Nortel 4134 用户指南
30
Firewall and NAT Fundamentals
NAT failover for firewalls
When you specify the external address for the NAT translation, you can
either specify an IP address or an interface name. If you specify an interface
name for the NAT translation, packets going out through the interface are
translated using the IP address of that interface. However, firewall policies
do not change when an interface goes up or down. As a result, if the NAT
interface goes down, NAT continues to perform the translation of internal
IP addresses to the public IP address of this interface. Therefore, traffic is
blackholed.
either specify an IP address or an interface name. If you specify an interface
name for the NAT translation, packets going out through the interface are
translated using the IP address of that interface. However, firewall policies
do not change when an interface goes up or down. As a result, if the NAT
interface goes down, NAT continues to perform the translation of internal
IP addresses to the public IP address of this interface. Therefore, traffic is
blackholed.
NAT failover provides a solution to this issue by allowing a primary interface
(for example, T1 WAN bundle) using PAT to failover to a backup interface
(for example, PPPoE or ISDN). In this case, when the primary interface
is up, packets going out through the interface are translated using the IP
address of the primary interface. When the primary interface goes down,
the IP address of the backup interface is used for the translations, and the
stale firewall connections are flushed.
(for example, T1 WAN bundle) using PAT to failover to a backup interface
(for example, PPPoE or ISDN). In this case, when the primary interface
is up, packets going out through the interface are translated using the IP
address of the primary interface. When the primary interface goes down,
the IP address of the backup interface is used for the translations, and the
stale firewall connections are flushed.
To enable NAT failover, you must configure a PAT policy specifying the
interface name of the primary interface. You can then specify the primary
and backup interface using the
interface name of the primary interface. You can then specify the primary
and backup interface using the
nat-failover
command.
Scalability
The SR4134 firewall can support the following:
•
64000 concurrent firewall connections system wide
•
25 virtual firewall zones
•
1024 policies per virtual firewall
•
30000 entries in NAT translation table
Interoperability with CS 1000 and MCS 5100 call servers
There are three NAT traversal strategies available for VoIP:
•
Cone NAT with Simple Traversal of UDP Networking (STUN) for CS 1000
•
Application Layer Gateway (ALG) for MCS 5100
•
NAT avoidance (use of VPN or other tunneling)
The following sections provide details on the first two options.
Cone NAT for CS 1000
The Simple Traversal of UDP through NAT (STUN) protocol provides a NAT
traversal strategy for VoIP solutions. STUN allows IP phones behind a NAT
to call each other through a publicly reachable call server (or echo server).
To properly interact with STUN for NAT traversal, you must configure the
NAT as a Cone NAT.
traversal strategy for VoIP solutions. STUN allows IP phones behind a NAT
to call each other through a publicly reachable call server (or echo server).
To properly interact with STUN for NAT traversal, you must configure the
NAT as a Cone NAT.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.