously, active connections on port 1643 had to be reset before
changes were applied.

* Output for the "set debug ?" command has been enhanced.

* A RADIUS Login-User with the telnet login service no longer generates
a Framed-User start record erroneously.

* Accounting records for a RADIUS Administrative-User logging in to
port S0 now show the correct service type.

* Administrative logins logged to syslog no longer have the password
sent in clear text.

* The authentication packet sent for telnet logins now reports the
correct user type to the access log. Previously, the authentication
packet erroneously reported a user type of Outbound-User.

* Startup and shutdown accounting packets are now resent like other
accounting packets.

* The "show sessions" command no longer returns garbage characters at
the end of a 12-character location name.

* The "show table location" command now shows the full location name.

* The command "set user protocol ppp" no longer deletes the
Point-to-Point Protocol (PPP) asynchronous map.

* The attributes associated with the user are now deleted when the user
entry is deleted. For example, if a network user (netuser) named lee
configured with NAT is deleted, the old NAT configuration parameters
are no longer listed for any new user named lee.

* If a RADIUS menu user fails over a Telnet connection, an
administrative user is now allowed to telnet in. Previously, the
administrative user was rejected until the Office Router was rebooted.

* When routing is disabled on a WAN port, the port status now reflects
this condition.

* Subnets included as part of an OSPF area range are now advertised as
internal OSPF routes. If not included as part of the range, they are
advertised as OSPF type 2 external (E2) routes. In previous releases,
the Office Router advertised routes in this way when they were part of
an assigned address pool, but not if they were subnets used to assign
static IP addresses.

* OSPF configuration information is now saved during an upgrade from
ComOS 3.7 to ComOS 3.9b27.

_______________ Providing Space for NVRAM Reconfiguration

Before upgrading an Office Router to ComOS 3.9b27, you MUST disable the
Open Shortest Path First (OSPF) and IPX protocols. To do so, enter the
following commands:

    set ospf disable
    set ipx off
    save all
    reboot

Disabling these protocols provides sufficient memory space for the
NVRAM reconfiguration that takes place during the upgrade process.

NOTE: Lucent strongly recommends that you save the Office Router
configuration before upgrading to ComOS 3.9b27.

After loading the new ComOS 3.9b27 and rebooting, look for the
following messages on the console screen to verify that ComOS has
loaded successfully:

Testing Low Memory....
Testing System Clock....
Testing System Memory.... A000
Checking Boot Rom....
Starting FLASH Boot.....
Booting From Flash Type Am29F040
Loading Image at 0fff0000
17172  flash copy complete
Verifying Load Module Checksum...
Starting Load Module ...
Loading kernel... 693376 bytes
Testing High Memory ... . 1024K
Loading kernel extensions... 125952 bytes
ISDN found in slot 0 - Testing memory .. 512K
Found 3 ports....
ether0 active ... 16K burst-IO
Reconfiguring FLASH...
   Malloc size 50368 at 152b20
   Malloc size 15166 at 99b8c
   Opened modules STD file
   Read 50176 bytes at 152b20
   Read 14523 bytes at 99b8c
   read 2 buffers
   Call flash format
   Call erase_config
   Call freecntl
   Call save
   Call f_open
   Write 50176 bytes at 152b20
   Write 14523 bytes at 99b8c
done - rebooting

IF YOU SEE MESSAGES LIKE THE FOLLOWING INSTEAD, you must netboot the
Office Router:

Livingston Enterprises, Inc. Boot Prom Rev K

Testing Low Memory....
Testing System Clock....
Testing System Memory.... A000
Checking Boot Rom....
Starting FLASH Boot.....
Booting From Flash Type Am29F040
Loading Image at 0fff0000
17152  flash copy complete
Verifying Load Module Checksum...
Starting Load Module ...
Loading kernel... 693384 bytes
Testing High Memory ... . 1024K
Loading kernel extensions... 125952 bytes
Found 2 ports....
ether0 active ... 64K burst-IO
Reconfiguring FLASH...
   Malloc size 26896 at 103164
   Malloc size 13232 at 109a9c
   Malloc size 11200 at 13d418
   Malloc size 5216 at 14eb80
   Malloc size 4864 at ecdc
   Malloc size 1376 at 26a18
Couldn't allocate reconfigure memory
Running ComOS...

You must have enough space to reconfigure NVRAM. If OSPF and IPX were
already disabled before the upgrade, you might have insufficient room.

_____________ Identifying and Correcting NVRAM Overflow

If your configuration on an Office Router becomes too large, it will
overflow the NVRAM allocated for the configuration.  Always keep a
current backup of your Office Router's configuration in case the
configuration becomes too large and is erased.

If you see a message like the following, the configuration on your
Office Router has been erased:

   Command> save all
   Saving ports
   Saving global configuration
   Couldn't save global configuration

You cannot correct this situation by rebooting or deleting unneeded
portions of the configuration. The Office Router does not have
sufficient room to rewrite the smaller configuration while the old,
larger configuration is consuming NVRAM.  The only way to clear this
problem is to issue the "erase config" command and then enter
"reboot".

To prevent the NVRAM overflow problem, you can check the size of your
configuration and remove unneeded configuration, if necessary.  To do
so, enter "show files" and compare the total displayed to the following
total.  These values appeared on an Office Router with this problem in
the Lucent lab:

   Command> show files
   File Name		Length
   ----------------	-------
   config		2078
   passwd		216
   rti_user		112
   location		348
   script		177
   rti_loc		116
   snmp			20
   maps			58124
 			-------
   Total		61191

If your configuration is approaching this size, delete unneeded
sections of the configuration such as unused filters, users, or
locations. Enter the "save all" command after every small deletion to
save the entire configuration and ensure that enough space is still
available.

In the example above, for instance, the passwd file (which stores the
users) consumes 216 bytes. If you erase some users, the file might
shrink to 150 bytes. When you enter "save all", 150 free bytes must be
available to store the passwd file.
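
The check described in this section can be run offline against a saved
copy of the "show files" output. The Python below is an added example,
not part of the original release note or of ComOS; the function names,
the 90 percent warning threshold, and the use of the lab total (61191)
as a conservative ceiling are assumptions, as is the way a row with an
uncompressed size is recognized.

```python
"""Pre-upgrade NVRAM check for "show files" output (added example)."""

# "show files" output copied from the lab example in this release note.
SHOW_FILES = """\
   File Name		Length
   ----------------	-------
   config		2078
   passwd		216
   rti_user		112
   location		348
   script		177
   rti_loc		116
   snmp			20
   maps			58124
 			-------
   Total		61191
"""

# Total at which the lab router in this release note lost its configuration.
# Assumption: used as a conservative ceiling, because the exact usable limit
# inside the 64KB of NVRAM is not stated in the release note.
LAB_OVERFLOW_TOTAL = 61191


def parse_show_files(text):
    """Return ({file name: length}, reported total) from "show files" output."""
    files, reported = {}, None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not all(f.isdigit() for f in fields[1:]):
            continue  # header, ruler or blank line
        name, sizes = fields[0], [int(f) for f in fields[1:]]
        if name.lower() == "total":
            reported = sizes[0]
        elif len(sizes) == 1:
            files[name] = sizes[0]
        # Assumption: a row with a second number carries an uncompressed
        # size; the release note says to ignore such files.
    return files, reported


def nvram_report(text, ceiling=LAB_OVERFLOW_TOTAL, warn_ratio=0.9):
    """Summarize configuration size against the ceiling."""
    files, reported = parse_show_files(text)
    total = sum(files.values())
    if total >= ceiling:
        status = "overflow-risk"
    elif total >= warn_ratio * ceiling:
        status = "approaching"
    else:
        status = "ok"
    return {
        "total": total,
        "reported": reported,
        "free": max(ceiling - total, 0),
        "largest": max(files, key=files.get) if files else None,
        "status": status,
    }


def can_resave(text, name, new_size, ceiling=LAB_OVERFLOW_TOTAL):
    """True if new_size free bytes exist to rewrite file `name`.

    Follows the release note's rule that "save all" needs free space equal
    to the size of the file being rewritten while the old copy is in NVRAM.
    """
    files, _ = parse_show_files(text)
    if name not in files:
        raise KeyError(name)
    return ceiling - sum(files.values()) >= new_size


if __name__ == "__main__":
    print(nvram_report(SHOW_FILES))
    print("passwd can be rewritten at 150 bytes:",
          can_resave(SHOW_FILES, "passwd", 150))
```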

_______________ New Features in ComOS 3.9b27

The following commands and features have been added in ComOS 3.9b27.

_______ RADIUS Authentication Failover

Authentication failover allows PortMaster Office Routers to dynamically
switch primary and alternate RADIUS authentication servers according to
their response. Use the following commands:

  set authentication interval Seconds
  set authentication failover on | off

The first command sets the response interval. The Office Router sends a
RADIUS access-request packet every "interval" number of seconds. If no
response is received from the primary RADIUS server, the Office Router
switches or "fails over" to the secondary authentication server. The
secondary RADIUS server then is treated as the primary, and is marked
with an asterisk (*) in "show global" output.

  set authentication interval Seconds

Seconds		A value between 1 and 255. The number of seconds
		that must elapse between RADIUS access-request
		retransmissions if the Office Router receives no
		response. The default is 3 seconds, and 0 resets the
		value to the default. If the primary server does not
		respond, failover occurs after two times the Seconds
		value. For example, if "set authentication interval 6"
		is used, failover occurs in 12 seconds.

The second command enables the failover feature on PortMaster Office
Routers:

  set authentication failover on | off

on	If the primary server fails to respond three times in a row,
	the Office Router sends the packet to both the primary and
	secondary servers for the next seven retransmissions. If the
	secondary server replies before the primary server, the
	Office Router switches the primary and secondary servers.
	Then on the next login attempt, the Office Router tries the
	secondary server first. If the secondary server fails to
	respond three times in a row, the Office Router sends the
	packet to both servers and designates the server that replies
	first as the new primary server.

off    	The Office Router always tries the primary server first,
	same as the current behavior. This is the default.

_____ RADIUS Accounting Retry Interval and Count

The Office Router attempts to send each RADIUS accounting packet
every "interval" seconds, and sends it the "count" number of times
before giving up. If an acknowledgement is received from the RADIUS
accounting server, the Office Router no longer tries to resend the
accounting packet. If no acknowledgment is sent from the primary
server in response to the first packet, the Office Router sends the
packet to both the primary and secondary RADIUS accounting servers.

   set accounting count Number
   set accounting interval Seconds

Number 		A decimal number between 1 and 99. The number of
		times the Office Router sends a RADIUS accounting
		packet without acknowledgement from a RADIUS
		server. The default is 5.

Seconds		A decimal number between 1 and 255. The number of
		seconds that must elapse between RADIUS accounting
		packet retransmissions if not acknowledged by the
		accounting server. The default is 30 seconds.

Use the "show global" command to view the Accounting Count and the
Accounting Interval settings.

Examples:

Command> set accounting count 45
Accounting retry count changed from 23 to 45

Command> set accounting interval 60
Accounting retry interval changed from 30 to 60 sec

_______ Network Address Translator (NAT)

ComOS 3.9b27 supports the network address translator (NAT) based on RFC
2663.

The basic network address translator (basic NAT) maps IP addresses from
one group to another, transparently to users and applications. The
network address port translator (NAPT) is an extension to basic NAT, in
which multiple network addresses and their TCP and UDP ports are mapped
to a single network address and its ports.

ComOS supports both basic NAT and NAPT for both outbound and inbound
sessions. It also supports an "outsource" mode in which all NAT
processing is done on the server side of the connection.

See the section titled "Configuring NAT" for more information.

For more information about NAT commands, see the PortMaster Command
Line Reference. For detailed configuration information, see the
PortMaster Configuration Guide.

_______ Assigned IP for Dial-Out Locations

Use the following command to configure a dial-out location on
PortMaster Office Routers to receive a dynamically assigned address:

  set location Locname local-ip-address assigned  | Ipaddress

Locname		Name of a location table entry.

In previous releases of ComOS for PortMaster Office Routers, dial-out
locations could not receive a dynamic address.

_______ Enhanced PMVision Support

Additional support has been added to ComOS 3.9b27 to allow PMVision(TM)
to monitor and configure ComOS 3.9b27 features on PortMaster Office
Routers. See the most recent PMVision release note for details.

_______________ Configuring NAT

ComOS 3.9b27 supports the network address translator (NAT) based on
RFC 2663.

The basic network address translator (basic NAT) capability maps IP
addresses from one group to another, transparently to users and
applications. The network address port translator (NAPT) capability is
an extension to basic NAT in which multiple network addresses and their
TCP and UDP ports are mapped to a single network address and its
ports.

ComOS supports both basic NAT and NAPT for both outbound and inbound
sessions. It also supports an "outsource" mode in which all NAT
processing is done on the server-side of the connection.

NOTE: While this release note covers only PortMaster Office Routers,
other PortMaster products support NAT and might be used in the examples
in this section. None of the IP addresses or networks used in the
examples are intended to refer to any actual real-world company or
network assignment.

_______ Quick Setup of Outbound NAPT ("Many-to-One")

Outbound NAPT is very common in a small office/home office (SOHO)
situation. To configure, use the following command---entered all on one
line:

    set Ether0 | S0 | W1 | location Locname | user Username
    nat outmap defaultnapt

The port, location, or user is your connection to the outside world.
For example, on an Office Router dialing out to location "myisp" you
enter the following:

    set location myisp nat outmap defaultnapt

Then connect normally. You must reset the port if the connection has
already been established. If this is a dial-on-demand location, then
you must also reboot the Office Router, or follow the instructions
listed in the section "Handling Changes to On-Demand Locations."

With the "defaultnapt" NAT configuration, all the hosts behind the
Office Router will have their addresses translated to the IP address of
the interface that is assigned to the location.

_______ NAT Concepts

This section explains some of the NAT terminology and provides hints to
assist you in developing more complex NAT configurations.

For example, you might want to allow inbound connections---external
connections into a web server that resides behind the Office Router
running NAT. Or you might need to renumber your network and want to use
basic NAT to avoid renumbering the entire network.

Private vs. Global IP Addresses:

Global IP addresses are accessible from anywhere on the Internet.  They
are "external" to the Office Router running NAT---at another branch
office, for example---because NAT is not limited to the Internet.
External hosts do not generally recognize any internal private IP
addresses that you might have assigned to your local hosts. Private IP
addresses are usually taken from one of the following ranges defined in
RFC 1918, which are reserved specifically for this purpose:

    10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
    172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
    192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Lucent strongly recommends numbering your private IP network(s) with IP
addresses from one of the reserved ranges rather than just selecting IP
addresses randomly.

Inbound vs. Outbound Sessions:

A "session" in NAT is considered either inbound or outbound:

* An inbound session is initiated to a client behind the NAT router by
a host external to a private IP network.

* An outbound session is initiated to an external host by a client
within the NAT-covered private IP network.

Basic NAT vs. NAPT:

Basic NAT does a one-to-one mapping of a private IP address to a
global IP address. You still must have a global IP address for every
host with a private IP address that needs to connect to an external
host at the same time.

With basic NAT, you can configure dynamic IP address pools from
which IP address allocations are made, allowing a number of private
hosts to use a (possibly) smaller pool of global IP addresses. Or you
can configure static IP address pools in which a static mapping exists
for each host, requiring the size of the pool to match the number of
hosts being translated.

If you configure a dynamic pool and have fewer global IP addresses
available than total private hosts, you will have a shortage of IP
addresses if all the hosts try to access the external network
simultaneously. This possibility needs to be accounted for in your
planning.

The network address port translator (NAPT) performs a many-to-one
"port translation." This capability allows any number of private
hosts to communicate globally while using only a single global IP
address.

Outsource Mode NAT:

Outsource mode NAT allows an Office Router to handle NAT processing and
management for a connected network interface. If a remote router that
the Office Router is connected to cannot run NAT locally, the Office
Router can perform NAT services for that device.

All NAT configuration is handled on the Office Router. A central site
administrator can maintain all NAT mappings for all sites on the Office
Router without having to worry about the capabilities or management of
a number of entirely separate routers.

_______ Map Management

NAT maps define the mappings and translations between global and
private IP address space. The following map table commands are
supported:

   show table map		Shows all map files.

   show map Mapname	Displays a map's contents.

   add map Mapname	Creates a new map.

   delete map Mapname	Deletes a map.

   save map		Saves map contents into
			nonvolatile RAM.

NOTE: In this release of NAT, inbound maps are restricted to static
address maps and/or static TCP/UDP port maps only. Outbound maps do not
have this limitation.

See the following section for map configuration commands.

_______ Configuring Map Contents

Entering NAT maps is very similar to configuring filters in ComOS.  The
basic command "set map Mapname" has five versions that you can use as
follows---entered all on one line:

1. To define a single dynamic pool IP address map entry or range or
    list of entries, use the following command:

    set map Mapname Rulenumber addressmap
	Ipaddrxfrom Ipaddrxto | @ipaddr [log]

2. To define a single static pool IP address map entry or range
    or list of entries, use the following command:

    set map Mapname Rulenumber staticaddressmap
	Ipaddrxfrom Ipaddrxto | @ipaddr [log]

3. To define a static or dynamic TCP or UDP port range map
    entry or list of entries, use the following command:

    set map Mapname Rulenumber static-tcp-udp-portmap
    	Ipaddxfrom:Tport1 | Uport1 | Portname
    	Ipaddxto: Tport2 | Uport2 | Portname [log]

4. To remove rule Rulenumber in a map file, use the following
    command:

    set map Mapname Rulenumber

5. To empty the contents of a map file, use the following command:

    set map Mapname blank

Mapname	Address map name of up to 15 characters.

Rulenumber	Integer between 1 and 20.

Ipaddxfrom	IP address or range or list of IP addresses to be translated.

Ipaddxto 	IP address or range or list of IP addresses to translate to.

Tport		TCP number or range of numbers---between 1 and 65535.

Uport		UDP number or range of numbers---between 1 and 65535.

Portname	One of the following services:
		telnet	TCP port 23.
		ftp	TCP ports 20 and 21.
		tftp	UDP port 69.
		http	TCP port 80.
		dns	TCP/UDP port 53.
		smtp	TCP port 25.

@ipaddr		IP address of the port being configured as the
		destination address.

log		Selectively logs events for this map entry.

The following keywords have abbreviations for ease of entry:

    addressmap = am
    staticaddressmap = sam
    static-tcp-udp-portmap = stupm

Values for "Ipaddxfrom" and "Ipaddxto" can be one or more of the
following, separated by commas (,):

     IP address/mask
     IP address - IP address
     IP address1,Ipaddress2, ...
     IP address

The value for "Portnumber" can be a single port number or a range of
ports such as "6000-6010" (for an inbound X Server) that you want
statically mapped. This capability prevents your needing multiple map
rules to accomplish the same mapping.

Although you have NAT configured for a specified port, user, or
location, you are not required to translate the addresses of all the
hosts behind the Office Router running NAT. You can choose the hosts
for which NAT processing is done by designing your maps around them.

Example 1 --  Basic NAT:

When an outbound NAT map is defined for a port, the translation
succeeds when the source IP address matches the "Ipaddrxfrom" address
in the outbound map.

Here is an outbound map that maps a single host with the private IP
address 10.5.3.6 to the global IP address 192.168.5.3. This is a basic
NAT configuration.

1. Configure a map for outbound NAT named myisp.out:

    set map myisp.out 1 addressmap 10.5.3.6 192.168.5.3

2. Configure location myisp:

     set location myisp nat outmap myisp.out

BEFORE Outbound NAT:
    Src: 10.5.3.6:12023  Dest: 192.168.2.4:80

AFTER NAT translation using the example outbound map:
    Src: 192.168.5.3:12023  Dest: 192.168.2.4:80

Example 2 --  @ipaddr Keyword:

As a special case, the "Ipaddrxto" value for an address map can be set
to "@ipaddr" when the address map is being used for outbound or
outbound outsource connections. The special macro "@ipaddr" uses the IP
address assigned to the port on which the address map is being used.

  set map myisp.outmap 1 addressmap 10.2.3.0/0 @ipaddr

Example 3 -- defaultnapt Map:

The reserved map "defaultnapt," described in the section
"Using the Default NAPT Map," is equivalent to the following
map:

  set map myisp.outmap  1 addressmap 0.0.0.0/0 @ipaddr Log

Example 4 -- Basic NAT Pools:

Using the "Ipaddrxfrom" and "Ipaddrxto" values for an address map
allows you to configure one-to-one mappings of private IP addresses to
global IP addresses. Using lists of addresses for these values allows
the configuration of IP address allocation pools, from which global IP
addresses can be allocated for outbound sessions as they are required.

Here is a configuration using a global IP address pool range of
192.168.9.1 through 192.168.9.10 for hosts in the private network
10.9.9.0/24 for outbound NAT. This configuration allows only 10
concurrent outbound NAT sessions from the 10.9.9.0 subnet.

1. Configure rule 1 for outbound NAT map myisp.out:

    set map myisp.out 1 addressmap 10.9.9.0/24 192.168.9.1-192.168.9.10

2. Configure location myisp:

     set location myisp nat outmap myisp.out

Example 5 -- Basic NAT Static Maps:

If you require that private addresses always be mapped to the same
global addresses, use a static address map instead of a dynamic address
map. The following example creates a NAT mapping in which the private
IP address range 10.1.1.0/24 is translated to the global IP address
range 192.168.65.0/24 on the outbound transmission. Because this is a
static address map, it always translates 10.1.1.1 to 192.168.65.1,
10.1.1.55 to 192.168.65.55, and so on.

Configure a map for outbound NAT named myisp.out, and apply it
as an outmap to the location:

    set map myisp.out 1 staticaddressmap 10.1.1.0/24 192.168.65.0/24
    set location myisp nat outmap myisp.out

Alternatively, to allow inbound sessions to the same set of hosts,
create an inbound map named myisp.in and apply it as an inmap to the
location:

    set map myisp.in 1 staticaddressmap 192.168.65.0/24 10.1.1.0/24
    set location myisp nat inmap myisp.in

For a static address map, the total ranges on both sides must have the
same number of IP addresses; otherwise, a one-to-one static mapping is
not possible.

If you do not have sufficient global addresses to do one-to-one
mapping, use NAPT for all or part of the private hosts (see Example 6),
or reduce the number of IP addresses being translated.

Example 6 -- Mixing Static and Dynamic Address Maps:

This example uses a combination of static address maps for
specific hosts and NAPT for the remainder of the private hosts.

    set map myisp.out 1 staticaddressmap 192.168.65.1-192.168.65.10
	10.1.1.1-10.1.1.10
    set map myisp.out 2 staticaddressmap 192.168.65.73 10.1.1.73
    set map myisp.out 3 addressmap 192.168.65.0/24 10.1.1.11
    set location myisp nat inmap myisp.out

The order of the rules in a NAT map is important. In this example, a
private host with an address of 192.168.65.73 attempting outbound
access via the myisp location uses rule 2 and is translated to address
10.1.1.73. A private host with an address of 192.168.65.74 uses rule 3
and is translated to 10.1.1.11.
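
The rule ordering of Example 6, the static one-to-one mapping of
Example 5, and the limited pool of Example 4 can be checked offline
before a map is entered. The Python model below is an added example,
not ComOS code and not part of the original release note; the NatMap
class and helper names, the lowest-free-address pool allocation, and
the treatment of a one-address target as shared by all matching hosts
(NAPT) are assumptions of this model, and port translation is not
modelled.

```python
"""First-match model of NAT address maps (added example, not ComOS code)."""
import ipaddress


def parse_ranges(spec):
    """Turn 'addr', 'addr/len', 'addr-addr' or a comma list into (lo, hi) ints."""
    ranges = []
    for part in (p.strip() for p in spec.split(",")):
        if "/" in part:
            net = ipaddress.IPv4Network(part, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        elif "-" in part:
            lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in part.split("-"))
            ranges.append((lo, hi))
        else:
            addr = int(ipaddress.IPv4Address(part))
            ranges.append((addr, addr))
    return ranges

def size(ranges):
    return sum(hi - lo + 1 for lo, hi in ranges)

def index_of(ranges, addr):
    """Position of addr within the concatenated ranges, or None if absent."""
    offset = 0
    for lo, hi in ranges:
        if lo <= addr <= hi:
            return offset + addr - lo
        offset += hi - lo + 1
    return None

def nth(ranges, n):
    """Dotted-quad string of the n-th address in the concatenated ranges."""
    for lo, hi in ranges:
        if n < hi - lo + 1:
            return str(ipaddress.IPv4Address(lo + n))
        n -= hi - lo + 1
    raise IndexError(n)


class NatMap:
    def __init__(self, port_ip=None):
        self.port_ip = port_ip   # address substituted for the @ipaddr macro
        self.rules = {}          # Rulenumber -> (kind, from ranges, to ranges)
        self.leases = {}         # Rulenumber -> {source address: pool index}

    def set_rule(self, number, kind, ip_from, ip_to):
        if not 1 <= number <= 20:
            raise ValueError("Rulenumber must be between 1 and 20")
        if kind not in ("addressmap", "staticaddressmap"):
            raise ValueError("unsupported map type: " + kind)
        if ip_to == "@ipaddr" and self.port_ip:
            ip_to = self.port_ip
        src, dst = parse_ranges(ip_from), parse_ranges(ip_to)
        if kind == "staticaddressmap" and size(src) != size(dst):
            raise ValueError("static map needs equal address counts on both sides")
        self.rules[number] = (kind, src, dst)

    def translate(self, address):
        """Return (rule number, translated address) for the first matching rule.

        (None, None): no rule matched. (n, None): rule n matched, pool exhausted.
        """
        addr = int(ipaddress.IPv4Address(address))
        for number in sorted(self.rules):          # lowest rule number wins
            kind, src, dst = self.rules[number]
            idx = index_of(src, addr)
            if idx is None:
                continue
            if kind == "staticaddressmap":         # same offset on both sides
                return number, nth(dst, idx)
            if size(dst) == 1:                     # many-to-one (assumed NAPT)
                return number, nth(dst, 0)
            leases = self.leases.setdefault(number, {})
            if addr not in leases:                 # one pool address per host
                free = sorted(set(range(size(dst))) - set(leases.values()))
                if not free:
                    return number, None
                leases[addr] = free[0]
            return number, nth(dst, leases[addr])
        return None, None


def example6_map():
    """Rules copied from Example 6 of this release note."""
    nat = NatMap()
    nat.set_rule(1, "staticaddressmap", "192.168.65.1-192.168.65.10", "10.1.1.1-10.1.1.10")
    nat.set_rule(2, "staticaddressmap", "192.168.65.73", "10.1.1.73")
    nat.set_rule(3, "addressmap", "192.168.65.0/24", "10.1.1.11")
    return nat


if __name__ == "__main__":
    nat = example6_map()
    for host in ("192.168.65.5", "192.168.65.73", "192.168.65.74", "172.16.0.1"):
        print(host, "->", nat.translate(host))
```

Renumbering rule 3 of Example 6 as rule 1 in this model sends
192.168.65.73 to 10.1.1.11 instead of 10.1.1.73, which is the ordering
mistake the paragraph above warns about.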

Example 7 -- Fully Specified Inbound Map:

When an inbound NAT map is defined for a port, the translation succeeds
when the destination IP address matches the "Ipaddrxfrom" address in
the inbound map.

Suppose you want to allow Internet access to your internal HTTP
server running on 10.4.2.9. To do so, configure the following as an
inbound map. You also have a global IP address 192.168.2.4 assigned to
your Office Router as the global address for all hosts residing behind
NAT:

1. Configure inbound NAT map myisp.in:

    set map myisp.in 1 static-tcp-udp-portmap 192.168.2.4:http 10.4.2.9

2. Configure the location:

    set location myisp nat inmap myisp.in

BEFORE Inbound NAT:
    Src: 130.65.2.3:12023  Dest: 192.168.2.4:80 (80 is http)

AFTER NAT translation using the example inbound map:
    Src: 130.65.2.3:12023  Dest: 10.4.2.9:80

_______ Configuring Interfaces, Locations, and Users

The basic command "set Ether0 | S0 | W1 | location Locname | user
Username" has five NAT commands that you can use as follows---entered
all on one line---to configure NAT on an Office Router.

You must reset an active port for changes in its NAT configuration to
take effect. For more information, see the section "Resetting NAT
Sessions."

1. To configure a NAT map for outbound sessions and optionally
    enable the outsource function, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat outmap Mapname [outsource]

2. To configure a NAT map for inbound sessions and optionally
    enable the outsource function, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat inmap Mapname  [outsource]

To remove the map entry from the specified interface, user, or
location, re-enter the command, minus the "outsource" keyword, with a
space after the Mapname value.

3. To set logging options for a NAT session on an interface, use this
    command:

    set Ether0 | S0 | W1 | location Locname | user Username
	nat log sessionfail | sessionsuccess | syslog | console
	on | off

4. To set the default action that the Office Router takes if a request
    for a NAT session is refused because the mapping configuration is
    invalid or does not exist, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat session-direction-fail-action drop | icmpreject | passthrough

5. To set the maximum idle time for a NAT session, use this command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat sessiontimeout  tcp | other Number [minutes | seconds]

_______ Using the Default NAPT Map

You can assign the reserved map name "defaultnapt" to an outbound-only
NAPT configuration, with the following results:

* When "defaultnapt" is assigned as an outbound map, without the
"outsource" option, all outbound IP sessions through the given port are
subject to NAPT and use the IP address assigned to the port.

* When "defaultnapt" is assigned as an outbound map for the
port---using "outsource" in the command line---all inbound IP sessions
(with respect to the calling device) through the given port are subject
to outsource NAPT and use the IP address assigned to the port.

NOTE: In this release of NAT, inbound maps are restricted to static
address maps and/or static TCP/UDP port maps only. Outbound maps do not
have this limitation.

_______ Using RADIUS for NAT

Many NAT configuration parameters can also be configured via
RADIUS on a per-user basis. For RADIUS to support the new
vendor-specific attributes, you must be running the Lucent
RADIUS 2.1 server or another RADIUS server---such as the
NavisRadius(TM) product---that supports vendor-specific attributes.

Add the following attributes and values to your RADIUS dictionary
if they are not already there. Then stop and restart your RADIUS server.

RADIUS Dictionary Updates:

ATTRIBUTE	LE-NAT-TCP-Session-Timeout	14	integer	Livingston
ATTRIBUTE	LE-NAT-Other-Session-Timeout	15	integer	Livingston
ATTRIBUTE	LE-NAT-Log-Options		16	integer	Livingston
ATTRIBUTE	LE-NAT-Sess-Dir-Fail-Action	17	integer	Livingston
ATTRIBUTE	LE-NAT-Inmap			18	string	Livingston
ATTRIBUTE	LE-NAT-Outmap			19	string	Livingston
ATTRIBUTE	LE-NAT-Outsource-Inmap		20	string	Livingston
ATTRIBUTE	LE-NAT-Outsource-Outmap	21	string	Livingston

VALUE	LE-NAT-Sess-Dir-Fail-Action	Drop			1
VALUE	LE-NAT-Sess-Dir-Fail-Action	ICMP-Reject		2
VALUE	LE-NAT-Sess-Dir-Fail-Action	Pass-Through		3

VALUE	LE-NAT-Log-Options	Session-Success-On	1
VALUE	LE-NAT-Log-Options	Session-Failure-On	2
VALUE	LE-NAT-Log-Options	Console-On		3
VALUE	LE-NAT-Log-Options	Syslog-On		4
VALUE	LE-NAT-Log-Options	Success-Off		5
VALUE	LE-NAT-Log-Options	Failure-Off		6
VALUE	LE-NAT-Log-Options	Console-Off		7
VALUE	LE-NAT-Log-Options	Syslog-Off		8

Each RADIUS parameter corresponds to its command line equivalent. Refer
to the usage information on a particular NAT command in this release
note for more information.

When configuring a user profile, be sure to list any multiple
occurrences of the LE-NAT-Log-Options attribute, which sometimes
requires multiple values, in the order in which the values are listed
in the dictionary---the order shown above. For example:

joe	Auth-Type = System, Framed-Protocol = PPP
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	LE-NAT-Outsource-Outmap = "defaultnapt",
	LE-NAT-Sess-Dir-Fail-Action = Drop,
	LE-NAT-Log-Options = Session-Failure-On,
	LE-NAT-Log-Options = Console-On
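
The ordering requirement for LE-NAT-Log-Options can be checked before a
users file is deployed. The Python below is an added example, not part
of the original release note or of any RADIUS server; the function
names are assumptions, and the dictionary lines and the "joe" profile
are copied from this section.

```python
"""Check LE-NAT-Log-Options order in a RADIUS user profile (added example)."""
import re

# VALUE lines copied from the dictionary updates in this release note.
DICTIONARY = """\
VALUE	LE-NAT-Log-Options	Session-Success-On	1
VALUE	LE-NAT-Log-Options	Session-Failure-On	2
VALUE	LE-NAT-Log-Options	Console-On		3
VALUE	LE-NAT-Log-Options	Syslog-On		4
VALUE	LE-NAT-Log-Options	Success-Off		5
VALUE	LE-NAT-Log-Options	Failure-Off		6
VALUE	LE-NAT-Log-Options	Console-Off		7
VALUE	LE-NAT-Log-Options	Syslog-Off		8
"""

# User profile copied from the example in this release note.
PROFILE = """\
joe	Auth-Type = System, Framed-Protocol = PPP
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	LE-NAT-Outsource-Outmap = "defaultnapt",
	LE-NAT-Sess-Dir-Fail-Action = Drop,
	LE-NAT-Log-Options = Session-Failure-On,
	LE-NAT-Log-Options = Console-On
"""


def dictionary_order(dictionary, attribute):
    """Map each VALUE name of `attribute` to its position in the dictionary."""
    order = {}
    for line in dictionary.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "VALUE" and fields[1] == attribute:
            order[fields[2]] = len(order)
    return order


def log_option_problems(profile, dictionary, attribute="LE-NAT-Log-Options"):
    """Return a list of problems with the attribute's values in `profile`.

    Flags values missing from the dictionary and values that do not appear
    in dictionary order, which is what the release note requires.
    """
    order = dictionary_order(dictionary, attribute)
    seen = re.findall(r"%s\s*=\s*([\w-]+)" % re.escape(attribute), profile)
    problems = ["unknown value %s" % v for v in seen if v not in order]
    known = [v for v in seen if v in order]
    for first, second in zip(known, known[1:]):
        if order[first] >= order[second]:
            problems.append("%s must not follow %s" % (second, first))
    return problems


if __name__ == "__main__":
    print(log_option_problems(PROFILE, DICTIONARY) or "profile order is valid")
```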

_______ NAT Session Management

NAT sessions can be managed, viewed, and reset in several ways.

You can display the currently active NAT sessions using the following
command:

  show nat sessions  [tcp | udp | ftp | Sessionid]

Enter "show nat sessions" to display NAT session identification
numbers.

You can also limit the display to the sessions for a single port, user,
or location by appending a regular expression at the end of the command
line, as you can do with the "show routes" command.

You can view real-time statistics on NAT:

  show nat statistics

This command displays statistics on a per-port basis, including
successful translations, failures, address shortages when you are using
IP pools, and unsuccessful translations and/or lookups due to
timeouts.

Use the following command for debugging and to see resource usage:

  show nat mapusage

This command displays a list of active IP address and port bindings,
including a list of the remaining resources---TCP/UDP ports or IP
addresses---available for use.

_______ Resetting NAT Sessions

CAUTION! Resetting any or all interfaces while sessions are active
might cause active connections on clients and servers to be left open
or terminated abruptly. Lucent recommends NOT entering this command
while the interface is being used because doing so can leave
connections in an unknown state between the two communicating hosts.

You can reset the entire NAT subsystem with the following command:

    reset nat [Ether0 | S0 | W1]

The default resets all existing NAT sessions on the Office
Router---like the "reset all" command. Specifying the name of an
interface resets all NAT sessions associated with the specified
interface. Use the "ifconfig" command to see a list of interfaces.

Resetting NAT affects active NAT sessions only. If you modify the NAT
configuration on an active port, you must reset the port directly and
also reset NAT on that interface.

_______ Deleting Individual NAT Sessions

You can delete individual NAT sessions by using the session ID. This
value is displayed in the first column of a "show nat sessions" output.
Determine the session ID and then enter the following command:

  delete nat sessions [Sessionid]

_______ NAT Administrative Concerns

Be aware that you might need to do the following when configuring your
network in the presence of a NAT.

Stopping the Advertisement of Routing Information:

NAT creates a private network that cannot be advertised outside the
private boundary delimited by the NAT router. As a result, you must be
sure to disable network advertisements on the NAT router's global
interface.

For example, if you are running NAT on a PortMaster IRX(TM) Router model
IRX-211, with Ether0 as your private interface and Ether1 as your
global interface with NAT enabled on it, you must disable RIP
broadcasts:

    set ether1 rip listen

Or use the "off" option if you do not need to listen to RIP routing
updates at all.

If you are using OSPF, you must specify the private IP address range as
"quiet":

  set ospf area 0.0.0.0 range 10.0.0.0/8 quiet

Rerouting Global IP Addresses Used by NAT to Static Routing:

Because NAT is not equipped to advertise routing, the global IP
addresses (or networks) used by NAT might require the addition of
static routes on the routers that are external peers of the Office
Router.

Particularly, if you are using basic NAT to manage a pool of global
addresses, you must configure a static route for the pool of addresses
on the next-hop router of the Office Router.

Avoiding Ethernet LANs:

NAT does not provide Ethernet ARP services for the global IP addresses
it uses. For this reason, Lucent recommends that NAT be configured on
WAN interfaces instead of Ethernet interfaces. If you choose to
configure basic NAT on a LAN interface, be sure to select for use with
NAT a global IP address block that does not fall within the same
network prefix of the LAN interface itself.

Determining If Additional Security, Privacy, and/or Firewalls Are Needed:

Security is viewed differently in different environments. Many people
view NAT as a one-way (session) traffic filter, restricting sessions
from external hosts into their network. In that context, NAT provides a
certain degree of security that might not be acceptable for your
situation.

In addition, address assignment in NAT is often done dynamically.
Dynamically assigned addresses can often hinder an attacker from
pointing to any specific host in the NAT domain as a potential target
of attack. Partial privacy is gained because tracing an individual
connection to a particular user is more difficult. You can use
firewalls with NAT maps to provide other ways to filter unwanted
traffic.

However, NAT maps cannot by themselves transparently support all
applications and often must co-exist with application-level gateways
(ALGs)---for example, SOCKS. If you use NAT, you must determine the
application requirements first so that you can assess the extensions to
NAT and the security they provide.

NAT routers have a security limitation that allows NAT and/or its
application-level gateway extensions to read the packet data in the end
user traffic that passes through them. This limitation is a security
problem if the NAT routers are not in a trusted boundary.

Although you can encrypt NAT traffic, NAT must usually be the end point
to such an encryption-decryption setup. For example, you cannot
configure an end-to-end VPN tunnel with NAT routers in between. The end
point(s) must be a router running NAT.

Lucent does not guarantee NAT as a complete security solution.
Although placing your private network behind NAT might make it seem
inaccessible to the outside, this is not the intention of NAT. You must
evaluate the particular configuration, network topology, and security
requirement of your organization to determine whether simply installing
NAT eliminates the need for further security measures such as a
firewall.

Mapping for DNS:

When configuring DNS on the hosts behind NAT, if you add a map similar
to the following on the internal interface---usually Ether0 on an
Office Router---you can enter the IP address of your Office Router as
the DNS server. This is a useful feature if you do not always have the
same DNS server, because of multiple providers, but do not want to
reconfigure all your private hosts. Use the following commands,
entering each command all on one line:

    set map dns.inmap 1 static-tcp-udp-portmap
    	@ipaddr:dns <Primary DNS IP address>
    set ether0 nat inmap dns.inmap
    set location Locname nat outmap defaultnapt

Handling Changes to On-Demand Locations:

Because of the way that on-demand locations and their corresponding
interfaces are traditionally handled within ComOS, NAT configuration
changes might not take effect in the way you expect. To get around this
problem, you can either reboot immediately after changing the settings
for a location that is currently set to on-demand, or do the
following:

1. Enter "set location Locname maxports 0".

2. Enter "reset dialer".

3. Change whatever settings you need to.

4. Enter the following:

   set location Locname maxports <Original_maxports_value>

Manually dialed locations are unaffected.

_______ NAT Examples

1. Dial-Out Location Using defaultnapt with a Dynamically Assigned
    PPP IP Address:

Your Office Router OR-U is dialing in to a corporate network's
PortMaster 3 (192.168.2.5). The PortMaster 3 has one dynamically
assigned IP address for the Office Router in a NAPT configuration.
Everything behind the Office Router is subject to NAPT. You configure
the Office Router as follows:

    add location corporate
    set location corporate phone 5558583
    set location corporate username joeuser
    set location corporate password secrets
    set location corporate destination 192.168.2.5
    set location corporate max 2
    set location corporate idle 15 minutes
    set location corporate on-demand
    set location corporate local-ip-address assigned
    set location corporate nat outmap defaultnapt

2. Preventing Address Renumbering with Basic NAT on an Office Router:

Company ABC, Inc. (198.34.4.0/24) has just merged with Big Company
(25.0.0.0/8) and must renumber its hosts to access Big Company's
network. ABC has an ISDN connection from its Office Router to Big
Company's network. Big Company has just assigned ABC the IP range
25.9.1.0/24 to use. ABC configures its Office Router as follows:

    add map abc.outmap
    set map abc.outmap 1 addressmap 198.34.4.0/24 25.9.1.0/24
    add location bigcomp
    set location bigcomp phone 5558583
    set location bigcomp username abc
    set location bigcomp password bigsecret
    set location bigcomp destination 25.1.1.7
    set location bigcomp idle 15 minutes
    set location bigcomp on-demand
    set location bigcomp local-ip-address 25.9.1.254
    set location bigcomp nat outmap abc.outmap

The abc.outmap NAT map assigns IP addresses dynamically
as needed. If ABC wants to have static translations, abc.outmap
on the Office Router must be changed as follows:

    set map abc.outmap 1 staticaddressmap 198.34.4.0/24 25.9.1.0/24

3. Address Redirection to a Backup IRX-211 to Perform Server
   Maintenance:

The following two servers on your Ether1 provide inbound FTP and Web
service:

* primary.web.com at 129.65.2.1

* backup.web.com at 129.65.2.2

The IP addresses of primary and backup are global IP addresses.
However, you need to take primary off-line to perform some maintenance
work. Just before shutting down primary, you configure an inbound map
on Ether0 that statically maps primary's address to backup. You use a
basic NAT setup as follows:

    add map ether0.inmap
    set map ether0.inmap 1 addressmap 129.65.2.1 129.65.2.2
    set ether0 nat inmap ether0.inmap
    reset nat

As part of this configuration, you might also want to set the NAT
session-direction-fail-action (SDFA) to passthrough:

    set ether0 nat sdfa passthrough

This setting prevents NAT from intercepting outbound packets from the
remapped host when primary returns to service and you want to run a
Telnet or FTP session from it.

4. T1 or Fractional T1 WAN Link Using defaultnapt for Outbound and
   Providing Inbound HTTP Service:

Line1 on your PortMaster 3 is a T1 WAN link with a private network
10.0.0.0/8 behind it. The T1 point-to-point interfaces are numbered
with global addresses (local: 192.168.44.99, dest: 192.168.44.254). The
HTTP server in the private network resides at 10.1.1.10. You configure
the PortMaster 3 as follows:

    set w24 address 192.168.44.99
    set w24 destination 192.168.44.254
    set w24 nat outmap defaultnapt
    add map w24.inmap
    set map w24.inmap 1 static-tcp-udp-portmap 192.168.44.99:http
      10.1.1.10:http
    set w24 nat inmap w24.inmap
    reset w24

5. Dial-In User Using defaultnapt in Outsource Mode:

You want to provide NAT service to a user (or incoming network) by
connecting the user (or network) in an outsource-mode NAPT
configuration using the defaultnapt map on an Office Router. The global
IP address 192.168.129.130 is assigned to the dial-up router and will
be used as the global address by NAT. Because this configuration uses
the defaultnapt map, the IP addresses that the client's network is
using are not needed in the NAPT configuration. Configure the Office
Router as follows:

    add netuser joeuser
    set user joeuser password mysecret
    set user joeuser destination 192.168.129.130
    set user joeuser nat outmap defaultnapt outsource

No NAT configuration is required on the dial-up router (client) side.
If the client also wants to run an FTP server with a private IP address
of 192.168.5.1 on his network and have it accessible globally,
you can configure further as follows:

    add map joeuser.in
    set map joeuser.in 1 stupm 192.168.129.130:ftp 192.168.5.1:ftp
    set user joeuser nat inmap joeuser.in outsource

When you configure the NAT map for a user with outsource NAT, you can
consider the map as being on the calling router's outbound interface.

6. Dial-Out Location Using a Dynamic IP Address Basic NAT Map:

Your ISP gives you a small address block (192.168.129.129/29), but you
have more hosts than global IP addresses available. You do not want to
request more global IP addresses because of the added expense. In
addition, because not all workstations use the connection at the same
time, additional addresses will be wasteful. You want to use a dynamic
IP address pool map instead. You configure your Office Router as
follows:

    add map isp.outmap
    set map isp.outmap 1 addressmap 10.1.1.0/24 192.168.129.129/29
    add location isp
    set location isp phone 5558583
    set location isp username mycompany
    set location isp password bigsecret
    set location isp destination negotiated
    set location isp max 2
    set location isp continuous
    set location isp local-ip-address assigned
    set location isp nat outmap isp.outmap

7. Dial-Out Location Using a Static IP Address Basic NAT Map:

Your ISP gives you an address block (192.168.130.0/24). You can use a
dynamic IP address pool for your workstation IP addresses because they
do not need Internet access at the same time. However, you must give
two of your trusted systems static IP addresses for security
reasons---to perform packet filtering, for example. You configure your
Office Router as follows:

    add map isp.outmap
    set map isp.outmap 1 addressmap 10.1.1.1 192.168.130.1
    set map isp.outmap 2 addressmap 10.1.1.2 192.168.130.2
    set map isp.outmap 3 addressmap 10.1.0.0/16
      192.168.130.3-192.168.130.254
    add location isp
    set location isp phone 5558583
    set location isp username mycompany
    set location isp password bigsecret
    set location isp destination negotiated
    set location isp max 2
    set location isp continuous
    set location isp local-ip-address assigned
    set location isp nat outmap isp.outmap

_______ NAT-Unfriendly Applications

The following applications are considered unfriendly to NAT because
they embed the IP source and/or destination addresses in the packet
data, are multicast based or broadcast based, or rely on end-to-end
node security:

* Multicast-based applications
* Routing protocols RIP and OSPF
* DNS zone transfers
* End-to-end VPN tunnels
* Anything that embeds the IP source and/or destination address(es)
  into the packet data.

_______ NAT Debugging and Troubleshooting Tips

* Verify obvious values like correct IP addresses in map entries.

* Make sure your maps match the flow of the session (inbound or
outbound). Check "show nat sessions" output to make sure the correct
translations are taking place.

* Watch "show nat statistics" output for failed translations that can
indicate incorrect session flow direction and possibly incomplete
maps.

* Watch the source and destination IP addresses of packets going
through the Office Router. You can find a simple ptrace debug filter
for this purpose in the PortMaster Troubleshooting Guide. If you are
running NAT on your WAN link, look for private IP addresses that are
exiting the ptp0 interface untranslated. If translation is not taking
place, either your NAT maps are not translated properly or NAT is not
active on the port.

* Make sure that you reset the active network interface to make its NAT
configuration take effect. In the case of an Ethernet interface, enter
"reset nat ether0".

* If a location is set to dial-on-demand, you might need to reboot the
Office Router for configuration changes to take effect.

* If a port loses its network connectivity---for example, if the modem
drops carrier---NAT maintains the state of any existing sessions ONLY
if the IP address assigned to the port remains the same.

* Because of the nature of NAT operation, some applications that work
under basic NAT might not work with NAPT. If you are using a particular
application under NAPT and it is not working, try using basic NAT and
see if the situation improves.

_______ NAT Logging Control

You can activate syslog and console logging on a per-port basis to
identify configuration errors and for auditing purposes. Enter the
following commands---all on one line---to configure logging to the
Office Router console of all NAT sessions that fail for any reason:

    set Ether0 | S0 | W1 | location Locname | user Username
      nat log sessionfail on

    set Ether0 | S0 | W1 | location Locname | user Username
      nat log console on

To log to syslog instead, enter "syslog" instead of "console".

Syslog messages are logged at the priority level shown in "show syslog"
output. If you have not set the ComOS global option for logging NAT
information to syslog, then no logging takes place, regardless of the
logging options configured on any particular port. Lucent recommends
that you log NAT activity at the same priority as packet filters:

    set syslog nat auth.notice

You can also log more selectively for only certain map entries by
appending the "log" keyword at the end of a particular map entry you
want logged. For example:

    set map abc.outmap 1 addressmap 192.168.1.1 172.16.1.1 log

Whenever a session from 192.168.1.1 is successfully translated to the
global IP address 172.16.1.1 via this outbound map, a syslog message is
sent to your loghost.

Here is some sample syslog output:

Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)->
 (192.168.247.6:80) translated to
(192.168.129.129:20001)->(192.168.247.6:80)

Mar 24 17:29:23 nat-or NAT: ptp3: Out TCP (192.168.3.1:34178)->
 (192.168.247.6:80) translated to
(192.168.129.129:20002)->(192.168.247.6:80)

Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:30:22 nat-or NAT: ptp3: Out TCP (192.168.3.1:34179)->
 (192.168.247.6:80) translated to
(192.168.129.129:20003)->(192.168.247.6:80)

Mar 24 17:34:18 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 25 11:02:03 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to
(255.255.255.254:20001)->(192.168.65.50:23)

Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to
(192.168.129.129:20001)->(192.168.65.50:23)
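
For auditing, records like these answer two questions: which flows keep failing translation, and which private endpoint was behind a given global address and port at a given time. The following Python parser is an added example, not Lucent code; it assumes the record layout shown in the sample output (wrapped as printed in this note), and its function names are hypothetical.

```python
import re
from collections import Counter

# Records copied from the sample syslog output in this release note,
# wrapped across lines as printed there.
SAMPLE = """\
Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)->
 (192.168.247.6:80) translated to
(192.168.129.129:20001)->(192.168.247.6:80)
Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to
(192.168.129.129:20001)->(192.168.65.50:23)
"""

# A new record starts with a syslog timestamp such as "Mar 24 17:28:11 ".
START = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s\d\d:\d\d:\d\d\s")


def ep(name):
    """Regex for one "(address:port)" endpoint with named groups."""
    return rf"\((?P<{name}>[\d.]+):(?P<{name}_port>\d+)\)"


RECORD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sNAT:\s(?P<iface>\S+):\s"
    r"(?P<dir>\w+)\s(?P<proto>\w+)\s"
    + ep("src") + r"\s*->\s*" + ep("dst")
    + r"\s(?:translated to\s*" + ep("xsrc") + r"\s*->\s*" + ep("xdst")
    + r"|Xlation failed:\s*(?P<reason>.*))$"
)


def unwrap(text):
    """Join continuation lines so that each syslog record is one string."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse(text):
    """Return (parsed, rejected): field dicts, and records that did not match."""
    parsed, rejected = [], []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m:
            parsed.append(m.groupdict())
        else:
            rejected.append(rec)
    return parsed, rejected


def repeated_failures(records, threshold=3):
    """Flows whose translation failed at least `threshold` times."""
    counts = Counter(
        (r["src"], r["src_port"], r["dst"], r["dst_port"])
        for r in records if r["reason"] is not None
    )
    return {flow: n for flow, n in counts.items() if n >= threshold}


def private_hosts_for(records, global_ip, global_port):
    """Private endpoints that were translated to global_ip:global_port."""
    return [
        (r["ts"], r["src"] + ":" + r["src_port"], r["dst"] + ":" + r["dst_port"])
        for r in records
        if r["xsrc"] == global_ip and r["xsrc_port"] == str(global_port)
    ]
```

Because NAPT reuses global ports over time, the lookup returns every binding with its timestamp rather than a single host.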

_______ Debugging NAT

The following commands set ComOS debugging options for NAT:

  set debug nat-ftp on | off		Displays FTP payload processing.

  set debug nat-icmp-err on | off	Displays ICMP error payload
					processing.

  set debug nat-rt-interface on | off	Displays NAT parameter changes
					during interface binding.

  set debug nat-max on | off		Enables full NAT debugging.

Remember to use "set console" before using these commands, and
"reset console" after turning off the debug process.

_______ Network Diagnostic Tools for NAT

Because NAT includes ICMP and UDP translation, the two most common
network diagnostic tools, ping and traceroute, can still be used---with
the following restrictions:

* When using NAPT, you will not be able to run traceroute or ping
inbound to the private hosts because you cannot reach them directly
from the outside. But you can use the tools in an outbound direction
without any problems.

* When using basic NAT, you can run traceroute and ping inbound but
only if you have an inbound map active. You still must include an entry
for the actual host you are trying to ping or trace routes to. As with
NAPT, you can do all network diagnostics in outbound mode.

_______ NAT References

* draft-ietf-nat-traditional-03.txt, Traditional IP Network Address
Translator (Traditional NAT)

* RFC 1918, Address Allocation for Private Internets

* RFC 2663, IP Network Address Translator (NAT) Terminology and
Considerations

_______________ ComOS 3.9b27 Limitations

* Limitations on Upgrading and Downgrading:

  - The Office Router must be running ComOS 3.5 or later to upgrade to
    ComOS 3.9b27. If you are running an earlier release of ComOS,
    upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b27.

  - Do NOT upgrade to ComOS 3.9b27 from any earlier version of
    ComOS without first disabling IPX and OSPF. To do so, enter the
    following commands:

    set ospf disable
    set ipx off
    save all
    reboot

  - Downgrading PortMaster Office Routers from ComOS 3.9b27 to a
    previous release requires two successful downgrades. After the
    first successful downgrade the Office Router is operational, but
    without system messages. The second downgrade applies the system
    messages.

  - Downgrading from ComOS 3.9b27 to ComOS 3.5 might change the
    Ether0 IP address.

* A ComOS online help file is not included in this release; therefore,
the "help" command is not supported.

* You cannot use Inverse Address Resolution Protocol (ARP) on a Frame
Relay interface with subinterfaces. The primary Frame Relay interface
does not automatically map IP addresses to data link connection
identifiers (DLCIs). When you enter a "show arp frm1" command, no ARP
tables appear, and the Office Router cannot ping across the Frame Relay
cloud.

* NAT Limitations:

 - Inbound NAT maps are restricted to static address maps and/or static
    TCP/UDP port maps only. Outbound NAT maps do not have this limitation.

 - NAT translates only TCP, UDP, and ICMP packets. Point-to-Point
    Tunneling Protocol (PPTP) traffic is not translated.

_______________ Upgrade Instructions

You can upgrade PortMaster Office Routers using PMVision 1.8 or later,
or pmupgrade 4.3 or later from PMTools. Alternatively, you can upgrade
using the older programs pminstall 3.5.3, PMconsole 3.5.3, or PMconsole
for Windows 3.5.1.4. You can also upgrade using TFTP with the "tftp get
comos" command from the PortMaster command line interface.

See ftp://ftp.livingston.com/pub/le/software/java/pmvision18.txt for
installation instructions for PMVision 1.8.

*** CAUTION!  If the upgrade fails, do NOT reboot!  Contact
*** Lucent NetCare(R) Technical Support without rebooting.

The upgrade process on PortMaster Office Routers erases the
configuration area from nonvolatile memory and saves the current
configuration into nonvolatile memory. Never interrupt the upgrade
process, or loss of configuration information can result.

WARNING! Due to the increased size of ComOS, the amount of NVRAM
available for saving configurations has been reduced from 128KB to
64KB. PortMaster products with configurations greater than 64KB will
lose some of their configuration. For this reason, be sure to back up
your Office Router configuration before upgrading to this release. You
can check the amount of memory used for your configuration with the
"show files" command. Ignore any files that also include an
uncompressed size.

WARNING! The Office Router must be running ComOS 3.5 or later to
upgrade to ComOS 3.9b27. If you are running an earlier release of
ComOS, upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS
3.9b27.

The installation software can be retrieved by FTP from
ftp://ftp.livingston.com/pub/le/software/, and the upgrade image
can be found at ftp://ftp.livingston.com/pub/le/upgrades:

ComOS		Upgrade Image	Product
_________	_____________ 	__________________________
3.9b27		pm3_3.9b27	PortMaster Office Router

_____________________________________________________________

        Copyright and Trademarks

Copyright 2000 Lucent Technologies. All rights reserved.

PortMaster, ComOS, ChoiceNet, and NetCare are registered trademarks of
Lucent Technologies. PMVision, IRX, and PortAuthority are trademarks of
Lucent Technologies. All other marks are the property of their
respective owners.

	Notices

Lucent Technologies makes no representations or warranties with respect
to the contents or use of this publication, and specifically disclaims
any express or implied warranties of merchantability or fitness for any
particular purpose. Further, Lucent Technologies reserves the right to
revise this publication and to make changes to its content, any time,
without obligation to notify any person or entity of such revisions or
changes.

	Contacting Lucent NetCare Technical Support

Lucent NetCare Professional Services provides PortMaster technical
support via voice or electronic mail, or through the World Wide Web at
http://www.livingston.com/. Specify that you are running ComOS 3.9b27
when reporting problems with this release.

Internet service providers (ISPs) and other end users in Europe, the
Middle East, Africa, India, and Pakistan should contact their authorized
Lucent NetCare sales channel partner for technical support; see
http://www.livingston.com/International/EMEA/distributors.html.

For North America, the Caribbean and Latin America (CALA), and Asia
Pacific customers, technical support is available Monday through Friday
from 7 a.m. to 5 p.m. U.S. Pacific Time (GMT -8). Dial 1-800-458-9966
within the United States (including Alaska and Hawaii), Canada, and
CALA, or 1-925-737-2100 from elsewhere, for voice support. For email
support, send to support@livingston.com (asia-support@livingston.com
for Asia Pacific customers).