NAT Working Group                                        R. Raghunarayan
INTERNET-DRAFT                                                    N. Pai
Expires May 2003                                     Cisco Systems, Inc.
                                                                R. Rohit
                                                World Wide Packets, Inc.
                                                                 C. Wang
                                                           Bank One Corp
                                                            P. Srisuresh
                                                   Kuokoa Networks, Inc.
                                                           November 2002
Definitions of Managed Objects for Network Address Translators (NAT)
<draft-ietf-nat-natmib-05.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [16].
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This memo defines an SMIv2 Management Information Base (MIB) for
a device implementing traditional NAT [17] function. This may be
used for configuration as well as monitoring of a device capable
of traditional NAT function.
Rohit, Pai, Raghunarayan, Wang, Srisuresh [Page 1]
INTERNET-DRAFT NAT MIB November 2003
Table of Contents
1 Introduction ................................................2
2 The Network Management Framework ............................2
3 Terminology .................................................3
4 Overview ....................................................3
5 Extending this MIB ..........................................7
6 Definitions .................................................8
7 Security Considerations ....................................51
8 References .................................................52
9 Acknowledgements ...........................................53
10 Author's Addresses .........................................53
11 Change History .............................................54
1. Introduction
This memo defines an SMIv2 Management Information Base (MIB) for
a device implementing traditional NAT [17] function. This may be
used for configuration as well as monitoring of a device capable
of traditional NAT function.
2. The Network Management Framework
The SNMP Management Framework presently consists of five major
components:
o An overall architecture, described in RFC 2571 [1].
o Mechanisms for describing and naming objects and events for
the purpose of management. The first version of this Structure
of Management Information (SMI) is called SMIv1 and described
in STD 16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215
[4]. The second version, called SMIv2, is described in STD 58,
RFC 2578 [5], STD 58, RFC 2579 [6] and STD 58, RFC 2580 [7].
o Message protocols for transferring management information.
The first version of the SNMP message protocol is called
SNMPv1 and is described in STD 15, RFC 1157 [8]. A second
version of the SNMP message protocol, which is not an Internet
standards track protocol, is called SNMPv2c and described in
RFC 1901 [9] and RFC 1906 [10]. The third version of the
message protocol is called SNMPv3 and described in RFC 1906
[10], RFC 2572 [11] and RFC 2574 [12].
o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is
described in STD 15, RFC 1157 [8]. A second set of protocol
operations and associated PDU formats is described in RFC 1905
[13].
o A set of fundamental applications described in RFC 2573 [14]
and the view-based access control mechanism described in RFC
2575 [15].
Managed Objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using a subset of Abstract Syntax Notation One (ASN.1)
defined in the SMIv2.
This memo specifies a MIB module that is compliant to the SMIv2. A
MIB conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of
machine readable information is not considered to change the
semantics of the MIB.
3. Terminology
The terminology used throughout this document is mostly as per RFC
2663 [18].
The term NAT is used throughout the document to mean traditional
NAT. Where necessary, NAPT and Basic NAT are used to refer to port
translation and address translation respectively.
The terms public and private are used throughout the document in
the context of networks, while the terms local and global are used
when referring to addresses and ports.
4. Overview
The MIB module has been split into three groups:
o the configuration group,
o the translation group, and
o the statistics group.
The configuration group consists of four tables and seven scalars:
o the interface specific configuration table, which specifies the
nat config parameters for a specific interface.
o the address map table, which is an extension of the per-interface
configuration table, and specifies information required to setup
static/dynamic address and ports maps.
o the protocol specific table, which specifies protocol specific NAT
configuration parameters. The table also provides extensibility
for the configuration of the newer protocols.
Since most protocols e.g. TCP, UDP, ICMP, have idle timeouts as a
common parameter for the configuration, this parameter has been
added to the natConfProtTable. The extension tables, if any, may
add other configuration parameters.
o the tcp nat config table, which specifies tcp related NAT
configuration parameters.
o five protocol specific scalars, specifying the BIND timeout
values for the more common protocols (TCP, UDP and ICMP) and a
generic timeout value that applies to all other protocols
(unless overridden by a protocol specific value in another MIB).
o two scalars used to monitor address thresholds and generate
notifications when the thresholds are crossed.
The translation group, monitoring the dynamic activities of the NAT
device, consists of two scalars and three tables:
o the scalars, natAddrBindNumberOfEntries and
natAddrPortBindNumberOfEntries, hold the number of entries
that currently exist in the Address bind and the Address-Port
bind tables respectively.
o the Address bind table, which holds the currently active
address bindings.
o the Address-Port bind table, which holds the currently active
transport bindings.
o the session table, which holds information regarding active NAT
sessions.
And finally, the statistics group consists of three tables:
o the Protocol stats table, indicating translation statistics
per protocol.
o the Address Map stats table, indicating translation statistics
per address map.
o the Interface stats table, indicating translation statistics
per interface.
There are also two notifications defined in the MIB:
o natAddressUseRising notifies the end user/manager of the address
usage exceeding a pre-defined threshold.
o natPacketDiscard notifies the end user/manager of packets being
discarded due to lack of address mappings.
4.1 Relation between the NAT configuration tables
The association between the various configuration tables can be
represented as follows:
         per interface config (global config parameters)
                  |
                  |
                  | . . . . . . . . . . . . .
                  |                         .   [optional linkage]
                  |                         .
                  |                         .
            address map               protocol config
Every interface nat config is associated with a set of global
(TCP, UDP and ICMP) config parameters, represented by the five
protocol specific scalars, and an address map (via
natConfAddrMapConfigName).
If deemed required (and supported by the implementation), the
administrator may hook up a different set of (TCP, UDP and/or
ICMP) configuration parameters with a specific interface. This
configuration overrides the global configuration (mentioned above).
This linkage is provided via the natConfProtConfigName, which
links this interface with an entry in the protocol config table
(natConfProtTable).
4.2 Relation between the translation and the configuration tables
The association between the configuration and the translation
tables can be represented as follows.
                          Address map
                               |
                               |
                               |
              ----------------------------------------------
              |                                            |
              |                                            |
              |                                            |
         Address Bind                             Address Port Bind
              |                                            |
              |                                            |
              |                                            |
              ----------------------------------------------
                               |
                               |
                               |
                            Session
Every bind, address as well as address-port bind, is derived
from an address map. The natAddrBindAddrMapName and
natAddrPortBindAddrMapName objects provide the linkage between
the bind and the address map it has been derived from.
On the other hand, every NAT session is derived from a bind,
address or address-port bind. The natSessionBindId and the
natSessionSecondBindId objects represent this linkage.
4.3 Configuration via the MIB
Entries in the Address Bind and Address-Port Bind tables are
derived from the address map table. An entry MUST, therefore,
not exist in the Address Bind or Address-Port Bind table
without an associated entry in the Address Map table.
Likewise, the session entries are derived from the Binds, and
an entry MUST not exist in the Session table without a
corresponding Bind table entry.
A Management station may use the following steps to configure
entries in the NAT-MIB:
- Create an entry in the natConfTable, specifying the value of
natConfInterfaceIndex as the interface index of the interface on
which NAT is being configured. Specify appropriate values, as
applicable, for the other objects in the table, e.g.
natConfInterfaceRealm and natConfServiceType.
- Create an address map entry in the natConfAddrMapTable, and
set natConfAddrMapConfigName to the name of the address map
entry created.
- If NAT is being configured for a new protocol which is not
listed in the NATProtocolType TEXTUAL-CONVENTION, the Management
Station should follow the instructions in the "Extending this
MIB" section of this document.
To configure NAT for a protocol currently listed in the
NATProtocolType TEXTUAL-CONVENTION, the management station can
either set the protocol specific scalars or create an entry in
the natConfProtTable. The natConfProtSpecName in the
natConfProtEntry can further point to the natConfProtType
specific parameters.
- If the management station creates an entry in the
natConfProtTable, then it should set natConfProtConfigName
to natConfProtName of the natConfProtEntry.
- Setting the natConfStatus to 'active'(1) will enable
nat on the interface. Note that the associated entries in the
natConfAddrMapTable and natConfProtTable (if any) must also
be made active.
- The Address Bind and Address-Port Bind tables will have entries
created as a result of this NAT configuration. A Management Station
may also, if deemed necessary, create Address Bind or Address-Port
Bind entries itself and link those entries to the appropriate
configured address map.
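The following is an added example (Python, not part of this draft)
that checks the two MUST constraints of this section against a
constructed snapshot of the address map, bind and session tables,
together with the natAddrBindNumberOfEntries and
natAddrPortBindNumberOfEntries scalars of section 4. The bind tables'
index name ('bindId') and the treatment of a zero
natSessionSecondBindId as "no second bind" are assumptions, since
those table definitions are not part of this excerpt.

```python
"""Referential checks for the NAT-MIB translation group.

Added example, not part of the draft.  Sections 4.2 and 4.3 require that
every Address Bind / Address-Port Bind row is derived from an address map
(natAddrBindAddrMapName / natAddrPortBindAddrMapName) and that every
session is derived from a bind (natSessionBindId, natSessionSecondBindId).
Assumptions: bind rows are keyed by a 'bindId' integer, a
natSessionSecondBindId of 0 means 'no second bind', and all rows below
are constructed; the bind and session tables are not in this excerpt.
"""
from dataclasses import dataclass, field


@dataclass
class TranslationSnapshot:
    """One SNMP poll of the tables the checks relate."""
    natConfAddrMapTable: set                 # natConfAddrMapName values
    natAddrBindTable: dict = field(default_factory=dict)      # bindId -> row
    natAddrPortBindTable: dict = field(default_factory=dict)  # bindId -> row
    natSessionTable: dict = field(default_factory=dict)       # id -> row
    natAddrBindNumberOfEntries: int = 0
    natAddrPortBindNumberOfEntries: int = 0


def check_translation_group(snap: TranslationSnapshot) -> list:
    """Return one message per violated MUST; an empty list means consistent."""
    bad = []
    # 1. A bind MUST NOT exist without its address map (section 4.3).
    for table, col in (("natAddrBindTable", "natAddrBindAddrMapName"),
                       ("natAddrPortBindTable", "natAddrPortBindAddrMapName")):
        for bind_id, row in getattr(snap, table).items():
            if row[col] not in snap.natConfAddrMapTable:
                bad.append(f"{table}[{bind_id}]: {col}={row[col]!r} "
                           "names no natConfAddrMapTable entry")
    # 2. A session MUST NOT exist without its bind(s) (section 4.3).
    bind_ids = set(snap.natAddrBindTable) | set(snap.natAddrPortBindTable)
    for sid, row in snap.natSessionTable.items():
        for col in ("natSessionBindId", "natSessionSecondBindId"):
            ref = row.get(col, 0)           # 0: no second bind (assumption)
            if ref and ref not in bind_ids:
                bad.append(f"natSessionTable[{sid}]: {col}={ref} names no bind")
    # 3. The entry-count scalars (section 4) must match the rows present.
    for scalar, table in (("natAddrBindNumberOfEntries", "natAddrBindTable"),
                          ("natAddrPortBindNumberOfEntries", "natAddrPortBindTable")):
        claimed, present = getattr(snap, scalar), len(getattr(snap, table))
        if claimed != present:
            bad.append(f"{scalar}={claimed} but {table} has {present} rows")
    return bad


# Constructed snapshot: bind 2 and session 101 are orphans, and the
# Address-Port bind counter disagrees with the single row present.
SAMPLE_SNAPSHOT = TranslationSnapshot(
    natConfAddrMapTable={"Map A"},
    natAddrBindTable={1: {"natAddrBindAddrMapName": "Map A"},
                      2: {"natAddrBindAddrMapName": "Map Z"}},
    natAddrPortBindTable={10: {"natAddrPortBindAddrMapName": "Map A"}},
    natSessionTable={100: {"natSessionBindId": 1},
                     101: {"natSessionBindId": 7},
                     102: {"natSessionBindId": 10, "natSessionSecondBindId": 1}},
    natAddrBindNumberOfEntries=2,
    natAddrPortBindNumberOfEntries=3,
)
```

Run against a real poll, an empty result means the agent's translation
tables satisfy the constraints; each message names the offending row and
column.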
5. Extending this MIB
The NAT MIB has currently been defined to support only TCP, UDP and
ICMP as protocols. There are, though, points in the MIB to hook in
support for other protocols in the future.
The following protocol specific information, identified so far,
could require protocol specific extensions to this MIB:
o Each protocol could support its set of timers and/or other protocol
specific configuration parameters for operation with NAT.
o Statistics could be maintained per protocol, and type of
statistics could be protocol specific.
To support the first requirement, the natConfTable consists of a
pointer (natConfProtConfigName) to a protocol configuration table,
natConfProtTable. The natConfProtTable consists of a pointer
(natConfProtSpecName) into a protocol specific configuration table.
The protocol specific configuration table can be used to
configure/retrieve protocol specific configuration parameters
pertaining to a NAT configuration. The natConfTcpTable, defined in
this mib module, is an example of a protocol specific configuration
table, which allows varying the TCP negotiation timeout for NAT.
To represent the configuration with an example, assume the existence
of the following row in the natConfTable, which contains a pointer to
a row in the protocol configuration table:
natConfInterfaceIndex = 1
natConfInterfaceRealm = private (1)
natConfServiceType = basicNat (1)
natConfProtConfigName = "Protocol Config 1"
natConfStorageType = nonVolatile (3)
natConfStatus = active (1)
The following row in natConfProtTable would contain a pointer to a row
in the TCP specific configuration table:
natConfProtName = "Protocol Config 1"
natConfProtType = tcp (5)
natConfProtSpecName = "TCP Config 1"
natConfProtIdleTimeout = 86400
natConfProtRowStatus = active (1)
And finally the following row in the TCP specific configuration table
would complete the TCP specific configuration:
natConfTcpName = "TCP Config 1"
natConfTcpNegTimeout = 120
natConfTcpRowStatus = active (1)
If a new protocol FOO needs to be supported, a new protocol specific
configuration table could be defined in a FOO-NAT-MIB, with the index
of the table being an SnmpAdminString that is referenced via
natConfProtSpecName in natConfProtTable. The protocol specific
configuration parameters could be defined in this table, and linked to
a NAT configuration by the aforementioned mechanism.
The natProtocolStatsTable, on the other hand, represents statistics on
a per protocol basis, where the protocol is one of those defined in
the NATProtocolType textual convention. Only the basic per protocol
statistics are represented via the NAT MIB. If any further protocol
specific statistics need to be defined, they could be defined via
protocol specific statistics objects/table in the protocol specific
mib.
For example, if a protocol FOO needs a counter that represents the
packets rejected due to some event foobar, it would define a protocol
specific object fooNatFoobarReject in the FOO-NAT-MIB.
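As an added example (Python, not part of this draft), the following
walks the natConfTable -> natConfProtTable -> natConfTcpTable linkage
of sections 4.1, 4.3 and 5 to compute the timeouts that actually apply
to a protocol on an interface, falling back to the global
natConf*DefIdleTimeout scalars where no active protocol specific row
exists, and lists pointers that name no row. The rows are constructed
in memory; interface 1 carries the example values of this section.

```python
"""Resolve effective NAT timeouts from NAT-MIB configuration rows.

Added example, not part of the draft.  It follows the linkage of
sections 4.1, 4.3 and 5:
    natConfTable --natConfProtConfigName--> natConfProtTable
                 --natConfProtSpecName-->   natConfTcpTable
and falls back to the global natConf*DefIdleTimeout scalars where no
active protocol specific row applies.  All rows are constructed.
"""
from dataclasses import dataclass

ACTIVE = 1  # RowStatus active(1)


@dataclass
class Scalars:
    # Global (per-box) timeout scalars, initialised to the draft's DEFVALs.
    natConfUdpDefIdleTimeout: int = 300
    natConfIcmpDefIdleTimeout: int = 300
    natConfOtherDefIdleTimeout: int = 60
    natConfTcpDefIdleTimeout: int = 86400
    natConfTcpDefNegTimeout: int = 60

    def idle_timeout(self, proto: str) -> int:
        # Anything not listed in NATProtocolType is treated as 'other'.
        return {"tcp": self.natConfTcpDefIdleTimeout,
                "udp": self.natConfUdpDefIdleTimeout,
                "icmp": self.natConfIcmpDefIdleTimeout,
                }.get(proto, self.natConfOtherDefIdleTimeout)


@dataclass
class NatMibConfig:
    scalars: Scalars
    natConfTable: dict      # natConfInterfaceIndex -> row
    natConfProtTable: dict  # (natConfProtName, natConfProtType) -> row
    natConfTcpTable: dict   # natConfTcpName -> row


def effective_timeouts(cfg: NatMibConfig, if_index: int, proto: str) -> dict:
    """Return {'idle': seconds, 'neg': seconds or None} for proto on if_index.

    An active natConfProtTable row (plus, for TCP, its active natConfTcpTable
    row) overrides the global scalars; rows not active(1) do not count.
    """
    conf = cfg.natConfTable[if_index]  # KeyError: NAT not configured here
    if conf["natConfStatus"] != ACTIVE:
        raise ValueError(f"natConfStatus not active(1) on ifIndex {if_index}")
    idle = cfg.scalars.idle_timeout(proto)
    neg = cfg.scalars.natConfTcpDefNegTimeout if proto == "tcp" else None

    name = conf["natConfProtConfigName"]
    prot = cfg.natConfProtTable.get((name, proto)) if name else None
    if prot is None or prot["natConfProtRowStatus"] != ACTIVE:
        return {"idle": idle, "neg": neg}  # DEFVAL ''H or no row for proto
    idle = prot["natConfProtIdleTimeout"]
    if proto == "tcp" and prot["natConfProtSpecName"]:
        tcp = cfg.natConfTcpTable.get(prot["natConfProtSpecName"])
        if tcp is not None and tcp["natConfTcpRowStatus"] == ACTIVE:
            neg = tcp["natConfTcpNegTimeout"]
    return {"idle": idle, "neg": neg}


def dangling_pointers(cfg: NatMibConfig) -> list:
    """Report pointer values that name no row in the table they point into.

    Activating natConfStatus before the rows it points to exist (the step
    order of section 4.3) leaves exactly these behind.
    """
    found = []
    prot_names = {name for (name, _) in cfg.natConfProtTable}
    for if_index, row in cfg.natConfTable.items():
        name = row["natConfProtConfigName"]
        if name and name not in prot_names:
            found.append(("natConfTable", if_index, "natConfProtConfigName", name))
    for key, row in cfg.natConfProtTable.items():
        spec = row["natConfProtSpecName"]
        if key[1] == "tcp" and spec and spec not in cfg.natConfTcpTable:
            found.append(("natConfProtTable", key, "natConfProtSpecName", spec))
    return found


# Constructed sample (only the columns the functions read): interface 1 is
# the section 5 example, interface 2 relies on the global scalars and
# interface 3 points at a natConfProtTable set that does not exist.
SAMPLE_CONFIG = NatMibConfig(
    scalars=Scalars(),
    natConfTable={
        1: {"natConfProtConfigName": "Protocol Config 1", "natConfStatus": ACTIVE},
        2: {"natConfProtConfigName": "", "natConfStatus": ACTIVE},
        3: {"natConfProtConfigName": "Missing Config", "natConfStatus": ACTIVE},
    },
    natConfProtTable={
        ("Protocol Config 1", "tcp"): {"natConfProtSpecName": "TCP Config 1",
                                       "natConfProtIdleTimeout": 86400,
                                       "natConfProtRowStatus": ACTIVE},
    },
    natConfTcpTable={
        "TCP Config 1": {"natConfTcpNegTimeout": 120, "natConfTcpRowStatus": ACTIVE},
    },
)
```

For interface 1 TCP this yields the section 5 values (idle 86400,
negotiation 120), while UDP on the same interface, having no row in
the "Protocol Config 1" set, keeps the 300 second default.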
6. Definitions
NAT-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY,
OBJECT-TYPE,
Integer32,
Unsigned32,
Gauge32,
Counter32,
TimeTicks,
mib-2,
NOTIFICATION-TYPE
FROM SNMPv2-SMI
MODULE-COMPLIANCE,
NOTIFICATION-GROUP,
OBJECT-GROUP
FROM SNMPv2-CONF
StorageType,
RowStatus
FROM SNMPv2-TC
InterfaceIndex
FROM IF-MIB
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB
InetAddressType,
InetAddress
FROM INET-ADDRESS-MIB
NATProtocolType
FROM NAT-TC;
natMIB MODULE-IDENTITY
LAST-UPDATED "200211030000Z"
ORGANIZATION "IETF NAT Working Group"
CONTACT-INFO
" Rohit
World Wide Packets
115 North Sullivan Road
Veradale, Spokane, WA 99037
Phone: +1 509 242 9320
Email: Rohit.Rohit@worldwidepackets.com
Nalinaksh Pai
Cisco Systems, Inc.
Prestige Waterford
No. 9, Brunton Road
Bangalore - 560 025
India
Phone: +91 80 532 1300
Email: npai@cisco.com
Rajiv Raghunarayan
Cisco Systems Inc.
170 West Tasman Drive
San Jose, CA 95134
Phone: +1 408 853 9612
Email: raraghun@cisco.com
Cliff Wang
Information Security
Bank One Corp
1111 Polaris Pkwy
Columbus, OH 43240
Phone: +1 614 213 6117
Email: cliffwang2000@yahoo.com
P. Srisuresh
Kuokoa networks
475 Potrero Ave.
Sunnyvale, CA 94085
Phone: +1 408 962 3709
Email: srisuresh@yahoo.com
"
DESCRIPTION
"This MIB module defines the generic managed objects
for NAT."
REVISION "200211030000Z" -- 3rd Nov. 2002
DESCRIPTION
"This revision addresses the comments raised by the
MIDCOM Working Group."
REVISION "200206140000Z" -- 14th June 2002
DESCRIPTION
"This MIB module addresses the smilint warnings found
in the IETF MIB Module Validation."
REVISION "200202070000Z" -- 7th Feb. 2002
DESCRIPTION
"Merged the Config and Interface specific Tables.
Added the ability for the Management Station to
create/destroy nat address binds and sessions."
REVISION "200111090000Z" -- 9th Nov. 2001
DESCRIPTION
"Merged the Static and Dynamic addr Tables.
Protocol specific extensibility added."
REVISION "200109100000Z" -- 10th Sep. 2001
DESCRIPTION
"Notifications added."
REVISION "200103010000Z" -- 1st Mar. 2001
DESCRIPTION
"Initial version of this MIB module."
::= { mib-2 xx } -- xx to be assigned by RFC-editor.
natMIBObjects OBJECT IDENTIFIER ::= { natMIB 1 }
--
-- The Groups
-- o natConfig - Pertaining to NAT configuration information
-- o natTranslation - Pertaining to the NAT BINDs/sessions.
-- o natStatistics - NAT statistics, other than those maintained
-- by the Bind and Session tables.
--
natConfig OBJECT IDENTIFIER ::= { natMIBObjects 1 }
natTranslation OBJECT IDENTIFIER ::= { natMIBObjects 2 }
natStatistics OBJECT IDENTIFIER ::= { natMIBObjects 3 }
--
-- The Configuration Group
-- The per-interface NAT Configuration Table
--
natConfTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatConfEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table specifies the configuration attributes for a
device supporting NAT function."
::= { natConfig 1 }
natConfEntry OBJECT-TYPE
SYNTAX NatConfEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry in the natConfTable holds a set of
configuration parameters regarding the interface
on which NAT is enabled."
INDEX { natConfInterfaceIndex }
::= { natConfTable 1 }
NatConfEntry ::= SEQUENCE {
natConfInterfaceIndex InterfaceIndex,
natConfInterfaceRealm INTEGER,
natConfServiceType BITS,
natConfAddrMapConfigName SnmpAdminString,
natConfProtConfigName SnmpAdminString,
natConfStorageType StorageType,
natConfStatus RowStatus
}
natConfInterfaceIndex OBJECT-TYPE
SYNTAX InterfaceIndex
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The ifIndex of the interface on which NAT is enabled."
::= { natConfEntry 1 }
natConfInterfaceRealm OBJECT-TYPE
SYNTAX INTEGER {
private (1),
public (2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object identifies whether this interface is
connected to the private or the public realm."
DEFVAL { public }
::= { natConfEntry 2 }
natConfServiceType OBJECT-TYPE
SYNTAX BITS {
basicNat (0),
napt (1),
bidirectionalNat (2),
twiceNat (3),
multihomedNat (4)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An indication of the direction in which new sessions
are permitted and the extent of translation done within
the IP and transport headers."
::= { natConfEntry 3 }
natConfAddrMapConfigName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object selects a set of address maps defined in
the natConfAddrMapTable. The selected set of address maps
is defined by the entries in the natConfAddrMapTable whose
index value (natConfAddrMapName) is equal to this object."
DEFVAL { ''H }
::= { natConfEntry 4 }
natConfProtConfigName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The index pointing to a set of protocol related
NAT parameters in the natConfProtTable.
This object is used to point to protocol specific
configuration that overrides any global (per-box)
settings."
DEFVAL { ''H }
::= { natConfEntry 5 }
natConfStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this conceptual row."
REFERENCE
"Textual Conventions for SMIv2, Section 2."
DEFVAL { nonVolatile }
::= { natConfEntry 6 }
natConfStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row."
::= { natConfEntry 7 }
--
-- The Address Map Table
--
natConfAddrMapTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatConfAddrMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists address map configuration for NAT."
::= { natConfig 2 }
natConfAddrMapEntry OBJECT-TYPE
SYNTAX NatConfAddrMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This entry represents an address map to be used for
NAT, and contributes to the dynamic and/or static
address mapping tables of the NAT device."
INDEX { natConfAddrMapName, natConfAddrMapIndex }
::= { natConfAddrMapTable 1 }
NatConfAddrMapEntry ::= SEQUENCE {
natConfAddrMapName SnmpAdminString,
natConfAddrMapIndex Integer32,
natConfAddrMapEntryType INTEGER,
natConfAddrMapDirection INTEGER,
natConfLocalAddrType InetAddressType,
natConfLocalAddrFrom InetAddress,
natConfLocalAddrTo InetAddress,
natConfLocalPortFrom Integer32,
natConfLocalPortTo Integer32,
natConfGlobalAddrType InetAddressType,
natConfGlobalAddrFrom InetAddress,
natConfGlobalAddrTo InetAddress,
natConfGlobalPortFrom Integer32,
natConfGlobalPortTo Integer32,
natConfProtocol BITS,
natConfAddrMapStorageType StorageType,
natConfAddrMapStatus RowStatus
}
natConfAddrMapName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Name identifying a set of entries in this table.
The combination of natConfAddrMapName and
natConfAddrMapIndex uniquely identifies
an entry in this table."
::= { natConfAddrMapEntry 1 }
natConfAddrMapIndex OBJECT-TYPE
SYNTAX Integer32 (1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Along with natConfAddrMapName, this object uniquely
identifies an entry in the natConfAddrMapTable.
Address map entries are applied in the order
specified by natConfAddrMapIndex."
::= { natConfAddrMapEntry 2 }
natConfAddrMapEntryType OBJECT-TYPE
SYNTAX INTEGER {
static (1),
dynamic (2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This config parameter can be used to set up static
or dynamic address maps."
::= { natConfAddrMapEntry 3 }
natConfAddrMapDirection OBJECT-TYPE
SYNTAX INTEGER {
inbound (1),
outbound (2),
both (3)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Address (and Transport-ID) maps may be defined for
both inbound and outbound direction.
Outbound address map refers to mapping a selected set of
addresses from private realm to a selected set of
addresses in public realm, whereas inbound address map
refers to mapping a set of addresses from the public
realm to private realm."
::= { natConfAddrMapEntry 4 }
natConfLocalAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the address type used for
natConfLocalAddrFrom and natConfLocalAddrTo."
::= { natConfAddrMapEntry 5 }
natConfLocalAddrFrom OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the first IP address of the range
of IP addresses mapped by this translation entry."
::= { natConfAddrMapEntry 6 }
natConfLocalAddrTo OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the last IP address of the range of
IP addresses mapped by this translation entry. If only
a single address is being mapped, the value of this object
is equal to the value of natConfLocalAddrFrom. For a
static NAT, the number of addresses in the range defined
by natConfLocalAddrFrom and natConfLocalAddrTo should be
equal to the number of addresses in the range defined by
natConfGlobalAddrFrom and natConfGlobalAddrTo."
::= { natConfAddrMapEntry 7 }
natConfLocalPortFrom OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If this conceptual row describes a Basic NAT address
mapping, then the value of this object is 0. If this
conceptual row describes NAPT, then the value of this
object specifies the first port number in the range of
ports being mapped.
If the translation specifies a single port, then
the value of this object is equal to the value of
natConfLocalPortTo."
::= { natConfAddrMapEntry 8 }
natConfLocalPortTo OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If this conceptual row describes a Basic NAT address
mapping, then the value of this object is 0. If this
conceptual row describes NAPT, then the value of this
object specifies the last port number in the range of
ports being mapped.
If the translation specifies a single port, then the
value of this object is equal to the value of
natConfLocalPortFrom."
::= { natConfAddrMapEntry 9 }
natConfGlobalAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the address type used for
natConfGlobalAddrFrom."
::= { natConfAddrMapEntry 10 }
natConfGlobalAddrFrom OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the first IP address of the range of
IP addresses being mapped to."
::= { natConfAddrMapEntry 11 }
natConfGlobalAddrTo OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the last IP address of the range of
IP addresses being mapped to. If only a single address is
being mapped to, the value of this object is equal to the
value of natConfGlobalAddrFrom. For a static NAT, the
number of addresses in the range defined by
natConfGlobalAddrFrom and natConfGlobalAddrTo should be
equal to the number of addresses in the range defined by
natConfLocalAddrFrom and natConfLocalAddrTo."
::= { natConfAddrMapEntry 12 }
natConfGlobalPortFrom OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If this conceptual row describes a Basic NAT address
mapping, then the value of this object is 0. If this
conceptual row describes NAPT, then the value of this
object specifies the first port number in the range of
ports being mapped to. If the translation specifies a
single port, then the value of this object is equal to
the value of natConfGlobalPortTo."
::= { natConfAddrMapEntry 13 }
natConfGlobalPortTo OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If this conceptual row describes a Basic NAT address
mapping, then the value of this object is 0. If this
conceptual row describes NAPT, then the value of this object
specifies the last port number in the range of ports
being mapped to. If the translation specifies a single port,
then the value of this object is equal to the value of
natConfGlobalPortFrom."
::= { natConfAddrMapEntry 14 }
natConfProtocol OBJECT-TYPE
SYNTAX BITS {
other (0),
icmp (1),
udp (2),
tcp (3)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies a protocol identifier."
::= { natConfAddrMapEntry 15 }
natConfAddrMapStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this conceptual row."
REFERENCE
"Textual Conventions for SMIv2, Section 2."
DEFVAL { nonVolatile }
::= { natConfAddrMapEntry 16 }
natConfAddrMapStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row."
::= { natConfAddrMapEntry 17 }
--
-- UDP related NAT configuration
--
natConfUdpDefIdleTimeout OBJECT-TYPE
SYNTAX Integer32 (0..2147483647)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default UDP idle timeout parameter. This applies
to all NAT configuration unless overridden by a more
specific value in the natConfProtTable."
DEFVAL { 300 }
::= { natConfig 3 }
--
-- ICMP related NAT configuration
--
natConfIcmpDefIdleTimeout OBJECT-TYPE
SYNTAX Integer32 (0..2147483647)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default ICMP idle timeout parameter. This applies to
all NAT configuration unless overridden by a more
specific value in the natConfProtTable."
DEFVAL { 300 }
::= { natConfig 4 }
--
-- Other protocol parameters
--
natConfOtherDefIdleTimeout OBJECT-TYPE
SYNTAX Integer32 (0..2147483647)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default idle timeout parameter for protocols
represented by the value other (2) in NATProtocolType.
This applies to all NAT configuration unless overridden
by a more specific value in the natConfProtTable."
DEFVAL { 60 }
::= { natConfig 5 }
--
-- TCP related NAT configuration
--
natConfTcpDefIdleTimeout OBJECT-TYPE
SYNTAX Integer32 (0..2147483647)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default TCP idle timeout parameter. This applies to
all NAT configuration unless overridden by a more
specific value in the natConfProtTable."
DEFVAL { 86400 }
::= { natConfig 6 }
natConfTcpDefNegTimeout OBJECT-TYPE
SYNTAX Integer32 (0..2147483647)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default interval of time for which a TCP protocol
session is allowed to remain valid without any
activity. This timeout value applies to a TCP session
during its establishment and termination phases.
This value is taken into account in the absence of a
more specific natConfTcpNegTimeout defined in the
natConfTcpTable."
DEFVAL { 60 }
::= { natConfig 7 }
--
-- NAT per protocol config table.
--
natConfProtTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatConfProtEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table holds pointers to protocol specific parameters
required by NAT."
::= { natConfig 8 }
natConfProtEntry OBJECT-TYPE
SYNTAX NatConfProtEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry in natConfProtTable points to a protocol
specific table which holds parameters that are required
for NAT configuration."
INDEX { natConfProtName, natConfProtType }
::= { natConfProtTable 1 }
NatConfProtEntry ::= SEQUENCE {
natConfProtName SnmpAdminString,
natConfProtType NATProtocolType,
natConfProtSpecName SnmpAdminString,
natConfProtIdleTimeout Integer32,
natConfProtRowStatus RowStatus
}
natConfProtName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Name identifying a set of entries in this table that
point to protocol specific NAT configuration. The
combination of natConfProtName and natConfProtType
uniquely identifies an entry in this table."
::= { natConfProtEntry 1 }
natConfProtType OBJECT-TYPE
SYNTAX NATProtocolType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Identifies the protocol type.
natConfProtSpecName points to an entry in the protocol
specific table. For example, if natConfProtType is set to
'tcp', natConfProtSpecName points to an entry in the
natConfTcpTable."
::= { natConfProtEntry 2 }
natConfProtSpecName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Index of an entry in the protocol specific table
identified by natConfProtType."
::= { natConfProtEntry 3 }
natConfProtIdleTimeout OBJECT-TYPE
SYNTAX Integer32 (0..2147483647)
UNITS "seconds"
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The interval of time for which the protocol session,
associated with the protocol represented by
natConfProtType, is allowed to remain valid without
any activity."
DEFVAL { 86400 }
::= { natConfProtEntry 4 }
natConfProtRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row."
::= { natConfProtEntry 5 }
natConfTcpTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatConfTcpEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table holds TCP related NAT configuration entries
which are pointed to by entries in the natConfProtTable
having a natConfProtType of 'tcp'."
::= { natConfig 9 }
natConfTcpEntry OBJECT-TYPE
SYNTAX NatConfTcpEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry contains TCP related NAT parameters. An entry
in this table is pointed to by an entry in the
natConfProtTable."
INDEX { natConfTcpName }
::= { natConfTcpTable 1 }
NatConfTcpEntry ::= SEQUENCE {
natConfTcpName SnmpAdminString,
natConfTcpNegTimeout Integer32,
natConfTcpRowStatus RowStatus
}
natConfTcpName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Uniquely identifies an entry in this table."
::= { natConfTcpEntry 1 }
natConfTcpNegTimeout OBJECT-TYPE
SYNTAX Integer32 (0..2147483647)
UNITS "seconds"
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The interval of time for which a TCP protocol session,
associated with this configuration, is allowed to remain
valid without any activity. This timeout value applies
to a TCP session during its establishment and termination
phases."
DEFVAL { 60 } -- 1 minute
::= { natConfTcpEntry 2 }
natConfTcpRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row."
::= { natConfTcpEntry 3 }
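The following Python script is an added illustration and is not part of
this memo. It shows how an agent (or an operator reading the tables) picks
the timeout that governs a session from the objects defined above:
natConfTcpNegTimeout (or natConfTcpDefNegTimeout) for TCP in its
establishment and termination phases, natConfProtIdleTimeout otherwise,
with the natConf*DefIdleTimeout scalars as the fallback; and how to compare
that value against natSessionCurrentIdletime, which is expressed in
TimeTicks rather than seconds. Object names are taken from the MIB; the
table rows, the TCP phase labels and the default scalar values are
constructed for the example.

```python
# Added illustration, not part of this memo: choosing the idle timeout that
# governs a NAT session from the natConfig objects, and testing whether the
# session has idled out. MIB object names are real; table contents, the TCP
# phase labels and the natConf*DefIdleTimeout values are constructed.
from typing import Dict, Tuple

# natConfProtTable, INDEX { natConfProtName, natConfProtType }, holding
# (natConfProtSpecName, natConfProtIdleTimeout in seconds) per row.
PROT_TABLE: Dict[Tuple[str, str], Tuple[str, int]] = {
    ("branch", "tcp"): ("tcp-fast", 3600),   # constructed row
    ("branch", "udp"): ("", 300),            # constructed row
}

# natConfTcpTable, INDEX { natConfTcpName } -> natConfTcpNegTimeout (seconds).
TCP_TABLE: Dict[str, int] = {"tcp-fast": 30}  # constructed row

# Scalars. natConfTcpDefNegTimeout has DEFVAL 60 in the memo; the per-protocol
# default idle timeouts are assumed values for this example.
DEFAULTS: Dict[str, int] = {
    "natConfTcpDefNegTimeout": 60,
    "natConfTcpDefIdleTimeout": 86400,   # assumed
    "natConfUdpDefIdleTimeout": 300,     # assumed
    "natConfIcmpDefIdleTimeout": 60,     # assumed
    "natConfOtherDefIdleTimeout": 60,    # assumed
}

DEFAULT_BY_PROTOCOL = {
    "tcp": "natConfTcpDefIdleTimeout",
    "udp": "natConfUdpDefIdleTimeout",
    "icmp": "natConfIcmpDefIdleTimeout",
}


def idle_timeout(prot_name: str, protocol: str,
                 tcp_phase: str = "established") -> int:
    """Idle timeout in seconds for a session of `protocol` under the
    natConfProtTable entries named `prot_name`.

    TCP sessions in the 'establishment' or 'termination' phase use the
    negotiation timeout: natConfTcpNegTimeout from the natConfTcpTable row
    named by natConfProtSpecName if one exists, else natConfTcpDefNegTimeout.
    Every other case uses natConfProtIdleTimeout from the matching
    natConfProtTable row, falling back to the protocol's default scalar
    (natConfOtherDefIdleTimeout for protocols without their own scalar).
    """
    row = PROT_TABLE.get((prot_name, protocol))
    if protocol == "tcp" and tcp_phase in ("establishment", "termination"):
        if row is not None and row[0] in TCP_TABLE:
            return TCP_TABLE[row[0]]
        return DEFAULTS["natConfTcpDefNegTimeout"]
    if row is not None:
        return row[1]
    return DEFAULTS[DEFAULT_BY_PROTOCOL.get(protocol,
                                            "natConfOtherDefIdleTimeout")]


def session_idled_out(current_idle_ticks: int, timeout_s: int) -> bool:
    """natSessionCurrentIdletime is TimeTicks, i.e. hundredths of a second,
    while the timeouts are in seconds; compare in a common unit."""
    return current_idle_ticks >= timeout_s * 100


if __name__ == "__main__":
    for args in (("branch", "tcp", "establishment"), ("branch", "tcp"),
                 ("hq", "tcp", "termination"), ("branch", "udp"),
                 ("hq", "gre")):
        print(args, idle_timeout(*args))
    print(session_idled_out(6001, 60), session_idled_out(5999, 60))
```

The unit mismatch is the point worth remembering: a manager that compares
natSessionCurrentIdletime directly against natConfProtIdleTimeout will
judge sessions to be a hundred times staler than they are.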
--
-- Notification thresholds
--
natConfAddressRiseThreshold OBJECT-TYPE
SYNTAX Unsigned32 (0..100)
UNITS "percentage"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object represents the rising threshold value for
generation of the natAddressUseRising notification. A
notification is generated whenever the usage percentage
of the address map is equal to or greater than
natConfAddressRiseThreshold.
Notifications are not generated when the value of
this object is 0."
DEFVAL { 0 }
::= { natConfig 10 }
natConfAddressFallThreshold OBJECT-TYPE
SYNTAX Unsigned32 (0..100)
UNITS "percentage"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object represents the falling threshold value for
the natAddressUseRising notification. It is only the
lower end of the hysteresis curve: no notification is
generated when usage crosses this threshold, but after a
natAddressUseRising notification has been generated for
an address map, another is not generated for that map
until its usage has fallen to or below this value."
DEFVAL { 0 }
::= { natConfig 11 }
--
-- The Translation Group
--
--
-- Address Bind section
--
natAddrBindNumberOfEntries OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object maintains a count of the number of entries
that currently exist in the natAddrBindTable."
::= { natTranslation 1 }
--
-- The NAT Address BIND Table
--
natAddrBindTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatAddrBindEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table holds information about the currently
active NAT BINDs. This table only holds information
regarding the active address BINDs."
::= { natTranslation 2 }
natAddrBindEntry OBJECT-TYPE
SYNTAX NatAddrBindEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry in this table holds information about
an active address BIND."
INDEX { natAddrBindLocalAddrType, natAddrBindLocalAddr }
::= { natAddrBindTable 1 }
NatAddrBindEntry ::= SEQUENCE {
natAddrBindLocalAddrType InetAddressType,
natAddrBindLocalAddr InetAddress,
natAddrBindGlobalAddrType InetAddressType,
natAddrBindGlobalAddr InetAddress,
natAddrBindId Unsigned32,
natAddrBindDirection INTEGER,
natAddrBindType INTEGER,
natAddrBindAddrMapName SnmpAdminString,
natAddrBindSessionCount Gauge32,
natAddrBindCurrentIdleTime TimeTicks,
natAddrBindInTranslate Counter32,
natAddrBindOutTranslate Counter32,
natAddrBindOrigin INTEGER,
natAddrBindStatus RowStatus
}
natAddrBindLocalAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object specifies the address type used for
natAddrBindLocalAddr."
::= { natAddrBindEntry 1 }
natAddrBindLocalAddr OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object represents the private-realm specific network
layer address, which maps to the public-realm address
represented by natAddrBindGlobalAddr."
::= { natAddrBindEntry 2 }
natAddrBindGlobalAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the address type used for
natAddrBindGlobalAddr."
::= { natAddrBindEntry 3 }
natAddrBindGlobalAddr OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the public-realm network layer
address that maps to the private-realm network layer
address represented by natAddrBindLocalAddr."
::= { natAddrBindEntry 4 }
natAddrBindId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object represents a BIND id that is dynamically
assigned to each BIND by a NAT enabled device. Each
BIND is identified by a BIND id that is unique across
both the Address bind and the Address-Port bind
tables."
::= { natAddrBindEntry 5 }
natAddrBindDirection OBJECT-TYPE
SYNTAX INTEGER {
uniDirectional (1),
biDirectional (2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the direction of the BIND.
A BIND is either uni-directional or bi-directional,
matching the orientation of the address map from which
the bind was formed."
::= { natAddrBindEntry 6 }
natAddrBindType OBJECT-TYPE
SYNTAX INTEGER {
static (1),
dynamic (2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates whether the BIND is static or
dynamic."
::= { natAddrBindEntry 7 }
natAddrBindAddrMapName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is a pointer to the natConfAddrMapTable entry
(and the parameters of that entry) that was used in
creating this BIND. If the bind is being created by the
Management Station, it must set this object to the name
of an existing address map. An attempt to set this
object to a non-existent address map name results in an
inconsistentValue error."
::= { natAddrBindEntry 8 }
natAddrBindSessionCount OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of sessions currently using this BIND."
::= { natAddrBindEntry 9 }
natAddrBindCurrentIdleTime OBJECT-TYPE
SYNTAX TimeTicks
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"At any given instant, this object indicates the time
for which this BIND has been idle with no sessions
attached to it.
The value of this object is of relevance only for
dynamic NAT."
::= { natAddrBindEntry 10 }
natAddrBindInTranslate OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets that were successfully
translated using this BIND entry."
::= { natAddrBindEntry 11 }
natAddrBindOutTranslate OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound packets that were successfully
translated using this BIND entry."
::= { natAddrBindEntry 12 }
natAddrBindOrigin OBJECT-TYPE
SYNTAX INTEGER {
snmp (1), -- created via SNMP
cli (2), -- created via command line interface
nat (3), -- dynamically created
other(4) -- other mechanism e.g. XML
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The originator of this NAT bind entry.
If the Bind entry is dynamically created by the NAT
function itself, the value of this object should be
'nat'."
::= { natAddrBindEntry 13 }
natAddrBindStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row."
::= { natAddrBindEntry 14 }
--
-- Address-Port Bind section
--
natAddrPortBindNumberOfEntries OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object maintains a count of the number of entries
that currently exist in the natAddrPortBindTable."
::= { natTranslation 3 }
--
-- The NAT Address-Port BIND Table
--
natAddrPortBindTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatAddrPortBindEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table holds information about the currently
active NAPT BINDs."
::= { natTranslation 4 }
natAddrPortBindEntry OBJECT-TYPE
SYNTAX NatAddrPortBindEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry in this table holds information about a
NAPT BIND that is currently active."
INDEX { natAddrPortBindLocalAddrType, natAddrPortBindLocalAddr,
natAddrPortBindLocalPort, natAddrPortBindProtocol }
::= { natAddrPortBindTable 1 }
NatAddrPortBindEntry ::= SEQUENCE {
natAddrPortBindLocalAddrType InetAddressType,
natAddrPortBindLocalAddr InetAddress,
natAddrPortBindLocalPort Integer32,
natAddrPortBindProtocol NATProtocolType,
natAddrPortBindGlobalAddrType InetAddressType,
natAddrPortBindGlobalAddr InetAddress,
natAddrPortBindGlobalPort Integer32,
natAddrPortBindId Unsigned32,
natAddrPortBindDirection INTEGER,
natAddrPortBindType INTEGER,
natAddrPortBindAddrMapName SnmpAdminString,
natAddrPortBindSessionCount Gauge32,
natAddrPortBindCurrentIdleTime TimeTicks,
natAddrPortBindInTranslate Counter32,
natAddrPortBindOutTranslate Counter32,
natAddrPortBindOrigin INTEGER,
natAddrPortBindStatus RowStatus
}
natAddrPortBindLocalAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object specifies the address type used for
natAddrPortBindLocalAddr."
::= { natAddrPortBindEntry 1 }
natAddrPortBindLocalAddr OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object represents the private-realm specific network
layer address which, in conjunction with
natAddrPortBindLocalPort, maps to the public-realm
network layer address and transport id represented by
natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort
respectively."
::= { natAddrPortBindEntry 2 }
natAddrPortBindLocalPort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object represents the private-realm specific port
number (or query ID in case of ICMP messages) which, in
conjunction with natAddrPortBindLocalAddr, maps to the
public-realm network layer address and transport id
represented by natAddrPortBindGlobalAddr and
natAddrPortBindGlobalPort respectively."
::= { natAddrPortBindEntry 3 }
natAddrPortBindProtocol OBJECT-TYPE
SYNTAX NATProtocolType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object specifies a protocol identifier. If the
value of this object is none(1), then this BIND entry
applies to all IP traffic. Any other value of this object
specifies the class of IP traffic to which this BIND
applies."
::= { natAddrPortBindEntry 4 }
natAddrPortBindGlobalAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the address type used for
natAddrPortBindGlobalAddr."
::= { natAddrPortBindEntry 5 }
natAddrPortBindGlobalAddr OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the public-realm specific network
layer address that, in conjunction with
natAddrPortBindGlobalPort, maps to the private-realm
network layer address and transport id represented by
natAddrPortBindLocalAddr and natAddrPortBindLocalPort
respectively."
::= { natAddrPortBindEntry 6 }
natAddrPortBindGlobalPort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the port number (or query id in
case of ICMP) that, in conjunction with
natAddrPortBindGlobalAddr, maps to the private-realm
network layer address and transport id represented by
natAddrPortBindLocalAddr and natAddrPortBindLocalPort
respectively."
::= { natAddrPortBindEntry 7 }
natAddrPortBindId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object represents a BIND id that is dynamically
assigned to each BIND by a NAT enabled device. Each
BIND is identified by a BIND id that is unique across
both the Address Bind and Address-Port Bind tables."
::= { natAddrPortBindEntry 8 }
natAddrPortBindDirection OBJECT-TYPE
SYNTAX INTEGER {
uniDirectional (1),
biDirectional (2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object represents the direction of the BIND. A
BIND is either uni-directional or bi-directional,
matching the orientation of the address map from which
the bind was formed."
::= { natAddrPortBindEntry 9 }
natAddrPortBindType OBJECT-TYPE
SYNTAX INTEGER {
static (1),
dynamic (2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates whether the BIND is static or
dynamic."
::= { natAddrPortBindEntry 10 }
natAddrPortBindAddrMapName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is a pointer to the NatConfAddrMapEntry
(and the parameters of that entry) that was used in
creating this BIND. If the bind is being created by the
Management Station, it must set this object to the name
of an existing address map. An attempt to set this object
to a non-existent address map name results in an
inconsistentValue error."
::= { natAddrPortBindEntry 11 }
natAddrPortBindSessionCount OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of sessions currently using this BIND."
::= { natAddrPortBindEntry 12 }
natAddrPortBindCurrentIdleTime OBJECT-TYPE
SYNTAX TimeTicks
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"At any given instant, this object indicates the time
for which this BIND has been idle with no sessions
attached to it. The value of this object is of relevance
only for dynamic NAT."
::= { natAddrPortBindEntry 13 }
natAddrPortBindInTranslate OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets that were translated as per
this BIND entry."
::= { natAddrPortBindEntry 14 }
natAddrPortBindOutTranslate OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound packets that were translated as per
this BIND entry."
::= { natAddrPortBindEntry 15 }
natAddrPortBindOrigin OBJECT-TYPE
SYNTAX INTEGER {
snmp (1), -- created via SNMP
cli (2), -- created via command line interface
nat (3), -- dynamically created
other(4) -- other mechanisms e.g. XML
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The originator of this NAPT bind entry.
If the Bind entry is dynamically created by the NAT
function itself, the value of this object should be
'nat'."
::= { natAddrPortBindEntry 16 }
natAddrPortBindStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row."
::= { natAddrPortBindEntry 17 }
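Two things a practitioner does with the natAddrPortBindTable are (a)
address a single row, which requires encoding its four-part INDEX into an
OID suffix, and (b) audit it for binds that were not created by NAT itself:
a static, bi-directional NAPT bind with natAddrPortBindOrigin 'snmp' or
'cli' is a pinhole that admits unsolicited public-side traffic to a
private host, and the read-create access on this table means that anyone
with write access to the agent can create one. The Python below is an
added illustration, not part of this memo. It uses the enumerations given
above for natAddrPortBindOrigin, natAddrPortBindDirection and
natAddrPortBindType and the InetAddressType values ipv4(1)/ipv6(2) from the
INET-ADDRESS-MIB; of the NATProtocolType values only none(1) is stated in
this section, so the others are assumed, and all table rows are
constructed.

```python
# Added illustration, not part of this memo: encoding the INDEX of a
# natAddrPortBindEntry row as an OID suffix, and flagging management-created
# static bi-directional NAPT binds. Rows are constructed; NATProtocolType
# values other than none(1) are assumed.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

INET_TYPE = {4: 1, 6: 2}          # InetAddressType: ipv4(1), ipv6(2)
PROTO = {"none": 1, "other": 2,   # NATProtocolType: none(1) per the memo,
         "icmp": 3, "udp": 4,     # the remaining values are assumed
         "tcp": 5}
ORIGIN = {"snmp": 1, "cli": 2, "nat": 3, "other": 4}   # natAddrPortBindOrigin
DIRECTION = {"uniDirectional": 1, "biDirectional": 2}  # natAddrPortBindDirection
BIND_TYPE = {"static": 1, "dynamic": 2}                # natAddrPortBindType


@dataclass
class NaptBind:
    """One conceptual row of natAddrPortBindTable (columns we need)."""
    local_addr: str      # natAddrPortBindLocalAddr (type derived from it)
    local_port: int      # natAddrPortBindLocalPort
    protocol: str        # natAddrPortBindProtocol
    global_addr: str     # natAddrPortBindGlobalAddr
    global_port: int     # natAddrPortBindGlobalPort
    bind_id: int         # natAddrPortBindId
    direction: str       # natAddrPortBindDirection
    bind_type: str       # natAddrPortBindType
    origin: str          # natAddrPortBindOrigin


def index_suffix(b: NaptBind) -> Tuple[int, ...]:
    """Sub-identifiers for INDEX { natAddrPortBindLocalAddrType,
    natAddrPortBindLocalAddr, natAddrPortBindLocalPort,
    natAddrPortBindProtocol }.

    natAddrPortBindLocalAddr is a variable-length InetAddress (SIZE (0..20))
    that is not IMPLIED, so RFC 2578 section 7.7 encodes it as its length
    followed by one sub-identifier per octet.
    """
    ip = ipaddress.ip_address(b.local_addr)
    octets = ip.packed
    return (INET_TYPE[ip.version], len(octets), *octets,
            b.local_port, PROTO[b.protocol])


def management_pinholes(rows: List[NaptBind]) -> List[NaptBind]:
    """Static, bi-directional binds whose origin is not 'nat': these are
    standing inbound mappings created through SNMP, the CLI or another
    management path and should each match an approved change."""
    return [r for r in rows
            if r.bind_type == "static"
            and r.direction == "biDirectional"
            and r.origin != "nat"]


# Constructed sample of natAddrPortBindTable contents.
ROWS = [
    NaptBind("10.0.0.5", 40000, "tcp", "192.0.2.1", 40000, 1,
             "uniDirectional", "dynamic", "nat"),
    NaptBind("10.0.0.9", 22, "tcp", "192.0.2.1", 2222, 2,
             "biDirectional", "static", "snmp"),
    NaptBind("10.0.0.7", 53, "udp", "192.0.2.1", 53, 3,
             "biDirectional", "static", "cli"),
    NaptBind("2001:db8::1", 80, "tcp", "2001:db8:ffff::1", 80, 4,
             "uniDirectional", "dynamic", "nat"),
]

if __name__ == "__main__":
    for r in ROWS:
        print(r.bind_id, ".".join(map(str, index_suffix(r))))
    print("pinholes:", [r.bind_id for r in management_pinholes(ROWS)])
```

To fetch one column of a specific row, append the suffix returned by
index_suffix to that column's OID (for example natAddrPortBindGlobalPort,
natAddrPortBindEntry 7); the same encoding applies, with the appropriate
columns, to natAddrBindTable and natSessionTable.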
--
-- The Session Table
--
natSessionTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatSessionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing one entry for each
NAT session currently active on this NAT device."
::= { natTranslation 5 }
natSessionEntry OBJECT-TYPE
SYNTAX NatSessionEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing information
about an active NAT session on this NAT device."
INDEX { natSessionBindId, natSessionId }
::= { natSessionTable 1 }
NatSessionEntry ::= SEQUENCE {
natSessionBindId Unsigned32,
natSessionId Unsigned32,
natSessionDirection INTEGER,
natSessionUpTime TimeTicks,
natSessionProtocolType NATProtocolType,
natSessionOrigPrivateAddrType InetAddressType,
natSessionOrigPrivateAddr InetAddress,
natSessionTransPrivateAddrType InetAddressType,
natSessionTransPrivateAddr InetAddress,
natSessionOrigPrivatePort Integer32,
natSessionTransPrivatePort Integer32,
natSessionOrigPublicAddrType InetAddressType,
natSessionOrigPublicAddr InetAddress,
natSessionTransPublicAddrType InetAddressType,
natSessionTransPublicAddr InetAddress,
natSessionOrigPublicPort Integer32,
natSessionTransPublicPort Integer32,
natSessionCurrentIdletime TimeTicks,
natSessionSecondBindId Unsigned32,
natSessionInTranslate Counter32,
natSessionOutTranslate Counter32,
natSessionStatus RowStatus
}
natSessionBindId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object represents a BIND id that is dynamically
assigned to each BIND by a NAT enabled device. This
bind id is the same as that represented by the BindId
objects in the Address bind and Address-Port bind
tables."
::= { natSessionEntry 1 }
natSessionId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The session ID for this NAT session."
::= { natSessionEntry 2 }
natSessionDirection OBJECT-TYPE
SYNTAX INTEGER {
inbound (1),
outbound (2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The direction of this session with respect to the
local network. 'inbound' indicates that this session
was initiated from the public network into the private
network. 'outbound' indicates that this session was
initiated from the private network into the public
network."
::= { natSessionEntry 3 }
natSessionUpTime OBJECT-TYPE
SYNTAX TimeTicks
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The up time of this session in one-hundredths of a
second."
::= { natSessionEntry 4 }
natSessionProtocolType OBJECT-TYPE
SYNTAX NATProtocolType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The protocol type of this session.
TCP and UDP sessions are uniquely identified by the
tuple of (source IP address, source TCP/UDP port,
destination IP address, destination TCP/UDP port).
ICMP query sessions are identified by the tuple of
(source IP address, ICMP query ID, destination IP
address)."
::= { natSessionEntry 5 }
natSessionOrigPrivateAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the address type used for
natSessionOrigPrivateAddr."
::= { natSessionEntry 6 }
natSessionOrigPrivateAddr OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The original IP address of the session endpoint that
lies in the private network."
::= { natSessionEntry 7 }
natSessionTransPrivateAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the address type used for
natSessionTransPrivateAddr."
::= { natSessionEntry 8 }
natSessionTransPrivateAddr OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The translated IP address of the session endpoint that
lies in the private network. The value of this object
is equal to that of the original private IP Address
(natSessionOrigPrivateAddr) when there is no
translation."
::= { natSessionEntry 9 }
natSessionOrigPrivatePort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The original transport port of the session endpoint that
belongs to the private network. If this is an ICMP
session then the value is the ICMP request ID. The value
of this object should be 0 when ports are not involved
in the translation."
::= { natSessionEntry 10 }
natSessionTransPrivatePort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The translated transport port of the session endpoint
that lies in the private network. The value of this
object is equal to that of the original transport port
(natSessionOrigPrivatePort) when there is no
translation."
::= { natSessionEntry 11 }
natSessionOrigPublicAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the address type used for
natSessionOrigPublicAddr."
::= { natSessionEntry 12 }
natSessionOrigPublicAddr OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The original IP address of the session endpoint that lies
in the public network."
::= { natSessionEntry 13 }
natSessionTransPublicAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object specifies the address type used for
natSessionTransPublicAddr."
::= { natSessionEntry 14 }
natSessionTransPublicAddr OBJECT-TYPE
SYNTAX InetAddress (SIZE (0..20))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The translated IP address of the session endpoint that
belongs to the public network. The value of this object
is equal to that of the original public IP Address
(natSessionOrigPublicAddr) when there is no
translation."
::= { natSessionEntry 15 }
natSessionOrigPublicPort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The original transport port of the session endpoint that
belongs to the public network. If this is an ICMP
session then the value contains the ICMP request ID.
The value of this object should be 0 when ports are
not involved in the translation."
::= { natSessionEntry 16 }
natSessionTransPublicPort OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The translated transport port of the session endpoint
that belongs to the public network. The value of this
object is equal to that of the original transport port
(natSessionOrigPublicPort) when there is no
translation."
::= { natSessionEntry 17 }
natSessionCurrentIdletime OBJECT-TYPE
SYNTAX TimeTicks
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time in one-hundredths of a second since a packet
belonging to this session was last detected."
::= { natSessionEntry 18 }
natSessionSecondBindId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The natBindId of the 'other' NAT binding in the case of
Twice NAT.
An instance of this object contains a valid value
only if the binding type for this session is Twice NAT.
This object may not be modified while the value of
natSessionStatus is active(1); an attempt to set this
object while natSessionStatus is active(1) results in
an inconsistentValue error.
For Twice NAT, the value of this object MUST refer to a
valid bind id."
::= { natSessionEntry 19 }
natSessionInTranslate OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets that were translated for
this session."
::= { natSessionEntry 20 }
natSessionOutTranslate OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound packets that were translated for
this session."
::= { natSessionEntry 21 }
natSessionStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row.
For a Twice NAT session, the value of natSessionStatus
must remain 'notReady' until the corresponding instance
of natSessionSecondBindId holds a valid value."
::= { natSessionEntry 22 }
--
-- natStatistics Group
--
--
-- The Protocol Stats table
--
natProtocolStatsTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatProtocolStatsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing per protocol NAT
statistics."
::= { natStatistics 1 }
natProtocolStatsEntry OBJECT-TYPE
SYNTAX NatProtocolStatsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing NAT statistics
pertaining to a particular protocol."
INDEX { natProtocolStatsName }
::= { natProtocolStatsTable 1 }
NatProtocolStatsEntry ::= SEQUENCE {
natProtocolStatsName NATProtocolType,
natProtocolStatsInTranslate Counter32,
natProtocolStatsOutTranslate Counter32,
natProtocolStatsRejectCount Counter32
}
natProtocolStatsName OBJECT-TYPE
SYNTAX NATProtocolType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object represents the protocol pertaining to which
statistics are reported."
::= { natProtocolStatsEntry 1 }
natProtocolStatsInTranslate OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets, pertaining to the protocol
identified by natProtocolStatsName, that underwent NAT."
::= { natProtocolStatsEntry 2 }
natProtocolStatsOutTranslate OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound packets, pertaining to the protocol
identified by natProtocolStatsName, that underwent NAT."
::= { natProtocolStatsEntry 3 }
natProtocolStatsRejectCount OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets, pertaining to the protocol
identified by natProtocolStatsName, that NAT rejected
or dropped because no translation could be applied,
e.g. because the session had timed out, resources were
unavailable, or the address space was exhausted."
::= { natProtocolStatsEntry 4 }
--
-- The Address Map Stats table
--
natAddrMapStatsTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatAddrMapStatsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table containing per address map NAT
statistics."
::= { natStatistics 2 }
natAddrMapStatsEntry OBJECT-TYPE
SYNTAX NatAddrMapStatsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) containing NAT statistics per
address map."
AUGMENTS { natConfAddrMapEntry }
::= { natAddrMapStatsTable 1 }
NatAddrMapStatsEntry ::= SEQUENCE {
natAddrMapStatsInTranslate Counter32,
natAddrMapStatsOutTranslate Counter32,
natAddrMapStatsNoResource Counter32,
natAddrMapStatsAddrUsed Gauge32
}
natAddrMapStatsInTranslate OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of inbound packets, pertaining to this address
map entry, that were translated."
::= { natAddrMapStatsEntry 3 }
natAddrMapStatsOutTranslate OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of outbound packets, pertaining to this
address map entry, that were translated."
::= { natAddrMapStatsEntry 4 }
natAddrMapStatsNoResource OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of packets, pertaining to this address map
entry, that were dropped due to lack of addresses in the
address pool identified by this address map. The value of
this object must always be zero in case of static
address map."
::= { natAddrMapStatsEntry 5 }
natAddrMapStatsAddrUsed OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of addresses, pertaining to this address map,
that are currently being used from the nat pool. The
value of this object is irrelevant if the address map in
question is a static address map."
::= { natAddrMapStatsEntry 6 }
--
-- The Interface Stats table
--
natInterfaceStatsTable OBJECT-TYPE
SYNTAX SEQUENCE OF NatInterfaceStatsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table provides statistics information per
interface."
::= { natStatistics 3 }
natInterfaceStatsEntry OBJECT-TYPE
SYNTAX NatInterfaceStatsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry of the natInterfaceStatsTable represents
statistics pertaining to one interface, identified by
its ifIndex."
AUGMENTS { natConfEntry }
::= { natInterfaceStatsTable 1 }
NatInterfaceStatsEntry ::= SEQUENCE {
natInterfacePktsIn Counter32,
natInterfacePktsOut Counter32
}
natInterfacePktsIn OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of packets received on this interface that
were translated."
::= { natInterfaceStatsEntry 1 }
natInterfacePktsOut OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Number of translated packets that were sent out this
interface."
::= { natInterfaceStatsEntry 2 }
--
-- Notifications section
--
natNotificationPrefix OBJECT IDENTIFIER ::= { natMIB 2 }
natNotifications OBJECT IDENTIFIER ::=
{ natNotificationPrefix 0 }
--
-- Notification objects i.e. objects accessible only for notification
-- purpose.
--
natNotificationObjects OBJECT IDENTIFIER ::=
{ natNotificationPrefix 1 }
natAddrMapName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"This object represents the address map whose
addresses/ports have been exhausted, resulting in a
natPacketDiscard notification."
::= { natNotificationObjects 1 }
natPktDiscardReason OBJECT-TYPE
SYNTAX INTEGER {
other (1),
addressSpaceExhausted (2)
}
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"This object represents the reason for which a packet is
discarded by NAT.
addressSpaceExhausted (2) represents a situation wherein
the address space required to do this mapping has been
exhausted (used up by other translations).
other (1) represents a case where the packet was
discarded due to any other reasons."
::= { natNotificationObjects 2 }
--
-- Notifications
--
natAddressUseRising NOTIFICATION-TYPE
OBJECTS { natAddrMapStatsAddrUsed }
STATUS current
DESCRIPTION
"This notification is generated whenever the usage
percentage of an address map is equal to or greater
than the configured natConfAddressRiseThreshold.
Note that once this notification is generated, another
notification for the same address map should be generated
only after the address usage falls to or below the
configured natConfAddressFallThreshold.
This notification should be generated only for dynamic
address maps, since it carries no useful information
for static maps."
::= { natNotifications 1 }
natPacketDiscard NOTIFICATION-TYPE
OBJECTS { natAddrMapName, natPktDiscardReason }
STATUS current
DESCRIPTION
"This notification is generated whenever packets are
discarded e.g. due to lack of mapping space when we run
out of address/ports in case of Basic NAT/NAPT
respectively.
An agent should not generate more than one
natPacketDiscard 'notification-events' in a given time
interval (five seconds is the suggested default). A
'notification-event' is the transmission of a single
trap or inform PDU to a list of notification
destinations.
If additional nat packets are discarded within the
throttling period, then notification-events for these
changes should be suppressed by the agent until the
current throttling period expires. At the end of a
throttling period, one notification-event should be
generated if any NAT packet was discarded since the
start of the throttling period. In such a case, another
throttling period is started right away."
::= { natNotifications 2 }
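The hysteresis rule for natAddressUseRising and the throttling rule for natPacketDiscard, written out as agent-side logic. This is an added example for this page, not code from the draft or from any NAT implementation: the class names, the rise/fall threshold fields standing in for natConfAddressRiseThreshold/natConfAddressFallThreshold, the dictionary shape of an emitted event and the caller-supplied clock are assumptions; the enumeration values of natPktDiscardReason and the five-second default period are the draft's.

```python
"""Agent-side notification policy for the NAT MIB notifications:
threshold hysteresis for natAddressUseRising and per-period throttling
for natPacketDiscard.  Added example, not part of the draft."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class PktDiscardReason(IntEnum):
    """Values of natPktDiscardReason as enumerated in the MIB."""
    other = 1
    addressSpaceExhausted = 2


@dataclass
class AddressUseMonitor:
    """Hysteresis for natAddressUseRising; one instance per address map.

    rise_threshold / fall_threshold stand in for the agent's configured
    natConfAddressRiseThreshold / natConfAddressFallThreshold (assumed names)."""
    addr_map_name: str
    rise_threshold: int
    fall_threshold: int
    dynamic: bool = True   # the draft says to notify only for dynamic maps
    armed: bool = True     # cleared once a rising notification has been sent

    def __post_init__(self) -> None:
        if self.fall_threshold > self.rise_threshold:
            raise ValueError("falling threshold must not exceed rising threshold")

    def update(self, addrs_used: int) -> Optional[dict]:
        """Feed the current natAddrMapStatsAddrUsed value; return the
        notification to send, or None."""
        if not self.dynamic:
            return None
        if self.armed and addrs_used >= self.rise_threshold:
            # Disarm: no further notification until usage falls to/below
            # the falling threshold.
            self.armed = False
            return {"notification": "natAddressUseRising",
                    "addrMap": self.addr_map_name,
                    "natAddrMapStatsAddrUsed": addrs_used}
        if not self.armed and addrs_used <= self.fall_threshold:
            self.armed = True
        return None


class PacketDiscardThrottle:
    """Throttling for natPacketDiscard: at most one notification-event per
    throttling period (five seconds is the draft's suggested default)."""

    def __init__(self, period: float = 5.0) -> None:
        self.period = period
        self.period_end: Optional[float] = None  # None: no period running
        self.pending: Optional[tuple] = None     # latest suppressed discard

    @staticmethod
    def _event(addr_map_name: str, reason: PktDiscardReason) -> dict:
        return {"notification": "natPacketDiscard",
                "natAddrMapName": addr_map_name,
                "natPktDiscardReason": int(reason)}

    def tick(self, now: float) -> List[dict]:
        """Called from the agent's timer (and before each discard).  When a
        period expires, emit one event if anything was discarded during it
        and start another period right away; otherwise stop throttling."""
        events: List[dict] = []
        while self.period_end is not None and now >= self.period_end:
            if self.pending is None:
                self.period_end = None
            else:
                events.append(self._event(*self.pending))
                self.pending = None
                self.period_end += self.period
        return events

    def discard(self, now: float, addr_map_name: str,
                reason: PktDiscardReason) -> List[dict]:
        """Record a packet discard at time `now`; return the events to send."""
        events = self.tick(now)
        if self.period_end is None:
            # No period running: send immediately and start a throttling period.
            events.append(self._event(addr_map_name, reason))
            self.period_end = now + self.period
        else:
            # Inside a period: suppress, but remember it for the period's end.
            self.pending = (addr_map_name, reason)
        return events
```

The agent would call `tick()` from a timer so that the end-of-period event goes out on time; if the timer is late, `discard()` flushes the overdue event itself before deciding how to treat the new one.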
--
-- Conformance information.
--
natMIBConformance OBJECT IDENTIFIER ::= { natMIB 3 }
natMIBGroups OBJECT IDENTIFIER ::= { natMIBConformance 1 }
natMIBCompliances OBJECT IDENTIFIER ::= { natMIBConformance 2 }
--
-- Units of conformance
--
natConfigGroup OBJECT-GROUP
OBJECTS { natConfInterfaceRealm,
natConfServiceType,
natConfAddrMapConfigName,
natConfStorageType,
natConfStatus,
natConfAddrMapEntryType,
natConfAddrMapDirection,
natConfLocalAddrType,
natConfLocalAddrFrom,
natConfLocalAddrTo,
natConfLocalPortFrom,
natConfLocalPortTo,
natConfGlobalAddrType,
natConfGlobalAddrFrom,
natConfGlobalAddrTo,
natConfGlobalPortFrom,
natConfGlobalPortTo,
natConfProtocol,
natConfAddrMapStorageType,
natConfAddrMapStatus,
natConfUdpDefIdleTimeout,
natConfIcmpDefIdleTimeout,
natConfOtherDefIdleTimeout,
natConfTcpDefIdleTimeout,
natConfTcpDefNegTimeout }
STATUS current
DESCRIPTION
"A collection of configuration-related information
required to support management of devices supporting
NAT."
::= { natMIBGroups 1 }
natTranslationGroup OBJECT-GROUP
OBJECTS { natAddrBindNumberOfEntries,
natAddrBindGlobalAddrType,
natAddrBindGlobalAddr,
natAddrBindId,
natAddrBindDirection,
natAddrBindType,
natAddrBindAddrMapName,
natAddrBindSessionCount,
natAddrBindCurrentIdleTime,
natAddrBindInTranslate,
natAddrBindOutTranslate,
natAddrBindOrigin,
natAddrBindStatus,
natAddrPortBindNumberOfEntries,
natAddrPortBindGlobalAddrType,
natAddrPortBindGlobalAddr,
natAddrPortBindGlobalPort,
natAddrPortBindId,
natAddrPortBindDirection,
natAddrPortBindType,
natAddrPortBindAddrMapName,
natAddrPortBindSessionCount,
natAddrPortBindCurrentIdleTime,
natAddrPortBindInTranslate,
natAddrPortBindOutTranslate,
natAddrPortBindOrigin,
natAddrPortBindStatus,
natSessionDirection,
natSessionUpTime,
natSessionProtocolType,
natSessionOrigPrivateAddrType,
natSessionOrigPrivateAddr,
natSessionTransPrivateAddrType,
natSessionTransPrivateAddr,
natSessionOrigPrivatePort,
natSessionTransPrivatePort,
natSessionOrigPublicAddrType,
natSessionOrigPublicAddr,
natSessionTransPublicAddrType,
natSessionTransPublicAddr,
natSessionOrigPublicPort,
natSessionTransPublicPort,
natSessionCurrentIdletime,
natSessionSecondBindId,
natSessionInTranslate,
natSessionOutTranslate,
natSessionStatus }
STATUS current
DESCRIPTION
"A collection of BIND-related objects required to support
management of devices supporting NAT."
::= { natMIBGroups 2 }
natInterfaceStatsGroup OBJECT-GROUP
OBJECTS { natInterfacePktsIn,
natInterfacePktsOut }
STATUS current
DESCRIPTION
"A collection of NAT statistics associated with the
interface on which NAT is configured, to aid
troubleshooting/monitoring of the NAT operation."
::= { natMIBGroups 3 }
natProtocolStatsGroup OBJECT-GROUP
OBJECTS { natProtocolStatsInTranslate,
natProtocolStatsOutTranslate,
natProtocolStatsRejectCount }
STATUS current
DESCRIPTION
"A collection of protocol specific NAT statistics,
to aid troubleshooting/monitoring of NAT operation."
::= { natMIBGroups 4 }
natAddrMapStatsGroup OBJECT-GROUP
OBJECTS { natAddrMapStatsInTranslate,
natAddrMapStatsOutTranslate,
natAddrMapStatsNoResource,
natAddrMapStatsAddrUsed }
STATUS current
DESCRIPTION
"A collection of address map specific NAT statistics,
to aid troubleshooting/monitoring of NAT operation."
::= { natMIBGroups 5 }
natConfProtGroup OBJECT-GROUP
OBJECTS { natConfProtConfigName,
natConfProtSpecName,
natConfProtIdleTimeout,
natConfProtRowStatus }
STATUS current
DESCRIPTION
"A collection of objects to facilitate protocol related
NAT configuration."
::= { natMIBGroups 6 }
natConfTcpGroup OBJECT-GROUP
OBJECTS { natConfTcpNegTimeout,
natConfTcpRowStatus }
STATUS current
DESCRIPTION
"A collection of TCP related NAT parameter objects
used for NAT configuration."
::= { natMIBGroups 7 }
natMIBNotifConfigGroup OBJECT-GROUP
OBJECTS { natConfAddressRiseThreshold,
natConfAddressFallThreshold }
STATUS current
DESCRIPTION
"A collection of configuration objects required to support
the threshold-based notifications."
::= { natMIBGroups 8 }
natMIBNotificationObjectsGroup OBJECT-GROUP
OBJECTS { natAddrMapName,
natPktDiscardReason }
STATUS current
DESCRIPTION
"A collection of objects required to support NAT
notifications."
::= { natMIBGroups 9 }
natMIBNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS { natAddressUseRising,
natPacketDiscard }
STATUS current
DESCRIPTION
"A collection of notifications which are generated by
devices supporting this MIB."
::= { natMIBGroups 10 }
--
-- Compliance statements
--
natMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for devices running NAT."
MODULE -- this module
MANDATORY-GROUPS { natConfigGroup, natTranslationGroup,
natInterfaceStatsGroup }
GROUP natConfProtGroup
DESCRIPTION
"This group is mandatory if any of the protocol
specific tables (below) are supported."
GROUP natConfTcpGroup
DESCRIPTION
"This group is mandatory if tcp is supported over nat."
GROUP natProtocolStatsGroup
DESCRIPTION
"This group is optional."
GROUP natAddrMapStatsGroup
DESCRIPTION
"This group is optional."
GROUP natMIBNotifConfigGroup
DESCRIPTION
"This group is optional."
GROUP natMIBNotificationObjectsGroup
DESCRIPTION
"This group is optional."
GROUP natMIBNotificationGroup
DESCRIPTION
"This group is optional."
OBJECT natConfInterfaceRealm
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
::= { natMIBCompliances 1 }
END
NAT-TC DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY,
mib-2
FROM SNMPv2-SMI
TEXTUAL-CONVENTION
FROM SNMPv2-TC;
natTextualConventions MODULE-IDENTITY
LAST-UPDATED "200111090000Z"
ORGANIZATION "IETF NAT Working Group"
CONTACT-INFO
" Rohit
World Wide Packets
115 North Sullivan Road
Veradale, Spokane, WA 99037
Phone: +1 509 242 9320
Email: Rohit.Rohit@worldwidepackets.com
Nalinaksh Pai
Cisco Systems, Inc.
Prestige Waterford
No. 9, Brunton Road
Bangalore - 560 025
India
Phone: +91 80 532 1300
Email: npai@cisco.com
Rajiv Raghunarayan
Cisco Systems Inc.
170 West Tasman Drive
San Jose, CA 95134
Phone: +1 408 853 9612
Email: raraghun@cisco.com
Cliff Wang
Information Security
Bank One Corp
1111 Polaris Pkwy
Columbus, OH 43240
Phone: +1 614 213 6117
Email: cliffwang2000@yahoo.com
P. Srisuresh
Kuokoa networks
475 Potrero Ave.
Sunnyvale, CA 94085
Phone: +1 408 962 3709
Email: srisuresh@yahoo.com
"
DESCRIPTION
"This MIB module defines the NATProtocolType textual
convention for use in MIBs that need to identify the
protocols which support network address translation."
REVISION "200111090000Z" -- 9th Nov. 2001
DESCRIPTION
"Initial version of this MIB module."
::= { mib-2 xx } -- to be assigned by RFC-editor
NATProtocolType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A list of protocols that are affected/support
network address translation. Inclusion of values is
not intended to imply that those protocols need be
supported."
SYNTAX INTEGER {
none (1), -- not specified
other (2), -- none of the following
icmp (3),
udp (4),
tcp (5)
}
END
7. Security Considerations
This MIB contains readable objects whose values provide information
related to NAT binds and sessions. Some of these objects, e.g. the
bind information, could contain sensitive information. There are also
a number of management objects defined in this MIB that have a
MAX-ACCESS clause of read-write and/or read-create. Such objects
may be considered sensitive or vulnerable in some network
environments.
While unauthorized access to the readable objects may be relatively
innocuous, unauthorized access to the writable objects could
cause a denial of service and/or widespread network
disturbance. Hence, support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations.
SNMPv1 by itself is not a secure environment. Even if the network
itself is secure, there is no control as to who on the secure
network is allowed to access and GET/SET (read/change/create/delete)
the objects in this MIB.
It is recommended that implementors consider the security
features provided by the SNMPv3 framework. Specifically, the use
of the User-based Security Model RFC 2574 [12] and the View-based
Access Control Model RFC 2575 [15] is recommended.
It is then a customer/user responsibility to ensure that the SNMP
entity giving access to an instance of this MIB is properly
configured to give access to the objects only to those
principals (users) that have legitimate rights to GET or
SET (change/create/delete) them.
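The access-control recommendation above, as an added example that is not part of the draft: a simplified VACM (RFC 2575 [15]) decision function run against a weak community-based configuration and a hardened SNMPv3 one. The natMIB arc (99999), the object OIDs below it, the user, group and view names and the function names are constructed placeholders, since the draft leaves the natMIB arc to be assigned by the RFC editor; that natNotificationPrefix is natMIB 2 and that its objects are accessible-for-notify only comes from the draft.

```python
"""VACM-style access check for the NAT MIB, after RFC 2575 [15]: a weak
community-based configuration beside a hardened SNMPv3 one.  Added
example; all OID arcs below mib-2 are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

OID = Tuple[int, ...]

# natMIB ::= { mib-2 xx } in the draft; 99999 is a placeholder arc.
NAT_MIB: OID = (1, 3, 6, 1, 2, 1, 99999)
NAT_NOTIFICATION_PREFIX: OID = NAT_MIB + (2,)   # natNotificationPrefix ::= { natMIB 2 }

# SNMPv3 security levels in increasing strength (USM, RFC 2574 [12]).
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3


@dataclass(frozen=True)
class ViewFamily:
    """One row of vacmViewTreeFamilyTable: a subtree, a mask (1 = this
    sub-identifier must match, 0 = wildcard; bits past the mask are 1)
    and whether matching OIDs are included in or excluded from the view."""
    subtree: OID
    included: bool = True
    mask: Tuple[int, ...] = ()

    def matches(self, oid: OID) -> bool:
        if len(oid) < len(self.subtree):
            return False
        return all((i < len(self.mask) and self.mask[i] == 0) or oid[i] == sub
                   for i, sub in enumerate(self.subtree))


def view_includes(families: Sequence[ViewFamily], oid: OID) -> bool:
    """Among all matching families the one with the longest subtree wins
    (ties: lexicographically greatest subtree); its type decides."""
    best: Optional[ViewFamily] = None
    for fam in families:
        if fam.matches(oid) and (best is None or
                                 (len(fam.subtree), fam.subtree) >
                                 (len(best.subtree), best.subtree)):
            best = fam
    return best is not None and best.included


@dataclass(frozen=True)
class AccessEntry:
    """One row of vacmAccessTable (context and prefix matching omitted)."""
    min_level: int
    read_view: str = ""
    write_view: str = ""


@dataclass
class VacmConfig:
    groups: Dict[Tuple[str, str], str]       # (securityModel, securityName) -> group
    access: Dict[str, AccessEntry]           # group -> access entry
    views: Dict[str, Sequence[ViewFamily]]   # view name -> view families


def is_access_allowed(cfg: VacmConfig, model: str, sec_name: str,
                      level: int, op: str, oid: OID) -> bool:
    """Decide whether a GET-class ('get') or SET-class ('set') request on
    `oid` is permitted, following the isAccessAllowed steps of RFC 2575."""
    group = cfg.groups.get((model, sec_name))
    entry = cfg.access.get(group) if group else None
    if entry is None or level < entry.min_level:
        return False   # unknown principal, or security level too weak
    view_name = entry.read_view if op == "get" else entry.write_view
    return bool(view_name) and view_includes(cfg.views.get(view_name, ()), oid)


# Weak setting: an SNMPv1 community with read-write access to the whole
# natMIB subtree, the "non-secure environment" the draft warns about.
WEAK_CONFIG = VacmConfig(
    groups={("v1", "public"): "anyone"},
    access={"anyone": AccessEntry(NO_AUTH_NO_PRIV, "nat-all", "nat-all")},
    views={"nat-all": [ViewFamily(NAT_MIB)]},
)

# Hardened setting: no community access; a monitoring USM user may only
# read, and SETs require an authPriv administrator.  The notification
# prefix is excluded from the write view: its objects are
# accessible-for-notify only and never writable.
HARDENED_CONFIG = VacmConfig(
    groups={("usm", "natmon"): "nat-monitors",
            ("usm", "natadmin"): "nat-admins"},
    access={"nat-monitors": AccessEntry(AUTH_NO_PRIV, read_view="nat-all"),
            "nat-admins": AccessEntry(AUTH_PRIV, "nat-all", "nat-write")},
    views={"nat-all": [ViewFamily(NAT_MIB)],
           "nat-write": [ViewFamily(NAT_MIB),
                         ViewFamily(NAT_NOTIFICATION_PREFIX, included=False)]},
)
```

The decision order matters: principal lookup, then security level, then the view, so a request that fails at any step never reaches the object. A real agent's VACM tables also key on context name and allow prefix matching of contexts, which this sketch leaves out.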
8. References
[1] Wijnen, B., Harrington, D. and R. Presuhn, "An Architecture
for Describing SNMP Management Frameworks", RFC 2571, April
1999.
[2] Rose, M. and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based Internets", STD 16,
RFC 1155, May 1990.
[3] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16,
RFC 1212, March 1991.
[4] Rose, M., "A Convention for Defining Traps for use with the
SNMP", RFC 1215, March 1991.
[5] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M. and S. Waldbusser, "Structure of Management
Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[6] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999.
[7] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M. and S. Waldbusser, "Conformance Statements for
SMIv2", STD 58, RFC 2580, April 1999.
[8] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple
Network Management Protocol", STD 15, RFC 1157, May 1990.
[9] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
"Introduction to Community-based SNMPv2", RFC 1901, January
1996.
[10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
"Transport Mappings for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1906, January 1996.
[11] Case, J., Harrington D., Presuhn R. and B. Wijnen, "Message
Processing and Dispatching for the Simple Network Management
Protocol (SNMP)", RFC 2572, April 1999.
[12] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM)
for version 3 of the Simple Network Management Protocol
(SNMPv3)", RFC 2574, April 1999.
[13] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
"Protocol Operations for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1905, January 1996.
[14] Levi, D., Meyer, P. and B. Stewart, "SNMPv3 Applications", RFC
2573, April 1999.
[15] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
Control Model (VACM) for the Simple Network Management
Protocol (SNMP)", RFC 2575, April 1999.
[16] Bradner, S., "The Internet Standards Process -- Revision 3",
BCP 9, RFC 2026, October 1996.
[17] Srisuresh, P. and K. Egevang, "Traditional IP Network Address
Translator (Traditional NAT)", RFC 3022, January 2001.
[18] Srisuresh, P. and M. Holdrege, "NAT Terminology and
Considerations", RFC 2663, August 1999.
[19] Daniele, M., Haberman, B., Routhier, S. and J. Schoenwaelder,
"Textual Conventions for Internet Network Addresses", RFC
3291, May 2002.
9. Acknowledgements
The authors of this memo would like to thank Randy Turner, Ashwini
S T, Kevin Luehrs, Sam Sankoorikal and Juergen Quittek for their
valuable feedback.
10. Authors' Addresses
Rohit R.
World Wide Packets
115 North Sullivan Road
Veradale, Spokane, WA 99037
Phone: +1 509 242 9320
Email: Rohit.Rohit@worldwidepackets.com
Nalinaksh Pai
Cisco Systems, Inc.
Prestige Waterford
No. 9, Brunton Road
Bangalore - 560 025
India
Phone: +91 80 532 1300 extn. 6354
Email: npai@cisco.com
Rajiv Raghunarayan
Cisco Systems Inc.
170 West Tasman Drive
San Jose, CA 95134
Phone: +1 408 853 9612
Email: raraghun@cisco.com
Cliff Wang
Information Security
Bank One Corp
1111 Polaris Pkwy
Columbus, OH 43240
Phone: +1 614 213 6117
Email: cliffwang2000@yahoo.com
P. Srisuresh
Kuokoa networks
475 Potrero Ave.
Sunnyvale, CA 94085
Phone: +1 408 962 3709
Email: srisuresh@yahoo.com
11. Change History
A record of changes which will be removed before publication.
10 September 2001
o Added the following objects to support notifications:
natConfAddressRiseThreshold, natConfAddressFallThreshold,
natAddrMapName and natPktDiscardReason.
o The following notifications were added (there are still some
unclear parameters though):
natAddressUseRising and natPacketDiscard.
10 November 2001
o Dynamic and static address map tables merged.
o Protocol extensibility added.
o OIDs rearranged to get things in proper sequence.
07 February 2002
o Config and interface specific tables merged.
o MAX-ACCESS for the bind and session entry objects changed
to read-create.
o natConfAddrMapType renamed to natConfAddrMapDirection.
14 June 2002
o Changed the syntax of natConfServiceType to BITS and renumbered
the enumeration to start with 0.
o Addressed the warning raised by smilint: all InetAddress values
are now restricted to the size range (0..20), i.e. the valid
InetAddress types are now ipv4, ipv6, ipv4z and ipv6z.
o MIN-ACCESS for natConfInterfaceRealm restricted to read-only.
o Changed the natConfIcmpDefIdleTimeout default value to 300.
o natConfProtConfigName made a part of the optional
natConfProtGroup.
o RFC 3291 now referred to instead of RFC 2578.
2 Nov 2002
o Added the Bind Origin Objects.
o Updated the description of natSessionSecondBindId.
o Interface specific statistics made mandatory.
o New sections, 4.1, 4.2 and 4.3 added indicating relationship
between tables and configuration guidelines.
Full Copyright Statement
"Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.