idnits 2.17.1

draft-ietf-behave-nat-mib-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  -- The draft header indicates that this document obsoletes RFC4008, but the
     abstract doesn't seem to mention this, which it should.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document date (September 27, 2013) is 3863 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Obsolete informational reference (is this intentional?): RFC 4008
     (Obsoleted by RFC 7658)

     Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                       S. Perreault
Internet-Draft                                                  Viagenie
Obsoletes: 4008 (if approved)                                    T. Tsou
Intended status: Standards Track               Huawei Technologies (USA)
Expires: March 31, 2014                                     S. Sivakumar
                                                           Cisco Systems
                                                      September 27, 2013

  Definitions of Managed Objects for Network Address Translators (NAT)
                      draft-ietf-behave-nat-mib-08

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for devices implementing Network Address Translator (NAT) function.
   This MIB module may be used for monitoring of a device capable of NAT
   function.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 31, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  The Internet-Standard Management Framework
   3.  Overview
     3.1.  Deprecated Features
     3.2.  New Features
     3.3.  Realms
   4.  Definitions
   5.  Security Considerations
   6.  IANA Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses

1.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for devices implementing NAT function.  This MIB module may be used
   for monitoring of a device capable of NAT function.  Using it for
   configuration is deprecated.  NAT types and their characteristics are
   defined in [RFC2663].  Traditional NAT function, in particular, is
   defined in [RFC3022].  This MIB does not address the firewall
   functions and must not be used for configuring or monitoring these.
   Section 2 provides references to the SNMP management framework, which
   was used as the basis for the MIB module definition.  Section 3
   provides an overview of the MIB features.  Lastly, Section 4 has the
   complete NAT MIB definition.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.
   MIB objects are generally accessed through the Simple Network
   Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Overview

3.1.  Deprecated Features

   All objects defined in [RFC4008] have been marked with "STATUS
   deprecated" for the following reasons:

   Writability:  Experience with NAT has shown that implementations vary
      tremendously.  The NAT algorithms and data structures have little
      in common across devices, and this results in wildly incompatible
      configuration parameters.  Therefore, few implementations were
      ever able to claim full compliance.

      Lesson learned: the MIB should be read-only as much as possible.

   Exposing configuration parameters:  Even in read-only mode, many
      configuration parameters were exposed by [RFC4008] (e.g.
      timeouts).  Since implementations vary wildly in their sets of
      configuration parameters, few implementations could claim even
      basic compliance.

      Lesson learned: the NAT MIB's purpose is not to expose
      configuration parameters.

   Interfaces:  Objects from [RFC4008] tie NAT state with interfaces
      (e.g. the interface table, the way map entries are grouped by
      interface).  Many NAT implementations either never keep track of
      the interface or associate a mapping to a set of interfaces.
      Since interfaces are at the core of [RFC4008], many NAT devices
      were unable to have a proper implementation.

      Lesson learned: NAT is a logical function that may be independent
      of interfaces.  Do not tie NAT state with interfaces.

   NAT service types:  [RFC4008] used four categories of NAT service:
      basicNat, napt, bidirectionalNat, twiceNat.
      These are ill-defined
      and many implementations either use different categories or do not
      use categories at all.

      Lesson learned: do not try to categorize NAT types.

   Limited transport protocol set:  The set of transport protocols was
      defined as: other, icmp, udp, tcp.  Furthermore, the numeric
      values corresponding to those labels were arbitrary, without
      relation to the actual standard protocol numbers.  This meant that
      NAT implementations were limited to those protocols and were
      unable to expose information about DCCP, SCTP, etc.

      Lesson learned: use standard transport protocol numbers.

3.2.  New Features

   New features in this module are as follows:

   Counters:  Many new counters are introduced.  Most of them are
      available in two variants: global and per-transport protocol.

   Limits:  A few limits on the quantity of state data stored by the NAT
      device.  Some of them can trigger notifications.

   Address+Port Pools:  Pools of external addresses and ports are often
      used in enterprise and ISP settings.  Pools are listed in a table,
      each with its range of addresses and ports.  It is possible to
      inspect each pool's usage, to set limits, and to receive
      notifications when thresholds are crossed.

   Address Mappings:  NATs that have an "IP address pooling" behavior of
      "Paired" [RFC4787] maintain a mapping from internal address to
      external address.  This module allows inspection of this mapping
      table.

   Mapping table indexed by external 3-tuple:  It is often necessary to
      determine the internal address that is mapped to a given external
      address and port.  This MIB provides this table with an index to
      accomplish this efficiently, without having to iterate over all
      mappings.

   Realms:  See Section 3.3.

   RFC 4787 terminology:  Mapping table entries indicate the mapping
      behavior, the filtering behavior, and the address pooling behavior
      that were used to create the mapping.

   Subscriber awareness:  With the advent of CGN deployment, a set of
      subscriber specific counters, limits and parameters are added.

3.3.  Realms

   Current NAT devices commonly allow the internal and external parts of
   a mapping to come from different realms.  The meaning of "realm" is
   implementation-dependent.  On some implementations it can be
   equivalent to the name of a VPN Routing and Forwarding table (VRF).
   On others it is simply the numeric index of a virtual routing table.
   Note that this usage of "realm" is completely different from the one
   in [RFC4008].

   This MIB allows the realm to be indicated where it makes sense.  The
   format is an SnmpAdminString.  On platforms that identify realms with
   integers, the string representation of the integer is used instead.
   The empty string has special meaning: it refers to the default realm.

   Note that many MIBs implicitly support realms in one form or another
   by using SNMPv3 contexts.  See for example the OSPFv2 MIB [RFC4750].
   This method cannot be used for the NAT MIB because mappings can
   belong to two realms simultaneously: the internal part can be in one
   realm while the external part is in another.  In such cases the NAT
   function acts like a "wormhole" between two realms.  Using contexts
   would implicitly impose the restriction that all objects would have
   to belong to the same realm.

4.  Definitions

   This MIB module IMPORTs objects from [RFC2578], [RFC2579], and
   [RFC4001].
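
   The "Limited transport protocol set" item in Section 3.1 can be made
   concrete by decoding the deprecated NatProtocolMap BITS value and
   comparing the deprecated NatProtocolType numbering with IANA protocol
   numbers.  This is an added example, not part of the draft: the
   function names are hypothetical, the labels and values are copied from
   the two textual conventions in the module, and the octet layout (bit 0
   is the high-order bit of the first octet) is the SMIv2 BITS encoding.

```python
"""Added example: reading the deprecated NAT-MIB protocol encodings."""

# Bit positions copied from the NatProtocolMap TEXTUAL-CONVENTION.
NAT_PROTOCOL_MAP_BITS = {0: "other", 1: "icmp", 2: "udp", 3: "tcp"}

# Enumeration copied from the NatProtocolType TEXTUAL-CONVENTION.
NAT_PROTOCOL_TYPE = {1: "none", 2: "other", 3: "icmp", 4: "udp", 5: "tcp"}

# IANA-assigned protocol numbers for the protocols named in Section 3.1.
IANA_PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "dccp": 33, "sctp": 132}


def decode_protocol_map(octets):
    """Return the labels set in a NatProtocolMap BITS value.

    SMIv2 numbers BITS from the high-order bit of the first octet, so
    bit 0 is 0x80, bit 1 is 0x40, and so on.  Bits the textual
    convention does not define are reported rather than dropped, so a
    monitoring tool can notice an agent that sends something unexpected.
    """
    labels = []
    for index, octet in enumerate(octets):
        for offset in range(8):
            if octet & (0x80 >> offset):
                bit = index * 8 + offset
                labels.append(
                    NAT_PROTOCOL_MAP_BITS.get(bit, "undefined-bit-%d" % bit)
                )
    return labels


def encode_protocol_map(labels):
    """Build the single-octet BITS value for a set of defined labels."""
    positions = {name: bit for bit, name in NAT_PROTOCOL_MAP_BITS.items()}
    value = 0
    for label in labels:
        value |= 0x80 >> positions[label]
    return bytes([value])


def legacy_label(iana_number):
    """Label the deprecated encodings can give an IANA protocol number.

    Anything other than ICMP, UDP and TCP collapses into "other", which
    is why DCCP and SCTP cannot be told apart through these objects.
    """
    for name, number in IANA_PROTOCOL_NUMBERS.items():
        if number == iana_number and name in NAT_PROTOCOL_MAP_BITS.values():
            return name
    return "other"


def numbering_mismatches():
    """Map each shared label to (NatProtocolType value, IANA number)."""
    by_label = {name: value for value, name in NAT_PROTOCOL_TYPE.items()}
    return {
        name: (by_label[name], IANA_PROTOCOL_NUMBERS[name])
        for name in ("icmp", "udp", "tcp")
    }


if __name__ == "__main__":
    sample = bytes([0x30])  # constructed sample value: udp and tcp bits set
    print("natAddrMapProtocol 0x30 ->", decode_protocol_map(sample))
    for proto in ("tcp", "dccp", "sctp"):
        number = IANA_PROTOCOL_NUMBERS[proto]
        print("IANA %3d (%s) -> legacy label %r"
              % (number, proto, legacy_label(number)))
    for name, (legacy, iana) in numbering_mismatches().items():
        print("%s: NatProtocolType=%d, IANA=%d" % (name, legacy, iana))
```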

   NAT-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY,
       OBJECT-TYPE,
       Integer32,
       Unsigned32,
       Gauge32,
       Counter64,
       TimeTicks,
       mib-2,
       NOTIFICATION-TYPE
           FROM SNMPv2-SMI
       TEXTUAL-CONVENTION,
       StorageType,
       RowStatus
           FROM SNMPv2-TC
       MODULE-COMPLIANCE,
       NOTIFICATION-GROUP,
       OBJECT-GROUP
           FROM SNMPv2-CONF
       ifIndex,
       ifCounterDiscontinuityGroup
           FROM IF-MIB
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB
       InetAddressType,
       InetAddress,
       InetAddressPrefixLength,
       InetPortNumber
           FROM INET-ADDRESS-MIB;

   natMIB MODULE-IDENTITY
       LAST-UPDATED "201304260000Z"
   -- RFC Ed.: set to publication date
       ORGANIZATION
           "IETF Behavior Engineering for Hindrance Avoidance
            (BEHAVE) Working Group"
       CONTACT-INFO
           "Working Group Email: behave@ietf.org

            Simon Perreault
            Viagenie
            246 Aberdeen
            Quebec, QC  G1R 2E1
            Canada

            Phone: +1 418 656 9254
            Email: simon.perreault@viagenie.ca
            URI:   http://viagenie.ca

            Tina Tsou
            Huawei Technologies (USA)
            2330 Central Expressway
            Santa Clara, CA  95050
            USA

            Phone: +1 408 330 4424
            Email: tina.tsou.zouting@huawei.com

            Senthil Sivakumar
            Cisco Systems
            7100-8 Kit Creek Road
            Research Triangle Park, North Carolina  27709
            USA

            Phone: +1 919 392 5158
            Email: ssenthil@cisco.com"
       DESCRIPTION
           "This MIB module defines the generic managed objects
            for NAT.

            Copyright (C) The Internet Society (2013).  This
            version of this MIB module is part of RFC yyyy; see
            the RFC itself for full legal notices."
   -- RFC Ed.: replace yyyy with actual RFC number & remove this note"
       REVISION "201304260000Z"
   -- RFC Ed.: set to publication date
       DESCRIPTION
           "Complete rewrite, published as RFC yyyy."
   -- RFC Ed.: replace yyyy with actual RFC number & set date"
       REVISION "200503210000Z"  -- 21st March 2005
       DESCRIPTION
           "Initial version, published as RFC 4008."
       ::= { mib-2 123 }

   natMIBObjects OBJECT IDENTIFIER ::= { natMIB 1 }

   NatProtocolType ::= TEXTUAL-CONVENTION
       STATUS       deprecated
       DESCRIPTION
           "A list of protocols that support the network
            address translation.  Inclusion of the values is
            not intended to imply that those protocols
            need to be supported.  Any change in this
            TEXTUAL-CONVENTION should also be reflected in
            the definition of NatProtocolMap, which is a
            BITS representation of this."
       SYNTAX   INTEGER {
                    none (1),  -- not specified
                    other (2), -- none of the following
                    icmp (3),
                    udp (4),
                    tcp (5)
                }

   NatProtocolMap ::= TEXTUAL-CONVENTION
       STATUS       deprecated
       DESCRIPTION
           "A bitmap of protocol identifiers that support
            the network address translation.  Any change
            in this TEXTUAL-CONVENTION should also be
            reflected in the definition of NatProtocolType."
       SYNTAX   BITS {
                    other (0),
                    icmp (1),
                    udp (2),
                    tcp (3)
                }

   NatAddrMapId ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS       deprecated
       DESCRIPTION
           "A unique id that is assigned to each address map
            by a NAT enabled device."
       SYNTAX   Unsigned32 (1..4294967295)

   NatBindIdOrZero ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS       deprecated
       DESCRIPTION
           "A unique id that is assigned to each bind by
            a NAT enabled device.  The bind id will be zero
            in the case of a Symmetric NAT."
       SYNTAX   Unsigned32 (0..4294967295)

   NatBindId ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS       deprecated
       DESCRIPTION
           "A unique id that is assigned to each bind by
            a NAT enabled device."
       SYNTAX   Unsigned32 (1..4294967295)

   NatSessionId ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS       deprecated
       DESCRIPTION
           "A unique id that is assigned to each session by
            a NAT enabled device."
       SYNTAX   Unsigned32 (1..4294967295)

   NatBindMode ::= TEXTUAL-CONVENTION
       STATUS       deprecated
       DESCRIPTION
           "An indication of whether the bind is
            an address bind or an address port bind."
       SYNTAX   INTEGER {
                    addressBind (1),
                    addressPortBind (2)
                }

   NatAssociationType ::= TEXTUAL-CONVENTION
       STATUS       deprecated
       DESCRIPTION
           "An indication of whether the association is
            static or dynamic."
       SYNTAX   INTEGER {
                    static (1),
                    dynamic (2)
                }

   NatTranslationEntity ::= TEXTUAL-CONVENTION
       STATUS       deprecated
       DESCRIPTION
           "An indication of a) the direction of a session for
            which an address map entry, address bind or port
            bind is applicable, and b) the entity (source or
            destination) within the session that is subject to
            translation."
       SYNTAX   BITS {
                    inboundSrcEndPoint (0),
                    outboundDstEndPoint(1),
                    inboundDstEndPoint (2),
                    outboundSrcEndPoint(3)
                }

   --
   -- Default Values for the Bind and NAT Protocol Timers
   --

   natDefTimeouts OBJECT IDENTIFIER ::= { natMIBObjects 1 }

   natNotifCtrl OBJECT IDENTIFIER ::= { natMIBObjects 2 }

   --
   -- Address Bind and Port Bind related NAT configuration
   --

   natBindDefIdleTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (0..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default Bind (Address Bind or Port Bind) idle
            timeout parameter.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL { 0 }
       ::= { natDefTimeouts 1 }

   --
   -- UDP related NAT configuration
   --

   natUdpDefIdleTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default UDP idle timeout parameter.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL { 300 }
       ::= { natDefTimeouts 2 }

   --
   -- ICMP related NAT configuration
   --

   natIcmpDefIdleTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default ICMP idle timeout parameter.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL { 300 }
       ::= { natDefTimeouts 3 }

   --
   -- Other protocol parameters
   --

   natOtherDefIdleTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default idle timeout parameter for protocols
            represented by the value other (2) in
            NatProtocolType.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL { 60 }
       ::= { natDefTimeouts 4 }

   --
   -- TCP related NAT Timers
   --

   natTcpDefIdleTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default time interval that a NAT session for an
            established TCP connection is allowed to remain
            valid without any activity on the TCP connection.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL { 86400 }
       ::= { natDefTimeouts 5 }

   natTcpDefNegTimeout OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "The default time interval that a NAT session for a TCP
            connection that is not in the established state
            is allowed to remain valid without any activity on
            the TCP connection.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system."
       DEFVAL { 60 }
       ::= { natDefTimeouts 6 }

   natNotifThrottlingInterval OBJECT-TYPE
       SYNTAX      Integer32 (0 | 5..3600)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      deprecated
       DESCRIPTION
           "This object controls the generation of the
            natPacketDiscard notification.

            If this object has a value of zero, then no
            natPacketDiscard notifications will be transmitted by
            the agent.

            If this object has a non-zero value, then the agent must
            not generate more than one natPacketDiscard
            'notification-event' in the indicated period, where a
            'notification-event' is the generation of a single
            notification PDU type to a list of notification
            destinations.  If additional NAT packets are discarded
            within the throttling period, then notification-events
            for these changes must be suppressed by the agent until
            the current throttling period expires.

            If natNotifThrottlingInterval notification generation
            is enabled, the suggested default throttling period is
            60 seconds, but generation of the natPacketDiscard
            notification should be disabled by default.

            If the agent is capable of storing non-volatile
            configuration, then the value of this object must be
            restored after a re-initialization of the management
            system.

            The actual transmission of notifications is controlled
            via the MIB modules in RFC 3413."
       DEFVAL { 0 }
       ::= { natNotifCtrl 1 }

   --
   -- The NAT Interface Table
   --

   natInterfaceTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF NatInterfaceEntry
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
           "This table specifies the attributes for interfaces on a
            device supporting NAT function."
       ::= { natMIBObjects 3 }

   natInterfaceEntry OBJECT-TYPE
       SYNTAX      NatInterfaceEntry
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
           "Each entry in the natInterfaceTable holds a set of
            parameters for an interface, instantiated by
            ifIndex.  Therefore, the interface index must have been
            assigned, according to the applicable procedures,
            before it can be meaningfully used.
            Generally, this means that the interface must exist.

            When natStorageType is of type nonVolatile, however,
            this may reflect the configuration for an interface
            whose ifIndex has been assigned but for which the
            supporting implementation is not currently present."
       INDEX   { ifIndex }
       ::= { natInterfaceTable 1 }

   NatInterfaceEntry ::= SEQUENCE {
       natInterfaceRealm            INTEGER,
       natInterfaceServiceType      BITS,
       natInterfaceInTranslates     Counter64,
       natInterfaceOutTranslates    Counter64,
       natInterfaceDiscards         Counter64,
       natInterfaceStorageType      StorageType,
       natInterfaceRowStatus        RowStatus
   }

   natInterfaceRealm OBJECT-TYPE
       SYNTAX      INTEGER {
                       private (1),
                       public (2)
                   }
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object identifies whether this interface is
            connected to the private or the public realm."
       DEFVAL  { public }
       ::= { natInterfaceEntry 1 }

   natInterfaceServiceType OBJECT-TYPE
       SYNTAX  BITS {
                   basicNat (0),
                   napt (1),
                   bidirectionalNat (2),
                   twiceNat (3)
               }
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "An indication of the direction in which new sessions
            are permitted and the extent of translation done within
            the IP and transport headers."
       ::= { natInterfaceEntry 2 }

   natInterfaceInTranslates OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
           "Number of packets received on this interface that
            were translated.
            Discontinuities in the value of this counter can occur
            at reinitialization of the management system and at
            other times as indicated by the value of
            ifCounterDiscontinuityTime on the relevant interface."
       ::= { natInterfaceEntry 3 }

   natInterfaceOutTranslates OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
           "Number of translated packets that were sent out this
            interface.

            Discontinuities in the value of this counter can occur
            at reinitialization of the management system and at
            other times as indicated by the value of
            ifCounterDiscontinuityTime on the relevant interface."
       ::= { natInterfaceEntry 4 }

   natInterfaceDiscards OBJECT-TYPE
       SYNTAX      Counter64
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
           "Number of packets that had to be rejected/dropped due to
            a lack of resources for this interface.

            Discontinuities in the value of this counter can occur
            at reinitialization of the management system and at
            other times as indicated by the value of
            ifCounterDiscontinuityTime on the relevant interface."
       ::= { natInterfaceEntry 5 }

   natInterfaceStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "The storage type for this conceptual row.
            Conceptual rows having the value 'permanent'
            need not allow write-access to any columnar objects
            in the row."
       REFERENCE
           "Textual Conventions for SMIv2, Section 2."
       DEFVAL  { nonVolatile }
       ::= { natInterfaceEntry 6 }

   natInterfaceRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "The status of this conceptual row.

            Until instances of all corresponding columns are
            appropriately configured, the value of the
            corresponding instance of the natInterfaceRowStatus
            column is 'notReady'.

            In particular, a newly created row cannot be made
            active until the corresponding instance of
            natInterfaceServiceType has been set.

            None of the objects in this row may be modified
            while the value of this object is active(1)."
       REFERENCE
           "Textual Conventions for SMIv2, Section 2."
       ::= { natInterfaceEntry 7 }

   --
   -- The Address Map Table
   --
   natAddrMapTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF NatAddrMapEntry
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
           "This table lists address map parameters for NAT."
       ::= { natMIBObjects 4 }

   natAddrMapEntry OBJECT-TYPE
       SYNTAX      NatAddrMapEntry
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
           "This entry represents an address map to be used for
            NAT and contributes to the dynamic and/or static
            address mapping tables of the NAT device."
       INDEX   { ifIndex, natAddrMapIndex }
       ::= { natAddrMapTable 1 }

   NatAddrMapEntry ::= SEQUENCE {
       natAddrMapIndex              NatAddrMapId,
       natAddrMapName               SnmpAdminString,
       natAddrMapEntryType          NatAssociationType,
       natAddrMapTranslationEntity  NatTranslationEntity,
       natAddrMapLocalAddrType      InetAddressType,
       natAddrMapLocalAddrFrom      InetAddress,
       natAddrMapLocalAddrTo        InetAddress,
       natAddrMapLocalPortFrom      InetPortNumber,
       natAddrMapLocalPortTo        InetPortNumber,
       natAddrMapGlobalAddrType     InetAddressType,
       natAddrMapGlobalAddrFrom     InetAddress,
       natAddrMapGlobalAddrTo       InetAddress,
       natAddrMapGlobalPortFrom     InetPortNumber,
       natAddrMapGlobalPortTo       InetPortNumber,
       natAddrMapProtocol           NatProtocolMap,
       natAddrMapInTranslates       Counter64,
       natAddrMapOutTranslates      Counter64,
       natAddrMapDiscards           Counter64,
       natAddrMapAddrUsed           Gauge32,
       natAddrMapStorageType        StorageType,
       natAddrMapRowStatus          RowStatus
   }

   natAddrMapIndex OBJECT-TYPE
       SYNTAX      NatAddrMapId
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
           "Along with ifIndex, this object uniquely
            identifies an entry in the natAddrMapTable.
            Address map entries are applied in the order
            specified by natAddrMapIndex."
       ::= { natAddrMapEntry 1 }

   natAddrMapName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "Name identifying all map entries in the table associated
            with the same interface.  All map entries with the same
            ifIndex MUST have the same map name."
       ::= { natAddrMapEntry 2 }

   natAddrMapEntryType OBJECT-TYPE
       SYNTAX      NatAssociationType
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This parameter can be used to set up static
            or dynamic address maps."
       ::= { natAddrMapEntry 3 }

   natAddrMapTranslationEntity OBJECT-TYPE
       SYNTAX      NatTranslationEntity
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "The end-point entity (source or destination) in
            inbound or outbound sessions (i.e., first packets) that
            may be translated by an address map entry.

            Session direction (inbound or outbound) is
            derived from the direction of the first packet
            of a session traversing a NAT interface.
            NAT address (and Transport-ID) maps may be defined
            to effect inbound or outbound sessions.

            Traditionally, address maps for Basic NAT and NAPT are
            configured on a public interface for outbound sessions,
            effecting translation of source end-point.  The value of
            this object must be set to outboundSrcEndPoint for
            those interfaces.

            Alternately, if address maps for Basic NAT and NAPT were
            to be configured on a private interface, the desired
            value for this object for the map entries
            would be inboundSrcEndPoint (i.e., effecting translation
            of source end-point for inbound sessions).

            If TwiceNAT were to be configured on a private
            interface, the desired value for this object for the map
            entries would be a bitmask of inboundSrcEndPoint and
            inboundDstEndPoint."
       ::= { natAddrMapEntry 4 }

   natAddrMapLocalAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the address type used for
            natAddrMapLocalAddrFrom and natAddrMapLocalAddrTo."
       ::= { natAddrMapEntry 5 }

   natAddrMapLocalAddrFrom OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the first IP address of the range
            of IP addresses mapped by this translation entry.  The
            value of this object must be less than or equal to the
            value of the natAddrMapLocalAddrTo object.

            The type of this address is determined by the value of
            the natAddrMapLocalAddrType object."
       ::= { natAddrMapEntry 6 }

   natAddrMapLocalAddrTo OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the last IP address of the range
            of IP addresses mapped by this translation entry.  If
            only a single address is being mapped, the value of this
            object is equal to the value of natAddrMapLocalAddrFrom.
            For a static NAT, the number of addresses in the range
            defined by natAddrMapLocalAddrFrom and
            natAddrMapLocalAddrTo must be equal to the number of
            addresses in the range defined by
            natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo.
            The value of this object must be greater than or equal
            to the value of the natAddrMapLocalAddrFrom object.

            The type of this address is determined by the value of
            the natAddrMapLocalAddrType object."
       ::= { natAddrMapEntry 7 }

   natAddrMapLocalPortFrom OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "If this conceptual row describes a Basic NAT address
            mapping, then the value of this object must be zero.  If
            this conceptual row describes NAPT, then the value of
            this object specifies the first port number in the range
            of ports being mapped.

            The value of this object must be less than or equal to
            the value of the natAddrMapLocalPortTo object.  If the
            translation specifies a single port, then the value of
            this object is equal to the value of
            natAddrMapLocalPortTo."
       DEFVAL { 0 }
       ::= { natAddrMapEntry 8 }

   natAddrMapLocalPortTo OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "If this conceptual row describes a Basic NAT address
            mapping, then the value of this object must be zero.
            If this conceptual row describes NAPT, then the value of
            this object specifies the last port number in the range
            of ports being mapped.

            The value of this object must be greater than or equal
            to the value of the natAddrMapLocalPortFrom object.  If
            the translation specifies a single port, then the value
            of this object is equal to the value of
            natAddrMapLocalPortFrom."
       DEFVAL { 0 }
       ::= { natAddrMapEntry 9 }

   natAddrMapGlobalAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the address type used for
            natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo."
       ::= { natAddrMapEntry 10 }

   natAddrMapGlobalAddrFrom OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the first IP address of the range
            of IP addresses being mapped to.  The value of this
            object must be less than or equal to the value of the
            natAddrMapGlobalAddrTo object.

            The type of this address is determined by the value of
            the natAddrMapGlobalAddrType object."
       ::= { natAddrMapEntry 11 }

   natAddrMapGlobalAddrTo OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      deprecated
       DESCRIPTION
           "This object specifies the last IP address of the range
            of IP addresses being mapped to.  If only a single
            address is being mapped to, the value of this object is
            equal to the value of natAddrMapGlobalAddrFrom.  For a
            static NAT, the number of addresses in the range defined
            by natAddrMapGlobalAddrFrom and natAddrMapGlobalAddrTo
            must be equal to the number of addresses in the range
            defined by natAddrMapLocalAddrFrom and
            natAddrMapLocalAddrTo.  The value of this object must be
            greater than or equal to the value of the
            natAddrMapGlobalAddrFrom object.

         The type of this address is determined by the value of
         the natAddrMapGlobalAddrType object."
    ::= { natAddrMapEntry 12 }

natAddrMapGlobalPortFrom OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      deprecated
    DESCRIPTION
        "If this conceptual row describes a Basic NAT address
         mapping, then the value of this object must be zero. If
         this conceptual row describes NAPT, then the value of
         this object specifies the first port number in the range
         of ports being mapped to.

         The value of this object must be less than or equal to
         the value of the natAddrMapGlobalPortTo object. If the
         translation specifies a single port, then the value of
         this object is equal to the value of
         natAddrMapGlobalPortTo."
    DEFVAL { 0 }
    ::= { natAddrMapEntry 13 }

natAddrMapGlobalPortTo OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      deprecated
    DESCRIPTION
        "If this conceptual row describes a Basic NAT address
         mapping, then the value of this object must be zero. If
         this conceptual row describes NAPT, then the value of
         this object specifies the last port number in the range
         of ports being mapped to.

         The value of this object must be greater than or equal
         to the value of the natAddrMapGlobalPortFrom object. If
         the translation specifies a single port, then the value
         of this object is equal to the value of
         natAddrMapGlobalPortFrom."
    DEFVAL { 0 }
    ::= { natAddrMapEntry 14 }

natAddrMapProtocol OBJECT-TYPE
    SYNTAX      NatProtocolMap
    MAX-ACCESS  read-create
    STATUS      deprecated
    DESCRIPTION
        "This object specifies a bitmap of protocol identifiers."
    ::= { natAddrMapEntry 15 }

natAddrMapInTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The number of inbound packets pertaining to this address
         map entry that were translated.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrMapEntry 16 }

natAddrMapOutTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The number of outbound packets pertaining to this
         address map entry that were translated.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrMapEntry 17 }

natAddrMapDiscards OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The number of packets pertaining to this address map
         entry that were dropped due to lack of addresses in the
         address pool identified by this address map. The value
         of this object must always be zero in case of static
         address map.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrMapEntry 18 }

natAddrMapAddrUsed OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The number of addresses pertaining to this address map
         that are currently being used from the NAT pool.
         The value of this object must always be zero in the case
         of a static address map."
    ::= { natAddrMapEntry 19 }

natAddrMapStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      deprecated
    DESCRIPTION
        "The storage type for this conceptual row.
         Conceptual rows having the value 'permanent'
         need not allow write-access to any columnar objects
         in the row."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    DEFVAL { nonVolatile }
    ::= { natAddrMapEntry 20 }

natAddrMapRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      deprecated
    DESCRIPTION
        "The status of this conceptual row.

         Until instances of all corresponding columns are
         appropriately configured, the value of the
         corresponding instance of the natAddrMapRowStatus
         column is 'notReady'.

         None of the objects in this row may be modified
         while the value of this object is active(1)."
    REFERENCE
        "Textual Conventions for SMIv2, Section 2."
    ::= { natAddrMapEntry 21 }

--
-- Address Bind section
--

natAddrBindNumberOfEntries OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object maintains a count of the number of entries
         that currently exist in the natAddrBindTable."
    ::= { natMIBObjects 5 }

--
-- The NAT Address BIND Table
--

natAddrBindTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatAddrBindEntry
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "This table holds information about the currently
         active NAT BINDs."
    ::= { natMIBObjects 6 }

natAddrBindEntry OBJECT-TYPE
    SYNTAX      NatAddrBindEntry
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "Each entry in this table holds information about
         an active address BIND. These entries are lost
         upon agent restart.

         This row has indexing which may create variables with
         more than 128 subidentifiers. Implementers of this
         table must be careful not to create entries that would
         result in OIDs which exceed the 128 subidentifier limit.
         Otherwise, the information cannot be accessed using
         SNMPv1, SNMPv2c or SNMPv3."
    INDEX   { ifIndex,
              natAddrBindLocalAddrType,
              natAddrBindLocalAddr }
    ::= { natAddrBindTable 1 }

NatAddrBindEntry ::= SEQUENCE {
    natAddrBindLocalAddrType      InetAddressType,
    natAddrBindLocalAddr          InetAddress,
    natAddrBindGlobalAddrType     InetAddressType,
    natAddrBindGlobalAddr         InetAddress,
    natAddrBindId                 NatBindId,
    natAddrBindTranslationEntity  NatTranslationEntity,
    natAddrBindType               NatAssociationType,
    natAddrBindMapIndex           NatAddrMapId,
    natAddrBindSessions           Gauge32,
    natAddrBindMaxIdleTime        TimeTicks,
    natAddrBindCurrentIdleTime    TimeTicks,
    natAddrBindInTranslates       Counter64,
    natAddrBindOutTranslates      Counter64
}

natAddrBindLocalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natAddrBindLocalAddr."
    ::= { natAddrBindEntry 1 }

natAddrBindLocalAddr OBJECT-TYPE
    SYNTAX      InetAddress (SIZE (4|16))
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "This object represents the private-realm specific
         network layer address, which maps to the public-realm
         address represented by natAddrBindGlobalAddr.

         The type of this address is determined by the value of
         the natAddrBindLocalAddrType object."
    ::= { natAddrBindEntry 2 }

natAddrBindGlobalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natAddrBindGlobalAddr."
    ::= { natAddrBindEntry 3 }

natAddrBindGlobalAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object represents the public-realm network layer
         address that maps to the private-realm network layer
         address represented by natAddrBindLocalAddr.

         The type of this address is determined by the value of
         the natAddrBindGlobalAddrType object."
    ::= { natAddrBindEntry 4 }

natAddrBindId OBJECT-TYPE
    SYNTAX      NatBindId
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object represents a bind id that is dynamically
         assigned to each bind by a NAT enabled device. Each
         bind is represented by a bind id that is
         unique across both the natAddrBindTable and the
         natAddrPortBindTable."
    ::= { natAddrBindEntry 5 }

natAddrBindTranslationEntity OBJECT-TYPE
    SYNTAX      NatTranslationEntity
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object represents the direction of sessions
         for which this bind is applicable and the endpoint
         entity (source or destination) within the sessions that
         is subject to translation using the BIND.

         Orientation of the bind can be a superset of
         translationEntity of the address map entry which
         forms the basis for this bind.

         For example, if the translationEntity of an
         address map entry is outboundSrcEndPoint, the
         translationEntity of a bind derived from this
         map entry may either be outboundSrcEndPoint or
         it may be bidirectional (a bitmask of
         outboundSrcEndPoint and inboundDstEndPoint)."
    ::= { natAddrBindEntry 6 }

natAddrBindType OBJECT-TYPE
    SYNTAX      NatAssociationType
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object indicates whether the bind is static or
         dynamic."
    ::= { natAddrBindEntry 7 }

natAddrBindMapIndex OBJECT-TYPE
    SYNTAX      NatAddrMapId
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object is a pointer to the natAddrMapTable entry
         (and the parameters of that entry) which was used in
         creating this BIND. This object, in conjunction with
         the ifIndex (which identifies a unique addrMapName)
         points to a unique entry in the natAddrMapTable."
    ::= { natAddrBindEntry 8 }

natAddrBindSessions OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "Number of sessions currently using this BIND."
    ::= { natAddrBindEntry 9 }

natAddrBindMaxIdleTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object indicates the maximum time for
         which this bind can be idle with no sessions
         attached to it.

         The value of this object is of relevance only for
         dynamic NAT."
    ::= { natAddrBindEntry 10 }

natAddrBindCurrentIdleTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "At any given instance, this object indicates the
         time that this bind has been idle without any sessions
         attached to it.

         The value of this object is of relevance only for
         dynamic NAT."
    ::= { natAddrBindEntry 11 }

natAddrBindInTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The number of inbound packets that were successfully
         translated by using this bind entry.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrBindEntry 12 }

natAddrBindOutTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The number of outbound packets that were successfully
         translated using this bind entry.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrBindEntry 13 }

--
-- Address Port Bind section
--

natAddrPortBindNumberOfEntries OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object maintains a count of the number of entries
         that currently exist in the natAddrPortBindTable."
    ::= { natMIBObjects 7 }

--
-- The NAT Address Port Bind Table
--

natAddrPortBindTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatAddrPortBindEntry
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "This table holds information about the currently
         active NAPT BINDs."
    ::= { natMIBObjects 8 }

natAddrPortBindEntry OBJECT-TYPE
    SYNTAX      NatAddrPortBindEntry
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "Each entry in this table holds information
         about a NAPT bind that is currently active.
         These entries are lost upon agent restart.

         This row has indexing which may create variables with
         more than 128 subidentifiers. Implementers of this
         table must be careful not to create entries which would
         result in OIDs that exceed the 128 subidentifier limit.
         Otherwise, the information cannot be accessed using
         SNMPv1, SNMPv2c or SNMPv3."
    INDEX   { ifIndex, natAddrPortBindLocalAddrType,
              natAddrPortBindLocalAddr, natAddrPortBindLocalPort,
              natAddrPortBindProtocol }
    ::= { natAddrPortBindTable 1 }

NatAddrPortBindEntry ::= SEQUENCE {
    natAddrPortBindLocalAddrType      InetAddressType,
    natAddrPortBindLocalAddr          InetAddress,
    natAddrPortBindLocalPort          InetPortNumber,
    natAddrPortBindProtocol           NatProtocolType,
    natAddrPortBindGlobalAddrType     InetAddressType,
    natAddrPortBindGlobalAddr         InetAddress,
    natAddrPortBindGlobalPort         InetPortNumber,
    natAddrPortBindId                 NatBindId,
    natAddrPortBindTranslationEntity  NatTranslationEntity,
    natAddrPortBindType               NatAssociationType,
    natAddrPortBindMapIndex           NatAddrMapId,
    natAddrPortBindSessions           Gauge32,
    natAddrPortBindMaxIdleTime        TimeTicks,
    natAddrPortBindCurrentIdleTime    TimeTicks,
    natAddrPortBindInTranslates       Counter64,
    natAddrPortBindOutTranslates      Counter64
}

natAddrPortBindLocalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natAddrPortBindLocalAddr."
    ::= { natAddrPortBindEntry 1 }

natAddrPortBindLocalAddr OBJECT-TYPE
    SYNTAX      InetAddress (SIZE(4|16))
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "This object represents the private-realm specific
         network layer address which, in conjunction with
         natAddrPortBindLocalPort, maps to the public-realm
         network layer address and transport id represented by
         natAddrPortBindGlobalAddr and natAddrPortBindGlobalPort
         respectively.

         The type of this address is determined by the value of
         the natAddrPortBindLocalAddrType object."
    ::= { natAddrPortBindEntry 2 }

natAddrPortBindLocalPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "For a protocol value TCP or UDP, this object represents
         the private-realm specific port number. On the other
         hand, for ICMP a bind is created only for query/response
         type ICMP messages such as ICMP echo, Timestamp, and
         Information request messages, and this object represents
         the private-realm specific identifier in the ICMP
         message, as defined in RFC 792 for ICMPv4 and in RFC
         2463 for ICMPv6.

         This object, together with natAddrPortBindProtocol,
         natAddrPortBindLocalAddrType, and
         natAddrPortBindLocalAddr, constitutes a session endpoint
         in the private realm. A bind entry binds a private
         realm specific endpoint to a public realm specific
         endpoint, as represented by the tuple of
         (natAddrPortBindGlobalPort, natAddrPortBindProtocol,
         natAddrPortBindGlobalAddrType, and
         natAddrPortBindGlobalAddr)."
    ::= { natAddrPortBindEntry 3 }

natAddrPortBindProtocol OBJECT-TYPE
    SYNTAX      NatProtocolType
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "This object specifies a protocol identifier. If the
         value of this object is none(1), then this bind entry
         applies to all IP traffic. Any other value of this
         object specifies the class of IP traffic to which this
         BIND applies."
    ::= { natAddrPortBindEntry 4 }

natAddrPortBindGlobalAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natAddrPortBindGlobalAddr."
    ::= { natAddrPortBindEntry 5 }

natAddrPortBindGlobalAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object represents the public-realm specific network
         layer address that, in conjunction with
         natAddrPortBindGlobalPort, maps to the private-realm
         network layer address and transport id represented by
         natAddrPortBindLocalAddr and natAddrPortBindLocalPort,
         respectively.

         The type of this address is determined by the value of
         the natAddrPortBindGlobalAddrType object."
    ::= { natAddrPortBindEntry 6 }

natAddrPortBindGlobalPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "For a protocol value TCP or UDP, this object represents
         the public-realm specific port number. On the other
         hand, for ICMP a bind is created only for query/response
         type ICMP messages such as ICMP echo, Timestamp, and
         Information request messages, and this object represents
         the public-realm specific identifier in the ICMP
         message, as defined in RFC 792 for ICMPv4 and in RFC
         2463 for ICMPv6.

         This object, together with natAddrPortBindProtocol,
         natAddrPortBindGlobalAddrType, and
         natAddrPortBindGlobalAddr, constitutes a session
         endpoint in the public realm. A bind entry binds a
         public realm specific endpoint to a private realm
         specific endpoint, as represented by the tuple of
         (natAddrPortBindLocalPort, natAddrPortBindProtocol,
         natAddrPortBindLocalAddrType, and
         natAddrPortBindLocalAddr)."
    ::= { natAddrPortBindEntry 7 }

natAddrPortBindId OBJECT-TYPE
    SYNTAX      NatBindId
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object represents a bind id that is dynamically
         assigned to each bind by a NAT enabled device.
         Each bind is represented by a unique bind id across both
         the natAddrBindTable and the natAddrPortBindTable."
    ::= { natAddrPortBindEntry 8 }

natAddrPortBindTranslationEntity OBJECT-TYPE
    SYNTAX      NatTranslationEntity
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object represents the direction of sessions
         for which this bind is applicable and the entity
         (source or destination) within the sessions that is
         subject to translation with the BIND.

         Orientation of the bind can be a superset of the
         translationEntity of the address map entry that
         forms the basis for this bind.

         For example, if the translationEntity of an
         address map entry is outboundSrcEndPoint, the
         translationEntity of a bind derived from this
         map entry may either be outboundSrcEndPoint or
         may be bidirectional (a bitmask of
         outboundSrcEndPoint and inboundDstEndPoint)."
    ::= { natAddrPortBindEntry 9 }

natAddrPortBindType OBJECT-TYPE
    SYNTAX      NatAssociationType
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object indicates whether the bind is static or
         dynamic."
    ::= { natAddrPortBindEntry 10 }

natAddrPortBindMapIndex OBJECT-TYPE
    SYNTAX      NatAddrMapId
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object is a pointer to the natAddrMapTable entry
         (and the parameters of that entry) used in
         creating this BIND. This object, in conjunction with
         the ifIndex (which identifies a unique addrMapName),
         points to a unique entry in the natAddrMapTable."
    ::= { natAddrPortBindEntry 11 }

natAddrPortBindSessions OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "Number of sessions currently using this BIND."
    ::= { natAddrPortBindEntry 12 }

natAddrPortBindMaxIdleTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object indicates the maximum time for
         which this bind can be idle without any sessions
         attached to it.
         The value of this object is of relevance
         only for dynamic NAT."
    ::= { natAddrPortBindEntry 13 }

natAddrPortBindCurrentIdleTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "At any given instance, this object indicates the
         time that this bind has been idle without any sessions
         attached to it.

         The value of this object is of relevance
         only for dynamic NAT."
    ::= { natAddrPortBindEntry 14 }

natAddrPortBindInTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The number of inbound packets that were translated as
         per this bind entry.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrPortBindEntry 15 }

natAddrPortBindOutTranslates OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The number of outbound packets that were translated as
         per this bind entry.

         Discontinuities in the value of this counter can occur
         at reinitialization of the management system and at
         other times, as indicated by the value of
         ifCounterDiscontinuityTime on the relevant interface."
    ::= { natAddrPortBindEntry 16 }

--
-- The Session Table
--

natSessionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF NatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "The (conceptual) table containing one entry for each
         NAT session currently active on this NAT device."
    ::= { natMIBObjects 9 }

natSessionEntry OBJECT-TYPE
    SYNTAX      NatSessionEntry
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "An entry (conceptual row) containing information
         about an active NAT session on this NAT device.
         These entries are lost upon agent restart."
    INDEX   { ifIndex, natSessionIndex }
    ::= { natSessionTable 1 }

NatSessionEntry ::= SEQUENCE {
    natSessionIndex                 NatSessionId,
    natSessionPrivateSrcEPBindId    NatBindIdOrZero,
    natSessionPrivateSrcEPBindMode  NatBindMode,
    natSessionPrivateDstEPBindId    NatBindIdOrZero,
    natSessionPrivateDstEPBindMode  NatBindMode,
    natSessionDirection             INTEGER,
    natSessionUpTime                TimeTicks,
    natSessionAddrMapIndex          NatAddrMapId,
    natSessionProtocolType          NatProtocolType,
    natSessionPrivateAddrType       InetAddressType,
    natSessionPrivateSrcAddr        InetAddress,
    natSessionPrivateSrcPort        InetPortNumber,
    natSessionPrivateDstAddr        InetAddress,
    natSessionPrivateDstPort        InetPortNumber,
    natSessionPublicAddrType        InetAddressType,
    natSessionPublicSrcAddr         InetAddress,
    natSessionPublicSrcPort         InetPortNumber,
    natSessionPublicDstAddr         InetAddress,
    natSessionPublicDstPort         InetPortNumber,
    natSessionMaxIdleTime           TimeTicks,
    natSessionCurrentIdleTime       TimeTicks,
    natSessionInTranslates          Counter64,
    natSessionOutTranslates         Counter64
}

natSessionIndex OBJECT-TYPE
    SYNTAX      NatSessionId
    MAX-ACCESS  not-accessible
    STATUS      deprecated
    DESCRIPTION
        "The session ID for this NAT session."
    ::= { natSessionEntry 1 }

natSessionPrivateSrcEPBindId OBJECT-TYPE
    SYNTAX      NatBindIdOrZero
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The bind id associated between private and public
         source end points. In the case of Symmetric-NAT,
         this should be set to zero."
    ::= { natSessionEntry 2 }

natSessionPrivateSrcEPBindMode OBJECT-TYPE
    SYNTAX      NatBindMode
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object indicates whether the bind indicated
         by the object natSessionPrivateSrcEPBindId
         is an address bind or an address port bind."
    ::= { natSessionEntry 3 }

natSessionPrivateDstEPBindId OBJECT-TYPE
    SYNTAX      NatBindIdOrZero
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The bind id associated between private and public
         destination end points."
    ::= { natSessionEntry 4 }

natSessionPrivateDstEPBindMode OBJECT-TYPE
    SYNTAX      NatBindMode
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object indicates whether the bind indicated
         by the object natSessionPrivateDstEPBindId
         is an address bind or an address port bind."
    ::= { natSessionEntry 5 }

natSessionDirection OBJECT-TYPE
    SYNTAX      INTEGER {
                    inbound (1),
                    outbound (2)
                }
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The direction of this session with respect to the
         local network. 'inbound' indicates that this session
         was initiated from the public network into the private
         network. 'outbound' indicates that this session was
         initiated from the private network into the public
         network."
    ::= { natSessionEntry 6 }

natSessionUpTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The up time of this session in one-hundredths of a
         second."
    ::= { natSessionEntry 7 }

natSessionAddrMapIndex OBJECT-TYPE
    SYNTAX      NatAddrMapId
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object is a pointer to the natAddrMapTable entry
         (and the parameters of that entry) used in
         creating this session. This object, in conjunction with
         the ifIndex (which identifies a unique addrMapName),
         points to a unique entry in the natAddrMapTable."
    ::= { natSessionEntry 8 }

natSessionProtocolType OBJECT-TYPE
    SYNTAX      NatProtocolType
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The protocol type of this session."
    ::= { natSessionEntry 9 }

natSessionPrivateAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natSessionPrivateSrcAddr and natSessionPrivateDstAddr."
    ::= { natSessionEntry 10 }

natSessionPrivateSrcAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The source IP address of the session endpoint that
         lies in the private network.

         The value of this object must be zero only when the
         natSessionPrivateSrcEPBindId object has a zero value.
         When the value of this object is zero, the NAT session
         lookup will match any IP address to this field.

         The type of this address is determined by the value of
         the natSessionPrivateAddrType object."
    ::= { natSessionEntry 11 }

natSessionPrivateSrcPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "When the value of protocol is TCP or UDP, this object
         represents the source port in the first packet of
         session while in private-realm.
         On the other hand, when
         the protocol is ICMP, a NAT session is created only for
         query/response type ICMP messages such as ICMP echo,
         Timestamp, and Information request messages, and this
         object represents the private-realm specific identifier
         in the ICMP message, as defined in RFC 792 for ICMPv4
         and in RFC 2463 for ICMPv6.

         The value of this object must be zero when the
         natSessionPrivateSrcEPBindId object has a zero value
         and the value of natSessionPrivateSrcEPBindMode is
         addressPortBind(2). In such a case, the NAT session
         lookup will match any port number to this field.

         The value of this object must be zero when the object
         is not a representative field (SrcPort, DstPort, or
         ICMP identifier) of the session tuple in either the
         public realm or the private realm."
    ::= { natSessionEntry 12 }

natSessionPrivateDstAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The destination IP address of the session endpoint that
         lies in the private network.

         The value of this object must be zero when the
         natSessionPrivateDstEPBindId object has a zero value.
         In such a scenario, the NAT session lookup will match
         any IP address to this field.

         The type of this address is determined by the value of
         the natSessionPrivateAddrType object."
    ::= { natSessionEntry 13 }

natSessionPrivateDstPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "When the value of protocol is TCP or UDP, this object
         represents the destination port in the first packet
         of session while in private-realm. On the other hand,
         when the protocol is ICMP, this object is not relevant
         and should be set to zero.

         The value of this object must be zero when the
         natSessionPrivateDstEPBindId object has a zero
         value and natSessionPrivateDstEPBindMode is set to
         addressPortBind(2). In such a case, the NAT session
         lookup will match any port number to this field.

         The value of this object must be zero when the object
         is not a representative field (SrcPort, DstPort, or
         ICMP identifier) of the session tuple in either the
         public realm or the private realm."
    ::= { natSessionEntry 14 }

natSessionPublicAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "This object specifies the address type used for
         natSessionPublicSrcAddr and natSessionPublicDstAddr."
    ::= { natSessionEntry 15 }

natSessionPublicSrcAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The source IP address of the session endpoint that
         lies in the public network.

         The value of this object must be zero when the
         natSessionPrivateSrcEPBindId object has a zero value.
         In such a scenario, the NAT session lookup will match
         any IP address to this field.

         The type of this address is determined by the value of
         the natSessionPublicAddrType object."
    ::= { natSessionEntry 16 }

natSessionPublicSrcPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "When the value of protocol is TCP or UDP, this object
         represents the source port in the first packet of
         session while in public-realm. On the other hand, when
         protocol is ICMP, a NAT session is created only for
         query/response type ICMP messages such as ICMP echo,
         Timestamp, and Information request messages, and this
         object represents the public-realm specific identifier
         in the ICMP message, as defined in RFC 792 for ICMPv4
         and in RFC 2463 for ICMPv6.

         The value of this object must be zero when the
         natSessionPrivateSrcEPBindId object has a zero value
         and natSessionPrivateSrcEPBindMode is set to
         addressPortBind(2). In such a scenario, the NAT
         session lookup will match any port number to this
         field.

         The value of this object must be zero when the object
         is not a representative field (SrcPort, DstPort or
         ICMP identifier) of the session tuple in either the
         public realm or the private realm."
    ::= { natSessionEntry 17 }

natSessionPublicDstAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "The destination IP address of the session endpoint that
         lies in the public network.

         The value of this object must be non-zero when the
         natSessionPrivateDstEPBindId object has a non-zero
         value. If the value of this object and the
         corresponding natSessionPrivateDstEPBindId object value
         is zero, then the NAT session lookup will match any IP
         address to this field.

         The type of this address is determined by the value of
         the natSessionPublicAddrType object."
    ::= { natSessionEntry 18 }

natSessionPublicDstPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
        "When the value of protocol is TCP or UDP, this object
         represents the destination port in the first packet of
         session while in public-realm. On the other hand, when
         the protocol is ICMP, this object is not relevant for
         translation and should be zero.

         The value of this object must be zero when the
         natSessionPrivateDstEPBindId object has a zero value
         and natSessionPrivateDstEPBindMode is
         addressPortBind(2). In such a scenario, the NAT
         session lookup will match any port number to this
         field.
1931 The value of this object must be zero when the object 1932 is not a representative field (SrcPort, DstPort, or 1933 ICMP identifier) of the session tuple in either the 1934 public realm or the private realm." 1935 ::= { natSessionEntry 19 } 1937 natSessionMaxIdleTime OBJECT-TYPE 1938 SYNTAX TimeTicks 1939 MAX-ACCESS read-only 1940 STATUS deprecated 1941 DESCRIPTION 1942 "The max time for which this session can be idle 1943 without detecting a packet." 1944 ::= { natSessionEntry 20 } 1946 natSessionCurrentIdleTime OBJECT-TYPE 1947 SYNTAX TimeTicks 1948 MAX-ACCESS read-only 1949 STATUS deprecated 1950 DESCRIPTION 1951 "The time since a packet belonging to this session was 1952 last detected." 1953 ::= { natSessionEntry 21 } 1955 natSessionInTranslates OBJECT-TYPE 1956 SYNTAX Counter64 1957 MAX-ACCESS read-only 1958 STATUS deprecated 1959 DESCRIPTION 1960 "The number of inbound packets that were translated for 1961 this session. 1963 Discontinuities in the value of this counter can occur 1964 at reinitialization of the management system and at 1965 other times, as indicated by the value of 1966 ifCounterDiscontinuityTime on the relevant interface." 1967 ::= { natSessionEntry 22 } 1969 natSessionOutTranslates OBJECT-TYPE 1970 SYNTAX Counter64 1971 MAX-ACCESS read-only 1972 STATUS deprecated 1973 DESCRIPTION 1974 "The number of outbound packets that were translated for 1975 this session. 1977 Discontinuities in the value of this counter can occur 1978 at reinitialization of the management system and at 1979 other times, as indicated by the value of 1980 ifCounterDiscontinuityTime on the relevant interface." 1981 ::= { natSessionEntry 23 } 1983 -- 1984 -- The Protocol table 1985 -- 1987 natProtocolTable OBJECT-TYPE 1988 SYNTAX SEQUENCE OF NatProtocolEntry 1989 MAX-ACCESS not-accessible 1990 STATUS deprecated 1991 DESCRIPTION 1992 "The (conceptual) table containing per protocol NAT 1993 statistics." 
1994 ::= { natMIBObjects 10 } 1996 natProtocolEntry OBJECT-TYPE 1997 SYNTAX NatProtocolEntry 1998 MAX-ACCESS not-accessible 1999 STATUS deprecated 2000 DESCRIPTION 2001 "An entry (conceptual row) containing NAT statistics 2002 pertaining to a particular protocol." 2003 INDEX { natProtocol } 2004 ::= { natProtocolTable 1 } 2006 NatProtocolEntry ::= SEQUENCE { 2007 natProtocol NatProtocolType, 2008 natProtocolInTranslates Counter64, 2009 natProtocolOutTranslates Counter64, 2010 natProtocolDiscards Counter64 2011 } 2013 natProtocol OBJECT-TYPE 2014 SYNTAX NatProtocolType 2015 MAX-ACCESS not-accessible 2016 STATUS deprecated 2017 DESCRIPTION 2018 "This object represents the protocol pertaining to which 2019 parameters are reported." 2020 ::= { natProtocolEntry 1 } 2022 natProtocolInTranslates OBJECT-TYPE 2023 SYNTAX Counter64 2024 MAX-ACCESS read-only 2025 STATUS deprecated 2026 DESCRIPTION 2027 "The number of inbound packets pertaining to the protocol 2028 identified by natProtocol that underwent NAT. 2030 Discontinuities in the value of this counter can occur 2031 at reinitialization of the management system and at 2032 other times, as indicated by the value of 2033 ifCounterDiscontinuityTime on the relevant interface." 2034 ::= { natProtocolEntry 2 } 2036 natProtocolOutTranslates OBJECT-TYPE 2037 SYNTAX Counter64 2038 MAX-ACCESS read-only 2039 STATUS deprecated 2040 DESCRIPTION 2041 "The number of outbound packets pertaining to the 2042 protocol identified by natProtocol that underwent NAT. 2044 Discontinuities in the value of this counter can occur 2045 at reinitialization of the management system and at 2046 other times, as indicated by the value of 2047 ifCounterDiscontinuityTime on the relevant interface." 
2048 ::= { natProtocolEntry 3 } 2050 natProtocolDiscards OBJECT-TYPE 2051 SYNTAX Counter64 2052 MAX-ACCESS read-only 2053 STATUS deprecated 2054 DESCRIPTION 2055 "The number of packets pertaining to the protocol 2056 identified by natProtocol that had to be 2057 rejected/dropped due to lack of resources. These 2058 rejections could be due to session timeout, resource 2059 unavailability, lack of address space, etc. 2061 Discontinuities in the value of this counter can occur 2062 at reinitialization of the management system and at 2063 other times, as indicated by the value of 2064 ifCounterDiscontinuityTime on the relevant interface." 2066 ::= { natProtocolEntry 4 } 2068 -- 2069 -- Notifications section 2070 -- 2072 natMIBNotifications OBJECT IDENTIFIER ::= { natMIB 0 } 2074 -- 2075 -- Notifications 2076 -- 2078 natPacketDiscard NOTIFICATION-TYPE 2079 OBJECTS { ifIndex } 2080 STATUS deprecated 2081 DESCRIPTION 2082 "This notification is generated when IP packets are 2083 discarded by the NAT function; e.g., due to lack of 2084 mapping space when NAT is out of addresses or ports. 2086 Note that the generation of natPacketDiscard 2087 notifications is throttled by the agent, as specified 2088 by the 'natNotifThrottlingInterval' object." 2089 ::= { natMIBNotifications 1 } 2091 -- 2092 -- Conformance information. 
2093 -- 2095 natMIBConformance OBJECT IDENTIFIER ::= { natMIB 2 } 2097 natMIBGroups OBJECT IDENTIFIER ::= { natMIBConformance 1 } 2098 natMIBCompliances OBJECT IDENTIFIER ::= { natMIBConformance 2 } 2100 -- 2101 -- Units of conformance 2102 -- 2104 natConfigGroup OBJECT-GROUP 2105 OBJECTS { natInterfaceRealm, 2106 natInterfaceServiceType, 2107 natInterfaceStorageType, 2108 natInterfaceRowStatus, 2109 natAddrMapName, 2110 natAddrMapEntryType, 2111 natAddrMapTranslationEntity, 2112 natAddrMapLocalAddrType, 2113 natAddrMapLocalAddrFrom, 2114 natAddrMapLocalAddrTo, 2115 natAddrMapLocalPortFrom, 2116 natAddrMapLocalPortTo, 2117 natAddrMapGlobalAddrType, 2118 natAddrMapGlobalAddrFrom, 2119 natAddrMapGlobalAddrTo, 2120 natAddrMapGlobalPortFrom, 2121 natAddrMapGlobalPortTo, 2122 natAddrMapProtocol, 2123 natAddrMapStorageType, 2124 natAddrMapRowStatus, 2125 natBindDefIdleTimeout, 2126 natUdpDefIdleTimeout, 2127 natIcmpDefIdleTimeout, 2128 natOtherDefIdleTimeout, 2129 natTcpDefIdleTimeout, 2130 natTcpDefNegTimeout, 2131 natNotifThrottlingInterval } 2132 STATUS deprecated 2133 DESCRIPTION 2134 "A collection of configuration-related information 2135 required to support management of devices supporting 2136 NAT." 
2137 ::= { natMIBGroups 1 } 2139 natTranslationGroup OBJECT-GROUP 2140 OBJECTS { natAddrBindNumberOfEntries, 2141 natAddrBindGlobalAddrType, 2142 natAddrBindGlobalAddr, 2143 natAddrBindId, 2144 natAddrBindTranslationEntity, 2145 natAddrBindType, 2146 natAddrBindMapIndex, 2147 natAddrBindSessions, 2148 natAddrBindMaxIdleTime, 2149 natAddrBindCurrentIdleTime, 2150 natAddrBindInTranslates, 2151 natAddrBindOutTranslates, 2152 natAddrPortBindNumberOfEntries, 2153 natAddrPortBindGlobalAddrType, 2154 natAddrPortBindGlobalAddr, 2155 natAddrPortBindGlobalPort, 2156 natAddrPortBindId, 2157 natAddrPortBindTranslationEntity, 2158 natAddrPortBindType, 2159 natAddrPortBindMapIndex, 2160 natAddrPortBindSessions, 2161 natAddrPortBindMaxIdleTime, 2162 natAddrPortBindCurrentIdleTime, 2163 natAddrPortBindInTranslates, 2164 natAddrPortBindOutTranslates, 2165 natSessionPrivateSrcEPBindId, 2166 natSessionPrivateSrcEPBindMode, 2167 natSessionPrivateDstEPBindId, 2168 natSessionPrivateDstEPBindMode, 2169 natSessionDirection, 2170 natSessionUpTime, 2171 natSessionAddrMapIndex, 2172 natSessionProtocolType, 2173 natSessionPrivateAddrType, 2174 natSessionPrivateSrcAddr, 2175 natSessionPrivateSrcPort, 2176 natSessionPrivateDstAddr, 2177 natSessionPrivateDstPort, 2178 natSessionPublicAddrType, 2179 natSessionPublicSrcAddr, 2180 natSessionPublicSrcPort, 2181 natSessionPublicDstAddr, 2182 natSessionPublicDstPort, 2183 natSessionMaxIdleTime, 2184 natSessionCurrentIdleTime, 2185 natSessionInTranslates, 2186 natSessionOutTranslates } 2187 STATUS deprecated 2189 DESCRIPTION 2190 "A collection of BIND-related objects required to support 2191 management of devices supporting NAT." 
2192 ::= { natMIBGroups 2 } 2194 natStatsInterfaceGroup OBJECT-GROUP 2195 OBJECTS { natInterfaceInTranslates, 2196 natInterfaceOutTranslates, 2197 natInterfaceDiscards } 2198 STATUS deprecated 2199 DESCRIPTION 2200 "A collection of NAT statistics associated with the 2201 interface on which NAT is configured, to aid 2202 troubleshooting/monitoring of the NAT operation." 2203 ::= { natMIBGroups 3 } 2205 natStatsProtocolGroup OBJECT-GROUP 2206 OBJECTS { natProtocolInTranslates, 2207 natProtocolOutTranslates, 2208 natProtocolDiscards } 2209 STATUS deprecated 2210 DESCRIPTION 2211 "A collection of protocol specific NAT statistics, 2212 to aid troubleshooting/monitoring of NAT operation." 2213 ::= { natMIBGroups 4 } 2215 natStatsAddrMapGroup OBJECT-GROUP 2216 OBJECTS { natAddrMapInTranslates, 2217 natAddrMapOutTranslates, 2218 natAddrMapDiscards, 2219 natAddrMapAddrUsed } 2220 STATUS deprecated 2221 DESCRIPTION 2222 "A collection of address map specific NAT statistics, 2223 to aid troubleshooting/monitoring of NAT operation." 2224 ::= { natMIBGroups 5 } 2226 natMIBNotificationGroup NOTIFICATION-GROUP 2227 NOTIFICATIONS { natPacketDiscard } 2228 STATUS deprecated 2229 DESCRIPTION 2230 "A collection of notifications generated by 2231 devices supporting this MIB." 2232 ::= { natMIBGroups 6 } 2234 -- 2235 -- Compliance statements 2236 -- 2238 natMIBFullCompliance MODULE-COMPLIANCE 2239 STATUS deprecated 2240 DESCRIPTION 2241 "When this MIB is implemented with support for 2242 read-create, then such an implementation can claim 2243 full compliance. Such devices can then be both 2244 monitored and configured with this MIB. 
2246 The following index objects cannot be added as OBJECT 2247 clauses but nevertheless have the compliance 2248 requirements: 2249 " 2250 -- OBJECT natAddrBindLocalAddrType 2251 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2252 -- DESCRIPTION 2253 -- "An implementation is required to support 2254 -- global IPv4 and/or IPv6 addresses, depending 2255 -- on its support for IPv4 and IPv6." 2257 -- OBJECT natAddrBindLocalAddr 2258 -- SYNTAX InetAddress (SIZE(4|16)) 2259 -- DESCRIPTION 2260 -- "An implementation is required to support 2261 -- global IPv4 and/or IPv6 addresses, depending 2262 -- on its support for IPv4 and IPv6." 2264 -- OBJECT natAddrPortBindLocalAddrType 2265 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2266 -- DESCRIPTION 2267 -- "An implementation is required to support 2268 -- global IPv4 and/or IPv6 addresses, depending 2269 -- on its support for IPv4 and IPv6." 2271 -- OBJECT natAddrPortBindLocalAddr 2272 -- SYNTAX InetAddress (SIZE(4|16)) 2273 -- DESCRIPTION 2274 -- "An implementation is required to support 2275 -- global IPv4 and/or IPv6 addresses, depending 2276 -- on its support for IPv4 and IPv6." 2278 MODULE IF-MIB -- The interfaces MIB, RFC2863 2279 MANDATORY-GROUPS { 2280 ifCounterDiscontinuityGroup 2281 } 2283 MODULE -- this module 2284 MANDATORY-GROUPS { natConfigGroup, natTranslationGroup, 2285 natStatsInterfaceGroup } 2287 GROUP natStatsProtocolGroup 2288 DESCRIPTION 2289 "This group is optional." 2290 GROUP natStatsAddrMapGroup 2291 DESCRIPTION 2292 "This group is optional." 2293 GROUP natMIBNotificationGroup 2294 DESCRIPTION 2295 "This group is optional." 2297 OBJECT natAddrMapLocalAddrType 2298 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2299 DESCRIPTION 2300 "An implementation is required to support global IPv4 2301 and/or IPv6 addresses, depending on its support 2302 for IPv4 and IPv6." 
2304 OBJECT natAddrMapLocalAddrFrom 2305 SYNTAX InetAddress (SIZE(4|16)) 2306 DESCRIPTION 2307 "An implementation is required to support global IPv4 2308 and/or IPv6 addresses, depending on its support 2309 for IPv4 and IPv6." 2311 OBJECT natAddrMapLocalAddrTo 2312 SYNTAX InetAddress (SIZE(4|16)) 2313 DESCRIPTION 2314 "An implementation is required to support global IPv4 2315 and/or IPv6 addresses, depending on its support 2316 for IPv4 and IPv6." 2318 OBJECT natAddrMapGlobalAddrType 2319 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2320 DESCRIPTION 2321 "An implementation is required to support global IPv4 2322 and/or IPv6 addresses, depending on its support 2323 for IPv4 and IPv6." 2325 OBJECT natAddrMapGlobalAddrFrom 2326 SYNTAX InetAddress (SIZE(4|16)) 2327 DESCRIPTION 2328 "An implementation is required to support global IPv4 2329 and/or IPv6 addresses, depending on its support 2330 for IPv4 and IPv6." 2332 OBJECT natAddrMapGlobalAddrTo 2333 SYNTAX InetAddress (SIZE(4|16)) 2334 DESCRIPTION 2335 "An implementation is required to support global IPv4 2336 and/or IPv6 addresses, depending on its support 2337 for IPv4 and IPv6." 2339 OBJECT natAddrBindGlobalAddrType 2340 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2341 DESCRIPTION 2342 "An implementation is required to support global IPv4 2343 and/or IPv6 addresses, depending on its support 2344 for IPv4 and IPv6." 2346 OBJECT natAddrBindGlobalAddr 2347 SYNTAX InetAddress (SIZE(4|16)) 2348 DESCRIPTION 2349 "An implementation is required to support global IPv4 2350 and/or IPv6 addresses, depending on its support 2351 for IPv4 and IPv6." 2353 OBJECT natAddrPortBindGlobalAddrType 2354 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2355 DESCRIPTION 2356 "An implementation is required to support global IPv4 2357 and/or IPv6 addresses, depending on its support 2358 for IPv4 and IPv6." 
2360 OBJECT natAddrPortBindGlobalAddr 2361 SYNTAX InetAddress (SIZE(4|16)) 2362 DESCRIPTION 2363 "An implementation is required to support global IPv4 2364 and/or IPv6 addresses, depending on its support 2365 for IPv4 and IPv6." 2367 OBJECT natSessionPrivateAddrType 2368 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2369 DESCRIPTION 2370 "An implementation is required to support global IPv4 2371 and/or IPv6 addresses, depending on its support 2372 for IPv4 and IPv6." 2374 OBJECT natSessionPrivateSrcAddr 2375 SYNTAX InetAddress (SIZE(4|16)) 2376 DESCRIPTION 2377 "An implementation is required to support global IPv4 2378 and/or IPv6 addresses, depending on its support 2379 for IPv4 and IPv6." 2381 OBJECT natSessionPrivateDstAddr 2382 SYNTAX InetAddress (SIZE(4|16)) 2383 DESCRIPTION 2384 "An implementation is required to support global IPv4 2385 and/or IPv6 addresses, depending on its support 2386 for IPv4 and IPv6." 2388 OBJECT natSessionPublicAddrType 2389 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2390 DESCRIPTION 2391 "An implementation is required to support global IPv4 2392 and/or IPv6 addresses, depending on its support 2393 for IPv4 and IPv6." 2395 OBJECT natSessionPublicSrcAddr 2396 SYNTAX InetAddress (SIZE(4|16)) 2397 DESCRIPTION 2398 "An implementation is required to support global IPv4 2399 and/or IPv6 addresses, depending on its support 2400 for IPv4 and IPv6." 2402 OBJECT natSessionPublicDstAddr 2403 SYNTAX InetAddress (SIZE(4|16)) 2404 DESCRIPTION 2405 "An implementation is required to support global IPv4 2406 and/or IPv6 addresses, depending on its support 2407 for IPv4 and IPv6." 2409 ::= { natMIBCompliances 1 } 2411 natMIBReadOnlyCompliance MODULE-COMPLIANCE 2412 STATUS deprecated 2413 DESCRIPTION 2414 "When this MIB is implemented without support for 2415 read-create (i.e., in read-only mode), then such an 2416 implementation can claim read-only compliance. 2417 Such a device can then be monitored but cannot be 2418 configured with this MIB. 
2420 The following index objects cannot be added as OBJECT 2421 clauses but nevertheless have the compliance 2422 requirements: 2423 " 2424 -- OBJECT natAddrBindLocalAddrType 2425 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2426 -- DESCRIPTION 2427 -- "An implementation is required to support 2428 -- global IPv4 and/or IPv6 addresses, depending 2429 -- on its support for IPv4 and IPv6." 2431 -- OBJECT natAddrBindLocalAddr 2432 -- SYNTAX InetAddress (SIZE(4|16)) 2434 -- DESCRIPTION 2435 -- "An implementation is required to support 2436 -- global IPv4 and/or IPv6 addresses, depending 2437 -- on its support for IPv4 and IPv6." 2439 -- OBJECT natAddrPortBindLocalAddrType 2440 -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2441 -- DESCRIPTION 2442 -- "An implementation is required to support 2443 -- global IPv4 and/or IPv6 addresses, depending 2444 -- on its support for IPv4 and IPv6." 2445 -- OBJECT natAddrPortBindLocalAddr 2446 -- SYNTAX InetAddress (SIZE(4|16)) 2447 -- DESCRIPTION 2448 -- "An implementation is required to support 2449 -- global IPv4 and/or IPv6 addresses, depending 2450 -- on its support for IPv4 and IPv6." 2452 MODULE IF-MIB -- The interfaces MIB, RFC2863 2453 MANDATORY-GROUPS { 2454 ifCounterDiscontinuityGroup 2455 } 2457 MODULE -- this module 2458 MANDATORY-GROUPS { natConfigGroup, natTranslationGroup, 2459 natStatsInterfaceGroup } 2461 GROUP natStatsProtocolGroup 2462 DESCRIPTION 2463 "This group is optional." 2464 GROUP natStatsAddrMapGroup 2465 DESCRIPTION 2466 "This group is optional." 2467 GROUP natMIBNotificationGroup 2468 DESCRIPTION 2469 "This group is optional." 2470 OBJECT natInterfaceRowStatus 2471 SYNTAX RowStatus { active(1) } 2472 MIN-ACCESS read-only 2473 DESCRIPTION 2474 "Write access is not required, and active is the only 2475 status that needs to be supported." 2477 OBJECT natAddrMapLocalAddrType 2478 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2479 MIN-ACCESS read-only 2480 DESCRIPTION 2481 "Write access is not required. 
An implementation is 2482 required to support global IPv4 and/or IPv6 addresses, 2483 depending on its support for IPv4 and IPv6." 2485 OBJECT natAddrMapLocalAddrFrom 2486 SYNTAX InetAddress (SIZE(4|16)) 2487 MIN-ACCESS read-only 2488 DESCRIPTION 2489 "Write access is not required. An implementation is 2490 required to support global IPv4 and/or IPv6 addresses, 2491 depending on its support for IPv4 and IPv6." 2493 OBJECT natAddrMapLocalAddrTo 2494 SYNTAX InetAddress (SIZE(4|16)) 2495 MIN-ACCESS read-only 2496 DESCRIPTION 2497 "Write access is not required. An implementation is 2498 required to support global IPv4 and/or IPv6 addresses, 2499 depending on its support for IPv4 and IPv6." 2501 OBJECT natAddrMapGlobalAddrType 2502 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2503 MIN-ACCESS read-only 2504 DESCRIPTION 2505 "Write access is not required. An implementation is 2506 required to support global IPv4 and/or IPv6 addresses, 2507 depending on its support for IPv4 and IPv6." 2509 OBJECT natAddrMapGlobalAddrFrom 2510 SYNTAX InetAddress (SIZE(4|16)) 2511 MIN-ACCESS read-only 2512 DESCRIPTION 2513 "Write access is not required. An implementation is 2514 required to support global IPv4 and/or IPv6 addresses, 2515 depending on its support for IPv4 and IPv6." 2517 OBJECT natAddrMapGlobalAddrTo 2518 SYNTAX InetAddress (SIZE(4|16)) 2519 MIN-ACCESS read-only 2520 DESCRIPTION 2521 "Write access is not required. An implementation is 2522 required to support global IPv4 and/or IPv6 addresses, 2523 depending on its support for IPv4 and IPv6." 2525 OBJECT natAddrMapRowStatus 2526 SYNTAX RowStatus { active(1) } 2527 MIN-ACCESS read-only 2528 DESCRIPTION 2529 "Write access is not required, and active is the only 2530 status that needs to be supported." 
2532 OBJECT natAddrBindGlobalAddrType 2533 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2534 DESCRIPTION 2535 "An implementation is required to support global IPv4 2536 and/or IPv6 addresses, depending on its support for 2537 IPv4 and IPv6." 2539 OBJECT natAddrBindGlobalAddr 2540 SYNTAX InetAddress (SIZE(4|16)) 2541 DESCRIPTION 2542 "An implementation is required to support global IPv4 2543 and/or IPv6 addresses, depending on its support for 2544 IPv4 and IPv6." 2546 OBJECT natAddrPortBindGlobalAddrType 2547 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2548 DESCRIPTION 2549 "An implementation is required to support global IPv4 2550 and/or IPv6 addresses, depending on its support for 2551 IPv4 and IPv6." 2553 OBJECT natAddrPortBindGlobalAddr 2554 SYNTAX InetAddress (SIZE(4|16)) 2555 DESCRIPTION 2556 "An implementation is required to support global IPv4 2557 and/or IPv6 addresses, depending on its support for 2558 IPv4 and IPv6." 2560 OBJECT natSessionPrivateAddrType 2561 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2562 DESCRIPTION 2563 "An implementation is required to support global IPv4 2564 and/or IPv6 addresses, depending on its support for 2565 IPv4 and IPv6." 2567 OBJECT natSessionPrivateSrcAddr 2568 SYNTAX InetAddress (SIZE(4|16)) 2569 DESCRIPTION 2570 "An implementation is required to support global IPv4 2571 and/or IPv6 addresses, depending on its support for 2572 IPv4 and IPv6." 2574 OBJECT natSessionPrivateDstAddr 2575 SYNTAX InetAddress (SIZE(4|16)) 2576 DESCRIPTION 2577 "An implementation is required to support global IPv4 2578 and/or IPv6 addresses, depending on its support for 2579 IPv4 and IPv6." 2581 OBJECT natSessionPublicAddrType 2582 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 2583 DESCRIPTION 2584 "An implementation is required to support global IPv4 2585 and/or IPv6 addresses, depending on its support for 2586 IPv4 and IPv6." 
2588 OBJECT natSessionPublicSrcAddr 2589 SYNTAX InetAddress (SIZE(4|16)) 2590 DESCRIPTION 2591 "An implementation is required to support global IPv4 2592 and/or IPv6 addresses, depending on its support for 2593 IPv4 and IPv6." 2595 OBJECT natSessionPublicDstAddr 2596 SYNTAX InetAddress (SIZE(4|16)) 2597 DESCRIPTION 2598 "An implementation is required to support global IPv4 2599 and/or IPv6 addresses, depending on its support for 2600 IPv4 and IPv6." 2602 ::= { natMIBCompliances 2 } 2604 --=================================================================== 2605 -- END OF DEPRECATED OBJECTS. CURRENT OBJECTS FOLLOW. 2607 -- textual conventions 2609 ProtocolNumber ::= TEXTUAL-CONVENTION 2610 DISPLAY-HINT "d" 2611 STATUS current 2612 DESCRIPTION 2613 "A transport protocol number, from the 'protocol-numbers' 2614 IANA registry." 2615 SYNTAX Unsigned32 (0..255) 2617 NatPoolId ::= TEXTUAL-CONVENTION 2618 DISPLAY-HINT "d" 2619 STATUS current 2620 DESCRIPTION 2621 "A unique ID that is assigned to each pool." 2622 SYNTAX Unsigned32 (1..4294967295) 2624 NatBehaviorType ::= TEXTUAL-CONVENTION 2625 STATUS current 2626 DESCRIPTION 2627 "Behavior type as described in [RFC4787] sections 4.1 and 5." 2628 SYNTAX INTEGER { 2629 endpointIndependent (0), 2630 addressDependent (1), 2631 addressAndPortDependent (2) 2632 } 2634 NatPoolingType ::= TEXTUAL-CONVENTION 2635 STATUS current 2636 DESCRIPTION 2637 "Pooling type as described in [RFC4787] section 4.1." 2639 SYNTAX INTEGER { 2640 arbitrary (0), 2641 paired (1) 2642 } 2644 -- notifications 2646 natNotifPoolWatermarkLow NOTIFICATION-TYPE 2647 OBJECTS { natPoolIndex } 2648 STATUS current 2649 DESCRIPTION 2650 "This notification is generated when the specified pool's 2651 usage percentage becomes lower than or equal to the 2652 specified threshold.
The threshold is specified by the 2653 natPoolWatermarkLow object." 2654 ::= { natMIBNotifications 2 } 2656 natNotifPoolWatermarkHigh NOTIFICATION-TYPE 2657 OBJECTS { natPoolIndex } 2658 STATUS current 2659 DESCRIPTION 2660 "This notification is generated when the specified pool's 2661 usage percentage becomes greater than or equal to the 2662 specified threshold. The threshold is specified by the 2663 natPoolWatermarkHigh object." 2664 ::= { natMIBNotifications 3 } 2666 natNotifMappings NOTIFICATION-TYPE 2667 OBJECTS { natMappingCreations, natMappingRemovals } 2668 STATUS current 2669 DESCRIPTION 2670 "This notification is generated when the number of active 2671 mappings exceeds the value of natMappingsNotifyThreshold." 2672 ::= { natMIBNotifications 4 } 2674 natNotifAddrMappings NOTIFICATION-TYPE 2675 OBJECTS { natAddressMappingCreations, natAddressMappingRemovals } 2676 STATUS current 2677 DESCRIPTION 2678 "This notification is generated when the number of active 2679 address mappings exceeds the value of 2680 natAddrMapNotifyThreshold." 2681 ::= { natMIBNotifications 5 } 2683 natNotifSubscriberMappings NOTIFICATION-TYPE 2684 OBJECTS { natSubscriberMappingCreations, 2685 natSubscriberMappingRemovals } 2687 STATUS current 2688 DESCRIPTION 2689 "This notification is generated when the number of active 2690 mappings exceeds the value of natSubscriberMapNotifyThresh, 2691 unless natSubscriberMapNotifyThresh is zero." 2692 ::= { natMIBNotifications 6 } 2694 -- counters 2696 natCounters OBJECT IDENTIFIER ::= { natMIBObjects 11 } 2698 natTranslations OBJECT-TYPE 2699 SYNTAX Counter64 2700 MAX-ACCESS read-only 2701 STATUS current 2702 DESCRIPTION 2703 "The number of packets translated." 2704 ::= { natCounters 1 } 2706 natOutOfPortErrors OBJECT-TYPE 2707 SYNTAX Counter64 2708 MAX-ACCESS read-only 2709 STATUS current 2710 DESCRIPTION 2711 "The number of packets not translated because no external 2712 port was available, excluding quota limitations."
2713 ::= { natCounters 2 } 2715 natResourceErrors OBJECT-TYPE 2716 SYNTAX Counter64 2717 MAX-ACCESS read-only 2718 STATUS current 2719 DESCRIPTION 2720 "The number of packets not translated because of resource 2721 constraints (excluding out-of-ports error and quota drops)." 2722 ::= { natCounters 3 } 2724 natQuotaDrops OBJECT-TYPE 2725 SYNTAX Counter64 2726 MAX-ACCESS read-only 2727 STATUS current 2728 DESCRIPTION 2729 "The number of incoming packets not translated because of 2730 quota limitations. Quotas include absolute limits as well 2731 as limits on rate of allocation." 2732 ::= { natCounters 4 } 2734 natMappingCreations OBJECT-TYPE 2735 SYNTAX Counter64 2736 MAX-ACCESS read-only 2737 STATUS current 2738 DESCRIPTION 2739 "Number of mapping creations. This includes static mappings." 2740 ::= { natCounters 5 } 2742 natMappingRemovals OBJECT-TYPE 2743 SYNTAX Counter64 2744 MAX-ACCESS read-only 2745 STATUS current 2746 DESCRIPTION 2747 "Number of mapping removals. This includes static mappings." 2748 ::= { natCounters 6 } 2750 natAddressMappingCreations OBJECT-TYPE 2751 SYNTAX Counter64 2752 MAX-ACCESS read-only 2753 STATUS current 2754 DESCRIPTION 2755 "Number of address mapping creations. This includes static 2756 mappings." 2757 ::= { natCounters 7 } 2759 natAddressMappingRemovals OBJECT-TYPE 2760 SYNTAX Counter64 2761 MAX-ACCESS read-only 2762 STATUS current 2763 DESCRIPTION 2764 "Number of address mapping removals. This includes static 2765 mappings. 2767 The number of active mappings is equal to 2768 natAddressMappingCreations - natAddressMappingRemovals." 2769 ::= { natCounters 8 } 2771 natL4ProtocolTable OBJECT-TYPE 2772 SYNTAX SEQUENCE OF NatPerProtocolEntry 2773 MAX-ACCESS not-accessible 2774 STATUS current 2775 DESCRIPTION 2776 "Table of protocols with per-protocol counters." 
2777 ::= { natCounters 128 } 2779 natL4ProtocolEntry OBJECT-TYPE 2780 SYNTAX NatPerProtocolEntry 2781 MAX-ACCESS not-accessible 2782 STATUS current 2783 DESCRIPTION 2784 "Per-protocol counters." 2785 INDEX { natL4ProtocolNumber } 2786 ::= { natL4ProtocolTable 1 } 2788 NatPerProtocolEntry ::= 2789 SEQUENCE { 2790 natL4ProtocolNumber ProtocolNumber, 2791 natL4ProtocolTranslations Counter64, 2792 natL4ProtocolOutOfPortErrors Counter64, 2793 natL4ProtocolResourceErrors Counter64, 2794 natL4ProtocolQuotaDrops Counter64, 2795 natL4ProtocolMappingCreations Counter64, 2796 natL4ProtocolMappingRemovals Counter64 2797 } 2799 natL4ProtocolNumber OBJECT-TYPE 2800 SYNTAX ProtocolNumber 2801 MAX-ACCESS not-accessible 2802 STATUS current 2803 DESCRIPTION 2804 "Counters in this conceptual row apply to packets using the 2805 transport protocol identified by this object's value." 2806 ::= { natL4ProtocolEntry 1 } 2808 natL4ProtocolTranslations OBJECT-TYPE 2809 SYNTAX Counter64 2810 MAX-ACCESS read-only 2811 STATUS current 2812 DESCRIPTION 2813 "The number of packets translated." 2814 ::= { natL4ProtocolEntry 2 } 2816 natL4ProtocolOutOfPortErrors OBJECT-TYPE 2817 SYNTAX Counter64 2818 MAX-ACCESS read-only 2819 STATUS current 2820 DESCRIPTION 2821 "The number of packets not translated because no external 2822 port was available." 2823 ::= { natL4ProtocolEntry 3 } 2825 natL4ProtocolResourceErrors OBJECT-TYPE 2826 SYNTAX Counter64 2827 MAX-ACCESS read-only 2828 STATUS current 2829 DESCRIPTION 2830 "The number of packets not translated because of resource 2831 constraints (excluding out-of-ports errors and quota 2832 drops)." 2833 ::= { natL4ProtocolEntry 4 } 2835 natL4ProtocolQuotaDrops OBJECT-TYPE 2836 SYNTAX Counter64 2837 MAX-ACCESS read-only 2838 STATUS current 2839 DESCRIPTION 2840 "The number of incoming packets not translated because of 2841 exceeded quotas. Quotas include absolute limits as well as 2842 limits on rate of allocation." 
2843 ::= { natL4ProtocolEntry 5 } 2845 natL4ProtocolMappingCreations OBJECT-TYPE 2846 SYNTAX Counter64 2847 MAX-ACCESS read-only 2848 STATUS current 2849 DESCRIPTION 2850 "Number of mapping creations. This includes static mappings." 2851 ::= { natL4ProtocolEntry 6 } 2853 natL4ProtocolMappingRemovals OBJECT-TYPE 2854 SYNTAX Counter64 2855 MAX-ACCESS read-only 2856 STATUS current 2857 DESCRIPTION 2858 "Number of mapping removals. This includes static mappings. 2860 The number of active mappings is equal to 2861 natL4ProtocolMappingCreations - 2862 natL4ProtocolMappingRemovals." 2863 ::= { natL4ProtocolEntry 7 } 2865 -- limits 2867 natLimits OBJECT IDENTIFIER ::= { natMIBObjects 12 } 2869 natLimitMappings OBJECT-TYPE 2870 SYNTAX Unsigned32 2871 MAX-ACCESS read-write 2872 STATUS current 2873 DESCRIPTION 2874 "Global limit on the total number of mappings. Zero means 2875 unlimited." 2876 ::= { natLimits 1 } 2878 natMappingsNotifyThreshold OBJECT-TYPE 2879 SYNTAX Unsigned32 2880 MAX-ACCESS read-write 2881 STATUS current 2882 DESCRIPTION 2883 "See natNotifMappings." 2884 ::= { natLimits 2 } 2886 natLimitAddressMappings OBJECT-TYPE 2887 SYNTAX Unsigned32 2888 MAX-ACCESS read-write 2889 STATUS current 2890 DESCRIPTION 2891 "Global limit on the total number of internal-to-external 2892 address mappings. Zero means unlimited. 2894 This limit is only applicable to NATs that have an 'IP 2895 address pooling' behavior of 'Paired' [RFC4787]." 2896 ::= { natLimits 3 } 2898 natAddrMapNotifyThreshold OBJECT-TYPE 2899 SYNTAX Unsigned32 2900 MAX-ACCESS read-write 2901 STATUS current 2902 DESCRIPTION 2903 "See natNotifAddrMappings." 2904 ::= { natLimits 4 } 2906 natLimitFragments OBJECT-TYPE 2907 SYNTAX Unsigned32 2908 MAX-ACCESS read-write 2909 STATUS current 2910 DESCRIPTION 2911 "Global limit on the total number of fragments pending 2912 reassembly. Zero means unlimited. 2914 This limit is only applicable to NATs having 'Receive 2915 Fragments Out of Order' behavior [RFC4787]." 
    ::= { natLimits 5 }

natLimitSubscribers OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Global limit on the number of subscribers with active
         mappings. Zero means unlimited."
    ::= { natLimits 6 }

-- pools

natPoolObjects OBJECT IDENTIFIER ::= { natMIBObjects 13 }

natPoolTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatPoolEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of pools."
    ::= { natPoolObjects 1 }

natPoolEntry OBJECT-TYPE
    SYNTAX NatPoolEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Entry in the table of pools."
    INDEX { natPoolIndex }
    ::= { natPoolTable 1 }

NatPoolEntry ::=
    SEQUENCE {
        natPoolIndex NatPoolId,
        natPoolRealm SnmpAdminString,
        natPoolUsage Integer32,
        natPoolWatermarkLow Integer32,
        natPoolWatermarkHigh Integer32,
        natPoolPortMin InetPortNumber,
        natPoolPortMax InetPortNumber
    }

natPoolIndex OBJECT-TYPE
    SYNTAX NatPoolId
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Index of an address pool."
    ::= { natPoolEntry 1 }

natPoolRealm OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE (0..32))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Realm to which this pool's addresses belong."
    ::= { natPoolEntry 2 }

natPoolUsage OBJECT-TYPE
    SYNTAX Integer32 (0..100)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Percentage of the pool's total number of external ports
         currently mapped."
    ::= { natPoolEntry 3 }

natPoolWatermarkLow OBJECT-TYPE
    SYNTAX Integer32 (-1|0..100)
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Low watermark on a pool's usage, in percentage of the total
         number of ports available. If set to -1, the watermark is
         disabled. Otherwise when natPoolUsage becomes lower than or
         equal to natPoolWatermarkLow, a notification is sent. The
         NAT may also start behaving in low usage mode (this is
         implementation-defined)."
    ::= { natPoolEntry 4 }

natPoolWatermarkHigh OBJECT-TYPE
    SYNTAX Integer32 (-1|0..100)
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "High watermark on a pool's usage, in percentage of the total
         number of ports available. If set to -1, the watermark is
         disabled. Otherwise, when natPoolUsage becomes higher than
         or equal to natPoolWatermarkHigh, a notification is sent.
         The NAT may also start behaving in high usage mode (this is
         implementation-defined)."
    ::= { natPoolEntry 5 }

natPoolPortMin OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Minimal port number to be allocated in this pool."
    ::= { natPoolEntry 6 }

natPoolPortMax OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Maximal port number to be allocated in this pool."
    ::= { natPoolEntry 7 }

natPoolRangeTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatPoolRangeEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This table contains address ranges used by pool entries."
    ::= { natPoolObjects 2 }

natPoolRangeEntry OBJECT-TYPE
    SYNTAX NatPoolRangeEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "NAT pool address range."
    INDEX { natPoolRangeType,
            natPoolRangeBegin }
    ::= { natPoolRangeTable 1 }

NatPoolRangeEntry ::=
    SEQUENCE {
        natPoolRangePoolIndex NatPoolId,
        natPoolRangeType InetAddressType,
        natPoolRangeBegin InetAddress,
        natPoolRangeEnd InetAddress,
        natPoolRangeAllocatedPorts Gauge32
    }

natPoolRangePoolIndex OBJECT-TYPE
    SYNTAX NatPoolId
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Index of the address pool to which this address range
         belongs. See natPoolIndex."
    ::= { natPoolRangeEntry 1 }

natPoolRangeType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The address type of natPoolRangeBegin and
         natPoolRangeEnd."
    ::= { natPoolRangeEntry 2 }

natPoolRangeBegin OBJECT-TYPE
    SYNTAX InetAddress (SIZE (4|16))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Lowest address included in this range."
    ::= { natPoolRangeEntry 3 }

natPoolRangeEnd OBJECT-TYPE
    SYNTAX InetAddress (SIZE (4|16))
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Highest address included in this range."
    ::= { natPoolRangeEntry 4 }

natPoolRangeAllocatedPorts OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of ports currently allocated on the addresses in this
         range."
    ::= { natPoolRangeEntry 5 }

-- indexed mapping tables

natMapObjects OBJECT IDENTIFIER ::= { natMIBObjects 14 }

natMapIntAddrTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatMapIntAddrEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of mappings from internal to external address.

         This table is only applicable to NATs that have an 'IP
         address pooling' behavior of 'Paired' [RFC4787]."
    ::= { natMapObjects 1 }

natMapIntAddrEntry OBJECT-TYPE
    SYNTAX NatMapIntAddrEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Mapping from internal to external address."
    INDEX { natMapIntAddrIntRealm,
            natMapIntAddrIntType,
            natMapIntAddrInt }
    ::= { natMapIntAddrTable 1 }

NatMapIntAddrEntry ::=
    SEQUENCE {
        natMapIntAddrIntRealm SnmpAdminString,
        natMapIntAddrExtRealm SnmpAdminString,
        natMapIntAddrIntType InetAddressType,
        natMapIntAddrInt InetAddress,
        natMapIntAddrExtType InetAddressType,
        natMapIntAddrExt InetAddress
    }

natMapIntAddrIntRealm OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Realm to which natMapIntAddrInt belongs."
    ::= { natMapIntAddrEntry 1 }

natMapIntAddrExtRealm OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Realm to which natMapIntAddrExt belongs."
    ::= { natMapIntAddrEntry 2 }

natMapIntAddrIntType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Address type for natMapIntAddrInt."
    ::= { natMapIntAddrEntry 3 }

natMapIntAddrInt OBJECT-TYPE
    SYNTAX InetAddress (SIZE (4|16))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Internal address."
    ::= { natMapIntAddrEntry 4 }

natMapIntAddrExtType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Address type for natMapIntAddrExt."
    ::= { natMapIntAddrEntry 5 }

natMapIntAddrExt OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "External address."
    ::= { natMapIntAddrEntry 6 }

natMappingTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatMappingTableEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of mappings indexed by external 3-tuple."
    ::= { natMapObjects 2 }

natMappingTableEntry OBJECT-TYPE
    SYNTAX NatMappingTableEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A single NAT mapping."
    INDEX { natMappingProto,
            natMappingExtRealm,
            natMappingExtAddressType,
            natMappingExtAddress,
            natMappingExtPort }
    ::= { natMappingTable 1 }

NatMappingTableEntry ::=
    SEQUENCE {
        natMappingProto ProtocolNumber,
        natMappingExtRealm SnmpAdminString,
        natMappingExtAddressType InetAddressType,
        natMappingExtAddress InetAddress,
        natMappingExtPort InetPortNumber,
        natMappingIntRealm SnmpAdminString,
        natMappingIntAddressType InetAddressType,
        natMappingIntAddress InetAddress,
        natMappingIntPort InetPortNumber,
        natMappingPool Unsigned32,
        natMappingMapBehavior NatBehaviorType,
        natMappingFilterBehavior NatBehaviorType,
        natMappingAddressPooling NatPoolingType
    }

natMappingProto OBJECT-TYPE
    SYNTAX ProtocolNumber
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The mapping's transport protocol number."
    ::= { natMappingTableEntry 1 }

natMappingExtRealm OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The realm to which natMappingExtAddress belongs."
    ::= { natMappingTableEntry 2 }

natMappingExtAddressType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Type of the mapping's external address."
    ::= { natMappingTableEntry 3 }

natMappingExtAddress OBJECT-TYPE
    SYNTAX InetAddress (SIZE (4|16))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The mapping's external address. If this is the undefined
         address, all external addresses are mapped to the internal
         address."
    ::= { natMappingTableEntry 4 }

natMappingExtPort OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The mapping's external port number. If this is zero, all
         external ports are mapped to the internal port."
    ::= { natMappingTableEntry 5 }

natMappingIntRealm OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The realm to which natMappingIntAddress belongs."
    ::= { natMappingTableEntry 6 }

natMappingIntAddressType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Type of the mapping's internal address."
    ::= { natMappingTableEntry 7 }

natMappingIntAddress OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The mapping's internal address. If this is the undefined
         address, addresses are not translated."
    ::= { natMappingTableEntry 8 }

natMappingIntPort OBJECT-TYPE
    SYNTAX InetPortNumber
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The mapping's internal port number. If this is zero, ports
         are not translated."
    ::= { natMappingTableEntry 9 }

natMappingPool OBJECT-TYPE
    SYNTAX Unsigned32 (0|1..4294967295)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Index of the pool that contains this mapping's external
         address and port. If zero, no pool is associated with this
         mapping."
    ::= { natMappingTableEntry 10 }

natMappingMapBehavior OBJECT-TYPE
    SYNTAX NatBehaviorType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Mapping behavior as described in [RFC4787] section 4.1."
    ::= { natMappingTableEntry 11 }

natMappingFilterBehavior OBJECT-TYPE
    SYNTAX NatBehaviorType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Filtering behavior as described in [RFC4787] section 5."
    ::= { natMappingTableEntry 12 }

natMappingAddressPooling OBJECT-TYPE
    SYNTAX NatPoolingType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Type of address pooling behavior that was used to create
         this mapping."
    ::= { natMappingTableEntry 13 }

-- subscribers

natSubscribers OBJECT IDENTIFIER ::= { natMIBObjects 15 }

natSubscribersTable OBJECT-TYPE
    SYNTAX SEQUENCE OF NatSubscribersTableEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Table of CGN subscribers."
    ::= { natSubscribers 1 }

natSubscribersTableEntry OBJECT-TYPE
    SYNTAX NatSubscribersTableEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each entry describes a single CGN subscriber."
    INDEX { natSubscriberIdentifierType,
            natSubscriberIdentifier }
    ::= { natSubscribersTable 1 }

NatSubscribersTableEntry ::=
    SEQUENCE {
        natSubscriberIdentifierType InetAddressType,
        natSubscriberIdentifier InetAddress,
        natSubscriberIntPrefixType InetAddressType,
        natSubscriberIntPrefix InetAddress,
        natSubscriberIntPrefixLength InetAddressPrefixLength,
        natSubscriberRealm SnmpAdminString,
        natSubscriberPool Unsigned32,
        natSubscriberTranslations Counter64,
        natSubscriberOutOfPortErrors Counter64,
        natSubscriberResourceErrors Counter64,
        natSubscriberQuotaDrops Counter64,
        natSubscriberMappingCreations Counter64,
        natSubscriberMappingRemovals Counter64,
        natSubscriberLimitMappings Unsigned32,
        natSubscriberMapNotifyThresh Unsigned32
    }

natSubscriberIdentifierType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Address type of the subscriber identifier."
    ::= { natSubscribersTableEntry 1 }

natSubscriberIdentifier OBJECT-TYPE
    SYNTAX InetAddress (SIZE (4|16))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Address used for uniquely identifying the subscriber.

         In traditional NAT, this is the internal address assigned to
         the CPE. In case an address range is assigned to a
         subscriber, the first address in the range is used as
         identifier. For tunnelled connectivity (e.g., DS-Lite
         [RFC6333]), the outer address is used as identifier (i.e.,
         the IPv6 address in the case of DS-Lite)."
    ::= { natSubscribersTableEntry 2 }

natSubscriberIntPrefixType OBJECT-TYPE
    SYNTAX InetAddressType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Subscriber's internal prefix type."
    ::= { natSubscribersTableEntry 3 }

natSubscriberIntPrefix OBJECT-TYPE
    SYNTAX InetAddress
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Prefix assigned to a subscriber's CPE."
    ::= { natSubscribersTableEntry 4 }

natSubscriberIntPrefixLength OBJECT-TYPE
    SYNTAX InetAddressPrefixLength
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Length of the prefix assigned to a subscriber's CPE, in
         bits. In case a single address is assigned, this will be 32
         for IPv4 and 128 for IPv6."
    ::= { natSubscribersTableEntry 5 }

natSubscriberRealm OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The realm to which this subscriber belongs."
    ::= { natSubscribersTableEntry 6 }

natSubscriberPool OBJECT-TYPE
    SYNTAX Unsigned32 (0|1..4294967295)
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "External address pool to which this subscriber belongs, or
         zero if the subscriber does not belong to any pool."
    ::= { natSubscribersTableEntry 7 }

natSubscriberTranslations OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of translated packets received from or sent to
         this subscriber."
    ::= { natSubscribersTableEntry 8 }

natSubscriberOutOfPortErrors OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received from this subscriber not
         translated because no external port was available, excluding
         quota limitations."
    ::= { natSubscribersTableEntry 9 }

natSubscriberResourceErrors OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of packets received from this subscriber not
         translated because of resource constraints (excluding
         out-of-port errors and quota drops)."
    ::= { natSubscribersTableEntry 10 }

natSubscriberQuotaDrops OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of incoming packets received from or destined to
         this subscriber not translated because of quota limitations.
         Quotas include absolute limits as well as limits on the rate
         of allocation."
    ::= { natSubscribersTableEntry 11 }

natSubscriberMappingCreations OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of mappings created by or for this subscriber."
    ::= { natSubscribersTableEntry 12 }

natSubscriberMappingRemovals OBJECT-TYPE
    SYNTAX Counter64
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Number of mappings removed by or for this subscriber."
    ::= { natSubscribersTableEntry 13 }

natSubscriberLimitMappings OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "Limit on the number of active mappings created by or for
         this subscriber. Zero means unlimited."
    ::= { natSubscribersTableEntry 14 }

natSubscriberMapNotifyThresh OBJECT-TYPE
    SYNTAX Unsigned32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "See natNotifSubscriberMappings."
    ::= { natSubscribersTableEntry 15 }

-- object groups

natGroupBasicObjects OBJECT-GROUP
    OBJECTS { natTranslations,
              natOutOfPortErrors,
              natResourceErrors,
              natQuotaDrops,
              natMappingCreations,
              natMappingRemovals,
              natL4ProtocolTranslations,
              natL4ProtocolOutOfPortErrors,
              natL4ProtocolResourceErrors,
              natL4ProtocolQuotaDrops,
              natL4ProtocolMappingCreations,
              natL4ProtocolMappingRemovals,
              natLimitMappings,
              natMappingsNotifyThreshold,
              natPoolIndex,
              natPoolRealm,
              natPoolUsage,
              natPoolWatermarkLow,
              natPoolWatermarkHigh,
              natPoolPortMin,
              natPoolPortMax,
              natPoolRangePoolIndex,
              natPoolRangeEnd,
              natPoolRangeAllocatedPorts,
              natMappingIntRealm,
              natMappingIntAddressType,
              natMappingIntAddress,
              natMappingIntPort,
              natMappingPool,
              natMappingMapBehavior,
              natMappingFilterBehavior,
              natMappingAddressPooling }
    STATUS current
    DESCRIPTION
        "Basic counters, limits, and thresholds."
    ::= { natMIBGroups 7 }

natGroupAddrMapObjects OBJECT-GROUP
    OBJECTS { natAddressMappingCreations,
              natAddressMappingRemovals,
              natLimitAddressMappings,
              natAddrMapNotifyThreshold,
              natMapIntAddrExtRealm,
              natMapIntAddrExt }
    STATUS current
    DESCRIPTION
        "Objects that require 'Paired IP address pooling' behavior
         [RFC4787]."
    ::= { natMIBGroups 8 }

natGroupFragmentObjects OBJECT-GROUP
    OBJECTS { natLimitFragments }
    STATUS current
    DESCRIPTION
        "Objects that require 'Receive Fragments Out of Order'
         behavior [RFC4787]."
    ::= { natMIBGroups 9 }

natGroupBasicNotifications NOTIFICATION-GROUP
    NOTIFICATIONS { natNotifPoolWatermarkLow,
                    natNotifPoolWatermarkHigh,
                    natNotifMappings }
    STATUS current
    DESCRIPTION
        "Basic notifications."
    ::= { natMIBGroups 11 }

natGroupAddrMapNotifications NOTIFICATION-GROUP
    NOTIFICATIONS { natNotifAddrMappings }
    STATUS current
    DESCRIPTION
        "Notifications about address mappings."
    ::= { natMIBGroups 12 }

natGroupSubscriberObjects OBJECT-GROUP
    OBJECTS { natSubscriberIntPrefixType,
              natSubscriberIntPrefix,
              natSubscriberIntPrefixLength,
              natSubscriberRealm,
              natSubscriberPool,
              natSubscriberTranslations,
              natSubscriberOutOfPortErrors,
              natSubscriberResourceErrors,
              natSubscriberQuotaDrops,
              natSubscriberMappingCreations,
              natSubscriberMappingRemovals,
              natSubscriberLimitMappings,
              natLimitSubscribers,
              natSubscriberMapNotifyThresh }
    STATUS current
    DESCRIPTION
        "Per-subscriber counters, limits, and thresholds."
    ::= { natMIBGroups 13 }

natGroupSubscriberNotifications NOTIFICATION-GROUP
    NOTIFICATIONS { natNotifSubscriberMappings }
    STATUS current
    DESCRIPTION
        "Subscriber notifications."
    ::= { natMIBGroups 14 }

-- compliance statements

natBasicCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Basic compliance with this MIB is attained when the objects
         contained in the mandatory groups are implemented."
    MODULE -- this module
        MANDATORY-GROUPS { natGroupBasicObjects,
                           natGroupBasicNotifications }
    ::= { natMIBCompliances 3 }

natAddrMapCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "NATs that have 'Paired IP address pooling' behavior
         [RFC4787] and implement the objects in this group can claim
         this level of compliance."
    MODULE -- this module
        MANDATORY-GROUPS { natGroupBasicObjects,
                           natGroupBasicNotifications,
                           natGroupAddrMapObjects,
                           natGroupAddrMapNotifications }
    ::= { natMIBCompliances 4 }

natFragmentsCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "NATs that have 'Receive Fragments Out of Order' behavior
         [RFC4787] and implement the objects in this group can claim
         this level of compliance."
    MODULE -- this module
        MANDATORY-GROUPS { natGroupBasicObjects,
                           natGroupBasicNotifications,
                           natGroupFragmentObjects }
    ::= { natMIBCompliances 5 }

natCGNCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "NATs that have 'Paired IP address pooling' and 'Receive
         Fragments Out of Order' behavior [RFC4787] and implement the
         objects in this group can claim this level of compliance.

         This level of compliance is to be expected of a CGN
         compliant with [RFC6888]."
    MODULE -- this module
        MANDATORY-GROUPS { natGroupBasicObjects,
                           natGroupBasicNotifications,
                           natGroupAddrMapObjects,
                           natGroupAddrMapNotifications,
                           natGroupFragmentObjects,
                           natGroupSubscriberObjects,
                           natGroupSubscriberNotifications }
    ::= { natMIBCompliances 6 }

END

5. Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create. Such
   objects may be considered sensitive or vulnerable in some network
   environments. The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations. These are the tables and objects and their
   sensitivity/vulnerability:

   Limits: An attacker setting a very low or very high limit can easily
      cause a denial-of-service situation.

      * natLimitMappings

      * natLimitAddressMappings

      * natLimitFragments

      * natLimitSubscribers

      * natSubscriberLimitMappings

   Notification thresholds: An attacker setting an arbitrarily low
      threshold can cause many useless notifications to be generated.
      Setting an arbitrarily high threshold can effectively disable
      notifications, which could be used to hide another attack.

      * natMappingsNotifyThreshold

      * natAddrMapNotifyThreshold

      * natSubscriberMapNotifyThresh

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments. It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP. These are the tables and objects and their
   sensitivity/vulnerability:

   Objects that reveal host identities: Various objects can reveal the
      identity of private hosts that are engaged in a session with
      external end nodes. A curious outsider could monitor these to
      assess the number of private hosts being supported by the NAT
      device. Further, a disgruntled former employee of an enterprise
      could use the information to break into specific private hosts by
      intercepting the existing sessions or originating new sessions
      into the host.

      * natMapIntAddrType

      * natMapIntAddrInt

      * natMapIntAddrExt

      * natMappingIntRealm

      * natMappingIntAddressType

      * natMappingIntAddress

      * natMappingIntPort

      * natMappingMapBehavior

      * natMappingFilterBehavior

      * natMappingAddressPooling

      * natSubscriberIntPrefixType

      * natSubscriberIntPrefix

      * natSubscriberIntPrefixLength

   Other objects that reveal NAT state: Other managed objects in this
      MIB may contain information that may be sensitive from a business
      perspective, in that they may represent NAT state information.

      * natCntAddressMappings

      * natCntProtocolMappings

      * natPoolUsage

      * natPoolRangeAllocatedPorts

      * natSubscriberCntMappings

   There are no objects that are sensitive in their own right, such as
   passwords or monetary amounts.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security. It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

6. IANA Considerations

   IANA has assigned object identifier 123 to the natMIB module, with
   prefix iso.org.dod.internet.mgmt.mib-2 in the Network Management
   Parameters registry [SMI-NUMBERS].

   No IANA actions are required by this document.

7. References

7.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD
              58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826, June 2004.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

   [RFC4750]  Joyal, D., Galecki, P., Giacalone, S., Coltun, R., and F.
              Baker, "OSPF Version 2 Management Information Base", RFC
              4750, December 2006.

   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
              RFC 4787, January 2007.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)", RFC
              5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              RFC 6353, July 2011.

7.2. Informative References

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations", RFC
              2663, August 1999.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022, January
              2001.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC4008]  Rohit, R., Srisuresh, P., Raghunarayan, R., Pai, N., and
              C. Wang, "Definitions of Managed Objects for Network
              Address Translators (NAT)", RFC 4008, March 2005.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, August 2011.

   [RFC6888]  Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
              and H. Ashida, "Common Requirements for Carrier-Grade NATs
              (CGNs)", BCP 127, RFC 6888, April 2013.

   [SMI-NUMBERS]
              , "Network Management Parameters registry at IANA", ,
              .

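
   Section 5 names the writable limits and notification thresholds as
   the objects whose values an unauthorized SET would change. The
   following is an added example, not part of the draft or of any
   implementation: it compares a polled snapshot of those objects with
   an operator-approved baseline. The instance suffixes, sample values,
   finding codes, the pairing of each threshold with a limit, and the
   use of the global natMappingCreations/natMappingRemovals counters in
   the creations-minus-removals formula are assumptions.

```python
"""Audit the writable NAT-MIB objects from Section 5 against a baseline."""

COUNTER64_MOD = 2 ** 64

# Object names are taken from the MIB module; "Zero means unlimited" for limits.
LIMITS = ("natLimitMappings", "natLimitAddressMappings", "natLimitFragments",
          "natLimitSubscribers", "natSubscriberLimitMappings")
THRESHOLDS = ("natMappingsNotifyThreshold", "natAddrMapNotifyThreshold",
              "natSubscriberMapNotifyThresh")
WATERMARKS = ("natPoolWatermarkLow", "natPoolWatermarkHigh")  # -1 = disabled
WATCHED = set(LIMITS) | set(THRESHOLDS) | set(WATERMARKS)

# Assumption: each threshold guards the count that this limit caps.
THRESHOLD_LIMIT = {
    "natMappingsNotifyThreshold": "natLimitMappings",
    "natAddrMapNotifyThreshold": "natLimitAddressMappings",
    "natSubscriberMapNotifyThresh": "natSubscriberLimitMappings",
}


def active_mappings(creations, removals):
    """Creations minus removals, modulo 2**64 so a wrapped Counter64 works."""
    return (creations - removals) % COUNTER64_MOD


def audit(baseline, polled):
    """Return sorted (instance, code) findings for one polled snapshot.

    Keys are "<objectName>.<instance suffix>", e.g. "natLimitMappings.0".
    """
    findings = set()
    for key, new in polled.items():
        obj, _, inst = key.partition(".")
        if obj not in WATCHED:
            continue
        old = baseline.get(key)
        if old is not None and new != old:
            findings.add((key, "DRIFT"))
            if obj in LIMITS and new == 0:
                findings.add((key, "LIMIT_REMOVED"))       # now unlimited
            if obj in WATERMARKS and new == -1:
                findings.add((key, "WATERMARK_DISABLED"))  # no notification
        if obj in THRESHOLD_LIMIT:
            limit = polled.get(f"{THRESHOLD_LIMIT[obj]}.{inst}")
            # A threshold above a finite limit can never be reached.
            if limit and new > limit:
                findings.add((key, "THRESHOLD_ABOVE_LIMIT"))
    needed = ("natLimitMappings.0", "natMappingCreations.0",
              "natMappingRemovals.0")
    if all(k in polled for k in needed):
        limit = polled["natLimitMappings.0"]
        active = active_mappings(polled["natMappingCreations.0"],
                                 polled["natMappingRemovals.0"])
        # A finite limit below current usage blocks every new mapping.
        if limit and limit < active:
            findings.add(("natLimitMappings.0", "LIMIT_BELOW_ACTIVE"))
    return sorted(findings)


# Constructed sample data (not taken from any device).
SUBSCRIBER = "1.4.10.0.0.7"  # constructed index: ipv4(1), length 4, 10.0.0.7
BASELINE = {
    "natLimitMappings.0": 200000,
    "natMappingsNotifyThreshold.0": 180000,
    "natLimitFragments.0": 4096,
    "natPoolWatermarkHigh.1": 90,
    f"natSubscriberLimitMappings.{SUBSCRIBER}": 2000,
    f"natSubscriberMapNotifyThresh.{SUBSCRIBER}": 1500,
}
POLLED = dict(BASELINE)
POLLED.update({
    "natLimitMappings.0": 1000,                  # very low limit
    "natMappingsNotifyThreshold.0": 4294967295,  # arbitrarily high threshold
    "natLimitFragments.0": 0,                    # limit removed
    "natPoolWatermarkHigh.1": -1,                # watermark disabled
    "natMappingCreations.0": 5,                  # counter has wrapped
    "natMappingRemovals.0": 2 ** 64 - 49995,     # 50000 mappings still active
})

if __name__ == "__main__":
    for instance, code in audit(BASELINE, POLLED):
        print(f"{code:24} {instance}")
```

   Feed the polled dictionary from an authenticated, encrypted SNMPv3
   session, as Section 5 recommends, so that the audit itself does not
   expose the values it checks.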
Authors' Addresses

   Simon Perreault
   Viagenie
   246 Aberdeen
   Quebec, QC G1R 2E1
   Canada

   Phone: +1 418 656 9254
   Email: simon.perreault@viagenie.ca
   URI: http://viagenie.ca

   Tina Tsou
   Huawei Technologies (USA)
   2330 Central Expressway
   Santa Clara, CA 95050
   USA

   Phone: +1 408 330 4424
   Email: tina.tsou.zouting@huawei.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com