Masquerade (port-mapped) NAT

Port-mapped network address translation (NAT) is a variation of masquerade NAT.

In port-mapped NAT, you can specify both the IP address and the port number to translate. This enables both your internal personal computer and the external workstation to initiate IP traffic. You can use port-mapped NAT if the external workstation (or client) needs to access workstations or systems inside your network. Only IP traffic that matches both the IP address and the port number is allowed to access.

Internal initiation

When the internal personal computer with Address 1: Port 1 initiates traffic to an outside workstation, the translating code will check the NAT rule file for Address 1: Port 1. If both the source IP address (Address 1) and the source port number (Port 1) match the NAT rule, NAT starts the conversation and performs the translation. The specified values from the NAT rule replace the IP source address and source port number. Address 1: Port 1 is replaced with Address 2: Port 2.

External initiation

An external workstation initiates IP traffic with the destination IP address of Address 2. The destination port number is Port 2. The NAT server untranslates the datagram with or without an existing conversation. In other words, NAT automatically creates a conversation if one does not already exist. Address 2: Port 2 is untranslated to Address 1: Port 1.

The following list highlights the features of masquerade port-mapped NAT:

  • Masquerade port-mapped NAT has a one-to-one relationship.
  • Masquerade port-mapped NAT can be initiated by both external and internal networks.
  • The registered address that the private address hides behind must be defined on the IBM® i platform that performs the NAT operations.
  • IP traffic outside of NAT operations cannot use the registered address. However, if this address attempts to use a port number that matches the hidden port in the NAT rule, then the traffic will be translated. The interface will be unusable.
  • Typically the port numbers are mapped to well-known port numbers, so extra information is not necessary. For example, you can run an HTTP server bound to port 5123, then map this to the public IP and port 80. If you want to hide an internal port number behind another (uncommon) port number, the client needs to be physically told the value of the destination port number. If not, it is difficult for communication to occur.
  • You must set MAXCON high enough to accommodate the number of conversations you want to use. For example, if you are using File Transfer Protocol (FTP), your personal computer will have two conversations active. You need to set MAXCON high enough to accommodate multiple conversations for each personal computer. The default value is 128.
  • Masquerade NAT supports only the following protocols: TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
  • Whenever you use NAT, you must enable IP forwarding. Use the Change TCP/IP Attributes (CHGTCPA) command to verify that IP datagram forwarding is set to YES.