1999/3/31

			ComOS 3.9b8 Open Beta Release Note


________________ Introduction

The new Lucent Technologies ComOS(R) 3.9b8 is now available for open
beta for the PortMaster(R) 3 Integrated Access Server.

This open beta release is provided at no charge to all Lucent
customers.

This open beta release is recommended only for customers who wish to test
the new functionality before the FCS release of ComOS 3.9.

This release note documents commands and features added between ComOS
3.8.2 and ComOS 3.9b8 on the PortMaster 3. The modem code in ComOS
3.9b8 is the same modem code included in ComOS 3.8.2 for the PortMaster 3.

NOTE: Command syntax for new commands may change between this open beta
release and the general availability (GA) release of ComOS 3.9.

This release note applies only to the PortMaster 3.

Before upgrading, thoroughly read "Limitations" and "Upgrade
Instructions."

WARNING! The amount of nonvolatile RAM (NVRAM) available for saving
configurations has been reduced from 128KB to 64KB. PortMaster
products with configurations greater than 64KB will lose some of
their configuration. For this reason, be sure to back up your
PortMaster configuration before upgrading to this release.

NOTE: Any PortMaster running ComOS 3.9b8 requires 4Mb of dynamic
RAM (DRAM).  Use 16MB if running BGP.


_______________ Export Restrictions

This open beta release of ComOS 3.9b8 does not include support for the
DES and 3DES encryption methods, and is available to any Lucent
customer worldwide.

The AH MD5 authentication feature of the coprocessor card is available
worldwide and is included in ComOS 3.9b8.

Because of export restrictions, the DES and 3DES features for ComOS 3.9b8
will be handled on a case-by-case basis outside of the standard beta
release process.  Any U.S.- or Canadian-owned company wishing to participate
in the beta of this feature should call Cary Hayward at 1-925-730-2637.
This restricted release, ComOS 3.9b8enc168, which supports DES and 3DES,
is available in open beta to Lucent customers in the USA and Canada.
To use DES or 3DES for encrypting data payloads, you must install the
Coprocessor Card (PM3-VPN).

Versions of ComOS 3.9 supporting DES and 3DES on the coprocessor card
will be made available to customers in other countries as export
licensing permits. Licensing approval is being sought at this time.

For more information, see the sections on "IP Security" and
"Coprocessor Card for PortMaster 3".


_______________ Contents

Introduction
Export Restrictions
Bugs Fixed in 3.9b8
New Features
	Non-Facility Associated Signaling (NFAS)
	Layer 2 Tunneling Protocol (L2TP)
	IP Security (IPSec)
	Coprocessor Card for PortMaster 3
	Network Address Translator (NAT)
	Assigned IP for Dial-Out Locations
	Enhanced PMVision Support
Configuring NFAS
Configuring L2TP
Configuring IPSec
Configuring NAT
Limitations
Upgrade Instructions
Technical Support



_______________ Bugs Fixed in ComOS 3.9b8

No bugs have been fixed in ComOS 3.9b8.



_______________ New Features in ComOS 3.9b8

The following commands and features have been added in ComOS 3.9b8.


_______ Non-Facility Associated Signaling (NFAS)

Non-facility associated signaling (NFAS) is a service offered by
telephone companies that permits a single D channel to provide the
signaling for a group of PRIs. This service allows the channel that
is normally used for signaling on the remaining PRIs to be used as a
B channel.

Because combining the signaling onto a single D channel increases the
consequences if communication with that channel fails, some telephone
companies use the D channel backup (DCBU) system. DCBU requires two
D channels per NFAS group, one as a primary and one as a secondary.

The Lucent ComOS implementation of NFAS supports both standard NFAS and
NFAS with DCBU across up to 20 PRIs.

See the section titled "Configuring NFAS" for NFAS configuration
information.


_______ Layer 2 Tunneling Protocol (L2TP)

ComOS 3.9b8 on the PortMaster 3 supports Layer 2 Tunneling Protocol
(L2TP). You can configure the PortMaster 3 as both an L2TP access
concentrator (LAC) and an L2TP network server (LNS).

See the section titled "Configuring L2TP" for L2TP configuration
information.


_______ IP Security (IPSec)

ComOS 3.9b8 on the PortMaster 3 supports virtual private networks (VPNs)
and IP Security (IPSec). A properly configured PortMaster is capable of
tunneling using the IP Encapsulation within IP (IPIP) and IPSec protocols
and a Lucent proprietary Proxy-Tunnel protocol. Tunneling allows you to
create custom network topologies that are independent of the underlying
physical topology of the network, with or without additional security and
authentication.

See the section titled "Configuring IPSec" for more information.


_______ Coprocessor Card for PortMaster 3

ComOS 3.9b8 now supports the coprocessor card (PM3-VPN, PortMaster 3
Coprocessor Card).  To use IPSec, the coprocessor card must be
installed in the PortMaster 3, into the same interface on the
motherboard used by the Stac compression card (PM3-CMP).  The
PortMaster 3 can support either the Stac compression card or the
coprocessor card, not both.

The PortMaster 3 does not require the coprocessor card to run the IPIP
or Proxy-Tunnel protocols.

The following message is displayed on the console port at boot time if
the coprocessor card is installed correctly and operating:

  Found MIPS 4640 daughterboard with 512Kb bytes of memory

The coprocessor card is booted from the file named "mipsboot" on the
NVRAM file system. You can use the "show files" command to verify that
it exists. If it does not, you must upgrade your release of ComOS. To
see which encryption algorithms and protocols are supported, use the
"show ipsec modules" command.



_______ Network Address Translator (NAT)

ComOS 3.9b8 supports the network address translator (NAT) based on the
latest IETF NAT document draft-ietf-nat-traditional-01.txt.

The basic network address translator (basic NAT) maps IP addresses from
one group to another, transparently to users and applications. The
network address port translator (NAPT) is an extension to Basic NAT, in
which multiple network addresses and their TCP and UDP ports are mapped
to a single network address and its ports.

ComOS supports both basic NAT and NAPT for both outbound and inbound
sessions. It also supports an "outsource" mode where all NAT
processing is done on the server-side of the connection.

See the section titled "Configuring NAT" for more information.
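The following Python is an added illustration of the two translation
styles described above; it is not ComOS code and does not describe how
ComOS implements NAT internally. Basic NAT gives each inside address a
one-to-one mapping from a pool of external addresses and fails once the
pool is exhausted, while NAPT multiplexes many inside (address, port)
pairs onto a single external address and its ports. In both models an
inbound packet with no existing mapping is returned as None, i.e. it is
dropped. All addresses, the pool, and the starting port are constructed
sample values.

```python
"""Toy basic NAT and NAPT tables (added example, not ComOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# An inside flow is identified by (protocol, ip, port).
Endpoint = Tuple[str, str, int]


class BasicNat:
    """One-to-one address mapping drawn from a pool of external addresses."""

    def __init__(self, pool: List[str]) -> None:
        self.free = list(pool)            # unused external addresses
        self.outbound: Dict[str, str] = {}  # inside ip -> external ip
        self.inbound: Dict[str, str] = {}   # external ip -> inside ip

    def translate_outbound(self, src_ip: str) -> Optional[str]:
        """Return the external address for an inside host, allocating one
        from the pool on first use; None when the pool is exhausted."""
        if src_ip not in self.outbound:
            if not self.free:
                return None
            ext = self.free.pop(0)
            self.outbound[src_ip] = ext
            self.inbound[ext] = src_ip
        return self.outbound[src_ip]

    def translate_inbound(self, dst_ip: str) -> Optional[str]:
        """Map an outside->inside packet back to the inside host, or None
        if nobody holds that external address (packet is dropped)."""
        return self.inbound.get(dst_ip)


@dataclass
class Napt:
    """Many inside (addr, port) pairs share one external address."""

    external_ip: str
    next_port: int = 40000   # constructed: first translated port handed out
    outbound: Dict[Endpoint, int] = field(default_factory=dict)   # inside -> ext port
    inbound: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)  # (proto, ext port) -> inside

    def translate_outbound(self, proto: str, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite the source of an inside->outside packet to the external
        address and a per-flow port, reusing the mapping for repeat packets."""
        key = (proto, src_ip, src_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(proto, port)] = key
        return self.external_ip, port

    def translate_inbound(self, proto: str, dst_port: int) -> Optional[Endpoint]:
        """Map an outside->inside packet to the inside flow, or None when no
        mapping exists (an unsolicited inbound session is dropped)."""
        return self.inbound.get((proto, dst_port))
```

Because NAPT keys the reverse lookup on the translated port, an outside
host cannot reach an inside host that has not first opened a flow; that
is the "drop by default" behaviour the inbound checks model here.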


_______ Assigned IP for Dial-Out Locations

Use the following command to configure a dial-out location on the
PortMaster 3 to receive a dynamically assigned address:

  set location Locname local-ip-address assigned

Locname		Name of a location table entry.

In previous releases of ComOS for the PortMaster 3, dial-out locations
could not receive a dynamic address.


_______ Enhanced PMVision support

Additional support has been added to ComOS 3.9b8 to allow PMVision(TM) to
monitor and configure PortMaster features. See PMVision 1.4 release notes
for details.



_______________ Configuring NFAS

Non-facility associated signaling (NFAS) is a service offered by
telephone companies that permits a single D channel to provide the
signaling for a group of PRIs. This service allows the channel that
is normally used for signaling on the remaining PRIs to be used as a
B channel.

Because combining the signaling onto a single D channel increases the
consequences if communication with that channel fails, some telephone
companies use the D channel backup (DCBU) system. DCBU requires two
D channels per NFAS group, one as a primary and one as a secondary.

The Lucent ComOS implementation of NFAS supports both standard NFAS and
NFAS with DCBU across up to 20 PRIs.

See the "Limitations" section before using NFAS.


_______ Configuration

To configure a line for NFAS operation, use the following command:

  set Line0 nfas Mode Identifier Group

Line0		line0 or line1.
Mode:
  primary	This PRI contains the primary D channel.
  secondary	This PRI contains the secondary D channel.
  slave		This PRI contains no D channel.
  disabled	Clear this PRI's NFAS configuration.
Identifier      Number between 0 and 19 that is unique among all PRI
		interfaces in the same NFAS group.
Group           Number between 1 and 99 identifying which NFAS group
		this PRI belongs to.

The following example shows how to configure four PortMaster 3s on a
common Ethernet with two NFAS groups, one with DCBU and one without.
Each group contains two PortMaster 3s.

NFAS bundle #1 (with DCBU)
  PM3-1 (Line0 contains the primary D channel. Line1 is a slave line.):
    set line0 nfas primary 0 1
    set line1 nfas slave   1 1
    save all
    reboot

  PM3-2 (Line0 is a slave line, and Line1 contains the secondary
  D channel):
    set line0 nfas slave     2 1
    set line1 nfas secondary 3 1
    save all
    reboot

NFAS bundle #2 (without DCBU)
  PM3-3 (Line0 contains the primary D channel, and Line1 is a
  slave line):
    set line0 nfas primary 0 2
    set line1 nfas slave   1 2
    save all
    reboot

  PM3-4 (Line0 and Line1 are slave lines):
    set line0 nfas slave 2 2
    set line1 nfas slave 3 2
    save all
    reboot


_______ Displaying General Information

Several commands are available to display statistics and information
specific to NFAS operation.

  show nfas

The "show nfas" command displays neighboring PortMasters in the same
NFAS group as this one and shows in-service D channel information and
slave status.

  show nfas history

The "show nfas history" command displays the last 40 significant
messages exchanged between this PortMaster and its neighbors.

  show nfas stat

The "show nfas stat" command displays the status of NFAS calls for
PortMasters in the same group(s) as this one.


_______ Displaying Debugging Information

A new debug command has been added to aid in diagnosing problems that
might occur in testing.

  set debug nfas on | off

This command enables or disables the logging of NFAS events to the
console. Remember to use "set console" before using this command.



_______________ Configuring L2TP

ComOS 3.9b8 on the PortMaster 3 supports Layer 2 Tunneling Protocol
(L2TP). You can configure the PortMaster 3 as both an L2TP access
concentrator (LAC) and an L2TP network server (LNS).

The implementation of L2TP in ComOS 3.9b8 is based on the latest IETF
L2TP draft (revision 12 and 13 as of this writing). For specific
details of operation and protocol implementation of L2TP, refer to the
IETF Internet-Drafts.

L2TP allows PPP frames to be tunneled as follows from one PortMaster
that answers an incoming call (LAC) to another PortMaster that
processes the PPP frames (LNS):

End user--->incoming call--->LAC--->LNS--->network access


_______ Description and Applications

The Layer 2 Tunneling Protocol (L2TP) provides tunneling of PPP
connections, to separate the functionality normally provided by a
single NAS into two parts:

 * The L2TP access concentrator (LAC) provides the "physical"
   connection point between the telephone network (and therefore the
   dial-in user) and the host network.

 * The L2TP network server (LNS) terminates the PPP sessions and
   handles the "server-side" of the connection, such as authentication
   of the user, routing network traffic to and from the PPP user, and
   so forth. The LNS does not have any actual physical ports, only
   virtual interfaces.

An outsourcer can use L2TP to provide dial-up ports to customers using
a central and "shared" common physical dial-up pool. The pool resides
in a shared access server (the LAC). The outsourcer's customers
maintain a home gateway (the LNS) and some type of IP connectivity to
the outsourcer. L2TP provides virtual dial-up ports to the outsourcer's
customers. This use of L2TP is sometimes referred to as a virtual
private dial-up network (VPDN).

The service is transparent to the customer because users still
terminate PPP sessions on the customer network via the LNS. RADIUS
authentication, accounting, and IP address assignment are all done by
the customer. The LAC does no PPP processing unless it is using partial
authentication for determining the tunnel end point. It only accepts
the call and establishes a tunnel to the LNS for that PPP session. The
tunnel can be established based upon Called-Station-Id or User-Name
(where partial authentication occurs on the LAC before tunnel
establishment).

For example, if you use Called-Station-Id and call-check with L2TP,
the session follows these steps:

1. The end user places a call.
2. The LAC detects the incoming call.
3. The LAC using call-check sends an authentication request to a RADIUS
   server containing the Called-Station-Id and Calling-Station-Id check 
   items before answering the call.
4. If the RADIUS server accepts the user, an access-accept message is
   returned to the LAC along with information on how to create the L2TP
   tunnel for this session: the type of tunnel, IP address of the LNS,
   and so on.
5. The LAC then creates a tunnel to the LNS by encapsulating the PPP
   frames into IP packets and forwarding those packets to the LNS.
6. The LNS negotiates PPP normally with the end user.


_______ RADIUS Dictionary Updates for L2TP

Add the following lines to your RADIUS dictionary:

VALUE         Service-Type            Call-Check              10
VALUE         NAS-Port-Type           Virtual                 5

ATTRIBUTE               Tunnel-Type             64      integer
ATTRIBUTE               Tunnel-Medium-Type      65      integer
ATTRIBUTE               Tunnel-Server-Endpoint  67      string
ATTRIBUTE               Tunnel-Password         69      string
VALUE                   Tunnel-Type                     L2TP    3
VALUE                   Tunnel-Medium-Type              IP      1

The RADIUS daemon must be stopped and restarted to read the new
dictionary.


_______ RADIUS User Profiles for L2TP

The user profiles for the LNS are the same as for your users who do not
use L2TP.

For the LAC, some new user profiles are required. Exactly which ones
are dependent on whether you are using call-check or partial
username-based tunneling on the LAC. The following profiles can be used
on the RADIUS server serving the LAC for each scenario:

# Using Called-Station-Id with Call-Check to route callers who dial
# 555-1313 to the LNS "172.16.1.221".
# Note that the LNS address must be enclosed in double quotation marks
# because it is sent as a string, not as a 32-bit integer.

DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "172.16.1.221"

# Same as the previous profile, but with a shared secret to 
# authenticate the session to the LNS.

DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Password = "mrsparkle",
        Tunnel-Server-Endpoint = "172.16.1.221"

In both these user profiles, the first line contains the RADIUS check
item, with the Called-Station-ID being used to match the entry before
the call is answered. The L2TP tunnel parameters from the matching
entry are then sent in the RADIUS access-accept message.

The Tunnel-Type specifies the tunneling protocol to be used. The
Tunnel-Medium-Type specifies the transport medium over which the tunnel
is created, IP for now. Tunnel-Server-Endpoint indicates the other end
of the tunnel, the LNS in the case of L2TP.

Note that the LNS address must be enclosed in double quotation marks
because it is sent as a string, not as a 32-bit integer.

If you are not using call-check and are instead providing partial
authentication based on User-Name, the following user profile works.
The user "bgerald" dials in to the LAC, which initiates a L2TP tunnel
on the user's behalf to LNS 172.16.1.55.

bgerald Password = "wackamole"
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "172.16.1.55"


_______ L2TP and RADIUS Accounting

The LAC and LNS both log user sessions to RADIUS accounting, but
different accounting data is available from each.

If you are using call-check to establish the tunnel, the LAC's
accounting data shows the Calling-Station-Id, but not the user's name
because that information has not been passed over the link yet. The
LNS accounting data shows both the Calling-Station-Id and the User-Name
along with the assigned IP address.

If partial authentication (instead of call-check) is taking place on
the LAC, then the username might be available to it. In that case,
the username appears in the RADIUS accounting logs for both the LNS
and the LAC.

In both cases, the LNS shows the NAS-Port-Type as "Virtual", while
the LAC shows the NAS-Port-Type set to the actual physical
interface's connection type.

The LNS starts its NAS-Port numbering at 100.


_______ Redundant Tunnel Server End Points

To increase the robustness of L2TP, a user profile can be configured to
contain redundant tunnel server end points. If the primary LNS fails,
inbound L2TP tunnels can be redirected to other machines.

Up to three redundant tunnel server end points can be specified.
Any more than three are ignored by the LAC.

The following example shows a RADIUS user profile with multiple
redundant tunnel server end points. Each tunnel server end point is
preceded by the tunnel medium type for that tunnel.

DEFAULT Service-Type = Call-Check, Called-Station-Id = "5551234"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.11.2",
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.11.17",
        Tunnel-Medium-Type = IP,
        Tunnel-Server-Endpoint = "192.168.230.97"

This feature provides redundant LNS backup, not load balancing.


_______ L2TP Command Summary

set l2tp noconfig | disable | enable lac | enable lns
set l2tp authenticate-remote on | off
set l2tp secret [ String15 | none ]
show l2tp global | sessions | stats | tunnels
reset l2tp [ stats | tunnel ]
create l2tp tunnel udp Endpoint [ Password | none]
set l2tp choose-random-tunnel-endpoint on | off
set debug l2tp max | packets | rpc | setup | stats

Use the following command to have the PortMaster load the L2TP feature
on startup:

  set l2tp noconfig | disable | enable lac | enable lns

noconfig        Sets the PortMaster to have no configuration for L2TP.

disable         Sets L2TP off. L2TP is not used.

enable lac	Sets the PortMaster to be a LAC.

enable lns	Sets the PortMaster to be an LNS.

When the PortMaster is configured to be an LNS, the line ports are
configured for T1 and cannot be used for dial-in. The virtual S0 ports
follow the W1 ports.

Example:
Command 0> set l2tp enable lns
L2TP LNS will be enabled after next reboot

After using the "set l2tp" command, you must use the "save all" command
to save the configuration and the "reboot" command for the L2TP module
to load.


_______ Configuring L2TP to Initiate Authentication

The following command configures L2TP to initiate tunnel authentication:

  set l2tp authenticate-remote on | off

on      The PortMaster initiates authentication with the other end point
	of the tunnel before a tunnel is established.

off     The PortMaster does not initiate authentication.

This command determines only whether the PortMaster initiates the
authentication. It does not determine how the PortMaster responds to
an authentication request. The "set l2tp authenticate-remote" command
functions the same on both a LAC and an LNS.


_______ Configuring an L2TP Secret

The "set l2tp secret" global command configures the L2TP password that
the PortMaster uses to respond to all L2TP tunnel authentication
requests.

  set l2tp secret String15 | none

String15        0 to 15 character string used as a password when
		responding to L2TP tunnel authentication requests.

none            Removes the L2TP secret. This is the default.

The "set l2tp secret" command sets the L2TP secret for the entire
PortMaster.

If a PortMaster configured as a LAC receives a tunnel authentication
request, it uses the Tunnel-Password from the RADIUS access-accept
packet, if present, instead of the global L2TP secret.


_______ Displaying L2TP Information

The following command shows information on how L2TP is functioning:

  show l2tp global | sessions | stats | tunnels

The formats shown here are subject to change for the general 
availability release of ComOS 3.9.

Command> show l2tp global
debug packets debug stats debug setup
Tunnel Authentication Enabled
Initiation of Authentication Remote Tunnel Disabled
Default Board Configuration

Command> show l2tp sessions
Id     Assign-Id  Tunnel-Id Portname
  2305         1          1  S0

Command> show l2tp stats
NEW_SESSION 1
NEW_TUNNEL 4
TUNNEL_CLOSED 3
HANDLE_CLOSED 3
L2TP_STATS_MEDIUM_HANDLE 3
INTERNAL_ERROR 14
CTL_SEND    9
CTL_REXMIT  1
CTL_RCV     10
MSG_CHANGE_STATE   4
WRONG_AVP_VALUE 3
EVENT_CHANGE_STATE 3

Command> show l2tp tunnels
Id     Assign-Id   Hnd State         Server-Endpoint        Client-Endpoint
     1         1    24 L2T_ESTABLISHE 192.168.6.13           192.168.10.28


_______ Resetting L2TP

Use the "reset l2tp" command to reset an L2TP tunnel or the L2TP
statistics counters.

  reset l2tp [ stats | tunnel Id ]

stats           Resets the L2TP counters displayed by "show l2tp stat"
		to zero.
tunnel          If no tunnel ID is specified, all the L2TP tunnels are
		destroyed.
Id              A tunnel ID from 1 to 100. If a tunnel ID is
		specified, then only that one tunnel is destroyed. The
		"show l2tp tunnels" command displays a list of active
		tunnel IDs.


_______ Creating an L2TP Tunnel Manually

The following command manually brings up a L2TP tunnel for testing and
troubleshooting:

  create l2tp tunnel udp Endpoint [ Password | none ]

Endpoint	IP address of the L2TP tunnel end point.
Password        Password to use when responding to a tunnel
		authentication request from the peer. If none is
		specified, the global L2TP secret is used if
		configured.

Example:
Command> create l2tp tunnel udp 149.198.110.19
OK


_______ Selecting a Tunnel End point

The following command determines in what order to choose an end point
when multiple tunnel end points are returned in a RADIUS access-accept
packet.

  set l2tp choose-random-tunnel-endpoint on | off

on      Causes the tunnel end point to be chosen randomly from the list
	of tunnel end points returned by RADIUS.

off	Selects the first tunnel end point that can be reached.

Normally, when L2TP is configured with multiple tunnel end points the
end points are chosen serially, always beginning with the first. If a
tunnel cannot be established with the first, then the second is tried,
and then the third. When this feature is on, a random tunnel end point
is selected from those returned in the RADIUS access-accept packet.
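The Python below is an added model (not ComOS code) of the end point
handling described here and in "Redundant Tunnel Server End Points":
it pulls the Tunnel-Server-Endpoint values out of an access-accept
attribute list, keeps at most three, and then picks an end point either
serially from the first or from a random starting point. Assumptions
not stated on the page: an end point that is not preceded by
Tunnel-Medium-Type = IP is skipped; when the random choice is
unreachable the remaining end points are tried afterwards; and the
reachability probe is replaced by a caller-supplied predicate. The
sample reply attributes are constructed and mirror the redundant
profile above, with a fourth end point added to show it being ignored.

```python
"""Added example: L2TP tunnel end point extraction and selection."""
import random
from typing import Callable, List, Optional, Sequence, Tuple

MAX_ENDPOINTS = 3  # the LAC ignores any end points beyond the third


def tunnel_endpoints(reply_attrs: Sequence[Tuple[str, str]]) -> List[str]:
    """Collect Tunnel-Server-Endpoint values from access-accept attributes.

    Each end point must be preceded by Tunnel-Medium-Type = IP, the only
    medium this release supports; one without it is skipped (assumption).
    At most MAX_ENDPOINTS are kept, in the order they were received.
    """
    endpoints: List[str] = []
    medium: Optional[str] = None
    for name, value in reply_attrs:
        if name == "Tunnel-Medium-Type":
            medium = value
        elif name == "Tunnel-Server-Endpoint":
            if medium == "IP":
                endpoints.append(value)
            medium = None  # each end point consumes the medium type before it
    return endpoints[:MAX_ENDPOINTS]


def choose_endpoint(endpoints: Sequence[str],
                    reachable: Callable[[str], bool],
                    choose_random: bool = False,
                    rng: Optional[random.Random] = None) -> Optional[str]:
    """Return the end point to build the tunnel to, or None if none answers.

    choose_random off: try end points serially, always starting with the
    first.  choose_random on: start from a random end point; if it cannot
    be reached the others are tried too (assumption).
    """
    order = list(endpoints)
    if choose_random:
        (rng or random).shuffle(order)
    for endpoint in order:
        if reachable(endpoint):
            return endpoint
    return None


# Constructed access-accept reply, mirroring the redundant profile above
# plus a fourth end point that the LAC would ignore.
SAMPLE_REPLY = [
    ("Service-Type", "Framed-User"),
    ("Framed-Protocol", "PPP"),
    ("Tunnel-Type", "L2TP"),
    ("Tunnel-Medium-Type", "IP"),
    ("Tunnel-Server-Endpoint", "192.168.11.2"),
    ("Tunnel-Medium-Type", "IP"),
    ("Tunnel-Server-Endpoint", "192.168.11.17"),
    ("Tunnel-Medium-Type", "IP"),
    ("Tunnel-Server-Endpoint", "192.168.230.97"),
    ("Tunnel-Medium-Type", "IP"),
    ("Tunnel-Server-Endpoint", "192.0.2.99"),   # fourth end point: ignored
]


def demo_failover() -> Optional[str]:
    """Serial selection with the primary LNS unreachable (constructed)."""
    down = {"192.168.11.2"}
    return choose_endpoint(tunnel_endpoints(SAMPLE_REPLY),
                           lambda ep: ep not in down)


if __name__ == "__main__":
    print(tunnel_endpoints(SAMPLE_REPLY))
    print(demo_failover())
```

Serial selection is what gives the "backup, not load balancing"
behaviour: every LAC keeps sending new tunnels to the first end point
until it stops answering.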


_______ Debugging L2TP

The following command is used to troubleshoot L2TP problems:

  set debug l2tp max | packets Size | setup | stats

max		Provides the same debugging as setup, and stats combined.

packets         Shows a representation of the L2TP packets, similar to
		the "ptrace dump" command.

Size		0 to 1500, number of bytes to display.

setup		Shows L2TP control messages and errors.

stats           Displays information that appears in "show l2tp stats"
		in more detail.



_______________ Configuring IPSec

ComOS 3.9b8 on the PortMaster 3 supports virtual private networks (VPNs)
and IP Security (IPSec). A properly configured PortMaster is capable of
tunneling using the IP Encapsulation within IP (IPIP) and IPSec protocols
and a Lucent proprietary Proxy-Tunnel protocol. Tunneling allows you to
create custom network topologies that are independent of the underlying
physical topology of the network, with or without additional security and
authentication.

For example, you can use VPN and IPSec to do the following on a
PortMaster 3:

* Encapsulate, encrypt, and/or authenticate IP packets

* Outsource tunnels by user, location or interface

* Redirect packets in the clear

* Perform UDP packet forwarding services

IPSec tunneling encapsulates, encrypts, and/or authenticates IP
packets.

IPIP ("IP within IP") tunneling encapsulates IP packets inside IP
packets, with no encryption or authentication.

Tunnel-Proxy is a Lucent proprietary tunneling protocol. Tunnel-Proxy
places IP packets into UDP packets with the RSA Data Security, Inc. MD5
Message-Digest Algorithm signature for authentication.


_______ Security Associations

The security of the communications between two nodes is described
manually by a security association (SA) table entry. This security
association describes the parameters necessary to accomplish the
desired security (security association bundle) between a pair of
gateway nodes. Multiple security associations can be created to match
different security policies for different peers or types of traffic.

The following files are created in the PortMaster nonvolatile RAM file
system:

vpn		Contains the saved security association table.
random		Contains random seed data for the next reboot.
mipsboot	Encryption card image.


_______ IPSec Command Line Summary

show sa Name
show table sa
show ipsec module
add sa Name
delete sa Name
reset ipsec S0
set sa Name ah-inb-key | ah-inbound-key Key[/Bits]
set sa Name ah-inb-spi | ah-inbound-spi SPI
set sa Name ah-outb-key | ah-outbound-key Key[/Bits]
set sa Name ah-outb-spi | ah-outbound-spi SPI
set sa Name esp-inb-key | esp-inbound-key Key[/Bits]
set sa Name esp-inb-spi | esp-inbound-spi SPI
set sa Name esp-outb-key | esp-outbound-key Key[/Bits]
set sa Name esp-outb-spi | esp-outbound-spi SPI
set sa Name local-address @ether0 | @ipaddr
set sa Name mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none
set sa Name peer-identifier Ipaddress
set sa Name proxy-destport Uport
set sa Name proxy-localport Uport
set sa Name proxy-secret Key[/Bits]
set sa Name sec-proposal Method [Method2]

Name		Security association name up to 15 characters long.
Key		A number in decimal, hexadecimal or binary. 
Bits            The key length in bits optionally follows the key
		value, separated by a slash "/".
SPI		Number in decimal, hex or binary---a 32-bit value 256 or
		higher.
Ether0		Ethernet interface.
Ipaddress	IP address in dotted decimal format, or hostname up to 
		39 characters long.
Uport		UDP port between 1 and 65535.
Method		Supported security method.
Method2		Supported security method.


_______ Displaying Security Association Information

The "show sa Name" command shows the entire configuration for the
security association called Name. The output varies with the protocol
used for that security association.  The command also displays the
status of the coprocessor card (PM3-VPN) if the card is not installed
or not operating correctly.

The "show sa table" command displays all security associations in a
summary format.

The "show ipsec module" command displays available IPSec methods.  See
the section titled "SEC-IPIP Commands" for more information.


_______ Creating Security Associations

Use the following commands to create the security association and
define the mode (protocol) that it uses:

  add sa Name
  set sa Name mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none

The "set sa Name mode" command can also be used to change the mode of
an existing security association.  Setting the security association mode
erases any keys that were previously associated with this security
association.

ipip-tunnel     Encapsulates packets into other IP packets.
		No security is provided. See the "IPIP Commands"
		section.

proxy-tunnel   	This is a Lucent proprietary tunneling protocol.
		Tunnel-Proxy places IP packets into UDP packets with an
		MD5 signature for authentication. See the "Proxy-Tunnel
		Commands" section.

sec-ipip-tunnel	Encapsulates packets using the IPSec protocols in
		tunnel mode.  See the "IPSec Commands" section.

none           	Null configuration mode. Packets received on
		this security association are dropped.


_______ Deleting Security Associations

The following command deletes a security association:

  delete sa Name


_______ Common Security Association Configuration Commands

Each security association has a few common commands, and a few 
mode-specific commands. The common commands are listed in this 
section.

The following command sets the IP address of the peer at the other 
end of this tunnel.

  set sa Name peer-identifier Ipaddress

The following command sets the IP address of this end of this tunnel.
The default is to use the address of the Ether0 interface.

  set sa Name local-address @ether0 | @ipaddr


_______ IPSec Commands

To set up a security association using IPSec, you must configure
the following information. First create the security association
and set the mode to "sec-ipip-tunnel" as follows:

  add sa Name
  set sa Name mode sec-ipip-tunnel


Security Parameter Index:

The Security Parameter Index (SPI) is a 32-bit number.  The first 256
values are reserved and cannot be entered by users.  The inbound SPI
set on an IPSec gateway must match the outbound SPI set on the peer.
Be careful not to assign the same SPI to two security associations on
the same PortMaster.

  set sa Name ah-inb-spi | ah-inbound-spi SPI
  set sa Name ah-outb-spi | ah-outbound-spi SPI
  set sa Name esp-inb-spi | esp-inbound-spi SPI
  set sa Name esp-outb-spi | esp-outbound-spi SPI

Examples:
Command> set sa net172 esp-inbound-spi 11111111
Command> set sa net172 esp-outbound-spi 11110000
Command> set sa net172 ah-inbound-spi 11112222
Command> set sa net172 ah-outbound-spi 22220000


Authentication Header (AH) and Encapsulating Security Payload (ESP):

Configure the security proposal to define the methods used for the
Authentication Header (AH) and Encapsulating Security Payload (ESP)
protocols.

ESP is the method used to encrypt the actual data (the "payload")
contained in a packet.

AH is used to authenticate a packet. Authentication guarantees that
the packet comes from the node with which you share a security
association and was not tampered with during transit.

Use the "show ipsec module" command to see which methods are available.

To use both ESP and AH together, specify two methods. Otherwise, just
specify one in the following command:

  set sa Name sec-proposal Method [ Method2 ]

The following methods are supported in ComOS 3.9b8:

esp-des-rfc1827		Uses the Data Encryption Standard-cipher block
			chaining (DES-CBC) encryption protocol defined
			in RFC 1827 and 1829. The keys must be exactly
			64 bits in length.

esp-3des-rfc1827	Uses the triple-DES (3DES) encryption protocol.
			The keys must be exactly 192 bits in length.

ah-md5-rfc1826          Uses the message digest 5 (MD5) hashing protocol
			defined in RFC 1826 and 1828. The keys must be
			between 32 bits and 128 bits in length.

Use the following commands to set inbound and outbound keys for the
chosen protocols:

  set sa Name esp-inbound-key Key[/Bits]
  set sa Name esp-outbound-key Key[/Bits]
  set sa Name ah-inbound-key Key[/Bits]
  set sa Name ah-outbound-key Key[/Bits]

Name	Security association name up to 15 characters long.
Key	Decimal, hexadecimal, or binary key. 
Bits	The key length in bits optionally follows the key value.

Example:
Command> set sa net172 esp-inbound-key 0x0123456789abcd/64
Command> set sa net172 esp-outbound-key 0x0123456789abcd/64
Command> set sa net172 ah-inbound-key 0x0123456789abcd/128
Command> set sa net172 ah-outbound-key 0x0123456789abcd/128

While these examples use the same key for both inbound and outbound,
and for both ESP and AH, you can use different keys for each of these.


_______ Entering Static Keys

You can enter keys as the following types of numbers:

* Hexadecimal (hex)---base 16, starting with 0x
* Decimal (the default)---base 10
* Binary---base 2, starting with 0b

The key value is optionally followed by a slash ("/") and the key
length in bits.

For example:
* 0x12345678/32 is a 32-bit key in hexadecimal.
* 65535/16 is a 16-bit key in decimal.
* 0b1111000011110000/16 is a 16-bit key in binary.

Keys must fall on 8-bit boundaries. Some protocols allow only specific
key lengths, while others allow a range of lengths. Keys are displayed
in hexadecimal format.  High-order bits not specified are zero-filled.
For example, 0x12/32 is the same as 0x00000012/32.  Once the key is
entered, you cannot see it again.

The security of your network depends on picking appropriate keys.  You
can have the PortMaster generate a key by using the special key value
"random".  For example:

  set sa Name esp-inbound-key random

This command generates a random key of the correct length for the
protocol. You must then copy this key to the peer in a secure fashion.


_______ IPIP Commands

To use the IPIP protocol, set the security association to IPIP mode
using the following command:

  set sa Name mode ipip-tunnel


_______ Proxy-Tunnel Commands

To use the Lucent proprietary Proxy-Tunnel protocol, set the security
association mode using the following command:

  set sa Name mode proxy-tunnel

Each end of the tunnel chooses a UDP port between 1 and 65535 for
sending and receiving packets. Lucent strongly recommends using a port
that does not conflict with well known services. The same port number
can be used at both ends, if desired.

  set sa Name proxy-localport Uport
  set sa Name proxy-destport Uport

Each end of the tunnel chooses a shared secret and configures it.
Lucent supports secrets from 8 to 512 bits long, and each secret
must be a multiple of 8 bits long.

  set sa Name proxy-secret Key/Bits

Name		Security association name up to 15 characters long.
Key		Number in decimal, hexadecimal, or binary. 
Bits		Key length in bits.
Uport		UDP Port between 1 and 65535.

Example:
Command> add sa lu77
Command> set sa lu77 mode proxy-tunnel
Command> set sa lu77 proxy-localport 1050
Command> set sa lu77 proxy-destport 1051
Command> set sa lu77 proxy-secret 0x123456789/64
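The key notation from "Entering Static Keys" and the length rules given above for the sec-proposal methods and for proxy-secret, worked through as an added Python example (this is not ComOS code; the default length for a key entered without /Bits is an assumption, noted in the code):

```python
"""Parse and validate ComOS-style static key strings (hexadecimal, decimal
or binary with an optional /Bits suffix) against the key-length rules this
release note gives for each sec-proposal method and for proxy-secret.
Added example, not ComOS code."""

import secrets
from typing import Tuple

# Allowed key lengths in bits, from the method table and the proxy-secret
# paragraph in the note.  A set lists exact sizes; a tuple is an inclusive
# range (lo, hi).
KEY_RULES = {
    "esp-des-rfc1827": {64},
    "esp-3des-rfc1827": {192},
    "ah-md5-rfc1826": (32, 128),
    "proxy-secret": (8, 512),
}


def parse_key(spec: str) -> Tuple[bytes, int]:
    """Return (key_bytes, bits) for specs such as 0x12/32, 65535/16 or
    0b1111000011110000/16.  Raises ValueError on malformed input."""
    value_text, _, bits_text = spec.strip().partition("/")
    value_text = value_text.lower()
    if value_text.startswith("0x"):
        value = int(value_text[2:], 16)
    elif value_text.startswith("0b"):
        value = int(value_text[2:], 2)
    else:
        value = int(value_text, 10)          # decimal is the default base
    if bits_text:
        bits = int(bits_text)
    else:
        # Assumption: the note does not say what length an unsuffixed key
        # gets, so use the smallest whole number of octets that holds it.
        bits = max(8, (value.bit_length() + 7) // 8 * 8)
    if bits % 8:
        raise ValueError(f"{spec}: key length must fall on an 8-bit boundary")
    if value >= 1 << bits:
        raise ValueError(f"{spec}: value does not fit in {bits} bits")
    # High-order bits that were not given are zero-filled, so 0x12/32
    # becomes 0x00000012.
    return value.to_bytes(bits // 8, "big"), bits


def length_allowed(method: str, bits: int) -> bool:
    """True when the method accepts a key of this length."""
    rule = KEY_RULES[method]
    if isinstance(rule, set):
        return bits in rule
    lo, hi = rule
    return lo <= bits <= hi


def validate_key(method: str, spec: str) -> str:
    """Parse the key, check it against the method and return the
    zero-filled hexadecimal form in which ComOS displays keys."""
    key, bits = parse_key(spec)
    if not length_allowed(method, bits):
        raise ValueError(f"{method} does not accept a {bits}-bit key")
    return "0x" + key.hex()


def is_valid(method: str, spec: str) -> bool:
    """Boolean form of validate_key for quick checks of a configuration."""
    try:
        validate_key(method, spec)
        return True
    except ValueError:
        return False


def random_key(method: str) -> str:
    """What the special value 'random' stands for: a fresh key of a length
    the method accepts (the longest allowed when a range is permitted),
    in Key/Bits notation ready to be copied to the peer out of band."""
    rule = KEY_RULES[method]
    bits = max(rule) if isinstance(rule, set) else rule[1]
    return f"0x{secrets.token_bytes(bits // 8).hex()}/{bits}"
```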


_______ Configuring Security Profiles

An IPSec profile defines a set of characteristics -- the security
association and the policy filter -- used on a router interface.
A profile can be attached directly to a network interface, user, or
location, or be assigned to a user with RADIUS.  IPSec profiles use
security association and policy filters to transfer packets. Profile
names can be up to 15 characters long.

Use the following commands to configure IPSec security profiles:

  show table sec-profile
  show sec-profile Name
  show ipsec stat
  add sec-profile Name
  delete sec-profile Name
  set S0 ipsec pda drop | icmpreject | passthrough
  set S0 | W1 | Ether0 ipsec active-profile Name
  set sec-profile Name blank
  set sec-profile Name Number pfilter | policy-filter PFName | none
  set sec-profile Name Number static-sa SAName | none
  set user Username ipsec outsource-profile Name
  set location Locname ipsec outsource-profile Name

Name	Security profile name up to 15 characters long.
Number	Rule number, 1 or higher
PFName	Policy filter name up to 15 characters long.
SAName	Security association name up to 15 characters long


________ Displaying Security Profile Information

The "show table sec-profile" command displays a summary of 
all the sec-profiles.

The "show sec-profile Name" command displays information about the
security profile named.

The "show ipsec stat" command displays a summary of all the
sec-profiles, and the traffic generated:

Router  Profile  Sec-Assoc Mode    In-pkts Out-pkts In-Bad Out-Dropped
port    Type     Name                               Pkts   Pkts
--- ------------------------------------------------------------------
ether0 Active-pr local     sec-ip   3678    4534     0         0
ptp0   Active-pr remote    ipip     2987    3768     0         0


_______ Adding Security Profiles

Use the following command to add a security profile:

  add sec-profile Name

Name	Security profile name up to 15 characters long.


_______ Deleting Security Profiles

Use the following command to delete a security profile:

  delete sec-profile Name

Name	Security profile name.


_______ Setting Security Profiles

Use the following commands to configure a security profile after
adding it:

  set sec-profile Name Number policy-filter PFName
  set sec-profile Name Number static-sa SAName

A profile can be an active profile, a passive profile, or an outsource
profile.

An active profile is applied to outbound traffic and identifies a set of
peers with which the PortMaster knows how to communicate.

Passive profiles are not supported in this release.

An outsource profile refers to security associations established from any
port of the PortMaster, based on the inbound traffic on a port. The
policies set are based on the wire traffic, just as with the policies
on other profiles.


_______ Policy Filters

Policy filters determine which data the PortMaster sends through its
IPSec profiles. Policy filtering takes place right before the
PortMaster routes a packet. The packet is compared against all the
defined policy filters in a security profile. If none apply, the packet
is routed as usual, without any VPN processing.

NOTE: You must be very careful to not create security filters that
might overlap each other in their coverage. For example, IP address
ranges in two filters might overlap. If two filters overlap, only one
security association is applied to the packet and you cannot determine
which one.

Policy filters are created like packet filters. For example, to process
all packets destined for the network 10.200.1.0/24, you can create the
following filter:

  add filter internal.sec
  set filter internal.sec 1 permit 0.0.0.0/0 10.200.1.0/24

Then you add and configure your security profile "examplespf":

  set sec-profile examplespf 1 policy-filter internal.sec

You can also selectively process only certain types of traffic, and not
others using "deny" statements.  For example, you might use the 
following filter to encrypt all traffic except packets to TCP port 80 
for HTTP:

  add filter internal.sec
  set filter internal.sec 1 deny tcp dst eq 80
  set filter internal.sec 2 permit

A "deny" keyword in a policy filter does not block packets that meet 
its criteria. Instead, the "deny" keeps the security association from 
being applied to those packets and passes the IP traffic through, 
unprocessed. If you want to block the traffic entirely, you must place 
input or output packet filters on the appropriate interface(s).
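The policy-filter behaviour described in this section, as an added Python model (not ComOS code): a "deny" hit passes traffic through unprocessed, a "permit" hit selects the entry's static SA, an unmatched packet is routed normally, and a checker flags permit rules in different profile entries whose coverage overlaps. The rule syntax handled is the subset shown above; trying entries in rule-number order is an assumption, since the note says the result of an overlap is undetermined.

```python
"""Offline model of how a ComOS security profile's policy filters select
a security association: a matching 'deny' rule passes the packet through
unprocessed, a matching 'permit' rule applies the entry's static SA, and a
packet no filter covers is routed as usual.  It also flags permit rules in
different profile entries whose coverage overlaps, the case the NOTE above
warns about.  Added example, not ComOS code; the rule syntax handled is
the subset shown in this section."""

from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
# A profile entry pairs a policy filter (its rules in order) with the SA
# that the entry's static-sa names.
Profile = List[Tuple[List[str], str]]


def parse_rule(text: str) -> Dict:
    """Parse 'permit 0.0.0.0/0 10.200.1.0/24', 'deny tcp dst eq 80' or a
    bare 'permit' into a rule dict."""
    tokens = text.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit or deny: {text!r}")
    rule = {"action": tokens[0], "src": ANY, "dst": ANY, "proto": None, "dport": None}
    nets = []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("tcp", "udp", "icmp"):
            rule["proto"] = tok
            i += 1
        elif tok == "dst" and i + 2 < len(tokens) and tokens[i + 1] == "eq":
            rule["dport"] = int(tokens[i + 2])
            i += 3
        else:
            nets.append(ip_network(tok, strict=False))
            i += 1
    if len(nets) == 2:
        rule["src"], rule["dst"] = nets
    elif nets:
        raise ValueError(f"give both source and destination: {text!r}")
    return rule


def rule_matches(rule: Dict, pkt: Dict) -> bool:
    """pkt has 'src' and 'dst' addresses and optional 'proto' and 'dport'."""
    return (ip_address(pkt["src"]) in rule["src"]
            and ip_address(pkt["dst"]) in rule["dst"]
            and rule["proto"] in (None, pkt.get("proto"))
            and rule["dport"] in (None, pkt.get("dport")))


def classify(profile: Profile, pkt: Dict) -> Optional[str]:
    """Return the SA name applied to pkt, 'passthrough' when a deny rule
    matched (traffic is sent unprocessed, not blocked), or None when no
    policy filter applies.  Entries are tried in rule-number order, which
    is an assumption: the note says the outcome is undetermined when
    filters overlap, so run find_overlaps() before trusting the result."""
    for rules, sa_name in profile:
        for text in rules:
            rule = parse_rule(text)
            if rule_matches(rule, pkt):
                return sa_name if rule["action"] == "permit" else "passthrough"
    return None


def _compatible(a, b) -> bool:
    """Two proto/port qualifiers can both match a packet when either is
    unset or both are equal."""
    return a is None or b is None or a == b


def find_overlaps(profile: Profile) -> List[Tuple[int, int]]:
    """Pairs of profile entry numbers (1-based) whose permit rules can both
    cover the same packet.  Deny rules are ignored on purpose, so this is
    conservative: it reports every pair that could collide."""
    permits = []
    for number, (rules, _sa) in enumerate(profile, start=1):
        for text in rules:
            rule = parse_rule(text)
            if rule["action"] == "permit":
                permits.append((number, rule))
    found = set()
    for idx, (n_a, a) in enumerate(permits):
        for n_b, b in permits[idx + 1:]:
            if (n_a != n_b and a["src"].overlaps(b["src"])
                    and a["dst"].overlaps(b["dst"])
                    and _compatible(a["proto"], b["proto"])
                    and _compatible(a["dport"], b["dport"])):
                found.add((n_a, n_b))
    return sorted(found)
```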


_______ Attaching a Security Profile to a Network Interface

Use the following commands to attach a security profile to a network
interface:

  set S0 | W1 | Ether0 ipsec active-profile Name

S0	Serial port.
W1	Synchronous serial port.
Ether0	Ethernet interface.
Name	Security profile name.


_______ Attaching a Security Profile to a User

Use the following command to attach a security profile to a user so
that when the user logs in, the profile is attached to the user's
interface:

  set user Username ipsec outsource-profile Name

Username	Name of a user in the user table.
Name		Security profile name.


_______ Attaching a Security Profile to a Location

Use the following command to attach a security profile to a location so
that when the PortMaster connects to that location, the profile is
attached to the resulting interface.

  set location Locname ipsec outsource-profile Name

Locname		Name of a location in the location table.
Name		Security profile name.


_______ Filter Extensions

The IPSec and IPIP protocols use their own protocols on top of IP,
instead of using UDP or TCP.  You can filter these protocols in packet
filter rules, as in this example:

  add filter eg
  set filter eg 1 permit  esp
  set filter eg 2 permit  ah
  set filter eg 3 permit  ipip

You can also specify the protocol number in the filter as in
this example:

  set filter eg 4 permit proto 4

IPIP is protocol type 4, ESP is protocol type 50, and AH is protocol
type 51.


_______ Resetting IPSec on a Port

The following command resets VPN and IPSec on the designated port:

  reset ipsec S0

S0	Port name.


_______ Debugging and Troubleshooting IPSec

The profiles keep statistics of their traffic.  Use the "show ipsec
stat" command to show how much traffic was sent or received, and 
any invalid packets.

Use the "set console" command, along with the following debug 
commands, to display any errors generated:

  set debug ipsec-max | ipsec-packets | ipsec-state [ on | off ]
  show ipsec modules

The following command turns on all IPSec debugging:

  set debug ipsec-max on

The following command shows packets going through the IPSec subsystem:

  set debug ipsec-packets on

The following command shows state changes in the IPSec processor:

  set debug ipsec-state on

The following command shows which protocols are in this ComOS, and
provides version information for the "mipsboot" file that is run on the
coprocessor card (PM3-VPN):

  show ipsec modules


_______ IPSec Logging

Use the following command to determine which IPSec activities are
logged by the PortMaster:

  set Port ipsec log safail | sasuccess | syslog | console [ on | off ]

The "safail" and "console" options are on by default.

safail
sasuccess
syslog
console


_______ Policy Deny Action

Use the following command to determine what should be done with
packets denied by policy filters.

  set Port ipsec pda drop | icmpreject | passthrough

drop		Default
icmpreject
passthrough


_______ Using RADIUS

IPSec parameters can be configured on a per-user basis with RADIUS.
You must be running Lucent RADIUS server 2.1b6 or another RADIUS server
that supports vendor-specific attributes.

Add the following lines to your RADIUS dictionary, then stop and
restart your RADIUS server:

ATTRIBUTE       Vendor-Specific         26      string

ATTRIBUTE       LE-Terminate-Detail             2   string  Livingston
ATTRIBUTE       LE-Advice-of-Charge             3   string  Livingston
ATTRIBUTE       LE-Connect-Detail               4   string  Livingston
ATTRIBUTE       LE-SA-Id                        5   string  Livingston
ATTRIBUTE       LE-IPSec-Log-Options            9   integer Livingston
ATTRIBUTE       LE-IPSec-Policy-Deny            10  integer Livingston
ATTRIBUTE       LE-IPSec-Active-Profile         11  string  Livingston
ATTRIBUTE       LE-IPSec-Outsource-Profile      12  string  Livingston
ATTRIBUTE       LE-IPSec-Passive-Profile        13  string  Livingston

#
#       IPSEC PROTOCOL TYPES
#
VALUE           LE-IPSec-Log-Options    SA-Success-On   1
VALUE           LE-IPSec-Log-Options    SA-Failure-On   2
VALUE           LE-IPSec-Log-Options    Console-On      3
VALUE           LE-IPSec-Log-Options    Syslog-On       4

VALUE           LE-IPSec-Log-Options    SA-Success-Off  5
VALUE           LE-IPSec-Log-Options    SA-Failure-Off  6
VALUE           LE-IPSec-Log-Options    Console-Off     7
VALUE           LE-IPSec-Log-Options    Syslog-Off      8

#
#       IPSEC POLICY DENY ACTION VALUES
#
VALUE           LE-IPSec-Policy-Deny            Drop            1
VALUE           LE-IPSec-Policy-Deny            ICMP-Reject     2
VALUE           LE-IPSec-Policy-Deny            Pass-Through    3

Each RADIUS attribute or value corresponds to its command line 
equivalent. Refer to the usage information on a particular IPSec 
command in this release note for more information. 

Here is a sample RADIUS user profile for a user configured for IPSec:

pepi    Password = "notpepzi"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        LE-IPSec-Log-Options = Console-On,
        LE-IPSec-Outsource-Profile = "mypro"


_______ Example Configurations

The following are three examples of IPSec configuration.  In each
example, a remote office is configured to connect back to headquarters
via an ISP. The first example uses an IPSec tunnel, the second uses an
IPIP tunnel, and the third uses a Proxy-Tunnel.

The remote office has a Frame Relay connection to a nearby ISP. The
office has been assigned the network 192.168.1.0/24. The corporate
headquarters uses the network 172.16.0.0/16. Headquarters uses the
packet filter rules for the AH and ESP protocols to configure a
firewall that allows IPSec traffic from the 192.168.1.0/24 network to
pass through.  Each location is using a PortMaster 3.

NOTE: These examples use simple keys for readability. For best results
in your configurations, take advantage of the full length of the key.


_______ Example 1: Using IPSec

Both locations are using the PortMaster 3 with the coprocessor card and
need to do both encryption (ESP) and authentication (AH) using DES and
MD5.  The headquarters firewall is configured to allow IPSec traffic
from the 192.168.1.0/24 network through, using the packet filter rules
for AH and ESP.

For IPSec:
* On the remote PortMaster 3, create security association "corp" with
appropriate SPIs, keys, and filter. Then create security profile
"corp_pro" and attach it to a synchronous serial port.

* On the PortMaster at headquarters, create security association "remote"
with appropriate SPIs, keys, and filter. Then create security profile
"remote_pro" and attach it to a synchronous serial port.

pm3-remote (192.168.1.254):
  add sa corp
  set sa corp mode sec-ipip-tunnel
  set sa corp peer-identifier 172.16.1.1
  set sa corp esp-inbound-spi 1001
  set sa corp esp-outbound-spi 1002
  set sa corp ah-inbound-spi 2001
  set sa corp ah-outbound-spi 2002
  set sa corp sec-proposal esp-des-rfc1827 ah-md5-rfc1826
  set sa corp esp-inbound-key 0x9876543210/64
  set sa corp esp-outbound-key 0x1234567890/64
  set sa corp ah-inbound-key 0x98761234/128
  set sa corp ah-outbound-key 0x12349876/128

  add filter corp.sec
  set filter corp.sec 1 permit 192.168.1.0/24 172.16.0.0/16

  add sec-profile corp_pro
  set sec-profile corp_pro 1 policy-filter corp.sec
  set sec-profile corp_pro 1 static-sa corp

  set w0 ipsec active-profile corp_pro
  save all

pm3-corp (172.16.1.1):
  add sa remote
  set sa remote mode sec-ipip-tunnel
  set sa remote peer-identifier 192.168.1.254
  set sa remote esp-inbound-spi 1002
  set sa remote esp-outbound-spi  1001
  set sa remote ah-inbound-spi 2002
  set sa remote ah-outbound-spi 2001
  set sa remote sec-proposal esp-des-rfc1827 ah-md5-rfc1826
  set sa remote esp-inbound-key 0x1234567890/64
  set sa remote esp-outbound-key 0x9876543210/64
  set sa remote ah-inbound-key 0x12349876/128
  set sa remote ah-outbound-key 0x98761234/128

  add filter remote.sec
  set filter remote.sec 1 permit 172.16.0.0/16 192.168.1.0/24

  add sec-profile remote_pro
  set sec-profile remote_pro 1 policy-filter remote.sec
  set sec-profile remote_pro 1 static-sa remote

  set w48 ipsec active-profile remote_pro
  save all


_______ Example 2: Using IPIP

For IPIP, create new security associations "corp_ipip" and
"remote_ipip." Then create an IPIP tunnel and add each new security
association to the appropriate security profile as a static security
association.

pm3-remote (192.168.1.254):
  add sa corp_ipip
  set sa corp_ipip mode ipip-tunnel
  set sa corp_ipip peer-identifier 172.16.1.1
  set sec-profile corp_pro 1 static-sa corp_ipip

pm3-corp (172.16.1.1):
  add sa remote_ipip
  set sa remote_ipip mode ipip-tunnel
  set sa remote_ipip peer-identifier 192.168.1.254
  set sec-profile remote_pro 1 static-sa remote_ipip


_______ Example 3: Using Proxy-Tunnel Protocol

For the Proxy-Tunnel protocol, create new security associations
"corp_prox" and "remote_prox." Then create a proxy tunnel and add each
new security association to the appropriate security profile as a static
security association.

pm3-remote (192.168.1.254):
  add sa corp_prox
  set sa corp_prox mode proxy-tunnel
  set sa corp_prox peer-identifier 172.16.1.1
  set sa corp_prox proxy-localport 1050
  set sa corp_prox proxy-destport 1051
  set sa corp_prox proxy-secret 0x123456789/64
  set sec-profile corp_pro 1 static-sa corp_prox

pm3-corp (172.16.1.1):
  add sa remote_prox
  set sa remote_prox mode proxy-tunnel
  set sa remote_prox proxy-localport 1051
  set sa remote_prox proxy-destport 1050
  set sa remote_prox proxy-secret 0x123456789/64
  set sec-profile remote_pro 1 static-sa remote_prox


_______ Security Concerns

Be aware of the following security concerns when using IPSec:

* Denial of Service. If a large amount of random data has a valid SPI,
the coprocessor card must decrypt the data and then dump it as invalid.
The unnecessary decryption degrades performance and can cause denial of
service for encrypted traffic. However, because the CPU on the
coprocessor card handles only encryption, unencrypted traffic remains
uninterrupted.  Legitimate, but very heavy, traffic can also cause this
problem.

* No Byte Count. Most security protocols recommend that you do not use
the same key for more than a certain number of bytes, depending on the
protocol. Because the keys are manually configured, ComOS does not
count the bytes sent with each key. As a result, you cannot
automatically limit key use by byte count. This limitation will
disappear when key management protocols are implemented in a future
ComOS release.


_______ References

The implementation of IPSec in ComOS is based on the information in the
following sources: 

* RFC 1321, The MD5 Message-Digest Algorithm
* RFC 1825, Security Architecture for the Internet Protocol
* RFC 1826, IP Authentication Header (AH)
* RFC 1827, IP Encapsulating Security Payload (ESP)
* RFC 1828, IP Authentication using Keyed MD5 (AH-MD5)
* RFC 1829, The ESP DES-CBC Transform (ESPDES)
* RFC 2003, IP Encapsulation within IP (IPIP)
* "Applied Cryptography", Bruce Schneier. New York, NY: John Wiley and
  Sons, Inc., 1994. (ISBN 0-471-59756-2):
   - Diffie-Hellman algorithm
   - DES algorithm and DES-CBC method
   - Triple-DES (3DES)



_______________ Configuring NAT

ComOS 3.9b8 supports the network address translator (NAT) based
on the latest IETF NAT document draft-ietf-nat-traditional-01.txt.
The basic network address translator (basic NAT) capability maps IP
addresses from one group to another, transparently to users and
applications. The network address port translator (NAPT) capability
is an extension to basic NAT in which multiple network addresses
and their TCP and UDP ports are mapped to a single network
address and its ports.

ComOS supports both basic NAT and NAPT for both outbound and inbound
sessions. It also supports an "outsource" mode in which all NAT
processing is done on the server-side of the connection.

While this release note only covers the PortMaster 3, other PortMaster
products will also be supporting NAT and may be used in the examples in
this section.  None of the IP addresses or networks used in the
examples are intended to refer to any actual real-world company or
network assignment.

_______ Quick Setup of Outbound NAPT ("Many-->One")

Outbound NAPT is very common in a small office/home office (SOHO)
situation. To configure, use the following command---entered all on one
line:

    set Ether0 | S0 | W1 | location Locname | user Username
    nat outmap defaultnapt

The port, location, or user is your connection to the outside world.
For example, on a PortMaster dialing out to location "myisp" you enter
the following:

    set location myisp nat outmap defaultnapt

Then connect normally. You must reset the port if the connection
has already been established. If this is a dial-on-demand location,
then you must also reboot the PortMaster.

With the "defaultnapt" NAT configuration, all the hosts behind the
PortMaster will have their addresses translated to the IP address of
the interface that is assigned to the location.


_______ Concepts

This section explains some of the terminology and hints to assist you
in developing more complex NAT configurations in ComOS.

For example, you might want to allow inbound connections---external
connections into a web server that resides behind the PortMaster
running NAT. Or you might need to renumber your network and want to use
basic NAT to avoid renumbering the entire network.


Private vs. Global IP Addresses:

Global IP addresses are accessible from anywhere on the Internet.  They
are  "external" to the PortMaster running NAT---at another branch
office, for example, because NAT is not limited to the Internet.
External hosts do not generally recognize any internal private IP
addresses that you might have assigned to your local hosts.  Private IP
addresses are usually taken from one of the following ranges defined in
RFC 1918, which are reserved specifically for this purpose:

    10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
    172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
    192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Lucent strongly recommends numbering your private IP network(s) with IP
addresses from one of the reserved ranges rather than just selecting IP
addresses randomly.


Inbound vs. Outbound Sessions:

A "session" in NAT is considered either inbound or outbound:

* An inbound session is initiated to a client behind the NAT router by
a host external to a private IP network.

* An outbound session is initiated to an external host by a client within
the NAT-covered private IP network.


Basic NAT vs. NAPT:

Basic NAT does a one-to-one mapping of a private IP address to a global
IP address. You still must have a global IP address for every host with
a private IP address that needs to connect to an external host at the
same time.

With basic NAT, you can configure dynamic IP address pools from which
IP address allocations are made, allowing a number of private hosts to
use a (possibly) smaller pool of global IP addresses. Or you can
configure static IP address pools in which a static mapping exists for
each host, requiring the size of the pool to match the number of hosts
being translated.

If you configure a dynamic pool and have fewer global IP addresses
available than total private hosts, you will have a shortage of IP
addresses if all the hosts try to access the external network
simultaneously. This possibility needs to be accounted for in your
planning.

The network address port translator (NAPT) performs "port translation,"
allowing a number of hosts to communicate globally using only a single
global IP address.


Outsource Mode NAT:

Outsource mode NAT allows a PortMaster to handle NAT processing and
management for a connected network interface. If a remote router that
the PortMaster is connected to cannot run NAT locally, the PortMaster
can perform NAT services for that device.

All NAT configuration is handled on the PortMaster. A central site
administrator can maintain all NAT mappings for all sites on the
PortMaster without having to worry about the capabilities or management
of a number of entirely separate routers.


_______ Map Management

NAT maps define the mappings and translations between global and
private IP address space. The following map table commands are
supported:

   show table map		Shows all map files.
   show map Mapname		Displays a map's contents.
   add map Mapname		Creates a new map.
   delete map Mapname		Deletes a map.
   save map			Saves map contents into nonvolatile RAM.

See the following section for map configuration commands.


_______ Configuring Map Contents

Entering NAT maps is very similar to configuring filters in ComOS.  The
basic command "set map Mapname" has five versions that you can use as
follows---entered all on one line:

1.  To define a single dynamic pool IP address map entry or range or
    list of entries, use the following command:

    set map Mapname Rulenumber addressmap 
	Ipaddrxfrom Ipaddrxto | @ipaddr [log]

2.  To define a single static pool IP address map entry or range
    or list of entries, use the following command:

    set map Mapname Rulenumber staticaddressmap
	Ipaddrxfrom Ipaddrxto | @ipaddr [log]

3.  To define a static or dynamic TCP or UDP port range map
    entry or list of entries, use the following command:

    set map Mapname Rulenumber static-tcp-udp-portmap
    	Ipaddrxfrom:Tport1 | Uport1 | Portname
    	Ipaddrxto:Tport2 | Uport2 | Portname [log]

4.  To remove rule Rulenumber in a map file, use the following
    command:

    set map Mapname Rulenumber

5.  To empty the contents of a map file, use the following command:

    set map Mapname blank

Mapname		Address map name of up to 15 characters.
Rulenumber	Integer between 1 and 20
Ipaddrxfrom	IP address or range or list of IP addresses to be translated.
Ipaddrxto	IP address or range or list of IP addresses to translate to.
Tport		TCP number or range of numbers---between 1 and 65535.
Uport		UDP number or range of numbers---between 1 and 65535.
Portname	One of the following:
		telnet	TCP port 23.
		ftp	TCP ports 20 and 21.
		tftp	UDP port 69.
		http	TCP port 80.
		dns	TCP/UDP port 53.
		smtp	TCP port 25.
@ipaddr		IP address of the port being configured as the destination
		address.
log		Selectively logs events for this map entry.

The following keywords have abbreviations for ease of entry:

    addressmap = amap
    staticaddressmap = samap
    static-tcp-udp-portmap = stupm

Values for "Ipaddrxfrom" and "Ipaddrxto" can be a combination of the
following, separated by commas (,):

     IP address/mask
     IP address - IP address
     IP address1,Ipaddress2, ...
     IP address

The value for "Tport" or "Uport" can be a single port number or a range
of ports such as "6000-6010" (for an inbound X Server) that you want
statically mapped. This capability prevents your needing 10 map rules
to accomplish the same mapping.

Address mapping is applied to the first packet of the NAT session.
When an inbound address map is defined for a port with this command,
the translation succeeds only when the destination IP address of the
first packet matches the "Ipaddrxfrom" address in the command.  

Example 1:

An Office Router with IP address 192.168.129.129 is running NAT on a
connection using the location "myisp".

1. Configure rule 1 for inbound NAT map myisp.inmap:

    set map myisp.inmap 1 static-tcp-udp-portmap 192.168.129.129:http
	10.1.1.25

2. Configure the location:

    set location myisp nat inmap myisp.inmap

    BEFORE Inbound packet translation:

    Src: 130.65.2.3:12023  Dest: 192.168.129.129:80 (80 is http)

    AFTER translation using the above map:

    Src: 130.65.2.3:12023  Dest: 10.1.1.25:80 (80 is http)

Using the "Ipaddrxfrom" and "Ipaddrxto" values for an address map
allows you to configure one-to-one mappings of private IP addresses to
global IP addresses. Using lists of addresses for these values allows
the configuration of IP address allocation pools, from which global IPs
can be dynamically or statically allocated for outbound sessions as
they are required.

Example 2:

As a special case, the "Ipaddrxto" value for an address map can be set
to "@ipaddr", when the address map is being used for outbound or
outbound outsource. The special macro "@ipaddr" uses the IP address
assigned to the port for which the address map is being used. The
reserved map "defaultnapt" described in the section "Configuring
Locations, Ports, and Users" is equivalent to the following map:

    1 AddressMap 0.0.0.0/0 @ipaddr Log

Example 3:

Suppose you are using the "defaultnapt" map for outbound connections
and want to allow an Internet host to connect to your internal FTP
server, which is running on 10.4.2.9. To do so, you configure the
following as an inbound map. You also have at least one global IP
address, 192.168.2.4, assigned to your PortMaster as the global source
address for all hosts residing behind NAT:

1. Configure rule 1 for inbound NAT map myisp.inmap:

    set map myisp.inmap 1 static-tcp-udp-portmap 192.168.2.4:ftp
	10.4.2.9:ftp

2. Configure location myisp:

    set location myisp nat inmap myisp.inmap

Example 4:

Here is an outbound map that maps the host with the private IP address
10.5.3.6 to the global IP address 192.168.5.3. This is considered a
basic NAT configuration. Notice that the two types of address maps are
equivalent ONLY if you are mapping single IP addresses.

1. Configure rule 1 for outbound NAT map myisp.outmap:

    set map myisp.outmap 1 addressmap 10.5.3.6 192.168.5.3
        (or)
    set map myisp.outmap 1 staticaddressmap 10.5.3.6 192.168.5.3

2. Configure location myisp:

     set location myisp nat outmap myisp.outmap

Example 5:

Here is a configuration using a global dynamic IP address pool range of
192.168.9.1 through 192.168.9.10 for hosts in the private network
10.9.9.0/24 for outbound NAT:

1. Configure rule 1 for outbound NAT map myisp.outmap:

    set map myisp.outmap 1 AddressMap 10.9.9.0/24 192.168.9.1-192.168.9.10

2. Configure the user, location, or port as shown in the previous
   examples.

Example 6:

The following creates a static IP address pool. The private IP address
range 10.1.1.0/24 will be translated to the global IP address range
192.168.65.0/24 on the outbound transmission:

1. Configure rule 1 for outbound NAT map myisp.outmap:

    set map myisp.outmap 1 staticaddressmap 10.1.1.0/24 192.168.65.0/24

2. To allow inbound sessions to the same set of hosts, create an
inbound map such as the following and apply it to the port:

    set map myisp.inmap 1 staticaddressmap 149.98.65.0/24 10.1.1.0/24

Note that both sides do not have to be using the same notation---the
standard "Ipaddrxfrom" and "Ipaddrxto" syntax still applies. However,
the total ranges on both sides must have the same number of IP
addresses; otherwise, a one-to-one mapping is not possible. If you
cannot do one-to-one mapping, create a dynamic IP pool, reduce the
number of IP addresses being translated, or perhaps use NAPT for all or
part of the private hosts instead.

Although you have NAT configured for a specified port, user, or
location, you are not required to translate the addresses of all the
hosts behind the PortMaster running NAT. You can choose the hosts that
NAT processing is done for by designing your maps around them.
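The map rules described in this section, worked through as an added Python model (not ComOS code): it parses the Ipaddrxfrom/Ipaddrxto notations and the Portname keywords, builds static address maps (enforcing the equal-size rule stated above) and static TCP/UDP port maps, and applies them to an inbound packet as in Examples 1 and 3. Trying map rules in rule-number order with the first match winning is an assumption.

```python
"""Offline model of the ComOS NAT map rules described in this section:
parses the Ipaddrxfrom / Ipaddrxto address notations and the Portname
keywords, builds static one-to-one address maps (enforcing the equal-size
rule stated above) and static TCP/UDP port maps, and applies them to the
destination of an inbound packet as in Examples 1 and 3.  Added example,
not ComOS code."""

from ipaddress import ip_address, ip_network, summarize_address_range
from typing import Dict, List, Optional, Tuple

# Portname keywords from the note: (protocol, list of ports)
PORTNAMES = {
    "telnet": ("tcp", [23]), "ftp": ("tcp", [20, 21]), "tftp": ("udp", [69]),
    "http": ("tcp", [80]), "dns": ("tcp/udp", [53]), "smtp": ("tcp", [25]),
}


def parse_addresses(text: str) -> List[int]:
    """Expand 'a.b.c.d/mask', 'a.b.c.d - w.x.y.z', a comma-separated list or
    a single address into an ordered list of integer addresses."""
    result: List[int] = []
    for part in text.split(","):
        part = part.strip()
        if "/" in part:
            result.extend(int(h) for h in ip_network(part, strict=False))
        elif "-" in part:
            lo, hi = (ip_address(p.strip()) for p in part.split("-", 1))
            for net in summarize_address_range(lo, hi):
                result.extend(int(h) for h in net)
        else:
            result.append(int(ip_address(part)))
    return result


def parse_ports(text: str) -> Tuple[Optional[str], List[int]]:
    """'http' -> ('tcp', [80]); '6000-6010' -> (None, [6000, ..., 6010])."""
    if text in PORTNAMES:
        return PORTNAMES[text]
    if "-" in text:
        lo, hi = (int(p) for p in text.split("-", 1))
        ports = list(range(lo, hi + 1))
    else:
        ports = [int(text)]
    if not ports or not all(1 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range: {text!r}")
    return None, ports


def one_to_one_possible(from_text: str, to_text: str) -> bool:
    """A static address map needs the same number of addresses on each side."""
    return len(parse_addresses(from_text)) == len(parse_addresses(to_text))


def static_address_map(from_text: str, to_text: str) -> Dict[int, int]:
    """staticaddressmap rule: one-to-one translation, first to first."""
    if not one_to_one_possible(from_text, to_text):
        raise ValueError("ranges differ in size; use a dynamic pool or NAPT")
    return dict(zip(parse_addresses(from_text), parse_addresses(to_text)))


def static_port_map(from_text: str, to_text: str) -> Dict[Tuple[int, int], Tuple[int, int]]:
    """static-tcp-udp-portmap rule 'Ipaddr:Port Ipaddr[:Port]'.  When the
    destination side gives no port (Example 1 maps '...:http' to
    '10.1.1.25'), the original port is kept."""
    f_addr, f_port = from_text.split(":", 1)
    t_addr, _, t_port = to_text.partition(":")
    f_ports = parse_ports(f_port)[1]
    t_ports = parse_ports(t_port)[1] if t_port else f_ports
    if len(f_ports) != len(t_ports):
        raise ValueError("port ranges on both sides must be the same size")
    src, dst = int(ip_address(f_addr)), int(ip_address(t_addr))
    return {(src, fp): (dst, tp) for fp, tp in zip(f_ports, t_ports)}


def translate_inbound(rules: List[Dict], pkt: Dict) -> Dict:
    """Rewrite the destination of an inbound packet using the map rules in
    rule-number order; the first matching rule wins (an assumption, the
    note does not state the order).  An unmatched packet is returned
    unchanged, which is where the policy-deny action would then apply."""
    dst = int(ip_address(pkt["dst"]))
    out = dict(pkt)
    for rule in rules:
        if (dst, pkt.get("dport")) in rule:          # port-map rule
            new_dst, new_port = rule[(dst, pkt["dport"])]
            out["dst"], out["dport"] = str(ip_address(new_dst)), new_port
            return out
        if dst in rule:                               # address-map rule
            out["dst"] = str(ip_address(rule[dst]))
            return out
    return out
```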


_______ Configuring Locations, Ports, and Users

The basic command "set Ether0 | S0 | W1 | location Locname | user
Username" has five NAT versions that you can use as follows---entered
all on one line---to configure the NAT connection to the outside
world:

1.  To set the maximum idle time for a NAT session, use the following
    command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat sessiontimeout tcp | other Number [minutes | seconds]

2.  To set logging options for a NAT session on an interface, use the
    following command:

    set Ether0 | S0 | W1 | location Locname | user Username
	nat log sessionfail | sessionsuccess | syslog | console
	on | off

3.  To set the default action that the PortMaster takes if a request for
    a NAT session is refused because the mapping configuration is invalid
    or does not exist, use the following command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat session-direction-fail-action drop | icmpreject | passthrough

4.  To set the direction of an address map as inbound and optionally
    enable the outsource function, use the following command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat inmap Mapname [outsource]

5.  To set the direction of an address map as outbound and optionally
    enable the outsource function, use the following command:

    set Ether0 | S0 | W1 | location Locname | user Username
    	nat outmap Mapname [outsource]

Leaving off the Mapname removes the map entry.

You can assign the reserved map name "defaultnapt" to "outmap" for an
outbound-only NAPT configuration, with the following results:

* When "defaultnapt" is assigned as an outbound map without the
"outsource" option, all outbound IP sessions through the given port are
subject to NAPT, using the IP address assigned to the port.

* When "defaultnapt" is assigned as an outbound map for an outsource
port---using "outsource" in the command line---all inbound IP sessions
through the given port are subject to outsource NAPT, using the IP
address assigned to the port.

NOTE: In this release of NAT, inbound maps are restricted to static
address maps and static TCP/UDP port maps only. Outbound maps do not
have this limitation.


_______ Using RADIUS

Many NAT configuration parameters can also be configured via RADIUS on
a per-user basis. For RADIUS to support the new vendor-specific
attributes, you must be running Lucent RADIUS server 2.1b6 or later and
must add the following to your RADIUS dictionary, then stop and restart
your RADIUS server.

RADIUS Dictionary Updates:

ATTRIBUTE	LE-NAT-TCP-Session-Timeout	14	integer	Livingston
ATTRIBUTE	LE-NAT-Other-Session-Timeout	15	integer	Livingston
ATTRIBUTE	LE-NAT-Log-Options		16	integer	Livingston
ATTRIBUTE	LE-NAT-Sess-Dir-Fail-Action	17	integer	Livingston
ATTRIBUTE	LE-NAT-Inmap			18	string	Livingston
ATTRIBUTE	LE-NAT-Outmap			19	string	Livingston
ATTRIBUTE	LE-NAT-Outsource-Inmap		20	string	Livingston
ATTRIBUTE	LE-NAT-Outsource-Outmap		21	string	Livingston

VALUE	LE-NAT-Sess-Dir-Fail-Action	Drop		1
VALUE	LE-NAT-Sess-Dir-Fail-Action	ICMP-Reject	2
VALUE	LE-NAT-Sess-Dir-Fail-Action	Pass-Through	3

VALUE	LE-NAT-Log-Options	Session-Success-On	1
VALUE	LE-NAT-Log-Options	Session-Failure-On	2
VALUE	LE-NAT-Log-Options	Console-On	3
VALUE	LE-NAT-Log-Options	Syslog-On	4
VALUE	LE-NAT-Log-Options	Success-Off	5
VALUE	LE-NAT-Log-Options	Failure-Off	6
VALUE	LE-NAT-Log-Options	Console-Off	7
VALUE	LE-NAT-Log-Options	Syslog-Off	8

Each RADIUS parameter corresponds to its command line equivalent. Refer
to the usage information on a particular NAT command in this release
note for more information.

The LE-NAT-Log-Options attribute, which sometimes requires multiple
values, must have the values listed in succession one after another as
in the following user profile:

joe	Auth-Type = System, Framed-Protocol = PPP
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	LE-NAT-Outmap = "defaultnapt",
	LE-NAT-Sess-Dir-Fail-Action = Drop,
	LE-NAT-Log-Options = Session-Failure-On,
	LE-NAT-Log-Options = Console-On
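Because a misspelled attribute or an undefined VALUE name in a users-file
entry is only discovered after the RADIUS server has been restarted, the
following added Python example (not ComOS or Lucent RADIUS server code)
parses the dictionary additions above exactly as they appear in this
release note and checks the LE-NAT-* reply items of a profile against
them. The function names (parse_dictionary, parse_profile,
check_nat_items), the "ann" profile and the rule that an "On" value paired
with its "Off" counterpart is a mistake are the example's own; the "joe"
profile is the one shown above.

```python
"""Check the LE-NAT-* reply items of a Lucent RADIUS users-file entry.

Added example, not ComOS or Lucent RADIUS server code. It parses the
ATTRIBUTE and VALUE lines from the release note and resolves each
LE-NAT-* reply item so that a misspelled attribute, an undefined VALUE
name, a non-numeric timeout or a contradictory pair of LE-NAT-Log-Options
values is caught before the server is restarted.
"""

# The dictionary additions from the release note, copied verbatim.
DICTIONARY = """
ATTRIBUTE  LE-NAT-TCP-Session-Timeout    14  integer  Livingston
ATTRIBUTE  LE-NAT-Other-Session-Timeout  15  integer  Livingston
ATTRIBUTE  LE-NAT-Log-Options            16  integer  Livingston
ATTRIBUTE  LE-NAT-Sess-Dir-Fail-Action   17  integer  Livingston
ATTRIBUTE  LE-NAT-Inmap                  18  string   Livingston
ATTRIBUTE  LE-NAT-Outmap                 19  string   Livingston
ATTRIBUTE  LE-NAT-Outsource-Inmap        20  string   Livingston
ATTRIBUTE  LE-NAT-Outsource-Outmap       21  string   Livingston
VALUE  LE-NAT-Sess-Dir-Fail-Action  Drop          1
VALUE  LE-NAT-Sess-Dir-Fail-Action  ICMP-Reject   2
VALUE  LE-NAT-Sess-Dir-Fail-Action  Pass-Through  3
VALUE  LE-NAT-Log-Options  Session-Success-On  1
VALUE  LE-NAT-Log-Options  Session-Failure-On  2
VALUE  LE-NAT-Log-Options  Console-On          3
VALUE  LE-NAT-Log-Options  Syslog-On           4
VALUE  LE-NAT-Log-Options  Success-Off         5
VALUE  LE-NAT-Log-Options  Failure-Off         6
VALUE  LE-NAT-Log-Options  Console-Off         7
VALUE  LE-NAT-Log-Options  Syslog-Off          8
"""

# Each "On" log option has an "Off" counterpart; a profile carrying both
# is treated as a configuration mistake (the example's own rule).
LOG_OPTION_PAIRS = [("Session-Success-On", "Success-Off"),
                    ("Session-Failure-On", "Failure-Off"),
                    ("Console-On", "Console-Off"),
                    ("Syslog-On", "Syslog-Off")]
OPPOSITE = {a: b for pair in LOG_OPTION_PAIRS for a, b in (pair, pair[::-1])}


def parse_dictionary(text):
    """Return (attrs, values): name -> (id, type, vendor), attr -> {value: n}."""
    attrs, values = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["ATTRIBUTE"]:
            _, name, num, typ, vendor = parts
            attrs[name] = (int(num), typ, vendor)
        elif parts[:1] == ["VALUE"]:
            _, attr, vname, num = parts
            values.setdefault(attr, {})[vname] = int(num)
    return attrs, values


def parse_profile(text):
    """Split a users-file entry into (username, [(attr, value), ...]).

    The first line carries the user name and the check items; the indented
    continuation lines carry the comma-separated reply items.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    reply = []
    for line in lines[1:]:
        for item in line.split(","):
            if item.strip():
                name, _, value = item.partition("=")
                reply.append((name.strip(), value.strip().strip('"')))
    return lines[0].split()[0], reply


def check_nat_items(profile_text, dictionary_text=DICTIONARY):
    """Resolve every LE-NAT-* reply item; return (resolved, problems).

    resolved lists (name, id, type, value) in profile order, so a
    multi-valued LE-NAT-Log-Options keeps its sequence.
    """
    attrs, values = parse_dictionary(dictionary_text)
    _, reply = parse_profile(profile_text)
    resolved, problems, seen_log = [], [], set()
    for name, val in reply:
        if not name.startswith("LE-NAT-"):
            continue                        # standard attributes not checked
        if name not in attrs:
            problems.append(f"{name}: not in dictionary")
            continue
        attr_id, typ, _vendor = attrs[name]
        if typ != "integer":
            resolved.append((name, attr_id, typ, val))
            continue
        if name in values:                  # enumerated: VALUE name required
            if val not in values[name]:
                problems.append(f"{name}: undefined VALUE name {val!r}")
                continue
            number = values[name][val]
        elif val.isdigit():                 # plain integer such as a timeout
            number = int(val)
        else:
            problems.append(f"{name}: expected an integer, got {val!r}")
            continue
        resolved.append((name, attr_id, typ, number))
        if name == "LE-NAT-Log-Options":
            if OPPOSITE[val] in seen_log:
                problems.append(f"{name}: {val} contradicts earlier {OPPOSITE[val]}")
            seen_log.add(val)
    return resolved, problems


# The profile from the release note (tabs as in a Livingston users file).
GOOD_PROFILE = ("joe\tAuth-Type = System, Framed-Protocol = PPP\n"
                "\tService-Type = Framed-User,\n\tFramed-Protocol = PPP,\n"
                "\tFramed-IP-Address = 255.255.255.254,\n"
                '\tLE-NAT-Outmap = "defaultnapt",\n'
                "\tLE-NAT-Sess-Dir-Fail-Action = Drop,\n"
                "\tLE-NAT-Log-Options = Session-Failure-On,\n"
                "\tLE-NAT-Log-Options = Console-On\n")

# A constructed profile with an undefined fail-action name and a
# Syslog-On/Syslog-Off pair.
BAD_PROFILE = ("ann\tAuth-Type = System\n\tService-Type = Framed-User,\n"
               '\tLE-NAT-Outmap = "defaultnapt",\n'
               "\tLE-NAT-Sess-Dir-Fail-Action = Reject,\n"
               "\tLE-NAT-TCP-Session-Timeout = 600,\n"
               "\tLE-NAT-Log-Options = Syslog-On,\n"
               "\tLE-NAT-Log-Options = Syslog-Off\n")

if __name__ == "__main__":
    for profile in (GOOD_PROFILE, BAD_PROFILE):
        print(parse_profile(profile)[0], check_nat_items(profile))
```

The checker deliberately keeps both LE-NAT-Log-Options values of the "joe"
profile in order, since that is how the server is expected to read them;
only an On/Off pair for the same target is reported.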


_______ Session Management

NAT sessions can be managed, viewed, and reset in several ways.

You can display the currently active NAT sessions using the following
command:

  show nat sessions

You can limit the display to the sessions for a single port, user, or
location by appending a regular expression at the end of the command
line, as you can do with the "show routes" command.  

You can also view real-time statistics on NAT:

  show nat statistics

This command displays statistics on a per port basis, including
successful translations, failures, address shortages when you are
using IP pools, and unsuccessful translations and/or lookups due
to timeouts.

Use the following command for debugging and to see resource usage:

  show nat mapusage

This command displays a list of active IP address and port bindings,
including a list of the remaining resources---TCP/UDP ports or IP
addresses---available for use.


_______ Resetting NAT Sessions

You can reset the entire NAT subsystem with the following command:

    reset nat [Ether0 | S0 | W1]

The default resets all existing NAT sessions on the PortMaster---like
the "reset all" command. Specifying the name of an interface resets all
NAT sessions associated with the specified interface. Use the
"ifconfig" command to see a list of interfaces.

CAUTION! Resetting any or all interfaces while sessions are active
might cause active connections on clients and servers to be left open
or terminated abruptly. Lucent recommends NOT entering this command
while the PortMaster is being used because doing so can leave
connections in an unknown state between the two communicating hosts.

Resetting NAT affects already active NAT sessions only. If the NAT
configuration on an active port has been modified, you must reset the
port directly.


_______ Resetting Individual NAT Sessions

You can delete individual NAT sessions by using the session ID. This
value is displayed in the first column of a "show nat sessions"
output.  Determine the session ID and then enter the following
command:

  delete nat sessions [Sessionid]


_______ Administrative Concerns

Be aware that you might need to do the following when configuring your
network in the presence of a NAT.

Stopping the Advertisement of Routing Information:

NAT creates a private network that cannot be advertised outside the
private boundary delimited by the NAT router. As a result, you must be
sure to disable network advertisements on the NAT router's global
interface.

For example, if you are running NAT on an IRX-211, with Ether0 as your
private interface and Ether1 as your global interface with NAT enabled
on it, you must disable RIP broadcasts on Ether1:

    set ether1 rip listen

Or use the "off" option if you do not need to listen to route updates at
all.

If you are using OSPF, you must specify the private IP address range as
"quiet":

  set ospf area 0.0.0.0 range 10.0.0.0/8 quiet

If you are using BGP, you must not advertise any private IP address
blocks to the outside world.

Rerouting Global IPs Used by NAT to Static Routing:

Because NAT does not advertise routes, the global IP addresses (or
networks) used by NAT might require static routes on the routers that
are external peers of the PortMaster.

Particularly, if you are using basic NAT to manage a pool of global
addresses, you must configure a static route for the pool of addresses
on the next-hop router of the PortMaster.


Avoiding Ethernet LANs:

NAT does not provide Ethernet ARP services for the global IP addresses
it uses. For this reason, Lucent recommends configuring NAT on WAN
interfaces instead of Ethernet interfaces. If you choose to configure
basic NAT on a LAN interface, be sure to select a global IP address
block for NAT that does not fall within the network prefix of the LAN
interface itself.


Determining If Additional Security, Privacy, and/or Firewalls Are Needed:

Security is viewed differently in different environments. Many people
view NAT as a one-way (session) traffic filter, restricting sessions
from external hosts into their network. In that context, NAT provides a
certain degree of security that might not be acceptable for your
situation.

In addition, address assignment in NAT is often done dynamically.
Dynamically assigned addresses can often hinder an attacker from
pointing to any specific host in the NAT domain as a potential target
of attack. Partial privacy is gained because tracing an individual
connection to a particular user is more difficult.  You can use
firewalls with NAT maps to provide other ways to filter unwanted
traffic. However, NAT maps cannot by themselves transparently support
all applications and often must co-exist with application-level
gateways (ALGs)---for example, SOCKS. If you use NAT, you must
determine the application requirements first so that you can assess the
extensions to NAT and the security they provide.

NAT routers have an inherent security limitation: NAT and its
application-level gateway extensions must read the packet data of the
end-user traffic that passes through them. This is a security problem
if the NAT routers are not inside a trusted boundary.

Although you can encrypt NAT traffic, NAT must usually be the end point
to such an encryption-decryption setup. For example, you cannot
configure end-to-end IPSec with NAT routers in between. The end
point(s) must be a router running NAT.

Lucent does not guarantee NAT as a complete security solution.
Although placing your private network behind NAT might make it
seem inaccessible from the outside, that is not the purpose of NAT.
You must evaluate the particular configuration, network topology,
and security requirements of your organization to determine whether
simply installing NAT eliminates the need for further security measures
such as a firewall.


Mapping for DNS:

When configuring DNS on the hosts behind NAT, if you add a map similar
to the following on the internal interface---usually Ether0 on an
Office Router---you can enter the IP address of your Office Router as
the DNS server. This is a useful feature if you do not always have the
same DNS server, because of multiple providers, but do not want to
reconfigure all your private hosts. Use the following commands---enter
each all on one line:

    set map dns.inmap 1 static-tcp-udp-portmap
        @ipaddr:dns <Primary DNS IP address>
    set ether0 nat inmap dns.inmap
    set location Locname nat outmap defaultnapt


Handling Changes to On-Demand Locations:

Because of the way that on-demand locations and their corresponding
interfaces are traditionally handled within ComOS, NAT configuration
changes might not take effect in the way you expect. To get around
this problem, you can either reboot immediately after changing the
settings for a location that is currently set to on-demand, or do the
following:

1. Enter "set location Locname maxports 0".

2. Enter "reset dialer".

3. Change whatever settings you need to.

4. Enter the following:

   set location Locname maxports <old_max_ports>

Manually dialed locations are unaffected.


_______ NAT Examples

1.  Dial-Out Location Using defaultnapt with a Dynamically Assigned PPP
    IP Address:

Your Office Router OR-U is dialing into a corporate network's
PortMaster 3 (192.168.2.5). The PortMaster 3 has one dynamically
assigned IP address for the Office Router in a NAPT configuration.
Everything behind the Office Router is subject to NAPT. You configure
the Office Router as follows:

    add location corporate
    set location corporate phone 5558583
    set location corporate username joeuser
    set location corporate password secrets
    set location corporate destination 192.168.2.5
    set location corporate max 2
    set location corporate idle 15 minutes
    set location corporate on-demand
    set location corporate local-ip-address assigned
    set location corporate nat outmap defaultnapt


2. Preventing Address Renumbering Using Basic NAT on an Office Router:

Company ABC, Inc. (198.34.4.0/24) has just merged with Big Company
(25.0.0.0/8) and must renumber its hosts to access Big Company's
network. ABC has an ISDN connection from its Office Router to Big
Company's network. Big Company has just assigned ABC the IP range
25.9.1.0/24 to use. ABC configures its Office Router as follows:

    add map abc.outmap
    set map abc.outmap 1 addressmap 198.34.4.0/24 25.9.1.0/24
    add location bigcomp
    set location bigcomp phone 5558583
    set location bigcomp username abc
    set location bigcomp password bigsecret
    set location bigcomp destination 25.1.1.7
    set location bigcomp max 2
    set location bigcomp idle 15 minutes
    set location bigcomp on-demand
    set location bigcomp local-ip-address 25.9.1.254
    set location bigcomp nat outmap abc.outmap

The abc.outmap NAT map will assign IP addresses dynamically
as needed. If ABC wants to have static translations, abc.outmap
on the Office Router must be changed as follows:

    set map abc.outmap 1 staticaddressmap 198.34.4.0/24 25.9.1.0/24


3. Address Redirection to Perform Server Maintenance Using an IRX-211:

The following two servers on your Ether1 provide inbound FTP and Web
service:

* primary.web.com at 129.65.2.1

* backup.web.com at 129.65.2.2

The IP addresses of primary and backup are global IP addresses.
However, you need to take primary off-line to perform some maintenance
work. Just before shutting down primary, you configure an inbound map
on Ether0 that statically maps primary's address to backup. You use a
basic NAT setup as follows:

    add map ether0.inmap
    set map ether0.inmap 1 addressmap 129.65.2.1 129.65.2.2
    set ether0 nat inmap ether0.inmap
    reset nat

As part of this configuration, you might also want to set the NAT
session-direction-fail-action (SDFA) to passthrough:

    set ether0 nat sdfa passthrough

This setting prevents NAT from intercepting outbound packets from the
remapped host when primary returns to service and you want to run a
telnet or FTP session from it.


4. T1 or Fractional T1 (WAN) Link Using defaultnapt for Outbound and
   Providing Inbound HTTP Service:

Line1 on your PortMaster 3 is a T1 (WAN) link with a private network
10.0.0.0/8 behind it. The T1 point-to-point interfaces are numbered
with global addresses (local: 192.168.44.99, dest: 192.168.44.254). The
HTTP server in the private network resides at 10.1.1.10. You configure
the PortMaster 3 as follows:

    set w24 address 192.168.44.99
    set w24 destination 192.168.44.254
    set w24 nat outmap defaultnapt
    add map w24.inmap
    set map w24.inmap 1 static-tcp-udp-portmap 192.168.44.99:http 10.1.1.10:http
    set w24 nat inmap w24.inmap
    reset w24


5. Dial-In User Using defaultnapt in Outsource Mode:

You want to provide NAT service to a user by connecting him or her in
an outsource-mode NAPT configuration using the defaultnapt map on a
PortMaster 3 (192.168.96.162). The global IP address 192.168.129.130 is
assigned to the dial-up router and will be used to run NAT from.
Because this configuration uses the defaultnapt map, you do not need to
account for the IP addresses that the client's network is using. You
configure the PortMaster 3 as follows:

    add netuser joeuser
    set user joeuser password mysecret
    set user joeuser max 2
    set user joeuser protocol ppp
    set user joeuser destination 192.168.129.130
    set user joeuser local-ip-address 192.168.96.162
    set user joeuser nat outmap defaultnapt outsource

No NAT configuration is required on the dial-up router (client) side.
If the client also wants to run an FTP server with a private IP address
of 192.168.5.1 on his network and have it accessible globally, you can
configure further as follows:

    add map joeuser.inmap
    set map joeuser.inmap 1 stupm 192.168.129.130:ftp 192.168.5.1:ftp
    set user joeuser nat inmap joeuser.inmap outsource


6.  Dial-Out Location using a Dynamic IP Address Basic NAT Map:

Your ISP gives you a small address block (192.168.129.129/29), but you
have more hosts than global IP addresses available. You do not want to
request more global IP addresses because of the added expense. In
addition, because not all workstations use the connection at the same
time, additional addresses would be wasteful. You want to use a dynamic
IP address pool map instead. You configure your PortMaster as follows:

    add map isp.outmap
    set map isp.outmap 1 addressmap 10.1.1.0/24 192.168.129.129/29
    add location isp
    set location isp phone 5558583
    set location isp username mycompany
    set location isp password bigsecret
    set location isp destination negotiated
    set location isp max 2
    set location isp continuous
    set location isp local-ip-address assigned
    set location isp nat outmap isp.outmap


7.  Dial-Out Location Using a Static IP Address Basic NAT Map:

Your ISP gives you an address block (192.168.130.0/24). You can use a
dynamic IP address pool for your workstation IP addresses because they
do not need Internet access at the same time. However, you must give
two of your trusted systems static IP addresses for security
reasons---to perform packet filtering, for example. You configure your
PortMaster as follows:

    add map isp.outmap
    set map isp.outmap 1 addressmap 10.1.1.1 192.168.130.1
    set map isp.outmap 2 addressmap 10.1.1.2 192.168.130.2
    set map isp.outmap 3 addressmap 10.1.0.0/16 192.168.130.3-192.168.130.254
    add location isp
    set location isp phone 5558583
    set location isp username mycompany
    set location isp password bigsecret
    set location isp destination negotiated
    set location isp max 2
    set location isp continuous
    set location isp local-ip-address assigned
    set location isp nat outmap isp.outmap
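The seven examples above are ComOS configuration; to see what the map
entries do to an outbound packet, here is an added Python simulation (not
ComOS code) of outbound map selection for the map types used in examples
2, 6 and 7 and for the session-direction-fail-action described under
"Configuring Locations, Ports, and Users". The names OutboundNat,
pool_addresses and demo are the example's own. Because this release note
does not document the PortMaster's lookup order or pool-selection rules,
the following are assumptions: entries are tried in index order and the
first whose private side contains the source address wins; a dynamic
"addressmap" pool binds each host to its lowest free global address and
keeps that binding; an exhausted pool is counted as an address shortage
(the figure "show nat statistics" reports for IP pools) rather than as a
session-direction failure; and "defaultnapt" uses the port's own address
with a per-session port counter starting at 20001, as in the sample syslog
output later in this note. The demo goes beyond example 6 by running both
the /29 pool and defaultnapt against the same seven hosts, so the pool
exhaustion and the NAPT result can be compared side by side.

```python
"""Simulate ComOS-style outbound NAT map selection (added example, not ComOS code)."""
import ipaddress


def pool_addresses(spec):
    """Expand the global side of an addressmap entry into a list of hosts.

    Accepts one address, a CIDR block (network and broadcast addresses
    excluded for blocks larger than /31) or an explicit 'first-last' range.
    """
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(s) for s in spec.split("-"))
        return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
    net = ipaddress.IPv4Network(spec, strict=False)
    return list(net.hosts()) if net.prefixlen < 31 else list(net)


class OutboundNat:
    """Outbound NAT state for one port (interface, location or user).

    Assumed behaviour (not documented in the release note): entries are
    tried in index order; a dynamic 'addressmap' pool binds a host to its
    lowest free global address and keeps it; an exhausted pool counts as an
    address shortage; 'defaultnapt' uses the port address plus a per-session
    port counter starting at 20001.
    """

    def __init__(self, port_address, fail_action="drop"):
        self.port_address = ipaddress.IPv4Address(port_address)
        self.fail_action = fail_action    # session-direction-fail-action
        self.entries = []                 # (kind, private_net, global_spec)
        self.host_bindings = {}           # (entry_idx, private_ip) -> global_ip
        self.napt_sessions = {}           # (private_ip, sport) -> global port
        self.next_port = 20001
        self.stats = {"translated": 0, "failed": 0, "shortage": 0}

    def add_entry(self, kind, private=None, global_spec=None):
        """kind: 'addressmap' (dynamic pool), 'staticaddressmap' or 'defaultnapt'."""
        pnet = ipaddress.IPv4Network(private, strict=False) if private else None
        self.entries.append((kind, pnet, global_spec))

    def translate(self, src, sport=None):
        """Translate an outbound packet from private src (and port, for NAPT).

        Returns (status, global_ip, global_port); status is 'translated',
        'shortage', or the configured fail action when no entry matches.
        """
        src = ipaddress.IPv4Address(src)
        for idx, (kind, pnet, gspec) in enumerate(self.entries):
            if pnet is not None and src not in pnet:
                continue
            if kind == "defaultnapt":
                key = (src, sport)
                if key not in self.napt_sessions:
                    self.napt_sessions[key] = self.next_port
                    self.next_port += 1
                return self._ok(self.port_address, self.napt_sessions[key])
            if kind == "staticaddressmap":
                gnet = ipaddress.IPv4Network(gspec, strict=False)
                offset = int(src) - int(pnet.network_address)
                return self._ok(gnet.network_address + offset, None)
            key = (idx, src)              # dynamic one-to-one pool
            if key not in self.host_bindings:
                in_use = {g for (i, _), g in self.host_bindings.items() if i == idx}
                free = [g for g in pool_addresses(gspec) if g not in in_use]
                if not free:
                    self.stats["shortage"] += 1
                    self.stats["failed"] += 1
                    return ("shortage", None, None)
                self.host_bindings[key] = free[0]
            return self._ok(self.host_bindings[key], None)
        self.stats["failed"] += 1         # no entry matched: apply fail action
        return (self.fail_action, None, None)

    def _ok(self, gaddr, gport):
        self.stats["translated"] += 1
        return ("translated", str(gaddr), gport)


def demo():
    """Example 6's /29 pool versus defaultnapt for seven hosts on 10.1.1.0/24."""
    pool = OutboundNat("192.168.129.129")
    pool.add_entry("addressmap", "10.1.1.0/24", "192.168.129.129/29")
    pool_results = [pool.translate(f"10.1.1.{i}") for i in range(1, 8)]
    napt = OutboundNat("192.168.129.129")
    napt.add_entry("defaultnapt")
    napt_results = [napt.translate(f"10.1.1.{i}", 34000 + i) for i in range(1, 8)]
    return pool_results, napt_results, pool.stats, napt.stats


if __name__ == "__main__":
    for row in zip(*demo()[:2]):
        print(row)
```

With the /29 pool the seventh host gets no address and the shortage counter
rises, which is the symptom to look for in "show nat statistics" before
deciding, as the note suggests earlier, to reduce the number of translated
hosts or to move some of them to NAPT.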


_______ NAT-Unfriendly Applications

The following applications are considered NAT unfriendly, either
because they embed the IP source and/or destination addresses in the
packet data, are multicast or broadcast based, or rely on end-to-end
node security:

* Multicast-based applications
* Routing protocols RIP and OSPF
* DNS zone transfers
* End-to-end IPSec
* Anything that embeds the IP source and/or destination address(es)
  into the packet data.


_______ Debugging and Troubleshooting Tips

* Verify obvious values like correct IP addresses in map entries.

* Make sure your maps match the flow of the session (inbound or
outbound). Check "show nat sessions" output to make sure the correct
translations are taking place.

* Watch "show nat statistics" output for failed translations that can
indicate incorrect session flow direction and possibly incomplete
maps.

* Watch the source and destination IP addresses of packets going
through the PortMaster. You can find a simple ptrace debug filter for
this purpose in the PortMaster Troubleshooting Guide. If you are
running NAT on your WAN link, look for private IP addresses that are
exiting the ptpXX interface untranslated, which can indicate either a
problem with your NAT maps or that NAT is not active on the port.

* Make sure that you reset the active network interface to make its NAT
configuration take effect. In the case of an Ethernet interface, enter
"reset nat ether0".

* If a location is set to dial-on-demand, you might need to reboot the
PortMaster for configuration changes to take effect.

* If a port loses its network connectivity---the modem drops
carrier---NAT maintains the state of any existing sessions ONLY if the
IP address assigned to the port remains the same.

* Because of the nature of NAT operation, some applications that work
under basic NAT might not work with NAPT. If a particular application
is not working under NAPT, try basic NAT and see if the situation
improves.


_______ Logging Control

You can activate syslog and console logging on a per-port basis to
identify configuration errors and for auditing purposes. Enter the
following command to configure logging of all NAT sessions that fail
for any reason to the PortMaster console:

    set Ether0 | S0 | W1 | location Locname | user Username
        log sessionfail console on

To log to syslog instead, enter "syslog" instead of "sessionfail".

Syslog messages are logged at the priority level shown in "show syslog"
output. If you have not set the PortMaster global option for logging
NAT information to syslog, no logging takes place, regardless of the
logging options configured on any particular port. Lucent recommends
that you log NAT at the same priority as packet filters:

    set syslog nat auth.notice

You can also more selectively do logging for only certain map entries
by appending the "log" keyword at the end of a particular map entry you
want logged. For example:

    set map abc.outmap 1 addressmap 192.168.1.1 172.16.1.1 log

Whenever a session from 192.168.1.1 is successfully translated to the
global IP address 172.16.1.1 via this outbound map, a syslog message
is sent to your loghost.

Here is some sample syslog output:

Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)->
 (192.168.247.6:80) translated to (192.168.129.129:20001)->(192.168.247.6:80)

Mar 24 17:29:23 nat-or NAT: ptp3: Out TCP (192.168.3.1:34178)->
 (192.168.247.6:80) translated to (192.168.129.129:20002)->(192.168.247.6:80)

Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 24 17:30:22 nat-or NAT: ptp3: Out TCP (192.168.3.1:34179)->
 (192.168.247.6:80) translated to (192.168.129.129:20003)->(192.168.247.6:80)

Mar 24 17:34:18 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.

Mar 25 11:02:03 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to (255.255.255.254:20001)->(192.168.65.50:23)

Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to (192.168.129.129:20001)->(192.168.65.50:23)
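The sample above is easier to use for the troubleshooting tips given
earlier if it is reduced to a per-flow summary. Here is an added Python
example (not ComOS code) that rejoins the wrapped syslog lines, parses the
two message forms shown ("translated to ..." and "Xlation failed: ...")
and reports repeated failures of one flow and any translation to
255.255.255.254. The names unwrap, parse, summarize and UNASSIGNED are the
example's own; the embedded SAMPLE is this note's own output. Treating
255.255.255.254 as a global address that had not yet been assigned follows
the Framed-IP-Address convention in the RADIUS profile earlier in this
note, where that value means "address to be assigned".

```python
"""Summarize PortMaster NAT syslog messages per flow (added example, not ComOS code)."""
import re
from collections import Counter

# RADIUS Framed-IP-Address placeholder for "address to be assigned"; a
# translation to it means the port had no negotiated address yet.
UNASSIGNED = "255.255.255.254"

MSG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) NAT: (?P<port>\S+): "
    r"(?P<dir>In|Out) (?P<proto>\w+) \((?P<src>[\d.]+):(?P<sport>\d+)\)->\s*"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\) (?P<rest>.*)$"
)
XLATED_RE = re.compile(
    r"translated to \((?P<gsrc>[\d.]+):(?P<gsport>\d+)\)->"
    r"\((?P<gdst>[\d.]+):(?P<gdport>\d+)\)"
)

# The sample syslog output from the release note, as wrapped by syslog.
SAMPLE = """\
Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)->
 (192.168.247.6:80) translated to (192.168.129.129:20001)->(192.168.247.6:80)
Mar 24 17:29:23 nat-or NAT: ptp3: Out TCP (192.168.3.1:34178)->
 (192.168.247.6:80) translated to (192.168.129.129:20002)->(192.168.247.6:80)
Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
Mar 24 17:30:22 nat-or NAT: ptp3: Out TCP (192.168.3.1:34179)->
 (192.168.247.6:80) translated to (192.168.129.129:20003)->(192.168.247.6:80)
Mar 24 17:34:18 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)->
 (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
Mar 25 11:02:03 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to (255.255.255.254:20001)->(192.168.65.50:23)
Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)->
 (192.168.65.50:23) translated to (192.168.129.129:20001)->(192.168.65.50:23)
"""


def unwrap(text):
    """Rejoin wrapped messages: a continuation line starts with whitespace."""
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and msgs:
            msgs[-1] += line.lstrip()
        else:
            msgs.append(line)
    return msgs


def parse(text):
    """Return one dict per NAT message; lines that do not match are skipped."""
    events = []
    for msg in unwrap(text):
        m = MSG_RE.match(msg)
        if not m:
            continue
        ev = m.groupdict()
        rest = ev.pop("rest")
        hit = XLATED_RE.search(rest)
        if hit:
            ev.update(hit.groupdict())
            ev["ok"] = True
        else:
            ev["ok"] = False
            ev["reason"] = rest.partition(": ")[2] or rest
        events.append(ev)
    return events


def summarize(text):
    """Count translations and failures; flag flows that fail repeatedly
    (a map that does not cover them, or a premature timeout) and any
    translation to the unassigned placeholder address."""
    events = parse(text)
    failures, findings = Counter(), []
    for ev in events:
        flow = f"{ev['src']}:{ev['sport']}->{ev['dst']}:{ev['dport']}"
        if not ev["ok"]:
            failures[flow] += 1
        elif ev["gsrc"] == UNASSIGNED:
            findings.append(f"{ev['ts']} {ev['port']}: {flow} translated to "
                            f"{UNASSIGNED} (port address not yet assigned)")
    return {
        "translated": sum(1 for ev in events if ev["ok"]),
        "failed": sum(1 for ev in events if not ev["ok"]),
        "repeated_failures": {f: n for f, n in failures.items() if n > 1},
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, the same flow from 192.168.3.1:34172 fails four times over
six minutes, which is the pattern the troubleshooting tips describe as a
likely map or session-timeout problem, and the 11:02:03 session was
translated before the port had its negotiated address.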


_______ Debug Commands

The following commands set ComOS debugging options for NAT:

    set debug nat-ftp on | off           Displays FTP payload processing.

    set debug nat-icmp-err on | off      Displays ICMP error payload
                                         processing.

    set debug nat-rt-interface on | off  Displays NAT parameter changes
                                         during interface binding.

    set debug nat-max on | off           Enables full NAT debugging.


_______ Network Diagnostic Tools

Because NAT includes ICMP and UDP translation, the two most common
network diagnostic tools, ping and traceroute, can still be used---with
the following restrictions:

* When using NAPT, you will not be able to run traceroute or ping
inbound to the private hosts because you cannot reach them directly
from the outside.  But you can use the tools in an outbound direction
without any problems.

* When using basic NAT, you can run traceroute and ping inbound but
only if you have an inbound map active. You still must include an entry
for the actual host you are trying to ping or trace routes to. As with
NAPT, you can do all network diagnostics in outbound mode.


_______ References

* draft-ietf-nat-traditional-01.txt, The IP Network Address Translator (NAT)

* RFC 1918, Address Allocation for Private Internets



_______________ Limitations

* Support for the obsolete "True Digital V.34 Card" (MDM-PM3-8 and
MDM-PM3-10) has been removed from this release, except for support of
the V.110 protocol. The "True Digital 56K Card" (MDM-56K-8 and
MDM-56K-10) is still supported.

* Downgrading a PortMaster 3 from ComOS 3.9b8 to a previous release
requires two successful downgrades. After the first successful
downgrade the PortMaster is operational, but without system messages.
The second downgrade applies the system messages.

* The PortMaster 3 can support either the stac compression card or the
IPSec coprocessor card, not both. Both cards use the same interface on
the PortMaster 3 motherboard.

* Neither the Internet Key Exchange (IKE) protocol nor the Internet
Security Association Key Management Protocol (ISAKMP) is supported in
this release.

* IPSec passive profiles are not supported in this release.

* NAT and IPSec cannot be configured to work together on the same port
in this release.

* This release does not support mixing of NFAS and non-NFAS PRIs in the
same chassis. If one line is used for NFAS, the other line must be used
for NFAS or left empty.

* NFAS operates only on National ISDN (NI-2) switch types.

* Configuring NFAS settings on a line that is not configured for ISDN
or unable to perform ISDN functions makes the line behave strangely.

* When you are using NFAS and a problem occurs on the physical PRI line
with the D channel, the line sometimes does not return to service until
you reset the D channel.

* When a PortMaster running NFAS is rebooted, you must sometimes reset
the D channel to return the PRI to service.



_______________ Upgrade Instructions

You can upgrade your PortMaster 3 using PMVision 1.3, or pmupgrade 4.0
from PMTools. Alternatively, you can upgrade using the older programs
pminstall 3.5.3, PMconsole 3.5.3, or PMconsole for Windows 3.5.1.4, or
later releases. You can also upgrade using TFTP with the
"tftp get comos" command from the PortMaster command line interface.

See ftp://ftp.livingston.com/pub/le/software/java/pmvision13.txt for
installation instructions for PMVision 1.3.

*** CAUTION!  If the upgrade fails, do NOT reboot!  Contact
*** Lucent Remote Access Technical Support without rebooting.

The upgrade process on the PortMaster 3 erases the configuration area
from nonvolatile memory and saves the current configuration into
nonvolatile memory. Never interrupt the upgrade process, or loss of
configuration information can result.

WARNING! The amount of NVRAM available for saving configurations has
been reduced from 128KB to 64KB. PortMaster products with configurations
greater than 64KB will lose some of their configuration. For this
reason be sure to backup your PortMaster configuration before
upgrading to this release. You can check the amount of memory used for
your configuration with the "show files" command. Ignore any files that
also include an uncompressed size.

IMPORTANT: Any PortMaster running ComOS 3.9b8 requires 4MB of RAM.
If you are running BGP, 16MB of RAM is required.

The installation software can be retrieved by FTP from
ftp://ftp.livingston.com/pub/le/software/, and the upgrade image
can be found at ftp://ftp.livingston.com/pub/le/upgrades:

ComOS           Upgrade Image   Product
_________       _____________   _____________________________________
3.9b8           pm3_3.9b8       PortMaster 3

________________________________________________________________________

        Copyright and Trademarks

Copyright 1999 Lucent Technologies. All rights reserved.

PortMaster, ComOS, and ChoiceNet are registered trademarks of Lucent
Technologies, Inc. RADIUS ABM, PMVision, IRX, and PortAuthority are
trademarks of Lucent Technologies, Inc. All other marks are the
property of their respective owners.

        Notices

Lucent Technologies, Inc. makes no representations or warranties with
respect to the contents or use of this publication, and specifically
disclaims any express or implied warranties of merchantability or
fitness for any particular purpose. Further, Lucent Technologies, Inc.
reserves the right to revise this publication and to make changes to
its content, any time, without obligation to notify any person or
entity of such revisions or changes.

        Contacting Lucent Remote Access Technical Support

Lucent Technologies Remote Access Business Unit (previously Livingston
Enterprises) provides technical support via voice, fax, electronic
mail, or through the World Wide Web at http://www.livingston.com/.
Specify that you are running ComOS 3.9b8 when reporting problems with
this release.

Internet service providers (ISPs) and other end users in Europe, the
Middle East, Africa, India, and Pakistan should contact their
authorized Lucent Remote Access sales channel partner for technical
support; see http://www.livingston.com/International/EMEA/distributors.html.

For North and South America and Asia Pacific customers, technical
support is available Monday through Friday from 7 a.m. to 5 p.m. U.S.
Pacific Time (GMT -8). Dial 1-800-458-9966 within the United States
(including Alaska and Hawaii), Canada, and the Caribbean, or
1-925-737-2100 from elsewhere, for voice support. Otherwise, fax to
1-925-737-2110, or send email to support@livingston.com
(asia-support@livingston.com for Asia Pacific customers).

