20.1. NAT resource

Abilis implements NAT (Network Address Translation) with PAT (Port Address Translation) and IPACL (IP Access Control List) services.

By properly specifying:

a high level of security is guaranteed.


Abilis is not a firewall! It implements basic firewall functions, but advanced features must be entrusted to a “real” firewall. Abilis and a firewall can coexist without problems.

20.1.1. Frequently used expressions

  • Inside. The set of networks that are subject to translation, usually “private” networks.

  • Outside. All other networks, usually “public” addresses located on the Internet.

  • Inside local IP address. The IP address which was assigned to a host on the inside network.

  • Inside global IP address. The IP address of an inside host as it appears to the outside networks. If, as usual, the outside network is the Internet, the address must be one of the “public” addresses which the ISP has assigned to the user's router for those connections. In the table of NAT Aliases this term is referred to as ANET:.

  • Processed IP packet. A packet whose source or destination address was changed; in some cases the source or destination port was changed too.

  • Ignored IP packet. A packet that was not changed.

  • Static Address Translation. The user can establish a one-to-one mapping between the inside local and global addresses, which happens when the number (netmask) of inside local and global addresses is identical.

  • Dynamic Source Address Translation. The user can establish a dynamic mapping between the inside local and global addresses, which happens when the number (netmask) of inside local and global addresses is different.

  • Port Address Translation (PAT). The user can save addresses in the global address pool by allowing source ports in TCP connections or UDP conversations to be translated. Different local addresses will be mapped to the same global address, with port translation providing the necessary uniqueness for TCP/UDP and other tricks providing uniqueness for ICMP.

  • Extended filtering in PAT mode. The purpose of this feature is to allow a selective activation of the PAT translation based on the destination TCP/UDP port and on the IP protocol, with the result that network managers can strengthen their control of the network by:

    • Granting access only to some services, e.g. web and ftp.

    • Blocking access only to specific services, e.g. realaudio / realvideo servers.

    • Precisely distinguishing inbound connections from outbound ones.

    • Allowing internal users to access ANY service on the Internet while outside users may access only a restricted set.

  • Destination port mapping. This behaviour is very useful in many situations; the most frequent are:

    • The user has just one public IP address and on the internal LAN there are several computers with different IP addresses running different services that must be reached from outside, e.g. FTP, HTTP, SMTP and so on.

    • The user has just one public IP address and on the internal LAN there are several computers with different IP addresses running the same service with different contents, e.g. a commercial web, a technical web, a restricted access web.

20.1.2. Activating the NAT resource

Add the resource to the Abilis system with the command:

[11:01:39] ABILIS_CPX:a res:nat


The NAT resource may already exist in the system, but may not yet be active: set it active with the command:

[11:01:48] ABILIS_CPX:s act res:nat


After adding the NAT resource or setting it active, you must restart the Abilis to make the resource run (use the warm start command to reboot the Abilis).

[11:01:39] ABILIS_CPX:s p nat act:yes


[11:01:39] ABILIS_CPX:d p nat

RES:Nat - Not Saved (SAVE CONF), Not Refreshed (INIT) -------------------------
Run    DESCR:Network_Address_Translator
       LOG:DS             ACT:YES         dimtable:1000
       DNS-ALG:NO         SNMP-ALG:NO     PPTP-ALG:NO         IKE-AWARE:YES
       - Not PAT mode parameters ----------------------------------------------
       - PAT mode parameters --------------------------------------------------
       FRAG:5             ICMP:5          DNS:5    SNMP:5     SNTP:5
       UDP-OPENING:5      UDP-CONN:180
       TCP-OPENING:5      TCP-CONN:360    TCP-CLOSING:15      TCP-CLOSED:1
       TCP-RST:YES        PPTP-CONN:360

20.1.3. NAT resource parameters

Use the following command to display the resource parameters; the command d p nat ? displays the meaning of all parameters.

[11:01:39] ABILIS_CPX:d p nat

RES:Nat -----------------------------------------------------------------------
Run    DESCR:Network_Address_Translator
       LOG:DS             ACT:YES         dimtable:1000
       DNS-ALG:NO         SNMP-ALG:NO     PPTP-ALG:NO         IKE-AWARE:YES
       - Not PAT mode parameters ----------------------------------------------
       - PAT mode parameters --------------------------------------------------
       FRAG:5             ICMP:5          DNS:5    SNMP:5     SNTP:5
       UDP-OPENING:5      UDP-CONN:180
       TCP-OPENING:5      TCP-CONN:360    TCP-CLOSING:15      TCP-CLOSED:1
       TCP-RST:YES        PPTP-CONN:360

Meaning of the most important parameters:

  • Logging functionalities activation/deactivation.

  • NAT runtime activation/deactivation.

  • It specifies how many translations can be created at the same time.

  • Enable/disable DNS Application Level Gateway [NO, YES]

  • Enable/disable SNMP Application Level Gateway [NO, YES]

  • Enable/disable PPTP Application Level Gateway [NO, YES]

  • Enable/disable IKE awareness. Minimise remapping of UDP ports 500 and 4500 [NO, YES]

  • This value sets the timeout of static and dynamic translations, i.e. those created without the PAT mode. If the translation is not used for the specified time (i.e. no packets need it), it times out and is removed from the translation table.

  • Time-out for linkable fragment identifier [1..240 sec]

  • Time-out for ICMP link type [1..240 sec]

  • Time-out for DNS link type [1..240 sec]

  • Time-out for SNMP link type [1..240 sec]

  • Time-out for SNTP link type [1..240 sec]

  • Time-out for UDP links in Opening state [1..240 sec]

  • Time-out for UDP links in Connected state [60..65535 sec]

  • Time-out for TCP links in Opening state [1..240 sec]

  • Time-out for TCP links in Connected state [60..65535 sec]

  • Time-out for TCP links in Closed state [1..240 sec]

  • Enable sending of RESET for expired links [NO, YES]

  • Time-out for PPTP links in Connected state [60..65535 sec]

  • Maximal number of links that the same IP address on the INSIDE interface can open at the same time [NOLIMIT, 1..10000]

  • Maximal number of links that the same IP address on the OUTSIDE interface can open at the same time [NOLIMIT, 1..10000]

  • Maximal number of links that the same IP address on the VPN interface can open at the same time [NOLIMIT, 1..10000]

  • Maximal number of links that the same IP address on the DMZ interface can open at the same time [NOLIMIT, 1..10000]

  • Resync time used for the maximal initiator links procedure [2..30 sec]
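To make the PAT definition above and the link timeouts and limits listed here concrete, the following is an added toy model of a PAT translation table (example code, not the Abilis implementation). It uses the Opening/Connected timeouts and the dimtable value shown in the d p nat output; the inside global address, the port range and the per-inside-address link cap of 50 are constructed assumptions.

```python
from dataclasses import dataclass
# Idle timeouts (seconds) per link state, copied from the "d p nat" output on this page:
# unanswered (Opening) links expire fast, answered (Connected) ones live much longer.
TIMEOUTS = {("udp", "opening"): 5, ("udp", "connected"): 180,
            ("tcp", "opening"): 5, ("tcp", "connected"): 360}
DIMTABLE = 1000            # dimtable: translations that may exist at the same time
MAX_LINKS_INSIDE = 50      # hypothetical per-inside-address cap (page range: NOLIMIT, 1..10000)

@dataclass
class Link:
    proto: str
    inside: tuple          # (inside local IP, source port)
    outside: tuple         # (outside IP, destination port)
    gport: int             # source port as rewritten on the inside global address
    state: str             # "opening" or "connected"
    last_seen: float

class PatTable:
    def __init__(self, global_ip, first_port=10000):
        self.global_ip, self.next_port, self.links = global_ip, first_port, {}

    def outbound(self, proto, inside, outside, now):
        """Inside -> outside packet: create or refresh a link; return (global IP, port) or None."""
        key = (proto, inside, outside)
        link = self.links.get(key)
        if link is None:
            if len(self.links) >= DIMTABLE:
                return None                    # table full: the packet is ignored
            if sum(l.inside[0] == inside[0] for l in self.links.values()) >= MAX_LINKS_INSIDE:
                return None                    # this inside host already holds its quota
            link = self.links[key] = Link(proto, inside, outside, self.next_port, "opening", now)
            self.next_port += 1
        link.last_seen = now
        return (self.global_ip, link.gport)

    def inbound(self, proto, outside, gport, now):
        """Outside -> global packet: only a reply on a known link is translated back."""
        for link in self.links.values():
            if (link.proto, link.outside, link.gport) == (proto, outside, gport):
                link.state, link.last_seen = "connected", now
                return link.inside
        return None                            # unsolicited inbound packet: ignored

    def expire(self, now):
        """Remove links idle longer than the timeout of their current state."""
        dead = [k for k, l in self.links.items() if now - l.last_seen > TIMEOUTS[(l.proto, l.state)]]
        for k in dead:
            del self.links[k]
        return len(dead)
```

Running two UDP probes and answering only one shows the effect of the two timeouts: after 7 seconds the unanswered link is gone while the answered one stays until 180 seconds of silence.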

The following command allows the administrator to change the configuration of the resource:

s p nat parameter:value...


To activate changes made to the uppercase parameters, execute the initialization command init res:nat; to activate changes made to the lowercase parameters, a save conf and an Abilis restart are required (i.e. with the warm start command).